Scam of the day – April 13, 2017 – Amazon marketplace hit by hackers

According to some estimates, Amazon may account for as much as 30% of total online sales in the United States. About half of these sales, however, are made not by Amazon directly but by third-party merchants using the Amazon platform to sell their goods.  Recently there have been a number of cyberattacks against these merchants by hackers who have, in many instances, managed to take over the merchants' Amazon accounts and commit two different types of crime.  In one, the hackers change the merchant's bank account information so that funds from sales are sent to accounts controlled by the hackers.  In the other, hackers take over the Amazon third-party seller account of a seller who has been inactive for a considerable period of time and use it to market non-existent goods, such as popular electronics including the Nintendo Switch, at very low prices, luring unsuspecting consumers into sending money to scammers who send nothing in return.

What appears to be a common thread in the hacking of the accounts of the third party vendors on Amazon is that their user names and passwords were stolen and used to gain access to the accounts.  Often this occurs when the third party vendors use the same usernames and passwords that they use for other accounts where there have been data breaches and the usernames and passwords have been sold on the Dark Web to other criminals.

TIPS

Whether or not you are a third party vendor of Amazon, the lesson is the same: you should use a unique username and password for each of your online accounts to help prevent this type of crime.  Creating a unique and easy to remember password is not hard to do.  A strong password should have capital letters, small letters and symbols.  You can take a short sentence, such as IDon’tLikePasswords, and make that your base password.  Add a couple of symbols such as !! to the end and you have a strong base password, which you can then adapt for each account by adding a few distinguishing letters at the end.  For example, your Amazon password could be IDon’tLikePasswords!!Ama.  This is easy to remember and a strong password.

In addition, whenever possible you should use dual factor authentication for further protection.
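The unique-password tip above can be checked against your own list of accounts. The following is an added example, not part of the original post: it groups sites that share an identical password and also reports pairs of passwords that differ only in a short ending. The account list, the function names and the 75% threshold are assumptions made for illustration.

```python
from collections import defaultdict
from os.path import commonprefix

# Constructed sample inventory (site, username, password); not real credentials.
ACCOUNTS = [
    ("amazon-seller", "shop@example.com", "IDon’tLikePasswords!!Ama"),
    ("email", "shop@example.com", "IDon’tLikePasswords!!Ema"),
    ("forum", "shop@example.com", "Tr0ub4dor&3"),
    ("bank", "shop_owner", "Tr0ub4dor&3"),
    ("payroll", "shop_owner", "q7#Vd2!mZp9x"),
]

def exact_reuse(accounts):
    """Return sorted groups of sites that share an identical password."""
    by_password = defaultdict(list)
    for site, _user, password in accounts:
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def shared_base(accounts, min_ratio=0.75):
    """Return (site_a, site_b, shared_length) for distinct passwords whose
    common prefix covers at least min_ratio of the longer password.
    Only the length is reported so the audit output never echoes a password."""
    findings = []
    for i, (site_a, _, pw_a) in enumerate(accounts):
        for site_b, _, pw_b in accounts[i + 1:]:
            if pw_a == pw_b:
                continue  # identical passwords are reported by exact_reuse()
            base = commonprefix([pw_a, pw_b])
            if len(base) >= min_ratio * max(len(pw_a), len(pw_b)):
                findings.append((site_a, site_b, len(base)))
    return findings

if __name__ == "__main__":
    for sites in exact_reuse(ACCOUNTS):
        print("Same password on:", ", ".join(sites))
    for site_a, site_b, length in shared_base(ACCOUNTS):
        print(f"{site_a} and {site_b} share their first {length} characters")
```

Any site group or pair it reports is a candidate for a password change, starting with accounts that handle money.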

Scam of the day – December 28, 2014 – Hackers release personal information of 13,000 people

Yesterday a group of hackers posted personal information including usernames, passwords and credit card information of 13,000 people on its Twitter account @AnonymousGlobo.  The hackers indicated that they had stolen the information from a large number of popular websites that they listed.  Among the websites listed by the hackers were Amazon, Walmart, PlayStation Network, Xbox Live and a large number of popular pornography sites including Brazzers.  The hackers later wrote “We did it for the Lulz” which is slang for doing it just for their own personal enjoyment and satisfaction.  While we do know that this much personal information was made public, putting the victims in danger of identity theft, we do not know whether the hackers actually stole the information, as they stated, by hacking into the particular websites they listed or, alternatively, whether they sent phishing emails to their thousands of victims, luring them to click on links in the emails and download keystroke logging malware through which the victims’ own computers supplied the information to the hackers.  Either alternative is a source for concern.

TIPS

There are a number of lessons to be learned from this hacking.  One is to never leave your credit card information on file with an online retailer with which you do business for the sake of convenience.  It may save you a few seconds the next time you make a purchase with the particular retailer, but it also makes your credit card information vulnerable in the event that the retailer is hacked.  A second lesson is to use different usernames and passwords for each of your online accounts.  If, as many people do, you use the same username and password for all of your online accounts, then in the event of a data breach at one company with which you do business, the hackers would be able to get your username and password for all of your accounts, thereby putting you in greater jeopardy of serious identity theft.  Finally, it is important never to click on links in emails or text messages unless you are absolutely sure that the communication is legitimate and you have confirmed that fact.  Identity thieves are adept at tricking people into clicking on links that contain malware by making the communications look legitimate or even by hijacking the email account of someone you trust.

Scam of the day – April 10, 2014 – Serious security danger on the Internet of Heartbleed

The term “Heartbleed” sounds serious and it is.  Heartbleed is the name of the recently discovered security flaw in the OpenSSL encryption security technology that is used by up to 2/3 of websites on the Internet.  An indication that the website you are communicating with uses OpenSSL is the presence of the tiny padlock icon next to the website address.  Another indication that OpenSSL is being used is the letter “s” appearing after the initial “http” at the beginning of a website address.  The padlock and the “s” indicated to people communicating with websites that their communications were encrypted and safe from hackers.  Now we have discovered that this encryption technology had been cracked by attackers as long as two years ago.  This means that your communications online with your bank and retailers may have been compromised.  Many websites that have used the OpenSSL encryption technology, including Amazon and Facebook, have fixed the problem or are working on it.  There are patches available.

TIPS

The first thing that you should do is to change your passwords at websites you have used that utilized the OpenSSL encryption, because your password may be in the possession of hackers.  However, do not change your password until you have confirmed with the website that it has patched the security flaw.  Heartbleed is a good reminder to us all that we should change our passwords on a regular basis as well as have different passwords for every website where we use a password so that if one gets hacked, identity thieves would not have the passwords for all of our other accounts.  It doesn’t have to be a difficult task, as just adding or changing a letter or two can do the trick if you have a good, complex password with letters both capital and small as well as figures and signs.  Also, again as we all should be doing, monitor all of your accounts regularly for evidence of fraudulent use.

Here is a helpful link you can go to in order to check and see if the websites you go to were among those affected by Heartbleed.  One word of caution: this is not guaranteed by its creator to be 100% accurate.  http://filippo.io/Heartbleed/

For people who have websites that use OpenSSL, here is a link to the notice from the Department of Homeland Security with the links to rectify the situation: https://www.us-cert.gov/ncas/alerts/TA14-098A