Scam of the day – August 12, 2016 – Important Microsoft security patches and updates

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.

Microsoft recently issued a large number of security patches necessary to fix critical vulnerabilities in software such as Internet Explorer, Edge and Office.  The updates that patch these particular vulnerabilities will protect users from being hacked when they merely visit a tainted website.  Others of the patches fix problems with how Windows, Office and Skype handle specific types of fonts, problems that hackers could exploit to take control of the victim’s computer if the victim views files with certain fonts or visits a malicious website.

TIPS

Here is the link to the recent Microsoft security updates: https://www.us-cert.gov/ncas/current-activity/2016/08/09/Microsoft-Releases-August-2016-Security-Bulletin

Scam of the day – August 10, 2016 – Apple now paying bounties to white hat hackers

I have reported to you many times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense, which offers a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks.  Private companies such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal black hat hackers, who identified vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000; however, Google has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.  Google has paid out more than six million dollars in bug bounties since the program was started in 2010.

Now Apple, which had long resisted paying bounties to people finding the worms in their Apples, recently announced that it will pay $25,000 to people who find vulnerabilities in its digital compartments and into its customers’ data, $50,000 for identifying bugs enabling hackers to gain access into iCloud data and a whopping $100,000 to anyone who finds vulnerabilities in Apple’s firmware.

TIPS

Bug bounties are a positive strategy for businesses and government to enhance cybersecurity.  Not long ago Facebook paid a bounty to a ten-year-old Finnish boy.  Although the ten-year-old white hat hacker used his talents for good, the fact that a ten-year-old boy has the technological sophistication to identify and exploit vulnerabilities in commonly used software programs must give us all a bit of concern.  As for us as individuals, the best things we can do to protect our own cybersecurity are to keep our anti-virus and anti-malware software up to date on all of our electronic devices and to refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – August 9, 2016 – 900 million Android smartphones at risk of hacking

Researchers from security company Check Point just announced at the recent DEF CON 24 hacking convention that they had discovered a group of four vulnerabilities affecting all Android devices using Qualcomm chipsets.  The group of four vulnerabilities is being called QuadRooter.  A hacker can take control of an affected smartphone and gain access to all data found on the smartphone by exploiting any one of the four vulnerabilities.  The long list of smartphones affected by these vulnerabilities includes the Samsung Galaxy S7, Samsung Galaxy S7 Edge, Google Nexus 5X, Nexus 6, Nexus 6P and many more.  The vulnerabilities are exploited through the downloading of a malicious app.  This is a serious problem, although Google is saying it has patched three of the four problems in its August security updates.

TIPS

The first thing to do if you have a smartphone that uses the Android operating system is to use the free QuadRooter scanner app, which can be found on Google Play, in order to find out if your smartphone is affected.  Here is a link to the app: https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter

Also, whenever a security update for your smartphone becomes available, make sure you download it immediately.  Because so much smartphone hacking comes, as in this instance, from malicious apps, only download apps from legitimate sources, such as Google Play.  Also, always read the permission requests before downloading any app and be on the lookout for permissions that appear to be unusual or unnecessary.

Scam of the day – August 8, 2016 – Yet another Facebook scam

During the years that I have been writing Scamicide I have written many times about various Facebook scams.  The reason for this is that with more than a billion users, Facebook is obviously popular and anything popular with that many people will be sought after as a vehicle for scammers to scam people.  Recently, I wrote about the dangers of Facebook cloning when a new Facebook account is set up using your name and information in an effort to lure people into trusting messages and links that will appear to be sent by you.  But Facebook accounts are relatively easy to hack as well with the same goal of using your name to lure someone who trusts you into becoming a victim of a scam.

I urge Scamicide readers to contact me with scams they encounter so we can share these with everyone.  Recently I was contacted by Erica Kenney who was Facebook chatting with someone that she thought was her aunt after her aunt contacted her on Facebook to wish Erica a happy birthday.  The conversation evolved into Erica’s “aunt” informing  Erica that she had just won $100,00 from the Hugh Trust Foundation and that she saw Erica’s name on the list of winners too. All Erica had to do was contact the people her aunt referred her to in order to get her prize.  Of course, if Erica had followed up on the scam, she would have either clicked on a link and downloaded keystroke logging malware that would steal her personal information from her computer and use it to make her a victim of identity theft or be tricked into providing personal information directly when she went to the website to claim her prize.  Once again, there would be no prize except the booby prize of having your identity stolen due to providing the information to the scammer.

Fortunately, Erica was too smart to fall for this scam.

TIPS

A strong password and security question can help increase your security on Facebook.  Unfortunately, however, a very simple flaw in Facebook procedures allows a hacker who is unable to answer your security question to get access to your account and change your password merely by providing three “friends” with Facebook accounts to whom Facebook will send security codes.  The hacker, of course, has already set up Facebook accounts for three phony “friends” to whom Facebook will send the security codes, which can then be used to hack your account.  Other times, the personal information that is readily available about people online is sufficient to answer the security question.  Regardless of how the account is hacked into, the result can bring an increased risk of identity theft to your real friends, who may trust a message from you that contains a link with dangerous keystroke logging malware.  That malware can result in your real friend’s computer being infiltrated and all of the information on it, such as Social Security number, account passwords and credit card numbers, being stolen and used for identity theft.

Be careful what personal information you put on Facebook.  Always consider how that information can be used against you to make you a victim of identity theft.  When setting up a security question, pick an answer that is nonsensical to protect it from hackers, such as “Where did I go to High School?” with an answer of “blue.”  Finally and most importantly, never, and  I mean never, click on links in messages that you receive unless you are absolutely sure that they are legitimate.  Merely because a message appears to be from a friend does not mean that the friend actually sent it.  His or her account may have been hacked or they may even be passing on tainted material without knowing it.  Never click on a link until you are absolutely sure that it is legitimate.  Call your friend to confirm that the message was from them and confirm from where they got the link they are sending to make sure that it is legitimate.  It may seem paranoid, but even paranoids have enemies.

 

Scam of the day – August 7, 2016 – Copy machines pose identity theft risk

We all use copy machines to copy all manner of documents containing sensitive personal information, such as income tax returns.  However, many people don’t take the time to think about the fact that today’s copy machines generally contain computers and are a part of the Internet of Things whereby data can be transmitted by them and, of course, anything that can store and transmit data can be hacked.  Since 2002 most copy machines have contained hard drives that store the images of everything that is copied.  Enterprising identity thieves buy used copiers, often those returned after being leased for a period of time, to steal the information contained in the copy machine’s hard drive and use it for identity theft.

In 2010, the Affinity Health Plan lost sensitive personal data on 344,579 people when copy machines with unerased data were returned to the leasing agent following the completion of the leases on the copy machines.  In this case, the information lost included pay stubs and Social Security numbers.

Newer copy machines can encrypt the data on their hard drives or erase the data.  However, some purchasers or leasers of copy machines neglect to pay the extra cost for those services, leaving the people whose data is copied into the machine in greater potential jeopardy of identity theft.

TIPS

If you are using a copy machine at a copy center to copy sensitive documents, make sure that the copy center encrypts the data it stores.  You should also make sure that copy machines you may use at work to copy documents with sensitive personal information also encrypt the stored data and that the hard drive is removed when the copy machine is returned at the end of a lease or replaced by a new copy machine.  Most home copiers that generate fewer than 20 pages per minute do not have a hard drive and do not pose the same problem of identity theft.

Scam of the day – August 6, 2016 – A free way to stop robocalls

Automated robocalls, such as those which we have all received from “Rachel from card services” that try to induce us to get a new credit card or any other service, are a scam that has been with us for many years and, despite the best efforts of the Federal Trade Commission, is still victimizing many people.  The calls sound legitimate and if you are not sufficiently skeptical, you can end up having your identity stolen or being scammed out of money for a worthless product being sold.  It is easy to identify a robocall that is a scam.  If you get a robocall, it is a scam.  Commercial robocalls are illegal.  In 2013 I reported to you about how the FTC, in an effort to combat robocalls, held a contest with a $50,000 prize to the person who came up with the best solution to stop robocalls.  The winners that year were Aaron Foss and Serdar Danis, who split the prize.  Their solution involved software that will filter out calls being placed by a computer or someone identified as an unwanted caller.  When you use the software, if a robocall comes in, it rings once on your phone and then your phone automatically hangs up on the call.  So all you have to do is let the phone ring and if it stops after one ring, it was a robocall.

TIPS

The software developed by Foss and Danis is now available to anyone for free for your landline and for $4.99 per month for both your landline and mobile phone.  The company providing the service is Nomorobo and you can sign up for the service at https://www.nomorobo.com/

Long time Scamicide reader Marty Kenney recently reminded me about Nomorobo.  He has used it for a long time successfully.

Scam of the day – August 5, 2016 – Amazon phishing scam

Using Amazon as a hook for a phishing scam is not surprising since so many people shop through Amazon.  Reproduced below is an Amazon themed email phishing scam that is presently circulating.  DO NOT CLICK ON THE LINK.  As with so many phishing scams, this one appears legitimate as it lures you into clicking on a link in order to provide information purportedly to process your refund. However, the real purpose of the phony email is to persuade you to either provide information that will be used to make you a victim of identity theft or to click on the link which can download keystroke logging malware that will lead to your becoming a victim of identity theft or to download ransomware that will encrypt all of the data on your computer which the hacker will threaten to destroy if you do not pay a ransom.

TIPS

There are a number of indications that phishing emails, such as this, are not legitimate.  Sometimes the address from which it is sent has nothing to do with the company, which is an indication that the email was sent through a botnet of computers hacked into for the purposes of sending out large numbers of such phishing emails while hiding the real source of the email.  However, even if the address of the sender looks correct, it still can be a phishing email.  Grammar and spelling also apparently are not great strengths of many scammers.  Often such messages will contain errors such as, in this one, the misspelling of the word “system” as “sytem.”  In any event, even if you think when you get such an email that it might be legitimate, the risk of identity theft or ransomware is too great to trust it.  Instead, call the company at a telephone number that you know is accurate to confirm whether or not the email is legitimate.  Finally, make sure that you have up to date security software on all of your devices, recognizing, however, that such security software will not protect you from the latest strains of malware.

Scam of the day – August 4, 2016 – Olympic scams

Tomorrow brings the much anticipated opening ceremonies of the 2016 Rio Olympic Games and scammers will be taking advantage of the public’s interest in the event to lure them into scams.  As the Games get underway many people will be receiving emails and text messages purporting to contain updates, photos and videos of Olympic events.  Unfortunately, if you click on the links or download the attachments in these emails, you will end up downloading keystroke logging malware that will steal your personal information from your computer, laptop, tablet or smartphone and use that information to make you a victim of identity theft.   You also run the risk this year of downloading ransomware that will encrypt all of the data on your computer and threaten to destroy it if you do not pay a ransom.

Also, if you are shopping for Olympic merchandise, you should be wary of the large amount of counterfeit and poor value fake Olympic merchandise that is being sold on the Internet.

TIPS

As I have warned you many times, never click on a link or download an attachment unless you are absolutely sure that it is legitimate.  In regard to Olympic email or text message updates you are better off not downloading or clicking on links in any emails or text messages you may receive even if they appear to be from a legitimate source because the URL may appear to be legitimate, but it may merely be “spoofed” or copied from a legitimate site so it appears legitimate, but in truth is not.  You are better off going directly on your own to sources such as www.espn.com that you know are legitimate.  Also, make sure that your anti-malware and anti-virus software is installed and up to date on all of your electronic devices.  Also, be wary of links sent to you through social media such as Facebook even if they look legitimate because it is easy to hack someone’s social media accounts to send out malware that unwary victims click on.

In regard to purchasing official Olympic merchandise, go directly to the official Olympic website of https://www.olympic.org/rio-2016.  If you want Team USA merchandise, go to the official Team USA website of http://www.teamusa.org/road-to-rio-2016.  Both of these websites are safe and secure places to purchase official Olympic merchandise and apparel.

Scam of the day – August 3, 2016 – Police charity scams

The recent fatal shootings of five Dallas police officers have brought out the compassion and best charitable instincts of people around the country.  Unfortunately, they have also brought out scammers who have set up phony charities seeking to take advantage of people wanting to help the families of the fallen officers.  Texas Attorney General Ken Paxton is warning people about these scams, which come through text messages, emails, websites and telephone calls.  In every instance, whenever you are contacted directly by someone soliciting for a particular charity, you not only do not know whether the charity is a scam, you also don’t know how much of your contribution to a “legitimate” charity goes to the charitable work of the charity and how much goes to the salaries of the charity’s management.

TIPS

In regard to people wanting to help the families of the five Dallas police officers killed recently, the Dallas Police Department is suggesting that people make their contributions to the Assist the Officer Foundation ( http://atodallas.org/?utm_content=&utm_medium=email&utm_name=&utm_source=govdelivery&utm_term= ), the Dallas Fallen Officer Foundation ( http://www.dallasfof.org/?utm_content=&utm_medium=email&utm_name=&utm_source=govdelivery&utm_term= ) or the Dallas Foundation ( https://lineofdutyfund.kimbia.com/lineofduty ).

In general, before you give to any charity, it is a good idea to check out the charity with www.charitynavigator.org where you can find out whether or not the charity is a scam as well as how much of what it collects actually goes toward its charitable work and how much goes to pay for salaries and fund raising.