Scam of the day – December 5, 2016 – Online credit card fraud increasing

December 4, 2016 Posted by Steven Weisman, Esq.

Anti-fraud company Iovation is reporting that credit card fraud for online shopping during the first shopping weekend of the holiday shopping season that began on November 25th increased by 20% over last year and 34% over 2014.  This is not surprising because safer EMV credit cards, whose chip issues a new authorizing code every time the card is used, cannot use the chip capability when shopping online, leaving them more vulnerable to hackers accessing the victim’s credit card number, which can then be used by the criminal for online purchases.  People may become victims of this type of identity theft through security weaknesses either in their own devices or at websites where they shop.

TIPS

This year 55% of online shoppers used their smartphones and other portable devices to make their online purchases and while many people have security software installed and regularly updated on their computers, many people do not take the same type of precautions with their smartphones or other portable devices, leaving them in greater danger of being hacked.  The key is to protect all of your devices with security software and keep it updated to protect you from the latest strains of malware as well as to prevent the malware from ever being installed on your devices.  The best thing you can do to prevent the malware from becoming installed on your devices is to never click on links in emails or text messages unless you have absolutely confirmed that the communication and the link are genuine.  Clicking on tainted links in specifically tailored spear phishing emails and text messages is still the most common method by which malware is spread.

It is also important when shopping online to use your credit card rather than your debit card.  The consumer protection laws are stronger in regard to credit cards than debit cards and the inconvenience of having your debit card hacked is much greater than the problems you encounter when your credit card is hacked.

Scam of the day – December 4, 2016 – International law enforcement thwarts cybercrime ring

December 4, 2016 Posted by Steven Weisman, Esq.

After four years of intense investigation, a group of international law enforcement agencies from thirty countries led by German prosecutors has broken a huge cybercriminal network known as “Avalanche,” arresting five people and seizing five servers and more than 800,000 Internet domains.  Avalanche had been in existence since 2009, during which time it leased its services to other cybercriminals to enable them to create botnets of hacked computers to distribute a variety of malware including ransomware as well as malware used to access victims’ bank accounts.  Millions of dollars were stolen through the Avalanche network.  Prior to its operations being stopped, Avalanche networks sent out more than a million malware-infected emails every week and infected new computers at a rate of 500,000 every day.  If you did not lose money as a direct result of being a victim of the Avalanche network, your computer still may have been hacked and made a part of the botnets used by the cybercriminals using the Avalanche network.

TIPS

Perhaps the best aspect of the breaking of the Avalanche network is the fact that international law enforcement from thirty countries were able to work together in a concerted effort to apprehend the cybercriminals and break down their criminal enterprise.  The defeat of cybercrime will require continued international cooperation in order to be successful.

But what does Avalanche specifically mean to you?

With so many millions of infected computers around the world, there is a good chance that your computer could have been infected and made a part of the botnets created and used by Avalanche.  Federal authorities are recommending that you immediately perform security scans of your computers and other electronic devices to determine if your devices were infected and to remove any infections found.  The Department of Homeland Security suggested, without endorsing any particular company, the following free software security programs that you can use to determine if your computer is safe or not.  It is also important to note that Avalanche only infected computers using the Windows Operating System.

Here are links to security programs you can use:

https://www.eset.com/us/online-scanner/

https://www.f-secure.com/en/web/home_global/online-scanner

http://www.mcafee.com/us/downloads/free-tools/index.aspx

https://www.microsoft.com/security/scanner/en-us/default.aspx

https://security.symantec.com/nbrt/npe.aspx?&OpenDocument&src=npe&type=npe

http://housecall.trendmicro.com/

December 3, 2016 – Steve Weisman’s latest column for USA Today

December 3, 2016 Posted by Steven Weisman, Esq.

A recent Harris Poll indicated that 39% of Americans would give up sex for a year in return for cybersecurity.  Here is a link to my latest column for USA Today in which I describe some simple steps you can take to increase your cybersecurity without having to give up sex.

http://www.usatoday.com/story/money/columnist/2016/12/03/sex-cybersecurity-hmm-thinking/94548126/

Scam of the day – December 3, 2016 – Implications of Saudi Arabian hacking

December 3, 2016 Posted by Steven Weisman, Esq.

It has just been disclosed that unidentified hackers, thought to be Iranians, hacked into and destroyed thousands of computers at six Saudi Arabian government agencies including its General Authority of Civil Aviation.  This attack echoes a previous 2012 cyberattack, thought to be the work of Iranian hackers, that wreaked havoc on the Saudi state oil company Saudi Aramco, and in fact both attacks used the same malware, called Shamoon.  The malware was installed using passwords that appear to have been accessed through spear phishing emails.  This escalation of cyberwarfare is indeed troubling.

TIPS

It is well established that the infrastructure of the United States, including banks and a dam in New York, was targeted by Iranian hackers in recent years.  The lesson for governments, companies and individuals from this latest Saudi hacking is clear.  Much greater attention has to be given to cybersecurity.  The fact that the same Shamoon malware that was used in 2012 was able to be effectively used again is an indictment of the failure of the Saudis to implement updated security software that might have thwarted this attack.  Further, as we have seen time after time, the malware appears to have been downloaded through simple spear phishing in which a Saudi employee clicked on an infected link.  Better anti-phishing analytics security software should have been used and the employees should have been better trained to avoid clicking on links in emails unless they have been confirmed to be legitimate.  There are other steps that can and should be taken as well, but these two are the best and easiest to implement.

Scam of the day – December 2, 2016 – FTC settles with debt relief scammers

December 2, 2016 Posted by Steven Weisman, Esq.

A group of defendants including Steven D. Short and his wife Karissa L. Dyer have settled Federal Trade Commission (FTC) charges that they operated a scam debt relief business.  Under the terms of the settlement the defendants are barred from conducting debt relief services in the future and must also surrender assets frozen by the court while the charges were pending.  The scam originated with a phone call to victims in which the defendants identified themselves as “card services,” “credit services” or “card member services.”  They represented that they were doing business with the victims’ credit card companies and promised the victims that they would reduce the victims’ credit card interest rates and reduce the amount that they owed within 90 days for a fee of between $500 and $1,500.  In addition, they promised a full money back guarantee if they were not successful.  Unfortunately, it was all a scam and no one got anything in return for the money they paid to the scammers nor did anyone receive a refund.  The scammers managed to steal more than 12 million through this scam.

TIPS

You should never give personal information such as credit card numbers or Social Security numbers to someone who calls you on the phone because you can never be sure who is really on the other end of the line.  Even if your caller ID indicates the call is from a legitimate source, your Caller ID can be manipulated through a technique called spoofing to make it appear that the call is legitimate when it is not.

While there are some companies that provide debt relief services for a fee, the law requires that you not be required to pay any fee before your credit card rate is reduced or your debt lowered.  Some of the legitimate debt relief companies may require you to deposit money into a special bank account to be administered by an independent third party who will charge you a reasonable fee for paying funds from your account to your creditors and the debt settlement company after settlements have been reached.  Generally, you are better off working directly with your credit card company to restructure your debt or using the services of the legitimate American Consumer Credit Counseling, a non-profit corporation that can help you with debt relief.

Scam of the day – December 1, 2016 – Capital One online banking phishing scam

December 1, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email that download malware or trick you into providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  The Capital One phishing email reproduced below uses the common ploy of indicating that the bank needs you to update personal information for security purposes.  As phishing emails go, this one is not too bad, but it does have some telltale flaws.  Although the email address from which it was sent appears to be legitimate, upon closer examination you can determine it is not an official email address of Capital One.  Also, the email is not directed to you by name and does not contain your account number in the email.

TIPS

Obviously if you do not have an account with Capital One bank, you know that this is a phishing scam, but even if you do have an account with this bank, there are a number of indications that this is not a legitimate email from Capital One, but instead is a phishing email.  Legitimate banks would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number for your bank where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to purchase phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Capital One, to trap you if you make a mistake in dialing the real number.

DO NOT CLICK ON THE LINKS IN THE PHISHING EMAIL REPRODUCED BELOW

About your Capital One® account.
As part of our continuing effort to ensure we provide adequate security for your Online Banking.
We’re providing this update notification for your account security.
We need you to certify your account immediately to avoid third party access.
Please visit here to complete verification process.
Thanks for choosing Capital One® Online Banking

Scam of the day – November 30, 2016 – San Francisco commuter rail system hacked

November 30, 2016 Posted by Steven Weisman, Esq.

Late on November 25th, the San Francisco Municipal Transportation Agency (SFMTA), which operates the municipal rail system in San Francisco, referred to as “Muni,” was hacked when an SFMTA employee unwittingly clicked on a link in a phishing email and downloaded ransomware that locked and encrypted all of the SFMTA computer systems.  The hacker, who is thought to be Iranian, demanded a ransom of 100 bitcoins, which is approximately $73,000, or he would destroy the data.  The SFMTA is refusing to pay the ransom and has indicated that it has backed up the encrypted data which, it says, will be restored shortly.

Meanwhile, according to security researcher Brian Krebs, a white hat hacker hacked into the email of the original hacker and managed to take over the original extortionist’s email account by answering the extortionist’s security question.  The email account provided evidence that the hacker had been active in installing ransomware and obtaining ransom payments from numerous companies.

TIPS

There are a number of lessons for all of us as individuals to learn from this incident.  First and foremost is to install and maintain good security software including software that will help defend you against phishing emails.  However, no security software is totally effective against phishing emails, so you should never click on links in any email unless you have absolutely confirmed that the email is legitimate.  Second, you should back up all of your data either in the cloud or on a portable USB hard drive to protect yourself from the danger of ransomware.  Finally, in regard to security questions, which when answered give someone the ability to change your password, you should use a nonsensical answer to the question so it cannot be guessed or obtained through research about you.  For instance, if the question is what is your mother’s maiden name, you might make the answer “firetruck.”  You will remember it because it is so silly, but no one will be able to guess it by going through online databases or social media.

Scam of the day – November 29, 2016 – Giving Tuesday scams

November 29, 2016 Posted by Steven Weisman, Esq.

Following the major shopping days referred to as Black Friday and Cyber Monday now comes Giving Tuesday which was first designated as a special day to focus on helping out people in need through charitable gifts in 2012.  This is a time of the year when many people are receptive to solicitations from charities.  Unfortunately, not all of those solicitations will be from legitimate charities.  Many of those calls, letters and emails will be from scammers posing as charities.

Even if you are on the federal Do-Not-Call List, which I strongly recommend unless you want to talk to telemarketers, the law permits charities to contact you by phone.  Unfortunately, whenever you receive a telephone call, you can never be sure who is really calling you.  Even if your Caller ID indicates that the call you are getting is coming from a charity whose name you recognize, the call actually may be from a scammer using a technique called Spoofing to make it appear that the call is legitimate when it is not.  The truth is that the call you receive may or may not be from a legitimate charity or a telemarketer on behalf of a legitimate charity and you have no way of knowing who is really on the other end of the line.

TIPS

When you receive such a call from a telemarketer or someone purporting to represent a charity, if you are interested in the particular charity, the best thing you can do is just to ask them to send you written material.  Do not provide your credit card number over the phone to anyone who calls you because you cannot be sure that they are legitimate.  Also, as I have warned you in the past, many phony charities have names that are similar to real charities so it is always a good idea to investigate a charity before you make a charitable contribution.  In addition, when you receive a charitable solicitation telephone call from a telemarketer, the telemarketer is generally being paid a commission for the money he or she collects.  Thus, your contribution to the charity is diluted by the amount that goes to the telemarketer although as Jerry Seinfeld would say, “not that there is anything wrong with that.”  However, if you really want to make your charitable contribution go farther, you will be better served by first checking out the particular charity at www.charitynavigator.org where you can find out not only if the particular charity is legitimate, but also how much of your contribution goes toward administrative costs and how much actually goes toward the charity’s charitable work.  Charitynavigator.org will also show you the best address to send your contribution.  Then you can make your contribution directly to the charity without any amount being deducted for fund raising expenses.

Scam of the day – November 28, 2016 – How to protect yourself on Cyber Monday

November 28, 2016 Posted by Steven Weisman, Esq.

In recent years, the Monday after Thanksgiving has come to be known as Cyber Monday, the day on which many people shop online to get holiday bargains.  According to the National Retail Federation, 56.5% of holiday shoppers will be making their purchases online either through their computer, smartphone or other electronic device.

Hackers and identity thieves are always on the prowl trying to lure people into providing their usernames and passwords for their various accounts in order to use that information for purposes of identity theft.  A strong password is essential for cybersecurity, but it is not enough to keep you safe.  In addition to a unique password for every online account with which you do business, such as your bank account or an often frequented shopping website, you should also use enhanced authentication to provide further protection particularly in the event that your password is compromised.

TIPS

There are essentially three types of enhanced authentication from which you can choose to provide greater cybersecurity than merely using a password.  The first is a biometric such as your fingerprint that can be used to confirm your identity when accessing a particular account.  The second is a one-time code that is sent to your smartphone as a text message each time you attempt to log into one of your online accounts.  In order to access your account, you must include this one-time code.  The third form of enhanced security is a security key, which is a small device that can fit on your key chain and is inserted into a USB port on the device you are using to access your online account to confirm that it is you that is attempting to gain access to your account.  All of these methods can work well and some people will even use more than one in conjunction for greater security.

Scam of the day – November 27, 2016 – Holiday package delivery scams

November 27, 2016 Posted by Steven Weisman, Esq.

Today’s scam of the day is one that is with us throughout the year, but becomes much more common during the holiday shopping season.  It involves package deliveries from UPS, Federal Express or other delivery services and has a number of different variations.  In one variation, you receive an email that looks quite official and may even carry the logo for UPS, Federal Express or some other courier service.  The email tells you that there is a package for you, but you need to make delivery arrangements.  You then are instructed to either provide personal information, such as your credit card number or merely to click on a link.  If you provide personal information, you have just turned over that information to an identity thief.  If you click on the link, you will be downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.

In another variation of the scam, a notice of attempted delivery is left on your door with a telephone number for you to call and arrange for delivery of the package.  Once you call, the person answering requires you to provide personal information in order to confirm the order.  Of course, no delivery service needs any personal information from someone to whom they are delivering a package.  If they ask for such information, it is a scam.  And think about it.  Why would a delivery service need your Social Security number or credit card number if you are receiving a package?

TIPS

As I have told you many times, you cannot trust any link in an email until you have confirmed that the email is legitimate.  In this case, you should call the delivery service at a number that you know is accurate to confirm whether or not the email was legitimate.  You will then find that the email was a scam.  Delivery services do not send emails to the people receiving packages.  They don’t even know your email.  As for a telephone call from someone purporting to be a delivery service employee, you can never be sure whether someone really is who they say they are on the phone, so once again, you should call the delivery company at a number that you know is accurate to confirm whether or not the call was legitimate.  Finally, remember, no delivery service ever needs your personal information such as credit card number, Social Security number or birth date.  Anytime anyone asks for that information on a phone call to you, you should just hang up.