Scam of the day – December 23, 2014 – FBI warns about malware used to hack Sony

December 23, 2014 Posted by Steven Weisman, Esq.

Within hours of President Obama’s press conference on Friday, December 19th, the FBI and the Department of Homeland Security issued a warning about the five types of malware used by North Korea against Sony.  The malware was used to not only steal data, but to destroy data as well.  The Sony hacking has ushered in a new era of cybercrime in that it appears to be the first time that a hacking has been done of a major corporation for primarily destructive purposes rather than the stealing of data for either identity theft purposes or to gain access to enable foreign corporations to compete better in the international marketplace.  We may be seeing the first of what may turn into many attacks threatening to destroy a company’s data if it does not pay a ransom.  Corporations in America and around the world have got to better prepare themselves for such attacks and they need to do it now.

TIPS

Here is a link to the warning from the Department of Homeland Security which in turn has another link within it to an earlier Security Tip for handling destructive malware.  One important thing that all corporations have got to do is to better segregate their data and networks so that essential data is not available to anyone with access to the corporations’ computers.  Many recent hackings of retailers have started with hacks of less secure third-party vendors with access credentials to the computer systems of the the major retailers.

https://www.us-cert.gov/ncas/alerts/TA14-353A

Scam of the day – December 22, 2014 – Latest update about Staples data breach

December 22, 2014 Posted by Steven Weisman, Esq.

Regular readers of Scamicide may remember the October 22nd Scam of the Day in which I informed you about a data breach at Staples, the  popular office supply store.  The data breach is now known to have affected 115 stores around the country and to have been going on between August 10, 2014 through September 16, 2014 although at two stores, the data breach actually began in July.  The hackers were able to get into the cash registers and terminals that handle credit card and debit card purchases.  Included in the compromised information were customers’ names, card numbers, card expiration dates and card verification codes.  Staples has now also disclosed that the data breach took information from as many as 1.6 million cards from 115 specific stores around the country.   Here is a link to a list of the affected stores and the dates during which the data breach was active.  If you shopped at Staples during the summer you should check the list to see if you shopped at one of the stores affected by the data breach.

http://staples.newshq.businesswire.com/sites/staples.newshq.businesswire.com/themes/staplesREDESIGN_newshq_businesswire_com_theme/pdf/List%20of%20Impacted%20Stores.pdf

TIPS

As always, this is a reminder to shoppers not to use their debit cards for shopping due to the less protective laws pertaining to fraudulent use of your debit card.  Credit cards are the much preferred method to make purchases at stores and be most protected from fraudulent purchases and data breaches.  Staples is offering free credit monitoring services to affected customers.  For more information about enrolling in the free credit monitoring services if you were an affected customer, go to Staple’s website at

http://staples.newshq.businesswire.com/sites/staples.newshq.businesswire.com/themes/staplesREDESIGN_newshq_businesswire_com_theme/pdf/Notification%20and%20Customer%20Resources.pdf

 

Scam of the day – December 21, 2014 – Microsoft sues tech support scammers

December 21, 2014 Posted by Steven Weisman, Esq.

For years I have been warning you about the tech support scams which starts with a telephone call purportedly from Microsoft.  The caller informs you that Microsoft has diagnosed problems with your computer, such as viruses.  They then either ask for remote access so that they can fix the problem at no cost to you or they ask for personal information.   In both situations the caller is up to no good.  If you provide remote access to your computer you will have effectively turned over all of the information in your computer to the caller who can and will then use that information to make you a victim of identity theft.  If you provide personal information by phone, that information too will be used to make you a victim of identity theft.  In other situations, the scammer tells you that having scanned your computer they have found a virus or malware which they can fix for you at a fee.  Of course, there is no virus or malware, but they trick you into paying for a service you do not need.  Now Micosoft is striking back and has just filed a federal civil lawsuit in California against Omnitech Support and other associated companies that Microsoft assert has been perpetrating this scam.

TIPS

Microsoft will not and does not contact you by phone in regard to diagnosing or software problems.  If someone contacts you by phone unsolicited by you indicating that they are from Microsoft tech support and they are calling you to help you with a problem that you did not contact them about, you should immediately hang up.  You are talking to a scammer.  It should be noted, however, that Microsoft does regularly issue software security updates, but they do this in automated updates if you have provided for this service or on their website.  Installing the latest security software updates and patches is a critical part of fighting identity theft and scams because hackers exploit vulnerabilities that they discover in commonly used software to make you a victim of identity theft or scams.  Software companies are just as constantly coming up with software to correct these vulnerabilities so it is important to install the latest security patches as soon as possible.  It is for this reason that I regularly provide you with links to the latest security patches for the software that you use.  I assemble this information from the Department of Homeland Security.  It is therefore to check Scamicide each day to make sure that you do not miss important information.

Scam of the day – December 20, 2014 – Latest phishing emails

December 20, 2014 Posted by Steven Weisman, Esq.

Phishing emails by which an identity thief sends you an email that purports to be from a trusted source, such as your email provider or bank in which you are instructed to click on a link in order to resolve a major problem is a common and effective way for identity thieves to get you to unwittingly install keystroke logging malware on to your computer that will steal your personal information from your computer and use it to make you a victim of identity theft.  In a more advanced form of phishing called “spear phishing” the email may be directed to you by name and have other information that can fool you into believing that the email is legitimate.  Spear phishing has resulted in many of the major data breaches in the past year including Target and possibly Sony.

Here are some examples of some phishing email commonly circulating.  DO NOT CLICK ON THE LINKS.

“Your mailbox has exceeded the storage limit of 1 GB. You can not receive new messages until you update your mailbox. CLICK HERE to update.
Thank you
Aol Team!”

“Dear Aol User,

Your Account needs to be updated to enable your account work properly, Aol is doing upgrades to all users to keep there account safe from viruses and hacking.

Please CLICK HERE to upgrade now and continue to enjoy the benefits and services of Aol Mail.

Privacy Policy | Terms of Use | Security Tip
Copyright © in 2014 All rights reserved.”

“The Mail Team

Dear Customer,
Your incoming messages were placed on pending due to our recent upgrade.
You have 1 new Security message From Wells Fargo Bank.Click the secure link below to confirm your account.

https://www.wellsfargo.com/confirmation

Security Adviser, ATM/debit card number.
—————————————–
Copyright © 1999 – 2014 Wells Fargo. All rights reserved. NMLSR ID 399801.”

“We believe you have violated either the Terms of Service, product-specific Terms of Service (available on the product page),or product-specific policies.Please view all violated Terms below

Violated Terms Of Service”

TIPS

Trust me, you can’t trust anyone!  These particular phishing emails are pretty rudimentary.  Not only does your name not appear in the email, but the email addresses from where they were sent does not reflect that it was sent by AOL or Wells Fargo as represented in the email.  Rather, the email addresses from which these emails were sent are those of innocent people whose email accounts have been hijacked by the identity thieves and made a part of a botnet by which these phishing emails are sent.  Never click on a link or download an attachment from anyone unless your absolutely sure that it is legitimate. Even if the email appears to come from a legitimate company or someone you trust and even if the email addresses you by name, you should not click on the link until you have confirmed that the email and link are legitimate.  Identity thieves can hijack the email accounts of your friends or make the address of the sender appear to be legitimate.

 

Scam of the day – December 19, 2014 – Are you protected when you use your debit card as a credit card?

December 19, 2014 Posted by Steven Weisman, Esq.

Regular readers of Scamicide and my books, such as the recent “Identity Theft Alert” are familiar with my regular refrain that you should not use your debit card for anything other than an ATM card and even then you should carefully examine any ATM you are considering using for evidence of tampering that can indicate that the ATM has been tampered with and a skimmer installed on it that will capture your account data when you insert your card.  When you shop with a credit card whether online or in a brick and mortar store, your liability limit for fraudulent purchases made with your card is fifty dollars and most card issuers don’t hold you responsible for any fraudulent charges when you promptly report the fraud.  On the other hand, when you use your debit card, you are making a direct withdrawal from the bank account tied to your card.  If your debit card security is breached such as in a data breach as occurred in the last year at Target, Home Depot and numerous other stores your liability is five hundred dollars if you do not report the fraudulent use within two business days after learning of the breach and if you are not regularly monitoring your bank statements and do not report the fraudulent use for more than sixty days after your bank statement with the fraudulent charges is sent to you, your liability is unlimited.  Potentially, you could lose your entire bank account if you are not careful.  And even if you report fraudulent use of your debit card immediately, your bank account will be frozen and you will lose access to your own bank account while the bank investigates the matter which can be a tremendous inconvenience.

But what about people who use their debit card as a credit card at the register when paying for purchases?

When you present a debit card, you are asked if you want to use it as a debit card or a credit card which might lead some people to think that if they use it as a credit card, they are receiving the legal protections that apply when you use a credit card.  These people could not be more wrong.  Regardless of whether your debit card transaction is processed as a debit purchase with a PIN or as a credit card transaction without a PIN, the money is still processed as  a debit card with the funds being immediately withdrawn from your bank account.  Frankly, the only difference to the consumer is the fees associated with the card use.  Some banks charge you a transaction fee if you use your debit card as a debit card with a PIN for purchases, but charge the retailer a fee when the card is used as a “credit card” purchase.

TIPS

Never, and I mean never, use your debit card for anything other than an ATM card.  Do not use it for purchases either in a store or online.  Make your purchases by credit card only and regularly monitor your credit card account carefully for unauthorized purchases and report them immediately.  Also, pay careful attention to small regular occurring charges that may appear on your credit card statement that you might otherwise overlook due to their small amount.  Some identity thieves count on their victims missing these regular charges that can add up considerably over time to a great amount of lost money for you.

Scam of the day – December 18, 2014 – Latest Sony hacking developments

December 18, 2014 Posted by Steven Weisman, Esq.

The repercussions of the hacking of Sony continue to grow.  Although, it still has not been definitively determined that the North Korean government was behind the sophisticated hacking of Sony in retaliation for the release of the James Franco, Seth Rogen movie “The Interview” in which Franco and Rogen attempt to kill North Korean leader Kim Jong Un, forensic evidence appears to indicate that the hackers most likely had ties to the North Korean government.  Along with the release of embarrassing emails, released and unreleased movies and much financial information about Sony, the hackers have also threatened to release myriads of personal data of Sony employees that would be easily used to make those employees victims of identity theft.  Now in a recent communication, the hackers have threatened violence likened by the hackers to that of 9/11 at theaters showing the movie slated to open on Christmas day.

In an interesting development, in a headline the New York Daily News called Howard Stern an “idiot” for likening the Sony hacking to the attacks on the World Trade Center on September 11, 2001.  The Daily News’ headline could not be more ill timed as it was just a few hours later that the hackers threatened a 9/11 type attack on theaters.  In response, Sony has cancelled the Christmas opening of the film.  However, even beyond this threat of violence, Stern is correct in recognizing that just as the attack of 9/11 ushered in a new era of terrorist attacks, the attack on Sony could well be ushering in a new era of destructive cyberterrorism that, in fact, could have a devastating effect on world economies.

In a further development, two class action lawsuits have already been filed by former employees and present employees of Sony alleging, among other things, that Sony was extremely negligent in the protection of personal information thereby making them vulnerable to the hacking.

TIPS

The Sony hacking is just the latest example of the fact that despite your best efforts to protect your privacy and your personal information that in the wrong hands can be used to make you a victim of identity theft, you are only as secure as the government agencies and companies that have your information with the weakest security.  Therefore it is incumbent upon us all to both limit  the places that have our personal information as much as possible and to monitor our accounts and credit report regularly for indications of security breaches.

Scam of the day – December 17, 2014 – Afghan style Nigerian email scam

December 17, 2014 Posted by Steven Weisman, Esq.

Not all Nigerian email scams originate in Nigeria.  The long-time scam that has come to be known as the Nigerian email scam has many variations, but a common theme.  In the email you are promised something for nothing, however, once you respond to the plea which can be under the guise of a long lost deceased relative, a banker trying to send money out of the country or even, as this latest incarnation of the scam describes, helping to get money out of a war torn country, you soon learn that you need to send money for various purposes to facilitate the movement of the funds.  Of course, the money you send is lost and you receive nothing, but a lesson.

Here is a copy of the email I recently received.

“I am in the military unit here in Afghanistan,we have some amount of funds that we want to move out of the country.My partners and I need a good partner someone we can trust. It is risk free and legal. Reply to this email m.alanedward2@yahoo.cl

Regards,
Major. Alan Edward”

Although I only recently received this email, it has been circulating for at least two years.

TIPS

As I always say, “trust me, you can’t trust anyone.”  This email has scam written all over it.  Why are you being singled out to be blessed with such good fortune by an email that doesn’t even come with a salutation addressed to you by name?  Apparently it needs to be repeated, but if it looks too good to be true, it generally is.  Unfortunately, you still receive these emails because people still fall for these scams.  When you get such an email, the only thing you should do is get a good chuckle out of it and then delete it immediately.

Scam of the day – December 16, 2014 – Danger of smartwatch hacking

December 16, 2014 Posted by Steven Weisman, Esq.

Samsung’s Android smartwatches represent  the latest development in wearable technology.  These modern marvels will enable people to access the Internet and easily send and receive messages.  Unfortunately, they were not developed with a strong security component.   A six digit PIN is all that is needed to access the smartwatch and a nearby hacker can readily use a brute force attack by which large numbers of passwords flood the device until the correct password is found in order to gain access and control of the smartwatch and put your information in jeopardy thereby making you a potential victim of identity theft.

TIPS

Fortunately, with present technology the hacker would have to be relatively close to the victim to hack into the device, but this is of little consolation as hackers would be trolling for smartwatches in public places such as malls as the devices become more popular.  Samsung and the other smartwatch developers need to provide greater security protection, perhaps through a password or automatic encryption, however, at the moment these devices are in need of enhanced security before you can feel comfortable using them for anything of a personal nature.  As the entire “Internet of things” including smart refrigerators and cars, it becomes more important for the manufacturers of these things to pay more attention to our personal security.

Scam of the day – December 15, 2014 – FBI warns American businesses of Iranian hackers

December 15, 2014 Posted by Steven Weisman, Esq.

The FBI has sent out a confidential warning to American businesses about an imminent threat of hacking by Iranian hackers who may, or may not, be state sponsored.  The attack appears to be focused on the always vulnerable educational institutions as well as energy companies, airlines and defense contractors.  The FBI warning provides detailed technical information about the different types of malware used in the attack as well as information about techniques such as spear phishing that are being used by the hackers to enable their malware to be unwittingly downloaded on to the computer networks of the targeted companies.  Spear phishing, as you may remember is a technique whereby the victim receives a seemingly legitimate email message addressed to the victim by name that lures the victim into clicking on a link that downloads the malware used to attack the company.

TIPS

This particular Iranian hacking scheme may be the same one recently identified as Operation Cleaver by the security firm Cylance  recently that uncovered attacks on more than fifty companies in sixteen countries including the United States.  As for us as individuals, we need to recognize that regardless of how careful we are at protecting the security of our own personal information, that information, as seen in the recent Sony hacking is only as safe as the companies with the weakest security practices that hold our information.  Therefore, whenever possible you should limit the companies and governmental agencies that have your personal information.

Scam of the day – December 14, 2014 – CFPB stops student loan scams

December 14, 2014 Posted by Steven Weisman, Esq.

The Consumer Financial Protection Bureau (CFPB) announced that it is suing Student Loan Processing.US alleging it illegally marketed student loan debt relief services and in a separate action closed College Education Services for illegally marketing student loan debt relief services.   According to CFPB Director Richard Cordray, “Student loans are already a significant debt for many Americans…College Educations Services and Student Loan Processing.US added to that hardship by taking advantage of troubled borrowers and failing to describe their services honestly.”   College Education Services targeted students through ads and its websites CollegeDefaultedStudentLoan.com and HelpStudentLoanDefault.com where it falsely promised lower payments in return for advance payments that ranged between $195 and $2,500 although federal law requires that payments for such debt settlements not be paid for in advance.  Student Loan Processing US. charged its customers 1% of the loan balance or $250 in advance for its debt settlement services and falsely represented that it was affiliated with the U.S. Department of Education.  With Americans owing more than a trillion dollars in student loans, it is no surprise that scammers see this as a great opportunity to take advantage of desperate people.  I have warned you many times in the past about various student loan scammers.

TIPS

Two important things to remember are not to pay advance fees and not to provide your Federal Student Aid PIN to debt settlement companies.  Legitimate companies do not need your Federal Student Aid PIN to help you.  It is also important to note that help with student loans is available for free.  The best place to go if you are having difficulty with a student loan is directly to the servicer of the loan.  You can also find helpful information at StudentLoanBorrowerAssistance.org which is a website maintained by the National Consumer Law Center.  The United States Department of Education also has a lot of helpful information about student loan consolidation and other things you can do to reduce your payments at https://studentaid.ed.gov/repay-loans/consolidation.   You can also check out their Income-Based Repayment program and their Pay As You Earn program which are available at no cost to the borrower. The Department of Education also has a toll-free number where you can get helpful loan information at 1-800-4-FEDAID.