Cyber Security Today, July 22, 2022 – Five-character passwords allowed, PayPal used by scammers and more

Five-character passwords are good enough for some businesses, PayPal is being used by scammers, and more.

Welcome to Cyber Security Today. Today is Friday, July 22, 2022. I’m Howard Solomon, contributing cybersecurity reporter for

A number of companies and online services still have password policies whose minimum standards allow passwords that can be easily cracked. That’s the claim of a Stockholm-based company called Specops Software, which makes password management solutions. I haven’t been able to confirm the claim, but it alleges that an e-commerce company and an enterprise customer support software provider allow users to create passwords as short as five characters. By contrast, the U.S. National Institute of Standards and Technology recommends that passwords be no shorter than eight characters, and it also encourages creating longer passwords. Specops also says it has found several large companies that allow customers to use multi-factor authentication voluntarily as additional protection against password theft, but don’t make it mandatory. Most experts agree that token-based multi-factor authentication is vital for protecting businesses today.

Scammers are using PayPal to trick employees into paying fake bills and to steal their passwords. According to researchers from Avanan, scammers create an account on PayPal and then use its features to create fake but realistic-looking invoices from well-known companies. One appears to be from security company Norton. The victim is hooked either by paying the bill or by calling the phone number on the fake bill. The scam works because many email gateways allow messages and attachments from PayPal through. Earlier this year, Avanan reported a similar scheme involving the abuse of free QuickBooks accounts set up by scammers. Employees should be trained to check every email they read for suspicious signs. Anyone who is not expecting an invoice should report it to the appropriate person in their organization.

Finally, there is a new version of the QakBot malware circulating. Fortinet researchers say one of the ways it is spread is by victims clicking on an infected attachment. The attachment looks like an HTML file because it comes with a browser icon. It downloads a compressed ZIP folder containing a file that has a Microsoft Write icon. The attacker may be hoping this tricks the victim into thinking the file is safe. Instead, it runs the QakBot malware, which steals sensitive data. Employees should be warned that unexpected HTML attachments should be treated the same as any other unexpected attachment: with great suspicion.

That’s it for this morning’s podcast. But later today the Week in Review edition will be available. It will feature a discussion with Terry Cutler of Montreal’s Cyology Labs about this month’s internet and cellular network failure at Rogers Communications, and a report on the scope of the Log4j vulnerability.

Links to podcast story details are in the text version on

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.