Scam of the day – August 28, 2017 – Chinese national arrested on hacking charges

Last week the FBI arrested Chinese national Yu Pingan in Los Angeles where he came to attend a technology conference.  Yu was charged with distributing and using malware including the rarely used Sakula malware program used in the massive data breach against the Office of Personnel Management (OPM) in 2014 and 2015 that resulted in huge amounts of personal information including Social Security numbers and fingerprints of more than 20 million present and former government employees being stolen.

It is interesting to note that while the Sakula malware is quite sophisticated, to a great extent Yu’s arrest was as a result of his failing to do little to hide his name in communications regarding the use of the malware.  An indication of Yu’s hubris is that he felt confident enough in his anonymity to attend a conference in the United States, which ultimately led to his arrest.

TIPS

This arrest  signals the continuing efforts the FBI is putting into apprehending cybercriminals.  It also serves again as a warning to all of us to remember that despite our best efforts to protect our personal data, we are only as secure as the places that hold our personal data with the weakest security, which is why, whenever possible, you should limit the amount of personal information you provide institutions and companies with which you do business.

 

Scam of the day – November 13, 2016 – Important update for victims of the OPM data breach

I initially reported to you in 2014  that  the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of  what was initially thought to be the personal information of about four million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  At that time, the OPM offered free credit restoration services and credit monitoring to the victims through Winvale/CSID.  Then in 2015,  the OPM discovered a much larger data breach affecting more than twenty-one million people and again offered free credit restoration services and credit monitoring services.   Now the contract of  OPM with Winvale/CSID to supply those free credit restoration and monitoring services will end on December 1st.  If you were affected by the initial breach and had availed yourself of the free services offered by OPM, you will need to re-register with the new company, ID Experts.  You can do so by clicking on this link. https://www.opm.gov/cybersecurity

Victims of the second OPM data breach who applied for free credit restoration and monitoring services were already covered by ID Experts so they need not reapply.

TIPS

If you were a victim of the first  OPM data breach,  you should click on the link above and sign up for the free services.

It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM offered these services a year after the data breach actually occurred so the danger of identity theft is significant.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – March 12, 2016 – Hackers steal 81 million dollars from Bangladesh bank

Early last month cybercriminals hacked into Bangladesh’s central bank and managed to steal approximately 81 million dollars, however, it could have been worse.  If it weren’t for a spelling error, the theft could have approached a billion dollars.   Although the investigation into this crime is still in its early stages, it appears that as with so many types of cybercrimes, this one started with social engineering spear phishing which lured bank employees to unwittingly download the malware used by the hackers to infiltrate the bank’s computers and obtain not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees so that they could copy and adapt the emails by which they made their transfers appear legitimate.    Armed with this information, the cybercriminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York where the Bangladesh central bank has accounts containing billions of dollars.  The account transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines where the funds were transferred multiple times including transfers to Philippine casinos in an effort to launder the money.

Four transfer requests totaling approximately 81 million dollars were processed in this cyber bank heist when the fifth transfer request to a supposed Sri Lankan non-profit organization aroused suspicion with Deutsche Bank, a routing bank in the transaction due to the misspelling of “foundation” as “fandation” prompting  a closer investigation of the transfer request.  At the same time, the Federal Reserve also became suspicious at the large number of transfer requests being made to private entities instead of banks, halted the remaining transfer requests and contacted the Bangladesh central bank.

TIPS

All businesses and governmental agencies have got to do a better job at cybersecurity in general.  In particular, greater attention has to be paid to the dangers of social engineering spear phishing which has been at the root of the almost all of the major data breaches at both companies like Target and governmental agencies, such as the Office of Personnel Management.

Scam of the day – December 9, 2015 – Is the letter you received from OPM real or a scam?

As you all know by now and as I first reported to you in 2014 and again last summer, the federal Office of Personnel Management (OPM) was hacked by Chinese hackers who stole personal information of more than 21 million present and former federal employees as well as non-employees whose information was gathered by the OPM during the course of background investigations of federal employees.  In October, the OPM began notifying victims of the massive data breach about the identity theft protection services the government will make available to them for the next three years.  The notification process is taking about three months with many notification letters only recently having been sent.  I have been contacted by clients of mine inquiring as to whether the notices they received are real.   It is important to remember that the official notice is only being sent by regular mail.  No email notices will be sent so if you get an email that purports to be from the OPM, it is a scam.   The federal government has chosen Identity Theft Guard Solutions to provide  three years of identity theft protection to victims. In the notification letter you are urged to contact the OPM’s security website to enroll in the free identity monitoring program and you are provided a PIN to use in order to enroll.

Identity thieves have been copying the letter and changing the website address where you are directed to go to enroll in the identity theft protection services, directing people to a phony website where they will be prompted to provide personal information purportedly to enroll in the program.  If you provide personal information to these scammers, you will end up a victim of identity theft.  Here is a link to the official website for enrolling in the credit monitoring services being offered by the OPM:  https://www.opm.gov/cybersecurity/#Services

Once there you will be prompted to input your PIN and only the last four digits of your Social Security number.

TIPS

If you were a victim of the OPM data breach, you should be on the lookout for a notification letter with information about how to apply for benefits under the program.  The OPM is only notifying people by regular mail.  If you have been notified by email, text message or telephone, the notice is a scam and you should ignore it.  Even if you receive a letter, you should make sure that the web address you go to is accurate.  For convenience, you can use the web address I have indicated above.  In any event, remember, the legitimate website will not ask for your complete Social Security number.  It is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.    In fact, the OPM is offering these services a year after the data breach actually occurred so the danger of identity theft has increased.   None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – September 14, 2015 – Federal government unveils new cybersecurity plan

It is no secret that the federal government, as evidenced by the recent hacking of the Office of Personnel Management (OPM) in which personnel data on 22 million people was stolen, is a target of hackers, both nation-state and ordinary (or perhaps not so ordinary) criminals.  The OPM data breach was initiated as was the Target data breach and 90% of all data breaches through a phishing email.  A phishing email is an email sent by the hacker that appears to be legitimate and lures the victim at the targeted company or agency to click on a link or download an attachment that contain malware that enables the hacker to steal the information contained in the victim’s computer system.  It is fascinating in almost all major data breaches, the most complex and sophisticated malware is downloaded on to the victim’s computer through the simple trickery of phishing.  Here is a link to a column I wrote about this last year.  http://www.usatoday.com/story/money/personalfinance/2014/10/18/malware-data-breach-phishing/17458411/

In response to the OPM and other data breaches, William Evanina, the Director of the National Counterintelligence and Security Center has announced a new campaign to raise the awareness of federal workers to the dangers of phishing and specifically targeted phishing emails referred to as spear phishing.

TIPS

Phishing and spear phishing represent threats not just to companies and governmental agencies, but to all of us as individuals as well.  Identity theft is often accomplished through individuals being targeted by phishing or spear phishing emails who unwittingly click on links or download attachments that contain keystroke logging malware that enables the identity thief to steal all of the information including passwords, credit card numbers, Social Security numbers and other personal information from the victim’s computer and use that information to make that person a victim of identity theft.  Other types of malware, such as ransomware, which encrypts and locks all of the data in your computer, followed by a threat to destroy your data unless you pay a ransom, is generally downloaded through clicking on a link or downloading an attachment from a phishing email.

The key to avoiding becoming a victim is to never click on a link or download any attachment unless you have absolutely confirmed that the link or attachment is legitimate.  Even if the link is contained in an email from someone you know and trust, it is possible that their email may have been hijacked so you must always be a bit skeptical.  It may seem a bit paranoid, but remember that even paranoids have enemies.

Scam of the day – September 8, 2015 – Company picked to provide identity theft protection for victims of OPM data breach

The Office of Personnel Management (OPM) which was hacked by Chinese hackers who stole personal information of more than 21 million present and former federal employees has chosen Identity Theft Guard Solutions to provide  three years of identity theft protections to the victims.  Notifications will be going out from the Defense Department to the victims starting at the end of September and it will take about three months to notify all of the victims.  Also covered by the program will be more than 6 million children whose parent’s information was compromised in the data breach.   When the data breach was initially discovered, the OPM hired another company to provide 18 months of identity theft protection services, however, the company had its website crash and the call center answering questions about the services to be provided often had delays of hours before callers could speak to a representative.

TIPS

If you were a victim of the OPM data breach, you should be on the lookout for notification from the Defense Department with information about how to apply for benefits under the program.  However, it is important to remember that no identity theft protection company can prevent you from becoming a victim of identity theft.  The best they can do is notify you earlier that you have become a victim.  None of the identity theft protection companies help you with the one best step you can take to protect yourself from identity theft which is to put a credit freeze on your credit report.  With a credit freeze on your credit report, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.  You can find information about how to put a credit freeze on your credit reports at each of the three major credit reporting agencies by going to the Archives section of Scamicide and putting in the words “credit freeze.”

Scam of the day – August 9, 2015 – FTC telephone scam

As if the data breach at the Office of Personnel Management (OPM) wasn’t bad enough, now people are receiving telephone calls from someone saying he is with the Federal Trade Commission (FTC) offering money to the 21.5 million people affected by the data breach.  All he needs is  some personal information.  Of course, the call is a scam and if you provide the personal information to the caller, all you will end up doing is becoming a victim of identity theft.  Even if the call appears on your Caller ID as coming from the FTC,  you cannot trust it because through a technique called “spoofing” a telephone call can be made to appear on Caller ID as if it is coming from the FTC when, in truth, it is coming from a scammer.

TIPS

One of the phony names being used in these scam phone calls is Dave Johnson of the FTC office in Las Vegas.  However, not only is there no Dave Johnson at the FTC office in Las Vegas, there is no FTC office in Las Vegas.  In any event, never give personal information over the phone to anyone whom you have not called because you can never be sure if the call is legitimate.  If you think the call might be legitimate, you can call back the FTC or whatever real agency or company the caller says he or she is from to confirm whether the call was legitimate.  Finally, it is important to note that neither the FTC nor the OPM is paying anything at this time to the victims of the data breach.

Scam of the day – July 4, 2015 – Update on hacking of Office of Personnel Management

It was a month ago that I first reported to you about the hacking of the federal Office of Personnel Management (OPM) in which personal information on anywhere between 4 million and 14 million people was compromised.  The large discrepancy in the number of people who may have been affected by the hacking is due to the fact that although files on 4 million people were accessed, there was information on many millions more within those files.  The risk of identity theft is quite high for those affected by the data breach.  Meanwhile, as they always do, other scammers are taking advantage of people’s legitimate concern about their risk of identity theft and sending out emails that purport to be from the Office of Personnel Management appearing to offer help when all they really are doing is phishing for personal information that can be used to make the targeted person a victim of identity theft.  OPM has hired CSID, a company that provides identity theft protection and fraud resolution services and is offering 18 months of free credit report access, credit monitoring, identity theft insurance and recovery services to those people affected by the data breach.  However, be very skeptical of emails that appear to come from CSID offering assistance, but asking for information.  CSID’s URL for this purpose is opm.csid.com.  Be particularly wary if you receive an email purporting to be from CSID that is not from that address.  In fact, it is a good idea not to trust any email that asks for personal information without confirming first that it is legitimate.

TIPS

First, if you are one of the millions of people affected by this data breach, I suggest that you go to the OPM’s website for the latest announcements as to the status of the data breach and what you can and should do to protect yourself.  Here is a link to the OPM’s page with the latest information:  http://www.opm.gov/news/latest-news/announcements/

Also, if you are affected by the data breach, here is a link to CSID’s website where you can safely enroll for services: https://www.csid.com/opm/

As for all of us, a good lesson to avoid becoming a victim of phishing that leads to identity theft, never click on links in emails or text messages or provide information requested in an email or a text message unless you have absolutely confirmed that it is a legitimate.  It is easy to send a phony email that looks quite legitimate.

Steve Weisman’s USA Today column on the OPM data breach

The massive data breach at the Office of Personnel Management may be our cyber 9/11.  Here is a link to Steve Weisman’s column on the subject from USA Today:

http://www.usatoday.com/story/money/columnist/2015/06/13/hacking-opm-weisman/28697915/