Latest news with #DaveyWinder


Forbes
22-07-2025
- Forbes
Password Hack Warning As New Threat Jumps From Your Laptop To Phone
Update, July 22, 2025: This story, originally published on July 20, has been updated with an expert counterpoint to the idea that the delivery mechanism is what matters in the latest password hack attack analysis.

Your passwords are under attack. It really is as simple as that. It's hardly surprising when 98.5% fail the most basic password hacking test, and cross-service password reuse just adds fuel to the credentials attack fire. Behind much of this barrage of threat actor activity lies one tactic: phishing. One newly analyzed and ongoing password hacking campaign, given the name Scanception by security researchers, uses a transitional tactic to switch the attack from your laptop to your smartphone, which is likely to have much less protection. Here's what you need to know.

At the heart of the Scanception password hack campaign, as analyzed by the Cyble Research & Intelligence Labs team, is an old friend of the Forbes cybersecurity section: quishing. Oh my goodness, I just used that awful word, didn't I? QR code phishing, to be a little longer-winded but much less cheesy, is where scanning a QR code takes the unsuspecting user to a malicious site where harm can be done. That might be by way of malware downloads, including infostealers, or more straightforward credential theft involving a cloned account login page. 'The attack chain typically begins with a phishing email containing a PDF lure that urges recipients to scan an embedded QR code,' the Cyble report said, noting this technique 'effectively bypasses traditional email security and endpoint protection controls by shifting the attack surface to unmanaged personal mobile devices.'
In the space of just 12 weeks, the threat actors behind the Scanception campaign, which is still active and evolving, have used at least 600 unique PDF lures, and Cyble reported that 'nearly 80% of the quishing PDFs we observed had zero detections on VirusTotal.' The attack has so far targeted a broad sweep of users across North America, EMEA and APAC, and the threat actors appear to favor high-value industries: tech, healthcare, manufacturing and finance. Rather cleverly, the attackers have embedded the malicious QR code on the last page of a four-page PDF that otherwise appears legitimate, no doubt to evade detection tools that only scan the start of a document rather than the whole thing. To scan the QR code and access the information it promises, the user must use their smartphone camera, thereby shifting the attack from the laptop to the phone.

The Cyble Research & Intelligence Labs team recommended the following mitigation measures:
- Deploy email security solutions that inspect both attachments and, importantly, embedded QR codes.
- Expand security protections beyond the network perimeter.
- Monitor for malicious domains and URLs.
- Emphasize the dangers of QR-based attacks to staff.

Clever New QR Code Password Hack Or Same Phishing Playbook That's Been Used For 20 Years?

Not everyone, it has to be said, agrees that the latest QR code password hack campaign is anything new or sophisticated. I don't disagree with this opinion, in so far as QR phishing is, after all, just phishing when all is said and done. What's more, such 'quishing' attacks are not new either. I did think that the delivery mechanism, especially the way that the code was left to the end of the PDF to evade detection mechanisms, was worth highlighting.
'This is not new,' Paul Walsh, CEO at MetaCert, messaged me to argue. 'This is not sophisticated. It is the same impersonation playbook used for 20 years. Scan. Click. Trust. Regret.' Walsh does, of course, have skin in the game, as his company revolves around a technology to verify links before any user has the chance to decide whether they are trustworthy. That said, the counterpoint was strong enough to warrant an outing here. 'Instead of asking why security software still fails to detect phishing links,' Walsh said, 'we focus on sensational terms, like quishing or scanception, that just add noise.' The delivery method, in other words, is just a distraction, and the entry point is where the focus should sit. Walsh argued that the Cyble quote, 'effectively bypasses traditional email security and endpoint protection controls by shifting the attack surface to unmanaged personal mobile devices,' is misleading. 'The attack does not shift anything,' Walsh explained, 'it just delivers the same type of phishing link in a different wrapper.'

Walsh also took umbrage with the mitigation advice of deploying email security solutions able to inspect both attachments and embedded QR codes. 'This is not bad advice,' Walsh said, 'but it solves the wrong problem.' What Walsh is getting at is that the QR code itself isn't dangerous; it's just a code, after all. It's the link that is dangerous, and if that link is verified before loading then 'it doesn't matter whether it was delivered by QR code, email, SMS or a pigeon.' Again, I'm not going to say that Walsh is wrong; that would be disingenuous of me. However, I can't agree that he is 100% correct either.
At least not in the real world, where the vast majority of people don't have access to his MetaCert system, either through the app or web browser extension or, and I know it's something that is being worked on, by way of a service or network provider licensing it in the background. Until such a time, if it ever does gain that critical momentum, we have to work with what we've got, and that means fighting phishing, including this latest QR-driven password hack attack, using all the techniques, no matter how imperfect, that we already have available to us.
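Both the Cyble recommendation to monitor malicious domains and URLs and Walsh's point that it is the link, not the wrapper, that matters come down to the same check: look at the decoded URL before anyone taps it. The Python below is an added example written for this page, not code from Cyble, MetaCert or the article. It assumes a QR decoder has already turned the image into text; the trusted-domain allowlist, the brand keywords and the sample payloads are all constructed for illustration.

```python
"""Triage the URL decoded from a QR code before anyone taps it.

Added example, not code from the Cyble report, MetaCert or the Forbes article.
It assumes a QR decoder has already turned the image into text; the trusted
domains, brand keywords and sample payloads below are all constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the organisation really signs in through.
TRUSTED_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com", "example-corp.com"}

# Words that lookalike hosts borrow to pass as a sign-in page.
BRAND_KEYWORDS = ("microsoft", "office", "sharepoint", "login", "signin", "account", "verify")

# Shorteners hide the destination, so the decoded text says nothing about where you land.
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for this allowlist; production code
    should use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_qr_payload(payload: str) -> dict:
    """Return a verdict of 'allow', 'review' or 'block' plus the reasons.

    'allow'  - https to a trusted registrable domain with no other red flag
    'block'  - non-web scheme, or an untrusted host carrying a classic lookalike trick
    'review' - everything else (unknown host, or a trusted host reached oddly)
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    findings = []

    if scheme not in ("http", "https"):
        # intent:, file:, javascript: and friends should never come out of a document QR code
        findings.append(f"non-web scheme {scheme or '(none)'!r}")
        return {"payload": payload, "host": None, "domain": None,
                "verdict": "block", "findings": findings}

    host = parts.hostname or ""
    if not host:
        findings.append("no host in URL")
        return {"payload": payload, "host": None, "domain": None,
                "verdict": "block", "findings": findings}

    domain = registrable_domain(host)

    if scheme == "http":
        findings.append("plaintext http")
    if parts.username is not None:
        # https://microsoft.com@evil.example/ : the part before @ is userinfo, not the host
        findings.append(f"userinfo {parts.username!r} in front of host")
    if host.replace(".", "").isdigit():
        findings.append("IP address instead of hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in host")
    if domain in URL_SHORTENERS:
        findings.append("URL shortener hides destination")

    if domain in TRUSTED_LOGIN_DOMAINS:
        verdict = "allow" if not findings else "review"
    else:
        hits = [kw for kw in BRAND_KEYWORDS if kw in host]
        if hits:
            findings.append(f"brand keyword(s) {hits} in untrusted host {host!r}")
        verdict = "block" if findings else "review"

    return {"payload": payload, "host": host, "domain": domain,
            "verdict": verdict, "findings": findings}


# Constructed payloads: what a QR decoder might hand back from a phishing PDF.
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://login.microsoftonline.com.secure-docreview.example/signin",
    "https://microsoft.com@evil.example/login",
    "http://bit.ly/3qrdoc",
    "http://203.0.113.5/office365/",
    "intent://scan/#Intent;scheme=https;end",
    "https://docs.partner-example.net/shared/file.pdf",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = assess_qr_payload(p)
        print(f"{r['verdict']:6} {p}")
        for f in r["findings"]:
            print(f"         - {f}")
```

The tricks it flags are the ones that make a QR payload dangerous on a phone, where the address bar is short and the user has already committed by scanning: a trusted brand name buried in a subdomain of an untrusted registrable domain, userinfo in front of the real host, an IP literal, a punycode label, a shortener, or a non-web scheme such as intent:. Anything merely unknown goes to 'review' and feeds the domain-monitoring process rather than being silently allowed.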


Forbes
19-07-2025
- Forbes
Amazon Ring Doorbell May 28 Mass Hacking Claim Goes Viral
Hot on the heels of Amazon emailing all 220 million Prime customers with a warning that their accounts are under attack comes a claim that users of the hugely popular Ring doorbell were hacked on May 28. All of them. The claims, posted to TikTok and Reddit, have gone viral, not least as they do, indeed, appear to show multiple unauthorized device logins all on May 28. So, has your doorbell been hacked, and if not, what the heck did happen?

Not so many years ago, if someone claimed that their doorbell had been hacked, you would be looking for evidence of tinfoil hat wear. That all changed when the Internet of Things arrived, connecting just about any device you can think of in the race to be 'smart.' Of course, tinfoil hats and TikTok do have something of a history, so when I started getting emails from worried readers asking if the TikTok videos they had seen, warning that Ring doorbells had suffered a mass hacking attack on May 28, were true, I was initially tempted to dismiss it. The one thing that prompted me to investigate further, however, was the evidence. These videos, as well as postings to Reddit making the same claims, included the receipts in the form of screenshots showing a mass of seemingly unauthorized device connections, all dated May 28. Could an attacker, maybe with access to your account passwords, really have pulled off the hack of the century? I then checked my own Amazon Ring doorbell account to see if this was just some elaborate hoax, and, lo and behold, there were the same myriad logins from devices, all dated May 28. Something was, indeed, not right. The difference, however, between my logs and the claims being made online was that I recognized all the devices involved.
Some couldn't have connected on May 28, it has to be said, as I no longer owned them at that point. That made a hacking event hugely unlikely in my professional opinion; far more likely, I concluded, was an update glitch behind the scenes. Amazon has now confirmed that this was indeed the case. A July 18 posting from the Ring team stated: 'We are aware of an issue where information is displaying inaccurately in Control Center. This is the result of a backend update, and we're working to resolve this. We have no reason to believe this is the result of unauthorized access to customer accounts.'


Forbes
09-07-2025
- Forbes
Google Confirms New Hacker Protection For 3 Billion Android Users
Google security updates are not exactly in short supply: Chrome browser vulnerabilities, Google Messages sender verification and, of course, new Gmail features all vie for your attention. Sometimes, however, there's a danger of drowning in updates, which can let the most important of them go unnoticed. Google has just published a posting to ensure that doesn't happen with the latest protections for Android users against hack attacks. And quite rightly so, as it's not easy protecting more than 3 billion users, with multiple risk profiles across that user base, from hackers. As Google said, 'Less sophisticated attacks by commodity malware can be very lucrative for attackers when done at scale, but so can sophisticated attacks on targeted users.' Let me, or rather Google, introduce you to Advanced Protection, which does exactly what it says on the tin, allowing you to tailor your security protections to fit your personal risk profile.

You might be forgiven for thinking that the only threat you need to worry about as an Android smartphone user is the SMS one, as attacks surge and hackers employ new mobile SMS Blaster hardware. You would, however, be very wrong indeed. Smartphone hackers have a diverse array of attacks to choose from, each targeting a different victim group and employing a different methodology. Some of the more common ones are addressed by David Adrian, Javier Castro and Peter Kotwicz from the Google Chrome Security Team in a July 8 posting. Advanced Protection acts as an extension to Google's existing Advanced Protection Program by providing a device-level security setting for those Android users most at risk.
Think of it as a 'single control point for at-risk users on Android that enables important security settings across applications,' Google said. This integrates with Chrome on Android, the trio of security experts explained, in three specific ways:
- By enabling the Always Use Secure Connections setting, so that Chrome insists on HTTPS and an attacker on the network path cannot inject malicious content or read data.
- By enabling full site isolation, as long as your Android device has at least 4GB of RAM, so that a malicious site is never loaded in the same process as a legitimate website.
- By reducing the attack surface through the disabling of JavaScript optimizations, the just-in-time compilation machinery that has been a frequent source of exploitable browser bugs.

'We additionally recommend at-risk users join the Advanced Protection Program with their Google accounts,' the Google Chrome security team said, 'which will require the account to use phishing-resistant multi-factor authentication methods and enable Advanced Protection on any of the user's Android devices.' Advanced Protection is available on Android 16 in Chrome version 137 and later.


Forbes
20-06-2025
- Business
- Forbes
As Amazon Prime Account Hacks Surge — Here's What You Need To Do
Update, June 20, 2025: This story, originally published on June 19, has been updated to include more advice from Amazon, including the best contact methods if you are concerned someone might be trying to access your Prime account, as well as details of an anti-scam web browser you might like to try when shopping online.

If there's one truism above all others when it comes to cybercriminal hackers, it has to be that they follow the money and the crowd. That is why we see so many attacks that target the likes of Gmail accounts, the Microsoft Windows operating system and, most recently, Facebook passwords. Amazon, as you might expect given its status in the world of online retail, is not immune to this attention. With the retail giant announcing that this year's Prime Day sales will span four days in July, hackers will already be making their nefarious plans. The bad news is that last year, Prime Day attacks increased by 80% over the year before. The good news is that Amazon is ready. Here's what you need to know.

You couldn't make this up. As I was writing this very article, I received a call from a scammer impersonating Amazon, asking if I had ordered an iPhone 13. Yes, seriously. Precisely the kind of threat that Amazon is warning about, at precisely the moment that I write about hackers making their plans for this year. Obviously, I didn't fall for it, and neither will you if you take the advice from Amazon that follows shortly. As Amazon has now confirmed that Prime Day 2025 will take place July 8 through July 11, you can expect to be on the end of such calls, text messages and emails yourself. An Amazon spokesperson told me that 'as deals drop, consumers may also drop their guards, making them more susceptible to scams.'
And Amazon has the numbers to make the hairs on the back of your neck stand up: 'In the weeks surrounding Prime Day in 2024,' the spokesperson said, 'Amazon customers reported an 80% increase in all impersonation scams that claimed there was an issue with their account.' Unsurprisingly, as in my case, the top threat tactics included claiming to be from Amazon support and warning that there was a problem with your order, account or payment. 'Impersonation scams via phone calls,' Amazon said, 'more than doubled during Prime Day' last year.

Amazon Advice For Customers To Prevent Account Scam Attacks

Amazon has shared the following advice for shoppers, both before and during the Prime Day 2025 sales, on how to stay safe from brand impersonation hackers:
- Never share your Amazon credentials with any third-party tools, websites or, well, anyone. They don't need to know.
- Only use tools and sites that support the secure Login With Amazon authentication process.
- Verify purchases directly on Amazon; do not respond to a message, click on a link or give account information over the phone.
- Never place an order by email with a seller. Amazon will only ever ask for payment in its app or on the website, and never by email or phone.
- Do not be fooled by scammers creating a sense of false urgency. Count to ten and apply the advice at the top of the list.
- Amazon will never ask you to purchase a gift card.
- Keep your operating system and the Amazon app updated to the latest version to ensure the best security protections are in place.
- Ensure your Amazon account is protected by two-step verification, also known as two-factor authentication or 2FA.

You might also want to look at the browser you use to access Amazon, especially as the privacy-centric DuckDuckGo has just updated its offering with anti-scam protections that specifically include online shopping threats. Active as soon as you fire up the browser, DuckDuckGo's built-in Scam Blocker protects against phishing sites and malware. Of particular interest, and new in this latest update, is that it now also guards against 'sham e-commerce sites, fake cryptocurrency exchanges, scareware that falsely claims your device has a virus, and other sites known to advertise fake products or services,' according to Peter Dolanjski from DuckDuckGo. Amazon's own site has more on how it protects customers from scams and the best way to report an incident.


Daily Mail
27-05-2025
- General
- Daily Mail
Experts reveal what numbers you should change your PIN code to...and which to NEVER use
Tech experts are warning that some of the most widely recommended PIN codes for protecting your electronics may now be the easiest for hackers to crack, all thanks to their rising popularity. IT pro Davey Winder says that once a supposedly 'secure' four-digit code hits the internet, it becomes useless. Case in point: 8068, once hailed as the safest PIN, is now a hacker's dream. 'As soon as 8068 was named online, it became anything but safe. As soon as you could Google what's the safest PIN code and get 8068 returned, it became a very weak number instead,' Winder wrote for Forbes. 'The same applies to the other numbers noted in the study, 6835, 7637, 8093, and 9629.' He warns that a four-digit PIN takes at most 10,000 tries to guess, a task easily automated by hackers. Instead of choosing birthdays, anniversaries or easy-to-remember patterns, Winder recommends going longer: six digits at minimum, or up to 12 for real protection. 'Passwords and PINs that are easy to type and recall are also easy to guess,' he said. 'That's your biggest mistake.' Some of the worst passwords, according to Winder, include '000000,' '1234567,' 'charlie,' and even 'iloveyou.' Even when someone avoids personal information, attackers can still find ways to crack codes, most easily when the same four-digit PIN is reused across every device, which is more common than one might expect. A study of over 29 million leaked PINs showed that one in 10 people use a four-digit PIN that appears on data breach lists. Through this study, experts were able to put together a complete list of four-digit PINs not to use, which include '1234,' '1111,' '0000,' and '1342.' Experts found that '1234' was the most popular choice, accounting for nearly one in 10 of all PINs.
The PIN is generally credited to James Goodfellow, the inventor considered to be the person behind the creation of the ATM. Winder insisted people remember the importance of passwords, which can be just as easy to crack as PINs. 'Passwords that are easy to type as well as recall. And that, right there, is your biggest mistake,' Winder wrote in another Forbes article. 'If you do it, other people will do as well, and that's why if your password is on this list you must change it now.' Some of the 33 passwords the expert insisted weren't good include '000000,' '1234567,' 'charlie,' and 'iloveyou.' A quick tip Winder suggested for anyone looking to keep their phone safe is to stop using four-digit PINs and use six or 10 digits instead.

PIN codes and passwords to never use

PIN codes: 0000, 1010, 1111, 1122, 1212, 1234, 1313, 1342, 1973, 1974, 1975, 1976, 1977, 1978, 1979, 1980, 1981, 1982, 1983, 1984, 1985, 1986, 1987, 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1998, 2000, 2002, 2004, 2005, 2020, 2222, 2468, 2580, 3333, 4321, 4444, 5555, 6666, 6969, 7777, 8888, 9999

Passwords: 000000, 111111, 11111111, 121212, 123123, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 555666, aaron431, abc123, abcd1234, ABCDEF, admin, charlie, dragon, iloveyou, lemonfish, liverpool, monkey, password, password1, qwerty, qwerty1, qwerty123, secret, tangkai, user0123, welcome, woaini
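The arithmetic behind the 10,000-guesses warning and the never-use list above can be turned into a check that also catches the patterns the article warns against: years, dates, keypad lines and repeated blocks. The Python below is an added example written for this page, not code from the Daily Mail, Forbes or the study it cites. The deny-list is the four-digit list printed above plus the five 'safest' PINs the study named; the year window, the keypad lines and the guess rate used for the time estimate are assumptions, flagged as such in the comments.

```python
"""Score a numeric PIN against the weaknesses the article describes.

Added example, not code from the Daily Mail or Forbes pieces. The deny-list is
the four-digit list printed on the page and the five 'safest' PINs the study
named; the pattern rules, year window and guess rate are assumptions.
"""

# Four-digit PINs the page lists as never-use (50 entries).
DENYLIST_4 = set("""
0000 1010 1111 1122 1212 1234 1313 1342 1973 1974 1975 1976 1977 1978 1979 1980
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996
1998 2000 2002 2004 2005 2020 2222 2468 2580 3333 4321 4444 5555 6666 6969 7777
8888 9999
""".split())

# Once-recommended 'safest' PINs; public now, so treated like any other known value.
PUBLISHED_SAFE = {"8068", "6835", "7637", "8093", "9629"}

# Straight lines on a phone keypad (assumption; both reading directions are checked).
KEYPAD_LINES = ("123", "456", "789", "147", "258", "369", "2580", "159", "357")


def guesses_to_exhaust(length: int) -> int:
    """Every n-digit PIN falls within 10**n attempts (10,000 for four digits)."""
    return 10 ** length


def hours_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time at an assumed sustained guess rate; no lockout is modelled."""
    return guesses_to_exhaust(length) / guesses_per_second / 3600


def _looks_like_date(pin: str) -> bool:
    """Four digits read as DDMM or MMDD with a plausible day and month."""
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a PIN is weak; an empty list means nothing obvious was found."""
    reasons = []
    if not pin.isdigit():
        return ["PIN must be digits only"]
    n = len(pin)
    if n < 6:
        reasons.append(f"{n} digits: only {guesses_to_exhaust(n):,} possibilities")
    if pin in DENYLIST_4:
        reasons.append("on the published never-use list")
    if pin in PUBLISHED_SAFE:
        reasons.append("a once-recommended 'safest' PIN, now public knowledge")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # Constant step of +1 or -1 (mod 10) between every pair of digits: 1234, 4321, 9012
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    for k in (2, 3):
        if n > k and n % k == 0 and pin == pin[:k] * (n // k):
            reasons.append(f"repeated {k}-digit block")
    if any(pin in line or pin in line[::-1] for line in KEYPAD_LINES):
        reasons.append("straight line on the keypad")
    if n == 4 and 1930 <= int(pin) <= 2030:  # assumption: plausible birth/anniversary years
        reasons.append("looks like a year")
    if n == 4 and _looks_like_date(pin):
        reasons.append("looks like a DDMM/MMDD date")
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "2580", "8068", "1984", "123456", "739162"):
        print(candidate, pin_weaknesses(candidate) or ["no obvious weakness"])
    for n in (4, 6, 10):
        # assumption: 10 guesses per second sustained, as a device with no lockout might allow
        print(f"{n} digits: {guesses_to_exhaust(n):,} guesses, "
              f"{hours_to_exhaust(n, 10):.1f} h worst case")
```

The time estimate is deliberately the worst case with no lockout, which is the scenario the 10,000-tries warning describes; a device that throttles or wipes after a handful of failures changes the picture, but a PIN that fails the pattern checks is still the first thing an attacker with your date of birth or a breach list will try.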