Scam of the day – September 15, 2016 – What the data breach at the World Anti-Doping Agency means to you

September 14, 2016 Posted by Steven Weisman, Esq.

The World Anti-Doping Agency (WADA), the international agency that enforces the rules regarding the use of performance-enhancing drugs and other prohibited substances by athletes around the world, was hacked, apparently by Russian hackers who released the medical files of American athletes Simone Biles, Venus Williams, Serena Williams and Elena Delle Donne.  In each case, the records show that these athletes used drugs that were permitted under the Therapeutic Use Exemptions for legitimate medical reasons.  In the case of Simone Biles, the records indicated that she took Ritalin for ADHD.  None of the use of these drugs appeared to be related to improper drug use for performance enhancement.

Perhaps the bigger aspect of this story, and one that is being overlooked in much of the media, is how the hacking was accomplished.  Once again it appears that the hacking was done by exploiting information obtained through spear phishing.  Spear phishing occurs when a victim receives an email or text message specifically tailored to him or her with a link in it, clicks on the link and unwittingly downloads keystroke logging malware that enables the hacker to steal all of the information from the victim’s computer or smartphone, including passwords and other critical information.

TIPS

Spear phishing has been used successfully by hackers in most of the major data breaches of the last few years including Sony, Target and the Office of Personnel Management (OPM).  Spear phishing is distinguished from the usual phishing email that can be easily spotted because, unlike ordinary phishing emails and text messages, spear phishing emails and text messages often appear to come from a trusted source and contain sufficient personal or relevant information that they appear to be genuine.  Often, we are our own worst enemies because we provide too much personal information on social media that can be used by clever cybercriminals to fashion spear phishing emails and text messages.  It is for this reason that you should never click on any links in an email or text message until you have confirmed that the email is legitimate.  You should also use security software and make sure that it is constantly updated with the latest patches although even doing that won’t protect you from the newest zero day exploits which exploit computer vulnerabilities that have previously not been discovered.  It usually takes the security software companies about a month to come up with defenses against the latest zero day exploits.

Scam of the day – September 14, 2016 – Steps to take when getting a new smartphone

September 14, 2016 Posted by Steven Weisman, Esq.

According to the advertising slogan, diamonds are forever.  However, smartphones definitely are not.  Most people update to a new smartphone about every two years.  We use our smartphones for many purposes, from doing banking to taking photos, and our smartphones contain large amounts of personal information including passwords, account numbers and other information that we should take care to keep private when we turn in our phones.  The first thing, however, that you should be doing even if you do not intend to turn in your phone soon is to back up all of the data from your phone onto your computer, a portable hard drive or the cloud.

TIPS

When you are going to turn in your phone for a new one, you should clear your old phone of all app data and use a factory reset that is intended to clear your device of information stored in the phone.  Generally, your service provider can transfer the information to your new smartphone before you delete it from your former phone.  Check the owner’s manual, the provider’s website or the website of your phone’s manufacturer for instructions about how to do a hard reset of your phone before you dispose of it.  It is also important to remove or delete the data contained on your phone’s SIM or SD card, which contains important data and photos.  Even if you have cleared and reset your phone, your SIM or SD card will retain information, so it is critical to remove your SIM or SD card from your old phone or have the data on these cards deleted.

Scam of the day – September 13, 2016 – Phony Hillary Clinton video contains malware

September 12, 2016 Posted by Steven Weisman, Esq.

A common way that hackers manage to trick people into downloading malware used to steal the information from your computer or smartphone and enable them to make you a victim of identity theft is to send the malware disguised as an attachment for a video of something of great interest to many people.  It may be something related to a celebrity, such as purported nude videos, or it may be of an event in the news, such as a video purporting to show formerly unavailable footage of, for instance, the shootings in the Orlando nightclub.  The presidential election is tremendous fodder for people seeking videos of candidates in compromising situations and scammers are taking advantage of this with malware attached to emails promising to provide newsworthy events.  Such is the situation, as reported by computer security company Symantec, with an email presently circulating promising that the attached video shows Hillary Clinton accepting money from an ISIS leader in 2013.  In addition to being a totally outrageous accusation not based in any fact, the email is fraught with poor grammar.  However, that is not stopping some people who are clicking on the link and unwittingly downloading malware that can result in their becoming a victim of identity theft.

TIPS

Regardless of who sends you an email or a text message with a link attached, you should never click on the link until you have confirmed that the communication is legitimate.  Even if the message appears to come in the email or text message from a trusted friend, you can’t be sure that your friend has not had his email or smartphone hacked and used by a scammer to spread malware.  You should have security software on all of your electronic devices including your computer and smartphone and make sure that you keep your security software up to date with the latest security patches, but you cannot totally rely on that software to protect you from all malware dangers because it generally takes the software security companies about a month to catch up with the latest strains of malware.  Finally, in regard to communications promising startling videos or pictures of celebrities or newsworthy events, you should be particularly skeptical as to their authenticity.   Instead, it is better to rely on legitimate news sources that you can trust to be safer and more accurate.

Scam of the day – September 12, 2016 – Four year old data breach revealed

September 12, 2016 Posted by Steven Weisman, Esq.

It was recently disclosed that Brazzers, a porn website, had been hacked four years ago.  Personal information of users of its forum, in which subscribers communicated about porn movies, was stolen and is now available on the Internet.  The information stolen included not only user names, email addresses and passwords, but also the substance of their conversations in the forum, which could be embarrassing to Brazzers subscribers if the information became public, leading to concerns about blackmail by cybercriminals with access to this information.  This data breach is reminiscent of the data breach at Ashley Madison, which proved to be extremely embarrassing to customers of that website that dealt with extra-marital affairs.  Of course, any data breach in which user names, email addresses and passwords are compromised poses a threat to the victims of the data breach, who can be more seriously victimized by cybercriminals using that information to advance spear phishing schemes targeting the victims and luring them to click on links that will download keystroke logging malware that will steal personal information from the victim’s computer, smartphone or other electronic device and use that information to make the person a victim of identity theft.  In addition, many people use the same password for all of their accounts and once their password at one website becomes known, it can lead to attacks at other places such as online banking.

TIPS

The website Have I Been Pwned https://haveibeenpwned.com/ is a good place to go to find out if you have been victimized in a data breach.  This website gathers information about data breaches and you can put in your email address to find out if you have been a victim of any data breaches, such as Brazzers, where information is being circulated on the Internet.  It is also important to use a distinct and unique password for each of your online accounts so if you do become a victim of a data breach at one account, the security of your other accounts is not threatened.  Finally, people who go to websites that they would prefer no one to know about should consider using a different user name and separate email address from their usual user name and email address.

Scam of the day – September 11, 2016 – New malware attacking online banking app

September 11, 2016 Posted by Steven Weisman, Esq.

Many people find that doing their banking through their mobile devices is quick, efficient and convenient.  Unfortunately, it also carries with it the risk of cybercriminals hacking the smartphones and other mobile devices used by their victims to gain access to their victims’ bank accounts and steal their money.  In my Scam of the day for June 3, 2016 I gave a number of tips about how to do your online and mobile banking more safely.  Cybersecurity, however, is a never ending process and a few days ago, researchers at cybersecurity company Kaspersky Lab announced they had discovered a new form of malware used to steal banking information and credit card information from the smartphones of Android users that can override the new security features Android had installed in the Android OS version 6 specifically to combat this type of threat and other similar threats.

The new malware, which is a modification of the Gugi banking malware, starts, as with so many attacks, by luring the victim into clicking on a link in a legitimate appearing text message that results in the initial downloading of the malware.  Once it is downloaded, however, the malware creates a display on your screen indicating the need for additional rights to work with graphics and windows.  If the victim clicks on the only link provided, another screen asks them to authorize app overlay and then other permissions.  If the victim realizes what is going on and does not provide the requested permissions, the malware blocks the entire smartphone.  The only way to fix the problem at this point is to reboot the smartphone in safe mode and attempt to remove the malware, which is difficult to do.

If the malware does get fully installed with all of the permissions it requires, it enables the cybercriminal to take total control of the victim’s electronic banking and can readily empty his or her accounts.

TIPS

Along with the basic online and mobile banking precautions I urged you to take in my Scam of the day for June 3, 2016, you can protect yourself from the Gugi malware by never just automatically giving rights and permissions when an app requests you to do so.  Always evaluate why the app would need such permissions.

As always, the two most important things to do to protect yourself from any cybersecurity threat to your mobile phone are to follow my advice of “trust me, you can’t trust anyone” and never click on links regardless of who appears to be sending them until you have absolutely confirmed that the links are legitimate.  Also, make sure that you not only have security software on all of your mobile devices, but that you keep the security software updated with the latest security patches as soon as they are available.

September 10, 2016 – Steve Weisman’s latest column for USA Today

September 10, 2016 Posted by Steven Weisman, Esq.

While it may appear that ATMs are a safe and secure way to get money from your bank account, the truth is that ATMs are vulnerable to being hacked in multiple ways and we, as customers, must be vigilant in order to protect ourselves and the security of our bank accounts.  Here is a link to my column from USA Today describing this problem.

http://www.usatoday.com/story/money/columnist/2016/09/10/how-safe-atms-skimming-not-very/89225960/

Scam of the day – September 10, 2016 – A new Chase phishing email

September 10, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason, because they work.  Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank.  DO NOT CLICK ON THE LINK.  Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.  As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.  The grammar and spelling are good, but a minor flaw is the inconsistent capitalization in the phrase, “All Rights reserved.”  Also, as so often is the case, the email is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Chase Bank Online® Department Notice:

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
Log On
Thank you for using Chase Bank.
Member FDIC © 2016 Chase Bank Financial Corporation. All Rights reserved.

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email has no salutation whatsoever.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.
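The indications described in this post can also be checked mechanically. The following Python sketch is an added example, not part of the original post and not a tool from Chase or any vendor; the sample messages, the sender addresses, the recipient name "Pat Example" and the account digits "4321" are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the post. The sender
# address is made up; it stands in for the unrelated individual's account.
SAMPLE = """\
From: "Chase Bank Online" <j.doe@mail.example.net>
To: customer@example.org
Subject: Department Notice

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
Log On
Thank you for using Chase Bank.
"""

# Constructed benign message for comparison.
BENIGN = """\
From: "Chase" <no-reply@chase.com>
To: customer@example.org
Subject: Your statement is ready

Dear Pat Example,
Your statement for the Chase account ending in 4321 is ready.
"""

# Words that create the sense of emergency the post describes.
URGENCY = re.compile(r"\b(suspended|restore|immediately|urgent|now)\b", re.I)

def phishing_indicators(raw, brand, brand_domains, recipient_name, account_last4):
    """Return the warning signs from the post that are present in a raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Collect every plain-text part (a message with no Content-Type is text/plain).
    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/plain")
    hits = []

    # 1. The message claims to be from the brand but was sent from elsewhere.
    #    A matching domain proves nothing by itself, since From can be forged.
    claims_brand = brand.lower() in display.lower() or brand.lower() in body.lower()
    on_brand_domain = any(domain == d or domain.endswith("." + d)
                          for d in brand_domains)
    if claims_brand and not on_brand_domain:
        hits.append("sender_domain_mismatch")

    # 2. The email is not directed to the customer by name.
    if recipient_name.lower() not in body.lower():
        hits.append("no_personal_salutation")

    # 3. The email does not refer to the customer's specific account.
    if account_last4 not in body:
        hits.append("no_account_reference")

    # 4. The email tries to make the reader think there is an emergency.
    if URGENCY.search(body) or URGENCY.search(msg.get("Subject", "")):
        hits.append("urgency_language")
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, "Chase", ("chase.com",), "Pat Example", "4321"))
    print(phishing_indicators(BENIGN, "Chase", ("chase.com",), "Pat Example", "4321"))
```

An empty result does not make a message safe; a message that raises none of these flags still needs to be confirmed through the bank's real customer service number.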

Scam of the day – September 9, 2016 – Change of address scam

September 9, 2016 Posted by Steven Weisman, Esq.

I have warned you a number of times in the past about the danger of identity theft that occurs when criminals steal your mail from your mailbox.  Among the dangers are criminals gathering personal information contained in your mail to set up accounts in your name or getting your credit card bill and using the information in your bill to access your credit card.  However, sometimes the criminals don’t even have to steal your mail.  They can get the United States Postal Service to deliver your mail directly to the criminal by submitting a change of address form with the post office on your behalf, either in person or online, that results in your mail being sent directly to the criminal.  One of the ways that the Postal Service tries to prevent this type of fraud is by sending a letter to your old address confirming that you wanted your mail sent to a new address.  However, this can be circumvented by clever scammers who merely submit a form to the post office on your behalf to hold your mail, as many people do when they are on vacation, which enables the scammer to get extra time before the scam is discovered.

TIPS

Certainly if you get a notice that a change of address form has been filed on your behalf and you have not filed such a form, you should contact the United States Postal Service immediately.  Also, if you fail to receive any mail whatsoever for a couple of days, it is important to contact the post office to make sure that no one has changed your address.  Remember, even paranoids have enemies.

Scam of the day – September 8, 2016 – FTC issues warning about rental cars

September 7, 2016 Posted by Steven Weisman, Esq.

As if we didn’t have enough to worry about, the Federal Trade Commission (FTC) recently issued a warning about risks which most people are not aware of that arise when you connect your smartphone to a rental car in order to access the car’s infotainment system and other connected features.  By far, the biggest problem is that the car may store personal information of yours, such as your mobile phone number, message logs, contact lists and even the content of text messages you received while connected to the car.  If you don’t delete this information when you return the car, this information can be accessed by future renters of the car, employees of the rental car company or knowledgeable hackers.

TIPS

If you merely want to charge your smartphone rather than connect to the infotainment system, don’t use the car’s USB port to do it.  Connecting your phone to the system may transfer your data automatically without your doing anything further.  Instead use a cigarette lighter adapter to recharge your phone in the car.  If you do decide to use the infotainment system, a screen may appear on which you are provided options as to the information you authorize the system to be able to access.  Limit the access to only those uses that you need.  Finally, and most important, when you return the car, make sure that you have gone into the infotainment system’s settings menu and deleted your device and your data.

Scam of the day – September 7, 2016 – IRS fails to notify identity theft victims

September 7, 2016 Posted by Steven Weisman, Esq.

The IRS is certainly aware of the serious problems posed by identity theft which costs taxpayers billions of dollars in phony refunds paid to identity thieves filing income tax returns with fake W-2s in order to obtain fraudulent refunds.  This makes it more startling to recently learn from a report of the Treasury Inspector General for Tax Administration (TIGTA) that between 2011 and 2015, the IRS failed to notify more than a million taxpayers who had their Social Security numbers stolen even though the IRS was fully aware that these people were victims of employment related identity theft.  Employment related identity theft occurs when someone steals another person’s Social Security number in order to get a job.  Often this occurs when illegal immigrants use stolen Social Security numbers to get a job because they cannot legitimately obtain their own Social Security number.  The IRS becomes aware of the Social Security number being misused when the income tax returns filed using the Social Security number don’t match the W-2s associated with the Social Security number.

In 2014, the IRS instituted a pilot program by which it notified 25,000 people when their Social Security numbers were used by someone else to get a job, but the program was abandoned after a short time.  In April, the IRS indicated that it would begin to notify new victims of employment related identity theft beginning in January of 2017.  However, in its report, TIGTA is recommending that the IRS institute procedures to notify not only people who become victims after January of 2017, but also everyone who had become a victim of employment related identity theft previously.  TIGTA also recommended to the IRS that it notify the Social Security Administration when it becomes aware of employment related identity theft.

TIPS

While the intention of the identity thief who commits employment related identity theft is not as nefarious as that of an identity thief who commits identity theft that causes unpaid debt to be incurred in the name of the victim, the dangers of employment related identity theft can easily turn into medical identity theft whereby your medical records become corrupted by the medical records of the identity thief or criminal identity theft whereby crimes are committed in your name.  The best thing you can do to prevent any kind of identity theft is to maintain the privacy of your Social Security number as much as possible.