Scam of the day – October 28, 2016 – Yet another Adobe Flash emergency security patch

October 28, 2016 Posted by Steven Weisman, Esq.

For the sixteenth time in the last twelve months, Adobe has issued new security updates for Adobe Flash software. I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House. Problems with Adobe Flash are nothing new. In 2010 Steve Jobs vociferously complained about its security, and it has routinely been cited as being extremely vulnerable. Despite security patch after security patch, new problems keep coming up. According to the security company Symantec, 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash.

Beginning on October 11th Microsoft began blocking outdated versions of Adobe Flash from running in Internet Explorer on Windows 7.  If you use Windows 8.1, Windows 10 or Windows Server 2012R2, this will not affect you because these systems automatically install Adobe Flash security patches.  In addition, Google has indicated that it will drop support for Adobe Flash in Chrome later this year.

It appears that, just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash. If it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function but is safer. Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic, if I can mix my metaphors.


Here is the link to the latest Adobe Flash security update which I urge you to download as soon as possible if you wish to continue to use Adobe Flash:

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight. Silverlight can be downloaded free directly from Microsoft at this link: while GNU Gnash can be downloaded free at this link:

Scam of the day – October 27, 2016 – The truth about the Volkswagen settlement

October 27, 2016 Posted by Steven Weisman, Esq.

Earlier this week, Federal Judge Charles Breyer gave final approval to a settlement of the class action brought on behalf of the 475,000 purchasers and lessees of Volkswagen and Audi 2.0 liter diesel cars. As you may remember, Volkswagen had tampered with software used to measure emissions of the cars to make them appear to comply with EPA regulations. The class action is based upon false advertising and will result in payments of more than ten billion dollars to VW and Audi owners and lessees of the VW Beetle and Beetle Convertibles for the years 2013-2015, VW Golf & Golf SportWagens for the years 2010-2015, VW Jetta & Jetta Sportwagens for the years 2009-2015, VW Passats for the years 2012-2015 and Audi A3s for the years 2010-2013. Consumers will have the choice of a buyback or having their cars fixed, in addition to payments ranging from $5,100 to $10,000 per owner.

Consumers should be aware that there are people trying to take advantage of this settlement by contacting affected car owners and making alternative offers. Some of these offers are even coming from independently owned VW dealers. In some instances, these offers falsely imply that the new offers are part of the court approved settlement, and misrepresent to customers that they are required to take any payments received pursuant to the settlement and apply them to new purchases of Volkswagens or Audis. Finally, as with so many scams, the scammers misrepresenting the terms of the settlement pressure their victims into acting quickly, implying that they will miss out on an opportunity unless they act immediately.


If you are an affected car owner, don’t feel pressured into accepting offers from sources other than the approved Volkswagen settlement process. For more detailed information about the settlement, including charts to help you estimate how much you will receive if you purchased or leased one of the affected automobiles, go to the FTC Scam Refunds tab at the top of the first page and click on the link to the official information from the FTC for details about the settlement.

Scam of the day – October 26, 2016 – How to protect yourself in the Internet of Things

October 25, 2016 Posted by Steven Weisman, Esq.

Distributed Denial of Service (DDoS) attacks that temporarily shut down companies’ websites by flooding them with more traffic than they have the capacity to accommodate are nothing new. What was unusual about last week’s DDoS attack against Dyn, a prominent Domain Name System (DNS) provider that hosted such popular sites as Amazon, Twitter, Spotify, Netflix and PayPal, was that the botnet of hijacked devices used to launch the attack was not made up of hacked computers. Instead it was made up of hacked devices such as smart televisions and webcams that make up the Internet of Things: devices connected to the Internet that one would not generally think of as requiring security. However, anything that is connected to the Internet can be hacked and made part of a botnet, and therefore requires security precautions.

So what can you do to protect yourself from having your devices hacked and becoming part of a botnet?


Your first line of defense is your router, so it is important to change the default password with which your router came. In addition, each of your Internet of Things devices should have its own distinct password. Unfortunately, particularly for older devices that are a part of the Internet of Things, security was not built into these devices and they may not even be password enabled. Another helpful device is an Internet hub, which is a device that can control multiple Internet of Things devices through a single mobile app that utilizes dual factor authentication and encryption. The manufacturers of these Internet hubs, such as Samsung’s SmartThings, also provide regular security updates. Not all Internet of Things devices are hub certified, which is why, when buying an Internet of Things device, you should look for hub certification as an indication that the manufacturer is security conscious.

Finally, and perhaps of greatest importance in protecting yourself from becoming part of a botnet, is to do what you already should be doing: refraining from clicking on links or downloading attachments in emails that may contain the malware enabling a hacker to access first your computer and then move through it to your entire network of Internet enabled devices. Never click on links or download attachments unless you have absolutely confirmed they are legitimate.
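The precautions above (no vendor default passwords, a distinct password per device, hub certification, regular updates) can be turned into a simple audit of your own device inventory. This is an added example, not code from the original post; the device records and the list of "known default" credentials are constructed sample data, not real vendor defaults.

```python
"""Audit a home-network device inventory against the precautions in the post.

Added example, not part of the original post. The inventory and the
KNOWN_DEFAULTS set below are constructed sample data, not real device records
or real vendor defaults.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed (kind, username, password) triples standing in for vendor defaults.
KNOWN_DEFAULTS = {
    ("router", "admin", "admin"),
    ("router", "admin", "password"),
    ("camera", "admin", "1234"),
    ("tv", "root", "root"),
}


@dataclass
class Device:
    name: str
    kind: str                     # "router", "camera", "tv", "plug", ...
    username: Optional[str]
    password: Optional[str]       # None means the device has no password at all
    hub_certified: bool = False
    last_update: Optional[str] = None   # ISO date of last firmware update, if any


def audit(devices):
    """Return a mapping of finding -> list of device names that match it."""
    findings = {
        "default_credentials": [],
        "no_password": [],
        "shared_password": [],
        "not_hub_certified": [],
        "never_updated": [],
    }
    # Count how many devices use each password so reuse can be spotted.
    pw_counts = Counter(d.password for d in devices if d.password)
    for d in devices:
        if d.password is None:
            findings["no_password"].append(d.name)
        elif (d.kind, d.username, d.password) in KNOWN_DEFAULTS:
            findings["default_credentials"].append(d.name)
        if d.password and pw_counts[d.password] > 1:
            findings["shared_password"].append(d.name)
        if d.kind != "router" and not d.hub_certified:
            findings["not_hub_certified"].append(d.name)
        if d.last_update is None:
            findings["never_updated"].append(d.name)
    return findings


# Constructed sample inventory exercising every finding.
SAMPLE_INVENTORY = [
    Device("Home router", "router", "admin", "admin", False, "2016-10-01"),
    Device("Front door cam", "camera", "admin", "1234"),
    Device("Living room TV", "tv", "owner", "Spring-2016-tv!", True, "2016-09-01"),
    Device("Baby monitor", "camera", None, None),
    Device("Smart plug", "plug", "user", "Spring-2016-tv!", True, "2016-08-15"),
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_INVENTORY).items():
        print(f"{finding}: {names}")
```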

Scam of the day – October 25, 2016 – Russian hacker indicted

October 25, 2016 Posted by Steven Weisman, Esq.

Last week a Russian hacker, Yevgeniy Aleksandrovich Nikulin, was arrested in the Czech Republic twelve hours after an International Criminal Police Organization (Interpol) Red Notice was issued notifying law enforcement officials that Nikulin, who operates with impunity inside Russia, was vacationing with his girlfriend in Prague. A Red Notice is akin to an international arrest warrant. Nikulin was under indictment in California for hacking into LinkedIn, Dropbox and another company, Formspring. Through hacking into these companies, Nikulin was able to steal personal information on more than 167 million people. Nikulin’s arrest came just two days after the Obama administration stated that it was the Russian government that had stolen emails from the Democratic National Committee and others in the United States. The Russian government has demanded that Nikulin be returned to Russia. A Czech judge has ordered Nikulin to remain in custody until an extradition hearing.


Nikulin is the second Russian hacker arrested after leaving the safe confines of Russia on vacation. In 2014, Roman Valerevich Seleznev was arrested in Guam and extradited to the United States, where he was convicted of hacking into the cash register systems of American companies. Seleznev was convicted on 38 counts last summer and is awaiting sentencing. In the wake of increased Russian hacking and cybercrimes being perpetrated against the American government, American companies and individuals, the Obama administration has indicated that it will be responding accordingly. Meanwhile an American vigilante hacker who goes by the name of “The Jester” hacked into the website of the Russian Foreign Affairs ministry and posted a threat that if Russia did not cease cybercrimes against the United States, he would hack Russian targets.

October 24, 2016 – Steve Weisman’s latest column for USA Today

October 24, 2016 Posted by Steven Weisman, Esq.

I submit my columns for USA Today a week in advance, so this particular column, which was published in today’s edition of USA Today, was written prior to the massive DDoS attack that occurred on Friday, October 21st. However, the exploitation of the Internet of Things, as was done to perpetrate the DDoS attack, is the subject of my column. Here is a link to it.

Scam of the day – October 24, 2016 – Phony political poll scam

October 23, 2016 Posted by Steven Weisman, Esq.

Political polls have been a major part of our election process for many years.  Generally, people are contacted by telephone to answer questions about the candidates and their policies.  Because it is so common at this time of year to be called by a political pollster, scammers also will call posing as pollsters in an effort to trick their victims into providing information that can be used for purposes of identity theft.  Often they will dangle the reward of a gift card or other prize to lure people into participating in the scam poll.  Scammers can also manipulate your Caller ID through a technique called “spoofing” to make it appear that their calls are coming from legitimate pollsters.


Legitimate pollsters do not offer prizes or other compensation for participating in their polls.  They also will never ask for personal information such as your Social Security number, credit card number or banking information.  Anyone posing as a pollster asking for such information is a scammer and you should hang up immediately.

Scam of the day – October 23, 2016 – SEC bars financial adviser for churning

October 23, 2016 Posted by Steven Weisman, Esq.

Churning is the name for the practice by unscrupulous stockbrokers who make excessive stock trades on behalf of their clients, not in an effort to maximize the profit of their clients, but to maximize their own fees for making the trades, since the stockbroker gets paid every time he or she makes a trade. Recently the Securities and Exchange Commission (SEC) barred former financial adviser Paul T. Lebel from acting in the future as a broker or investment adviser due to his having fraudulently churned the accounts of some of his clients in a manner that was inconsistent with their investment objectives but instead maximized his fees as a broker. Lebel did not contest the action taken by the SEC, although he did not admit guilt.


Some people give their investment advisers too much authority when it comes to executing trades on their behalf. It rarely makes sense to give your stockbroker the authority to trade whenever he or she wants. Make sure that you make the final decision on any recommended trade. More importantly for everyone, you should carefully read your monthly brokerage statement. Many people fail to do so because the monthly statements may appear too confusing, and they end up missing early evidence that their account is being manipulated by a financial adviser churning it.

Scam of the day – October 22, 2016 – Massive DDoS attack hits Eastern United States

October 21, 2016 Posted by Steven Weisman, Esq.

For a few hours yesterday many Internet users on the East Coast of the United States were unable to access some of the most popular destinations on the Internet, including Amazon, Twitter, Spotify, Netflix and PayPal, as a result of a massive Distributed Denial of Service (DDoS) attack on Dyn, a prominent Domain Name System (DNS) provider that hosts the attacked companies’ websites. Domain Name System providers permit you to type in a simple web address such as which then gets translated into the long, complicated numeric Internet address of the company and connects you to their website. A DDoS occurs when the DNS provider gets flooded with an overwhelming amount of traffic, which causes the website to shut down. Often the traffic comes from an army of botnet computers, which are computers of unsuspecting people that become infected and can be remotely used to send the huge amounts of communications necessary to cause a DDoS. This problem has become magnified as the cybercriminals infiltrate and incorporate into their botnets not just computers, but also the myriad of devices that make up the burgeoning Internet of Things. Anything that is connected to the Internet can be hacked and made part of a botnet. Too often, many of these devices that make up the Internet of Things are poorly protected with weak passwords and are easily hacked.

While this particular DDoS was remedied after a few hours, the threat of DDoS attacks continues to increase.  Banks and other financial institutions have found themselves particularly targeted in the last year by DDoS attacks.  The potential for major disruption of the Internet by DDoS attacks is significant.


There is nothing that we as consumers can do to stop DDoS attacks other than to maintain the security of our own computers and Internet-connected devices so that they do not become part of a botnet. Companies, however, should be taking a number of steps to protect themselves from future DDoS attacks beyond the regular firewalls and routers, configured as well as they can be to reject malicious traffic. These include the use of load balancers to spread traffic across multiple servers within a network, creating additional capacity to handle the traffic, as well as cloud-based services to identify and divert malicious traffic.

Already we have seen the threats of DDoS attacks used to extort money from companies and the threat that DDoS attacks pose is increased because cybercriminals are now selling the malware necessary to carry out such attacks on the Dark Web which is that part of the Internet where cybercriminals do business.  In addition, cybercriminals can also rent the use of botnets on the Dark Web as well to assist them in carrying out their crimes.
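The post makes the point that a botnet built from Internet of Things devices floods a DNS provider with traffic from a great many sources at once. A defender's first instinct, rate-limiting each source, misses exactly that case, so the added example below (not code from the original post, and not Dyn's) runs two checks over a constructed DNS query log: a per-source threshold that catches one chatty address, and an aggregate rate check that catches a flood spread thinly across thousands of devices. The log format, thresholds and IP addresses are all constructed for the example.

```python
"""Flag abusive single sources and distributed floods in a DNS query log.

Added example, not part of the original post. Log lines are constructed
sample data in the simple form "epoch_seconds src_ip qname".
"""
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 50     # queries per window from one source before it is flagged
WINDOW_SECONDS = 10       # size of the time buckets the log is split into
BASELINE_QPS = 100.0      # assumed normal aggregate query rate for this resolver
FLOOD_MULTIPLIER = 10     # a window above 10x baseline is treated as a flood


def parse_line(line):
    ts, src, qname = line.split()
    return int(ts), src, qname


def analyse(lines, per_source_limit=PER_SOURCE_LIMIT, window=WINDOW_SECONDS,
            baseline_qps=BASELINE_QPS):
    """Return (flagged_sources, flood_windows).

    flagged_sources: set of IPs exceeding per_source_limit in any window.
    flood_windows: list of (window_start, total_queries, distinct_sources) for
    windows whose aggregate rate exceeds FLOOD_MULTIPLIER x baseline, even when
    no single source is above the per-source limit.
    """
    windows = defaultdict(Counter)          # window_start -> Counter(src -> count)
    for line in lines:
        ts, src, _ = parse_line(line)
        windows[ts - ts % window][src] += 1
    flagged = set()
    flood_windows = []
    for start, counts in sorted(windows.items()):
        total = sum(counts.values())
        flagged.update(src for src, n in counts.items() if n > per_source_limit)
        if total / window > FLOOD_MULTIPLIER * baseline_qps:
            flood_windows.append((start, total, len(counts)))
    return flagged, flood_windows


def make_sample_log():
    """Constructed log: a quiet window, one chatty source, then a distributed flood."""
    lines = []
    for k in range(60):                     # window 0-9: 3 sources, 20 queries each
        lines.append(f"{k % 10} 192.0.2.{k % 3 + 1} example.com")
    for k in range(60):                     # window 10-19: same normal traffic...
        lines.append(f"{10 + k % 10} 192.0.2.{k % 3 + 1} example.com")
    for k in range(80):                     # ...plus one source sending 80 queries
        lines.append(f"{10 + k % 10} 198.51.100.9 example.com")
    for i in range(2200):                   # window 20-29: 2200 devices, 5 queries each
        for k in range(5):
            lines.append(f"{20 + k} 10.{i >> 8}.{i & 255}.1 example.com")
    return lines


if __name__ == "__main__":
    flagged, floods = analyse(make_sample_log())
    print("flagged sources:", sorted(flagged))
    for start, total, sources in floods:
        print(f"flood in window starting {start}s: {total} queries from {sources} sources")
```

In the constructed flood window every device stays well under the per-source limit, so only the aggregate check fires; that is the window a cloud scrubbing service would need to divert.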

Scam of the day – October 21, 2016 – Report issued critical of IRS efforts to fight identity theft

October 21, 2016 Posted by Steven Weisman, Esq.

Yesterday, the Treasury Inspector General for Tax Administration (TIGTA) issued a report regarding its investigation into the IRS’ electronic authentication controls. The investigation was prompted by identity thieves using the IRS’ Get Transcript program to obtain the former income tax returns filed by an estimated 724,000 taxpayers and using the information contained in those income tax returns to file phony income tax returns in the names of the victimized taxpayers and obtain fraudulent refunds. The IRS did not become aware of the vulnerability of the Get Transcript program until May of 2015 and shut down the program until it was reintroduced, with what the IRS said was increased security, in June of 2016. The idea behind the IRS’ Get Transcript program was a good one, namely permitting taxpayers to get access to copies of their tax returns from previous years conveniently and electronically. An essential element of such a program is a strong authentication process to keep identity thieves from accessing this sensitive material, and unfortunately the authentication protocol used by the IRS was quite inadequate and did not meet industry standards, resulting in the data breaches that affected 724,000 taxpayers. In one instance the TIGTA report indicated that the IRS missed a hacker’s attempts to gain access to a victim’s tax return 902 times in a single 24 hour period.

The TIGTA report made seven specific recommendations for increased IRS security in regard to the electronic authentication process used to gain access to taxpayers’ records, and the IRS has agreed with all seven. However, a number of the recommendations have still not been implemented by the IRS, and the system is still not as secure as it should be.


The best way to avoid income tax identity theft is to file your income tax return as soon as possible because even an identity thief in possession of your Social Security number and other personal information that would enable him or her to file a phony income tax return in your name would not be able to get a payment from the IRS if you had already filed your return.

Scam of the day – October 20, 2016 – Utility company scam

October 20, 2016 Posted by Steven Weisman, Esq.

The electric utility company National Grid is warning its customers about phony telephone calls in which scammers posing as National Grid employees are calling customers and threatening to turn off their electricity if payment is not made immediately by wired funds or prepaid cash cards such as Green Dot MoneyPak. Whenever you receive a call in which you are advised to make a payment by way of a Green Dot MoneyPak card or any other prepaid card, you should be skeptical, because these prepaid cards are a favorite method for scam artists to scam you out of your money. This is because once the scammer has the card number, it is the same as cash: you cannot stop the payment nor trace to whom the payment was made. The scammers making these calls posing as National Grid are often quite intimidating and threatening. Your Caller ID may even indicate that the call is indeed from your utility company, but it is an easy thing for a scammer to “spoof” the number, making it appear that their call is coming from your utility company. You can never be sure when you receive a telephone call who is really calling you, which is why you should never provide personal information or make a payment to someone over the phone unless you have absolutely verified that the call is legitimate. Although National Grid is warning its customers about this scam, this type of scam is going on with other scammers posing as other utility companies as well.


Never make a payment to a utility company in response to a telephone call you receive demanding immediate payment. No utility will require immediate payment by way of a prepaid cash card, such as the Green Dot MoneyPak card or iTunes gift cards. If you are behind in your utility payments, call the utility company at a number that you know is accurate and discuss a payment plan with a legitimate representative of the utility company. If you receive a call about your account that you think might be legitimate, merely hang up and call the customer service number for your utility, which you can find on the back of your bill.