September 9, 2014 By Douglas Bonderud 2 min read

There are few things more appealing to Internet scammers than major news events. When stories emerge — good, bad or sometimes entirely fabricated — scam artists are on-hand to craft legitimate-looking links, Facebook messages and phishing emails designed to draw in users and infect computers. How do companies stay ahead of these cons and make sure networks stay protected?

Skin Game

Last week, news broke that over 100 iClouds were hacked, and nude photos of A-list celebrities like Jennifer Lawrence and Kate Upton were posted on several message boards. According to Infosecurity Magazine, these images have drawn enough interest to grab the attention of cybercriminals, who are now running several new scams.

The first can be found on Twitter in a tweet that contains hashtags with the names of celebrity victims. Along with the hashtag comes a shortened link, supposedly leading the user to an enticing video. In fact, the link leads to a “video converter,” which is nothing of the sort — it’s malware.

Facebook also has a variation of this scam: Users must “share” the supposed video site’s URL before gaining access to the illicit movie. There’s nothing great waiting for those who fall victim — once again, it’s a malicious app looking for a home.

Bad Company

While the top layer of this scam may be new, the infrastructure hasn’t changed. Scammers have been using major news events to grab attention and fool users for years, and because they often succeed, there’s no reason to change tactics.

Consider the recent death of comedian Robin Williams. International Business Times reports that after his passing, Facebook was inundated with messages claiming the actor had left a “final goodbye” video. It was a hoax, of course, but many people looking for some explanation of Williams’ final act were willing to share the bogus message. Their reward? A redirect to paid survey sites that generated income for con men.

In some cases, the news isn’t even real. Guardian Liberty Voice noted that in February, a fake story about bad-boy singer Justin Bieber made the rounds on Facebook, claiming the star had been driving drunk when he hit and killed a seven-year-old boy. The post included what appeared to be a video but was actually a fake “play” button posted over a picture. Clicking the video took users to a fraudulent Facebook-like website that contained a host of links, all of which started a malicious app download.

Safe Haven?

It’s easy to see this as a “personal” problem; what users do on their own time is their own business, right? But according to Forbes, that’s not always the case. Twenty-five percent of working adults admit to looking at illicit materials during work, and 70 percent of all pornography access happens between 9 a.m. and 5 p.m. In other words, employees aren’t afraid to search for naked celebrity pictures at the office, placing corporate networks at real risk.

So do companies cover their technology assets? It starts with a clear use policy coupled with diligent oversight: If users are accessing these materials, consequences must be both clearly defined and immediate. Training is also critical. As noted above, the form of these scams never really changes; major news events will always spawn legitimate-looking Tweets and Facebook posts. If users don’t click and don’t share, then con artists lose their leverage.

Finally, robust application management policies are essential. Companies need to know what apps are on their network, where they came from and what they’re doing if they want to sniff out problems.

Bottom line? No nudes is good nudes.

Image Source: Wikimedia Commons

More from News

Can memory-safe programming languages kill 70% of security bugs?

3 min read - The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked. “About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced. In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a…

DOJ’s crackdown: A brief look at hacker group takedowns

3 min read - The Department of Justice (DOJ) is ramping up efforts focused on disrupting cyber criminal organizations operating within and outside of United States borders. The dismantling of Volt Typhoon, a prolific hacker collective, marked a turning point in the DOJ's offensive against cyber crime syndicates. The group was notorious for its brazen cryptocurrency scams and heists. Through coordinated global law enforcement efforts, individuals linked to the organization were apprehended, assets were frozen and critical infrastructure was seized. The success of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today