Scam of the day – May 6, 2017 – Google Docs phishing scam

A phishing email is presently being sent to unsuspecting victims that urges you to click on a Google Docs link.  A copy of one version of the email is reproduced below. Clicking on the link will turn over your Gmail account to the scammer which not only will give the hacker access to all of your emails, but also your contact list which will enable the hacker to contact your friends with emails that appear to come from you and will be used to lure your trusting friends into clicking on links that can download keystroke logging malware that can lead to identity theft or ransomware.

TIPS

Never click on links or download attachments regardless of from where they may appear to originate unless you have verified that the email is legitimate.  In addition, even people who fell for this scam, would be safe if they used dual factor authentication for their Gmail account which would prevent someone who had your password from accessing your account.  With dual factor authentication, when you go to access your account a special code is sent to your cell phone if the request to access your account comes from a different computer or device that you generally use.  You can sign up for Google’s dual factor authentication by clicking on this link:  https://www.google.com/landing/2step/

Scam of the day – March 4, 2017 – New York financial service company regulations go into effect

In September I first told you about the New York Department of Financial Services new cybersecurity rules for banks and financial services companies doing business in New York. These regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimal standards all institutions must follow, the regulations were written in a manner to encourage companies to go further and not limit security innovation. Among the provisions of the regulations are the establishment of the position of chief information security officer at each company as well as increased use of encryption and dual factor authentication.  In addition, the proposed regulations also carry potential criminal liability for officials of companies not meeting the new standards.  The regulations were originally to go into effect on January 1, 2017, however the effective date was postponed until March 1, 2017.  Financial firms have an additional 180 days to make the changes necessary to comply with the regulations before any enforcement actions will be taken by New York authorities who have also promised a transitional period for compliance with the rules.

TIPS

While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost you should monitor your bank accounts often for indications of any irregularities.  You should be particularly careful when banking with your smartphone or on your computer.  Use a strong password, strong security question and multi factor authentication whenever possible.  Here is a link to a column which I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.

http://www.usatoday.com/story/money/columnist/2016/02/27/e-banking-tip-moms-maiden-name-say-grapefruit/80756330/

Scam of the day – February 26, 2017 – Data leak at Cloudflare threatens everyone

Many of you many not be aware of Cloudflare which is one of the biggest Internet security companies in the world whose services are used by literally millions.  Recently, security researcher Tavis Ormandy discovered a massive vulnerability in Cloudflare’s code that for six months has been leaking massive amounts of data including passwords and personal information across the Internet.

Among the many companies that use Cloudflare’s services are Uber, OKCupid and FitBit.  The code vulnerability has been fixed and at this time we do not know if hackers had already exploited the vulnerability and stolen the massive amounts of data affected by the leak, however some of the data  is available through search engines such as Google and Yahoo and it will take a while for Cloudflare to purge the data from the caches readily available through search engines.  Quite frankly everyone is in jeopardy due to this data leak.

TIPS

This incident, once again, reminds us all that we are only as secure as the places that have our personal information with the weakest security.  This is probably a good time to consider changing your passwords and as an extra security measure add dual factor authentication to whatever accounts you use that offer it.

Scam of the day – February 19, 2017 – WhatsApp adds dual factor authentication

WhatsApp is a mobile messaging app for your smartphone that allows you to send text messages, photographs, videos and audio.  With more than a billion people using WhatsApp, it is not surprising that it has become attractive to scammers seeking to use its popularity to lure people into becoming scam victims.  Also, like many popular apps, it has been a target of hackers seeking to take over the accounts of legitimate users of the app and send out malware filled messages that appear to be trustworthy because the messages look like they are coming from someone the victim trusts.

Mere passwords have not proven to be a particular secure method of authentication.  Many people use simple to guess passwords and even what may appear to be complex passwords can often be identified by sophisticated hackers using password cracking software.  However, more and more companies such as Facebook, Twitter, Google, Tumblr, Yahoo and others are using dual factor authentication by which when your password is used to access you account, a special code is sent to your smartphone that must be used in order to complete access to the account. This provides dramatically enhanced security.  Now WhatsApp has become the latest app to offer dual factor authentication.

TIPS

Passwords are just too vulnerable to be the sole method of authentication for important apps or accounts.  Whenever you are able to use dual factor authentication for a particular website, account or app, you should take advantage of this.  Some dual factor authentication protocols do not require it to be used when you are accessing the account from the computer or smartphone that you usually use, but only if the request to access the account comes from a different device, which still provides security without even having to use the special code.

Scam of the day – February 6, 2017 – IRS issues urgent alert about evolving W-2 scam

Income tax identity theft is a multi billion dollar problem that costs the government and, by extension,  we the taxpayers billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund.  Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.

A year ago, when this scam first surfaced, I first warned you about identity thieves tricking companies into providing employee W-2s to them.  These stolen W-2s  contain all of the information the identity thieves need to file a fraudulent income tax return.  The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises.  Other times, payroll management companies have been targeted using the same type of phishing emails.  In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.

Now the IRS has issued an urgent alert indicating that the scam has evolved from merely targeting companies to school districts, non-profit organizations, restaurants, temporary staffing agencies and others.  In addition, the IRS is saying that the scammers are now combining this scam with the business email scam by which the employees receiving the email asking for W-2s to be sent are also asking the employees to wire money for various purposes.  According to IRS Commissioner John Koskinen, “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”

TIPS

All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs.  In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are.  These same lessons that apply to companies also apply to all of us as individuals, as well.  Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.”  Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information.  Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft.  Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.

Scam of the day – January 28, 2017 – Hacker of nude photos of celebrities sentenced

In 2014 nude photos of as many as one hundred celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and Hope Solo turned up online on websites such as Reddit.com and 4chan.org.   The photos were taken from both the Apple’s iCloud accounts of the hacked celebrities as well as their email accounts.  The hacker, a 29 year old self-described “computer nerd” named Edward Majerczyk pleaded guilty to one count of unauthorized access to a protected computer to obtain information and was sentenced earlier this week to nine months in prison.

The manner by which Majerczyk accomplished the hacking was simple, but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google security in which, under various pretenses, he requested the victims’ usernames and passwords, which he then used to access their email accounts and iCloud accounts from which he stole the photos and videos.

Using a similar tactic, Ryan Collins hacked 600 celebrities thereby obtaining nude photos, as well.  He was convicted and sentenced to eighteen months in prison.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security.    It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are.  If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – December 31, 2016 – President takes action against Russian hackers

In the last Scam of the day for 2016 it is appropriate that we discuss the issue of Russian hacking of American organizations that occurred in 2015 and 2016 that were intended to influence the Presidential election.  Two days ago, President Obama ordered sanctions against Russia including the ejection of 35 Russians spies that the administration said were posing as diplomats and specific actions against three organizations that it said supported the hacking operations.  The possibility of further covert actions against Russia was also hinted at.

A day prior to the President’s announced sanctions, the Department of Homeland Security and the FBI issued a joint analysis report entitled “Grizzly Steppe – Russian Malicious Cyber Activity” in which it provided details about the hackings.  Here is a link to the report.

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

TIPS

Although the report contains important information about Russian hacking of American institutions, the report also provides a long list of specific steps that institutions and individuals can take to avoid being a victim of cybercrime.

Here are just a few of the things that all of us as individuals should consider.

  1. Backup all important information offline.
  2. Be on the alert for spear phishing. The report emphasizes, as I have warned you about for years, that the primary cause of hacking is people clicking on links in spear phishing emails that download malware.  Use both anti-phishing security software as well as your own brain to refrain from clicking on links in emails unless you have absolutely confirmed that they are legitimate.
  3. Use strong firewalls with whitelisting configurations by which only approved applications will be allowed to be downloaded on to your computers.  This is much better than blacklisting because it protects you from threats about which you know nothing.
  4. Limit the personal information you provide on social media.
  5. Use dual factor authentication whenever possible.

Scam of the day – December 9, 2016 – Celebrity hacker sentenced

Since 2014 I have been reporting to you about a string of celebrity hackings in which nude photos, videos and other personal material were stolen by a number of different hackers who have been caught, put on trial and sentenced.  The latest celebrity hacker to be convicted for his crimes is Alonzo Knowles who hacked into the emails of various celebrities and athletes from whom he stole not just nude photos and videos, but also unreleased movie and television scripts, unreleased music and financial documents all of which he tried to sell for profit.  Knowles pleaded guilty and his attorneys asked for a sentence of fourteen months in prison.  Instead the judge sentenced him to five years in prison which was considerably more than the recommended federal sentencing guidelines of 27-33 months.  Contributing to the larger sentence was the fact that while in prison awaiting sentencing, Knowles used the monitored prison email system to send out emails in which he bragged about his plans to write a book including photographs in which he would expose the secrets of his victims.  For a sophisticated cybercriminal, this was an incredibly stupid action that showed a lack of remorse to the sentencing judge.

TIPS

Knowles managed to hack into the email accounts of his victims by first targeting friends of his victims.  He identified friends of his victims through photographs appearing on line and then hacked into the email accounts of these people, taking control of the accounts, gathering personal information including telephone numbers from the accounts and then emailing his celebrity targets with spear phishing emails that enabled him to get information from the celebrity victims.   You may remember that the fact that Hillary Clinton was using a private email server while acting as Secretary of State was disclosed not by a hacking of her email, but by a hacking of the email account of one of her advisers, Sidney Blumenthal.

This case serves as another reminder of the important cybersecurity steps we all need to take, particularly in regard to using email.  For personal emails you may wish to use a separate email account than the one you use generally that may be more easily discovered.  You should also use a security question that is not easily guessed or obtained through research.  Colin Powell and many others became victims of email hacking because their security questions were easily guessed enabling the hacker to change their passwords.  I suggest using a nonsensical answer to the email question, such that if the question is what is the maiden name of your mother, you indicate something totally unrelated, such as “firetruck.”  Another option, as cleverly suggested by a regular Scamicide reader is to just add some digits at the end of the answer so, for example, your mother’s maiden name could be “Smith1234.”

It is also important not to store sensitive data in your email folder.  To protect yourself from hackers, you may wish to both encrypt sensitive information on your computer and store it in a portable USB hard drive to protect it from ransomware attacks.  It is important to recognize that anytime you are asked for personal or sensitive information in an email, you can’t be sure if the person contacting you is someone you know and trust or whether their email account had been hacked as was done in this case so never provide personal information in response to an email or text message unless you have confirmed the identity of the person contacting you.   Trust me, you can’t trust anyone.

Dual factor authentication for all accounts where you may have sensitive information is also important.