Category: ‘Site Related’

Scam of the day – April 24, 2015 – Security danger found in 1,000 apps

April 24, 2015 Posted by Steven Weisman, Esq.

Cybersecurity company, SourceDNA has announced that it found a major security flaw in a version of the open source code AFN Networking software used by app developers to create apps for iPhones, iPods and iPads.  This security flaw would enable a hacker to easily bypass the app’s security and provide a hacker to gain access to the app user’s credentials and banking data.  Fortunately, the flaw does not affect all of the 100,000 apps that use AFNetworking.  Only 1,000 are affected by the version of AFNetworking that contains the flaw, however, this number includes apps from major companies including Microsoft, Yahoo and Uber.  Some app developers have already patched the problem, however not all of the affected apps have been patched yet so everyone who uses iPhones, iPods and iPads should check to make sure that the apps they are using are safe and secure.  You can go to SourceDNA’s website with this link to find out if your apps are secure http://searchlight.sourcedna.com/lookup

TIPS

If you are not using an iPhone, iPod or iPad, you do not need to worry about this particular threat.  If you do use these devices you should check out at the link provided above to see if the apps you use are still affected.  If the any of the apps you use are still affected, you should stop using those apps until the flaw is patched.  You also should change your password for apps that have been affected.

 

Scam of the day – April 23, 2015 – Medicare to finally stop using Social Security numbers on Medicare cards

April 22, 2015 Posted by Steven Weisman, Esq.

As we all know, a person’s Social Security number is the key to making that person a victim of identity theft.  Armed with that number, an identity thief can access a person’s credit, file a phony income tax return in the name of the victim and, in general make life miserable for the person whose Social Security number has been compromised.  Where at one time it was commonplace for states to use a person’s Social Security number as the number on a person’s driver’s license, it is now illegal for states to do so.  The Department of Defense, the Veteran’s Administration and numerous other private and governmental entities no longer use the Social Security number as an identifying number in order to reduce identity theft.  However, for more than ten years, the Department of Health and Human Services, the government agency that supervises Medicare, the governmental health insurance program in which 50 million Americans are enrolled, refused to heed the advice of the Government Accountability Office (GAO), the White House Office of Management and Budget and the Inspector General of Social Security to change the identifying number prominently displayed on a person’s Medicare card from the person’s Social Security number to a safer identifying number.  But now, a new federal law was passed that requires Medicare to start issuing cards with a randomly generated Medicare beneficiary identifier rather than the person’s Social Security number, however, Medicare does not have to start doing so for four years.  They have an additional four years to replace the cards of current beneficiaries with new cards with the new identifying numbers.  When fully implemented, this law will significantly reduce the vulnerability of Medicare recipients to identity theft.

TIPS

This legislation is a good step from many perspectives.  It was passed with bipartisan support and does show that Republicans and Democrats can work together.  There is much that can be done to protect us from scams and identity theft that should be able to be done with bipartisan support and hopefully, this law is just the first of many that will help provide greater security to Americans from scams and identity theft.  However, people who are present Medicare recipients with cards that will for years still contain their Social Security numbers should take greater precautions to protect these cards from being used by identity thieves.  One of the primary things to do is to not carry the card in their wallets or purses unless they absolutely need to bring it with them to a medical appointment.  Additionally, they should take precautions to make sure that documentation that carries their Social Security or Medicare number is properly secured and away from the eyes of caregivers or others who might seek out this information for purposes of identity theft.  Finally, when disposing of documents that contain their Social Security number, they should cross shred the documents to prevent dumpster diving identity thieves from getting this information.

Scam of the day – April 22, 2015 – Watch out for the Simda botnet

April 21, 2015 Posted by Steven Weisman, Esq.

Recently the Department of Homeland Security joined Interpol and the FBI to issue a serious warning about a botnet called the Simda botnet.  A botnet, as readers familiar with Scamicide will know, is a network of infected computers used by cybercriminals to spread malware.  According to the Department of Homeland Security more than 770,000 computers have already been affected by the Simda botnet which has been around since 2009 preying on computers that are not properly protected by up to date anti-malware software.  The Simda malware not only enables the cybercriminals to use their victims’ computers to spread this and other malware, but it also enables the cybercriminals to steal personal information from the infected computers that make up the botnet and then use that information for purposes of identity theft.

TIPS

Here is a link to which you can go to find out if your computer has been infected with the Simda malware.  http://www.cyberdefense.jp/simda/

If you have been a victim of the Simda malware, you should install anti-virus and anti-malware software to rid your computer of the Simda malware.  You should then change the passwords for all of your accounts because they have been compromised.  You should also get a copy of your credit report from each of the three credit reporting agencies, Equifax, TransUnion and Experian to determine if you have already become a victim of identity theft.  You should also lock up your credit reports with a credit freeze at each of the three credit reporting agencies.  You can find instructions as to how to do this here in the Scamicide archives.

Even if you have not become a victim of the Simda malware, you should make sure that your anti-virus and anti-malware software is constantly updated.

Scam of the day – April 21, 2015 – 14 year old charged with felony hacking

April 21, 2015 Posted by Steven Weisman, Esq.

Domanik Green a 14 year old, eighth grader from Florida has been charged with a felony for hacking the computer of one of his teachers and changing the desktop background to a picture of two men kissing.  The hacking was easy to accomplish because the teacher used an easily guessed password.  The hacking itself was more of an innocuous prank than a serious hack.  The student made no attempt to change grades or even access other data.  Yet under Florida law, Green was charged with a felony, which, if he is convicted of, could have a serious effect on his ability to get a job or go to college.  More than anything else, the incident highlighted the school’s security failings.  It has been reported that the particular school attended by Green used weak passwords and that students were even able to view the teachers entering their passwords.

TIPS

Hopefully, a more appropriate sanction other than a felony conviction will be done in this case.  This case also, once again, highlights the importance of using strong passwords and keeping them secret.  It is also important for people to use unique passwords for every account that they have.  A strong password will combine capital letters, small letters and symbols.  A good way to pick a password is to choose a short phrase, such as IDon’tLikePasswords and then add a couple of symbols so it reads IDon’tLikePasswords!!! which can then be used as a base password to be adapted by a few letters to indicate a particular account so, for instance using this password for an Amazon account would make it IDon’tLikePasswords!!!Ama.  That would be a strong and unique password.

Scam of the day – April 20, 2015 – Latest security updates from the Department of Homeland Security

April 19, 2015 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  Users of the affected programs should make sure that they update their software with these latest security patches as soon as possible.  Today’s updates include important security patches for Google Chrome, Oracle, Adobe Flash, Adobe ColdFusion, Flex, and Microsoft Windows.  The Adobe Flash vulnerability had been exploited by Russian hackers to obtain information from the computers of other governments.

TIPS

Here are links to the latest security updates from the Department of Homeland Security:

https://www.us-cert.gov/ncas/current-activity/2015/04/15/Google-Releases-Security-Update-Chrome

https://www.us-cert.gov/ncas/current-activity/2015/04/15/Oracle-Releases-April-2015-Security-Advisory

https://www.us-cert.gov/ncas/current-activity/2015/04/15/Adobe-Releases-Security-Updates-Flash-Player-ColdFusion-and-Flex

https://www.us-cert.gov/ncas/current-activity/2015/04/14/Microsoft-Releases-April-2015-Security-Bulletin

Scam of the day – April 19, 2015 – American Express phishing scam

April 19, 2015 Posted by Steven Weisman, Esq.

Many people are reporting receiving the following email which appears to have been sent by American Express.  It reads as follows:

“Dear American Express customer:

We have recently detected that a different computer user has attempted gaining access to your online account and multiple passwords were attempted with your user ID. Hence it is necessary to re-confirm your account information and complete a profile update. You can do this by downloading the attached file and updating the necessary fields. Note: If this process is not completed within 24-48 hours we will be forced to suspend your account online access as it may have been used for fraudulent purposes. Completion of this update will avoid any possible problems with your account. Thank you for being a valued customer.”

American Express is a popular credit card with more than a hundred million cardholders worldwide so when scammers send out a blast of emails such as the one above, they are bound to find a considerable number of American Express cardholders among the people receiving this email.  This type of email scam, which is called “phishing” attempts to scare the person receiving the email into downloading the attachment or, in other instances, clicking on a link, in order to fix the problem described in the email.  Because the problem is both plausible and serious, many people fall for this scam and download the attachment or click on the link.  In this particular scam, the attachment downloaded malware that stole personal information from the computers of the people downloading the attachment and used that information to make them victims of identity theft.  In addition, the attachment also asked for personal information that also could be used for identity theft purposes.

TIPS

Regardless of how legitimate an email or text message appears and regardless of how much it may appear to require immediate action on your part, you should never click on a link or download an attachment in any email or text message unless you are absolutely sure that it is legitimate.  In this case, the mere fact that the email is addressed to “Dear American Express customer” rather than to the email recipient by name is an indication that this is a scam.  In any event, the best thing to do, if you believe that the email might be legitimate, is to contact American Express directly at the phone number on the back of your American Express credit card to find out whether or not the email or text message was legitimate.

Scam of the day – April 18, 2015 – TD Bank hit by a skimmer

April 18, 2015 Posted by Steven Weisman, Esq.

The Chelmsford Massachusetts police are investigating a skimmer that was found installed on a branch of TD Bank in Chelmsford Massachusetts.  Skimmers are small electronic devices that are easily installed by an identity thief on ATMs and other card reading devices, such as at gas pumps.  The skimmer steals all of the information from the credit card or debit card which then permits the identity thief to access that information to access the victim’s bank account when the skimmer is used on a debit card attached to a bank account.  Each skimmer can hold information on as many as 2,400 cards.

TIPS

Always look for signs of tampering on any machine through which you swipe your credit card or debit card.  If the card inserting mechanism appears loose or in any other way tampered, don’t use it.   Debit cards, which are used at ATMs when compromised through a skimmer put the customers at risk of having the bank accounts tied to their cards entirely emptied if they do not report a theft promptly.   Skimmers at ATMs are often coupled with a thin, clear electronic device that goes on top of the keyboard to capture the victim’s PIN to enable the identity thief to access the account of the victim whose account number was captured through the skimmer.

Scam of the day – April 17, 2015 – Mass email service hacked

April 16, 2015 Posted by Steven Weisman, Esq.

Many people may not be aware of SendGrid, but there is a good chance that you have received an email from them.  SendGrid is a mass email service that is used by 180,000 companies worldwide including Uber, Pinterest, Spotify and Foursquare when companies wish to send mass email messages to their customers, such as when a company wants to alert customers to a service update. When you receive an email from SendGrid or other such mass email services, it appears that the message is being sent by the company with which you have an account, but it actually comes from SendGrid or other mass email services.  Last week one of the companies that uses SendGrid had its SendGrid account hacked in an attempt to hack into the company’s account with Coinbase, a Bitcoin exchange.  Although the company, unnamed by SendGrid, had its account with Coinbase hacked,  according to SendGrid no Bitcoins were stolen.  Last year a similar attack aimed at stealing Bitcoins from another SendGrid client, ChunkHost was foiled because, Chunkhost used dual factor authentication, preventing the hacker from accessing the Bitcoins in Chunkhost’s account even after the hackers had managed to steal ChunkHost’s password.  More and more hackers are trying to hack into the accounts of users of mass email services such as SendGrid because it enables the hacker to make his or malware containing message appear to come from a trusted source.

TIPS

Remember my motto, “trust me, you can’t trust anyone.”  Merely because an email or text message appears legitimate or appears to come from a trusted email address is no reason to trust the message and click on links contained in the email or text message or download attachments to such emails or text messages.  The risk is too great.  Never click on links or download attachments unless you are absolutely sure that they are safe and legitimate.  Even if you are protected by the latest security software, you are still not safe because the most updated anti-malware and anti-virus software is always at least a month behind the latest malware.

Scam of the day – April 16, 2015 – Airline hacking danger

April 16, 2015 Posted by Steven Weisman, Esq.

As more and more devices that we use, such as everything from refrigerators to cars become connected to the Internet for convenience, the threat of these devices being hacked has become a significant problem.  I wrote about this recently in my USA Today column dealing with the danger of what has come to be known as the Internet of Things.  Here is a link to that column.  http://www.usatoday.com/story/money/columnist/2015/04/04/weisman-internet-of-things-cyber-security/70742000/  In that column, I referred to a previous GAO study that indicated security threats involving the FAA’s air traffic control system and its vulnerability to hackers.

Earlier this week the General Accountability Office (GAO) issued a new report detailing the security threat posed to commercial airplanes due to the extensive connection of many of its systems to the Internet.  According to the GAO, “Modern aircraft are increasingly connected to the internet.  This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”  The WiFi used by passengers on an airplane is part of the same IP network used for the cockpit controls.    The GAO went on to note that “According to cybersecurity experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”  Even though firewalls separate these functions, as we have seen in numerous hacking of the computer systems of major companies, firewalls certainly do not guarantee security from sophisticated hackers.   As a part of its report, the GAO made three recommendations for the FAA to follow in order to increase the safety and security of air travel.

TIPS

There is little that we as individuals can do to insure our safety while flying, however, as consumers we can demand of the companies with which we do business that they build safety and security into their products that are a part of the Internet of Things.  And while we have little control over our security while flying, we can protect our security elsewhere on the Internet of Things in regard to webcams, heating systems and elsewhere by taking some elementary steps, such as:

1. Don’t store personal identifying information on any device. Don’t even use your real name.
2. Use a unique and complex password for all of your devices so that if one is hacked, all of your devices are not jeopardized.
3. Read the fine print and find out what information is gathered and stored by your devices as well as how that information is used by the manufacturer.
4. Your smartphone is the entrance way to your car’s connectivity. Keep your smartphone protected with a strong and unique password as well as anti-virus and anti-malware security software.
5. Change the default usernames and passwords on all of your home network devices.
6. Use and update anti-virus and anti-malware software on your home computer network.