This alert contains information about multiple vulnerabilities in Apple products, and about an increase in social engineering “gift card” scams.
The Center for Internet Security reports that multiple potential vulnerabilities have been found in the following Apple products:
- Apple Support for iOS (versions prior to 2.4)
- Safari browser (versions prior to 12)
- watchOS (versions prior to 5)
- tvOS (versions prior to 12)
- iOS (versions prior to 12)
The vulnerabilities could allow arbitrary code execution: an attacker who exploits them could run their own code in the context of the affected application and, from there, gain log-in privileges, bypass security restrictions, install programs, modify data, create new accounts and worse.
No exploitation of these vulnerabilities has been reported so far, but the potential risk is rated high or medium for businesses depending on their size.
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary measures:
- Ensure that all Apple security upgrades are installed for all Apple products. Apple released iOS 12 earlier this week, which contains patches for these vulnerabilities. Staff should be encouraged to upgrade as soon as possible.
- Enforce a mandatory upgrade policy for all office computers and mobile phones
- Ensure that all vendors and portfolio companies maintain similar security/upgrade policies for their devices
Gift Card Scam
A recent uptick in “gift card” scams has been noted. In this scam, bad actors impersonate an executive via email or text, and ask unwitting staff to urgently run to the store and buy gift cards “for customers.” They then ask staff to email or text them the gift card codes.
ACA Aponix Guidance
This scam bears the typical marks of social engineering, i.e., exploiting human factors to perpetrate a crime. ACA Aponix recommends taking the following precautionary measures to prevent social engineering scams:
- Beware of false urgency for unusual requests; if it feels odd, slow down and investigate further
- Always confirm unusual urgent requests via phone calls with known individuals; never comply by text or email alone
- Increase staff awareness of phishing and spoofing and how to recognize their signs
- Train staff to verify reply-to addresses in emails
- Educate staff that “saying no” to an executive is acceptable in circumstances where additional caution is warranted
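The reply-to and executive-impersonation signs listed above can also be checked automatically on inbound mail before a person ever sees it. The following is an added Python example, not code from ACA Aponix or from the alert; the corporate domain, the executive name list and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: the firm's own domain and its executives' display names.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = ("jane doe",)
URGENCY_TERMS = ("urgent", "right away", "asap", "immediately", "can't talk")

# Constructed sample: spoofed corporate "From", external Reply-To, and the gift card ask.
SCAM_MESSAGE = """From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: ceo.jane.doe@webmail.example.net
To: staff@example.com
Subject: Urgent - gift cards for customers

Are you at your desk? I need you to buy 5 gift cards for customers right away.
Scratch off the back and email me the codes. I'm in a meeting, can't talk.
"""
# Constructed benign message from the real executive, for comparison.
BENIGN_MESSAGE = """From: "Jane Doe, CEO" <jane.doe@example.com>
To: staff@example.com
Subject: Board deck draft

Attached is the draft deck for Thursday. Comments welcome by Wednesday.
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _plain_text(msg) -> str:
    # Collect text/plain bodies only; HTML parts and attachments are ignored here.
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def gift_card_scam_indicators(raw: str) -> list[str]:
    """Return the social-engineering indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_target = reply_addr or from_addr  # where a reply would actually be delivered
    text = (msg.get("Subject", "") + "\n" + _plain_text(msg)).lower()
    findings = []
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    exec_name = any(n in from_name.lower() for n in EXECUTIVE_NAMES)
    if exec_name and _domain(reply_target) != CORPORATE_DOMAIN:
        findings.append("executive display name but replies leave the corporate domain")
    if "gift card" in text and any(t in text for t in URGENCY_TERMS):
        findings.append("urgent gift card request in subject/body")
    return findings
```

A mail gateway or SOC triage script can quarantine or banner-tag any message that returns one or more findings, so the phone-call verification step above is triggered before staff act on the request.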
How ACA Aponix Can Help
ACA Aponix offers solutions that can help protect your firm from social engineering scams, digital vulnerabilities, and related cybersecurity risk. These solutions include:
- Phishing testing and cyber awareness training
- Threat intelligence monitoring and alerts
- Policies, procedures, and governance development and implementation assistance
- Vendor diligence and management outsourcing services
For More Information
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.