Scam of the day – November 23, 2014 – New Drupal security threat

November 23, 2014 Posted by Steven Weisman, Esq.

In my Scam of the day for November 3rd I warned you about a major security flaw in Drupal software. Many of you may not be familiar with Drupal, but website developers certainly are. Drupal is a software company whose software is used by a billion websites to manage images, text and video on websites. On October 15th, Drupal announced that it had discovered a major security flaw that could be exploited by hackers to not only steal data from targeted websites, but also to set up a backdoor application that would permit the hacker to return to retrieve more data. All of this could be done without any indication that a hacking had occurred. Most companies responded to Drupal’s announcement and its security update; however, according to Drupal, any website that did not download the Drupal security patch within seven hours of its October 15th announcement should assume that it has been hacked and its sensitive information compromised. Drupal estimates that about 5% of the billion websites that use Drupal software did not install the necessary security patch in a timely fashion and although this number may seem small, this means that the number of affected websites that may have personal information on you and me is as high as twelve million websites. Among the websites that did not promptly update their security was the website of the Indiana Department of Education, which was hacked twice after failing to update its Drupal software.

TIPS

Part of the problem is that unlike many software companies that provide automatic updates for you to install, Drupal does not do so. Many companies, to their own detriment, are slow to install important security updates and this delay puts them and their customers in serious danger of identity theft and being scammed. This is why here at Scamicide we provide security updates as they are announced. The Drupal security problem is also a warning again to us all that we are only as secure as the least secure of the companies and governmental agencies with which we do business. Drupal has issued a new security warning with instructions as to how to correct security flaws in their software. Here is a link you can trust to Drupal’s security warning: https://www.drupal.org/SA-CORE-2014-006

Scam of the day – November 22, 2014 – FTC takes action against “free” credit score scams

November 22, 2014 Posted by Steven Weisman, Esq.

The Federal Trade Commission along with the Attorneys General of Illinois and Ohio has announced a settlement with three companies that marketed what the companies advertised as free credit scores and then billed the unsuspecting customers $29.95 per month for credit monitoring services that they neither wanted nor knew that they had ordered.  Under the terms of the settlement, the defendants will be refunding 22 million dollars to scammed customers.  The companies marketed their programs MyCreditHealth and ScoreSense through at least fifty websites and bought advertising on Google and Bing that would appear high on a list when consumers looked for “free credit reports.”  One of their misleading ads read “View your latest Credit Scores from All 3 Bureaus in 60  seconds for $0.”  In the fine print of their agreement, the companies were able to bill the consumers’ credit cards until the customers called to cancel their membership.  Even then, the companies, in many instances did not cancel the contract until after repeated calls.

TIPS

It is important to note that a credit report and a credit score are not the same thing. Your credit report, which you have a right to a free annual copy of at each of the three major credit reporting agencies, Equifax, TransUnion and Experian, does not contain your FICO credit score, which is derived from the information in your credit report and used by companies to measure your creditworthiness. There are many companies that also promise free copies of your credit report only to do the same scam of charging you hidden monthly fees for additional services. The only website to use for your free credit report is www.annualcreditreport.com. You should also be wary of any company that offers something free and then asks for your credit card. This is a red flag that what you are ordering is not free. There are no websites that offer your actual FICO credit score at no charge although there are a number of websites including CreditKarma, CreditSesame and Quizzle that will provide a free approximation of your score, sometimes called a FAKO score, that can be helpful.

Scam of the day – November 21, 2014 – Online romance scam arrest

November 21, 2014 Posted by Steven Weisman, Esq.

Recently, Nigerian Kazeem Owonla was arrested and extradited to Indiana where he is facing charges for scamming an Indiana woman out of more than $100,000 in a romance scam.  The victim first met Owonla online in January of this year.  Owonla used the name John Tony Hagan in his communications with his Indiana victim who is thought to be one of a number of romance scam victims of Owonla that are still being investigated.  As is the typical situation in these scams, the apparent romance grew quickly and once his victim was hooked, Owonla started asking his victim for money for various purposes such as to pay for the cost of replacing stolen tools or to help him pay his employees when his own funds were stolen.  Somewhat ironically, although Owonla used the alias of John Tony Hagan, the photograph he supplied online was that of Montana Attorney General Tim Fox, a man who protects the citizens of Montana from such scams.

TIPS

There are many red flags to help you identify romance scams. I describe many of them in detail in my book “The Truth About Avoiding Scams” which you can purchase from Amazon by clicking on the icon of the book at the right hand side of the page. The most important thing to remember is to always be skeptical of anyone who falls in love with you quickly online without ever meeting you and early into the relationship needs you to wire money. Here are a few other things to look for to help identify a romance scam. Often their profile picture is stolen from a modeling website on the Internet. If the picture looks too professional and the person looks too much like a model (or an attorney general), you should be wary. Particular phrases, such as “Remember the distance or color does not matter, but love matters a lot in life,” turn up in many romance scam emails. Also be on the lookout for bad spelling and grammar as many of the romance scammers claim to be Americans, but are actually foreigners lying about where they are and who they are. Of course you should be particularly concerned if someone falls in love with you almost immediately. Often they will ask you to use a webcam, but will not use one themselves. This is another red flag. One thing you may do is ask them to take a picture of themselves holding up a sign with their name on it. In addition, ask for a number of pictures because generally when the scammers are stealing pictures of models from websites, they do not have many photographs. Ask for the picture to be at a particular place that you designate to further test them.

Scam of the day – November 20, 2014 – Why are Nigerian email scams so absurd?

November 20, 2014 Posted by Steven Weisman, Esq.

Not all Nigerian email scams come from Nigeria although Nigeria is still a hub for this type of scam in which you are told that under some pretense you are to receive a huge amount of money for nothing.  Of course, once you correspond with the sender of the email, you soon learn that it takes payment after payment from you under various guises in order to receive the money and, of course, ultimately, you receive nothing, but the scammer has managed to trick you out of your money.  Here is a copy of such an email that I recently received:

“May God touch your heart as you read this message. I know this maybe a surprise to you but i want you to consider me as a friend because my mind choose you. My name is Waleed Hassan, a retired Oil Merchant from Tripoli, Libya. I am currently in a hospital suffering from the cancer of the lung as i write this message to you. I am a blessed man, but my life has been one of hardship and suffering because of bad health. suicide in my case is not the answer. I suffered the death of family and loved ones, due to the battle that went between the Gaddafi soldiers and the Independent Rebels in my country. My condition is really deteriorating and according to my doctors in all indication regards to medical analysis, it is quite obvious that i may not live for more than 2months. This is because the cancer has gotten to a very bad stage.

Presently I am contacting you because of the funds i lodge with the HSBC BANK when i was still working in England. I choosed from my mind to entrust this amount to a stranger and my mind choose you among different profiles that i have just viewed.

Once the money is transferred to you, i want you to keep 15% of the money for yourself and help me distribute the rest 85% to the street kids, charity organisations and different poor homes. The fund is currently with the HSBC BANK and upon my instruction, it will immediately be transferred to you. If you feel honoured to do the good work for me, Please kindly reply on my Private Email so i can further this with you: haswaled@gmail.com”

This email is typical of many others and filled with poor grammar and spelling errors and of course the story is utterly preposterous.  So who would possibly fall for this?  Only the truly gullible and that is the very strategy used by these scammers.  They do not want to waste their time on people who might eventually see through their scam so they make their plea as outrageous as possible so that if someone takes the bait, they are likely to be able to cheat that person out of their money.

TIPS

By now, we all know that no one is giving you something for nothing and even the most gullible among us must ask themselves, why they were singled out for such good fortune.  The answer is that this is a scam and the best thing you can do is to enjoy the humor of these emails, but never respond to them.

Scam of the day – November 19, 2014 – The twelve scams of Christmas

November 18, 2014 Posted by Steven Weisman, Esq.

It seems that the holiday season starts earlier and earlier each year so it certainly is not too early to warn you about some of the many scams that will be threatening your holidays if you are not careful.  As it says, in “Santa Claus is Coming to Town,” you better watch out.  My list of twelve scams of Christmas isn’t meant to be sung, but it is meant to provide an early warning of the fact that although every season is scam season, the holiday season is a particularly dangerous time of year for scams.  Here is my list of twelve scams of Christmas.  Over the next month I will be explaining them in detail here on Scamicide.

1.  Major data breach at retailers.

2.  Phony online shopping websites purporting to sell the latest toys and gadgets.

3.  Gift card scams.

4.  Delivery service scams.

5.  E greeting card scams.

6.  Phony charities.

7.  Puppy scams in which you are sold non-existent dogs.

8.  Phishing emails that appear to come from major retailers.

9.  Phony holiday vacation deals.

10. Phony holiday apps for your smartphone.

11. Phony holiday contests and lotteries.

12. Grandparent scam – holiday style.

TIPS

Although I will be explaining these scams in detail over the next month, here are a few major tips to keep in mind.

When shopping in a retail store, if you have the Apple iPay, use it.  It may not be perfect, but it is a great improvement over the magnetic stripe credit cards still used by almost all American retailers.   You also might want to consider getting a smart chip card from your credit card provider and using it at the stores such as WalMart which are switching to these safer credit cards well ahead of the October 2015 deadline to change over to the new cards.  Also remember not to use your debit card while retail shopping.  The consumer protection laws relating to debit card use are not as strong as those relating to fraudulent use of credit cards.  It is important to remember that there will be major data breaches at retail stores where we all shop and the hacked companies won’t be quick to discover that they have been hacked so carefully monitor on line your credit card’s usage more often than your monthly statement to be able to learn as quickly as possible if you have been victimized in a data breach.  Also, when shopping at a brick and mortar retail store, keep an eye on your credit card as it is processed by the sales clerk.  There will be more than a few seasonal, rogue employees who will have small electronic devices called skimmers that enable the sales clerk to run your card through this card reading skimmer to steal your credit card information before running the card through the store’s legitimate credit card processing equipment.

Here is a link to a column I wrote for USA Today that describes these holiday scams.  Within the column is another link to an additional column on the same subject.

http://www.usatoday.com/story/money/personalfinance/2014/11/22/holiday-scams-identity-theft/19340731/

Scam of the day – November 18, 2014 – Bitcoin Ponzi scheme

November 18, 2014 Posted by Steven Weisman, Esq.

Bitcoins are the increasingly popular digital currency that is privately issued and not supported by any government in the world. It is, however, used by many people throughout the world. Recently, Trendon Shavers was arrested in Texas and charged with securities and wire fraud in relation to his offer of 7% weekly interest on bitcoins deposited with his Bitcoin Savings and Trust Company. This promise of an annual percentage interest of 3,641% managed to lure investors to turn over to him 740,000 bitcoins valued at 4.5 million dollars. Shavers advertised his scheme on the internet bulletin board “Bitcoin Forum” and other online discussion groups. He claimed to be using a market-arbitrage strategy that included lending and trading bitcoins on online exchanges. His complex and non-understandable strategy mirrors that of the original Ponzi schemer, Charles Ponzi, who used a similar scheme involving international stamps. As with Ponzi, Shavers appeared to be legitimate by paying profits to early investors. However, as with Ponzi himself, there were no profits and the early investors were paid with the funds being contributed by newer investors to make the phony investment scheme appear legitimate. Shavers, like Ponzi, was extremely persuasive and according to prosecutors, at the height of his scam, he personally controlled 7% of the world’s bitcoins.

TIPS

Due to the fact that bitcoins are totally unregulated by any government, they are a questionable investment.  Add to that fact, their digital character and its susceptibility to hackers and fraud and you have a dangerous investment at best.  Shavers is just the latest in a long line of Ponzi schemers who make promises that are too good to be true backed up by an incomprehensible formula for investment success. You should always remember the prime rule of investing which is to never invest in anything or any investment strategy that you do not totally understand.

Scam of the day – November 16, 2014 – Latest software security patches

November 16, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats. Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices. Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use. Delay in updating your software could lead to disastrous results. However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update. That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly. Today’s updates include many important updates and security patches to prevent serious problems, including important security updates for Google Chrome, Adobe and Microsoft. The Adobe flaw is particularly troublesome in that it can be exploited by hackers to take over your entire computer.

TIPS

Here are the links to the latest Department of Homeland Security software updates and security patches:

https://www.us-cert.gov/ncas/current-activity/2014/11/11/Google-Releases-Security-Update-Chrome

https://www.us-cert.gov/ncas/current-activity/2014/11/11/Adobe-Releases-Security-Updates-Flash-Player

https://www.us-cert.gov/ncas/bulletins/SB14-314

 

Scam of the day – November 15, 2014 – Indiana Department of Education hacked twice

November 15, 2014 Posted by Steven Weisman, Esq.

Within the space of a single week, the Indiana Department of Education was recently hacked twice although a spokesman for the Department has indicated that the vulnerability that enabled the attacks has been patched.  The Department said that no personal information of Indiana students was compromised in the attacks, saying that this information was kept on different servers than the one that operated the Department’s website.  Both attacks were claimed to be the work of a group calling itself the Nigeria Cyber Army, which boasted of the hacking on the Department’s website.  What makes this particular hacking noteworthy is that the vulnerability exploited in order to achieve the hacking was a flaw in Drupal content management software used by a billion websites around the world.  I told you about the Drupal security flaw in my Scam of the day for November 3rd.  Drupal warned its customers in late October of the flaw and urged its users to download the necessary security patch.  It was estimated by Drupal that around twelve million websites failed to install the security patch in a timely fashion.  It appears that the Indiana Department of Homeland Security was one of them.

TIPS

So what does this mean to you and me?

First of all it is a reminder that our personal information is only as secure as the places holding our personal information with the worst security.  The second thing to remember is that when security flaws are discovered and security patches issued, companies and individuals should download and install the necessary security patches as soon as possible.  It is for this reason that I regularly provide you with the latest security patches as issued by the Department of Homeland Security.  Scammers and identity thieves count on companies, governments and individuals not promptly updating their software and take advantage of this delay to the detriment of all of us.

Scam of the day – November 14, 2014 – Watch out for a “Masque Attack”

November 14, 2014 Posted by Steven Weisman, Esq.

FireEye, a cybersecurity firm, announced this week that they had identified a serious flaw in Apple’s iPhone operating system that makes most iPhones and iPads extremely vulnerable to being hacked and data being stolen. The vulnerability is being called “Masque Attack” and was first discovered by FireEye in July, but was first made public by FireEye this week when the first attempts to exploit the vulnerability by hackers were discovered. Hackers attempted to exploit the vulnerability through the use of malware called “WireLurker.” Presently, Apple’s iPhone operating system permits a malicious app that uses the same bundle identifier as that of a legitimate app to replace the legitimate app on the victim’s iPhone or iPad while retaining the data from the replaced legitimate app. Thus the hacker can make it appear that the victim’s bank app, for example, is still installed, when in fact it has been replaced by this malicious app, and steal account information, passwords and other sensitive data which can easily lead to identity theft. A Masque Attack occurs when the victim downloads a tainted app that may appear to be that of a popular game or some other apparently innocuous app. Once installed, the victim does not know that he or she has replaced legitimate apps on the phone or tablet with the malicious app.

TIPS

Users of iPhones and iPads can protect themselves by taking simple precautions.  First, do not install apps from any source other than Apple’s official App Store.  This is always good advice because you can never be sure of the security of apps that come from sources other than the official app stores.  When opening any app, if the iPhone or iPad operating system indicates “Untrusted App Developer,” click on “Don’t Trust” and immediately uninstall the app.