Scam of the day – February 25, 2017 – Google Chrome malware threat

Google Chrome is the most popular web browser and this popularity has made it a target of hackers who have managed to inject malware into vulnerable websites created with the popular WordPress software.  The malware, in turn, attacks the Google Chrome browser, making the website unreadable, at which point a pop-up message appears that says, “The ‘Hoefler Text’ font wasn’t found” and prompts the unwary victim to download a software update to fix the problem.  Unfortunately, if you download the suggested corrective software, you are in fact downloading malware to your computer.

TIPS

This particular scam takes advantage of vulnerabilities in WordPress software so it is very important, if you use WordPress for your website, as many people do, to update your WordPress security whenever security patches become available.  WordPress even allows you to have the security updates done automatically so you never delay in installing necessary updates.  I urge you to exercise this option.

In regard to this particular scam, although the pop-up appears to come from Google Chrome to correct the font issue, Google Chrome will never provide downloads for correcting fonts.  Real messages from Google Chrome will never appear as an overlay to a website.  Finally, never click on links or download attachments of any kind without first verifying that the link or download is legitimate.  The risk is too great.

Scam of the day – February 24, 2017 – Talking doll banned in Germany

Cayla, a new doll from Genesis Toys, seems like such a nice girl, but according to the Bundesnetzagentur, the German telecommunications regulatory agency, she is a spy and she is now banned from Germany. Cayla is a part of the ever-expanding Internet of Things and according to the Bundesnetzagentur, Cayla has hidden cameras and microphones that could be used to record private conversations over an insecure Bluetooth connection.

Cayla is not the first doll to be so equipped.  In the fall of 2015, the latest incarnation of Barbie, the “Hello Barbie,” was introduced.  Hello Barbie also has hidden microphones and speakers, but instead of Bluetooth technology, uses Transport Layer Security (TLS), which is an encryption protocol, to protect the privacy and security of communications.

TIPS

Many of the devices that make up the Internet of Things come with preset passwords that can easily be discovered by hackers.  Change your password as soon as you set up the product.  Also, set up a guest network on your router exclusively for your Internet of Things devices.

Scam of the day – February 23, 2017 – FTC settles robocall scam charges regarding Caribbean cruise scam

The Federal Trade Commission and ten states have settled civil charges against Fred Accuardi and a number of his affiliated companies that used illegal robocalls and telemarketing to sell Caribbean cruises under the guise of the victims receiving a free cruise for participating in a survey.

Between October 2011 and July 2012, the defendants made 15 million illegal robocalls each day in which the person answering the call was told that he or she had been chosen to participate in a thirty second survey in return for which he or she would receive a free two day cruise to the Bahamas.  The truth is that the calls were used to market cruises of Caribbean Cruise Lines, Inc., in which the consumers were persuaded to pay for more expensive, higher level cruise packages.

TIPS

Automated robocalls are a scam that has been with us for many years and, despite the best efforts of the Federal Trade Commission, is still victimizing many people.  It is easy to identify a robocall that is a scam.  If you get a robocall, it is a scam.  Commercial robocalls are illegal.  In 2013 I reported to you about how the FTC, in an effort to combat robocalls, held a contest with a $50,000 prize to the person who came up with the best solution to stop robocalls. The winners that year were Aaron Foss and Serdar Danis, who split the prize.  Their solution involved software that will filter out calls being placed by a computer or someone identified as an unwanted caller.  When you use the software, if a robocall comes in, it rings once on your phone and then your phone automatically hangs up on the call.  So all you have to do is let the phone ring and if it stops after one ring, it was a robocall.

The software developed by Foss and Danis is now available to anyone for free for your landline and for $4.99 per month for both your landline and mobile phone.  The company providing the service is Nomorobo and you can sign up for the service at https://www.nomorobo.com/

Longtime Scamicide reader Marty Kenney recently reminded me about Nomorobo.  He has used it for a long time successfully.

Scam of the day – February 22, 2017 – Latest security updates from the Department of Homeland Security

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates from the Department of Homeland Security include critical updates for Adobe software including Adobe Flash.

I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.  According to the security company Symantec, 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash.

TIPS

Here is the link to a list of all of the recent security updates as posted by the Department of Homeland Security:

https://www.us-cert.gov/ncas/bulletins/SB17-051

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight.

Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/ while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Scam of the day – February 21, 2017 – U.S. Army warns about sextortion

The Army Criminal Investigation Command is warning military personnel about the dangers of sextortion.  Sex extortion or sextortion has been around for years on the Internet with criminals persuading people into performing sexual acts online that are recorded and then used to blackmail the victims.  The Army’s Computer Crime Investigative Unit (CCIU) is warning soldiers about extortionists who threaten to send the videos to the Soldier’s command, family and friends unless they pay a ransom.  Special Agent Daniel Andrews, the Director of the CCIU, advises soldiers, “Be cautious of your online communications and do not share intimate, personal information with strangers or people you have never met in person.”

According to Andrews, some sextortionists demand not only a payment, but also sensitive military information or access to Army systems or facilities.

TIPS

The best solution to any problem is to avoid the problem altogether.  If you are going to indulge in cybersex or phone sex, it should only be done with people whom you totally trust.  Engaging in such activities with strangers or people you do not know well is asking for trouble.  The Army Criminal Investigation Command advises military personnel who have been caught up in this scam not to send the demanded payments and to cease all communication with the extortionists.  Victimized soldiers should notify the CCIU at usarmy.cciuintel@mail.mil or 571-305-4478 to report the crime.

Scam of the day – February 20, 2017 – Immigration assistance scams

Immigrants concerned about their status as American immigration laws and policies are changing are being preyed upon by scammers posing as attorneys and charging for immigration forms that can be obtained free or claiming to have special relationships with immigration officials that enable them to obtain favorable results.  Advertisements for such phony lawyer services are appearing on flyers in store windows and throughout social media.  The truth is that these scammers offer no services of any value and merely exploit the fears and concerns of immigrants in the United States.

TIPS

You can always check on the status of an attorney in your state by checking online with your state’s bar association or board of registration for lawyers.  In addition, people needing access to free or low cost legal advice regarding immigration issues should go to the U.S. Citizenship and Immigration Services’ (USCIS) website by clicking on this link to get access to such low cost and free services that you can rely upon. https://www.uscis.gov/avoid-scams/find-legal-services

Scam of the day – February 19, 2017 – WhatsApp adds dual factor authentication

WhatsApp is a mobile messaging app for your smartphone that allows you to send text messages, photographs, videos and audio.  With more than a billion people using WhatsApp, it is not surprising that it has become attractive to scammers seeking to use its popularity to lure people into becoming scam victims.  Also, like many popular apps, it has been a target of hackers seeking to take over the accounts of legitimate users of the app and send out malware filled messages that appear to be trustworthy because the messages look like they are coming from someone the victim trusts.

Mere passwords have not proven to be a particularly secure method of authentication.  Many people use simple-to-guess passwords and even what may appear to be complex passwords can often be identified by sophisticated hackers using password cracking software.  However, more and more companies such as Facebook, Twitter, Google, Tumblr, Yahoo and others are using dual factor authentication, by which, when your password is used to access your account, a special code is sent to your smartphone that must be used in order to complete access to the account. This provides dramatically enhanced security.  Now WhatsApp has become the latest app to offer dual factor authentication.

TIPS

Passwords are just too vulnerable to be the sole method of authentication for important apps or accounts.  Whenever you are able to use dual factor authentication for a particular website, account or app, you should take advantage of this.  Some dual factor authentication protocols do not require it to be used when you are accessing the account from the computer or smartphone that you usually use, but only if the request to access the account comes from a different device, which still provides security without even having to use the special code.
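The flow described above, shown from the service's side as an added example (not code from WhatsApp or any company named here): after the password check, a one-time code is required unless the login comes from a device that has already passed a code check. The class name, the five-minute code lifetime, the attempt limit and the device-token scheme are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed value)

class TwoFactorLogin:
    """Hypothetical service-side logic; every name here is illustrative."""

    def __init__(self, server_key: bytes, clock=time.time):
        self.key = server_key
        self.clock = clock
        self.pending = {}   # user -> [hash of code, expiry time, attempts left]

    def _mac(self, *parts):
        msg = "|".join(parts).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def device_token(self, user, device_id):
        # Token a device keeps after one successful code check.
        return self._mac("device", user, device_id)

    def start_login(self, user, device_id, token=None):
        """Call only after the password was verified. Returns (status, code)."""
        expected = self.device_token(user, device_id)
        if token and hmac.compare_digest(token, expected):
            return "ok", None            # usual device: no code needed
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [self._mac("code", user, code),
                              self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return "code_required", code     # a real service sends this to the phone

    def finish_login(self, user, device_id, code):
        """Returns a device token on success, None on any failure."""
        entry = self.pending.get(user)
        if entry is None:
            return None
        code_hash, expires, attempts = entry
        if self.clock() > expires or attempts <= 0:
            del self.pending[user]       # expired or guessed too many times
            return None
        entry[2] -= 1                    # count this attempt before comparing
        if not hmac.compare_digest(code_hash, self._mac("code", user, code)):
            return None
        del self.pending[user]           # each code works only once
        return self.device_token(user, device_id)
```

The device token is bound to both the account and the device identifier, so a token copied to a different device still triggers the code prompt.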

Scam of the day – February 18, 2017 – Florida man sentenced for Business email scam

Recently, Jeffrey Ihm was sentenced to eleven years and eight months in federal prison after being convicted of multiple criminal counts related to his business email scam through which he managed to steal $2,234,681.

Ihm posed in emails as executives of a number of legitimate companies, such as Roper Industries, and tricked Wells Fargo Bank and other financial institutions into sending him the money.

This scam, which is often referred to as the business email scam, has become a serious problem in the last couple of years with many companies becoming victims of the scam.

TIPS

The key for businesses is to have a protocol in place in regard to approvals necessary and verification required before paying bills, particularly when funds are requested to be wired.

The lesson also applies to all of us as individuals.  Scammers also send individuals phony bills that appear to come from companies with which we do business, but with a different address to send the money. Never send a payment to a different address from that which you have used in the past unless you have verified both the accuracy of the bill and the address.

Scam of the day – February 17, 2017 – Company hit twice by W-2 scam

Income tax identity theft is a multibillion-dollar problem that costs the government and, by extension, us, the taxpayers, billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen, as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund.  Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

I have been warning you for a year about identity thieves tricking companies into providing employee W-2s to them.  These stolen W-2s contain all of the information the identity thieves need to file a fraudulent income tax return.  The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

This scam continues to plague companies both big and small and recently, Monarch Beverage, Indiana’s biggest beer and wine distributor, acknowledged that not only had it recently become a victim of this scam, turning over W-2s of more than 600 employees to identity thieves, but that in the course of its investigation into the matter, it found it had been victimized last year by the same scam.

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs.  In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are.  These same lessons that apply to companies also apply to all of us as individuals, as well.  Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.”  Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information.  Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.

Scam of the day – February 16, 2017 – New twist on mail theft

Identity theft is a high tech, low tech and no tech crime and while we often tend to focus our attention on high tech identity theft tactics such as spear phishing, no tech tactics such as fishing for mail with a plastic bottle covered in glue that is lowered into blue public mailboxes to capture mail being sent with checks are making a comeback.  In the Bronx, New York, just in the last year, police and postal inspectors have made about 150 arrests according to Donna Harris of the U.S. Postal Inspection Service.

I have warned you for years that leaving mail with checks or credit card information in your personal mailbox outside of your home with the flag raised to alert your postal carrier that there is mail in your box to be retrieved is a bad idea because it also alerts identity thieves who can easily steal the mail.  Once they have the checks, they can “wash” the name or even the amount of the check and make the check payable to the thief. They also can use the account number of your check to create counterfeit checks to access your checking account.

TIPS

This is an easy crime to avoid.  The best course of action is to pay your bills electronically and avoid the problem altogether.  However, if you cannot do so or prefer to send a paper check by mail, you should use a gel pen that is not easily “washed” to write your checks and you should mail envelopes with checks in them directly from inside the post office.