Updated: Jan 26
Cyber threats were a hot topic last year and this year appears to be no different. Because you are a valued partner of AIM, we want to make sure you’re aware of two pervasive and potentially dangerous cyber threats: QR code scams and the Log4j security vulnerability referred to as Log4Shell.
Beware QR Code Scams
The use of QR codes by businesses has risen sharply in the last few years, largely because smartphones can now easily convert the box-shaped code into a usable link that opens a website on the user’s smartphone, gives access to applications, or provides other electronic or digital information. For example, many restaurants stopped distributing paper menus and instead posted QR codes at tables to provide diners with a touchless interface. Diners use the QR codes to access menus, process food orders, and complete payments electronically. QR codes have also proven to be convenient for tracking packages and locating information about events, recipes, and healthcare tips. According to a recent survey, by the end of 2021, 11 million households will have scanned a QR code.
QR codes can also be used for criminal purposes. Scammers use QR codes to download malware onto devices or to obtain personal information from unwary consumers. For example, using a QR code in an email, a social media message, a flyer, or a notice posted on a community bulletin board, scammers trick users into allowing access to their device under the guise of downloading some useful information or opening an innocuous link. However, rather than taking the user to the intended application or website, the QR code opens a phishing site that asks users for personally identifiable information or financial account information and credentials. Scammers may even paste their malicious QR code over an existing QR code. Any indication that a QR code has been tampered with is a red flag.
The Better Business Bureau suggests ways to protect yourself from being victimized by a QR code scam:
Make use of QR scanner applications (apps) developed by antivirus companies to check the safety of a scanned link before you open it. The apps can identify phishing scams, forced app downloads, and other dangerous links.
Independently verify the source of the QR code, even if the source appears to be a federal, state, or local government agency. Call or visit the official webpage of that agency and request that they verify the QR code’s authenticity.
Contact the sender of the QR code directly before you scan it—even if the QR code was sent to you by someone you know through the U.S. mail, an email, text, or social media site—to confirm that the sender was not hacked.
Avoid scanning QR codes presented in unsolicited emails, text messages, or social media messages arriving from someone you don’t know, particularly ones that ask you to scan a QR code in order to claim a gift or take advantage of an investment opportunity.
Make sure those in your firm and your family are aware of the dangers associated with blindly using QR codes.
Beware Log4Shell & Log4j Security Vulnerability
According to the Wall Street Journal, the Log4j framework is used by software developers to record user activity and the behavior of applications. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites, and applications. The Log4j flaw, known as Log4Shell, allows attackers to execute code remotely on a target computer, which could let them steal data, install malware, or take control. Exploits discovered recently include hacking systems to mine cryptocurrency. Other hackers have built malware to hijack computers for large-scale assaults on internet infrastructure, cyber researchers have found. The vulnerability might give hackers enough of a foothold within a system to install ransomware, a type of computer virus that locks up data and systems until the attackers are paid by victims.
According to Wired, major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM, have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view, though. Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.
The vulnerability is already being used by a “growing set of threat actors,” US Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a statement issued on December 11, 2021. She added that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” in a call with critical infrastructure operators on December 13, 2021, as first reported by CyberScoop. In that same call, a CISA official estimated that hundreds of millions of devices are likely affected.
This severe vulnerability is being exploited and can lead to an increase in cybercrime. Read more about the threats at the links listed below.
So, what should you do? This link identifies mitigation steps you can take to protect yourself and your firm: https://www.mandiant.com/resources/log4shell-recommendations.