This month in security: October 2020
Thousands of Aussies fall victim to employment, police and tax scams
Scammers are putting up fake job ads and pretending to be police and tax office officials to ensnare new victims.
With an uncertain employment situation looming on the horizon, thousands of Australian job seekers have already fallen victim to fake online ads in the last year. The Australian Competition and Consumer Commission (ACCC) has confirmed more than 2500 people were scammed by con artists who published fake job ads online on LinkedIn and Facebook. The overall cost of these cons has been estimated at over $1.7 million. Scammers are also pretending to be police staff and tax officials, hoping to scare their victims into surrendering their personal information. If you ever receive a call demanding your info, just hang up the phone and call the organisation back on a known, reputable number.
Scouts Victoria hit by email phishing scam, credit card details, passports compromised
The suspected phishing attack may have given hackers access to the personal data of 900 individuals.
The data included names, phone numbers, emails, residential addresses, credit card information, tax file numbers, bank details, driver's licences, bank cards, passports, birth certificates, Medicare cards, handwritten signatures and passwords. Incidents like this show just how much personal data organisations can hold, and how one mistaken click can impact thousands of people.
Cybercriminals using celebrity gossip to lure in unsuspecting Australian targets
Fake websites entice visitors with free content regarding celebrities like Adele, Drake and Cara Delevingne to steal user information.
Who doesn’t love a bit of gossip about their favourite celebrities? There are many among us who wouldn’t think twice about streaming or downloading free music or videos online, even off less-than-reputable-looking websites. Online searches for popular figures are a great opportunity for scammers, and results for search terms like "torrent", "free mp3" and "pirated content" are rife with scammers hoping to harvest your data. It’s always better to stick to reputable media outlets and streaming sites for your content fix.
Office 365 goes down for the third time in 10 days
Outlook and Microsoft Teams suffered even more outages, affecting office workers in the US and beyond.
Microsoft blamed a “recent update to network infrastructure” for the outage. Given how dependent we’ve become on remote working tools, even a small interruption can mean downtime and huge losses in productivity. It’s a good idea to stay resilient by having alternative services to fall back on, but make sure they’re whitelisted by your IT department. Remember folks, ‘shadow IT’ can cost a lot more than you bargained for.
Law firm Seyfarth Shaw, Spotless Group, Anglicare Sydney hit by ransomware attacks
A wave of ransomware attacks is storming across Australia, impacting organisations across a variety of verticals.
Law firm Seyfarth Shaw, which is headquartered in the US but has a regional presence in Sydney and Melbourne, experienced a sophisticated and aggressive malware attack on 10th October. The Spotless Group, a Downer-owned facilities services provider, also had to deal with unauthorised access to its servers, while Anglicare Sydney, an aged care provider, revealed that 17GB of its data was transmitted “to a remote location” after a ransomware attack.
Department of Foreign Affairs and Trade accidentally exposes email addresses of Aussies stranded overseas
A mix-up led to DFAT exposing the email addresses of more than 1,000 overseas Australians who had applied to a financial assistance program to help them with returning home.
The email addresses “were visible to other” recipients of the email sent by DFAT, regarding the department’s financial hardship program for overseas Aussies. At this time, it looks like it was just a case of simple human error. A simple human error that put the data of thousands of people at risk, admittedly, but mistakes can and will happen. That’s why awareness training needs to be an essential part of any cybersecurity programme.