Scam of the day – July 2, 2014 – Russian hackers attack energy companies

July 2, 2014 Posted by Steven Weisman, Esq.

Cybersecurity security company, Symantec has uncovered a vast hacking of hundreds of oil and gas companies in the United States, Spain, France, Italy, Germany, Turkey and Poland.  The hacking appears to be the work of a group of Russian hackers referred to by Symantec as “Dragonfly.”  Although such industrial espionage has been common for the last few years, it has become much more concentrated in the last six months.  According to Symantec, the purpose of the hacking into the computers of these companies is not to destroy oil rigs, power generators or other infrastructure, but rather more to steal information about the operation of the victims’ companies, their technology and their trade secrets.  The manner in which the malware has been implanted by the hackers is particularly interesting as it is indicative of a newer trend in such hackings.  Similar to the hacking of Target, where Target was not hacked directly, but a third party vendor of Target’s with less computer security was hacked and then the access of the third party vendor to Target’s computers was used to infiltrate Target’s computer systems and download malware, so in this case Dragonfly initially hacked into the computer systems of a number of industrial control software developers whose programs were used by the targeted energy companies.  By inserting the malware into the programs of the software developers, the malware was, in turn, passed on to the targeted energy companies when they downloaded the infected software from these vendors with whom they did business.  Another way that malware has been passed on to energy companies in recent years has been through what is called “watering hole attacks” by which the hackers infect a website frequented by the intended target such that when the intended victims visit the infected website, which may be a restaurant from which employees of the targeted company wish to order take-out food, they unwittingly download the malware into their companies’ computers.

TIPS

Corporations around the world have got to to a better job of protecting their computers.  In addition to the risk to these companies of having their information stolen and harming them in the competitive marketplace, the real risk of sabotage exists as well.  Cyberterrorism aimed at crucial infrastructure such as utilities is a very real risk throughout the world.  As for the rest of us, as individuals, we can also fall victim to the same kind of hacking which may be used by hackers primarily interested in identity theft.  The best protection for us as individuals is to make sure that your computer’s anti-malware and anti-virus software is up to date at all times.  If you are particularly prudent, you may wish to restrict your financial information storage and financial transactions to a separate computer in your home so that if you do end up having the latest malware unwittingly installed on a computer that you use for other purposes, you will not run the risk of having your important personal information stolen.

Scam of the day – July 1, 2014 – Income tax identity theft update

June 30, 2014 Posted by Steven Weisman, Esq.

Income tax identity theft is a huge problem and it is only getting worse.  Income tax identity theft occurs when an identity thief files a phony income tax return using the Social Security number of his or her victim.  The phony income tax return includes a counterfeit w-2 which results in a large, undeserved refund check being sent to the identity thief.  Meanwhile, the real taxpayer is delayed in obtaining their legitimate refund while the IRS slowly investigates the crime.    According to the Treasury Inspector General for Tax Administration it takes almost a year for the IRS to resolve individual claims of legitimate taxpayers.  According to the GAO in 2008 there were 47,730 recorded incidents of income tax identity theft, but that number grew to 641,690 incidents in 2012 and shows no indication of slowing down.  Florida Senator Marco Rubio has repeatedly contacted the IRS for information as to what the IRS is doing about this problem.  Income tax identity theft, particularly affecting senior citizens occurs more in Florida than in any other state.  The IRS has been slow to respond to Senator Rubio in his inquiries over the past year who is continuing to press the IRS for answers.

TIPS

Along with protecting the privacy of your Social Security number, the best thing you can do to protect yourself from income tax identity theft is to file your income tax return early.  Income tax identity thieves file before their victims do so they receive their refund before their victims have filed their legitimate returns.

Scam of the day – June 30, 2014 – Even hackers use weak passwords

June 29, 2014 Posted by Steven Weisman, Esq.

I am constantly warning people to use complex, distinct passwords for all of their online accounts in order to prevent the passwords from being stolen and deciphered when encrypted.  The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords less than twelve characters.  A complex password should also mix small letter, capital letters, figures and symbols for maximum protection.  However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password.  These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords.  According to Avast only about 10% of hackers use difficult to decipher passwords, with the average hacker password only six characters long.  In fact, the most popular password for hackers, was “hack.”

TIPS

Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password.  You should have a separate password for all of your online accounts so if your password for one account falls into the hands of an identity thief, your entire online life is not threatened.  You should also change your passwords about every six months.  Creating an easy to remember, but complex password is not very difficult.  Start with a phrase, such as “AVeryComplexPassword” and then add a some numbers and symbols, such as “AVeryComplexPassword1**.”  You can then personalize it to a particular account by adding an abbreviation for that account at the end.  For example, your password for Amazon could be “AVeryComplexPassword1**Ama.”  Easy to remember and hard to break.

Scam of the day – June 29, 2014 – Smart television hacking

June 28, 2014 Posted by Steven Weisman, Esq.

In many Scams of the day, I have warned you about the dangers of hacking into what is referred to as the “Internet of things” and how that can threaten you.  Basically, anything you use that is connected to the Internet or Blue Tooth makes you susceptible to identity theft or other dangers.  The Internet of things includes cars, refrigerators and heating systems.  It also includes smart televisions.  Researchers at Columbia University of New York’s Network Security Lab have been warning about the dangers that will come when, not if, but when, hackers hack into broadband connected smart televisions using radio frequency transmitters, which is what your remote control is.  These transmitters can be used to steal personal information from your smart television including social media passwords, shopping account passwords and credit cards.  These attacks will be hard to prevent and hard to discover.  All to often, as new technological advances occur, not enough thought is put into securing these systems.

TIPS

If you are considering purchasing a smart television, you should look into the security systems for your particular television.  You also may wish to refrain from using your smart television for making purchases online where you must supply a credit card.

Scam of the day – June 28, 2014 – Sony settles video game class action

June 27, 2014 Posted by Steven Weisman, Esq.

In 2011 Sony disclosed that its PlayStation video gaming network and Qriocity streaming music and video networks had been hacked and that personal data including credit card information on more than 101 million users had been stolen.  A class action was filed in the Federal District Court for the Southern District of California on behalf of the people whose data had been stolen alleging that Sony had failed to properly secure the network and protect the information of its users.  Now a proposed settlement has been submitted to the judge for approval.  I will report to you when the settlement becomes official.

TIPS

This is just another example of the fact that regardless of how careful you are in regard to protecting the security of your personal data, you are only as secure as the companies with the weakest security with which you do business.

In regard to the proposed settlement, people who had a PlayStation Network account or sub-account as well as those who had a Qriocity account or a Sony Online Entertainment account prior to May 15, 2011 will be eligible for compensation.  The settlement provides for cash reimbursements of up to $2,500 per person for identity theft related expenses incurred as well as free PlayStation 3 and PlayStation Portable games, PlayStation Plus subscriptions, Music Unlimited service subscriptions and virtual currency.

Scam of the day – June 27, 2014 – Student loan scams

June 27, 2014 Posted by Steven Weisman, Esq.

For many college students, graduation day is the culmination of years of hard work.  It is a day to look back and see all that they have accomplished.  However, it is also a time to look forward to a future of paying off expensive student loans.  Most government and private students loans give students a six month grace period before they have to start repaying the loans, however once loan repayments begin, it can be a crushing burden for many new graduates.  Scam artists, the only criminals whom we refer to as artists, see new graduates as new victims as they contact them with a number of different loan scams that all share one important aspect.  The graduate gets no debt relief and loses money to the scammer in the process.  The most prevalent student loan scam is a loan consolidation scam by which the scammer tells the graduate that he can consolidate numerous student loans into one loan that is more affordable.  Usually, they require an advance fee before they start the process.  The fee goes by many different names including processing fee, administrative fee and consolidation fee, however, whatever you call it, it is a scam.  Legitimate lenders do not charge advance fees so if you are approached by someone who offers to assist with consolidating or finding you a lower interest loan and they ask for an advance fee, it is a scam.

TIPS

Federal student loans can be consolidated by you at no cost by going to the Federal Student Aid website www.loanconsolidation.ed.gov.  For other assistance you can go to the Federal Student Aid website that deals with federal student loan servicing at https://studentaid.ed.gov/repay-loans/understand/servicers.  For private loans, you should go directly to your lender for assistance.  Don’t waste money on “help” that will only cost you more money.

Scam of the day – June 26, 2014 – Hedge funds hacked

June 26, 2014 Posted by Steven Weisman, Esq.

Hedge funds are aggressively managed investment portfolios that are largely unregulated.   They generally are used by only the wealthiest of people.  They also have become a ripe target for hackers who, according to a recent report by computer security firm BAE System, have been hacking into the computers of these funds and causing financial harm in a multitude of ways.  According to BAE, one unnamed hedge fund lost millions of dollars after hackers managed to infiltrate their computers through simple spear phishing tactics by which the hackers tricked hedge fund employees into clicking on links in infected emails that downloaded malware into the hedge fund’s computers that enabled the hackers to learn about impending trades and then delay the trades while the hackers traded first based upon the stolen information.   Another way that the hedge funds have been attacked is through the ransomware  program Cryptolocker, about which I warned you repeatedly since November of 2013.  Cryptolocker is a type of malware that infects the computer of the unwary victim and encrypts all of the victim’s data making it unusable unless they pay a ransom to the criminal hacker.

TIPS

The financial industry as a whole has not taken sufficient security precautions and steps to protect themselves and our economy from the attacks of scammers, hackers and identity thieves.  Just because you have not heard of many of these hackings as much as with high profile hackings of Target and other companies is very much because quite often the companies do not disclose that they have been hacked.  The hedge fund industry’s sophisticated digital trading systems have become attractive targets to hackers and the hedge fund industry has not taken the necessary security steps to protect the integrity of their business from attack.  Unfortunately, this type of crime is something that is going to get worse before it gets better.  Whenever you are investing your money with a company, you should first inquire as to the security steps taken by the company.

Scam of the day – June 25, 2014 – World Cup scams

June 25, 2014 Posted by Steven Weisman, Esq.

With an estimated 46% of the planet’s population eagerly watching the FIFA World Cup tournament it should come as no surprise that this event will also spawn scams and identity theft schemes concocted by criminals around the world.  One of the most common scams involves an email informing you that you have won tickets to the tournament in Brazil.  However, if you click on the link in the email, you will only succeed in downloading malware on your computer that will steal your information which will then be used to make you a victim of identity theft.  Another common scam being seen now is one in which you are promised that by clicking on links in the email you will either be able to get free access to the games streamed on the Internet or free news and highlight videos.  Again, however, if you click on the links, you will end up installing malware on your computer.

TIPS

The advice is the same as always, never click on links in emails unless you are absolutely sure that they are legitimate.  It is impossible to win a contest you have not entered so that should be warning enough not to click on links in emails regarding contests you apparently have won although you never entered.  It is impossible to know if any of these emails that you receive regarding the World Cup are legitimate, so do yourself a favor and stick to either the official FIFA website, www.fifa.com or other sports websites that you know are legitimate, such as ESPN’s www.espn.go.com.  Also, make sure that your anti-malware and anti-virus security software is up to date.

Scam of the day – June 24, 2014 – Japanese app accounts hacked

June 24, 2014 Posted by Steven Weisman, Esq.

Line is a popular phone messenger app in Asia where four hundred million people, mostly in Japan, use it to make free phone calls, send instant message, post photos or post videos.  Between May and June there were hundreds of hackings into the accounts of Line users, however, it does not appear that there was a security breach at Line.  Rather, it seems that hackers managed to steal the passwords of Line users from other online services and, where those passwords were also used for Line, were able to access their victims’ Line accounts.  This case strongly indicates why it is so important to have a different and complex password for all of your accounts.  Identity thieves rely on the fact that so many people use the same password for all of their accounts so if they are able to hack into a company with lax security and obtain customers’ passwords, they can use those passwords elsewhere, such as for online banking where the harm can be significant.

TIPS

It is important to have distinct, separate passwords for all of your online accounts.  It is also important to make sure that they are complex and that they combine capital letters, small cap letters, digits and symbols in order to make them able to withstand the password deciphering programs used by identity thieves.  To make them easy to remember, you may wish to use a phrase, such as “EasyToRemember1***.”  You can also adapt this password to each of your accounts, such as making “EasyToRemember1Amazon***” your password for your Amazon account.

Scam of the day – June 23, 2014 – Duke University Press data breach

June 23, 2014 Posted by Steven Weisman, Esq.

Duke University has announced that its Duke University Press has suffered a data breach.  Although no financial information was stolen, usernames and encrypted passwords were stolen.  However even though the passwords were encrypted, it is not uncommon for sophisticated hackers to use software programs to decipher passwords that are not particularly strong.  This is just the latest hacking of an institution of higher learning.  In just the last four months, personal information on more than 750,000 students was stolen in data breaches at Iowa State University, University of Maryland, North Dakota University and Indiana University.

TIPS

Again, the advice to follow, if you were a victim of the Duke University Press hacking is to change your passwords immediately.  It also is a good time to consider changing your passwords for all of your password protected accounts and making them strong enough to withstand hackers’ decryption software.  A good password will be a combination of lower case letters and higher case letters, figures and symbols.  In order to make the passwords memorable, you can use a phrase, such as “IDon’tLikePasswords**” you can also adapt the password to different accounts, such that you make your Amazon password “IDon’tLikePasswordsAMA**.”  In this way you can establish easy to remember, but difficult to decipher passwords.