Martin Lewis slams new Facebook Messenger scam using his name and picture – what to watch out for

MoneySavingExpert.com founder Martin Lewis has said he’s “sickened” by a new scam which tries to trick victims using his name and profile picture on Facebook Messenger.

The worrying new con, which involves the trickster pretending to be Martin and privately messaging people, is the latest disturbing twist in the trend of fakers using Martin’s reputation to try and fool victims into signing up for things such as binary trading scams, or dodgy investments.

Update 7pm Tue 13 Feb. We’re pleased to hear that Facebook has now disabled the account in question for violating its policies. It says: “Fraudulent or misleading activity is not allowed on Facebook and we’re constantly working to detect and shut it down using a combination of automated and manual systems.” However we’re continuing to warn users in case it happens again – let us know if you spot a scam at news@moneysavingexpert.com.

See our Fake Martin Lewis Ads guide for a list of scams we’ve seen and what to watch out for.

Martin: ‘This isn’t me – please help me spread the message’

Martin said: “I’m sickened that yet again people are trying to take my good name and reputation and con vulnerable people.

“I don’t use private messages with anybody. Please help me spread the word that this is not me, these people should not be trusted, they are liars and possibly thieves and nobody should have anything to do with them or engage with them in any way.

“While we have reported this to Facebook I don’t have much faith in its mechanisms to deal with this, and so we have to rely on spreading the message among each other.”

‘No, you’re not Martin’: how the scam unfolded

We were quickly alerted to this latest scam by some savvy MoneySavers, who saw through the con. Here are some of the messages they received:

To be clear, this WASN’T a message from the real Martin, he doesn’t use private messages on Facebook and the messages are completely bogus.

Here’s how to report a message to Facebook

You can report and block dodgy messages you receive in Facebook, but how you do it depends on whether you’re using Facebook itself or its Messenger app:

  • To report a message on Facebook… open the conversation you want to report and click the settings icon, then click ‘report’ and a message will pop up saying you can fill out a full report in the Help Centre. Afterwards you can open the message, click settings and click ‘block’.
  • To report a message on Messenger… you can report a conversation by filling out this form. To block messages, open the conversation, click on the person’s name at the top and then ‘block’.

What are we doing about it?

Unfortunately we get many reports about firms and individuals either impersonating or claiming fake endorsements from Martin and MoneySavingExpert.com and leeching off the hard-earned trust people have in us.

We have reported this latest scam to Facebook, the Financial Conduct Authority and Action Fraud, and are continuing to warn people as quickly as possible about any new tricks such as this one.

We regularly update the Fake Martin Lewis Ads guide with examples of scams we’ve seen. If you spot a scam using Martin’s name or image, please email our news team.

Source: Martin Lewis slams new Facebook Messenger scam using his name and picture – what to watch out for

Over 700,000 bad apps removed from Google Play store in 2017 – Naked Security

There were a number of stories last year about malicious apps, or those with massive security holes, making their way to Android phones via the Google Play store.

It seems like those high profile stories were just the tip of the iceberg. In an announcement earlier this week, Google said that last year alone it removed 700,000 ‘bad apps’ and stopped 100,000 bad app developers from sharing their apps on the Google Play store. If the app number sounds high, it is: It’s a 70% jump from 2016.

Google classifies ‘bad apps’ as those that have inappropriate content (like pornography), install malware on target operating systems or steal data, or are copycats of other legitimate apps.

Last August, Google rolled out Google Play Protect to stop the ever-increasing number of malicious apps from popping up in Play. Play Protect uses machine learning to continuously figure out what kinds of behaviors bad apps adopt, to try and spot them in the wild.

We reported on a number of the bad apps in the Android ecosystem last year: Some of them installed malware with malicious, persistent pop-up ads, other apps used malware like SonicSpy to steal private data from their users, others went even further and behaved like ransomware on the phone, holding data hostage. These apps often impersonated legitimate, popular apps like WhatsApp and Pokemon GO to convince unwitting users to download and install them, which is why copycat apps aren’t just an intellectual property issue.

What to do?

  • Stick to Google Play. In the post, Google writes that 99% of apps with abusive content were discovered and removed before anyone even downloaded them. Although that still leaves 7,000 bad apps that got through last year, it’s still safer to download apps from the Google Play store than to go rogue and download apps elsewhere online. Many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, you’ll be protected even if something slips through the cracks and into the Play store.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed at which patches arrive. Why not put “faster, more effective patching” on your list of desirable features?

Source: Over 700,000 bad apps removed from Google Play store in 2017 – Naked Security

We are the Cyber Champions

The certification of 21 new Cyber Champions has followed an event staged by Nuneaton & Bedworth Neighbourhood Watch Association (N&BNWA). All are active volunteers in their own localities serving their neighbours by helping protect them from harm.

When it first started in 1982 its focus was very much on enabling neighbours, by banding together and working closely with their local police, to protect themselves from the impact of threats such as burglary, criminal damage and vehicle crimes. How things have changed! Although those original threats have not gone away, the greatest current threat is cybercrime.

N&BNWA’s response to this developing threat began in earnest following a challenge issued at its 2015 AGM by then Deputy Police & Crime Commissioner Dr Eric Wood – “… and what are you going to do about it?” We began by making use of DISC (Database & Intranet for Safer Communities) to improve the efficacy of our communication network.

This was followed in 2016 by the organisation, in conjunction with NW colleagues from across Warwickshire, of a Combating Cybercrime Conference. Its aim was that each of the five district NW associations would be able to develop and implement an effective action plan.

By early 2017 N&BNWA had developed and adopted a Combating Cybercrime Policy supported by an operable, rolling action plan. Alert messages and advisory cybersecurity information items are posted regularly on DISC, on Twitter @NunBed and on the website www.nbnwa.net. Very recently the launch of a Nuneaton-wide network of interlinked, closed Facebook groups has considerably enhanced the capability to successfully deliver the Combating Cybercrime Action Plan.

And following the Community Champion’s event, so excellently facilitated by Warwickshire County Council Cybercrime Advisor Sam Slemensk, N&BNWA now has a cadre of up-skilled volunteers to support the delivery of the action plan.

WhatsApp group chats not as secure as users might believe

Researchers have discovered flaws in the way the WhatsApp messaging app handles secure (encrypted) group communication, which could result in unauthorized users getting added to closed groups and monitoring future conversations within them.

The problem with WhatsApp:
Paul Rösler, Christian Mainka, and Jörg Schwenk analysed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s).

The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.

As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.

“When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.”
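A minimal model of the gap described above, as an added example that is not from the article or from WhatsApp's code: one client applies any server-relayed "add", the other applies it only when it carries a tag computed by the administrator. The `Client` class, the message fields and the use of an HMAC under a pairwise admin key (standing in for an administrator's signature) are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os


def tag_update(key, group, action, member, counter):
    """MAC over every field of a group-management message."""
    body = json.dumps([group, action, member, counter]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Client:
    """One group member's view of the roster (hypothetical model)."""

    def __init__(self, group, roster, admin_key, verify):
        self.group = group
        self.roster = set(roster)
        self.admin_key = admin_key  # assumed pairwise key with the admin; never seen by the server
        self.verify = verify
        self.last_counter = 0

    def on_update(self, msg):
        """Handle a relayed update; return True if it was accepted."""
        if self.verify:
            expected = tag_update(self.admin_key, self.group, msg["action"],
                                  msg["member"], msg["counter"])
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                return False  # not authorised by the administrator
            if msg["counter"] <= self.last_counter:
                return False  # replay of an earlier, genuine update
            self.last_counter = msg["counter"]
        if msg["action"] == "add":
            self.roster.add(msg["member"])
        return True


def demo():
    admin_key = os.urandom(32)
    roster = ["admin", "bob"]
    trusting = Client("g1", roster, admin_key, verify=False)
    checking = Client("g1", roster, admin_key, verify=True)

    # Constructed messages: one issued by the admin, one originated by the server.
    genuine = {"action": "add", "member": "carol", "counter": 1,
               "tag": tag_update(admin_key, "g1", "add", "carol", 1)}
    injected = {"action": "add", "member": "mallory", "counter": 2}

    for client in (trusting, checking):
        client.on_update(genuine)
        client.on_update(injected)

    return {
        "trusting": sorted(trusting.roster),
        "checking": sorted(checking.roster),
        "replay_accepted": checking.on_update(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The tag covers the group identifier and a counter as well as the member name, so an update issued for one group or replayed later is rejected along with one the administrator never issued.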

What now?
The main problem is this: end-to-end encryption, which WhatsApp purports to offer, should not depend on uncompromised servers. “We haven’t entirely achieved this yet, thanks to things like key servers. But we are making progress. This bug is a step back, and it’s one a sophisticated attacker potentially could exploit,” Green noted.

The researchers disclosed their findings to WhatsApp last summer. WhatsApp said that the “group invitation bug” is a theoretical danger that’s additionally minimized by the fact that users will receive a notification about a new user joining the group. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages. That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient “group invite link” feature.

There are apps for most things; use them safely and securely

Thanks to apps, your phone, tablet and maybe your smart watch have become the smartest and fastest way to communicate, navigate, shop, bank, book, pay, get your entertainment … and much more. But convenience can be accompanied by disadvantages, so we’d like to pass on a few expert tips about making sure you choose and use apps safely and securely.

Use only official app stores

Avoid downloading fraudulent or otherwise illegitimate apps by using only the official store for your device’s operating system, and avoiding unauthorised sources such as bulletin boards and peer-to-peer networks. Even then, read reviews and choose with care, as some rogue apps occasionally make their way into app stores.

Read the small print

When downloading apps, you’re usually asked to agree to terms and conditions. These can be quite lengthy and complex, but it’s important to read them, as some small print includes details on data sharing, in-app payments and other conditions.

Know what permissions you’re granting

You may be asked for permission for an app to access your location, photos, camera, contacts or other functions or data. Before agreeing, think about if you really want this type of access enabled, and the safety aspects of others knowing what you’re doing and where you are (especially important for children).

Check settings

Where possible, check app settings to determine whether downloading updates and day-to-day data are enabled automatically. This may be convenient, but it could also make it easier for your data to be intercepted, and may use up your data allowance.

Check content ratings

Most apps found in the official app stores feature ratings with guidance on the content and intensity of various aspects of the app. Each store has its own policy, so ratings may vary from store to store. A nice-to-have for you, but essential for apps which may be accessed by children.

Use public Wi-Fi safely

When you’re out and about, remember that you shouldn’t use Wi-Fi hotspots for confidential communications or transactions in places like cafés, pubs and hotel rooms, as there’s no guarantee of security. Instead, use your data, or wait until you get back to your secure Wi-Fi.

Always log out

When you’ve finished using an app – particularly one for banking, shopping or payments – always log out, as simply closing the app may not necessarily do it for you. This also goes for location-based apps, when you want to keep your whereabouts to yourself.

Download updates

Always download app updates when prompted, because as well as providing new features and better functionality, updates usually contain at least one security fix.

Look after your devices

With today’s apps, your mobile device becomes a computer, wallet, satnav, photo album, TV, filing cabinet, and much more. You shouldn’t leave any of these items in an unlocked house or vehicle, or unattended in a café or on a train …your mobile device is no different. And always PIN or password-protect your device as a first line of security.

Keep an eye on those bills

Be aware of the data used by apps when you’re out and about, including roaming charges abroad. And remember that some apps enable in-app purchases, which can be very attractive to use – especially to children – but at a price.

Do your housekeeping

Filling your phone or tablet with dozens of apps you don’t use can affect its performance, including reducing battery life. Remove the ones you haven’t used for a while, apart from security apps. If you’re disposing of your phone by any means, erase all data and apps, also preferably doing a factory re-set.

Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

Children’s commissioner says too much time is spent online as she launches ‘five a day’ campaign. Children’s access to Snapchat should be limited, the children’s commissioner says. Photograph: Lucy Nicholson/Reuters.

Source: Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

‘LinkedIn Update’ Phishing Scam Email

If you use LinkedIn, keep an eye out for an email that claims you must click a link to update your account. The email, which has the subject “LinkedIn Update”, claims that LinkedIn is updating its “Services Agreement and Privacy”.

The message warns that your account will be deactivated if you do not click the link and update your account. However, LinkedIn did not send the email and your account will not be deactivated if you don’t click the link. Instead, the email is a phishing scam that is designed to steal your LinkedIn account login details. If you click the link, you will be taken to a fraudulent website that has been built to emulate the real LinkedIn login page. Once on the fake site, you will be asked to enter your account email address and password to log in. After entering your details, you’ll see a message claiming that you’ve successfully completed the supposed update.

Online criminals can now use the information you provided to hijack your LinkedIn account. Once they have gained access to your account, the criminals can use it to send spam, scam, and malware messages to your LinkedIn contacts in your name.  They may also gather more of your personal information from your account and use it to pose as you and attempt to steal your identity. LinkedIn users are regularly targeted in such phishing scams.

LinkedIn has information about phishing scams and how to report them on its website.

Which smartphone is the most secure? – NCSC Site

Andy P (EUD Security Research Lead) says: “When talking about end-user device security, one of the questions I hear most often is ‘Which smartphone is the most secure?’. Now, since Jon’s told us we’re not allowed to say ‘It Depends’, we’d better have a good answer. So here’s what I think.”

‘The most secure platform’ isn’t really a useful metric. It’s an old adage that the most secure computer is the one turned off, disconnected, and locked in a safe. Pretty secure, and not very usable. But it illustrates the point that there’s plenty more to think about than just security when deciding which device you’re going to use to get your job done (or play Minecraft on). Instead, I believe the question we should be asking is ‘Is it secure enough?’.  Once you’ve established which of your potential options are in that category, you can then pick the one that best meets your other requirements, such as cost, features, battery life, availability of your favourite apps and so on.

Source: Which smartphone is the most secure? – NCSC Site

It’s a trap! Marcher banking trojan masquerades as Adobe Flash Player for Android

 

A variant of the Marcher banking trojan is targeting Android users by masquerading as a mobile Adobe Flash Player app.

This version of the malware arrives via popcash[dot]net, an advertising network which is known to serve “popunder” ads that display behind a main browser window so that the user sees them when they try to exit.

The ads drop malware payloads that pose as Adobe Flash Player. If a user clicks on the dropper URL, they see a message warning them that their Flash Player is out of date.

The dropper also loads the malware “Adobe_Flash_2016.apk” onto the user’s device, a program which then guides the user to disable security features and allow app installations from unknown sources.

Successful installation prompts the malware to conceal its icon from the home screen, to register the infected device with its command-and-control (C&C) server, and to send important information about the infected device including a list of installed apps to its server.

Source: It’s a trap! Marcher banking trojan masquerades as Adobe Flash Player for Android

Cyber Safe Warwickshire – AA Data Breach Exposes Details Of Over 100,000 Customers

A breach at UK car insurance company, the AA, has exposed information on more than 100,000 customers, including names, email addresses and partial credit card details, according to security researchers.

The company said a ‘server misconfiguration’ was responsible for the information being openly available on the web for a few days in April of this year.

The AA has been criticized for its handling of the incident: After claiming no sensitive information was included in the exposed cache, the company was called to task when security researcher Troy Hunt said he found 117,000 unique email addresses, names and partial credit card info among the details.

The company never notified its affected customers, he added.

Source: Cyber Safe Warwickshire – AA Data Breach Exposes Details Of Over 100,000 Customers