Vulnerability Discovered – Why You Shouldn’t Use WhatsApp and Telegram on the Web

According to the Israeli security firm Check Point, even encrypted messenger apps like WhatsApp and Telegram can be penetrated by malware. Just this month, spokesperson Doros Hadjizenonos announced the firm had discovered a weakness in the web versions of these apps. The vulnerability allowed hackers to send a contaminated photo capable of compromising the entire account as soon as it was opened. Both companies reacted immediately to patch the problem, and users who have downloaded the latest version should be protected. However, security experts are still advising that high-risk individuals stick to the mobile versions of WhatsApp and Telegram.

Encrypted Apps are the Secure Choice

Privacy and reputation go hand in hand. ReputationDefender clients include individuals and businesses working to build a positive web profile. A few personal details or a private message made public can quickly undo months of effort. With over 1 billion users, WhatsApp is the go-to messenger app and the announcement of ‘end-to-end encryption’ last year made it one of the more secure choices as well. A unique encryption key means no one but the intended receiver can unlock and read the message, not even WhatsApp itself. Meanwhile, the lesser known Telegram has been offering ‘Secret Chats’ that rely on a similar encryption key for several years.

What Went Wrong?

Unfortunately, in this case encryption created its own unique problem. Since the sender’s content was scrambled before upload, the service could not inspect it and so wasn’t always able to identify contaminated files. Hackers could conceal HTML code in a harmless-looking image and send it to an unsuspecting user. Opening the message in the web application would allow the malware to run immediately in the user’s browser, giving hackers access to the entire account: personal contacts, messages, images… everything.

Hadjizenonos has assured users that WhatsApp and Telegram both responded quickly and responsibly to Check Point’s warning. The input validation process has been improved to identify and block files containing malware on both web and mobile versions. As always, it’s important to download the latest updates immediately, since these often contain fixes for weaknesses and vulnerabilities that have just been discovered.
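The validation step described above, as an added example rather than code from WhatsApp, Telegram or Check Point: because an end-to-end encrypted service cannot inspect the payload in transit, whichever component decrypts the file has to verify that something declared as an image really is one before handing it to a renderer. The MIME labels, the helper names and the sample payloads are this example’s own; the byte signatures are the standard ones.

```python
"""Checking that a decrypted attachment really is an image before rendering
it. Added example, not code from WhatsApp, Telegram or Check Point. The
declared file type comes from message metadata the sender controls, so the
check relies on the file's leading bytes instead.
"""
import re

# Leading-byte signatures of the image formats this client will render.
# The signatures are standard; the MIME labels are this example's own choice.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup that has no business inside a file about to be shown as an image.
# This is a heuristic; the signature check below is the primary control.
_HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|script|iframe|svg|object|embed|body)\b", re.IGNORECASE
)


class RejectedFile(ValueError):
    """Raised when an attachment fails validation."""


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def validate_image(declared_mime: str, data: bytes) -> str:
    """Validate a decrypted attachment and return the type it may be rendered as.

    declared_mime is only used to learn what the sender claims, never to
    decide what the file actually is.
    """
    if declared_mime not in IMAGE_SIGNATURES:
        raise RejectedFile(f"unsupported declared type {declared_mime!r}")
    actual = sniff_image_type(data)
    if actual is None:
        raise RejectedFile("content does not start with a known image signature")
    if actual != declared_mime:
        raise RejectedFile(f"declared {declared_mime!r} but content looks like {actual!r}")
    if _HTML_MARKERS.search(data):
        raise RejectedFile("image payload contains HTML markup")
    return actual


def is_renderable(declared_mime: str, data: bytes):
    """Convenience wrapper: (True, mime) on success or (False, reason) on rejection."""
    try:
        return True, validate_image(declared_mime, data)
    except RejectedFile as exc:
        return False, str(exc)


# Constructed sample payloads for the demo (not captured from any real attack).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_AS_IMAGE = b"<!DOCTYPE html><html><body>not an image</body></html>"
GIF_LABELLED_PNG = b"GIF89a" + b"\x00" * 16
PNG_WITH_MARKUP = b"\x89PNG\r\n\x1a\n" + b"<html>" + b"\x00" * 8

if __name__ == "__main__":
    for label, declared, data in [
        ("genuine PNG", "image/png", GOOD_PNG),
        ("HTML declared as PNG", "image/png", HTML_AS_IMAGE),
        ("GIF declared as PNG", "image/png", GIF_LABELLED_PNG),
        ("PNG with embedded markup", "image/png", PNG_WITH_MARKUP),
    ]:
        print(f"{label:26} -> {is_renderable(declared, data)}")
```

The value returned by `validate_image` is the type the file should be displayed as; a client that instead displays whatever type the message metadata declares is trusting the sender, which is exactly the gap the text describes.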

What’s Different with Web Apps?

The larger lesson is that the mobile versions of WhatsApp and Telegram are more secure than the web-based versions. Web apps run JavaScript, which can load new code and change the app’s behaviour on the fly. Mobile apps don’t support this kind of ‘just-in-time’ code loading; changes must be downloaded and installed as an update before they take effect. This means users are better protected from the type of vulnerability spotted by Check Point.

Although this particular risk has been eliminated, it won’t prevent hackers from discovering a new access point in the future. If your WhatsApp account contains data that could hurt you if it were made public, it’s best to avoid messaging on the web. Stick to mobile, where there’s an extra layer of security.

Combat Online Crime – Five Ways to Improve Your Company’s Cyber-Hygiene

Cyber-crime is a growing problem that has begun to invade almost every part of the internet. There are numerous ways criminals can attack individuals and businesses online, from traditional fraud or theft, to leaking personal data and hijacking websites through ransomware or distributed denial of service (DDoS) attacks. At ReputationDefender, we help businesses shore up their defenses against these threats which can damage the company’s reputation and leave its leaders struggling to regain control of personal data.

Unfortunately, not every battle is winnable. There are many targeted online attacks, called Advanced Persistent Threats (APT), which are carried out by a massive organization (often a nation-state) with a lot of resources at their disposal. The latest big DDoS attacks also have the ability to knock out huge swaths of the internet for a short period of time, and they are very difficult to defend against.

Most Online Crime is Preventable

However, the majority of cyber-crime instances occur as a result of human error or systems that aren’t secure. People who fail to practice basic hygiene are more likely to get sick or spread disease to others and the same is true of online viruses and malware. Companies that succeed in blocking most access channels will send hackers on to easier targets. Basic cyber-hygiene won’t protect against every threat, but it will make it much less likely that your company will be one of the unlucky ones.

  • Education – A chain is only as strong as its weakest link and in this case that means the employee with the least amount of tech experience. Reduce the risk by educating everyone with computer access in basic security protocols, such as password strength and phishing scam recognition. Make sure anyone with home access is running security software.
  • Use Available Resources – There are a number of online sites that have a lot of information on cyber-security. In the UK, the Get Safe Online site offers valuable resources for companies and individuals who want to protect their privacy. Do not assume that you know everything; read the experts’ advice and then share it with other staff members.
  • Update Regularly – Microsoft, Adobe and other software vendors release regular updates and security patches. It is extremely important to make sure someone is in charge of installing these; they’re often designed specifically to close vulnerabilities that criminals have learned to exploit.
  • Invest in Security – Viruses and malware are constantly changing. At some point, technology from ten years ago simply won’t protect against modern threats. Up-to-date security might seem like a big investment, but it’s nothing compared to what the company will lose through direct theft or reputation damage if it’s hacked.
  • Perform Internal Audits – Security issues do not go away if you ignore them; they get worse. It’s worth hiring a professional to perform regular audits so you can diagnose the company’s weakest areas and work on fixing them.

Ultimately, combating cyber-crime will take a concerted effort amongst international and governmental agencies to track down these individuals and eliminate all the different ways they can attack. However, in the short term, companies can accomplish a lot by making sure their own security practices are first rate.

How Can I Avoid a Phishing Attack?

Phishing attacks are scams that trick people into exposing financial details and other sensitive data. Phishing is not new; this type of online attack has been around almost as long as the internet, but today’s schemes are more sophisticated and harder to detect than ever. In the past, all but the most naïve could see through badly written requests to transfer money or suspicious-looking prize notices. This is not the case with modern phishing schemes, which often resemble official communications so closely that it’s hard to tell the difference. Some hackers take the time to learn co-workers’ names and personal details to make their messages appear even more convincing.

Phishing scams pose numerous risks. The most common scenario is a virus that will infect a computer through a contaminated link or a compressed document. Malware delivered through phishing can steal personal information, including financial details, or it may contain ransomware that will encrypt computer files and hold them hostage until you pay a fee. Most viruses have the ability to spread and infect an entire company network and businesses are frequently targeted since they have more resources and incentive to protect their data.

Falling prey to a phishing attack leaves a company vulnerable to financial theft, as well as leaks that could release trade secrets and confidential information. Compromising data released to the public causes reputational damage that’s hard to undo. Experts at ReputationDefender work to safeguard client reputations through regular privacy audits that catch problems as they emerge. We also help to repair online reputation by creating and promoting positive content.

Types of Phishing Attacks

There are basically two ways a hacker may design a phishing scheme:

  • Mass-scale phishing – A general attack that includes many different methods of communication. A lot like casting a large fishing net, mass-scale attacks do not target a specific person. However, they may include numerous semi-random attempts aimed at discovering the weakest link in a company’s network – the one employee gullible enough to click on a random link or reveal their password to a stranger.
  • Spear-phishing or Whaling – Spear-phishing is a targeted attack aimed at a specific person or a group of people. This type of phishing attack often includes details that make the included information seem legitimate. Emails can be designed to resemble personal office communication or a typical business invoice. Whaling is a type of spear-phishing that targets high-level personnel, particularly the CEO. Hooking these so-called “large fish” gives cyber criminals easier access to sensitive company data and financial accounts.

Methods of Delivery

Fraudsters have found even more creative ways to deliver links, through email, phone calls, text messaging and social media feeds.

Email phishing

A phishing email often looks like a generic notice from a well-known company or a bank. Cyber criminals have been known to copy logos from PayPal and eBay well enough to avoid detection. Typical scare tactics include warnings that the account is insecure, the password has been changed or there is a payment past due. Phishing emails usually include a call to action (CTA) asking victims to click on a link or open an attached document. A targeted spear-phishing email may reference a colleague or a boss.

Things to look for – Many phishing emails still have small spelling mistakes or grammatical errors that a native speaker wouldn’t make, so this is the first thing to check. A missing email signature is another red flag, as is a form of address or writing style that’s not normal. Sometimes the only way to detect a phishing email is through slight changes in the email address or domain name, such as the use of zeros instead of the letter “O” or “rn” instead of “m”. These can be easily missed, so if anything seems off, double-check the email address and domain name carefully.
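The “slight changes in the domain name” check above can be automated at the mail gateway or in a mail client. The following is an added example, not part of the original post: it folds the substitutions the text mentions (zeros for “o”, “rn” for “m”, and a few similar ones) into a canonical form and compares the sender’s domain against an allow-list. The `TRUSTED_DOMAINS` list, the fold table, the function names and the sample `From:` lines are all constructed for the demo.

```python
"""Lookalike sender-domain check for the email red flags described above.
Added example; not part of the original post. TRUSTED_DOMAINS stands in for
the organisation's own allow-list, and the sample headers are constructed.
"""

# Constructed allow-list of domains the organisation normally corresponds with.
TRUSTED_DOMAINS = {"example.com", "paypal.com", "ebay.com"}

# Characters that read like another letter in most fonts, folded to one form.
_CHAR_FOLDS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                             "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that read like a single letter.
_SEQ_FOLDS = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Canonical 'what it looks like on screen' form of a domain."""
    d = domain.strip().lower().rstrip(".")
    d = d.translate(_CHAR_FOLDS)
    for seq, rep in _SEQ_FOLDS:
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1].strip()
    if "@" not in addr:
        raise ValueError(f"no @ in sender address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of X', 'near-miss of X' or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted):
        if sk == skeleton(t):
            return f"lookalike of {t}"
    for t in sorted(trusted):
        # Distance 1 also catches legitimate but similar names, so treat this
        # verdict as a prompt to double-check rather than proof of fraud.
        if edit_distance(sk, skeleton(t)) == 1:
            return f"near-miss of {t}"
    return "unknown"


def scan_from_headers(lines):
    """Run the check over raw 'From:' header lines; returns (address, verdict) pairs."""
    results = []
    for line in lines:
        if line.lower().startswith("from:"):
            address = line[5:].strip()
            results.append((address, classify_sender(address)))
    return results


# Constructed sample headers for the demo (not real messages).
SAMPLE_FROM_LINES = [
    "From: Accounts <billing@paypal.com>",
    "From: PayPal Security <service@paypa1.com>",
    "From: IT Helpdesk <admin@exarnple.com>",
    "From: Billing <invoices@ebay.co>",
    "From: Newsletter <news@totally-unrelated.org>",
]

if __name__ == "__main__":
    for address, verdict in scan_from_headers(SAMPLE_FROM_LINES):
        print(f"{verdict:26} {address}")
```

A “lookalike” verdict is a strong signal, because the domain only matches after the visual substitutions are undone; a “near-miss” verdict is weaker and should be reviewed by a person, exactly as the text advises for anything that seems off.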

Voice phishing – Vishing

Phone calls are another phishing technique (called vishing) aimed at getting individuals to hand over financial details or personal information. Like email phishing, vishing is often based on scare tactics that encourage victims to take action quickly without thinking about the consequences. Fraudsters may warn that a bank account is in danger or they may threaten legal action if a bill is not paid. Between 2013 and 2016, almost 900,000 people in the US received vishing calls purporting to be from tax collectors at the IRS. These calls resulted in 5,000 victims with collective losses of USD 26.5 million.

Things to look for – Asking that bills be paid over the phone is unusual, so this should be an immediate warning. Banks also rarely ask for financial details or personal information over the phone. Don’t give details out unless you’ve made the phone call yourself to an official number and you know the person you’re speaking with well enough to recognize his or her voice. Other things to watch for are masked numbers or an unknown caller ID.

SMS phishing – Smishing

Text messaging is another phishing technique that has come to be called smishing. Smishing messages often resemble phishing emails; they can come in the form of fake account notices with a CTA link. Some cyber criminals have even been known to use smishing to hijack a two-factor authentication system, first by requesting a password reset on your account, then sending a text asking for the code you just received in order to fix “unusual activity” on that same account.

What to look for – Unusual or unfamiliar numbers should be a give-away, as well as unsolicited messages or codes you haven’t requested. Unless this is a company that normally sends texts, you should wonder why they are using this form of communication.

Social Media Phishing

Phishing schemes have also infiltrated social media. Fraudulent posts may claim you’ve won the lottery or ask you to click and sign up for membership. Targeted attacks often pretend to be from a friend who’s opened a second account. Some scams may even come from a regular account that’s been hacked.

What to look for – Watch for irregularities (why would a friend choose to open a different account?) or language that doesn’t sound like the person you know. Be suspicious of sponsored posts from unknown businesses and links included in comments made by people you don’t know well.

Avoid Getting Hooked

Avoid all forms of phishing with these basic guidelines:

  • Don’t click on a link in an email or a text message unless you’re sure who the sender is.
  • Be wary of unsolicited messages and unusual account notices. Verify with the company before taking any action.
  • Always sign in to your accounts via a trusted app or by entering the URL in your browser. Don’t use an embedded link even if you think it’s legitimate.
  • Double-check any communication that doesn’t follow normal protocol. It never hurts to follow up with an old-fashioned phone call to make sure the message is from the real sender, especially if there’s money or confidential information involved.
  • Don’t transfer money without verifying who’s asking for it and where it’s going.
  • Don’t give out personal information over the phone.
  • Don’t fall for scams that seem too good to be true. They probably are.

5 Tips to Keep Hackers Out of Your Life

Physical property used to be the number one security concern for homeowners and business personnel. This has changed enormously over the past ten years. Now, most of our interaction takes place online, whether it’s a personal banking transaction on your home computer or a work document emailed to a colleague. There are so many risks inherent in online activity that it’s hard to identify them all, let alone protect against them.

Some threats are obvious: hackers could steal passwords or financial information and use it to funnel money out of a bank account. But there are also less obvious points of access that can be used to gather personal data or company secrets, which could then be used to destroy a reputation.

At ReputationDefender we help to protect our clients’ privacy against all of these threats. Unfortunately, many people wait until they have a problem to invest in our services. By that time it may be too late. It often takes more than 200 days for a security breach to be detected, giving hackers ample time to gain access to an array of information, from personal documents to confidential business information. The thieves could then choose to make this information public at the most inconvenient time.

Protect Yourself

Here are 5 tips to help increase your personal and business security online:

  • Be careful when using Wi-Fi – You’ve no doubt heard of the dangers of public networks but any type of Wi-Fi can be insecure. Log off and hit “forget” anytime you leave a Wi-Fi network, whether it’s public or not, so you’re not automatically logged on again as soon as you come within range. It is also a good idea to keep the Wi-Fi button on your phone in the “off” position so you choose when you’re using Wi-Fi and can monitor what you’re doing.
  • VPNs are more Secure – Short for “Virtual Private Network”, a VPN is an encrypted space which allows for more secure communication and data sharing amongst authorized users. Any large business should install a VPN. Targeted individuals could also consider using encryption on their personal home devices.
  • Update your Password System – If you’re using similar passwords in an effort to remember them, it’s time to get a password manager. These downloadable apps will choose secure passwords and store them for you.
  • Check Apps and Websites – Double check all your apps to see what data they have access to. Some apps automatically ask for your location even if they don’t need it, whilst others connect directly to Facebook and other social media accounts. Turn off any sharing you don’t really need. This just increases the number of ways a hacker can get to you. At the same time, get in the habit of double checking websites you visit. The green HTTPS lock sign signifies that the website is secure. Don’t share any sensitive information unless you see this symbol.
  • Make a cyber security policy – Every business with an internal network also needs a cyber security strategy and a cyber security officer who monitors day to day operation. This department needs to ensure across-the-board staff training. Most data breaches are the result of human error and poor education on cyber security techniques. This strategy is mostly for businesses but the same model can also be applied at home. Family members, especially children, who may be less aware of internet security, can endanger any information stored or transmitted on the home computer. Educating every member of your family will reduce the chances of exposure and regular monitoring means you will be aware of a breach much sooner.

This last security aspect can be made easier by professionals. Our privacy packages at ReputationDefender will check for vulnerabilities and give you regular updates on potential threats. This can help safeguard your personal and brand reputation and, compared to the cost associated with reputation damage, it is well worth the investment.