Scam of the day – July 10, 2015 – Navy Federal Credit Union scam

July 9, 2015 Posted by Steven Weisman, Esq.

Below is a good example of a scam phishing email send by an identity thief attempting to lure the receiver of the email, (in this case, me) to download the attachment, which will then cause of one of two things to happen, both of which are bad.   Either by downloading the attachment, you will either unwittingly download keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft or the download will, under the guise of providing greater security to you, require you to provide personal information that will be used to make you a victim of identity theft.  Here is a copy of the email I received.  DO NOT CLICK ON THE LINK OR DOWNLOAD THE ATTACHMENT.   You can see that the email looks quite legitimate and the logo looks real.  However, one good indication that this is a scam is that the salutation is “Dear Customer” instead of inserting a real name.

 


Dear Customer,

We’re writing to let you know that your online account has been temporarily

suspended due to recent access to your account from an unknown IP address.

To re-activate your account, download “Navy_Federal_Update_Form”

attached to this message and complete the process.

Thank you for helping us serve you .

Yours sincerely,
� 2015 Navy Federal Credit Union, All Rights Reserved.

TIPS

My advice whenever you get an email or text message with an attachment or a link is not to download the attachment or click on the link unless you have confirmed that it is legitimate.  In this case, I am certain that this is a scam because, among other indications, I do not have an account with the Navy Federal Credit Union.  However, even if I did, I would not click on the link or download any attachment.  Instead I would call the Navy Federal Credit Union at a telephone number that I knew was accurate to check on this email.

Steve Weisman speaks to IRS town meeting about income tax identity theft

July 9, 2015 Posted by Steven Weisman, Esq.

Income tax identity theft continues to be a major problem costing taxpayers 5.8 billion dollars last year and causing tremendous hardship to the individuals whose identities were stolen and used to file fraudulent income tax returns.  Here is a link to a video of a speech given by Steve Weisman to an IRS town meeting of tax preparers and IRS officials.  http://ezwp.tv/V8VcuLNq

Scam of the day – July 9, 2015 – Spyware company hacking leads to discovery of critical new Adobe Flash flaw

July 9, 2015 Posted by Steven Weisman, Esq.

It was only a week ago that I told you about a critical vulnerability in the popular Adobe Flash software so many people use for viewing videos.  Now following the embarrassing hacking and data breach at the Italian spyware company Hacking Team which sells spyware to governments, it has been learned that among the 400 gigabytes of files, source code and emails stolen and made public was source code for Adobe Flash software that can be and has been exploited by hackers to take control of computers running Adobe Flash.  Unlike the previous Adobe Flash flaw, which was discovered by security company FireEye, which notified Adobe in timely fashion to enable them to produce a security update, the new flaw discovered by Hacking Team had been kept secret by them which allowed them to exploit the vulnerability with its own spyware.  Since the time of the making public of this software vulnerability, enterprising hackers have already started selling kits on black market websites to other hackers that enable them to hack into computers running Adobe Flash.   Everyone using Adobe Flash is extremely vulnerable to identity theft and having their computer data stolen.

TIPS

Adobe Flash has been a constant target of hackers and some people are just choosing to disable it and use other video viewing software.  Some alternatives include LightSpark, Unity Web Player, GNU Gnash, and Silverlight.  Silverlight can be downloaded directly from the Microsoft website.  Adobe Flash has just released a security patch to fix the flaw.  Here is a link to the critical security patch to fix your Adobe Flash software: https://www.us-cert.gov/ncas/current-activity/2015/07/08/Adobe-Releases-Security-Updates-Flash-Player

 

Scam of the day – July 8, 2015 – Harvard hacked: what does it mean to you?

July 8, 2015 Posted by Steven Weisman, Esq.

Harvard University recently announced that it had been hacked for the second time in just four months.  The data breach appears to be limited to the Faculty of Arts and Sciences and Central Administration information technology networks and, fortunately, does not appear to have compromised either research data or personal information of students and faculty, such as Social Security numbers.  More and more colleges and universities are targets of hackers, as I described to you most recently in May 16th’s Scam of the day regarding the major data breach at Penn State.  American engineering schools, including MIT, and Carnegie Mellon, have been targets of Chinese state sponsored hacking for many years.  The goal of these hackings have been to gain information for both commercial and national defense purposes.  However, colleges in general are targeted by hackers seeking personal information for purposes of identity theft.  One reason that colleges and universities are such a tempting target for identity thieves is that they gather and retain so much personal information on applicants, students, faculty and alumni.  Making the problem worse is that college and university computer networks are generally readily accessible by so many people that it becomes difficult to secure these networks.

TIPS

I have written many times of the extreme vulnerability of colleges and universities, which gather and keep much personal information for which they have no real need, such as the Social Security numbers of applicants to the schools or Social Security numbers of alumni.  Coupled with lax security at many colleges and universities, this gathering and keeping of personal information for which the schools have no need puts the people whose information is affected in great danger of identity theft.  It is important for all of us to always inquire as to any company or agency that has personal information of ours as to what they do to keep this information secure.

For those people who may have been affected by the Harvard data breach, here is a link to Harvard’s official announcement of the data breach with details of the breach as well as suggestions for action by those affected.  http://security.harvard.edu/cyber-alert/faqs

Steve Weisman’s appearance on the Free Talk Live radio show

July 7, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s interview on Mark Edge’s Free Talk Live syndicated radio show in which Steve speaks about cybersecurity.

Scam of the day – July 7, 2015 – New Apple security updates

July 7, 2015 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  This was never more evident than with the recent hacking of people who did not update their Adobe Flash software promptly.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  Users of the affected programs should make sure that they update their software with these latest security patches as soon as possible.  Today’s updates from Apple include critical updates for many of their software programs including QuickTime and Safari.

TIPS

Here is the link to Apple’s security updates:

https://www.us-cert.gov/ncas/current-activity/2015/06/30/Apple-Releases-Security-Updates-QuickTime-Safari-Mac-EFI-OS-X

Scam of the day – July 6, 2015 – Windows 10 update scams

July 5, 2015 Posted by Steven Weisman, Esq.

The new Windows 10 operating system is coming.  It is scheduled to start being released on July 29th.  However, if you are a user of Windows 7 or Windows 8.1 you are eligible to receive the new Windows 10 operating system for free.  Microsoft is letting these customers reserve the new operating system now.  Microsoft is notifying customers through a new icon on your taskbar or a popup message as indicated in the screen photo below.  Clicking on the message will take you to a page where you can sign up by merely providing your email address.  Once Windows 10 is available Microsoft will then download it to your computer. Over the years Microsoft has issued new operating systems after years of patches and updates of the previous operating systems.  When it became too cumbersome and difficult to patch the old operating systems, new ones were released.  Unfortunately, many individuals and companies still use the old operating systems, such as Windows XP although they were warned for years that new security update would no longer be issued after a specific date.  People and companies continuing to use the old operating systems, particularly Windows XP have become easy targets for hackers exploiting the vulnerabilities of the older operating systems.

W10_Laptop_AUX_Build_16x9_en-US_070115-01

TIPS

The release of Windows 10 will be exploited by scammers and identity thieves.  In particular you may receive emails or text messages with links or downloads that purport to be of Windows 10.  Don’t trust them.  Microsoft is not contacting people by emails or text messages regarding Windows 10.  Any email or text message, regardless of how legitimate it may look, that purports to be from Microsoft asking you to download an attachment or click on a link to install your Windows 10 is a scam.  If you click on those links or download those attachments all you will succeed in doing is downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  Microsoft will  also not be calling you on the phone to install Windows 10 either, so if you get a telephone call in which the caller represents that he or she is from tech support at Microsoft to help you download Windows 10, just hang up.  The call is from an identity thief only seeking to get access to your computer and its data.

Scam of the day – July 5, 2015 – Trump hotel chain hacked

July 4, 2015 Posted by Steven Weisman, Esq.

Donald Trump seems to be constantly in the news these days.  Whether it is for declaring his candidacy for President of the United States or for making inflammatory comments, Trump is omnipresent in the media.  However, the latest Trump news event is not one with which he must be pleased.  It has just been disclosed that the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York has been hit with a Target-like credit card and debit card data breach that appears to have started at least as far back as February.  As with so many data breaches, it was discovered not by the company hacked but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.  This type of hacking and data breach is expected to happen again and again as companies still cling to the use of old fashioned credit and debit cards using magnetic strips rather than the more modern smart credit cards with computer chips that create a new one-time authorizing number each time the card is used.

Here is a link to a column I wrote for USA Today in September of 2014 in which I both described how these data breaches occurred and correctly predicted their continuing pattern. http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

There is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which you do business.  One important thing to do is to refrain from using your debit cards except in ATMs.  Using your debit card at retail establishments puts you at much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Although the deadline for companies being required to install smart credit card readers is months away, you should ask your credit card company for a replacement credit card with a computer chip now.  Some stores, most notably Wall Mart are already using the safer smart chip cards.  Whenever you can use the smart credit card, it is important to do so.

Scam of the day – July 4, 2015 – Update on hacking of Office of Personnel Management

July 4, 2015 Posted by Steven Weisman, Esq.

It was a month ago that I first reported to you about the hacking of the federal Office of Personnel Management (OPM) in which personal information on anywhere between 4 million and 14 million people was compromised.  The large discrepancy in the number of people who may have been affected by the hacking is due to the fact that although files on 4 million people were accessed, there was information on many millions more within those files.  The risk of identity theft is quite high for those affected by the data breach.  Meanwhile, as they always do, other scammers are taking advantage of people’s legitimate concern about their risk of identity theft and sending out emails that purport to be from the Office of Personnel Management appearing to offer help when all they really are doing is phishing for personal information that can be used to make the targeted person a victim of identity theft.  OPM has hired CSID, a company that provides identity theft protection and fraud resolution services and is offering 18 months of free credit report access, credit monitoring, identity theft insurance and recovery services to those people affected by the data breach.  However, be very skeptical of emails that appear to come from CSID offering assistance, but asking for information.  CSID’s URL for this purpose is opm.csid.com.  Be particularly wary if you receive an email purporting to be from CSID that is not from that address.  In fact, it is a good idea not to trust any email that asks for personal information without confirming first that it is legitimate.

TIPS

First, if you are one of the millions of people affected by this data breach, I suggest that you go to the OPM’s website for the latest announcements as to the status of the data breach and what you can and should do to protect yourself.  Here is a link to the OPM’s page with the latest information:  http://www.opm.gov/news/latest-news/announcements/

Also, if you are affected by the data breach, here is a link to CSID’s website where you can safely enroll for services: https://www.csid.com/opm/

As for all of us, a good lesson to avoid becoming a victim of phishing that leads to identity theft, never click on links in emails or text messages or provide information requested in an email or a text message unless you have absolutely confirmed that it is a legitimate.  It is easy to send a phony email that looks quite legitimate.

Scam of the day – July 3, 2015 – Turkish man arraigned in worldwide financial hacking scheme

July 2, 2015 Posted by Steven Weisman, Esq.

Ercan Findikoglu who had been arrested in Germany in December of 2013 finally was extradited to the United States where last week he was arraigned on charges related to three major cyberattacks on the global financial system.  Findikoglu, a Turkish citizen is alleged to be the kingpin of an international gang that hacked into three credit and debit card processors and then manipulated the account data on prepaid debit cards to be dramatically increase the balances.  Findikoglu then is alleged to have distributed the stolen debit card information to cohorts around the world who would create cards and then use the phony cards to withdraw money from ATMs around the world.  One plot targeted cards issued by JP Morgan Chase, another by the National Bank of Ras Al-Khaimah in the United Arab Emirates  and a third plot targeted cards issued by Bank Muscat in Oman.  The debit cards of Bank Muscat were distributed to gang members in 24 countries who within a two day period did 36,000 ATM withdrawals totaling 40 million dollars.  The total amount stolen through all three bank hacks was 55 million dollars.

TIPS

The international cooperation involved in this case is good news in the battle against cybercrime which is a crime that knows no borders.  Often the type of international cooperation required to effectively combat such cybercrime is lacking in the international community.  Hopefully, this case provides an indication of a positive change in the war against cybercrime.   Another positive change that is necessary in the battle against cybercrime is greater cooperation between hacked companies and law enforcement and other governmental agencies.  To date, Congress has not enacted the legislation necessary to make this happen, but it is expected that in the not too distant future we will see such laws mandating greater disclosure and cooperation between government and business.