Posts Tagged: ‘Malware’

Scam of the day – May 2, 2016 – Another new USAA phishing scam

May 2, 2016 Posted by Steven Weisman, Esq.

Yet another phishing email is turning up purporting  to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to resolve security issues.  Like many phishing emails,this one tries to convince you into thinking you must click on a link and provide personal information or suffer dire consequences when the truth is that if you click on the link or provide personal information, you will become a victim of identity theft as the criminal will use the information you provide to make you a victim of identity theft.  Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft.  Here is a copy of the newest phishing email that is presently circulating.  DO NOT CLICK ON THE CONTINUE BUTTON.  As phishing emails go, the graphics are pretty impressive, however there are several grammatical errors including the word “temporal” being used instead of “temporary”.  It also  should be noted that the email is directed to “Dear Valued Customer” rather than your name and no account number is provided.  These are further indications that this is a scam.  Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you.  Obviously if you receive this email and you do not have an account with USAA, you know it is a scam, however, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate.  Remember, even paranoids have enemies.

Scam of the day – April 15, 2016 – Tax scams multiply as filing deadline approaches

April 15, 2016 Posted by Steven Weisman, Esq.

Today, April 15th is the usual deadline for filing your federal income tax return, however, as many people know, if the 15th falls on a weekend, the filing deadline is pushed back to the next Monday.  If April 15th is a holiday, the filing date is also pushed back.  This year, April 16th is Emancipation Day, which is a legal holiday in Washington D.C. and because it falls on a Saturday, federal employees have the preceding Friday, April 15th, off from work which pushes the filing deadline to the next business day, which is Monday, April 18th.  If that isn’t complicated enough, if you live in Massachusetts or Maine, you have until April 19th to file your tax returns because April 18th is Patriot’s Day, a state holiday in those two states.

In any event, scammers and identity thieves don’t take off holidays and the IRS is warning people again about an increase in income tax scams that are occurring in the final days before the income tax filing deadline.  There are a number of various scams tied to income tax filings, but they generally fall into four categories.  The first is when you get a telephone call purporting to be from the IRS informing you that if you don’t send them money right away, you will be arrested or suffer some other serious penalty.  The second is when you receive an email or text message apparently from the IRS requiring you to verify information in order to receive your refund.  You supply this information by clicking on a link.  The third is when you receive a telephone call apparently from the IRS asking you to confirm personal information over the phone in order to receive your refund.  The fourth is when you receive a call, text message or email from your online tax preparation company requiring you to confirm personal information.

All of these are scams that will either directly steal your money or provide the identity thieves with personal information they can use to make you a victim of identity theft.

TIPS

The IRS will not call you and threaten you in order to collect outstanding taxes and they will not require you to wire money to them.  Even if your Caller ID indicates it is the IRS calling, scammers using a technique called “spoofing” can make it appear on your Caller ID that it is the IRS calling when it is not.  If you get a call from someone purporting to be from the IRS initiating contact about collecting overdue taxes, it is a scam.  It is that simple.  Just hang up.

The IRS will not be contacting you by phone, email or text messages to confirm information regarding your tax return, so never provide personal information in response to being contacted in these ways by someone pretending to be with the IRS.  In addition, merely by clicking on a link contained in such electronic messages could download malware that could steal your personal information from your computer and use it to make you a victim of identity theft.

Phony emails or text messages from your online tax preparation company requesting personal information is a very prevalent scam this year.  Whenever you get an email or text message from anyone asking for personal information, do not provide it unless you have independently confirmed that it was legitimate.  Trust me, you can’t trust anyone.

Here is a link to the IRS’ recent warning.  https://www.irs.gov/uac/Newsroom/IRS-Warns-of-Continued-Scams-and-Varied-Tactics-as-the-Tax-Deadline-Nears

Scam of the day – March 18, 2016 – Guilty plea in celebrity nude photo hacking

March 17, 2016 Posted by Steven Weisman, Esq.

I first reported to you about a major hacking of nude photos of celebrities on September 2, 2014.   At that time, news of stolen nude photos and videos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Rhianna, Avril Lavigne, Hayden Pannettiere, Hope Solo, Cat Deeley, Kayley Cuoco, Kim Kardashian, Scarlet Johansson and others was sweeping across the Internet. The photos were taken from  the Apple’s iCloud accounts of the hacked celebrities as well as their email accounts.  Now the U.S. Attorney for the Central District of California has issued a press release indicating that Ryan Collins has agreed to plead guilty to a felony violation of the Computer Fraud and Abuse Act admitting responsibility for the hackings.

The manner by which Collins accomplished the hacking was simple, but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google in which under various pretenses he requested the victims usernames and passwords, which he then used to access their email accounts and iCloud accounts from which he stole the photos and videos.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security.  You should use a unique password for all of your accounts so if any of your accounts are hacked, all of your other accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.   Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions that can permit a hacker to gain access to your email account.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the two-factor identification protocols offered by Apple and many others.  With two-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the two-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

It is also important to resist providing your username and passwords in response to emails and text messages unless you have absolutely independently confirmed that the request is legitimate, which such requests seldom are.

Finally, for people considering looking up these nude celebrity photos on line, my advice is simple.  Don’t do it.   Ethically, it is the wrong thing to do.  However practically speaking, it also is too risky an activity.  You cannot trust any email, text message or social media posting that promises access to these photos and videos.  Many of these will be laced with malware and you cannot know which one’s to trust.  Trust me, you can’t trust anyone.  In addition, identity thieves set up phony websites that promise to provide these photos and videos, but instead install malware on your computer when you click on links in these websites.  Identity thieves are often adept at search engine optimizing so a phony website might appear high in a search from your web browser.

 

Scam of the day – March 4, 2016 – Pentagon offers bug bounty to hackers

March 4, 2016 Posted by Steven Weisman, Esq.

In a creative and unprecedented move for a federal agency, the Department of Defense announced this week that it is offering a “bug bounty” to vetted hackers who are able to identify vulnerabilities in its web pages and computer networks.  The program is scheduled to start next month and white hat hackers participating in the program will have to pass a rigorous background check.  According to Secretary of Defense Ash Carter, “I am always challenging our people to think outside the five-sided box that is the Pentagon.  Inviting responsible hackers to test our cybersecurity certainly meets that test.”

As unusual as this might appear for the federal government to be taking such a step, private companies, such as Google and Facebook have long made cash payments to independent hackers who identified vulnerabilities in their computer code

TIPS

This is a positive strategy for the government to follow as it increases its cybersecurity efforts.  As for us as individuals, the best things we can do to protect our cybersecurity are to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – February 13, 2016 – Valentine’s day scams

February 13, 2016 Posted by Steven Weisman, Esq.

Tomorrow is Valentine’s day, which is a very important day to many people including scammers and identity thieves who always manage to find an opportunity in whatever is going on to scam you out of your money.  There are many Valentine’s day scams, but the most prevalent are phony florists, online dating scams, phony Valentine’s day electronic greeting cards and delivery scams.

Scammers set up phony florist websites or send you an email purporting to be from a local florist with a great deal you merely have to click on in order to save a great deal of money on flowers.

Online dating scams are plentiful with most revolving around scammers quickly professing true love for you and then asking for money.

Electronic greeting cards are a great way to send a Valentine’s day card at the last minute when you forgot to get one ahead of time, but phony electronic greeting cards can be filled with malware and if you click on the link to open the card, you will infect your computer or other electronic device with malware that will steal your personal information and use it to make you a victim of identity theft.

A common delivery scam operating on Valentine’s day involves a delivery of a gift basket of wine and flowers to you, however the person delivering the gift basket requests a small payment, generally five dollars or less, as a delivery fee because alcohol is being delivered.  The person delivering the basket will only accept a credit card as payment.  When you turn over your credit card, the scammer then takes down the information and runs up charges on your credit card.

TIPS

Never trust an online florist or other retailer until you have checked them out to make sure that they are valid.  Otherwise, you might be turning over your credit card information to a scammer.  It is also important to remember, as I constantly warn you, that you can never be confident when you receive an email, particularly one with a link in it or an attachment to download, if the person sending you the email is who they claim to be.  Clicking on links sent by scammers can download keystroke logging malware on to your computer or other electronic device that will, in turn, enable the identity thief to steal personal information from your computer and use it to make you a victim of identity theft.  Always confirm the legitimacy of an email or text message before clicking on links contained in the message.

As for online dating scams, of course you should be wary of anyone who immediately indicates he or she is in love with you and then asks for money.  Some other telltale signs of an online romance scam include wanting to communicate with you right away on an email account outside of the dating site, claiming to be working abroad, asking for your address and poor grammar which is often a sign of a foreign romance scammer.  Many romance scams originate in Eastern Europe.

Never trust an online greeting card, particularly if it does not indicate from whom it is being sent.  Be very wary of a card sent by “an admirer.”  Even if you recognize the name, confirm that it was really sent from that person before you click on the link and open the card.

In regard to the delivery scam, there is no special delivery charge for alcohol so if someone requires a payment for such a delivery and on top of that won’t accept cash, merely decline the gift.

Happy Valentine’s day and be safe.

Scam of the day – February 8, 2016 – The dangers of Facebook farming

February 8, 2016 Posted by Steven Weisman, Esq.

We have all seen Facebook postings urging us to click that we “like”them.  Sometimes it is an emotional appeal to show support for a sick child.  Sometimes it is to show support for a political message. Sometimes these appeals are legitimate, but unfortunately sometimes they are not.  Often they are done to take advantage of Facebook’s algorithms that value the popularity measured by likes and shares which then appear on the Facebook pages of more people.  Although the original content liked or shared may appear sincere or entertaining, the scammers who use this technique, which is called “farming,” then are able to change the content to something entirely different from what was originally shared or liked.  This can be done for purposes of sending advertising or gathering marketing information, but, at its worst, it can be used to send malware infected content that can steal personal information from your computer and use it to make you a victim of identity theft.

TIPS

So what should you do?  Posts that promise some sort of prize for sharing or liking are most likely scams. As for the other scams, you may wish to be a bit skeptical before automatically sharing or liking a post. You may wish to even do a little research yourself to find out if the posting is legitimate.    A 2007 photo of a seven year old Pennsylvania girl with Stage IV cancer posing in her cheerleading uniform has been used numerous times for Facebook farming.  Today that girl is a cancer free teenager whose family is understandably outraged that their daughter’s photograph has been abused by scammers through Facebook farming.

Scam of the day – February 1, 2016 – Police issue warnings about sextortion

February 1, 2016 Posted by Steven Weisman, Esq.

Sex extortion or sextortion has been around for years on the Internet with criminals tricking people into performing sexual acts online that are recorded and then used to blackmail the victims.  In other cases, hackers have gained access to the webcams of women and used them to take photographs of the women who unwittingly undressed in front of computers in their rooms, not knowing they were being recorded.  In one notorious case, Miss Teen USA, Cassidy Wolf refused to be a victim of sextortion and helped law enforcement find and prosecute Jared James Abrahams who was sentenced to 18 months in prison in March of 2014.

Now, however, as with many scams, sextortion has evolved.  In the latest incarnation, uncovered by cybersecurity firm Trend Micro, Cybercriminals in Asia set up fake profiles on social media such as Facebook and then lure their victims to platforms with both video and voice capabilities such as Skype and entice them into performing sexual acts, which are recorded by the cybercriminals.  In a new twist on this scam, however, the cybercriminals then pretend that they are having audio difficulties and convince their victims into downloading a specific Android app on to their Android smartphone which they represent will remedy the problem.  However, instead of fixing the problem, the app is malware that steals all of the contact information stored on the victim’s smartphone.  The cybercriminal then threatens to send the videos to everyone on the victim’s contact list unless the victim pays a ransom.

The York Regional Police in Canada have recently issued a warning about an increase in sextortion criminal activity, much of which has been traced to the Phillipines.  This follows the warning issued by the University of Colorado about this crime that I told you about in the Scam of the day for September 11, 2015.

TIPS

The best solution to any problem is to avoid the problem altogether.  An easy and decidedly low-tech way to protect yourself from webcam surveillance is to merely put a post-it over the camera when you are not using it.  If you are going to indulge in cybersex or phone sex, it should only be done with people whom you totally trust.  Engaging in such activities with strangers or people you do not know well is asking for trouble.  Also, make sure that all of your electronic devices including your smartphone and computer are protected with the latest updated security software.  Even then, however, no security software is 100% effective against the latest viruses and malware so you should never click on links or download attachments unless you have absolutely confirmed that they are legitimate and you should never download apps from anywhere other than legitimate app stores.  The risk of malware is just too high.

Scam of the day – January 20, 2016 – Real estate home buying scam

January 20, 2016 Posted by Steven Weisman, Esq.

Intricate email scams targeting people involved in the sales of residential real estate have increased over the past year both in the United States and the UK.  The scams begin with the hacking into the email accounts of one of the parties involved with a residential real estate conveyance.  This can be either the buyer, seller, lawyers, real estate agent or banker.  Unfortunately, hacking into email accounts is a relatively easy thing for a skilled identity thief to do.  They then monitor the communications regarding the progress of the sale of a particular piece of real estate and when the time is right,  generally posing as one of the lawyers or the bank mortgage officer, the scammer will email the buyer, telling him or her that funds necessary to complete the sale need to be wired to the phony lawyer’s or banker’s account provided in the email.  Everything appears normal so unsuspecting buyers too often are wiring the money to the cyberthieves who then move the funds from account to account to make it difficult to trace the funds.

TIPS

Even if you are not involved in buying or selling a home, it is always a good idea to protect your email account from being hacked.  This means having a strong password and security question as well as changing your passwords on a regular basis.  You can find information about how to pick strong passwords and security questions here in the Scamicide archives as well as in my book “Identity Theft Alert.”  Maintain good anti-virus and anti-malware software on all of your electronic devices including your computer as well as your smartphone and keep your security software up to date with the latest security patches as soon as they are made available.  Don’t click on links in emails or text messages that may contain malware that can steal your personal information from your electronic devices and remember, your security software is always at least thirty days behind the latest malware.

Don’t use public wifi for any financial or business purposes.  Use a virtual private network to encrypt your data when using your electronic devices in public.  Never provide personal information in response to an email regardless of how legitimate it may appear until you have independently confirmed that the email is legitimate.  Finally, whenever you are asked through an email or text message to wire funds as a part of a real estate or other business transaction, don’t do so until you have confirmed that the request and the account to which you are being asked to wire the funds are legitimate.  Appearances can be deceiving so always confirm.

Scam of the day – November 30, 2015 – Data breach at VTech Learning Lodge

November 30, 2015 Posted by Steven Weisman, Esq.

Hong Kong company VTech Holdings Limited has announced that its Learning Lodge app store has been hacked.  The data breach may involve as many as 4.8 million accounts and include personal information on more than 200,000 children which brings a new level of concern about this particular data breach.  Learning Lodge is an app store for  high tech learning games and other educational toys for children.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if they, like so many people do, use the same password for multiple accounts.

In addition, the potential for exploitation of the children’s data stolen brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware containing emails could be made to appear legitimate, pose a real threat to the victims of this data breach.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – October 2, 2015 – Update on data breach at Trump hotels

October 2, 2015 Posted by Steven Weisman, Esq.

It has just been disclosed by the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York that its hotels had been hit with a Target-like credit card and debit card data breach that appears to have occurred between May 19, 2014 and June 2, 2015.  Although the Trump Hotel Collection is just announcing this now and much of the media is reporting this as a new story, here at Scamicide, we reported to you about this data breach in our Scam of the day on July 5, 2015.  As with so many data breaches, it was discovered not by the company hacked, but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.    The malware used to perform this data breach was installed on computers at Trump hotels front desk terminals as well as as payment card terminals in the hotels’ restaurants and gift shops.  This type of hacking and data breach could have been prevented had the Trump Hotel Collection switched to the modern EMV smart chip credit cards now being required to be used according to credit card regulations that just went to effect yesterday.  Instead the Trump Hotel Collection, as many companies still do, used the old fashioned credit and debit cards with magnetic strips which are so susceptible to hacking.

TIPS

If you used your credit and debit card at one of the affected Trump hotels between May 19, 2014 and June 2, 2015, you should obtain your credit report from each of the three major credit reporting agencies and look for indications of identity theft.  You should also carefully monitor your credit card account and bank accounts for unusual activity.  You should also consider putting a credit freeze on your credit reports, which is always a good idea.  The Trump Hotel Collection is offering free credit monitoring for people who used their cards at their hotels during the time period indicated above.  For more information about this offer, call them at 877-803-8586.  Here also is a link to the statement of the Trump Hotel Collection about this data breach. https://www.trumphotelcollection.com/cc-security-faq

As for the rest of us, there is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which we do business.  One important thing to do is to refrain from using your debit card except at ATMs.  Using your debit card at retail establishments puts you at a much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Also, if you have not yet received a new EMV smart chip credit card from your credit card company, you should ask your credit card company for a replacement credit card with a computer chip now.