Holiday Security Info: Avoid Account Takeover Attacks & Fake Windows Updates

Generally, the more accounts you have, including email and online accounts, the greater the number of threats you will receive because each target multiplies the number of incoming attacks. With new attacks popping up each day, it can be a challenge to keep up with what to watch out for. Keeping up with as many current threats as possible is all you can do and is a good step in protecting your data.

This post covers two recent threats you should be aware of as we head into the holiday season.

Holiday Security Info: Avoid Account Takeover Attacks & Fake Windows Updates

The holiday season has a unique combination that makes it an especially risky time for people when it comes to their digital security. First, most people are busier than ever during the holiday season. Between work deadlines, family events, get togethers with friends, planning and preparing for holiday events as well as holiday travel, people are generally busier.

Additionally, there is often an increase in threats this time of year because people traditionally spend more time shopping both online and in person. This often includes websites and stores they normally do not visit.

Between being busier, which means more distracted, and the increase in attacks hoping to take advantage of our brain being pulled in more than one direction at a time, this can be the worst time of year for protecting your data.

Currently, there are two major threats happening - account takeover attacks and fake windows update popups.

Account takeover attacks

The FBI Internet Crime Complaint Center (IC3) has published an alert about a recent uptick in account takeover attacks. This alert shares information about hackers impersonating other companies in account takeover attacks.

These attacks can be directed at financial institutions, payroll accounts, health savings accounts, or any other account where they might receive some sort of financial gain. The ultimate goal is to gain access to money, but stealing information can also be valuable.

There are several ways these attacks can be carried out. Here are several types of attacks and what you need to know about them:

Social engineering - an attack where someone pretends to be someone else. An example might look like a branch manager at a bank calling about your account because they got notification of what appeared to be fraud on your account. Of course it is not really a branch manager calling, they simply accessed some of your account details from a data breach and knew enough to make you think they were legit. Once you give over security information, they might be able to gain access to your accounts and steal from you.

Social engineering attacks can be via phone calls, text messages, or emails. Often times what the person is "calling to warn you about" is exactly what they are trying to do to you. Be extremely wary about unsolicited interactions like this. If you receive a message about an account, use a different method to verify everything is okay. Try calling the bank, using the app or logging into their website after specifically typing the domain rather than using a search engine.

Phishing attacks - phishing attacks can also begin with emails or text messages, but typically include links in them hoping you will click on the links and end up at fraudulent websites. Once you click the link to "reset your password" or "regain access to X account", you are entering your credentials into a website that is stripping those credentials off the page so they can be used later to access your actual account.

Phishing attacks can be more sophisticated in the sense that they are replicating a website of the company they are targeting in order to gain access to your credentials. All they have to do is build a site that looks similar enough that someone clicks a link, gets to the dummy site and then enters their credentials. Once they have access to your login credentials they can try to use them without you.

One of the most important things you can do is to enable multi-factor on every account where it is available. This helps reduce the chance someone else can access your account later even with your credentials. This does not mean you should rely upon multi-factor is not the end all of protection! It is still important to use unique credential combinations (user id's and passwords), to create long passwords and increase complexity. Add symbols and number swaps as well as paying attention to every website you visit when entering your credentials.

Windows fake update popup

Malwarebytes recently published an article about a new popup box, or ClickFix window, popping up on Windows devices prompting users to update their Windows device. Once clicked, the fake popup runs an installer and infects the machine.

ClickFix popups are essentially any window that pops up on your computer with a warning about some issues it is claiming to have found, alerting you to an update that should be installed or possibly even encouraging you to uninstall something. Regardless of the content of the message, it is a popup warning you did not expect that is hoping to get you to perform an action that will ultimately threaten your data security.

In this case, it is important to keep in mind Windows updates run through the windows updater in Settings. In every case, you should be really careful when clicking on links in popups and generally should never do this. Instead, go directly to the program to see if there are updates. These will usually be listed under the Help, About or Settings menu in most programs.

For this specific attack, it is helpful to know the three locations where the operating system will notify you of potential updates. First, you may see these notifications in the form of a popup from the bottom right corner of the taskbar in the system tray that updates need to finish installing.

Example of a Windows pending update notification in the system tray.

Second, you may also notice them if you plan to do a reboot where you are prompted to update and reboot, etc.

Example of pending updates showing up in the Power menu.

Lastly, you can go to Settings, Update & Security and look for updates there.

Example of pending Windows updates in the Settings, Update & Security menu.

The holiday season should be a time spent doing the things you love with the people you love. As you go through this busiest time of year, please slow down when reading communications from people and accounts you did not solicit. This includes calls, text messages, emails, and links in popups. Slowing down and taking the time to really assess the information coming at you could save you an immeasurable amount of time trying to recapture your data and accounts. Often, people are never made whole from identity theft or account fraud so slow down before clicking anything to protect yourself.

As always, being cautious of everything that you receive that you are not expecting is the best approach to take!