Security Advisory

Security Advisory – How to protect yourself from the security threat?

 

What is a Phishing scam? 

Phishing is a form of identity theft that attempts to trick you into revealing personal or financial information by getting you to visit a website or click on a link. Phishing attacks typically use phony websites or email messages that appear to be from trusted businesses and brands in order to steal personal information such as usernames, passwords and credit card numbers.

Phishing emails may also carry attachments that purport to be invoices, business accounting documents, user account information or other seemingly work-related files. When the attachments are opened, malware infects your computers or devices to steal personal information, as well as login credentials.

How to protect yourself?

  • Do not click on any suspicious link or open any attachment, as such links and attachments are the first clue of a phishing attempt.

  • Avoid downloading applications from unofficial third-party application stores.

  • Always ensure that you’re using a secure website when submitting personal or other sensitive information via your web browser.

  • Ensure your devices are updated with the latest anti-virus software, software security patches and have a personal firewall installed and activated.

  • Do not reveal your online login password, One-Time-Password (OTP) or hardware token details to anyone. (Note: Income will never ask you for your password for any reason.)



What is a Phone Scam?
There are recent scams targeting Singapore residents via interactive automated voice messages. The calls claim to be made from courier companies, banks or the police. If you receive an unexpected phone call from someone purporting to be an official from a bank, DHL, customs or the police, be wary as this could be a scam call.

In another variant of this scam, the caller might claim to be an employee or representative of a financial / banking institution, who then asks you – and even threatens you – to give them personal particulars such as your passport number, online login credentials or One-Time Password (OTP).

How to protect yourself?

  • Do not follow the caller’s instructions.

  • Refrain from giving online login details, credit card numbers, OTP codes from tokens or passport numbers to strangers over the phone.

  • If you have any information related to such crime, please call the Police hotline.



What is Malware?

Malware (short for “malicious software”) is considered an annoying or harmful type of software intended to secretly access a device without the knowledge of the owner. Once your computers or devices are infected, the malware will attempt to steal your login and authorization credentials (such as your password or one-time password (OTP)) or other personal information by altering the login flow of the Income website.

You should take precautions so that your devices are not infected by malware.

How to protect yourself from Malware:

  • Do not click on hyperlinks or open attachments provided in email messages from suspicious or unknown sources.

  • Avoid accessing unknown and unsecured websites.

  • Install and maintain the latest anti-virus software on your mobile devices / computer.

  • Secure your mobile device with a password, PIN or other relevant mechanism to prevent unauthorised use.

  • Do not reveal your online login password, One-Time-Password (OTP) or hardware token details to anyone.

  • Keep us updated with your current mobile number and email address so you are alerted to transactions or account activity.
     

Creating a strong password

  • Your password should comprise at least 8 alphanumeric characters with a mix of upper and lower case letters.

  • Use the passphrase method to create a password that is difficult for others to guess.

  • Do not choose a dictionary word as your password.

  • Do not reveal your password to anyone.

  • Do not store your passwords on your computer or write them down.

  • Change your passwords regularly.

  • Log out and clear the internet cache after all transactions.

Malware Alert: Beware of online malware

23 August 2016
Threat: Dridex

What does it do?

DRIDEX is an online malware that steals personal information through HTML injections. It mainly targets customers of financial / banking institutions. DRIDEX is delivered through macro-laden Microsoft Word (.docm) attachments in spam emails. If DRIDEX is downloaded and executed, hackers can hijack and steal your online credentials.

How to protect yourself?

  • Be vigilant when downloading files, programs, attachments, etc., especially when the file extensions are .exe, .js or other unfamiliar extension types. Downloads that seem strange or are from unfamiliar sources often contain malware.

  • Ensure your devices are updated with the latest anti-virus software, software security patches and have a personal firewall installed and activated.

  • If you suspect DRIDEX infection, change your online account passwords using an uninfected computer immediately.
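
For mail administrators, the delivery method described above (macro-laden Word attachments in spam emails) can be screened for before a message reaches the inbox. The script below is an added example, not part of the original advisory or Income's own tooling; the sample email, file names and function names are constructed for illustration, and the check is a heuristic based on the `vbaProject.bin` part that macro-enabled Office files carry.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Office Open XML extensions that are allowed to carry VBA macros.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")


def _office_zip(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Office-style ZIP, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample message with three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, macro in (("invoice.docm", True), ("statement.docx", True),
                        ("notes.docx", False)):
        msg.add_attachment(_office_zip(macro), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def flag_macro_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for attachments that can carry macros."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append((name, "macro-enabled extension"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # Catch macro content hidden behind a harmless-looking extension.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    findings.append((name, "contains VBA project"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_macro_attachments(build_sample_email()):
        print(f"QUARANTINE {name}: {reason}")
```
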

Mobile Malware Alert: Malware poses as security update

22 August 2016
Threat: Marcher

What does it do?

A new variant of the overlay malware Marcher is impersonating firmware security updates. The attack begins on a malicious web page that says that your device is vulnerable to viruses. You are urged to install a firmware update to prevent virus infection. When this fake firmware update is installed and granted administrative privileges, Marcher will overlay a fraudulent login page on top of legitimate mobile applications, asking for your login credentials or credit/debit card information.

How to protect yourself?

  • Only install or download mobile applications from trusted sources.

  • Read the permissions requested by every application before installing.

  • Perform regular backup of data stored in your mobile devices.

  • Never perform online activities over public Wi-Fi networks.

  • Ensure your devices are updated with the latest anti-virus software, software security patches and have a personal firewall installed and activated.

Mobile Malware Alert: Svpeng Android Malware

18 August 2016
Threat: SVPENG

What does it do?

SVPENG is a Trojan targeting Android devices that is downloaded via the Google AdSense advertising network. When you visit webpages with infected advertisements using your Android device, the Trojan will be downloaded and installed. SVPENG collects information from your mobile device such as your call history, text and multimedia messages, browser bookmarks and contacts.

How to protect yourself?

  • Only install or download mobile applications from trusted sources.

  • Read the permissions requested by every application before installing.

  • Perform regular backup of data stored in your mobile devices.

  • Never perform online activities over public Wi-Fi networks.

  • Ensure your devices are updated with the latest anti-virus software, software security patches and have a personal firewall installed and activated.

