
Scam of the day – September 2, 2014 – Beware of nude photos of Jennifer Lawrence, Kate Upton and others

September 2, 2014 Posted by Steven Weisman, Esq.

News of stolen nude photos and videos of more than a hundred celebrities, including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Rihanna, Avril Lavigne, Hayden Panettiere, Hope Solo, Cat Deeley, Kaley Cuoco, Kim Kardashian, Scarlett Johansson and others, is sweeping across the Internet.  Although a few of the named celebrities, such as Victoria Justice, have denied the accuracy of the photographs, many of them, including Jennifer Lawrence and Kate Upton, have confirmed that, much to their chagrin, the photos and videos are real.  Exactly how these photographs and videos were stolen is not known at the moment, but it appears that they were taken from Apple’s iCloud.  A vulnerability in Apple’s iCloud security may be at the root of the problem, but another scenario is that the fault lies with the account holders themselves.  Anyone who obtains someone’s email address and password can simply log in to that person’s iCloud account and download the photographs and videos.  Obtaining an email address is an easy task for any hacker, and passwords can be obtained either from other hacked accounts where the same password was reused or, as is often the case, by using the “forgot password” link on Apple’s iCloud, as on other accounts.  The answers to the security questions used to reset the password through the “forgot password” function are generally easy to find for celebrities, whose personal information, such as where they went to high school or the other details commonly used in security questions, is readily found online.

The security flaw, however, may also have been with Apple.  A vulnerability in the Find My iPhone service may have permitted hackers to mount a brute force attack, flooding the login with computer-generated password guesses until the correct password was found, because the service did not limit how many wrong passwords could be tried against an account.  Apple has now patched this weakness so that repeated failures to enter the correct password lock the user out, which makes this kind of attack ineffective.
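To show why the unthrottled login described above falls to password flooding while a lockout stops it, here is a small simulation.  It is an added example, not Apple’s code and not how Find My iPhone was implemented; the login service, the account, its password and the attacker’s word list are all constructed for the illustration.

```python
"""Added example (not Apple's code): an unthrottled login versus one with a
lockout, attacked with the same constructed password list."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Low iteration count so the demo stays fast; production would use far more.
KDF_ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so stored credentials are not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class UnthrottledLogin:
    """Accepts unlimited guesses: a wrong password costs the attacker nothing."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))


class LockoutLogin(UnthrottledLogin):
    """Same check, but max_failures consecutive failures lock the account."""

    def __init__(self, max_failures: int = 5) -> None:
        super().__init__()
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.max_failures

    def login(self, user: str, password: str) -> bool:
        if self.is_locked(user):
            return False  # refuse even a correct password while locked
        ok = super().login(user, password)
        # A success resets the counter; a failure moves one step closer to lockout.
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


# Constructed attacker word list; real attacks use millions of leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "sunshine", "princess", "dragon", "monkey", "football"]


def brute_force(service: UnthrottledLogin, user: str) -> Optional[str]:
    """Flood the login with every candidate; return the one that works, or None."""
    for guess in WORDLIST:
        if service.login(user, guess):
            return guess
    return None


def demo(user: str = "celeb@example.com", password: str = "princess") -> dict:
    """Attack both services with the same list and report what happened."""
    weak = UnthrottledLogin()
    weak.register(user, password)
    hardened = LockoutLogin(max_failures=5)
    hardened.register(user, password)
    return {
        "unthrottled_found": brute_force(weak, user),   # the password, found on guess 7
        "lockout_found": brute_force(hardened, user),   # None: locked after 5 failures
        "locked": hardened.is_locked(user),             # True
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the unthrottled service gives up the password after a handful of guesses, while the lockout version stops answering after five failures and refuses even the correct password afterwards.  A hard lockout has a cost of its own: an attacker who knows your email address can lock you out of your own account on purpose, which is why real services prefer per-source rate limiting, increasing delays between attempts and a second factor rather than a lockout alone.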

So what does all of this mean to you?

This hacking presents two separate problems.  The first is that identity thieves will take advantage of the public’s interest in these photos and videos.  You will receive emails, text messages or social media postings with links that promise to bring you to the stolen photographs but that instead download keystroke logging malware when you click on them.  Once this malware is installed on your computer, smartphone or other portable device, your personal information will be stolen and used to make you a victim of identity theft.

The second problem is the same problem faced by the celebrities whose accounts were hacked.  How do you keep your accounts secure?

TIPS

Don’t give in to the temptation to view these photos and videos online.  Ethically, it is the wrong thing to do.  It is also too risky an activity.  You cannot trust any email, text message or social media posting that promises access to these photos and videos.  Many of them will be laced with malware and you cannot know which ones to trust.  Trust me, you can’t trust anyone.  In addition, identity thieves will be setting up phony websites that promise to provide these photos and videos but will only end up installing malware on your computer when you click on links in those websites.  Identity thieves are often adept at search engine optimization, so a phony website might appear high in your search results.

As for securing your own accounts, use a unique password for each of your accounts so that if one account is hacked, your other accounts are not in jeopardy; password reuse is exactly how a password stolen from one site is turned into access to another.  Make sure each password is long and complex enough that it cannot be guessed by a brute force attack.  Check out my book “Identity Theft Alert” for advice on how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information about you is online that can be used to answer your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” to the question of your mother’s maiden name, and to record that answer somewhere safe as you would a password.  Also, take advantage of the two-factor authentication offered by Apple and many others.  With two-factor authentication, your password is only the starting point for accessing your account.  After you have entered your password, the site you are accessing sends a special one-time code to your smartphone, and you must enter that code as well before you get in.  Had Jennifer Lawrence and the other hacked celebrities had two-factor authentication protecting the accounts that held these photos, a guessed or reset password alone would not have been enough to get at them.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, it may not be gone.  Smartphones automatically copy photographs and videos to cloud services, such as Google+ Auto Backup on Android phones and iCloud on iPhones, and deleting the copy on the phone does not necessarily delete the copy in the cloud.  You can, however, change the settings on your smartphone to stop your photos from being automatically preserved in the cloud.

Scam of the day – September 1, 2014 – Phone scams

September 1, 2014 Posted by Steven Weisman, Esq.

Although so much of our attention is focused on scams perpetrated on the Internet and through high technology, a recent survey confirmed that low technology, namely the telephone, is still fertile ground for scams.  According to the Truecaller/Harris survey, more than 17 million Americans became victims of telephone scams during the past year, at a cost of 8.6 billion dollars.  One scam specific to the telephone is “cramming,” in which fraudulent charges are added to your phone bill and often go unnoticed by people who pay little attention to the detailed information in lengthy monthly phone bills, particularly for wireless service.  There are many ways these unauthorized charges make their way onto a victim’s bill; sometimes consumers unknowingly sign up for premium texting services for things such as flirting tips, horoscopes or celebrity gossip.  Whatever the source of the charges, they are fraudulent, typically cost about $9.99 per month and continue to appear month after month until you notice and dispute them.  You can find more detailed information about cramming by putting the word “cramming” into the archives section of Scamicide.  Other telephone fraud occurs when people provide personal information over the phone to scamming telemarketers, or to scammers who entice or frighten the person receiving the call into providing personal information or making a payment, as in the current scam in which you receive a call purportedly from the IRS demanding payment for outstanding taxes.

TIPS

To protect yourself from cramming, never click on links or sign up for anything unless you have carefully read the fine print to see what else you may be signing up for, and read every line of your phone bill each month for charges you do not recognize.  In fact, you should never click on links in an email or text message unless you have independently verified that it is legitimate.  As for calls from telemarketers, not all telemarketers are criminals, but you have no way of knowing when you receive a call whether the person on the other end is legitimate, so never provide personal information or a payment in response to a telephone call until you have independently verified it.  You may also wish to put yourself on the federal Do Not Call list to avoid telemarketers.  Here is a link to the Do Not Call list if you wish to enroll.  https://www.donotcall.gov/  Apart from the few kinds of calls the registry does not cover (charities, political calls, surveys and companies you already do business with), a telemarketer who still calls you after you have registered is breaking the rules and should be treated as a scammer; ignore the call.  You can still receive calls from charities even if you are on the Do Not Call list, but again you cannot be sure that the caller is really from the charity, so never give money over the phone to a telemarketer who calls you on behalf of a charity.  It is also worth noting that when you do donate through a legitimate charity telemarketer, the telemarketer takes a percentage of your contribution as a commission.  If you want your donation to do the most good, contact the charity directly to make your donation.

Scam of the day – August 31, 2014 – Ponzi Investment scammer convicted

August 31, 2014 Posted by Steven Weisman, Esq.

It is interesting to note that when it comes to investment scams, sophisticated investors are often the victims.  This was true in the Ponzi scheme of Bernie Madoff and it was true of the investment scam of the recently convicted David Rose.  Rose specialized in scamming doctors and dentists, whom he lured into investing in what they thought were companies doing research and development in the medical field.  Rose was, as many scam artists are, a slick operator.  He met with clients and provided them with private placement memoranda that described in detail how the money was to be invested.  Unfortunately, of the two million dollars he took from investors, none was actually invested in anything.  Instead, Rose spent the money on luxury boats and cars, jewelry and other personal uses.

TIPS

The rules for protecting yourself from investment scams are always the same.  Before investing in anything, make sure you understand the investment and carefully investigate both the investment and the person advising you to make it.  In addition, a red flag present in both the Madoff scam and the Rose scam is that the person advising the investment was also the custodian of the funds.  They should never be the same person.  Always have a separate broker-dealer from your individual adviser, so that the actual funds and investments are held and monitored by a third party and the account statements you receive come from someone other than the person recommending the investments.

Scam of the day – August 30, 2014 – New scam threats springing from J.P. Morgan data breach

August 30, 2014 Posted by Steven Weisman, Esq.

As I have told you so many times, whenever something catches the attention of the public, it also catches the attention of scammers and identity thieves, who use it as a hook to turn the public’s interest into scam victims.  The recent death of Robin Williams and the Ice Bucket Challenge are two examples of things that fascinated the public and were used to turn people into scam victims.  You can find the details of both scams in previous Scams of the day.  Now the J.P. Morgan bank hacking is a big news story, and it should be.  The data breach at J.P. Morgan and a number of other banks poses a serious threat to the financial well-being of many people.  Scammers and identity thieves are capitalizing on this concern and fear to send emails and text messages in which they pose as J.P. Morgan or other banks.  In these messages you are told about problems with your account that require your immediate attention and are directed to click on a link for further information.  If you click on the link, however, you will end up downloading keystroke logging malware that steals the personal information from your computer and is used to make you a victim of identity theft.  In another variation of this scam, you are directed to reply with your bank account information “for verification purposes.”  Of course, if you do this, all you will succeed in doing is handing an identity thief the information he or she needs to steal money from your accounts.

TIPS

Whenever you receive an email or a text message, you cannot be sure who sent it.  Even if the sender’s address appears legitimate, it is easy for a scam artist (remember, they are called artists) to “spoof” or counterfeit a legitimate address, because the sender address you see is just text that whoever sent the message filled in.  Never provide personal information in response to an email or text message.  Never click on links in emails or text messages unless you are absolutely sure the message is legitimate.  If you think the email or text message may be legitimate, call the bank or other purported sender at a phone number that you have independently confirmed, such as the one on the back of your card or on a statement, to inquire.  Don’t call the number provided in the message.
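One check a mail filter (or a careful reader) can apply to the messages described above, as an added example that is not from any bank or mail provider: compare the domain the From: line claims against the hosts of the links in the body, and flag the links that lead somewhere else.  The two messages, the domains bank.example and bank-example-secure.example.net and the addresses in them are constructed for the illustration.

```python
"""Added example (not from any bank or mail provider): flag links in a message
whose host does not belong to the domain the From: header claims."""
import email.utils
import re
from email import message_from_string
from email.message import Message
from typing import List
from urllib.parse import urlparse

# Constructed phishing sample: the From: line claims the bank, the link does not.
PHISHING_EMAIL = """\
From: Bank Alerts <alerts@bank.example>
To: customer@example.com
Subject: Urgent: unusual activity on your account
Content-Type: text/plain; charset=us-ascii

We detected a problem with your account. Verify your details within 24 hours:
http://bank-example-secure.example.net/verify?id=1234
or call 1-555-0100.
"""

# Constructed legitimate sample: the link stays on the sender's own domain.
LEGIT_EMAIL = """\
From: Bank Alerts <alerts@bank.example>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=us-ascii

Sign in at https://www.bank.example/statements to view it.
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain in the From: header. This is text the sender chooses freely; only
    SPF/DKIM/DMARC results (not checked here) say whether it was spoofed."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def link_hosts(msg: Message) -> List[str]:
    """Hostnames of every http(s) link in a plain-text body."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    return [(urlparse(url).hostname or "").lower() for url in URL_RE.findall(body)]


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (www.bank.example),
    but not a look-alike such as bank.example.evil.net or evilbank.example."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_message: str) -> List[str]:
    """Hosts of links that do not belong to the domain the sender claims."""
    msg = message_from_string(raw_message)
    claimed = sender_domain(msg)
    return [h for h in link_hosts(msg) if not same_org(h, claimed)]


if __name__ == "__main__":
    print(suspicious_links(PHISHING_EMAIL))  # ['bank-example-secure.example.net']
    print(suspicious_links(LEGIT_EMAIL))     # []
```

The From: header is ordinary text that any sender can fill in, which is exactly what spoofing means; mail systems use SPF, DKIM and DMARC to decide whether the sending server was actually allowed to use that domain, and this script does not attempt that.  What it does catch is the common case of a message whose links lead somewhere other than the sender it claims to be, which is also the check to make by hand: hover over the link and read the address before clicking.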

Scam of the day – August 29, 2014 – J.P. Morgan and other banks hacked

August 29, 2014 Posted by Steven Weisman, Esq.

The FBI is investigating an apparent hacking of banking giant J.P. Morgan and as many as four other banks by what initially appears to be sophisticated hackers from Eastern Europe.  Some are theorizing that the hacking was sponsored by the Russian government in retaliation for sanctions imposed on Russia in the wake of its actions in Ukraine.  Much sensitive data was compromised and stolen as a result of the hacking.  The initial investigation appears to be focusing on the exploitation of software used by a J.P. Morgan employee to work from a remote location.  Remote desktop software such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway and LogMeIn offers the convenience of logging into a company’s computers from off site, but a remote access login exposed to the Internet and protected only by a password that can be guessed or stolen has proven to be a major weakness, exploited in company after company for quite a while, from Target’s hacking last year, where a vendor’s stolen remote access credentials were the way in, to the recent UPS hacking.  I have warned people about this flaw for some time, and the FBI has warned American businesses to watch for it.

TIPS

Banks are a frequent target of cyberattacks, and American banks have generally done a good job in recent years of protecting data; however, as this latest hacking shows, more needs to be done, particularly against malware of the type used in this attack, which may be the “Backoff” malware I have been warning about or something similar to it.  As consumers, there is little we can do other than carefully monitor all of our accounts, use credit cards rather than debit cards for retail purchases and limit the amount of personal information we provide to any company or governmental agency with which we do business.  This will not be the last major hacking to exploit this flaw.

Scam of the day – August 28, 2014 – Department of Homeland Security hacked

August 27, 2014 Posted by Steven Weisman, Esq.

It probably does not make you feel very secure to learn that the Department of Homeland Security has suffered yet another security breach.  This one was disclosed recently by the Department of Homeland Security (DHS).  The breach actually occurred at a third-party contractor, US Investigations Services (USIS), which performs background checks for DHS.  In the breach, personal information on 25,000 or more DHS employees was taken by what appear to be hackers working for a foreign government.  USIS already has somewhat of a checkered past, having been the company that did the background check on former NSA contractor and whistleblower Edward Snowden as well as on Aaron Alexis, the military contractor employee who shot and killed twelve people at the Navy Yard in Washington, DC.

TIPS

This is just another example of the fact that regardless of how good you are at protecting your personal data, you are only as secure as the organization with the weakest security that holds your information.  This applies to private companies and government agencies alike; there have been many data breaches at both.  The best you can do is to limit, as much as possible, the information you provide to anyone and always be vigilant in monitoring all of your accounts for fraud and identity theft.

Scam of the day – August 27, 2014 – Android phones vulnerable to hacking

August 27, 2014 Posted by Steven Weisman, Esq.

The Android operating system is used in many popular smartphones, including the Google Nexus, HTC, Samsung Galaxy, Motorola Moto and LG Electronics phones.   Recently, researchers at the University of California, Riverside discovered a dangerous weakness in the Android operating system that lets a malicious app spy on most other apps.  Once an app carrying the malware has been unwittingly installed, it uses memory statistics that Android shares between apps as a side channel to work out what another app, such as an online banking app, is showing on screen at that moment, and then steals information at exactly that moment, for example by popping up a fake login screen over the real one, all without asking for any special permission and so without tripping the Android system’s permission and security checks.  Among the apps the researchers were able to attack this way were those of Chase Bank and Gmail.  The Chase Bank app is particularly problematic because the attack let a hacker capture pictures of checks photographed with the Android smartphone as well as bank account information, making identity theft and stealing from the victim’s bank account a simple task.

TIPS

Until the Android developers manage to fix this vulnerability in their operating system, the most prudent thing that Android users can do is to make sure that they are careful in downloading apps to avoid the tainted apps required to exploit this vulnerability.  Stick to apps sold or provided at legitimate app stores and make sure that your anti-virus and anti-malware software is up to date.

Scam of the day – August 26, 2014 – Sony PlayStation Network hacked

August 26, 2014 Posted by Steven Weisman, Esq.

Over the past weekend, Sony’s PlayStation Network was taken offline by a group of hackers calling itself Lizard Squad.  The PlayStation Network is used by 53 million gamers around the world to play games with other people in a virtual environment.  The network was brought down by a simple but still effective tactic called a distributed denial of service (DDoS) attack, in which hackers use a botnet to overwhelm and clog the network with artificially high traffic.  A botnet, as you may remember, is created when hackers infiltrate the computers of unwary users and take them over, using them to send malware, spam or, as here, floods of junk traffic.  Often the owners of the computers in a botnet, sometimes called zombie computers, are not even aware that their machines are being used for these purposes.  In this case all Sony suffered was downtime and a minor embarrassment; however, in 2011 the PlayStation Network was hacked and the personal information, including credit card information, of 77 million people was stolen.

TIPS

Although this particular attack on Sony did not compromise the personal information of any PlayStation Network users, the security of Sony and the other online gaming network companies remains vulnerable.  It is for this reason that you should limit, as much as possible, the personal information you provide these companies, to protect yourself in the event of a data breach.  Also, do not leave your credit card number on file with any company as a convenience.  Provide the number anew each time you use it online so that it is not stored by the company and exposed in a data breach.  Also, as I constantly remind you, never use your debit card for retail purchases.  Limit its use to ATMs.

Scam of the day – August 25, 2014 – “Backoff” malware stealing millions of credit card and debit card data

August 25, 2014 Posted by Steven Weisman, Esq.

In my Scam of the Day for August 1, 2014 I first warned you about the danger of the malware referred to as “Backoff,” as described in a warning issued by the Department of Homeland Security on July 31st.  Backoff is the name of a family of malware that identity thieves and hackers install on retailers’ point of sale card processors and cash registers, where it scrapes credit and debit card data out of memory as cards are swiped; the hackers then sell that data on black market websites to other identity thieves.  It is the same kind of point of sale memory-scraping malware that was used in the infamous Target data breach, and Backoff itself has been linked to the more recent breaches at Supervalu stores and UPS Store locations.  The malware is very hard to detect and, according to the Secret Service, has been found at more than 1,000 companies and has resulted in the theft of millions of credit and debit card numbers over the last year; most of those companies still do not even know that their security has been breached, which is why this story keeps being repeated as new stores finally become aware of their data breaches.   The situation has gotten so dire that the Department of Homeland Security issued a new warning to retailers about Backoff and what companies should be doing.  Here is a link to the Department of Homeland Security’s most recent security alert. https://www.us-cert.gov/ncas/current-activity/2014/08/22/Backoff-Point-Sale-Malware-Campaign

TIPS

There is much that corporate America should be doing to help protect the security of its data which includes credit and debit card information on all of us.  However, there is little we, as individuals, can do to advance this process other than to put pressure on companies to provide better security including two-factor authentication and better passwords.  However, what we all should be doing is refraining from using our debit cards for retail transactions because of the limited consumer protection laws that apply when fraudulent debit card purchases are made as well as the serious inconvenience of remedying the problem if your debit card information is stolen.  We also should be carefully monitoring our credit card usage for fraudulent use in order to identify as early as possible any data breaches affecting the security of our credit cards.  The earlier you recognize that your credit card has been compromised, the easier it is to fix the problem.

Scam of the day – August 24, 2014 – Ice Bucket Challenge scams

August 24, 2014 Posted by Steven Weisman, Esq.

According to the old saying, “no good deed goes unpunished,” and this phrase could apply to the ALS Ice Bucket Challenge, which has been taking the country by storm.  As everyone knows by now, people are dousing themselves with buckets of icy water as part of a national fund-raising effort to support the fight against amyotrophic lateral sclerosis, or ALS, also commonly known as Lou Gehrig’s disease.  We have all seen videos online and on television of various people doing the challenge in entertaining and unusual ways, and many celebrities and politicians have been caught up in this viral campaign.  Unfortunately, as with anything that captures the public’s imagination, the Ice Bucket Challenge has also captured the imagination of scam artists, the only criminals we refer to as artists.  They are sending emails and text messages that purport to provide links to particularly enticing and entertaining examples of the Ice Bucket Challenge, such as purported videos of popular celebrities, politicians or athletes being doused, but the links, when clicked, download keystroke logging malware that steals the personal information from your computer and is used to make you a victim of identity theft.

Another Ice Bucket Challenge related scam relates to websites or links for you to click on in order to make a charitable contribution.  Scammers have been busy setting up phony ALS charities and soliciting online and through telemarketing for phony ALS charities where your contribution will not go to ALS research and prevention, but rather to line the pockets of a scammer.

TIPS

In regard to avoiding the Ice Bucket Challenge video scams, my advice is the same as always: never click on links in emails or text messages unless you are absolutely sure they are legitimate.  Even if a message appears to come from a real friend, you cannot be sure that your friend’s email account has not been hacked by a scammer who is sending you the tainted text or email.

As for avoiding the ALS charitable contribution scams, my advice is the same for all charitable solicitations: whenever you are contacted by phone, mail, email, text message or any other form of communication, you can never be sure that the sender is actually from a legitimate charity.  In addition, many phony charities have names quite similar to those of legitimate charities, and you can be fooled into giving a contribution to a scammer.  Before making any charitable contribution, first check out the charity at www.charitynavigator.org, where you can find out whether the charity is actually legitimate.  Charitynavigator.org also reports how much of a particular charity’s contributions goes toward its charitable purposes and how much goes toward salaries and administrative costs.  Once you have ascertained that a charity is legitimate, go to the charity’s own website to make your contribution directly.  In the case of the ALS Association, its website is http://www.alsa.org/