Cyber security aggregate rss news


How to trade in onli ...

 Tips

Many gamers have turned in-game item trading into a robust source of income. Some sell items that they cannot use for their character class. Others are just looking to unload the wealth that they have acquired before quitting the game altogether. Unfortunately, there are also scammers in the gaming community who use cunning schemes to leave honest gamers high and dry. You should keep in mind that some publishers, including Valve, have refused to return items to players that they voluntarily gave up to scammers. Gamers must be prepared to look after their property themselves. In this article, we tell you how to preserve the fruits of your hard grind, avoid common fraudulent schemes, and not bring down the banhammer.

Play by the rules

To begin with, not all developers allow users to exchange in-game items, much less sell them for real money. So before looking for a buyer for your Golden AK-47 or purchasing the Sword of a Thousand Truths, you should check whether doing so will get your account blocked. For example, the developers of the MMORPG RuneScape prohibit the sale of both accounts and items for real money. There are several reasons for that, ranging from the legal (the game and the items in it are the property of the publisher) to security issues (accounts and items offered for sale are often stolen or obtained by dishonest means). If you are caught in a prohibited transaction, you will be banned regardless of whether you are the seller or buyer; either way, you broke the rules. The chance that an item you paid real money for will be confiscated is also quite high: to the game administrators, this kind of transaction looks very suspicious, and it leaves you with no in-game proof of payment. At the same time, trading armor, weapons, and other things inside the game as part of a general auction is usually not forbidden.

Let the buyer beware …

The second important rule is to trust your intuition and steer clear of trades that seem too attractive. Just like in real life, cyberfraudsters will try to win over your trust, and they will promise you incredible discounts to persuade you to part with your money or reveal your password. There are several signs that should make you wary. Red flags include the seller rushing your decision, pressuring you into the transaction, or suddenly offering to move the discussion outside the official platform. Even if it’s a friend writing to you, beware: scammers could have hacked their account or be using a character with the same name as your longtime buddy, but with a barely noticeable dot at the end.

Pay attention to the exchange window to make sure that the promised hundred thousand gold coins don’t become [Boar Tusk x 1] at the very last moment. And in general, be careful to check that you are being offered the exact item you want to buy and not just a similar one, and that the item is for the right game. Some scammers have published items for their own games on Steam that looked exactly like far more valuable items for far more popular games. For example, one shady seller managed to sell a fake Dragonclaw Hook from Dota 2. The fake was a perfect copy of the original: same look, same name. The scammers even copied the description and logo of Dota 2. The only problem with the fake was that it had nothing to do with Dota. The item could be used only in a game called Climber, which was later removed from Steam. After several similar cases, the platform moderators began to pay closer attention to which game an item belonged to, but it’s still a good idea to exercise due diligence and check everything in advance.

… but also be a smart seller

Scammers are looking to deceive not just buyers, but also the owners of valuable items. If another player asks you to “confirm the quality” of items by sending them, or promises to make a copy of an item, or simply asks to take your item for a test drive, then most likely they are trying to rob you. If someone offers game keys in exchange for an expensive item, you should also be on your guard; they’re probably stolen. Game stores do not recommend selling items in exchange for real money using third-party payment services such as PayPal. However, if you still want to go through with a transaction, first make sure that the buyer can be trusted. Do you have even the slightest suspicion that they are trying to pull a dirty trick? Then call off the deal. Even if you have agreed on advance payment, a fraudster can retroactively cancel a transaction by complaining to the payment system’s support service, in which case you will be left without both the item and your money.

Beware of third-party software

Sometimes, while negotiating a deal, a scammer will try to persuade you to install TeamViewer or, say, a voice-chat application. They say it’s to check that the product really belongs to you, or because it’s a more convenient way to communicate. The reason is just an excuse; in reality, the scammer wants to take control of your computer or infect your machine with malware. Refuse that request.

Tips to remember

Whether you are the buyer or the seller, protect your computer and account properly. If you get hacked, scammers will quickly monetize everything of value on it.
• Do not use the same password for online games that you use for other services.
• Do not click on any links to external sites from the game chat, and carefully check the address of any resource that requests that you enter your username and password; the page may be fake.
• Never disable your computer’s protection. Contrary to popular myth, certain antivirus packages will not interfere with your game’s performance. Rather, when you let them run, they will detect and block threats.

FBI, CISA Echo Warni ...

 Latest Warnings

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification,” the alert reads. “In mid-July 2020, cybercriminals started a vishing campaign—gaining access to employee tools at multiple companies with indiscriminate targeting — with the end goal of monetizing the access.”

As noted in Wednesday’s story, the agencies said the phishing sites set up by the attackers tend to include hyphens, the target company’s name, and certain words — such as “support,” “ticket,” and “employee.” The perpetrators focus on social engineering new hires at the targeted company, and impersonate staff at the target company’s IT helpdesk.

The joint FBI/CISA alert (PDF) says the vishing gang also compiles dossiers on employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. From the alert:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

The alert notes that in some cases the unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, the attackers were able to intercept the one-time codes by targeting the employee with SIM swapping, which involves social engineering people at mobile phone companies into giving them control of the target’s phone number.

The agencies said crooks use the vished VPN credentials to mine the victim company databases for their customers’ personal information to leverage in other attacks. “The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the alert reads. “The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”

The advisory includes a number of suggestions that companies can implement to help mitigate the threat from these vishing attacks, including:
• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
• Verify web links do not have misspellings or contain the wrong domain.
• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
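The alert's two concrete defensive hooks are the naming pattern of the phishing sites (hyphens, the company name, and words such as "support", "ticket" and "employee") and the recommendation to monitor newly created brand-name domains. The script below is an added example, not code from the FBI/CISA alert or from KrebsOnSecurity, of how a domain-monitoring feed could be triaged against that pattern. The brand name "examplecorp", its legitimate domain list, the extra keywords beyond the three the alert names, the scoring weights and all sample domains are assumptions constructed for the example; it also generalises slightly beyond the alert by scoring brand-plus-keyword names that omit the hyphen.

```python
"""Heuristic triage of newly observed domains for help-desk/VPN lookalikes.

Added example (not part of the FBI/CISA alert): scores candidate domains
against the pattern the alert describes - hyphenated labels that combine a
company's brand with words like "support", "ticket" and "employee" - so a
domain-monitoring feed can be ranked for analyst review.
"""
from dataclasses import dataclass

# The three words named in the alert plus a few assumed synonyms a defender
# would reasonably watch for (assumption, not from the alert).
SUSPICIOUS_WORDS = {"support", "ticket", "employee", "helpdesk", "vpn", "sso", "login"}

# Placeholder brand and legitimate domains (constructed for the example).
BRAND = "examplecorp"
LEGIT_DOMAINS = {"examplecorp.com"}

# Constructed sample feed of newly observed domains.
SAMPLE_DOMAINS = [
    "vpn.examplecorp.com",             # genuine corporate host
    "examplecorp-support-ticket.com",  # the pattern the alert describes
    "examplecorp-employee-vpn.net",
    "ticket-examplecorp.com",          # brand after the keyword
    "examplecorpsupport.com",          # no hyphen, still brand + keyword
    "support-desk.net",                # keyword but no brand
    "weather-forecast.org",            # benign hyphenated name
]


@dataclass
class Finding:
    domain: str
    score: int
    reasons: list


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive: assumes a single-label public suffix
    (use a Public Suffix List library for .co.uk-style suffixes)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain: str, brand: str, legit_domains: set) -> Finding:
    """Score one domain; higher means more like a vishing landing page."""
    d = domain.lower().strip(".")
    # Hosts under a registered corporate domain are never flagged.
    if d in legit_domains or any(d.endswith("." + base) for base in legit_domains):
        return Finding(d, 0, ["host under a registered corporate domain"])

    label = registrable_label(d)
    score, reasons = 0, []
    has_brand = brand in label
    if has_brand:
        score += 2
        reasons.append("contains brand name")
    if "-" in label:
        score += 1
        reasons.append("hyphenated label")
    hits = sorted(w for w in SUSPICIOUS_WORDS if w in label)
    if hits:
        score += 2
        reasons.append("help-desk keyword(s): " + ", ".join(hits))
    if has_brand and hits:
        score += 1  # the brand + keyword combination is the alert's signature
        reasons.append("brand combined with keyword")
    return Finding(d, score, reasons)


def triage(domains, brand: str, legit_domains: set, threshold: int = 4):
    """Return findings at or above the threshold, highest score first."""
    findings = (score_domain(d, brand, legit_domains) for d in domains)
    flagged = [f for f in findings if f.score >= threshold]
    return sorted(flagged, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_DOMAINS, BRAND, LEGIT_DOMAINS):
        print(f"{f.domain:34} score={f.score}  {'; '.join(f.reasons)}")
```

Feed this from a certificate-transparency or newly-registered-domain source and tune the threshold to your own noise level; the brand-plus-keyword combination deserves the extra point because that is exactly what the alert says the operators register, whereas a hyphen or a keyword alone is common in legitimate names.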

Episode 188: Crowdso ...

 cameras

In this episode of the Security Ledger Podcast (#188), sponsored* by LastPass, we take a look at the fast-expanding world of crowdsourced surveillance by doing a deep dive on Flock Safety, a start-up that sells inexpensive license plate scanners to homeowners and police departments. Also: users know that password security is important... but they... Read the whole entry »

 Feed

Eibiz i-Media Server Digital Signage version 3.8.0 suffers from an unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF-encoded object graph may be used to persist and retrieve application state, or to allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation or authentication, which gives an attacker the ability to create any user with any role, bypass the security controls in place, and modify the data presented on the screen/billboard.

 Industry Intel

Ransomware Attack Targets Major Cruise Line

Officials for Carnival Cruises have confirmed that a portion of their IT systems were encrypted following a cyberattack identified over the weekend. The company also revealed that sensitive information for both employees and customers was illicitly accessed, though they did not say to what extent.

Millions of Social Media Profiles Exposed

More than 235 million social media profiles belonging to several major platforms, which contained personally identifiable information including names, locations and contact data, were publicly exposed due to a misconfigured database. Social Data, an online data marketing broker, seems to be the owner of the data, though it is unclear how they obtained it, since data scraping for profit is generally not tolerated by Facebook or other platforms. According to Social Data, the database was exposed for up to three hours after it was initially spotted. It remains unknown how long the data was accessible without authentication.

Wine and Spirits Conglomerate Suffers Ransomware Attack

Brown-Forman, the parent company of many major liquor brands, recently fell victim to a ransomware attack that appears to be the work of the REvil ransomware authors. While the company was able to detect and thwart the attack before encryption, upwards of 1TB of highly sensitive internal information on employees, clients, and financial statements was stolen. Though no formal ransom was delivered, the attackers are likely to auction the data imminently.

File-less Worm Creates Linux Crypto-mining Botnet

Linux systems are on the lookout for a new infection that has been silently creating a botnet to employ target machines as crypto miners. Since the start of the year, over 500 SSH servers around the world have been infected by a worm that creates additional backdoors to allow attackers to return to the systems later. Due to the file-less nature of this infection, a simple reboot of the system can temporarily remove the malicious processes, but because the login credentials have already been exfiltrated, the system can be quickly re-infected.

Canadian COVID-19 Relief Sites Breached

Several Canadian government websites connected to healthcare relief funds were breached with the intent to steal COVID-19 relief fund payments. Though only a small portion of the 12 million total accounts, 9,000 GCKey accounts were directly affected after being breached via credential stuffing. Credential stuffing uses brute-force attacks that employ previously leaked credentials in the hope that victims reuse the same login info across multiple sites. Since the websites affected don’t use multi-factor authentication, the odds of a successful credential-related attack were increased.

The post Cyber News Rundown: Ransomware Targets Major Cruise Line appeared first on Webroot Blog.

2020-08
Aggregator history
Friday, August 21