Scam of the day – March 20, 2017 – Hacker uses SQL attack to steal data from colleges and government agencies

According to security company Recorded Future, a notorious Russian hacker known as Rasputin used a SQL injection attack to hack into the data of sixty-three targets that included prominent colleges in the United States and the UK as well as state and federal government agencies.    The various targets were chosen because of their storage of personal information that could be sold on the Dark Web where cybercriminals buy and sell such data to be exploited for purposes of identity theft.

Among the colleges suffering a data breach were Purdue University and Cornell University.  Among the government agencies hacked was the Department of Housing and Urban Development (HUD).  Among the city government computers hacked were Pittsburgh, Pennsylvania and Springfield, Massachusetts.

Structure Query Language (SQL) is a computer language widely used in data bases.  In a SQL injection, a web app vulnerability is exploited in order to give the hacker access to all of the stored data.  A SQL injection can result in not only data being stolen, but also change or delete data as well.  The entrance point for a SQL injection is generally in login forms, sign up forms or other forms where visitors to a website can input information.

TIPS

SQL injection attacks are quite common, but they can be defended against through proper security practices including constantly updating servers, applications and services with the latest security updates.  As for consumers, the best we can do is limit, as much as possible, the information we provide various websites with which we do business recognizing that we are only as safe as the places with which we do business with the weakest security.

Scam of the day – March 19, 2017 – Publishers Clearing House lottery scam

It is hard to win any lottery. It is impossible to win one that you have not even entered and yet scam artists, the only criminals we refer to as artists have found that it is extremely lucrative to scam people by convincing them that they have won various lotteries. Most lottery scams involve the victim being told that they need to pay taxes or administrative fees directly to the lottery sponsor; however no legitimate lottery requires you to do so.

As with many effective scams, the pitch of the scammer seems legitimate. Income taxes are due on lottery winnings, but with legitimate lotteries they are either deducted from the lottery winnings before you receive your prize or you are responsible for paying the taxes directly to the IRS. No legitimate lottery collects taxes on behalf of the IRS from lottery winners.  Other times, the scammer tell the “winners” that in order to collect their prizes, they need to pay administrative fees. Often, the victims are told to send the fees back to the scammer by prepaid gift cards or Green Dot MoneyPak cards. Prepaid cards are a favorite of scammers because they are the equivalent of sending cash. They are impossible to stop or trace. Again, no legitimate lottery requires you to pay administrative fees in order to claim your prize.

Everyone is familiar with the Publishers Clearing House sweepstakes from television commercials where the winners are shown being surprised by the delivery of their giant check. Publishers Clearing House is a real company that operates a legitimate lottery that many people enter which is one reason that scammers pose as representatives of Publishers Clearing House.   Scammers often take advantage of the fact that people are so familiar with the Publishers Clearing House sweepstakes to pose as being representatives of the Publishers Clearing House to scam people out of their money.  Reports are circulating around the country of this presently occurring.  One potential victim in Alabama was contacted by phone, told that she had won the sweepstakes, but had to pay $90,000 in taxes in order to claim her prize.

TIPS
Fortunately, there is an easy way to know when you are contacted by Publishers Clearing House by phone, email or text message informing you that you have won one of its multi-million dollar prizes whether you have been contacted by the real Publishers Clearing House.   Publishers Clearing House only contacts major prize winners in person or by certified or express mail. They do not contact such winners by phone, email or text message so if you do receive a notification of your winning one of their multi-million dollar prizes in this fashion you know it is a scam.   In addition, no winners of the Publishers Clearinghouse sweepstakes are ever required to make a payment of any kind to claim their prize.  As for other lotteries, remember, you can’t win a lottery you haven’t entered and no legitimate lottery asks you to pay them administrative fees or taxes.

Scam of the day – March 18, 2017 – Adobe Flash security patch

Adobe has just issued a new critical update  for its popular Adobe Flash software.  I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.  According to security company, Symantec in 2015 80% of the newly discovered software vulnerabilities which can be exploited by malware created by cybercriminals involved Adobe Flash.

It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function, but is safer.    Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic if I can mix my metaphors.

Microsoft now blocks Adobe Flash by default in its Edge browser due to security concerns.  Microsoft also blocks outdated versions of Adobe Flash from running in Internet Explorer on Windows 7.  If you use Windows 8.1, Windows 10 or Windows Server 2012R2, this will not affect you because these systems automatically install Adobe Flash security patches.  In addition, to Microsoft both Google, Apple and Mozilla have  indicated that are blocking Adobe Flash.

TIPS

Here is a link to the latest Adobe Flash updates:

https://www.us-cert.gov/ncas/current-activity/2017/03/14/Adobe-Releases-Security-Updates

However, it may well be time for you to replace Adobe Flash to avoid problems.

Some alternative plugins you may wish to consider to replace Adobe Flash include  GNU Gnash, and Silverlight.  Silverlight can be downloaded free directly from the Microsoft at this link: https://www.microsoft.com/silverlight/

while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Scam of the day – March 17, 2017 – Four people indicted for massive Yahoo data breach

On Wednesday, the Justice Department unsealed an indictment of two Russian intelligence officers and two hackers, one Russian and the other from Kazakhstan, who, the indictment alleges were responsible for the 2014 massive data breach of Yahoo in which tremendous amounts of personal data was stolen.  The indictment was originally filed on February 28th, but was only unsealed two days ago.  The intelligence officers used the information to spy on specific targeted companies and individuals for political purposes while the hackers were permitted to use the data for a wide range of profit producing scams including credit card fraud and spamming operations.  The indictment even details how the hackers diverted Yahoo users looking for erectile dysfunction drugs to a particular pharmacy chosen by the hackers.

This indictment confirms what many of us have long known, which is that the Russian government’s cyberintelligence and cyberwarfare operations are done through a joint venture between criminal hackers with tremendous computer skills and conventional Russian intelligence officers.  Under the terms of this joint venture, the hackers working with the government are permitted to perform their own cybercriminal acts without fear of government interference so long as they do not attack Russian targets.  This is quite different from what is generally found in other centers of cybercriminal activity such as North Korea and China where the hackers are state workers.

Here is a link to a copy of the indictment:

https://www.justice.gov/opa/press-release/file/948201/download

TIPS

Whether the cybercriminals trying to attack you are state sponsored or not, the threat is still the same and the defensive measures you must take are no different.  Cybersecurity requires constant diligence along with the recognition that you are only as safe as the places that have your information with the weakest security.  Limit the amount of personal information you provide to anyone with which you do business.   It is also important to use and constantly update security software on all of your devices as well as avoid clicking on links or downloading attachments unless you are absolutely sure that they are legitimate.  These are some of the basic steps we all should take to make ourselves safer in cyberspace.

 

Scam of the day – March 16, 2017 – IRS temporarily removes FAFSA-Autofill tool

If you are a college student, a parent of a college student or a parent of a high school student considering attending college, you are familiar with the online FAFSA form.  FAFSA stands for Free Application for Federal Student Aid and it is a form used by the U.S. Department of Education’s office of Federal Student Aid to determine eligibility for billions of dollars of federal grants, loans and work-study funds for college students.

The FAFSA form can be completed online and until recently contained an Autofill tool that enabled someone filling in the form to have specific financial information from their previous income tax returns automatically retrieved by the IRS and entered in the form thereby making the application process simpler and easier.  However, the IRS is now suspending the data retrieval feature on the FAFSA form due to concern about security and potential identity theft.  The IRS is estimating that it may take several weeks to remedy the problem.  Until then, anyone filling in a FAFSA form will need their previous income tax returns in order to insert the information required to complete the form.

TIPS

Anyone filling in a FAFSA form at this time will need to get the income tax information necessary to complete the form from hard copies of their income tax returns or from the software used to complete their income tax returns.  If an applicant has neither a hard copy nor a digital record of his or her income tax returns, he or she can obtain a transcript of past federal income tax returns from from the IRS.  Here is a link to information about how to obtain copies of past tax returns from the IRS.

https://www.irs.gov/uac/newsroom/how-do-i-get-my-tax-transcript

Everyone should keep copies of past income tax returns, but you should not store them on the hard drive of your computer because storing them on your computer makes you susceptible to identity theft in the event that your computer is hacked.  Rather you should store this data either in the cloud or on a portable hard drive.

Scam of the day – March 15, 2017 – Arrests made in Craigslist apartment rental scam

Police in Linden, New Jersey have arrested Allan Betancourt and Myra Sullivan on charges related to a scam in which they are accused of listing apartments they did not own for rent on Craigslist and swindling victims out of thousands of dollars of security deposits and upfront rental payments.

Craigslist is a popular place to go for people looking for a home or apartment to rent.  It is also a popular place for scammers to place phony ads to cheat unsuspecting victims.  Last year, New York University’s School of Engineering did a study entitled Understanding Craigslist Rental Scams in which they analyzed more than two million home and apartment rental ads for twenty cities and found that 29,000 of the ads were most likely scams.

The most common scam involved an ad for rental housing that required the person responding to the ad to obtain their credit score by clicking on a link in the email by which the scammer replied when the victim responded to the advertisement.  Under affiliate programs with companies that provide credit scores, the scammers would get up to $18 for every referral.  The victim ends up paying for a credit score he or she doesn’t need.

Other scammers place phony listings and trick people into wiring money as a security deposit or first month’s rent before the victim finds out that the scammer does not own the home.  It is a simple matter for a scammer to copy and paste a legitimate real estate advertisement or listing into the scammer’s Craigslist ad, often indicating a temptingly low rent. Unfortunately, once the victim finds out that the scammer never owned the property and the ad was a scam, it is too late to get his or her money back.

TIPS

The vast majority of the listings on Craigslist are legitimate, but you only have to be cheated once to feel the pain.  When the rent looks too good to be true, you should immediately be skeptical.  When the landlord is out of the country and wants you to wire money, you should be even more skeptical and if by out of the country we mean Nigeria, you should really be skeptical.  Scammers prefer people to wire money because unlike a check or a credit card payment, it is almost impossible to stop payment or get the money back.

If you are considering responding to a rental housing advertisement on Craigslist, confirm that the person who says he or she is the owner by going to the tax assessors listings which are available online.  If the names don’t match, that is a recipe for disaster.  Also, go on line and see if you can find a duplicate listing for the home advertised on Craigslist.

Here is a link to the NYU study http://engineering.nyu.edu/files/McCoycraigslist.pdf

Scam of the day – March 14, 2017 – Email phishing scam

As I have mentioned many times before, email phishing scams start when you receive an email that purports to be sent from your email server informing you that there is some problem with your account which requires you to click on a link in order to remedy the problem.  Many times the email purports to come from your specific provider; sometimes from a provider you do not even use.   Today’s phishing email scam, however, is generic in that it doesn’t even indicate the name of your email server.

Here is a copy of an email that is presently finding its way into many people’s email boxes.  This is a phishing scam.  DO NOT CLICK ON THE LINK.  Clicking on the link will result in either your downloading a keystroke logging malware program that will steal all of the information from your computer such as your Social Security number, credit card numbers and banking information that will then be used to make you a victim of identity theft or when you click on the link you will be prompted to provide personal information that will also be used to make you a victim of identity theft.

“Your mailbox has exceeded the storage limit 1 GB, which is defined by the administrator, you are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
To renew the mailbox,

Click Here
WARNING! Protect your privacy. Logout when you are done and completely exit your browser.”

Some phishing emails are better than others and this one was not very convincing.  The email address from which it was sent was not from an email provider.  Instead, the address of someone whose email had been hacked and made a part of a botnet of computers used by identity thieves to send out their phishing emails was used  In addition, this email is not directed to you by name.    As with many of these scams that often originate in foreign countries where English is a second language, the grammar is suspect as where in the email commas are used improperly.

TIPS

The most important thing to remember is to never click on links in emails or download attachments unless you are absolutely sure that they are legitimate.  In this particular case, it is easy to see that it is a scam.  Additionally, you should make sure that your anti-malware and anti-virus software are installed and up to date with the latest security updates while remembering that you cannot totally rely on your security software to protect you because it generally takes about thirty days from the discovery of new malware for the security software companies to come up with new patches and updates.

Scam of the day – March 13, 2017 – Reshipping scam warning

Pennsylvania State Police are warning people about reshipping scams, however these scams are found everywhere.  Reshipping scams sound appealing.  You get to work at home and all you have to do is receive goods your new employer sends you, which are often electronics, inspect them and reship them to an address provided to you by your new employer.  The problem is that these goods have been purchased with stolen credit cards and you have just become an accomplice to the crime when you ship them to someone else who will then sell them to turn the merchandise into cash.  The term scammers use to describe the people doing the reshipping is a “mule” and it can get you into a lot of trouble.  It makes you an accomplice to the crime and participating in money laundering.   The companies offering this type of work may seem legitimate, but they are not.   Often the advertisements for these work at home scams appear in legitimate media that have not properly checked out the legitimacy of the advertisements they run so you can’t rely on the fact that the advertisement  appears in a trusted media source.

TIPS

As always, if it sounds too good to be true, it usually is.  Check out any work at home scams with the big three – your local attorney general, the Better Business Bureau and the FTC.  And as always, you can Google the name of the particular company offering you the work at home program with the word “scam” next to it and see what turns up.  You also can use Google Earth to look into the physical address of the potential employer to see if it matches what the advertisement and communications with this employer indicate.  As for reshipping scams, they are always a scam and you should steer clear of them.

Scam of the day – March 12, 2017 – Massive credit card identity theft fraud ring busted

Earlier this week law enforcement officials in Queens, New York arrested thirty people accused of operating a credit card identity theft fraud ring in which they are accused of using the fraudulent credit cards to purchase more than 3.5 million dollars of costly electronics and fashion merchandise that would then be sold and turned into cash.  The indictments name Muhammad Rana and Inderjeet Singh as the kingpins of the scam.

The  primary manner by which they are accused of accomplishing the fraud was through identity theft of personal information of their victims that was then used to set up new credit card accounts.  Particularly in the last year since the implementation of EMV chip credit cards, new account fraud, as indicated by research company Javelin in its 2016 Identity Fraud study, has increased 113% over the previous year.

In this case, the Queens District Attorney is alleging that the criminals obtained the personal information of their victims necessary to establish new accounts  such as their names, dates of birth, current and past addresses, Social Security numbers, bank account information and credit information from one of their co-conspirators who worked at a car dealership where he had access to this information provided by potential car buyers.

TIPS

You are only as secure as the places that have your personal information with the weakest security.  Whenever you provide personal information to any entity, you should inquire as to who has access to this information, how it is stored, how it is protected and the policy for deleting such information when it is no longer needed.

In addition, you should regularly monitor your credit reports to identify incidents of identity theft as early as possible.

March 11, 2017 – Steve Weisman’s latest column for USA Today

Mystery shopper scams continue to victimize many people.  Here is a link to my latest column for USA Today in which I describe how these scams operate and how to protect yourself from this scam.

http://www.usatoday.com/story/money/columnist/2017/03/11/beware-mystery-shopper-scam/98903708/