Scam of the day – December 9, 2016 – Celebrity hacker sentenced

December 8, 2016 Posted by Steven Weisman, Esq.

Since 2014 I have been reporting to you about a string of celebrity hackings in which nude photos, videos and other personal material were stolen by a number of different hackers who have been caught, put on trial and sentenced.  The latest celebrity hacker to be convicted for his crimes is Alonzo Knowles who hacked into the emails of various celebrities and athletes from whom he stole not just nude photos and videos, but also unreleased movie and television scripts, unreleased music and financial documents all of which he tried to sell for profit.  Knowles pleaded guilty and his attorneys asked for a sentence of fourteen months in prison.  Instead the judge sentenced him to five years in prison which was considerably more than the recommended federal sentencing guidelines of 27-33 months.  Contributing to the larger sentence was the fact that while in prison awaiting sentencing, Knowles used the monitored prison email system to send out emails in which he bragged about his plans to write a book including photographs in which he would expose the secrets of his victims.  For a sophisticated cybercriminal, this was an incredibly stupid action that showed a lack of remorse to the sentencing judge.

TIPS

Knowles managed to hack into the email accounts of his victims by first targeting friends of his victims.  He identified friends of his victims through photographs appearing on line and then hacked into the email accounts of these people, taking control of the accounts, gathering personal information including telephone numbers from the accounts and then emailing his celebrity targets with spear phishing emails that enabled him to get information from the celebrity victims.   You may remember that the fact that Hillary Clinton was using a private email server while acting as Secretary of State was disclosed not by a hacking of her email, but by a hacking of the email account of one of her advisers, Sidney Blumenthal.

This case serves as another reminder of the important cybersecurity steps we all need to take, particularly in regard to using email.  For personal emails you may wish to use a separate email account than the one you use generally that may be more easily discovered.  You should also use a security question that is not easily guessed or obtained through research.  Colin Powell and many others became victims of email hacking because their security questions were easily guessed enabling the hacker to change their passwords.  I suggest using a nonsensical answer to the email question, such that if the question is what is the maiden name of your mother, you indicate something totally unrelated, such as “firetruck.”  Another option, as cleverly suggested by a regular Scamicide reader is to just add some digits at the end of the answer so, for example, your mother’s maiden name could be “Smith1234.”

It is also important not to store sensitive data in your email folder.  To protect yourself from hackers, you may wish to both encrypt sensitive information on your computer and store it in a portable USB hard drive to protect it from ransomware attacks.  It is important to recognize that anytime you are asked for personal or sensitive information in an email, you can’t be sure if the person contacting you is someone you know and trust or whether their email account had been hacked as was done in this case so never provide personal information in response to an email or text message unless you have confirmed the identity of the person contacting you.   Trust me, you can’t trust anyone.

Dual factor authentication for all accounts where you may have sensitive information is also important.

 

Scam of the day – December 8, 2016 – Holiday online shopping scams

December 8, 2016 Posted by Steven Weisman, Esq.

Imagine Andy Williams singing, “It’s the Most Wonderful Time of the Year” and it may indeed be the most wonderful time of the year for many people, but it is not so wonderful if you have been scammed by cybercriminals who really do find the holiday shopping season to be the most wonderful time of the year – for them.   I received an email today showing me how I could get iPads and iPhones at 90% discounts by clicking on links and ordering them online.  If I had clicked on the links, all I would have succeeded in doing would have been paying electronically for goods that I never would have received.  Meanwhile, by clicking on the links, I also would have run the risk of unknowingly downloading keystroke logging malware that could have stolen all of the information from my computer, such as my Social Security number, credit card number and other financial data and made me a victim of identity theft.

People also get in trouble when they go to phony websites that appear to be those of legitimate retailers and turn over their credit card information to a scammer and never get the goods they think they are purchasing.

TIPS

If an offer sounds too good to be true, it usually is.  Scammers always pick the most popular and expensive items to lure people into sending them money for goods that never are delivered.  Never click on links in emails, tweets or text messages unless you are sure the communications are legitimate and it is hard to do so without calling the legitimate company because even if it truly appears to be coming from a legitimate person or entity, their email, twitter, or smart phone may have been hacked into and the communication you receive is from a scammer.  Only deal with companies that you know are legitimate and confirm that you are actually on a legitimate website because phony websites can look quite good.

As for online shopping websites, there are a few ways you can determine whether or not a shopping website is legitimate or not.  First, find out who actually owns the website. Websites such as http://lookwhois.net/ will enable you to merely put in the URL and see who actually owns the website you are considering using for shopping.  If it doesn’t match the  legitimate company that you think you are doing business with, you will know to stay away.  Also, call the company at a telephone number you know is legitimate to confirm the precise website URL that they use.

Scam of the day – December 7, 2016 – Gift card scams

December 7, 2016 Posted by Steven Weisman, Esq.

Buying a gift card as a gift is both an easy way to purchase a gift for someone and a good way to make sure that the gift is something that the receiver of the gift can actually use and enjoy.  It definitely is a win-win situation.  However, scammers are always present to take any good thing and turn it into a scam.  Scammers will go to racks of gift cards and using handheld scanners that are easy to obtain, they read the code on the strip of the card and the number on the front.  They then put the card back in the display and then periodically check with the retailer by calling its 800 number to check on whether the card has been activated and what the balance is on the card.  Once they have this information they can either create a counterfeit card using the information they have stolen or order material online without having the actual card in hand.

TIPS

When buying a gift card, only purchase cards from behind the customer service desk and if the card is preloaded, always ask for the card to be scanned to show that it is still fully valued.  Some retailers, in an effort to reduce gift card fraud, will also put a PIN on the gift card so that if the card is used online, the user must have access to the PIN which is generally covered and must have the covering material scratched off in order to be visible.  Unfortunately, many purchasers of gift cards are not aware of this so they don’t even notice that the PIN on the card that they are purchasing has already had the covering material scratched off by the scammer who has recorded the PIN.

Scam of the day – December 6, 2016 – Latest security updates from the Department of Homeland Security

December 6, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates from the Department of Homeland Security includes critical updates to the Android system used by millions of smartphones.

TIPS

Here are the links to a list of all of the recent security updates as posted by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB16-340

Scam of the day – December 5, 2016 – Online credit card fraud increasing

December 4, 2016 Posted by Steven Weisman, Esq.

Anti-fraud company Iovation is reporting that credit card fraud for online shopping during the first shopping weekend of the holiday shopping season that began on November 25th increased by 20% over last year and 34% over 2014.  This is not surprising because safer EMV credit cards with a chip that issue a new authorizing code every time the card is used cannot use the chip capability when shopping online,  leaving them more vulnerable to hackers accessing the victim’s credit card number which can then be used by the criminal for online purchases.  Victims may become victims of this type of identity theft through either security weaknesses in their own devices or at websites where they shop.

TIPS

This year 55% of online shoppers used their smartphones and other portable devices to make their online purchases and while many people have security software installed and regularly updated on their computers, many people do not take the same type of precautions with their smartphones or other portable devices, leaving them in greater danger of being hacked.  The key is to protect all of your devices with security software and keep it updated to protect you from the latest strains of malware as well as to prevent the malware from ever being installed on your devices.  The best thing you can do to prevent the malware from becoming installed on your devices is to never click on links in emails or text messages unless you have absolutely confirmed that the communication and the link are genuine.  Clicking on tainted links in specifically tailored spear phishing emails and text messages are still the most common method that malware is spread.

It is also important when shopping online to use your credit card rather than your debit card.  The consumer protection laws are stronger in regard to credit cards than debit cards and the inconvenience of having your debit card hacked is much greater than the problems you encounter when your credit card is hacked.

Scam of the day – December 4, 2016 – International law enforcement thwarts cybercrime ring

December 4, 2016 Posted by Steven Weisman, Esq.

After four years of intense investigation a group of international law enforcement agencies from thirty countries led by the German prosecutors have broken a huge cybercriminal network known as “Avalanche,”  arresting five people, seizing five servers and more than 800,000 Internet domains. Avalanche had been in existence since 2009 during which time it leased its services to other cybercriminals to enable them to create botnets of hacked computers to distribute  a variety of malware including ransomware as well as malware used to access victims’ bank accounts.    Millions of dollars were stolen through the Avalanche network.  Prior to its operations being stopped, Avalanche networks sent out more than a million malware infected emails every week and infected new computers at a rate of 500,000 every day.  If you did not lose money as a direct result of being a victim of the Avalanche network, your computer still may have been hacked and made a part of the botnets used by the cybercriminals using the Avalanche network.

TIPS

Perhaps the best aspect of the breaking of the Avalanche network is the fact that international law enforcement from thirty countries were able to work together in a concerted effort to apprehend the cybercriminals and break down their criminal enterprise.  The defeat of cybercrime will require continued international cooperation in order to be successful.

But what does Avalanche specifically mean to you?

With so many millions of infected computers around the world, there is a good chance that your computer could have been infected and made a part of the botnets created and used by Avalanche.  Federal authorities are recommending that you immediately perform security scans of your computers and other electronic devices to determine if your devices were infected and to remove any infections found.  The Department of Homeland Security suggested, without endorsing any particular company, the following free software security programs that you can use to determine if your computer is safe or not.  It is also important to note that Avalanche only infected computers using the Windows Operating System.

Here are links to security programs you can use:

https://www.eset.com/us/online-scanner/

https://www.f-secure.com/en/web/home_global/online-scanner

http://www.mcafee.com/us/downloads/free-tools/index.aspx

https://www.microsoft.com/security/scanner/en-us/default.aspx

https://security.symantec.com/nbrt/npe.aspx?&OpenDocument&src=npe&type=npe

http://housecall.trendmicro.com/

December 3, 2016 – Steve Weisman’s latest column for USA Today

December 3, 2016 Posted by Steven Weisman, Esq.

A recent Harris Poll indicated that 39% of Americans would give up sex for a year in return for cybersecurity.  Here is a link to my latest column for USA Today in which I describe some simple steps you can take to increase your cybersecurity without having to give up sex.

http://www.usatoday.com/story/money/columnist/2016/12/03/sex-cybersecurity-hmm-thinking/94548126/

Scam of the day – December 3, 2016 – Implications of Saudia Arabian hacking

December 3, 2016 Posted by Steven Weisman, Esq.

It has just been disclosed that unidentified hackers, thought to be Iranians, hacked into and destroyed thousands of computers at six Saudi Arabian government agencies including its General Authority of Civil Aviation.  This attack echoes a previous  2012 cyberattack thought to be the work of Iranian hackers that wreaked havoc on the Saudi state oil company Saudi Aramco and in fact both attacks used the same malware called Shamoon.  The malware was installed using passwords that appear to have been accessed through spear phishing emails. This escalation of cyberwarfare is indeed troubling.

TIPS

It is well established that the infrastructure of the United States including banks and a dam in New York were targeted by Iranian hackers in recent years.  The lesson for governments, companies and individuals from this latest Saudi hacking is clear.  Much greater attention has to be given to cybersecurity.  The fact that the same Shamoon malware that was used in 2012 was able to be effectively used again is an indictment of the failure of the Saudis to implement updated security software that might have thwarted this attack.  Further, as we have seen time after time, the malware appears to have been downloaded through simple spear phishing in which a Saudi employee clicked on an infected link.  Better anti-phishing analytics security software should have been used and the employees should have been better trained to avoid clicking on links in emails unless they have been confirmed to be legitimate.  There are other steps that can and should be taken as well, but these two are the best and easiest to implement.

Scam of the day – December 2, 2016 – FTC settles with debt relief scammers

December 2, 2016 Posted by Steven Weisman, Esq.

A group of defendants including Steven D. Short and his wife Karissa L. Dyer  have settled Federal Trade Commission (FTC)  charges that they operated a scam debt relief business.  Under the terms of the settlement the defendants are barred from conducting debt relief services in the future and must also surrender assets frozen by the court while the charges were pending.  The scam originated with a phone call to victims in which the defendants identified themselves as “card services,” “credit services” or “card member services.”  They represented that they were doing business with the victims’ credit card companies and promised the victims that they would reduce the victims’ credit card interest rates and reduce the amount that they owed within 90 days for a fee of between $500 and $1,500.  In addition,  they promised  a full money back guarantee if there were not successful.  Unfortunately, it was all a scam and no one got anything in return for the money they paid to the scammers nor did anyone receive a refund.  The scammers managed to steal more than 12 millions through this scam.

TIPS

You should never give personal information such as credit card numbers or Social Security numbers to someone who calls you on the phone because you can never be sure who is really on the other end of the line.  Even if your caller ID indicates the call is from a legitimate source, your Caller ID can be manipulated through a technique called spoofing to make it appear that the call is legitimate when it is not.

While there are some companies that provide debt relief services for a fee, the law requires that you not be required to pay any fee before your credit card rate is reduced or your debt lowered. Some of the legitimate debt relief companies may require you to deposit money into a special bank account to be administered by an independent third party who will charge you a reasonable fee for paying funds from your account to your creditors and the debt settlement company after settlements have been reached.  Generally, you are better working directly with your credit card company to restructure your debt or using the services of the legitimate American Consumer Credit Counseling, a non-profit corporation that can help you with debt relief.

Scam of the day – December 1, 2016 – Capital One online banking phishing scam

December 1, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email that download malware or  trick you into providing personal information that will be used to make you a victim of identity theft, are nothing new. They are a staple of identity thieves and scammers and with good reason because they work.   The Capital One phishing email reproduced below uses the common ploy of indicating that the bank needs you to update personal information for security purposes.   As phishing emails go, this one is not too bad, but it does have some telltale flaws.   Although the email address from which it was sent appears to be legitimate, upon closer examination you can determine it is not an official email address of Capital One.  Also, the email is not directed to you by name and does not contain your account number in the email.

TIPS

Obviously if you do not have an account with Capital One bank, you know that this is a phishing scam, but even if you do have an account with this bank, there are a number of indications that this is not a legitimate email from Capital One,  but instead is a phishing email.  Legitimate banks would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number  for your bank where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to purchase phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Capital One to trap you if you make a mistake in dialing the real number.

DO NOT CLICK ON THE LINKS IN THE PHISHING EMAIL REPRODUCED BELOW

About your Capital One® account.
As part of our continuing effort to ensure we provide adequate security for your Online Banking.
We’re providing this update notification for your account security.
We need you to certify your account immediately to avoid third party access.
Please visit here to complete verification process.
Thanks for choosing Capital One® Online Banking