Scam of the day – August 20, 2016 – Guilty plea in insider trading hacking case

I have been reporting to you about developments in this ingenious and massive stock fraud for a year, since the story first broke.  Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania.  It is estimated that between 2010 and 2015 the defendants made profits of as much as 100 million dollars on 800 trades.  A number of the civil defendants have already pleaded guilty to charges related to this scam, and now Leonid Momotok, a Russian-born naturalized American citizen, has pleaded guilty to conspiracy to commit wire fraud in regard to this scam.  According to prosecutors, Momotok made more than 1.2 million dollars in illegal profits by trading Panera Bread Co. and DealerTrack Technologies based upon the stolen inside information.

The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire.  The hackers broke into social media sites, where they stole the passwords of employees of these companies who used the same passwords at work.  The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it still is to use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into our own computers and steal our personal information.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It could well contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at the other places where we use passwords is not threatened.  Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and to adapt that base password for each of your accounts.  Using an easily remembered phrase as the base password, such as IDon’tLikePasswords, is effective.  Make it even better by adding a couple of symbols at the end, such as IDon’tLikePasswords!!!, and then adapt it for each of your accounts so that, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – June 7, 2016 – Mark Zuckerberg hacked – he should have paid attention to Scamicide

On May 22nd, I told you about the 117 million email addresses and passwords of LinkedIn users captured in a 2012 data breach of LinkedIn that were being offered for sale on the Dark Web, which is that part of the Internet where cybercriminals buy and sell stolen data.  I also told you that stolen passwords are useful to hackers because too many people use the same password for all of their accounts, so a person’s LinkedIn password may be the same as those used for other accounts and, due to a single data breach, the security of every online account you use is put in jeopardy.  Mark Zuckerberg, the founder of Facebook, should have heeded this lesson, because his Twitter and Pinterest accounts were hacked and taken over for a short time after the hackers found his password “dadada” in the LinkedIn data breach and used it to access those accounts.

TIPS

Once again, this serves as a reminder to everyone that you should have unique passwords for all of your accounts.  A strong password contains capital letters, small letters and symbols.  A good way to pick a strong password is to take an easily remembered phrase as your base password.  For instance, you can use the phrase IDon’tLikePasswords as your base password.  Add a couple of !! at the end of the password and you have a strong password.  Since you should have a unique password for each of your accounts, you can adapt this base password for particular accounts by merely adding a couple of letters at the end of the password to distinguish each account, so that, for instance, a Bank of America account’s password may read IDon’tLikePasswords!!BnkoAm.

In addition, Twitter provides for dual factor authentication as an option to be used as an additional security measure when accessing your Twitter account whereby a one-time code will be sent to your smartphone for you to use in order to access your Twitter account.  Zuckerberg failed, however, to take advantage of this option.

Scam of the day – May 22, 2016 – Five year old LinkedIn data breach comes back to haunt users

Recently, 117 million email addresses and passwords of LinkedIn users captured in a 2012 data breach of LinkedIn were offered for sale on the Dark Web, which is that part of the Internet where cybercriminals buy and sell stolen data.  It may seem odd, but it is not unusual for such stolen material to turn up for sale long after the initial data breach.  Back in 2012 LinkedIn thought that the data breach was limited to 6.5 million user names and passwords; however, earlier this week the company acknowledged that the data of 100 million more LinkedIn members had indeed been compromised.  In an effort to combat this problem, LinkedIn is invalidating the compromised passwords and contacting affected members, directing them to reset their passwords.

The stolen information is of value to the hackers in formulating spear phishing emails that will seem to be from LinkedIn and will attempt to lure the recipient into clicking on links that download dangerous malware, such as keystroke logging malware or ransomware, onto the intended victim’s computer.  The stolen passwords are also of use to the hackers because too many people use the same password for all of their accounts, and therefore a person’s LinkedIn password may be the same as their banking password, which could enable the hacker to gain access to the intended victim’s bank account.

TIPS

LinkedIn is contacting people affected by the data breach and instructing them to change their passwords.  It is important to note that LinkedIn will not ask people to click on a link in any email to change their password, so if you get such an email, it is from a hacker seeking to steal your identity.  If you are affected by this data breach, here is the link where you can safely change your LinkedIn password:  https://www.linkedin.com/uas/request-password-reset?trk=li_corpblog_corp_security

LinkedIn also offers dual factor authentication, by which you can have a one-time numerical code sent to your smartphone each time you need to access your LinkedIn account.  This is a good security measure to take.

Finally, this case serves as another reminder that you should have unique passwords for all of your accounts.  A strong password contains capital letters, small letters and symbols.  A good way to pick a strong password is to take an easily remembered phrase as your base password.  For instance, you can use the phrase IDon’tLikePasswords as your base password.  Add a couple of !! at the end of the password and you have a strong password.  Since you should have a unique password for each of your accounts, you can adapt this base password for particular accounts by merely adding a couple of letters at the end of the password to designate the company, so that, for instance, a Bank of America account’s password may read IDon’tLikePasswords!!BnkoAm.

Scam of the day – May 20, 2016 – First criminal conviction in massive securities fraud scheme

I have been reporting to you about developments in this ingenious and massive stock fraud since last summer, when the story first broke.  Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania.  It is estimated that between 2010 and 2015 the defendants made profits of as much as 100 million dollars on 800 trades.  A number of the civil defendants have already pleaded guilty to charges related to this scam, but earlier this week Vadym Iermolovych became the first person involved to plead guilty to criminal charges in regard to this scam.

The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire.  The hackers broke into social media sites, where they stole the passwords of employees of these companies who used the same passwords at work.  The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it still is to use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  In addition, this case also illustrates the danger of using the same password for all of your accounts.  This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into our own computers and steal our personal information.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It could well contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.
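The advice above, and the warning in the May 22 LinkedIn post that the company will never ask you to click a link in an email, comes down to one judgement: does the link actually go where it claims? Here is an added Python example, not code from Scamicide or any company named on this page, that makes that judgement mechanically. Its one genuine input is the LinkedIn password-reset URL quoted in the May 22 post; the other URLs, the link texts and the claimed domain are constructed for illustration.

```python
"""Check where a link in an email actually points before anyone clicks it.

Added example for this page; it is not code from Scamicide, LinkedIn or any
of the companies discussed. The one real value is the LinkedIn password-reset
URL quoted in the post; every other URL below is constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def link_host(href: str) -> Optional[str]:
    """Return the host a browser would connect to, or None for non-web links."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, mailto: and friends never get a pass
    # urlsplit treats anything before '@' as user info, so for
    # https://linkedin.com@evil.example the hostname here is evil.example.
    host = parts.hostname
    return host.rstrip(".") if host else None


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def classify_link(href: str, claimed_domain: str) -> str:
    """Compare a link with the site the email claims to be from.

    Returns 'ok', 'insecure', 'lookalike', 'wrong-site' or 'unparseable'.
    """
    host = link_host(href)
    if host is None:
        return "unparseable"
    if not host_belongs_to(host, claimed_domain):
        brand = claimed_domain.split(".")[0]
        # The brand name appears somewhere in the URL but the real host is elsewhere:
        # linkedin.com.evil.example, linkedin.com@evil.example, notlinkedin.com ...
        return "lookalike" if brand in href.lower() else "wrong-site"
    if urlsplit(href.strip()).scheme != "https":
        return "insecure"
    return "ok"


def audit_links(links: List[Tuple[str, str]], claimed_domain: str) -> List[Tuple[str, str, str]]:
    """Classify every (display text, href) pair pulled from an email body.

    A display text that is itself a URL on the claimed site while the href goes
    elsewhere is flagged 'mismatched-text', the classic hidden-link trick.
    """
    report = []
    for text, href in links:
        verdict = classify_link(href, claimed_domain)
        shown_host = link_host(text)
        if verdict != "ok" and shown_host and host_belongs_to(shown_host, claimed_domain):
            verdict = "mismatched-text"
        report.append((text, href, verdict))
    return report


# Constructed sample: three links as they might appear in a message claiming to be from LinkedIn.
SAMPLE_EMAIL_LINKS = [
    ("Reset your password", "https://www.linkedin.com/uas/request-password-reset?trk=li_corpblog_corp_security"),
    ("https://www.linkedin.com/", "https://linkedin.com.account-verify.example/login"),
    ("Verify now", "http://198.51.100.7/verify"),
]

if __name__ == "__main__":
    for text, href, verdict in audit_links(SAMPLE_EMAIL_LINKS, "linkedin.com"):
        print("{:<16} {:<72} {}".format(verdict, href, text))
```

The matching is done on a label boundary on purpose: a host "belongs" to linkedin.com only if it is linkedin.com or ends in ".linkedin.com", so linkedin.com.account-verify.example and notlinkedin.com both fail. The safest habit is still the one the post gives, typing the site's address yourself instead of clicking, but this is what "checking the link" means when you do look.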

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at the other places where we use passwords is not threatened.  Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and to adapt that base password for each of your accounts.  Using an easily remembered phrase as the base password, such as IDon’tLikePasswords, is effective.  Make it even better by adding a couple of symbols at the end, such as IDon’tLikePasswords!!!, and then adapt it for each of your accounts so that, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – December 16, 2015 – Arrest made in hacking of VTech

I first reported to you in the November 30th Scam of the day about the hacking of Hong Kong company VTech Holdings Limited.  The data breach involved the data of almost 12 million people and included personal information on more than 200,000 children.  VTech’s Learning Lodge is an app store for high-tech learning games and other educational toys for children.  Now police in the United Kingdom have announced the arrest of a 21-year-old man on charges of unauthorized access to a computer and causing a computer to enable unauthorized access to data.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if, like so many people, they use the same password for multiple accounts.

In addition, the potential for exploitation of the stolen children’s data brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware-containing emails could be made to appear legitimate, poses a real threat to the victims of this data breach.

An interesting aspect of this arrest is the age of the person arrested and charged with the crime.  A recent study by the UK’s National Crime Agency found that the average age of cybercriminals in the UK has dropped to 17.  Last year, a similar report indicated the average age for British cybercriminals was 24.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – November 30, 2015 – Data breach at VTech Learning Lodge

Hong Kong company VTech Holdings Limited has announced that its Learning Lodge app store has been hacked.  The data breach may involve as many as 4.8 million accounts and includes personal information on more than 200,000 children, which brings a new level of concern to this particular data breach.  Learning Lodge is an app store for high-tech learning games and other educational toys for children.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if, like so many people, they use the same password for multiple accounts.
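Both VTech posts say the passwords were stolen in "encrypted" form under older, less secure algorithms and are therefore readily cracked. The added Python example below is not VTech's code and does not claim to show the algorithm VTech used; the page does not say which one it was. It contrasts a representative legacy scheme (one fast, unsalted MD5 digest) with salted PBKDF2-HMAC-SHA256, and shows one concrete way the legacy form gives the game away: every customer who chose the same password ends up with the identical stored record, so reuse is visible at a glance and one precomputed guess unlocks the whole group. The user table is constructed.

```python
"""What 'older, less secure' password storage means in practice, and the alternative.

Added example for this page; it is not VTech's code and the post does not say
which algorithm VTech used. The legacy scheme below (a single unsalted MD5
digest) stands in for any fast, unsalted hash; the user table is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# OWASP's current recommendation for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def legacy_store(password: str) -> str:
    """The scheme to retire: fast, unsalted, so equal passwords give equal records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 in a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # not one of our records (for example a bare legacy digest)
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_record_groups(records: Iterable[str]) -> int:
    """Count stored values that more than one user shares.

    With an unsalted fast hash every user who chose the same password has the
    same record, so a stolen table reveals reuse immediately and one precomputed
    guess cracks the whole group. With a per-user salt the count is zero and
    each record must be attacked separately, at PBKDF2's cost per guess.
    """
    counts: Dict[str, int] = {}
    for value in records:
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


# Constructed sample: two of four users picked the common password named in the post.
SAMPLE_USERS = {
    "parent1": "123456",
    "parent2": "Sunshine2015!",
    "parent3": "123456",
    "parent4": "IDon’tLikePasswords!!!",
}


def compare_schemes(users: Dict[str, str]) -> Tuple[int, int]:
    """Return (shared groups under the legacy scheme, shared groups under PBKDF2)."""
    legacy = [legacy_store(pw) for pw in users.values()]
    modern = [store_password(pw) for pw in users.values()]
    return shared_record_groups(legacy), shared_record_groups(modern)


if __name__ == "__main__":
    print("shared records (legacy, salted):", compare_schemes(SAMPLE_USERS))
```

The lesson for the customer is the one the post draws: if the same "123456" was also your bank password, the attacker who cracks one record has cracked them all, and no amount of better storage at VTech would have helped the other site.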

In addition, the potential for exploitation of the stolen children’s data brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware-containing emails could be made to appear legitimate, poses a real threat to the victims of this data breach.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – November 25, 2015 – Gigi Hadid being blackmailed after apparent hacking

Victoria’s Secret model Gigi Hadid is reportedly being blackmailed by hackers who allegedly stole photographs of her from her iCloud account and are threatening to make them public unless she pays a ransom.  Hadid has indicated that she has no intention of paying anything to the hackers.  This case brings back memories of the hacking and release of nude photos of a number of celebrities, including Jennifer Lawrence, Kate Upton and Kim Kardashian, in September of 2014.  Although it is presently unconfirmed whether her iCloud account actually has been hacked and, if so, how it was done, it is helpful to look back at how the celebrity iCloud accounts were hacked last year.  In many instances, it appears, the hacker used the “forgot password” link on Apple’s iCloud, answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the phones themselves were hacked and the photos were stolen directly from them.

TIPS

There are a number of lessons that we all can learn from how easy it was for hackers to gain access to someone’s iCloud account.  And to paraphrase Shakespeare, the fault is most often not “in the stars,” but our own responsibility.  All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for each of your accounts so that if any one of your accounts is hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that cannot be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.  Also, even if you are not a celebrity, you would be surprised how much information is available online about you that can be used to come up with the answers to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” to the question of what your mother’s maiden name is.  Also, take advantage of the dual-factor authentication protocols offered by Apple and many others.  With dual-factor authentication, your password is only the starting point for accessing your account.  After you have put in your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor authentication last year, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the case.  Smartphones save deleted photographs and videos on their cloud servers, such as the Google+ service for Android phones and iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.
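The Twitter, LinkedIn and iCloud posts all describe the same mechanism: after the password, a one-time code is sent to the phone and has to be entered. The added Python example below is not Twitter's, LinkedIn's or Apple's code and shows no particular provider's protocol; it shows the server-side rules any such code needs to have to be worth anything: random, short-lived, single use, attempt-limited, and never stored in the clear. The five-minute window, the five-attempt cap and the usernames are assumptions made for the example.

```python
"""Server side of the one-time code the posts describe: issue, deliver, verify once.

Added example for this page; it is not Twitter's, LinkedIn's or Apple's code.
It shows the properties a one-time code must have (random, short-lived,
single use, attempt-limited) rather than any provider's actual protocol.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 300   # assumption: a five-minute window
MAX_ATTEMPTS = 5         # assumption: a 6-digit code has only a million values,
                         # so the number of guesses must be capped tightly


class OneTimeCodeStore:
    """Holds pending codes keyed by user; only a keyed hash of each code is kept."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                    # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)    # per-process secret for the HMAC
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}

    def _tag(self, username: str, code: str) -> bytes:
        # HMAC with a server secret: a leaked table of tags cannot be brute-forced
        # offline the way a plain hash of a six-digit code could be.
        msg = (username + "\0" + code).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Generate a fresh code for the user; the caller sends it to the phone.

        Issuing replaces any earlier code, so at most one is ever live per user.
        """
        code = "{:06d}".format(secrets.randbelow(10 ** 6))
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[username] = (self._tag(username, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once: right code, inside the window, within the attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]        # expired: the user must request a new one
            return False
        if not hmac.compare_digest(tag, self._tag(username, submitted)):
            attempts_left -= 1
            if attempts_left <= 0:
                del self._pending[username]    # too many guesses: start over
            else:
                self._pending[username] = (tag, expires_at, attempts_left)
            return False
        del self._pending[username]            # single use
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("sent to phone:", code)
    print("first try:", store.verify("alice", code), "second try:", store.verify("alice", code))
```

Note what the code never does: it does not log the code, does not keep it in the clear, and does not let a wrong guess keep the code alive forever. The user's side is the part the posts are about: turning the option on at all.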

Scam of the day – November 10, 2015 – Comcast freezes 200,000 compromised accounts

Cable and telecommunications company Comcast, which has approximately 28 million customers, took the unusual step yesterday of freezing the accounts of 200,000 of its customers upon becoming aware that these particular customers’ personal information, including email addresses and passwords, was being sold on the black market to identity thieves.  The black market used by cybercriminals to sell stolen personal information to other cybercriminals is often referred to as the dark web, which can only be accessed through the use of special software.  As with the hacking of accounts at British telecom company Vodafone, about which I reported to you last week, in this instance it was not Comcast that suffered a data breach.  Rather, the cybercriminals got the email addresses and passwords from other companies and were attempting to sell them to be used to hack into the victims’ Comcast accounts, because the victims used the same passwords at multiple websites.  Using the same password at multiple websites and accounts is a very bad practice and makes you much more vulnerable to identity theft, because if your security is compromised at one company with poor security, your security at important accounts, such as your bank, is endangered.

Comcast is now requiring the 200,000 affected customers to change their passwords before they can have access to their accounts again.

TIPS

The primary lesson here is that you should always use a separate and unique password for each of your online accounts.  Many people fail to do so out of a concern about remembering a large number of different passwords, but this does not have to be the case.  There is a simple way to make your passwords strong.   Start off by taking a phrase that is easy to remember, such as “IDon’tLikePasswords.” This can be the basic element of all your passwords. Then for added security add a few symbols, so it reads, for example, IDon’tLikePasswords!!!. This is a strong password that is long and combines small letters, capital letters and symbols. Now all you need to do is to adapt that basic password for each of your accounts to make it unique for each account. For example, you could adapt this for your Amazon account by adding “Ama” at the end of the basic password making your Amazon password IDon’tLikePasswords!!!Ama. That is a strong password that is easy to remember.
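The password tips repeated across these posts (unique per account, long, capital and small letters, symbols, not a common password like 123456) can be checked rather than only remembered. The added Python example below, which is not code from Scamicide or Bankrate, audits a personal account list against exactly those rules and flags any password used at more than one site, the exposure the Comcast and LinkedIn posts describe. The account list, the minimum length of 12 and the tiny common-password list are constructed for illustration; a real blocklist holds millions of entries.

```python
"""Audit a personal list of accounts against the rules in these posts.

Added example for this page, not code from Scamicide or Bankrate. The rules
come from the tips: long, mixed case, symbols, not a common password, and
never the same password at two sites. The account list and the tiny
common-password list are constructed; a real blocklist holds millions.
"""
import string
from typing import Dict, List

MIN_LENGTH = 12  # assumption: the posts say "long" without giving a number
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "123456789"}


def password_issues(password: str) -> List[str]:
    """Return the rules a single password breaks (an empty list means it passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    if not any(c.isupper() for c in password):
        issues.append("no capital letters")
    if not any(c.islower() for c in password):
        issues.append("no small letters")
    if not any(c in string.punctuation for c in password):
        issues.append("no symbols")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    return issues


def reused_passwords(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used at more than one site to the sorted list of those sites.

    This is the exposure the Comcast and LinkedIn posts describe: one breached
    site hands an attacker the password for every other site in the group.
    """
    by_password: Dict[str, List[str]] = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Per-site findings: weak-password issues plus 'reused at ...' where it applies."""
    reuse = reused_passwords(accounts)
    findings = {}
    for site, pw in accounts.items():
        issues = password_issues(pw)
        if pw in reuse:
            issues.append("reused at " + ", ".join(s for s in reuse[pw] if s != site))
        findings[site] = issues
    return findings


# Constructed sample account list; "dadada" and "123456" are the passwords the posts mention.
SAMPLE_ACCOUNTS = {
    "bank": "IDon’tLikePasswords!!!BnkoAm",
    "amazon": "IDon’tLikePasswords!!!Ama",
    "linkedin": "dadada",
    "twitter": "dadada",
    "cable": "123456",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_ACCOUNTS).items():
        print("{:<9} {}".format(site, "; ".join(issues) or "ok"))
```

Run against the sample list, the two passwords from the posts fail on length and character mix, and the reuse check is what catches the LinkedIn-to-Twitter hop in the June 7 post: the same password at two sites means one breach opens both.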

Steve Weisman’s latest Bankrate.com column

Here is a link to my column for Bankrate.com entitled “How identity thieves target your password.”  In this column I provide information about how to choose a strong password that is easy to remember.

http://www.bankrate.com/financing/identity-protection/how-id-thieves-target-your-password/