A new report reveals that hackers are increasingly using avatars and brand impersonation to trick users into giving up their passwords. This sophisticated technique exploits popular cloud services like Gravatar to create convincing fake profiles that mimic legitimate services.
The number one security threat of our time is laid bare: credential harvesting by hackers using social engineering techniques. A newly published report has revealed how this threat has just gotten even more complex, with avatars and seemingly trusted apps being used in tandem to trick users out of their passwords.

Imagine sipping your morning coffee, scrolling through your inbox when a seemingly innocent ProtonMail message catches your eye. Now imagine that this isn’t your typical email but rather a password-harvesting attack. Yeah, but I use ProtonMail for the enhanced security it offers, and being a security-minded user, I wouldn’t fall for that. Or would I? Not so fast: according to Stephen Kowski, the field chief technology officer at SlashNext, hackers are leveraging a diverse array of cloud applications to steal passwords, including Gravatar. This is important because Gravatar manages avatars across the web, and, Kowski warned, “it’s become a prime target for cybercriminals.”

How so? By exploiting Gravatar’s Profiles-as-a-Service functionality, Kowski explained, attackers are creating convincing fake profiles that mimic legitimate services and, ultimately, trick users into giving up their passwords. “What sets modern credential harvesting apart is using unique, customized impersonations,” Kowski warned, as the use of generic, and so easier to spot, phishing tactics wanes. Instead, attackers are tailoring the fake profiles in use to better resemble the service they are mimicking. This is often done, Kowski said, through services that are not commonly known or protected against, such as Gravatar.

I reached out to Gravatar, which wanted to emphasize that it takes security extremely seriously and is able to confirm that when any abuse is reported, a dedicated team takes it down quickly. “Our unique Verified Services feature – something not found on other platforms – requires users to prove ownership of linked accounts through OAuth or similar authentication methods. This helps profile visitors to better verify if they can trust a profile and makes it more difficult for bad actors to impersonate legitimate services,” a Gravatar spokesperson said. The statement added: “We encourage all users to report any suspicious activity or profiles to our support team. We investigate all reports promptly as we work to maintain a trustworthy platform.”
SlashNext recommends that users apply the following mitigations to help prevent phishing attacks employing avatars and brand impersonation from being successful:

Verify URLs: Always check the URL of the page you're visiting. Ensure it matches the official website of the service you're using.

Be cautious with emails: If you receive unexpected emails requesting personal information, verify the sender's legitimacy before clicking any links.

Use strong, unique passwords: Strong, unique passwords for each of your accounts prevent attackers from accessing multiple services if one password is compromised.

Enable two-factor authentication: Adding an extra layer of security makes it harder for attackers to gain access, even if they have your password.

“By understanding the tactics used in credential harvesting and adopting robust security measures,” Kowski concluded, “you can protect yourself and your valuable information from falling into the wrong hands.” And that’s good advice when dealing with any phishing threat, whether it uses avatars or not.
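The “Verify URLs” advice above is simple to state but easy to get wrong by eye, because a link can carry the real brand name in a subdomain, in the part before an “@”, or in a lookalike spelling. The following Python script is an added example written for this article; it is not SlashNext’s or Gravatar’s code. It shows what a careful check of a link’s hostname against the service’s official domain looks like, using a constructed official domain (`service.example`) and a constructed email body, and it flags the common tricks that a glance at the address bar tends to miss.

```python
"""Check links in a message against the official domain of the service they claim to be from.

Added example for this article; the official domain, the email text and the
URLs are all constructed and use the reserved .example TLD.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only domains the genuine service uses.
OFFICIAL_DOMAINS = {"service.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def hostname_matches(hostname: str, official: str) -> bool:
    """True if hostname is the official domain or a subdomain of it.

    The leading dot matters: 'service.example.evil.example' ends with
    'service.example' only as a prefix, not as a suffix, so it is rejected.
    """
    return hostname == official or hostname.endswith("." + official)


def check_url(url: str, official_domains=OFFICIAL_DOMAINS):
    """Return (verdict, reason) for one URL; verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url.strip())

    # A genuine login page is served over HTTPS; anything else is a red flag.
    if parts.scheme.lower() != "https":
        return ("suspicious", f"scheme is {parts.scheme!r}, not https")

    # 'https://service.example@evil.example/' shows the brand first, but the
    # browser connects to whatever follows the '@'.
    if "@" in parts.netloc:
        return ("suspicious", "text before '@' is userinfo, not the real host")

    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return ("suspicious", "no hostname in URL")

    # Bare IP addresses are not how a consumer service presents a login page.
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "bare IP address instead of a domain name")
    except ValueError:
        pass

    # Internationalised labels can render as lookalike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("suspicious", "internationalised (non-ASCII or punycode) label in host")

    for official in official_domains:
        if hostname_matches(host, official):
            return ("ok", f"host {host} belongs to {official}")
    return ("suspicious", f"host {host} is not an official domain")


def scan_text(text: str):
    """Find every http(s) URL in a message and check each one."""
    return [(url,) + check_url(url) for url in URL_RE.findall(text)]


# Constructed sample message: one lookalike link, one genuine link.
EMAIL_BODY = """Your mailbox is almost full. Confirm your account within 24 hours:
https://service.example.account-verify.example/login
Or visit https://login.service.example/settings to manage storage."""

if __name__ == "__main__":
    for url, verdict, reason in scan_text(EMAIL_BODY):
        print(f"{verdict:10} {url}  ({reason})")
```

Running the script reports the first link as suspicious (the brand name sits in a subdomain of an unrelated domain) and the second as belonging to the official domain. The check deliberately stays on the hostname: display text, certificate details and redirect chains are separate questions, and a link that passes here still deserves the other three precautions in the list.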