Scam of the day – February 28, 2014 – Important security patches for Mac users

February 28, 2014 Posted by Steven Weisman, Esq.

In my Scam of the day for February 23rd I warned you about the major security defect that had just been identified in programs operating iPhones, iPads and iPods that, if left unpatched, would permit identity thieves to steal all of the information they would need to make the iPhone, iPad or iPod user a victim of identity theft without the victim ever knowing he or she had been hacked. Fortunately, in the Scam of the day of February 23rd, I also provided you with a link to the security update you need to download to cure the problem. Hopefully, if you use any of these devices, you have already done so, but, if not, I urge you to do so now.

However, in my Scam of the day for February 23rd, I also told you that Apple’s OS X Mavericks software for Apple’s Macintosh computers was vulnerable to the same security defect and Apple had not yet come up with a security update to patch this problem. I am happy to tell you today that Apple has come up with a new security patch to cure this problem in its OS X Mavericks software used on its Macintosh computers. If you have a Macintosh computer and use this software, you should download and install the new patch as soon as possible.

TIPS

Here is a link to the new security patch for the OS X Mavericks software for you to download and install as soon as possible if you use a Macintosh: https://www.us-cert.gov/ncas/current-activity/2014/02/27/Apple-Releases-Security-Updates-OSX-Mavericks-v1092-and-Security

Identity thieves and hackers count on people not promptly taking the identity theft protection steps necessary to keep themselves safe.   Don’t be a victim.  If you use a Mac, install the patch as soon as possible.  It is also important to remember that the battle with hackers and identity thieves is ongoing.  At the same time that you are installing a security patch, hackers and identity thieves are busy studying the new patches trying to find flaws.  I will always report to you as soon as new developments occur, so make it a point to check out www.scamicide.com each day.

Scam of the day – February 27, 2014 – Another Nigerian letter that isn’t from Nigeria

February 27, 2014 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes right from my email and I am sure that it has appeared in the email boxes of many of you. Although it may appear that the Nigerian email scam began in the era of the Internet, the basis of the scam actually goes back to 1588 when it was known as the Spanish Prisoner Scam. In those days, a letter was sent to the victim purportedly from someone on behalf of a wealthy aristocrat who was imprisoned in Spain under a false name. The identity of the nobleman was not revealed for security reasons, but the victim was asked to provide money to obtain the release of the aristocrat, who, it was promised, would reward the money-contributing victim with great sums of money and, in some circumstances, the Spanish prisoner’s beautiful daughter in marriage.

Today’s scam of the day is yet another variation of what has come to be known as the Nigerian letter scam. In the various versions of this scam circulating on the Internet today, you are promised great sums of money if you assist a Nigerian in his effort to transfer money out of his country. Variations include the movement of embezzled funds by corrupt officials, a dying gentleman who wants to make charitable gifts or a minor bank official trying to move the money of deceased foreigners out of his bank without the government taking it. The example below of the email I received isn’t from Nigeria, but the scam is the same. Although generally you are told that you do not need to contribute anything financially to the endeavor, you soon learn that it is necessary for you to contribute continuing large amounts of money for various reasons, such as various fees, bribes, insurance or taxes, before you can get anything. Of course, the victim ends up contributing money to the scammer, but never receives anything in return.

Here is a copy of the email I recently received:

“Dear Friend,
i need your kind attention. I will be very glad if  you do assist me to relocate this sum of ( US$15.Million dollars.) to your bank account for the benefit of our both families.
only i cannot operate it alone without using a Foreigner who will stand as a beneficiary to the money, that is why i decided to contact you in a good manner to assist me and also to share the benefit together with me.
for the sharing of the fund 50/50 base on the fact that it is two man business note that you are not taking any risk because there will be a legal back up document as well which will back the money up into your bank account there in your country.
all i need from you now is to indicating your interest and I will send you the full details on how the business will be executed.
Thanks & Best Regards,
Dr Lahman”

TIPS

This is a simple scam to avoid. It preys upon people whose greed overcomes their good sense. The first thing you should ask yourself is why you would be singled out to be so lucky as to be asked to participate in this arrangement. Since there is no good answer to that question, you should merely hit delete and be happy that you avoided a scam. As with many such scams that originate outside of the United States, the punctuation and grammar are not very good.

Scam of the day – February 26, 2014 – Update on Internet Explorer flaw

February 26, 2014 Posted by Steven Weisman, Esq.

In the Scam of the day of February 18th I warned you about a serious, recently discovered flaw in Internet Explorer 10. It turns out that this flaw is also present in Internet Explorer 9. A full patch has still not been issued by Microsoft, the maker of Internet Explorer; however, Microsoft has issued a fix that will block the attacks although not patch the underlying problem. A link to the Microsoft fix can be found below. This flaw, unless remedied, allows hackers to completely take over the systems of hacked users. In addition, Adobe has also issued a new security update for its Adobe Flash Player, which is a program used by website developers that has flaws that can be exploited through Internet Explorer versions 9 and 10 that have not been fixed. The fix to Adobe Flash is also an incomplete fix. It is expected that a permanent patch will be provided by Adobe within the next few weeks.

TIPS

You should consider updating your Internet Explorer to IE 11, but if for whatever reason you must still use IE 9 or 10, make sure that you go to the following links to protect yourself, at least temporarily, from this serious security breach.

http://technet.microsoft.com/en-us/security/advisory/2934088

https://www.us-cert.gov/ncas/current-activity/2014/02/20/Security-Updates-Available-Adobe-Flash-Player

Scam of the day – February 25, 2014 – Aleksi Kolarov convicted of identity theft

February 25, 2014 Posted by Steven Weisman, Esq.

Although the name of Bulgarian Aleksi Kolarov is probably not familiar to you, it probably should be.  Last Friday, he was convicted of identity theft in federal court in New Jersey.  For years, Kolarov was one of the leaders and operators of the website Shadowcrew.com, a black market website where stolen credit cards, debit cards and bank account information were sold to the approximately 4,000 members of the criminal website.  It has been estimated that Shadowcrew was responsible for the theft of 1.5 million credit cards, debit cards and bank account numbers resulting in fraud losses totaling millions of dollars to the banks issuing the cards and where the accounts were located.  Sentencing is scheduled for May 28th.

TIPS

One of the best things to come out of this case was the international cooperation of law enforcement agencies that it took to bring Kolarov to justice. Too often today, particularly in Russia and China, law enforcement agencies do not cooperate with efforts to arrest international criminals such as Kolarov. Black market websites still are used to sell stolen credit cards and debit cards. The credit cards and debit cards stolen in the Target data breach have been available for criminals to purchase online since December. Now, as most of those credit and debit cards have been cancelled by the victims, the price of the cards involved in the data breach that remain unsold has dropped by more than 70% according to Brian Krebs of Krebs Security. If your credit card or debit card was compromised in the breach and you have still not cancelled the card, you should do so immediately.

Scam of the day – February 24, 2014 – University of Maryland data breach

February 24, 2014 Posted by Steven Weisman, Esq.

A few days ago the University of Maryland disclosed that personal information of more than 300,000 students, faculty and other university employees connected with the university since 1998 was stolen by computer hackers. In a statement disclosing the data theft, the university said that computer and data security was “a very high priority” for the university, which is hard to understand because of the lax security that led to the data theft. Included in the compromised data were names, Social Security numbers, birth dates and other information for all faculty, staff, students and university personnel issued a university identification since 1998. This information is a veritable treasure trove for hackers who, armed with this information, use it for purposes of identity theft. The University of Maryland is by no means alone when it comes to being hacked. Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Rhode Island, the University of Arizona, Marquette and more than 50 other colleges and universities have been the victims of data breaches in the last couple of years. The reason for targeting universities and colleges is simple. Generally they maintain tremendous amounts of personal information and their record for data security is not good. Colleges and universities have much personal information that is often easily accessible within the school’s computer systems. Too often schools have permitted the information to be on unencrypted laptops and flash drives. In addition, many schools do not have sufficient security programs in place to limit access to personal information, which the universities keep in their computers long after it is necessary to be kept, such as Social Security numbers for students who have long since graduated.

TIPS

The schools have got to start giving more than lip service to their commitment to data security. Data breach prevention systems should be implemented that include, but are not limited to, updated firewalls, limited access to personal information, purging of unnecessary information and encryption. Personal information should not be as open and available as it presently is at many universities. If you are someone who is a victim of the University of Maryland’s data breach, you should contact the University and accept its offer of a year’s free credit monitoring. You also should consider putting a credit freeze on your credit report because monitoring only tells you that you have become a victim of identity theft after the fact, whereas a credit freeze can protect you from becoming a victim in many instances. For information about credit freezes, click on the link on the right hand side of the page where it indicates, “credit freezes.”

Scam of the day – February 23, 2014 – Serious threat to Apple iPhones, iPads and iPods

February 23, 2014 Posted by Steven Weisman, Esq.

A major security defect has been discovered by Apple that, if exploited, would permit an identity thief to hack into the emails and other communications sent from iPhones, iPads and iPods even if they were encrypted. This is a potentially devastating flaw as users would believe that their communications were safe because they were using Secure Sockets Layer encryption security to protect their communications. However, hackers who might gain access through sharing the same wireless network in a public place, such as a coffee shop, could exploit this flaw to the extreme detriment of iPhone, iPad, or iPod users who falsely believed that they had taken proper precautions to protect the privacy of their communications and data. The good news, however, is that Apple has come up with a security patch which I provide you with below. The bad news is that some security experts are now saying that the flaw is also present in Mac OSX, running Apple laptop and desktop computers, and as I write this Scam of the day, Apple has not yet come up with a patch for the Mac OSX operating system.

TIPS

If you are an iPhone, iPad or iPod user you should immediately install the critical patch just released to remedy the situation.  Here is the link:  https://www.us-cert.gov/ncas/current-activity/2014/02/21/Apple-Releases-Security-Updates-iOS-devices-and-Apple-TV

Identity thieves and hackers count on people not promptly taking identity theft protection steps necessary to keep themselves safe.   Don’t be a victim.  If you use any of these devices, install the patches as soon as possible.  It is also important to remember that the battle with hackers and identity thieves is ongoing.  At the same time that you are installing a security patch, hackers and identity thieves are busy studying the new patches trying to find flaws.  I will always report to you as soon as new developments occur, so make it a point to check out www.scamicide.com each day.

Scam of the day – February 22, 2014 – The lesson of the massive South Korean data breach

February 22, 2014 Posted by Steven Weisman, Esq.

You may not have heard about the massive credit card data breach that recently was uncovered in South Korea, but it is definitely worth discussing regardless of what country you live in. Fully 40% of the entire South Korean population had their credit card numbers stolen. Ironically, the breach has been traced to a rogue employee at the Korea Credit Bureau, a company that provides risk management and fraud detection services. It is alleged that over a year and a half, the employee copied his company’s databases. Included in the information stolen were identification numbers, addresses and credit card numbers of some of Korea’s largest banks including KB Kookmin Bank, and Nonghyup Bank as well as Lotte Group, a large supermarket chain. What makes this story particularly intriguing, however, is that Korean financial services regulators are punishing these companies for failing to protect their customers’ data. The banks are now prohibited from issuing credit cards to new customers or making new loans until May as punishment for their lax security.

TIPS

This particular data breach illustrates that data breaches do not always have to be from outside hackers, but can be inside jobs where employees exploit their access to data to steal information that can be used for purposes of identity theft.   It is incumbent upon businesses and governments to provide protection against both inside threats and outside threats.  The technology and protocols to do this are available, yet too many companies and government agencies still neglect to take proper precautions.  Until they do, we the people will always be at risk of identity theft when others hold our personal information.  It is for this reason that you should vigilantly monitor all of your accounts regularly and consider having a credit freeze.  For more information about credit freezes, go to the section on credit freezes on the right hand side of this page or check out “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – February 21, 2014 – Telemarketing fraud is still with us

February 21, 2014 Posted by Steven Weisman, Esq.

Although it may seem like telemarketing fraud has been replaced as a source of scams and identity theft by computer-based fraud, according to the National Consumers League, more than 36% of all consumer complaints last year involved telemarketing scams and this figure is an 11% increase from 2012. The truth is that many times sophisticated computer programs are used in today’s telemarketing scams that enable the scammers to make their calls appear on Caller ID as if they are coming from a legitimate source, such as the IRS, through a technique called “spoofing” where your Caller ID is manipulated so that it does not show the real source of the call. Other times, computers are able to produce millions of illegal robocalls that trick victims into paying a scammer under many different pretenses. Phony robocalls are actually quite easy to distinguish from legitimate telemarketing calls. Robocalls are illegal in all instances, so if you get a robocall from Rachel from Card Services or anyone else, immediately hang up. It is a scam.

TIPS

It is important to remember that you can never be sure who is on the other end of a telephone call and if they are legitimate.  For this reason you should never provide personal information or send money in response to any telephone call.  If you do want to take the calls of a telemarketer, ask them to send you written material, which you can then investigate for legitimacy before making any payment.  You also may wish to be more proactive and sign up, if you have not already, for the National Do Not Call List.  Here is the link to go to sign up: https://www.donotcall.gov/

Scam of the day – February 20, 2014 – Health Data Breaches

February 20, 2014 Posted by Steven Weisman, Esq.

The security company Redspin, Inc. recently released its annual report on data breaches in the healthcare industry and the results were not good. In 2013 there were 199 major breaches of hospitals, health insurers and others in the healthcare field affecting more than 7 million patients. In addition, although it was just reported in February, St. Joseph Health System, a five-hospital delivery system in Bryan, Texas, was hacked in December of 2013, compromising personal data including the all-important Social Security numbers of 405,000 patients and employees. One of the most disturbing elements of the hacking of these health care providers is that in many cases the breach of security was the result of stolen laptops with unencrypted data. Astonishingly, federal law only requires health care providers to consider encrypting data when it should be mandatory.

TIPS

This is just another example of the fact that you are only as secure as the place with the weakest security that holds your personal data. Even if you are doing everything you possibly can to protect the security and the privacy of your personal data, you can still end up as a victim of identity theft due to the negligence and carelessness of people and institutions with which you do business. I urge you to limit, as much as possible, the personal information you provide to businesses and agencies and, when you must provide personal information, don’t do so until you have inquired as to the security practices of the company or agency.

Scam of the day – February 19, 2014 – Syrian Electronic Army hacks Forbes.com

February 19, 2014 Posted by Steven Weisman, Esq.

The Syrian Electronic Army (SEA), about whom I have reported to you many times (you can go to the archives of Scamicide to see these stories), has struck again. This time its victim is Forbes.com, the website of Forbes Magazine. For those of you unfamiliar with the Syrian Electronic Army, it is a group of hackers sympathetic to Syrian President Bashar al-Assad. Forbes was targeted by the SEA because of what it called Forbes’ hatred for Syria. Along with planting a false story on the Forbes website, the SEA also stole user names and email addresses of Forbes.com customers, raising the possibility of “spear phishing” attacks against Forbes.com’s customers. The SEA has threatened to make the information available on the Internet to identity thieves. Identity thieves who send phishing emails and texts often do so in large numbers without knowing the names of the people to whom the phony messages corrupted with keystroke logging malware are sent. However, in spear phishing the identity thief knows the name of the intended victim and can make the communication look more legitimate by containing the victim’s name. In addition, the spear phishing text or email can be made to look as if it comes from Forbes.com or some other entity that is trusted and used by the victim, which also can lead the victim to be less skeptical of the message and make the victim more likely to click on links in the message or download attachments to the message corrupted with malware.

TIPS

Again, the lesson is that you are only as secure as the places with the weakest security that hold your personal information. If you are a subscriber to Forbes.com, you should change your password. If you use the same password elsewhere, change it too. For convenience many people make the mistake of using the same password for all of their accounts, which means that when your password is stolen from one place, all of your accounts using that password are in jeopardy. This is a good lesson for all of us regardless of whether or not you were a victim in this particular data breach. This hacking once again raises the question as to why major corporate websites, such as the many who have been hacked by the SEA, are not doing more to keep their computers secure. Finally, as I always remind you, never click on links in emails or text messages or download attachments unless you are absolutely sure that they are legitimate and have confirmed this to be so.