If you have an active Facebook, Twitter or Instagram account or have tuned in to any nightly news program lately, then you are most likely well aware of the Ice Bucket Challenge (#IceBucketChallenge), a phenomenon encouraging ALS (Amyotrophic Lateral Sclerosis) awareness across the Country. The premise of the challenge is for a person to call out/challenge their friends, family or co-workers (usually over social media) to either dump a bucket of ice water over their head within 24 hours or donate $100 to ALS. At the time of writing this article, the Ice Bucket Challenge has already generated over $30 million dollars in donations for ALS, and the “challenge” is being accepted by high profiled celebrities, such as Bill Gates, Mark Zuckerberg, George W. Bush, Lebron James and many more! But it has also jumped the borders of the United States and is now catching fire globally. With so many of us enthralled by this (positive) global phenomenon and anxiously anticipating the next Ice Bucket Challenge video of what family member or celebrity will be accepting the challenge next, my online security senses just wonder how long it will be until cybercriminals take advantage of this great cause and exploit it for their own personal agenda.
As predictable as the sun rising and the sun setting each day, is the common practice of cybercriminals capitalizing on our piqued interest in the hottest trends and latest news headlines. Unfortunately, past history proves that when following “hot news”, we forget to follow the basic “Internet Security Rules 101”. Studies show that computer users are more likely to experience a lapse of judgment and unknowingly click on a social engineered link or open a maliciously crafted attachment in disguise when it involves getting breaking news information on a hot story. Attackers understand this full well, and it is why they are so quick to bait (pollute) this enticing information online. Let’s just take a look at the last week or so…
Within days of the shocking breaking news of beloved actor and comedian Robin Williams taking his own life, Facebook scammers began making ‘Last Video Phone Call’ posts: the supposed video claimed to show Robin Williams saying his last goodbyes. As expected, users easily clicked on the bogus video and were not taken to the promised clip but rather to a fake BBC News website, where users were then asked to share the video with their Facebook friends and then are required to complete an online survey to see the video (which does not exist). Scammers use techniques similar to the above to generate revenue (for each completed survey or file downloaded, etc.).
Next, with all the global news surrounding the recent outbreak of the Ebola virus in Africa, which has already claimed over 1000 lives, and the heightened concern of Ebola epidemic making its way to the United States, cybercriminals have again been fast at work on exploiting this global Ebola scare and creating new malicious scams and schemes. To date, we have already seen multiple variations of emails involving the Ebola theme circulating in-the-wild with malicious attachments associated with them. Here’s a quick rundown of a few sample emails we’ve intercepted (so that you can avoid them and recognize future Ebola themed malicious emails):
An email offering a report on the Ebola virus. This particular email contains a phony Ebola report attached to it. Instead of an Ebola report, a user gets infected with a Trojan horse designed to steal personal and sensitive information.
An email claiming to have an attached Microsoft PowerPoint Presentation on the Ebola infection. When the attachment is viewed, it injects malicious code into the users Internet browser. Like the email described above, it is also designed to steal information from and make unwanted changes to the infected computer.
An email describing the experimental Ebola drug ‘Zmapp’. The email claims that the ‘Ebola virus has been cured’. The email contains malicious attachments as well (a Backdoor entry that many unsuspecting users will open right up.)
Also be wary of an authentic-looking email supposedly from CNN regarding prevention steps on how to guard against the Ebola virus. This particular email tries to lure a user into visiting a hacker controlled website. Users visiting this will be asked login using their email credentials.
Given the examples above and the craze of the Ice Bucket Challenge, sadly I feel it is not ‘if’ but more a question of ‘when’ we will see a fresh cyberattacks centered on “The Challenge”. I advise you that if you should see a suspicious post or come across a questionable email, be skeptical when exercising your best judgment. Search for information by directly visiting the trusted news webpage.
I support the Challenge 100% and I like to see people across our Country and the World doing Good together. But don’t get cooled off by falling victim to a possible Ice Bucket Challenge or similar scam.