The Kavalan Cyber Safety Newsletter

Cyber security and cyber hygiene spoken simple

(This newsletter contains links to external websites. Please review their terms of use and privacy policies before using those websites.)

October 2023 Edition

EXECUTIVE SUMMARY: Online shopping season is almost upon us and Maureen The Clean is getting MADD (Mothers Against Drive-by-Downloads) together to educate everyone on this easy way hackers can sit back and wait for us to come fall prey. Jake the Pedantic cares little for any of our cookies this Halloween season since he has found other spooky ways by which he can watch what we all do online. Meanwhile, Samuel the Harangued needs to react at extreme high speed to stop Aunt Mabry from clicking on that ad! Can seemingly harmless Discord chats get your kids to download malware? Read on for some of the real and active threats that are targeting our online lives this month!
Follow Us On Social Media For Weekly Cyber Safety Tips

Know Your Cyber Threats


Maureen The Clean

Drive-By-Download Attacks

You didn't click on any link, you didn't download anything from any site, you did not open any attachments in your emails but your device was still infected. Welcome to the world of 'drive-by-download' attacks! These attacks can happen by simply visiting a website - even ones we consider very safe!

How does this work? When hackers learn of a vulnerability that affects a very popular device (e.g. a specific model of phone or tablet), they create malware and inject them into popular websites and apps. If websites and apps allow ads to run on them from third parties, they could also use the ads to deliver the malware to your device without having to inject the website or app itself! Hackers know that some percent of the population that visits these websites and apps will do so on the targeted popular device and will fall victim to the attack.

What damage can they cause? Once they inject malware into your device, they can do anything including wiping it out, stealing your data or even using your device to attack others and making it look like the attack came from you.

Read how hackers compromised major online news outlets to install drive-by-download attacks.

drive-by-download attacks in the news

How to Protect Yourself?

Here are 2 things you can do to reduce your risk:
  • Update all of your devices and apps to the latest patches and security updates from the vendor. Very often vendors will find out about these attacks faster than you can and issue fixes for it. Your best defense is to install these fixes automatically.
  • It is important to use ad blocking not just inside your browsers and not just inside your laptop or desktop computers. You need whole home ad blocking protection like. Remember, each of us gets exposed to 1700 ads per month and one in 100 of those are malicious!! That means we each experience 17 cyberattacks a month just from internet ads.

'Cookies? No Thank You!'


Jake The Pedantic

Everyone knows about internet cookies and how they are used to track us online. The good news is that most companies are moving away from cookies due to various privacy laws and regulations around the world. The bad news is that they can track you anyway! Alternative techniques such as pixels, beacons, browser fingerprinting, canvas fingerprinting, audio fingerprinting, etc allow for companies to not just uniquely identify you but also know which exact device you are accessing their website or app from!

How do these new methods work?
Websites embed code from a pixel or beacon provider such as Facebook. The code downloads an invisible 1 pixel transparent image to your computer that track what you do on the website or app. The way the image is rendered reveals a lot of information about your computer. With audio fingerprinting, the way your device renders sound is akin to a unique signature and is used to uniquely identify your device. Many websites may use a combination of these capabilities. In other words, these techniques are invisible to the eye and not something you can disagree to like a cookie.

What can they learn about you using these technologies?

What can you do about it?

Unlike cookie consent notices, there is no way to reject this tracking on most websites. You can review the privacy policy of the website and see if there is a 'Do not track' request you can make. In addition, you can also see if the company will take 'Delete my data' or 'Do not sell my data' requests.

Aaargghh! with Samuel the Harangued

Malvertising = Advertising + Malware

Ads are everywhere on the internet. They are on websites, they are on apps, they are on streaming services, they are on online games. They show up as banners, pop ups, ticker tapes and more trying to grab our attention every which way possible. Each of us is exposed to 1700 ads a month and one in 100 is malicious i.e. clicking on them will install malware or take you to a scam site. By visiting a website or using an app, you reveal what kind of computer you are using and creative scammers create ads that mimic the messages you get from your computer to trick you into clicking on them. Internet ads also violate your privacy since the ad networks that deliver them collect and sell your information to other entities.

To protect yourself, it is not enough to use just browser based ad blocking. You need blocking across every website, device and app used in your home, which can only be provided by network based ad blocking tools like Kavalan.

The US Senate Committee on Homeland Security and Governmental Affairs conducted a full investigation back in 2014 on Online Advertising and Hidden Hazards to Consumer Security and Data Privacy. Their number one finding was that online ads expose consumers to malware!

read the full report

Threats and Breaches

A bug on a website, owned by the state of West Bengal in India, revealed the Aadhar numbers and copies of fingerprints of several citizens. In related news, theft of biometric fingerprints have resulted in bank accounts being emptied out.

Indian Aadhar  Numbers Leaked

Hackers are using compromised Discord accounts to direct message users and trick them into downloading a malicious file posing as a game that has the Lumma Stealer malware embedded. Users are enticed to review a game in return for rewards.

Lumma malware through Discord

Increasing number of Amazon Prime members are being targeted by scams that use phishing emails that trick them into believing their accounts have been suspended or have suspicious activity. Amazon has issued guidance on how to spot these.

How to spot an Amazon scam