Device Code Phishing

Don’t Fall for Device Code Phishing!

The Latest Trick from Cybercriminals

Cybercriminals never stop innovating, and their latest scam targets something you might not expect: the login process on your smart TVs, streaming devices, and even workplace tools. It’s called device code phishing, and it’s designed to trick you into handing over your login credentials through a process that looks completely legitimate.

Here’s what you need to know to stay safe.

What Is Device Code Phishing?

You’ve likely seen it before: a screen on your device that says something like,

“Visit example.com/activate and enter this code to sign in.”

This is known as a device authorization flow, and it’s a normal part of logging into apps on devices that don’t have a keyboard. It’s used by Netflix, Microsoft 365, Google, and more.

But now, attackers are copying that process to phish for your login info. Instead of a real activation page, they set up fake websites that look like the real thing, hoping you’ll enter your code and credentials.

Once you do, they instantly use those credentials on the real service to hijack your account.

How Does the Scam Work?

  1. You’re prompted with a real-looking activation screen. It may appear on a smart TV, streaming device, or even through a pop-up in a phishing email.
  2. You visit the link and enter the code. But instead of going to a real site like hulu.com/activate, you’re sent to something like hululogin-verify.com, which is a site controlled by hackers.
  3. They capture your login info. And now they have access to your streaming account, cloud tools, or even work systems.

Why It’s So Dangerous

  • It looks totally legit. These scams mimic real services and processes you trust.
  • It bypasses traditional phishing defenses. Since the actual login happens on a separate device, you might not even realize something went wrong.
  • It can lead to serious data breaches. If they get into your work or personal accounts, they may access sensitive info, financial data, or worse.

How to Protect Yourself

  • Double-check all URLs. Legitimate activation links should be short and familiar (e.g., netflix.com/activate, not netflix-support.tv).
  • Don’t scan QR codes or follow links from unexpected sources. Always verify directly on the device.
  • Use multi-factor authentication (MFA) such as Duo by Cisco. Even if attackers get your password, MFA can stop them cold.
  • Stay skeptical of pop-ups. Especially if they appear out of context or ask you to act fast.
  • Educate your family and employees. The more people who recognize this scam, the less damage it can do.
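For teams that want to automate the "double-check all URLs" tip, for example in a mail filter or a help-desk tool, here is one way to write the check. This is an added example, not Citynet's code; the allowlist and the sample links are constructed for illustration, and the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts that a device's real activation screen displays.
# Replace with the hosts your own services document.
TRUSTED_ACTIVATION_HOSTS = {"netflix.com", "hulu.com"}

def check_activation_url(url, trusted=TRUSTED_ACTIVATION_HOSTS):
    """Return (ok, reason) for a link that claims to be an activation page."""
    if "://" not in url:
        url = "https://" + url  # bare "hulu.com/activate", as shown on a TV
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if has_userinfo:
        # In "https://netflix.com@other.tv/", the site is other.tv.
        return False, "text before '@' is not the site"
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "non-ASCII or punycode host: " + host
    for good in trusted:
        # Exact match or a true subdomain; a trusted name that merely
        # appears somewhere inside the host does not count.
        if host == good or host.endswith("." + good):
            return True, "host matches " + good
    return False, "host not on the allowlist: " + host

# Constructed samples built from the lookalike names mentioned in this post.
SAMPLES = [
    "netflix.com/activate",
    "https://www.hulu.com/activate",
    "hululogin-verify.com/activate",
    "https://netflix-support.tv/activate",
    "https://hulu.com.hululogin-verify.com/activate",
    "https://netflix.com@netflix-support.tv/activate",
    "http://netflix.com/activate",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_activation_url(link))
```

The comparison runs on the parsed host name rather than the raw text of the link, which is why the last three samples fail even though each contains a trusted name.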

Citynet’s Commitment to Your Security

At Citynet, we know that awareness is your first line of defense against cyber threats. That’s why we regularly share information about the latest scams and security tips, like device code phishing, on our blog and on Facebook and LinkedIn.

For businesses, we go a step further. Our CyberSuite includes powerful tools like security awareness training from KnowBe4, helping your team spot and avoid threats before they cause harm.

If your organization is ready to get serious about cybersecurity, Citynet is ready to help.

Watch Out for Browser-in-Browser Attacks: The Pop-Up That Isn’t What It Seems

Cybercriminals never stop devising new tricks, and one of their latest is so convincing that it can fool even the savviest internet users. It’s called a Browser-in-Browser attack (or BiB attack), and if you’ve ever clicked a login pop-up while signing into a website, you could be a target.

What is a Browser-in-Browser Attack?

Many websites let you log in using a service like Google, Microsoft, or Facebook. You click a button, a login pop-up appears, and you type in your password. Simple, right?

But with a Browser-in-Browser attack, that login window isn’t real; it’s a fake window designed to look exactly like the real thing. The attacker builds a lookalike login box directly inside the web page, tricking you into entering your real credentials.

Once you hit “Submit,” your login details are instantly sent to the attacker, giving them access to your account.

How Can You Tell If a Pop-Up Window Is Fake?

Detecting a BiB attack takes a sharp eye, but these signs can help:

  • Examine login windows closely
    If the design, wording, or layout looks even slightly off, pause. Something may be wrong.
  • Test the window’s behavior
    Try to resize, minimize, or drag the window off your screen. If it doesn’t behave like a normal browser pop-up, it may be a fake.
  • Check the URL
    Real login windows come from the official site. If you’re unsure, open a new browser tab and log in directly; never trust a pop-up you weren’t expecting.

How to Stay Protected

  • Use Multi-Factor Authentication (MFA)
    MFA adds an extra step to your login process, making it much harder for attackers to break in, even if they steal your password.
  • Avoid third-party logins
    It may be convenient to sign in with your Google or Facebook account, but it creates a single point of failure. If one account is compromised, everything connected to it is at risk.
  • Use a password manager
    A password manager can help you create and store strong, unique passwords for every site and app, without having to remember them all.
  • Never reuse passwords
    Repeating the same password across sites is risky. One breach can give attackers access to your entire digital life.
  • Keep your software up to date
    Browser and OS updates often include critical security patches that help protect against attacks like BiB.

Stay Sharp, Stay Safe

Browser-in-Browser attacks are clever, convincing, and becoming more common. But with awareness and a few smart habits like using strong, unique passwords and avoiding third-party logins, you can stay one step ahead.

At Citynet, we don’t just connect you, we help protect you. Whether you’re a home user or running a business, we’re here with real solutions to keep your digital life secure.

Spring Tech Tips 2025

Time to sweep out the cobwebs – digitally! These spring tech tips will help you declutter your devices, strengthen your security, and start the season fresh.

Clear Out Digital Clutter

  • Remove unused apps and files: Free up space on your devices by deleting what you no longer need.
  • Clean your browser cache and history: Speed up your browsing and protect your privacy.
  • Declutter your online storage: Delete duplicates, old emails, and unused subscriptions.
  • Tidy up your inbox: Archive or delete emails you no longer need.
  • Organize your desktop: Group files into folders to reduce digital chaos.

Stay Updated

  • Install the latest software and security updates: Protect yourself with current patches and features.
  • Update your browser and apps: Stay fast and secure with the newest versions.

Strengthen Your Security

  • Change your passwords regularly: Prioritize accounts with sensitive info.
  • Use a password manager: Create and store strong, unique passwords for each account.
  • Turn on two-factor authentication: Add an extra layer of protection.

Physically Clean Your Devices

  • Wipe screens with a microfiber cloth: Use distilled water or a screen-safe cleaner.
  • Use compressed air on your keyboard: Blow out dust and crumbs.
  • Clean ports and connectors: A soft brush or cotton swab does the trick.

Organize and Back Up

  • Reorganize cloud storage: Create folders to keep files easy to find.
  • Delete what you don’t need: Ditch digital clutter you’ve been ignoring.
  • Back up important data: Use an external drive or secure cloud backup.

Know someone who could use a digital spring cleaning? Be sure to share this page with them!

Citynet Connects, Protects, and Perfects!

The Rise of Malvertising

What You Need to Know...and How to Stay Safe

You’ve probably done it a hundred times: typed something into Google, clicked on the top result, and gone about your day. But what if that top result wasn’t what it seemed? What if it was dangerous?

Welcome to the new world of malvertising – a growing threat that’s catching both everyday users and businesses off guard.

What Is Malvertising?

Malvertising (short for malicious advertising) is when cybercriminals pay to place ads that look legitimate – but secretly deliver malware, phishing links, or spyware. These ads often appear on trustworthy sites, including search engines like Google, where you’d expect the content to be safe.

The scary part? You don’t even need to visit a sketchy website anymore. Hackers are buying ad space in all the usual places you go – making it harder than ever to tell the difference between safe and suspicious.

Why It’s a Bigger Deal Now

Recently, cybersecurity experts have seen a surge in malvertising on Google Search. These ads are designed to look exactly like real search results, often impersonating popular brands or software tools like Zoom, Adobe, Slack, or even banking websites.

Once clicked, the ad might:

  • Take you to a fake login page that steals your credentials
  • Download malware disguised as a legitimate app
  • Lead to a phishing site designed to trick you or your employees

What This Means for Casual Users

For everyday internet users, the danger lies in speed and habit. We’ve all learned to click the top result when searching. But if that result is a malicious ad? You could be compromising your personal information with just one click.

Tips to protect yourself:

  • Pause before clicking ads – Look for the tiny “Ad” label in search results.
  • Type in official URLs manually – Especially when visiting banks or downloading software.
  • Use an ad blocker – While not foolproof, it can reduce exposure to malicious ads.
  • Keep your system updated – Software patches often fix vulnerabilities that malware exploits.
  • Have antivirus and anti-malware tools running – And make sure they’re current.

What This Means for Business Users

For businesses, the stakes are even higher. One careless click from an employee could:

  • Infect your network with ransomware
  • Open the door to a data breach
  • Compromise client or financial information
  • Damage your reputation and bottom line

Citynet recommends the following for business protection:

  • Security Awareness Training – Make sure your team knows how to spot and report suspicious ads and phishing attempts.
  • Use Secure DNS & Filtering Tools – These can block malicious sites before the browser even loads them.
  • Implement Email & Web Gateways – Filter inbound threats from both search and email sources.
  • Keep Endpoints Monitored & Patched – Vulnerable devices are easy targets.
  • Partner with a Managed Security Provider – Like Citynet! We offer cybersecurity solutions tailored to West Virginia businesses, with local support you can trust.

Final Thoughts: Trust, But Verify

Search engines are still useful – but the days of blind trust are over. Whether you’re searching for a recipe or running a small business, the threat of malvertising is real and growing.

At Citynet, we’re committed to keeping you connected, protected, and informed. If you have questions about cybersecurity or want to learn how we can help safeguard your home or business, reach out to us today.

Citynet connects. Citynet protects. Citynet perfects.