Scam of the day – April 22, 2014 – Postmortem on the data breach of Michaels

April 22, 2014 Posted by Steven Weisman, Esq.

Arts and Crafts store Michaels recently issued a new report telling us all what we already knew, which was that between May 8, 2013 and February 27, 2014, Michaels and a subsidiary named Aaron Brothers were hacked by cybercriminals who stole credit and debit card information of 3 million of their customers.  At the end of 2013 and the beginning of 2014 we became aware of similar data breaches at Target and Neiman Marcus as well.  Although these are the large data breaches that made the news, the FBI has indicated that more than twenty retailers were hacked and there may be more that we have not even discovered yet.  In fact, many hackers now are focusing their attentions on smaller retailers whose security may not be as good as larger retailers.  In the data breaches of Michaels, Target and Neiman Marcus the malware used is called POSRAM Trojan which is a memory scraper that steals the information from the magnetic strips of credit cards and debit cards when it is swiped through the terminal before it is encrypted for transfer.  In the Target breach and many others, investigators are finding that the malware is put into the victim’s computer systems through initially hacking into the computers of third party vendors that have access to the computer systems of the larger stores.  In the case of Target, it was their heating and air conditioning company that was the victim of the initial hacking that enabled the hackers to, in turn, get access to Target.

So what can you do?  How do you defend yourself?

TIPS

The first thing to remember is to limit your use of debit cards to ATM machines.  Debit cards do not provide the same consumer protection from liability that credit cards do and even when they do, it is more time consuming and inconvenient to straighten out your debit card account when you are the victim of a hacking.  When retailers finally get around to implementing the EMV chip technology used everywhere else around the world, the type of hacking we saw used against Target, Michaels and Neiman Marcus will no longer be effective, but until then, you have to recognize that regardless of how careful you are when you use your credit card, you are in danger of identity theft.  Make sure that you check your credit card balance often to recognize early on if you have become a victim.  Meanwhile, retailers have got to start doing a better job of isolating the parts of their computer systems that deal with processing credit and debit cards.  Presently they are just too easy to hack.  Finally, retailers have got to get better at educating their employees about clicking on links and downloading attachments in emails that promise games, videos, music and pornography that entice employees to download the malware used to effectuate these hacks.

Scam of the day – April 21, 2014 – IRS misses Windows XP deadline

April 21, 2014 Posted by Steven Weisman, Esq.

It has been six years since Microsoft informed its customers that it would no longer support the Windows XP operating system, thus giving its users plenty of time to install a newer operating system, such as Windows 7.  Without continuing technical support, the Windows XP operating system will be dramatically vulnerable to hackers exposing flaws in the program to the detriment of stubborn people still using this program.  This is not a matter of Microsoft being greedy.  It is merely a reflection of the fact that Windows XP is too old in terms of computer software and just like after a while it becomes advisable to buy a new car instead of pouring money into repairs for an old car, it is prudent to move to another and better operating system.  It is unfortunate that many banks in the world that use Windows XP to operate ATMs and many government agencies that also use Windows XP failed to act before the April 8, 2014 deadline for Microsoft no longer providing updates.  What many of these companies and the IRS (yes, the IRS) are now doing is paying for short term support of Windows XP until they make the change over to a newer operating system.  The failure to act in a timely manner is  needlessly costing these companies and government agencies large amounts of money.  If they had merely acted in a timely manner, they would not have to be paying for these emergency services.  In a Congressional hearing last week numbers between $500,000 and $30 million dollars were tossed about as the additional cost incurred by the IRS due to their lateness in acting.  This is inexcusable.  Hackers have already been taking advantage of vulnerabilities in Windows XP to steal from ATMs and there is concern in some circles that government agencies such as the IRS may find problems due to their delay in updating their operating systems.

TIPS

Here is a warning to banks and government agencies including the IRS:  Microsoft has indicated that it will no longer do security updates for Windows 7 in January of 2020.  Don’t make the same mistake twice.

What do you think will happen?

Scam of the day – April 20, 2014 – Malware infected email

April 19, 2014 Posted by Steven Weisman, Esq.

Hardly a day goes by that I don’t receive a number of email scams and I am sure you are receiving the same or similar ones.  Today’s scam of the day comes from an email that came with the message line “Wire Payment Transfer Confirmation.”  Here is a copy of the email:

"I am glad we were able to resolve the issue with the payment. I have attached
the confirmation slip from the completed wire of $13,700 into your designated
account. Please view the slip attached and get back to me ASAP.
Regards.
Weber Green"

Attached to the email was what was indicated to be a confirmation slip from a wire transfer.  Curiosity killed the cat and it can also infect your computer.  Scams like this appeal to your curiosity.   Don’t give in because if you download the attachment all you will succeed in doing is downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.

TIPS

Never click on links in email or download attachments unless you are absolutely positive that they are legitimate.  I have never done business with someone named Weber Green so why would I download an attachment from him?  Even if an email appears to be legitimate, you should always confirm that it is real before ever considering downloading an attachment or clicking on a link.  Also, make sure that you have up to date anti-virus and anti-malware software on your computer and other electronic devices.

Scam of the day – April 19, 2014 – Electricity termination notice scam

April 19, 2014 Posted by Steven Weisman, Esq.

Pennsylvania Attorney General Kathleen G. Kane recently warned consumers about a scam involving people receiving phone calls purportedly from their electric utility company threatening the consumer with having their electrical service terminated for non-payment.  The consumer is then told that the only way they can avoid having their electricity turned off is to send payment by way of a Green Dot Card.  Green Dot Cards are prepaid debit cards that can be obtained in many places.  Scammers use them frequently because unlike a check, payment cannot be stopped on a Green Dot Card and they are extremely difficult to trace.  They are very much the equivalent to having money wired which is another favorite method that scammers like to use for their payments.  Although this particular scam warning came from the Pennsylvania Attorney General, this scam is being done throughout the country.

TIPS

Whenever you get a telephone call, you can never be sure who is actually calling you.  Even your Caller ID can be fooled by clever scammers who can make it appear that the call is from a legitimate source.  State regulations require you to receive written notice before a utility can be turned off and you will also receive information as to how to make arrangements for payments.  If you do receive a call from any company that you do business with demanding payment, your best course of action is to hang up and call the business back at a number that you know is accurate to make arrangements for the payment of your bill.

Scam of the day – April 18, 2014 – American banks victimized by foreign hackers

April 18, 2014 Posted by Steven Weisman, Esq.

Although the theft actually goes back to 2009, it was only now that the Department of Justice unsealed indictments made by a federal grad jury in 2012 in which nine people including six Ukrainians and a Russian were charged with using malware to steal passwords, account numbers and other information enabling the hackers to steal millions of dollars from American banks.  The particular malware that was used is called “Zeus” and has been used for years by hackers to get access to passwords and account numbers which, in turn, enabled the hackers to log on to their victims’ online banking accounts.  The Zeus malware is particularly effective and allowed the hackers to overcome the two-factor identification systems used by the banks.  The funds stolen were wired to other banks in America where co-conspirators would withdraw the money and wire the money back to Eastern Europe.

TIPS

The Zeus malware is spread through phishing, which means that the hackers and identity thieves send emails luring their victims to click on infected links or download infected attachments that appear to be legitimate, but in fact, contain the malware.  The malware then enables the hacker to steal all of the personal banking information from the victim’s computer that they need in order to access their accounts.  So the lesson is clear.  Don’t click on links or download attachments unless you are absolutely sure that they are legitimate.  Also, it is important to have anti-virus and anti-malware software on all of your computers, smartphones and other electronic devices.  However, don’t depend on the anti-virus software and anti-malware software to do your thinking for you.  Security software is helpful, particularly if they are kept up to date with the latest security patches, however, they are never 100% effective against the latest malware.

Scam of the day – April 17, 2014 – Stolen phone leads to identity theft

April 17, 2014 Posted by Steven Weisman, Esq.

New York state police are reporting the theft of a woman’s smartphone that was then used to send text messages appearing to be from the woman whose smartphone was stolen indicating that she had car problems and needed her friends to wire her money to cover towing charges for her car.  The phone thief sent the text message to a number of her friends from the victim’s phone so it appeared the calls were coming from the victim.  The thief persuaded the victim’s friends to wire money to a Western Union kiosk in a Rite Aid pharmacy where the thief collected the funds.  Police managed to catch the thief and have charged him with identity theft and larceny.

TIPS

There are a number of lessons here for all of us.  First, you should always have a complex password for your phone so that it cannot be used by someone who may steal it or if you lose it.  The second lesson is never to trust a text message.  You can never be sure of who is actually sending the text message.  Particularly if you get a text message requesting money, you should call the person and talk to them personally before sending money for an emergency.

Scam of the day – April 16, 2014 – Latest security updates from the Department of Homeland Security

April 16, 2014 Posted by Steven Weisman, Esq.

As regular followers of Scamicide know, whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security.  Today’s software update is particular extensive and includes updates for important software such as Adobe, Google Chrome and Internet Explorer.

TIPS

Here is a link to the latest release from the Department of Homeland Security with links to this important security update:

https://www.us-cert.gov/ncas/bulletins/SB14-104

 

Scam of the day – April 15, 2014 – Attorney General, Eric Holder victim of income tax identity theft

April 15, 2014 Posted by Steven Weisman, Esq.

Today being the deadline for filing your federal income tax return is also a good time to remind you that identity theft and income tax identity theft can happen to anyone.  It can even happen to the Attorney General of the United States.  Recently convicted of this crime were Yafait Tadesse and Eyaso Abebe, a man whose Facebook page describes him as an importer/exporter for Vandelay Industries, which if it sounds familiar is because it was a fictional company created by the George Costanza character in the old Seinfeld television show.  Obtaining the Social Security number of a real person and then filing a phony income tax return on behalf of that person before the potential victim files his or her legitimate federal income tax return is the key to income tax identity theft.  In this case Tadesse and Abebe purchased Social Security numbers including that of Attorney General Holder on black market websites and used the information to file phony returns and collect refunds.

TIPS

The two keys to protecting yourself from income tax identity theft are to protect the privacy of your Social Security number as best you can and file your federal income tax return as early as you can.  Even if an identity thief has managed to get your Social Security number, if you file your income tax return before he or she can file a phony return using your Social Security number, you will suffer no harm.  If an identity thief does manage to file a return using your Social Security number before you do, it can take many months before you can straighten the matter out and get your true refund.

Scam of the day – April 14, 2014 – The last income tax scam of the season

April 14, 2014 Posted by Steven Weisman, Esq.

Tomorrow is April 15th which is the last day for filing your federal income tax return unless you are a procrastinator who has filed an extension.  Identity thieves and scammers love income tax season as it provides them with an opportunity for a wide variety of scams to steal your money.  I have described these scams in numerous Scams of the day.  As the income tax season comes to an end, scammers and identity thieves are busy with one last scam about which I want to warn you.  It starts with you receiving an email that appears to come from the IRS Taxpayer Advocate Service in which you are told that there is a problem with your recently filed federal income tax return and that IRS computers have found errors in your return.  In order to resolve the problem, you are told to click on a link in the email that purports to take you to the IRS Taxpayer Advocate Service website where you are told you will find information about the problem and the name of the taxpayer advocate assigned to your case.  If you click on the link, you will not go to the IRS Taxpayer Advocate Service, which is a real organization.  Instead you will be sent to a legitimate looking, but phony website that will solicit you to provide information that will enable the identity thief behind this scam to make you a victim of identity theft.

TIPS

The easy way to avoid this scam is to remember that the IRS will never initiate contact with taxpayers by email.  If you get an email, text message or phone call purporting to be from the IRS initiating contact about anything, you can be sure that it is a scam.  As a general rule, however, it is important to recognize that whenever you get an email, phone call or text message, you can never be sure of who is contacting you and whether or not they are legitimate.   Therefore never provide information to anyone who contacts you in this manner and do not click on links or attachments in unsolicited text messages or emails which may either be seeking personal information from you to be used to make you a victim of identity theft or will automatically when you click on the link download keystroke logging malware on to your computer that will steal the information from your computer and again use it to make you a victim of identity theft.