Plus: A better news reader and 30 free AI tools
Plus: New Google goodies, a better news reader, and 30 free AI tools. |
When you think of computer hacking, it’s tempting to imagine a sophisticated cybercriminal exploiting the latest security holes to break through our devices’ defenses. |
The reality tends to be more mundane: Some of most devastating attacks arise from simple trickery. |
A friend of an Advisorator subscriber recently learned this the hard way. Seeking help with an Amazon Echo speaker, they wound up on a bogus Amazon support website, which in turn led to a call with a fake customer service representative. Before long, the attacker had full access to the victim’s computer using readily-available remote desktop software. |
After discussing the incident in Advisorator's Slack chat room, I thought it’d be worth sharing a few details on what went wrong and what can happen when the hackers prevail. Keep this info in mind for yourself, or share it with anyone who might find it useful. |
While I can't say exactly what happened in this particular incident, I found that one of the sponsored results for "alexa help number" included a link to a known scam site. Under the guise of providing troubleshooting software for Echo speaker users, the site shows a fake error message, then encourages visitors to provide a phone number for further assistance. |
What happens if you decide to trust one of these scam support lines? In the case of our victim, the scammer convinced them to install TeamViewer and AnyDesk, two programs that allow remote access to the user's PC. |
Remote desktop apps have plenty of legitimate uses—I use Chrome Remote Desktop to troubleshoot my Mac media server, for instance—but in the wrong hands, they can wreak havoc. In this case, the scammer performed the following on the victim's computer: |
- Purchased gift cards on nearly a dozen websites, presumably using stored credit card details.
- Installed Advanced Identity Protector, which is supposed to help users secure passwords and credit cards exposed on a computer, but in this case helped the attacker uncover them.
- Triggered password resets on various websites and created new accounts on several others.
- Searched Gmail for banking information and tried logging into the users' bank accounts (apparently with no success).
- Tried changing the user's Gmail password, but was foiled by security questions.
- Put up a fake error message screen to obscure this activity, disabled Windows' antivirus protections, and promptly moved password reset and fraud alert emails to the trash.
|
After about 90 minutes of this, the victim realized that something was amiss and shut the computer down, at which point our Advisorator subscriber was called in for damage control. |
There are two main considerations after an attack like this: Securing the user's online accounts, and cleaning the computer itself. |
For the former, that means going on a password reset spree. Our Advisorator subscriber had the smart idea to view Chrome's browsing history, which helped determine which sites the attacker had accessed. (In most browsers, history is easily accessible by pressing Ctrl/Cmd + H.) Resetting similar passwords on other sites would also be prudent, as would setting up a password manager and two-factor authentication. |
As for the computer, a handful of cleaning steps come to mind: |
- Windows has a neat tool called Reliability History that shows a day-by-day view of all installed software, appearing under the "Information events" header. (Thanks to Ed Bott for this excellent tip.) You can also use the "Add and Remove programs" menu to view installations by date.
- Mac users can view the Applications folder in Finder. Right-click the top of the folder and check "Date Added" for an option to sort by install date.
- Windows users can run an offline virus scan with the built-in Microsoft Defender software.
- Beware of potentially dangerous browser extensions as well. Visit chrome://extensions to see which extensions are installed, and remove any unrecognized ones, or consider resetting the browser entirely.
- A full factory reset will provide the most peace of mind, but only if you've fully backed up important data first.
|
If you take one thing away from all this, it's to always understand what you're clicking on. This is an underappreciated tech skill, given that even seemingly reputable companies try to trick folks into doing things they don't want to. Scammers are simply exploiting that same inattention for more nefarious purposes, so before you press the colorful button that claims to solve your problems, take a moment to consider whether everything's as it seems. |
Meanwhile, if you’ve been sagely nodding along with this article as someone who's often called in for help, try not to shame the victim. Look, I’m guilty of doing this too—sorry, Aunty J!—because it’s frustrating when seemingly obvious security advice gets ignored or unseen. But chances are the victim's embarrassed enough as-is, and even tech savvy folks aren’t immune to trickery. |
Got your own hacking horror story to share? Get in touch by replying to this email. |
Google news galore: Over the last week, Google made a slew of announcements across Chrome, Android, Workspace, and Photos. Let's round them up in short order: |
This is Google we're talking about, so some of these features will take weeks or months to actually arrive. But at least you'll be ready when they do. |
Scary Apple security stories: Last week, the Wall Street Journal ran a story about the dangers of having your iPhone PIN stolen. The gist is that a thief could snoop on your passcode—for instance, by looking over your shoulder at a bar, or with physical threats—then steal your phone. With phone and PIN in hand, they could then reset your Apple ID password to prevent a remote wipe, pay themselves with apps like Venmo, and access all your sensitive data. |
Over at 9to5Mac, Filipe Espósito has a helpful follow-up explaining what Apple should do in response, and how users can mitigate the risk. But simply being aware that this can happen in the first place may go a long way toward keeping your PIN safe. |
A better news reader: Artifact is a great new app for keeping up with the news, but you might not know it from the surrounding press hype. The app was created by Kevin Systrom and Mike Krieger, best known as the co-founders of Instagram, and some sites have billed it as a "TikTok for text" or "social news app." |
In reality, Artifact is just a simple app that takes the hassle out of deciding what to read. You pick a handful of preferred topics, and the app provides a feed of stories from reputable publications. It then learns more about your preferences over time, and you can always fine-tune the algorithm with a "show fewer" button for each story. |
Some folks might find Artifact to be too bare bones. You can't manually add publications or newsletters to the feed, and there's no "Read It Later" browser extension akin to Instapaper or Pocket. Those in need of more customizable news readers might look to Matter, Readwise, or Meco instead. |
But even in its current state, Artifact already feels more personalized to me than either Apple News and Google News. It's also a refreshing antidote to social media, scratching the same scrolling news feed itch as Instagram or Twitter, but at a lower emotional temperature. You can download it free for iOS or Android. |
YouTube Music's radio upgrade: YouTube Music has just improved its internet radio feature, letting you create custom stations with up to 30 artists, along with various filters to tweak the song selection. |
The new station creator is available for both free and paid subscribers. To find it, look for the "Your music tuner" heading in YouTube Music's iOS or Android apps. (Alternatively, read my previous newsletter on creating custom stations in Pandora.) |
Free AI tools to try: Over at Fast Company, I put together a list of 30 generative AI tools for creating text, audio, and images, all with some sort of free component. My personal favorites are the ones that can summarize existing content, such as Eighty (for YouTube videos) and SkimIt.ai (for text). Use this link if you hit a paywall. |
See also: This list of sites that determine whether the text you're reading was written by AI. |
Best Buy is currently offering store credit with the purchase of a few different gift cards: |
Note that the Apple card works with App Store subscriptions such as Apple Music and iCloud storage, so this is effectively free gadget money if you've got any ongoing subscriptions already. Same goes if you plan to take an Uber or stay at an AirBnB in the future. |
Thanks to the Advisorator subscriber (who asked for names to be withheld) for sparking this week's hacking discussion. To join the discussion yourself, head to the Advisorator chat room on Slack. It's a free benefit for subscribers, and a relaxing forum in which to talk tech with me and other friendly folks. |
Got questions for me? Just reply to this email to get in touch. |
This has been Advisorator, written by Jared Newman and made possible by readers like you. Manage your subscription by clicking here, or reply to this email with "unsubscribe" in the subject to cancel your membership. |
|
|