Posts Tagged: ‘hackers’

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that, in addition to the information on millions of debit and credit cards stolen by hackers in its recent data breach, which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name. This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official-looking emails. Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft, and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that its computers were hacked by initially hacking into third-party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot. This was the same tactic used in the Target hacking and many other data breaches. In fact, in a column I wrote for USA Today in September (http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/), I described the techniques used by hackers to infiltrate the computers of targeted companies through such third-party vendors or others using offsite access to the computers of the targeted companies. I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant about not clicking on links or downloading attachments in emails, regardless of how legitimate they may look. The risk is too great. You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to give you access to free credit monitoring. Such a legitimate email was sent by Target to its affected customers after its major data breach. However, you cannot be sure that the email is legitimate, so don’t click on the link or download any attachments. Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information. When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – October 7, 2014 – Latest security updates from Department of Homeland Security

October 7, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats. Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices. Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use. Delay in updating your software could lead to disastrous results. However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update. That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly. Today’s updates include a number of important security patches related to the Bash bug.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB14-279

Scam of the day – October 2, 2014 – Important update on Bash bug

October 2, 2014 Posted by Steven Weisman, Esq.

On September 27th I warned you about the revelation that there was a bug called Shellshock in the Bash command-line interpreter on many operating systems including Linux, Unix and Apple’s OS X that had just been discovered after more than twenty years. This bug is simple to exploit and tremendously dangerous since, when exploited, it permits the hacker to take over computers using the affected operating systems. The Federal Financial Institutions Examination Council (FFIEC) has warned the banking industry that it should take immediate steps to protect itself from this major threat. Hackers have been busy trying to take advantage of this security flaw by attacking servers using affected operating systems while security experts have been equally busy trying to create new patches. A series of security patches has been released just in the last couple of days. It is also important to know that, as individual computer users, your firewall should protect you unless a hacker tricks you through phishing into clicking on a link and downloading malware to exploit the flaw.

TIPS

For all of us, this is a reminder to never click on a link in an email, text message or social media posting unless you are absolutely sure that it is legitimate. Too often, what appear to be legitimate emails are phishing scams with malware attached.

Here are links provided by the Department of Homeland Security which in turn have links to the latest security patches issued by Apple and others to deal with this problem.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

https://www.us-cert.gov/ncas/current-activity/2014/09/30/Apple-Releases-OS-X-bash-Update-10

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses. This particular gang has been operating since 2011, but this is their largest data theft. The data breach was discovered by a computer security company, Hold Security, which indicated that the data breach involved more than 420,000 websites around the world including those of large companies as well as small websites. The companies hacked included companies involved in the auto industry, real estate, oil industry, consulting firms, car rental businesses, hotels, computer hardware companies, software companies and the food industry. The gang used a technique to hack these websites that I have warned you about for two years. They exploited security vulnerabilities in the software used to create websites, such as Adobe ColdFusion, which has proven to be vulnerable in the past (although at this point in time, it is still too soon to know exactly which vulnerable programs were exploited). These vulnerabilities permit a type of hacking called SQL injection, in which the hacker is able to inject his data collection software into the targeted website, where it can often go undetected for long periods of time. The hacker then retrieves the collected information and either uses it himself for identity theft and fraudulent purposes or sells the information on black market websites to other criminals.

TIPS

The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information including your user name and password. Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently. If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked. Also, do not store your user name, password or credit card information on any website. It may be convenient for you, but it is also extremely convenient for identity thieves. You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality they are coming from an identity thief. Many of these spear phishing emails will have links and attachments that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft. It is for this reason that I always advise you not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate. This is an important story and I will update you as more information becomes known.

Scam of the day – June 30, 2014 – Even hackers use weak passwords

June 29, 2014 Posted by Steven Weisman, Esq.

I am constantly warning people to use complex, distinct passwords for all of their online accounts in order to prevent the passwords from being stolen and deciphered when encrypted. The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords of fewer than twelve characters. A complex password should also mix lowercase letters, capital letters, figures and symbols for maximum protection. However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password. These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords. According to Avast, only about 10% of hackers use difficult-to-decipher passwords, with the average hacker password only six characters long. In fact, the most popular password for hackers was “hack”.

TIPS

Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password. You should have a separate password for all of your online accounts so if your password for one account falls into the hands of an identity thief, your entire online life is not threatened. You should also change your passwords about every six months. Creating an easy to remember, but complex password is not very difficult. Start with a phrase, such as “AVeryComplexPassword”, and then add some numbers and symbols, such as “AVeryComplexPassword1**”. You can then personalize it to a particular account by adding an abbreviation for that account at the end. For example, your password for Amazon could be “AVeryComplexPassword1**Ama”. Easy to remember and hard to break.

Scam of the day – June 26, 2014 – Hedge funds hacked

June 26, 2014 Posted by Steven Weisman, Esq.

Hedge funds are aggressively managed investment portfolios that are largely unregulated. They generally are used by only the wealthiest of people. They also have become a ripe target for hackers who, according to a recent report by computer security firm BAE Systems, have been hacking into the computers of these funds and causing financial harm in a multitude of ways. According to BAE, one unnamed hedge fund lost millions of dollars after hackers managed to infiltrate its computers through simple spear phishing tactics. The hackers tricked hedge fund employees into clicking on links in infected emails that downloaded malware into the hedge fund’s computers. The malware enabled the hackers to learn about impending trades and then delay the trades while the hackers traded first based upon the stolen information. Another way that the hedge funds have been attacked is through the ransomware program Cryptolocker, about which I have warned you repeatedly since November of 2013. Cryptolocker is a type of malware that infects the computer of the unwary victim and encrypts all of the victim’s data, making it unusable unless they pay a ransom to the criminal hacker.

TIPS

The financial industry as a whole has not taken sufficient security precautions and steps to protect itself and our economy from the attacks of scammers, hackers and identity thieves. If you have not heard of many of these hackings as much as the high-profile hackings of Target and other companies, it is very much because quite often the companies do not disclose that they have been hacked. The hedge fund industry’s sophisticated digital trading systems have become attractive targets to hackers and the hedge fund industry has not taken the necessary security steps to protect the integrity of its business from attack. Unfortunately, this type of crime is something that is going to get worse before it gets better. Whenever you are investing your money with a company, you should first inquire as to the security steps taken by the company.

Scam of the day – June 1, 2014 – Stoners need not apply – at least not yet

June 1, 2014 Posted by Steven Weisman, Esq.

The FBI takes cybercrime seriously, as do many law enforcement agencies and companies around the world. In a creative move to enhance their cybersecurity, British banks began hiring hackers to hack into their banks in an effort to learn where the vulnerabilities of their security systems are and how to correct those flaws. Similarly, the FBI is reaching out to hire young hackers to come work for the FBI to help combat cybercrime and black hat hacking. However, in a recent speech to the White Collar Crime Institute, FBI Director James B. Comey spoke about the difficulty of finding hackers who meet the FBI requirement of not having smoked marijuana for the preceding three years. Director Comey acknowledges that this presents a problem to the bureau when it comes to hiring knowledgeable hackers. According to Comey, “I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.” Comey did say, however, that the FBI is considering changing its drug policy in the future, which would help tremendously in hiring the knowledgeable hackers it desires.

TIPS

If the FBI maintains its present drug policy, it stands little chance of hiring sufficient new agents to combat the serious cybercrimes of today.  With the laws and public perception of marijuana use dramatically changing, hopefully the FBI will make the necessary changes to its drug policy to enable it to hire the new agents it needs.

Scam of the day – April 21, 2014 – IRS misses Windows XP deadline

April 21, 2014 Posted by Steven Weisman, Esq.

It has been six years since Microsoft informed its customers that it would no longer support the Windows XP operating system, thus giving its users plenty of time to install a newer operating system, such as Windows 7. Without continuing technical support, the Windows XP operating system will be dramatically vulnerable to hackers exploiting flaws in the program to the detriment of stubborn people still using this program. This is not a matter of Microsoft being greedy. It is merely a reflection of the fact that Windows XP is too old in terms of computer software. Just as after a while it becomes advisable to buy a new car instead of pouring money into repairs for an old car, it is prudent to move to another and better operating system. It is unfortunate that many banks in the world that use Windows XP to operate ATMs and many government agencies that also use Windows XP failed to act before the April 8, 2014 deadline after which Microsoft no longer provides updates. What many of these companies and the IRS (yes, the IRS) are now doing is paying for short-term support of Windows XP until they make the changeover to a newer operating system. The failure to act in a timely manner is needlessly costing these companies and government agencies large amounts of money. If they had merely acted in a timely manner, they would not have to be paying for these emergency services. In a Congressional hearing last week, numbers between $500,000 and $30 million were tossed about as the additional cost incurred by the IRS due to its lateness in acting. This is inexcusable. Hackers have already been taking advantage of vulnerabilities in Windows XP to steal from ATMs and there is concern in some circles that government agencies such as the IRS may find problems due to their delay in updating their operating systems.

TIPS

Here is a warning to banks and government agencies including the IRS:  Microsoft has indicated that it will no longer do security updates for Windows 7 in January of 2020.  Don’t make the same mistake twice.

What do you think will happen?

Scam of the day – March 29, 2014 – Microsoft warns of danger in .rtf files

March 29, 2014 Posted by Steven Weisman, Esq.

Microsoft has issued a warning to people not to open files with the .rtf extension due to a vulnerability that Microsoft has just discovered. The vulnerability could enable a hacker to send you an email with an .rtf file attached that, if you download it, will enable the hacker to take control of your computer. At the moment, although Microsoft has discovered the problem, they do not have a solution, so they are advising people not to open such files and to consider disabling the opening of .rtf files. RTF is an acronym for Rich Text Format, a file format Microsoft developed for use with Word software.

TIPS

Microsoft has released a security advisory with more details about this threat and what you can do to reduce the danger. Here is a link to Microsoft’s security advisory about this problem: http://technet.microsoft.com/en-us/security/advisory/2953095

For now, the best course of action is to totally avoid .rtf files.

Scam of the day – March 10, 2014 – Netflix phishing scam

March 9, 2014 Posted by Steven Weisman, Esq.

Phishing is the term for a scam where you are lured to a phony website and either induced into providing personal information to what you think is a legitimate company or even a government agency, or persuaded to click on what appears to be a legitimate link only to learn that by clicking on the link, you unwittingly download keystroke logging malware that will steal all of the information from your computer, smartphone, tablet or other device. In either situation, the end result is the same. You end up a victim of identity theft. Recently a phony, but very good-looking copy of a Netflix website was found on the Internet. The URL for the website did have the word “Netflix” in it, but it also had a number of apparently random characters in the URL, which to a careful viewer would have been a sufficient tip-off that this is a scam. On the website was a message to call an 800 support telephone number. If you call the number, you are told that your Netflix account has been shut down because it had been illegally accessed by hackers. You are then told to enable the “support” team to have access to your computer or other device in order to remotely download necessary security software to protect your account in the future. Instead of security software, what is installed remotely is a keystroke logging malware program that enables the scammers to steal all of the information from your device and use it to make you a victim of identity theft. In addition, the support team also asks for a photo of the customer’s identification and a credit card, which is readily able to be done using the victim’s computer or phone camera, which was actually able to be enabled through software already downloaded unwittingly by the customer. In closing, the phony support team tells the customer that the customer will be charged as much as $400 for the security update; however, in his or her case, they will offer a discounted rate.

TIPS

This particular scam is no longer being done.  The phony website has been taken down.  However, it is a typical type of phishing scam that you must take great care to avoid.  Identity thieves are quite adept at creating legitimate looking websites that appear to be those of legitimate companies or even governmental agencies.  Whenever you go to a website for a company or agency with which you do business, make sure that you have the correct URL.  Double check it.  In this case, a savvy consumer would also know that Netflix does not supply security software.  In any event, never provide personal information, click on links or download attachments unless you are absolutely sure that you are dealing with a legitimate company that has a real reason for your information.  Although this particular scam is now down, you can expect the same pattern to repeat itself time and time again.
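
For readers who want to see what "double check the URL" means in practice, here is an added example (not part of the original post) that compares a link's host name against the real domain instead of just looking for the brand name. The trusted list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the sites the reader really does business with.
TRUSTED_DOMAINS = ("netflix.com",)


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a link before anyone follows it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ("reject", "malformed URL")
    if parts.scheme not in ("http", "https"):
        return ("reject", "not a web link")
    # .hostname drops any "user@" prefix and port, and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("reject", "no host name")
    # Non-ASCII or punycode labels can display as look-alike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return ("suspicious", "internationalized host name")
    for domain in trusted:
        # Exact match or a true subdomain; "contains the brand" is not enough.
        if host == domain or host.endswith("." + domain):
            if parts.scheme != "https":
                return ("suspicious", "trusted domain without HTTPS")
            return ("ok", "host belongs to " + domain)
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in url.lower():
            return ("suspicious", "mentions " + brand + " but host is " + host)
    return ("unknown", "host is not on the trusted list")


# Constructed sample links; none is taken from the scam described above.
SAMPLES = [
    "https://www.netflix.com/login",
    "http://netflix-x7f3q9.example/support",
    "https://netflix.com.account-check.example/",
    "https://netflix.com@login-x7f3q.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = classify_url(link)
        print(f"{verdict:10} {link}  ({reason})")
```

Only the first sample is reported as "ok"; the next three contain the word "netflix" but resolve to a different host, which is the pattern the phony site relied on.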