Smart home cybersecurity news roundup [May 2020]
Last month, employees working from home continued to be a top target for cyber attackers. This May smart home cybersecurity news roundup highlights the latest remote work danger, as well as a recent security update for a popular smart home device. Check out below.
Brand impersonation spear phishing attacks on the rise
On May 28, 2020, researchers from Barracuda Networks disclosed findings on a type of phishing attack predominantly targeting Google and Microsoft file sharing and storage product users. (Think Google Drive, Google Docs, Microsoft Office, Microsoft OneDrive— common collaboration tools employed by remote teams.)
The phishing attack, referred to as a brand impersonation attack, is when an attacker attempts to trick users by posing as Google-branded or Microsoft-branded sites (in this case) to steal their account login credentials through a form submission.
In this type of brand impersonation attack, scammers leverage file, content-sharing, or other productivity sites like docs.google.com or sway.office.com to convince victims to hand over their credentials. The phishing email will usually contain a link to one of these legitimate websites making this highly specialized attack difficult to detect. Plus, one particularly tricky variant steals account access without stealing credentials. [Barracuda Networks Report]
The Barracuda research team collected data from January 1, 2020 to April 30, 2020 and detected nearly 100,000 form-based brand impersonation spear phishing attacks during this time:
- 65% of these attacks used Google websites
- 13% of these attacks used Microsoft websites
- 10% of these attacks used sendgrid.net
- 4% of these attacks used mailchimp.com
- 2% of these attacks used formcrafts.com
- 6% of these attacks used other websites
Source: Barracuda Networks Report
Brand impersonation spear phishing attack findings from Check Point Research lists more top imitated brands from the first quarter of this year— Apple (10%), Netflix (9%), and Yahoo (6%) being the top 3.
See Check Point Research's Q1 2020 Brand Phishing report for more information. It is expected to see an increase in these attacks throughout the remainder of the year as more and more are launched successfully.
Nest security update: 2 factor authentication now mandatory
This smart home device security update may seem long overdue.
If you recall any of the headline-breaking news stories, Nest devices, particularly Nest cameras, have been involved in dozens of cyber attacks over the years.
As Minim CTO Alec Rooney explains below, the reason for these Nest hacks is not due to a security flaw with the devices themselves, but rather weak Nest account credentials.
"These attacks were successful because end users tend to reuse credentials — usernames and passwords — as they create accounts all over the internet. As we have seen in the news, some of those accounts and services get compromised, and then those credentials leak out onto the dark web, where attackers can try those same credentials against other sites, like Nest accounts. Many of them fail, but some of them will succeed and will lead to hacked accounts."
A common safeguard for this vulnerability is to enable 2 factor authentication, something that up until May 2020 wasn't mandatory for Nest account users.
Now, as stated in a recent announcement, all Nest account users must enable 2 factor authentication or migrate to a Google account to have extra login verification. Nest account users can visit here for guided setup instruction.
Past smart home cybersecurity news roundups:
- June 2019: Linksys Smart WiFi router vulnerability and Android pre-installed backdoor
- July 2019: Website drive-by attacks on home routers
- August 2019: VxWorks and Google Nest Cam IQ Indoor vulnerabilities
- September 2019: SMS-based attacks and major router vulnerabilities
- October 2019: What is Gafgyt malware?
- November 2019: What is Light Commands?
- December 2019: Blink camera and Ruckus router vulnerabilities
- January 2020: Ring doorbell privacy concerns
- March 2020: Work From Home edition
- April 2020: Malware stats amid COVID-19