The Ivanti Threat Thursday Update for December 21, 2017: More Shopping and Password Threats!
Greetings and welcome. This week, a survey in Japan finds nearly 20,000 fake shopping sites, and more evidence that users do not create good passwords. Inspired to share any relevant opinions, reactions, and/or suggestions? Please feel free. Thanks in advance – and Happy “Holidaze!”
Survey in Japan Finds Nearly 20,000 Fake Shopping Sites
Japan’s National Police Agency (NPA) announced that a recent survey found 19,834 fake shopping sites operating in that country during the second half of 2017.
- As Japan Times reported, a survey “by the Japan Cybercrime Control Center involving information security and online service providers,” identified nearly 20,000 such sites operating in Japan from July to earlier this month.
- “Police are investigating 122 bank accounts designated by the sites for payment, and confirmed that so far they had received about ¥240 million ($2.1 million). Investigators have identified online shopping scams involving 43 people, including those suspected of making their bank accounts available through the websites in violation of a law preventing the transfer of criminal proceeds.”
- The Center has also “confirmed in the country the existence of 272 websites that are altered versions of existing facilities such as hospitals and shops. These websites also eventually route visitors to the scam sites.” The Center has warned the operators of those 272 sites to “fix the security flaws.”
- Online fraud is on the upswing in Japan. “The police said they received 69,977 reports in the January to June period, up 4.9 percent from a year earlier and the highest since 2001 when comparable data became available. Police data showed that the leading category of reports — comprising 36,729 cases — involved the use of fraud and other malicious business practices to swindle customers of online shopping sites.”
What We Say: Antivirus software alone will not protect users from the growing number and range of fake websites and phishing emails. Your organization must have tools and processes that limit users’ abilities to access dangerous websites and links. Your processes must also educate and frequently remind users that they are the first line of defense for your organization. (See “What to Do BEFORE All Hell Breaks Loose: Cybersecurity for Today’s Extreme Threats” and “User Education for Cybersecurity: Yes, It’s Worth It.”)
More Evidence: Users Create Bad Passwords – Including “starwars”
As mentioned in last week’s Threat Thursday Update, 1.4 billion sets of clear text credentials found on the dark web show that users create and reuse passwords such as “123456,” “qwerty,” and “password.” The latest edition of an annual listing of worst passwords confirms such behaviors, and adds new examples.
- As Dark Reading reported, “The 2017 Worst Passwords list, drawn from more than five million stolen passwords found online and in plain text by researchers at password management firm SplashData, represents mostly credentials from users in North America and Western Europe. The list, now in its seventh year, doesn't include credentials exposed in the Yahoo breach, nor from compromised adult websites.”
- The top 10 passwords, ranked by count: “123456,” “Password,” “12345678,” “qwerty,” “123345,” “123456789,” “letmein,” “1234567,” “football,” and “iloveyou.” New to the list is “starwars,” which ranked sixteenth, just ahead of “passw0rd.”
- “[A] new survey of 1,000 Americans by Visa shows that consumers are getting a bit weary of the password drill: 70% of the respondents consider biometrics simpler than passwords, and some 46% believe biometric authentication is more secure. Close to one-third have used fingerprint authentication on one or two occasions, while 35% do so on a regular basis. Half consider the big selling point of biometrics is no longer having to remember multiple passwords.” However, users must often create or remember passwords to set up or reconfigure biometric or fingerprint-based authentication.
What We Say: You and other IT and cybersecurity leaders and teams must help your users to avoid making themselves and their organizations vulnerable to hackers and thieves via inadequate passwords. Education can help users choose and create better passwords and avoid reusing them across multiple online resources. That education must be supported with robust, consistently implemented identity management tools and processes, to minimize password-related risk. (See “Three Things You Can Do Now to Increase User Contributions to Cybersecurity at Your Enterprise” and “The Biggest Mistakes Users Make When Choosing a Password.”)
Empower and Protect Your Users and Your Enterprise with Ivanti
Ivanti can help you protect your users from themselves, their badly created, overused passwords, and many other threats. Ivanti solutions help you control your users’ applications, devices, and admin rights, while delivering the access they need to do their jobs. Ivanti can also help fight malware attacks more effectively, and recover from successful threats more quickly. And Ivanti can help enhance endpoint management at your organization.
Check out our cybersecurity and endpoint management solutions online. Then, contact Ivanti, and let us help your business tap more of The Power of Unified IT™. (And do please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates.)