Scam of the day – October 13, 2014 – Attention Kmart shoppers: You have been hacked

October 13, 2014 Posted by Steven Weisman, Esq.

Yesterday, I told you about Dairy Queen becoming the most recent company to announce that it had been hacked.  Today, it is my duty to tell you that Dairy Queen has lost that honor to Kmart, which, in a filing with the SEC announced that it too had been hacked and suffered a data breach in which debit card numbers and credit card numbers had been compromised through the same type of “Backoff” malware that I have been warning you about for months.  The data breach began in early September and was discovered by Kmart on October 9th.   Required filings with the SEC have become the most common way for the public to learn that they have been involved with a data breach at the companies where they shop.  The pattern of this data breach again follows what I described in my column for USA Today on September 27th entitled “Coming soon:  Another major retailer hacked” in which I provided a fill-in-the-blank format for the stories of future data breaches in which I predicted exactly how they would occur in the future which is precisely what happened at Kmart.  Here is a link to that column: http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

Kmart has assured its customers that no debit card PINs were compromised, but this is of little consolation since as I described in my Scam of they day of January 1, 2014, identity thieves can often decipher PINs using computer programs that easily crack the many common PINs that people use.  To make things worse, even if you have a very secure PIN, as I described in my Scam of the day for September 12, 2014, identity thieves are exploiting vulnerabilities in bank security systems to merely change the PINs of the stolen cards and thereby bypass the need to know the PINs of the cards they steal.  Heads they win, tails you lose.

TIPS

As I so often say, you are only as safe as the places you do business with who have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag from the time that the data breach actually occurs and when the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

These kind of retail hackings will continue to happen and provide tremendous profits to hackers and identity thieves until retailers in the United States join the rest of the world and implement the smart card with chip technology used throughout the rest of the world.

Kmart will be offering free credit monitoring to affected customers.  For more information, go to their website www.kmart.com or call them at 888-488-5978.

Scam of the day – October 12, 2014 – Dairy Queen latest data breach victim

October 12, 2014 Posted by Steven Weisman, Esq.

Dairy Queen announced a few days ago that it had become the latest company to become a victim of a major data breach at 395 of its stores by way of the infamous “Backoff” malware downloaded on to the computer systems of the affected stores by first hacking into a third-party vendor of Dairy Queen that had access to the Dairy Queen computers.  Although the data breach was only recently discovered, the actual breach occurred in August and September.  The information stolen as a result of this data breach included the names of customers, their credit card and debit card numbers as well as the expiration dates of their cards.  This is the same malware and same method of implanting the malware that was first used on a large scale in the Target data breach and repeated in numerous other data breaches since then.  In fact, I wrote a column for USA Today on September 27th entitled “Coming soon:  Another major retailer hacked” in which I provided a fill-in-the-blank format for the stories of future data breaches in which I predicted exactly how they would occur in the future which is precisely what happened at Dairy Queen.  Here is a link to that column: http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

As I so often say, you are only as safe as the places you do business with who have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag from the time that the data breach actually occurs and when the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

Scam of the day – October 11, 2014 – Nude photos of Emily Watson scam

October 11, 2014 Posted by Steven Weisman, Esq.

Emma Watson is a popular, young actress who is best known for her role as Hermione in the Harry Potter movies.  She is one of the most well searched celebrities on the Internet.  This intelligent Brown University graduate also may be one of the few celebrities who did not have nude photos of her stolen from the cloud.  It may even because she has not taken such pictures.  Regardless, there are many people who would very much like to see nude photographs of her which is why a new scam first reported by the security firm Bitdefender comes as no surprise.  This scam starts with a Facebook posting that promises nude videos of Emma Watson for free, merely by clicking on a link.  If you click on the link the image reproduced below appears on your screen.  Unfortunately, if you download the attachment in order to view the promised video, you will not succeed in seeing a video of Emma Watson, but you will succeed in downloading malware called Trojan.Agent.BFQZ which will steal the information from your computer or other electronic device and use it to make you a victim of identity theft, make postings using your name on Facebook and sign you up for expensive text message services for which you will be billed through your cellular service.

The Emma Watson Trojan virus being shared on Facebook

TIPS

Without even getting into the morality and ethics of viewing what appear to be privacy invading, stolen nude videos of public figures, the plain, hard truth is that many of these solicitations to view these videos are just bait by scammers and identity thieves to lure you into clicking on links and downloading attachments that will install malware on your computer or other electronic device that will end up costing you money and making you a victim of identity theft.  Trust me, you can’t trust anyone.  Never click on links or download attachments unless you are absolutely sure that they are legitimate.

 

Scam of the day – October 10, 2014 – Increasing threat of smartphone hacking

October 10, 2014 Posted by Steven Weisman, Esq.

Hacking of smartphones was in the news recently with the revelation by Lacoon Mobile Security that the Chinese government through a phishing scam lured democracy protestors in Hong Kong into downloading a malware ladened app on to their smartphones that enabled the Chinese government to monitor the communications of protestors.  In this instance, smartphone users in Hong Kong were responding to a message on WhatsApp that read “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL.”  Those responding to the message and clicking on the link provided ended up downloading malware that enabled the Chinese government to monitor the smartphone users’ communications as well as provide access to all of the personal information stored on the phone.  Code4HK is the name of a group of computer programmers who have been working with the pro-democracy movement in Hong Kong, but had nothing to do with this software or message.  As we all become more and more dependent upon our smartphones, use them for sensitive financial transactions and store more personal information on them, they have become an increasing target for hackers and identity thieves.  Security company McAffee has said that the incidences of mobile malware increased 197% just between 2012 and 2013.

TIPS

The key to protecting the security of your smartphone from the threat of malware is to not downloading the malware in the first place.  One important rule to follow is to not install apps only from legitimate vendors.  Most carriers will also provide security software for your smartphone as well as an app that will scan your smartphone for malicious apps you may have unwittingly downloaded.  Check with your carrier as to what security software and apps are available to you on your particular smartphone.  Never click on a link in an email, text message or other communication unless you have absolutely verified that it is legitimate.  The risk of downloading malware is too great.  Protect your smartphone with a strong password, install security software and encryption software as well as anti-malware programs such as the app Lookout which has a feature that continually scans your smartphones for viruses and malware.

Scam of the day – October 9, 2014 – Latest security updates and patches for the Bash virus

October 9, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include important updates for the Bash virus and updates to Google and Google Chrome.  The Bash virus involved not just computer software, but router software and included in today’s updates are security patches for routers.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security:https://www.us-cert.gov/ncas/current-activity/2014/10/07/Google-Releases-Security-Updates-Chrome-and-Chrome-OS   and

https://www.us-cert.gov/ncas/current-activity/2014/10/07/Oracle-Patches-Bash-Vulnerabilities and

https://www.us-cert.gov/ncas/current-activity/2014/10/08/Cisco-Releases-Security-Advisory-ASA

Scam of the day – October 8, 2014 – Justice Department indicts members of international computer hacking gang

October 8, 2014 Posted by Steven Weisman, Esq.

Recently the U.S. Department of Justice indicted four members of an international computer hacking gang on charges of hacking into the computer networks of Microsoft Corporation, Epic Games, Inc., Valve Corporation, Zombie Studios and the U.S. Army and stealing more than a hundred million dollars worth of trade secrets and intellectual property.  The hacking involved software and data related to the Xbox One console, Xbox Live online gaming system, games, such as “Call of Duty:  Modern Warfare 3″ as well as software used to train military helicopter pilots for the U.S. Army.  Those indicted included three Americans, Nathan Leroux, Sandadoleh Nesheiwat and eighteen year old Austin Alcala.  Also indicted was David Pokora, a Canadian.  Additionally, an Australian citizen has been charged under Australian law in regard to the same criminal enterprise.  Two of the defendants have already pleaded guilty including David Pokora who thus becomes the first foreigner convicted of stealing trade secrets.

TIPS

Hacking into companies in order to obtain trade secrets has become commonplace.  According to a government report, more than 3,000 companies have been hacked by Chinese hackers.  FBI Director James Comey said recently on the television show 60 Minutes that there are two types of companies in the United States, those that have been hacked by the Chinese and those that just don’t realize that they have been hacked by the Chinese.  The government and business  have both got to a better job of protecting the security of data.   Legislation, regulation and training has got to be improved to meet a threat from government sponsored hacking as well as hacking by private criminals.

Scam of the day – October 7, 2014 – Latest security updates from Department of Homeland Security

October 7, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include a number of important security patches related to the Bash virus.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB14-279

Scam of the day – October 6, 2014 – Important Message from FBI Headquarters scam

October 6, 2014 Posted by Steven Weisman, Esq.

Obviously if you were to receive an important message from the FBI, you would take it seriously.  However, the FBI is not going to be sending you important messages by email and the FBI is not going to be notifying you about money you have won in a lottery.  However, a scam email is appearing around the country that appears to be come from FBI director James Comey.  In this email you are told that you have won ten million dollars and all that you need to do is to respond and provide information in order to collect your prize.  By the way, one of the agents mentioned in the email copied below is Bode Williams which is a name that has often occurred in various Nigerian email scams.  In all lottery scams, once you contact the person in charge, you will be told that you need to send in money for administrative fees or income taxes.  Don’t do it.  It is a scam.  The best thing to do is to ignore the email.  Here is a copy of the presently circulating email.  Although it does not show it here, the email does not come from the FBI, but rather from someone whose email address has been hijacked by a scammer and made a part of a botnet to send out these emails in massive numbers.

“This is to officially inform you that it has come to our notice and we have thoroughly completed an investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $10,000,000.00 USD. from a Lottery Company Inside the United States of America. During our investigation we discovered that your e-mail won the money from an Online Balloting System and we have authorized this winning to be paid to you via a Certified Cashier’s Check.

In order to proceed with this transaction, you will be required to contact the agent in-charge (Derek Roland) via e-mail. Kindly look below to find appropriate contact information:

CONTACT AGENT NAME: Bode Williams

James B. Comey
Director – FBI.”

TIPS

It is hard to win a lottery you have entered. It is impossible to win one that you never even entered.  Lottery scams are one of the most common and profitable scams done by scam artists.  No legitimate lottery requires you to pay administrative fees after you have won and no lottery collects income tax money for the IRS.  A legitimate lottery will either deduct your taxes from the prize before paying you or will, most often, provide you with the entire amount of the prize and it is your responsibility to pay the taxes to the IRS.  Also, never provide your personal information such as your Social Security number to anyone who tells you that you have won a lottery you did not enter.  They may tell you that they need this information to file with the IRS and legitimate lotteries do, but a scammer is only asking for you this information to make you a victim of identity theft.

Scam of the day – October 5, 2014 – More banks hacked by suspected hackers of J.P. Morgan Chase

October 4, 2014 Posted by Steven Weisman, Esq.

With news of the massive data breach at J.P. Morgan Chase in which names, addresses, phone numbers and email addresses of 76 million households and 7 million small businesses were stolen by what appears to be Russian hackers who may or may not be affiliated with the Russian government dominating the news, it seems perfectly appropriate to wish you a happy National Cybersecurity Awareness month.  As frightening as the spectre of a major American bank being vulnerable to vulnerable to such a massive data breach, you may remember that when the story broke last August of the possible data breach at J.P. Morgan Chase, reports were that there were as many as four other banks that had similarly been hacked.  Now, according to a report in the New York Times, that number is actually risen to nine other major financial institutions that may have suffered data breaches at the hands of the same hackers.  Therefore even if you are not a customer of J.P. Morgan Chase, you should be extra vigilant in regard to all of your financial accounts.

TIPS

Now is the time to implement a eight step approach to protecting yourself from identity theft and data breaches.  The first step is to change your password regularly, such as every six months.  A good password has a mixture of capital letters, small letters, symbols and digits.  Don’t use any word in the dictionary because hackers have computer programs that can guess your password. Instead use a phrase, such as IHate2UsePasswords!!.  This is a very secure password.  You should also have a separate and distinct password for each of your accounts, but you can merely adapt this basic password by adding a couple of distinguishing letters for each account.  For example, you could make this your Amazon password by adding the letters “Am” at the end of your basic password so it reads IHate2UsePasswords!!Am.  This is easy to remember.

You should also use dual factor authentication on your accounts when available.  Dual factor identification provides you with an extra level of security by which more than a password is necessary to gain access to your account.  Generally, when you log in through your password to an account a code is then sent to your smartphone which you then must input in order to access your account.

You also should change the answer to your security question to something completely nonsensical.  Answering a security question is required if you forget your password or if you want to change your password.  Unfortunately the answers to common security questions, such as your mother’s maiden name can be found with a little effort by an identity thief in the many places on the Internet that store personal information.  So instead of the answer to your mother’s maiden name being “Jones,” change it to “Grapefruit.”  No identity thief will find it or guess it and it is silly enough for you to remember.

Don’t click on links or download attachments in any email, text message or social media posting unless you have absolutely confirmed that it is legitimate.  Identity thieves and hackers lure people into clicking on links in such communications that results in the victims downloading keystroke logging malware that can steal all of the information from your computer.

Don’t provide personal information over the phone to anyone whom you have not called.  You can never be sure if the person calling you is legitimate regardless of how compelling the reason he or she gives for you to provide personal information.  Don’t rely on your Caller ID because through a technique called “spoofing” an identity thief can make it appear that his or her call is from the IRS, your bank or some other legitimate entity.  If you think the call may be legitimate, hang up and call the company or agency at a number that you know is real, not the number the caller gives you.

Review all of your accounts regularly and carefully to note the smallest charge that should not be there.  Sometimes identity thieves will put regular reoccurring charges on your credit card or phone bill in the hope that you will not bother to look further into it because the charge is so small.  The earlier you catch identity theft, the easier it is to deal with.

Check your credit report from each of the three major credit reporting agencies every year for evidence of fraud or even mistakes that need to be corrected.  Here is the link to the only official place to get your free credit report https://www.annualcreditreport.com/index.action

Put a credit freeze on your credit report so that even if an identity thief obtains your Social Security number, he or she cannot gain access to your credit report.  Yesterday’s Scam of the day contains the links to the credit reporting agencies to use to freeze your credit.

Scam of the day – October 4, 2014 – J.P. Morgan update and credit freeze information

October 4, 2014 Posted by Steven Weisman, Esq.

Last Thursday, in a required SEC filing,  J.P. Morgan Chase & Co. reported that the data breach, which we reported to you about when it was first discovered during the summer, was much larger than initially thought.  At the time, J.P. Morgan believed that only a million accounts were compromised, but now, J.P. Morgan is indicated that information on 76 million households and 7 million small businesses was stolen by hackers thought to be from Russia or another Eastern European country.  According to the SEC filing, J.P. Morgan says that the information stolen included names, addresses, phone numbers and email addresses.  At this time J.P. Morgan is saying that they are not aware of fraudulent activities tied to the data breach and that no account numbers, passwords, user IDs or Social Security numbers were stolen.  The data breach apparently began in June and went on until discovered in mid August, which is especially troubling because it provided time for the hackers to cover their tracks for what may have been their true goal.  The hackers did manage to gain access to the entire list of applications and programs used by J.P. Morgan Chase on its computers which could then be evaluated by the hackers for inevitable vulnerabilities that could be exploited at a later time.  Obviously J.P. Morgan is busy trying to protect against this threat.

TIPS

For customers of J.P. Morgan Chase, now is not the time to run and hide nor take your money out of the bank.  In fact, at the time that the FBI began its initial investigation of this data breach during the summer, it indicated that it was looking into possible data breaches of as many as four other banks as well.  It may well be that we are not yet aware of the breaches that occurred and may still be going on in other banks.  You can expect either the hackers, people who the hackers sell the information they gathered and even totally independent identity thieves to start contacting people through emails, text messages and phone calls purporting to be from J.P. Morgan Chase.  In these contacts, they will attempt to lure unsuspecting victims into providing personal information under various guises or clicking on links to obtain what may appear to be important information.  However, if you provide that personal information all you will do is end up a victim of identity thief.  If you click on the links in emails or text messages appearing to be from J.P. Morgan you may well end up downloading keystroke logging malware that will steal all of the information from your computer that will be used to make you a victim of identity theft.  Trust me, you can’t trust anyone.  Even if your Caller ID appears to show that the call you receive is form J. P. Morgan Chase, scammers are able to make their calls appear to be from J.P. Morgan Chase through a tactic called spoofing.  The best course of action if you receive any purported communication from the bank is to not respond directly, but instead contact the bank independently on your own to find out what the truth is.

This also may be a good time to consider putting a credit freeze on your credit report so that even if someone manages to obtain your Social Security number and other personal information, they will be unable to access your credit report and run up large debt in your name.  A separate credit freeze needs to be established at each of the three major credit reporting agencies to be effective.  Here are the links to the pages at Experian, TransUnion and Equifax where you can put a credit freeze on your report and get some peace of mind.

TransUnion http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

Equifax https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Experian https://www.experian.com/freeze/center.html