Latest news with #DaveyWinder


Forbes
20-06-2025
- Business
- Forbes
As Amazon Prime Account Hacks Surge — Here's What You Need To Do
Beware of these Amazon Prime scams.

Update, June 20, 2025: This story, originally published on June 19, has been updated to include more advice from Amazon, including the best contact methods if you are concerned someone might be trying to access your Prime account, as well as details of an anti-scam web browser you might like to try when shopping online.

If there's one truism above all others when it comes to cybercriminal hackers, it has to be that they follow the money and the crowd. That is why we see so many attacks that target the likes of Gmail accounts, the Microsoft Windows operating system and, most recently, Facebook passwords. Amazon, as you might expect given its status in the world of online retail, is not immune to this attention. With the retail giant announcing that this year's Prime Day sales will span four days in July, hackers will already be making their nefarious plans. The bad news is that last year, Prime Day attacks increased by 80% over the year before. The good news is that Amazon is ready. Here's what you need to know.

You couldn't make this up. As I was writing this very article, I received a call from a scammer impersonating Amazon, asking if I had ordered an iPhone 13. Yes, seriously. Precisely the kind of threat that Amazon is warning about, at precisely the moment that I write about hackers making their plans for this year. Obviously, I didn't fall for it, and neither will you if you take the advice from Amazon that follows shortly. As Amazon has now confirmed that Prime Day 2025 will take place July 8 through July 11, you can expect to be on the receiving end of such calls, text messages and emails yourself. An Amazon spokesperson told me that 'as deals drop, consumers may also drop their guards, making them more susceptible to scams.'

And Amazon has the numbers to support this, numbers that will make the hairs on the back of your neck stand up: 'In the weeks surrounding Prime Day in 2024,' the spokesperson said, 'Amazon customers reported an 80% increase in all impersonation scams that claimed there was an issue with their account.' Unsurprisingly, as in my case, the top threat tactics included claiming to be from Amazon support and warning that there was a problem with your order, account, or payment. 'Impersonation scams via phone calls,' Amazon said, 'more than doubled during Prime Day' last year.

Ensure your Amazon account is protected by two-step verification, also known as two-factor authentication or 2FA.

Amazon Advice For Customers To Prevent Account Scam Attacks

Amazon has shared the following advice for shoppers, both before and during the Prime Day 2025 sales, on how to stay safe from brand impersonation hackers:
- Never share your Amazon credentials with any third-party tools, websites or, well, anyone. They don't need to know.
- Only use tools and sites that support the secure Login With Amazon authentication process.
- Verify purchases directly on Amazon; do not respond to a message, click on a link or give account information over the phone.
- Never place an order by email with a seller. Amazon will only ever ask for payment in its app or on the website, and never by email or phone.
- Do not be fooled by scammers creating a sense of false urgency. Count to ten and apply the advice at the top of the list.
- Amazon will never ask you to purchase a gift card.
- Keep your operating system and the Amazon app updated to the latest version to ensure the best security protections are in place.
- Ensure your Amazon account is protected by two-step verification, also known as two-factor authentication or 2FA.

You might also want to look at the browser that you use to access Amazon, especially as the privacy-centric DuckDuckGo has just updated its offering specifically with anti-scam protections that include online shopping threats. Available and active as soon as you fire up the web browser, DuckDuckGo has a built-in Scam Blocker function that protects against phishing sites and malware. Of particular interest, and new in this latest update, is that it now also guards against 'sham e-commerce sites, fake cryptocurrency exchanges, scareware that falsely claims your device has a virus, and other sites known to advertise fake products or services,' according to Peter Dolanjski from DuckDuckGo. Find out more about how Amazon protects customers from scams and the best way to report an incident here.


Daily Mail
27-05-2025
- General
- Daily Mail
Experts reveal what numbers you should change your PIN code to...and which to NEVER use
Tech experts are warning that some of the most widely recommended PIN codes for protecting your electronics may now be the easiest for hackers to crack — all thanks to their rising popularity. IT pro Davey Winder says once a supposedly 'secure' four-digit code hits the internet, it becomes useless. Case in point: 8068, once hailed as the safest PIN, is now a hacker's dream.

'As soon as 8068 was named online, it became anything but safe. As soon as you could Google what's the safest PIN code and get 8068 returned, it became a very weak number instead,' Winder wrote for Forbes. 'The same applies to the other numbers noted in the study, 6835, 7637, 8093, and 9629.'

He warns that a four-digit PIN, in theory, takes only 10,000 tries to guess — a task easily automated by hackers. Instead of choosing birthdays, anniversaries, or easy-to-remember patterns, Winder recommends going longer: six digits at minimum, or up to 12 for real protection.

Davey Winder revealed the password '8068' became 'anything but safe' due to experts repeatedly saying it was a great password.

'Passwords and PINs that are easy to type and recall are also easy to guess,' he said. 'That's your biggest mistake.' Some of the worst passwords, according to Winder, include '000000,' '1234567,' 'charlie,' and even 'iloveyou.'

Even when someone opts out of using personal information, attackers can still find ways to crack codes. An easy way for this to happen is if the person uses the same four-digit PIN for all their electronics, which is more common than one might expect. A study with over 29 million participants showed that one in 10 people use a four-digit PIN code from data breach lists. Through this study, experts were able to put together a complete list of four-digit PINs not to use, which include '1234,' '1111,' '0000,' and '1342.' Experts found that '1234' was the most popular choice, accounting for nearly one in 10 million participants' PIN numbers.

The PIN is frequently attributed to James Goodfellow, an inventor who is considered to be the person behind the creation of the ATM. Winder insisted people remember the importance of passwords, which can be just as easy to crack as PINs. 'Passwords that are easy to type as well as recall. And that, right there, is your biggest mistake,' Winder wrote in another Forbes article. 'If you do it, other people will do as well, and that's why if your password is on this list you must change it now.' Some of the 33 passwords the expert insisted weren't good include '000000,' '1234567,' 'charlie,' and 'iloveyou.' A quick tip Winder suggested for anyone looking to keep their phones safe is to stop using four-digit PINs and use six or 10 digits instead.

PIN codes and passwords to never use

PIN codes: 0000, 1010, 1111, 1122, 1212, 1234, 1313, 1342, 1973, 1974, 1975, 1976, 1977, 1978, 1979, 1980, 1981, 1982, 1983, 1984, 1985, 1986, 1987, 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1998, 2000, 2002, 2004, 2005, 2020, 2222, 2468, 2580, 3333, 4321, 4444, 5555, 6666, 6969, 7777, 8888, 9999

Passwords: 000000, 111111, 11111111, 121212, 123123, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 555666, aaron431, abc123, abcd1234, ABCDEF, admin, charlie, dragon, iloveyou, lemonfish, liverpool, monkey, password, password1, qwerty, qwerty1, qwerty123, secret, tangkai, user0123, welcome, woaini
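A PIN checker that applies the article's advice, added here as an example (it is not code from the article, from Winder, or from the study he cites): it rejects the PINs on the never-use list above, the five 'safest' PINs the article says are now burned, obvious patterns, and anything under six digits, and reports the brute-force search space for a PIN of that length. The sequence, repeated-block and year rules are my own heuristics, not the study's criteria.

```python
import re

# PINs the article lists as ones to never use (copied from the list above).
NEVER_USE_PINS = {
    "0000", "1010", "1111", "1122", "1212", "1234", "1313", "1342",
    "2000", "2002", "2004", "2005", "2020", "2222", "2468", "2580",
    "3333", "4321", "4444", "5555", "6666", "6969", "7777", "8888", "9999",
} | {str(year) for year in range(1973, 1997)} | {"1998"}

# The "safest" PINs named in the study; the article's point is that once
# they were published they became weak, so they are blocked too.
PUBLICISED_PINS = {"8068", "6835", "7637", "8093", "9629"}

MIN_LENGTH = 6    # the article's recommended minimum
STRONG_LENGTH = 12

def is_sequential(pin: str) -> bool:
    """True for runs such as 1234, 4321 or 012345 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def is_repeated_block(pin: str) -> bool:
    """True when the PIN is a short block repeated, e.g. 1212, 123123, 111111."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False

def contains_year(pin: str) -> bool:
    """Heuristic (my assumption, not the article's rule): any four-digit window
    that reads as a year from 1900 to 2030 suggests a birthday or anniversary."""
    return any(1900 <= int(pin[i:i + 4]) <= 2030 for i in range(len(pin) - 3))

def search_space(length: int) -> int:
    """Guesses needed to exhaust every PIN of this length (10,000 for four digits)."""
    return 10 ** length

def assess_pin(pin: str) -> dict:
    """Return {'ok': bool, 'reasons': [...], 'search_space': int} for a candidate PIN."""
    reasons = []
    if not re.fullmatch(r"\d+", pin):
        return {"ok": False, "reasons": ["digits only"], "search_space": 0}
    if pin in NEVER_USE_PINS:
        reasons.append("on the never-use list")
    if pin in PUBLICISED_PINS:
        reasons.append("publicised as 'safest', so now widely guessed")
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if is_repeated_block(pin):
        reasons.append("repeated pattern")
    if contains_year(pin):
        reasons.append("looks like a year or date")
    return {"ok": not reasons, "reasons": reasons, "search_space": search_space(len(pin))}

if __name__ == "__main__":
    for candidate in ("1234", "8068", "123123", "905317", "4862037395"):
        print(candidate, assess_pin(candidate))
```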


Forbes
07-05-2025
- Forbes
New Gmail 2FA Code Attack Alert — Don't Lose Your Account Access
Beware this Gmail account verification scam.

Your Gmail account is under attack from those who would compromise it, lock you out, and then use the resources within to stage further attacks against you and your contacts. Everything from security alert email notifications and infostealer malware campaigns to 2FA bypass attacks is employed by malicious cybercriminals looking to access your Google account. Now, a Reddit user has warned about a hacker who tried to get them to part with their 2FA code as part of an elaborate Gmail verification attack. Here's what you need to know and do to ensure you don't lose your account.

Employing phony technical support or security team alerts in an attempt to convince someone to hand over their account credentials is not a new wheeze that has just been dreamed up by a forward-looking hacker. Heck, I was doing precisely this as part of social engineering campaigns against clients, with their permission, twenty years or more ago. Impersonation is the greatest form of flattery, and the easiest way to convince someone to give you what you want. Only last year, I penned a report that went viral describing just such a scam, involving emails and AI-powered phone calls in an attempt to relieve a thankfully technology-savvy target of their account credentials. But old never gets old, especially when it evolves and is successful. One Redditor has now warned other users in the Gmail subreddit of a similar attack they have just experienced firsthand, using an evolved account recovery 2FA code verification method without the AI component and involving a human hacker on the other end of the line. Going by the name of EvilKittensCo on Reddit, the poster explained that they had been on the receiving end of a telephone call from someone purporting to be a Google support agent.

The caller explained that they needed to verify the Redditor's Gmail recovery details in order to make changes to the account that had been requested. The rationale was that the original owner of the account needed to verify the information, or the requested changes would take place. If you think about it, that's red flag number two right there: if the original owner didn't verify the account recovery information, then surely the changes would not be made. If you are wondering what the first red flag is, it's simply that Google will not call you out of the blue like this. Not ever. Nope. It just won't happen. If it does, it is a scam.

EvilKittensCo was suspicious and asked 'Google' to call them back from a Google telephone number, and they did, or at least they called from a number that is associated with Google Assistant when searched for. To cut a long story very short, the sting is to try and get the victim to hand over the 2FA Gmail account recovery code that will be sent to them. Doing so would then enable the hacker to access the account and make the necessary changes to lock the legitimate owner out. EvilKittensCo checked their Google account online and told the 'support agent' that no recovery notifications were showing as pending. This only got the scammer agitated, and they insisted they were trying to stop a Gmail hack, not initiate one. They soon, of course, hung up.

The Redditor did everything right in this case. To mitigate the risk of becoming a victim, however, as well as remembering that Google support will not call you like this, no matter how genuine they sound, you should follow the advice of Gmail spokesperson Ross Richendrfer. 'Use phishing-resistant authentication technologies, such as security keys or passkeys,' Richendrfer said. A Gmail passkey is very easy to implement and will stop such an attack dead in its tracks.


Forbes
07-05-2025
- Forbes
Critical Google Chrome 136 Audio Bug Lets Hackers Remotely Install Malware
Update Google Chrome now as WebAudio vulnerability confirmed.

Google has had a busy week on the cybersecurity front; there's no doubt about that. The product update team has already confirmed and released a patch for an Android no-user-interaction attack that is being exploited in the wild, and Google's security operations team has detailed how a new Lumma Stealer variant is deploying captcha lures to grab Windows passwords. With the Google Chrome browser only just hitting the highly anticipated version 136 milestone, there's already a confirmed and critical security vulnerability that could lead to hackers remotely executing malicious code on your machine if successfully exploited. Here's what you need to know about the audio-related CVE-2025-4372 security bug.

Let's get the severity-rating elephant in the room out of the way before going into any further detail. Vendors such as Google and Microsoft like to apply their own severity ratings to vulnerabilities, often at odds with the generally accepted Common Vulnerabilities and Exposures determination. The whole point of giving a vulnerability a CVE number and associated rating is for users, especially security teams, to be able to get an at-a-glance understanding of the likely implications of an exploit and so assist with the patch management process. So, when vendors issue ratings that are most often lower than the official CVE ones, it's confusing and, in my never humble opinion, far from helpful. CVE-2025-4372 has an official base rating of 9.8 to 10, depending on whether you apply version 2 or 3 of the rating classification system. Things don't get much more critical than this, yet Google rates it as a medium-severity issue. Go figure. OK, severity semantics out of the way, the fact remains that this is a nasty security vulnerability that Google has rushed out an update to fix.

There's a good reason for this: if exploited, it could lead to the remote execution of malicious code. Although there is no evidence of CVE-2025-4372 being exploited by attackers at this stage, don't expect that status quo to last for long. Requiring no user privileges to exploit, and only the relatively minor user interaction of visiting a malicious web page, the use-after-free memory vulnerability sits within Chrome's WebAudio application programming interface.

Update Google Chrome now.

The Google Chrome security update takes the browser to versions 136.0.7103.92/.93 for Windows and Mac, while Linux moves to version 136.0.7103.92. There's also an Android update taking that version to 136.0.7103.87. All users are advised to kickstart the Chrome update process by visiting the Help|About Google Chrome menu option. Google has stated that the update will roll out automatically across the coming days and weeks.


Forbes
06-05-2025
- Forbes
Warning — 19 Billion Compromised Passwords Have Been Published Online
19 billion exposed passwords analyzed and it's not good news.

Update, May 6, 2025: This story, originally published May 3, has been updated with details of the SMS phishing threat posed by the Chinese Panda Shop cybercrime group, and an open letter to the cybersecurity industry asking why the phishing threat behind the stolen passwords epidemic has yet to be fixed.

In just the last few months, I have reported on confirmed lists of stolen passwords being made available on the dark web and in criminal forums that have risen from 800 million to 1.7 billion and even as high as 2.1 billion, mainly thanks to the rise and rise of infostealer malware attacks. But a new report has just blown even those shockingly large statistics out of the water with an analysis of 19 billion such passwords that are available online right now to any hackers who want to seek them out. The takeaway is that you need to take action now to prevent becoming a victim of the automatic password hacking machine epidemic.

Imagine having access to 19,030,305,929 passwords that were compromised by leaks and breaches over the course of 12 months from April 2024 and involving 200 security incidents. Imagine that only sources where email addresses were available for consumption alongside the stolen password were included in this massive database. Oh, and forget about including any of those word-list compilations, such as RockYou, that regularly do the rounds but are about as useful to a criminal hacker as a chocolate router. Finally, get to grips with the fact that this dataset only includes passwords that have become publicly available in criminal forums online. Once you digest all of this, you can appreciate how huge, in all senses of the word, this really is, especially to any hacker with criminal intent. The analysis, published May 2 by the Cybernews research team, makes for truly eye-opening reading.

It's so wide-ranging and security-scary in equal measure that it's hard to know where to start, so the beginning seems as good a place as any: password laziness and reuse. Of the 19,030,305,929 passwords that ended up exposed online, only 6% of them, or 1,143,815,266 if you like to be precise, were unique. Switch that around to 94% of them being reused across accounts and services, whether by the same or different people is moot, and you can see why the average cybercriminal gets very excited about the hacking potential such lists provide. Now throw in that 42% of the passwords were short, way too short, being only 8-10 characters in length. That opens up the hacking potential to brute force attacks as well as credential stuffing. Ah, yes, and it just keeps getting worse: 27% consisted of only lowercase letters and digits, with no special characters or mixed case. Sigh.

According to Neringa Macijauskaitė, an information security researcher at Cybernews, 'the default password problem remains one of the most persistent and dangerous patterns in leaked credential datasets.' The analysis revealed that there were 53 million uses of admin and 56 million of password, for example. Changing these is one quick way to help mitigate against hackers, as Macijauskaitė said, 'attackers, too, prioritize them, making these passwords among the least secure.' Not reusing your passwords, ever, not at all, is another prime mitigation recommendation. 'If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect,' Macijauskaitė warned. This means that even without any existing system compromise, attackers are able to exploit common password patterns in their hacking exploits.

'Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly,' Macijauskaitė concluded. 'These fresh datasets enable waves of highly effective credential-stuffing attacks, often bypassing traditional security defenses.'

An Open Letter To The Cybersecurity Industry — Stopping The Stolen Passwords Problem

Paul Walsh, CEO of MetaCert and co-founder of the W3C Mobile Web Initiative in 2004, knows a thing or two about the problem of malicious messaging and has been involved in the creation of internet standards to protect against it. In conversation, Walsh told me that the latest national SMS phishing test carried out in March by MetaCert, and including carriers such as AT&T, Verizon, T-Mobile and Boost Mobile, was as disappointing as it was expected. 'Every phishing message was still delivered,' Walsh told me, 'none were blocked, flagged, or rewritten.' This is disappointing, to say the least, given that the vast majority of phishing platforms are now developed to target mobile devices, overtaking email in this regard in 2024 according to ProofPoint. When you consider that phishing attacks, on whatever platform, are the starting point for most cyber attacks, it's no great leap to realize that the compromised passwords problem could be drastically reduced, if not stopped dead, by addressing the social engineering issue. Walsh has now written an open letter to the cybersecurity industry asking why the SMS phishing problem wasn't solved ages ago. 'The cybersecurity industry has no shortage of experts in email security, endpoint protection, or network defense,' Walsh said, 'but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise.'

His letter, therefore, is a call to action by security vendors who have 'built multi-billion-dollar businesses on stopping phishing in email and corporate networks,' Walsh said, 'yet the most trusted communication channel on the planet — SMS — remains an open, unprotected target.' Walsh demands that the same effort that has been made to address email security must now be made for the SMS vector because, he concluded, 'criminals have already moved in full force, and the industry is failing to respond.' Unless this happens, and happens with the full might of the cybersecurity industry behind it, I fear that I will be reporting about the compromise of user passwords for some time to come yet.

From Passwords To Pandas

A new report by the security researcher team at Resecurity has confirmed just how dangerous the SMS phishing threat is. Having already established that the 'Smishing Triad' criminal gang has been operating since at least 2023, the Resecurity researchers have been keeping a close eye on the group of Chinese cybercriminals with very global ambitions. Using the by now de rigueur crime-as-a-service model, the Smishing Triad comprises multiple associates and leverages that scale to target victims all over the world. Resecurity has reported how, according to the latest threat intelligence it has received, a single Chinese threat actor can distribute as many as 2 million phishing SMS text messages in a single day. The Smishing Triad, Resecurity said, 'could easily target up to 60,000,000 victims per month, or 720,000,000 per year,' or, to put it another way, every person in the U.S. — twice each year. The concern of Paul Walsh is brought sharply into focus when you realize that the Smishing Triad also uses network operator SMS gateways, alongside Google RCS and Apple's iMessage, to distribute their phishing attacks. So, where does this story turn from passwords to pandas?

In March, Resecurity identified yet another smishing kit that appeared to be using the same principles as the Smishing Triad service, and went by the name of Panda Shop. The Panda Shop kit has 'multiple Telegram channels and interactive bots to automate service delivery,' the Resecurity report said, providing distribution services primarily by way of Apple's iMessage and Android's RCS platforms. Furthermore, it would appear that the threat actors are purchasing, and purchasing in significant numbers, compromised Gmail accounts, as well as compromised Apple accounts, to help with the distribution efforts.

'Like the Smishing Triad,' the Resecurity report confirmed, 'Panda Shop offers a customized smishing kit that can be deployed on any server.' The research team's investigation concluded that it is highly likely that the Panda Shop group itself consists of some former Smishing Triad members who 'transitioned their operations under the new brand after being publicly shamed.' This theory is reinforced by the fact that the Panda Shop phishing kit structure, along with various scripting scenarios that have been analyzed by Resecurity, 'mimic the same product but include specific improvements and new supported templates.' The scale of the smishing activity from Chinese threat actors, including Smishing Triad and now Panda Shop, is, Resecurity warned, impressive. 'The spectrum of the crimes conducted due to smishing ranges from traditional carding and NFC-enabled fraud to money laundering chains, enabling fraudsters to process stolen funds,' Resecurity researchers said. There's more than just your passwords at stake from smishing or any phishing attacks; there's all the data that sits beyond it and the implications that the compromise of that and access to other services can have.

'Based on Resecurity's engagements with financial institutions globally,' the report concluded, 'this activity generates millions in losses annually.'
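To show what the Cybernews figures quoted above actually measure, here is an added example (my code, not Cybernews' or the article's) that computes the same metrics over a small constructed credential dump: unique share, the 8-10 character share, the lowercase-and-digits-only share, uses of the two default passwords the report singles out, and which passwords are reused across different accounts (the 'domino effect'). The email:password line format and the sample records are assumptions.

```python
from collections import Counter
import re

# Constructed sample of leaked email/password pairs (not real data), in the
# email:password form assumed for such dumps. Only records with an email
# address are kept, mirroring the report's inclusion rule.
SAMPLE_DUMP = """\
alice@example.com:password
bob@example.com:admin
carol@example.com:Summer2024!
dave@example.com:password
erin@example.com:qwerty123
frank@example.com:Tr0ub4dor&3xample
grace@example.com:admin
heidi@example.com:iloveyou
ivan@example.com:qwerty123
judy@example.com:c0rrect-horse-battery-staple
alice@example.com:password
"""

DEFAULT_PASSWORDS = ("admin", "password")   # the two the report calls out
LOWER_DIGIT_ONLY = re.compile(r"^[a-z0-9]+$")  # no uppercase, no symbols

def parse_dump(text):
    """Return a list of (email, password) tuples from email:password lines.
    Splits on the first colon only, so passwords containing ':' survive."""
    records = []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep and "@" in email and password:
            records.append((email.strip().lower(), password))
    return records

def analyse(records):
    """Compute the report's headline metrics for a list of (email, password) records."""
    total = len(records)
    passwords = [pw for _, pw in records]
    counts = Counter(passwords)

    # Which distinct accounts share a password: the credential-stuffing 'domino effect'.
    accounts = {}
    for email, pw in records:
        accounts.setdefault(pw, set()).add(email)
    reused = {pw: sorted(emails) for pw, emails in accounts.items() if len(emails) > 1}

    pct = lambda n: round(100 * n / total, 1)
    return {
        "total": total,
        "unique": len(counts),
        "unique_pct": pct(len(counts)),
        "short_8_to_10_pct": pct(sum(8 <= len(pw) <= 10 for pw in passwords)),
        "lower_digit_only_pct": pct(sum(bool(LOWER_DIGIT_ONLY.match(pw)) for pw in passwords)),
        "default_password_uses": {pw: counts[pw] for pw in DEFAULT_PASSWORDS if counts[pw]},
        "reused_across_accounts": reused,
    }

if __name__ == "__main__":
    for key, value in analyse(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

On the real dataset the same three percentages came out at 6%, 42% and 27%; here they simply describe the constructed sample.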