Posts Tagged: ‘Phishing’

Scam of the day – January 25, 2016 – Cracka strikes again

January 25, 2016 Posted by Steven Weisman, Esq.

Back in October I told you about CIA Director John Brennan’s personal email account being hacked.  The hacking was not done by Russian, Iranian or Chinese government hackers.  Instead, it was done by a teenaged hacker who calls himself Cracka and his group Crackas With Attitude.  Among the data stolen by the hackers were government documents stored in Brennan’s personal email account.  Now it has been disclosed that Cracka has also recently hacked online accounts of James Clapper, the Director of US National Intelligence, and John Holdren, the Director of the White House’s Office of Science and Technology Policy.  What is particularly troubling about these hackings is how easy it was for Cracka and his cohorts to hack the accounts of top level government officials using basic phishing and social engineering techniques.  In the case of John Holdren, Cracka has indicated that he gained access to his accounts merely by sending an email posing as Holdren to Holdren’s wife telling her he had lost the password for their Xfinity account and asking for it, which she supplied.  In the case of the hacking of Brennan, Cracka started the hack by doing a reverse lookup of Brennan’s smartphone number and found that he was a customer of Verizon.  He then called Verizon, posed as a Verizon technician and merely asked for Brennan’s personal information, which was provided once Cracka gave the Verizon employee he was talking to a phony V code of the kind assigned to all Verizon employees.  The Verizon employee then provided Cracka with Brennan’s account number, his PIN, the backup cell phone number on the account, his email address and the last four digits of his bank card.  Armed with this information, Cracka then contacted Brennan’s email provider and, after answering security questions with the information he had managed to get from Verizon, changed Brennan’s password and took over the account.

TIPS

So what does this mean to you?  We all have important and sensitive information in our email accounts and perhaps we shouldn’t.  A better habit would be to store personal information and sensitive information in a secure folder on your computer.  This hacking is also a reminder that whenever possible, you should use dual factor authentication, by which you can only access a particular account, such as your email, by providing a one time code sent to your smartphone each time you attempt to log in.  Dual factor authentication would have prevented this hacking.  In addition, a problem that has come up time and time again is that when security questions are used to enable someone to change their password, the answers to many of the security questions we use can be obtained from a variety of sources including social media and public records.  One way to make your security question stronger is to provide a nonsensical answer to your security question.  So if the question is what is your mother’s maiden name, an often used and particularly weak security question, pick a nonsensical answer such as “grapefruit.”  You will remember it because it is so ludicrous, but no one is going to be able to obtain the information necessary to answer your security question.  If Brennan had used such a nonsensical security answer, the hackers would not have been able to take over his account.  Also, Holdren could have avoided being hacked had his wife contacted her husband directly before responding to an email posing as him asking for a password.  Trust me, you can’t trust anyone.

Scam of the day – January 4, 2016 – Nigerian charged with “whaling”

January 4, 2016 Posted by Steven Weisman, Esq.

Whaling may be a term, when referring to cybercrime, with which you may not be familiar.  By now, everyone is aware of the term “phishing” which refers to the social engineering crime by which scammers send emails purporting to be from a legitimate source in which they lure you into either clicking on malware infected links or directly sending them money.   Often phishing emails are easy to spot because they may not be directed to you by name, but rather by a salutation, such as “Dear Customer” and not contain the type of information that would make you tend to believe that the email is legitimate. “Spear Phishing” is more refined phishing where the scammer has gathered, often through hacking of various websites and companies, personal information about you such that when you receive the phony email from the scammer it appears more legitimate.  The latest criminal version of this tactic is called “whaling” and it is a type of spear phishing aimed at the big fish.

Recently, Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa  was arrested and charged with wire fraud based on scamming 17 Texas companies out of more than $600,000 through whaling.  Amuegbunam is alleged to have sent emails that appeared to be from high level company executives to lower level company employees who had the authority to wire funds on behalf of the company requesting that funds be wired to bank accounts he controlled.  The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately 740 million dollars using this technique.

The scammers who use whaling are sophisticated criminals who gather much personal information about the companies and individuals targeted before sending their whaling emails.  They use this information to tailor their emails to make them appear legitimate.  Often they are able to gather much of this information through social media such as Facebook where people sometimes have a tendency to share too much personal information.

TIPS

In the case of Amuegbunam, one of the emails he is alleged to have sent was to a company executive for Luminant Corp which is a Texas electric utility company.  However, if the company executive had looked closely at the email address of the sender, he would have noticed that the name Luminant was misspelled in the email address so that it actually read “lumniant.”  This is an easy misspelling to miss, which is why scammers are able to get email addresses that when looked at quickly may appear to come from someone at the legitimate company, rather than a scammer.  In this particular case, had the employee noticed that the email address of the sender was not legitimate, it would have saved the company $98,550.

The lesson for companies is to both educate employees as to the telltale signs of spear phishing and whaling and to have a confirmation protocol in place to be followed when authorizing the wiring of funds, particularly when they are being sent to companies or individuals that their company has not done business with in the past.

As for the rest of us, we should be careful to avoid spear phishing too.  Consider how information that you post on social media could be used to defraud you before you post anything and remember that personal information about you and your business accounts can also be gathered through data breaches at companies with which you do business.  Therefore, as I always advise you, never click on links in emails, send money or provide personal information in response to emails that you receive regardless of how legitimate they may appear until you have confirmed that they are indeed not scams.

Scam of the day – November 12, 2015 – New Chase phishing email

November 12, 2015 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating.  This particular one came with quite good looking graphics and a Chase logo, but it is a scam.
“Confirmation of Recent Account Activity –
Unable to Contact You- Action Required
Your Account Ending in *46*

Dear Customer:

As part of our commitment to help keep your account secure, we routinely verify activity that seems unusual based on your general account usage. We called you to help us verify recent activity, but we weren’t able to reach you.  If you’ve already taken the required action about this recent activity, there’s nothing you need to do at this time. Otherwise, we ask that you Follow the next required action: •Log in to your account now and follow the instructions..Click here
We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.

Sincerely,
Chase Fraud Department

Is your contact information current? Make sure we can reach you if we notice suspicious activity on your account. Update your information by logging into your account at Click here.

ABOUT THIS MESSAGE:
This service message was delivered to you as a Chase customer to provide you with account updates and information about your card benefits. Chase values your privacy and your preferences.

If you want to contact Chase, please do not reply to this message, but instead go to Click here. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, Texas 78265-9752

© 2015 JPMorgan Chase & Co. ”

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with Chase, but most likely was from a computer that was part of a botnet of computers controlled remotely by the scammer.  In addition, legitimate credit card companies do not refer merely to the last two digits of your account in emails, but instead refer to the last four digits.  They also would not use the generic greeting “Dear Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam.
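Two of the tells described in these posts, a sender domain that has nothing to do with the bank (the Chase email above) and a near-miss spelling such as “lumniant” for Luminant (the whaling post), can be checked mechanically on the From: header. The following is an added example and not code from this blog; the brand allow-list, the sample From: headers and the two-label “registrable domain” shortcut are constructed assumptions for the example.

```python
"""Sender-domain checks for incoming mail that claims to be from a known brand.

Two defender-side heuristics:
  1. the sender's registrable domain is not one the claimed brand sends from, and
  2. the sender's domain is a near miss of a brand domain: an adjacent swap,
     a dropped or doubled letter, a 0 standing in for an o, or the brand name
     buried inside an unrelated domain ("chase.com.example.net").
Every domain and address below is constructed for this example.
"""
import re

# Constructed allow-list: brand -> domains that brand legitimately sends from.
BRAND_DOMAINS = {
    "luminant": {"luminant.com"},
    "chase": {"chase.com", "jpmorganchase.com"},
    "aol": {"aol.com"},
}

# Digits commonly used as stand-ins for letters (the "A0L" trick).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Fraud Dept <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError(f"no address found in From header: {from_header!r}")
    return match.group(1).lower().rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels of the host (a simplification; real code would consult
    the public suffix list so that e.g. 'example.co.uk' is handled)."""
    return ".".join(domain.split(".")[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'lumniant' is 1 away from 'luminant'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(claimed_brand: str, from_header: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a message that
    presents itself as coming from claimed_brand."""
    brand = claimed_brand.lower()
    allowed = BRAND_DOMAINS[brand]
    domain = sender_domain(from_header)
    if registrable(domain) in allowed:
        return "legitimate"
    normalised = domain.translate(HOMOGLYPHS)
    # Brand name embedded anywhere in a domain we do not recognise.
    if brand in normalised:
        return "lookalike"
    # Near-miss spelling of a legitimate sending domain's main label.
    label = registrable(normalised).split(".")[0]
    for legit in allowed:
        if osa_distance(label, legit.split(".")[0]) <= 1:
            return "lookalike"
    return "unrelated"


# Constructed sample headers, one per tell discussed in the posts.
SAMPLE_MESSAGES = [
    ("luminant", "CEO <ceo@lumniant.com>"),               # transposed letters
    ("chase", "Chase Fraud Department <grandma_smith@example.net>"),  # botnet-style sender
    ("chase", "alerts@chase.com.example.net"),            # brand as a subdomain
    ("aol", "Security Team <security@a0l-mail.net>"),     # 0 for o
    ("chase", "alerts@chase.com"),                        # on the allow-list
]


def triage(messages=SAMPLE_MESSAGES):
    """Classify each (claimed brand, From header) pair."""
    return [(hdr, classify_sender(brand, hdr)) for brand, hdr in messages]


if __name__ == "__main__":
    for header, verdict in triage():
        print(f"{verdict:10s} {header}")
```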


Scam of the day – November 8, 2015 – More AOL phishing scams

November 8, 2015 Posted by Steven Weisman, Esq.

I have written about AOL phishing scams many times, but an abundance of AOL phishing emails that are presently being circulated make this a topic worth writing about again. Reproduced below are three of them, the last of which is a phishing email about a generic account that doesn’t even attempt to tell you the name of your email carrier.   Scammers and identity thieves send out phishing emails to lure people into clicking on links in these emails that will either download keystroke logging malware on to the victim’s computer that will enable the identity thief to steal personal information from the victim’s computer and use it to make him or her a victim of identity theft or by clicking on the link, the victim will be directed to an official looking page requesting personal information under some legitimate sounding guise.  If the victim provides the requested personal information, it is used to make him a victim of identity theft.

“Aol!
Dear Member,Your mail-box might be shutdown within 24hrs due to your recent termination request. To cancel RE-SET , Log-in and wait response from Aol.

Sincerely

Webmail 2015 Security Team”

and

“A0l.
Account Termination

Dear A0L User,

We received your request to terminate your A0L Mail Account and the process has started by our A0L Mail Team, Please give us 2 working days to close your A0L Mail Account.
please if you did not wish to termination , click below and sign in to cancel the termination request :”

This last one is not specific to AOL, but contains many of the same phishing elements:

“Dear User,
Your E-mail has exceeded the storage limit. You can not send or receive new messages until you re-validate your mail.  To re-validate the mailbox:- = Click to restore

Thank you!
Mail Administrator.”

TIPS

Phishing emails such as these always wish to create a sense that immediate action is required in order to avoid some negative event such as your account being closed.  These particular emails are easy to identify as scams.  None of them came from an email address that was connected with an email provider.  In fact, they all came from personal email addresses that were probably those of innocent victims of a botnet where a cybercriminal takes control of the computers of innocent people and uses those computers to send out phishing emails and other such communications.  None of the emails reproduced above carried a company logo although, this is easy to counterfeit and shouldn’t be something that makes you consider such emails to automatically be legitimate if you do receive an email with an official corporate logo.  Finally, such phishing emails often contain, as these do, grammatical or spelling errors.  You should never click on any link or provide any personal information in response to an email unless you are absolutely sure that it is legitimate and safe to provide the requested information.  The best thing you can do is to contact the company that is purporting to be sending the email and inquire as to the legitimacy of the email you received.

Scam of the day – September 28, 2015 – New iTunes phishing scam

September 28, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes right from my own email account, although many people are reporting receiving the same email.  It appears to be from iTunes and indicates that in order to continue to use iTunes, I must verify information in my account.  The email is a scam and works in one of two ways, both of which are bad.  In one scenario, if you click on the link to provide information, you will be turning over your personal information to an identity thief who will use the information to make you a victim of identity theft.  Even worse is the other possible scenario, which is that when you click on the link, you will unwittingly download keystroke logging malware that will permit the identity thief to steal all of the information on your computer and use it to access your credit cards, bank accounts and other financial accounts and use that information to make you a victim of identity theft.  This particular email, which is reproduced below, contains a number of clues that it is a scam.  Often these emails come from botnet zombie computers that have been hacked into to send out these emails, and so the email address from which it was sent will not have anything to do with Apple or iTunes, but will carry the address of the unfortunate person whose email was hacked and taken over.  In my case, the email was sent by a non-business account in the United Kingdom.  Also, although it is easy to copy logos, identity thieves, particularly when they are from foreign countries, do not use proper grammar or proper English.  For instance, in this email the word “cooperation” is spelled incorrectly.  Finally, the email is addressed merely to “Dear iTunes User” instead of using my name in the salutation, thereby indicating that this is being sent out widely to many individuals rather than sent merely to people to whom it would apply if it were legitimate.

Here is a copy of the email I received.  DO NOT CLICK ON THE LINK.

“Dear iTunes User,

Your account requires verification due to our recent upgrade. It is mandatory that you confirm your details through our secure link below.

Connect

Thank you for your co-operation.

Sincerely Yours,

iTunes Admin
Copyright © 2015 Apple Inc. All rights reserved”


TIPS

Never click on a link unless you are absolutely sure that it is legitimate and unfortunately whenever you receive an email or a text message with a link, you cannot be sure that the message is legitimate.  Many times you will receive emails or texts such as this purporting to be from companies that you do not even do business with and you obviously can ignore these.  But if you have any concerns that the email might be legitimate, you still shouldn’t click on the link.  Instead you should call the particular agency or company at a telephone number that you know is accurate to inquire as to whether the email or text message was legitimate.  Chances are that you will find out that it is a scam.  Once, I received a large invoice from a company with which I do business for goods I did not order, but rather than click on the link provided in the email, I went directly to the company’s website to question the invoice.  When the website came up, the first thing I saw was a large announcement that the invoice was a scam and that many people had received these phony invoices.  If I had clicked on the link, I would have become a victim of identity theft.

Scam of the day – September 20, 2015 – Stock trading hackers and SEC settle charges

September 20, 2015 Posted by Steven Weisman, Esq.

In mid August I told you about the SEC civil action against thirty-two people charged in the largest hacking and securities fraud enterprise in American history.  The group of defendants is made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release.  This enabled the stock traders to make trades based on this inside information before it became known to the public.  It is estimated that between 2010 and 2015, the defendants made profits of 100 million dollars on 800 trades during this time.

Now, the SEC has settled the claims against two of the defendants, Jaspen Capital Partners Limited, a Ukrainian company, and its CEO Andrly Supranonok who, the SEC alleged, made 25 million dollars in illegal profits from this enterprise.  It is interesting to note, however, that not only did the SEC determine to prosecute this case civilly rather than criminally, but in its settlement the defendants were not required to admit responsibility.  In effect, what the defendants did is deny that they did anything wrong and promise not to do it again.  They also, however, paid a fine of 30 million dollars, which is 5 million dollars more than they earned through their improper actions.

TIPS

The topic of when the SEC and the Justice Department prosecute white collar crimes as civil violations and when as criminal violations is a major topic of discussion, with many people believing that white collar crime is not prosecuted criminally enough to serve as a disincentive to would-be white collar criminals.

However, for all of us as individuals, one of the biggest takeaways from this case is how easy it is to still use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Apparently corporations still have not learned to train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us as individuals should also learn in our own lives because identity thieves and hackers use the same phishing technique to steal the identities of individual victims.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.

Scam of the day – September 15, 2015 – Google Docs phishing scam

September 15, 2015 Posted by Steven Weisman, Esq.

Scammers are sending phishing emails that appear to come from a company recruiting you for a position at their company.  The email looks legitimate, is written with good grammar and contains a legitimate looking company logo.  The email indicates that the recruiter found your resume on LinkedIn.  Attached to the email is a link to a Google Doc purportedly with a description of the job for which you are being recruited.  Clicking on the link will take you to a legitimate looking, but phony, log-in page that looks like Google’s login page.  The scammers actually open a Google Drive account and mark it as public.  They then load their phishing program on to the file.  If you enter your user name and password, you will have turned over this information to an identity thief.

TIPS

As I often warn you, “trust me, you can’t trust anyone.”  This scam is particularly insidious because it looks so legitimate.  However, you should never click on a link in an email or text message unless you have absolutely confirmed that it is legitimate.  In this case, you should check out the company on Google or some other search engine to find out if it is a real company.  But even that is not sufficient to confirm that the email is legitimate because a scammer can use the name of a legitimate company to send out what appears to be legitimate emails that are, in fact, scams.  If a job is being offered by a real company, you can get information about the job posting on the website of the legitimate company or by calling the company’s HR department.

Scam of the day – September 14, 2015 – Federal government unveils new cybersecurity plan

September 13, 2015 Posted by Steven Weisman, Esq.

It is no secret that the federal government, as evidenced by the recent hacking of the Office of Personnel Management (OPM) in which personnel data on 22 million people was stolen, is a target of hackers, both nation-state and ordinary (or perhaps not so ordinary) criminals.  The OPM data breach was initiated, as was the Target data breach and 90% of all data breaches, through a phishing email.  A phishing email is an email sent by the hacker that appears to be legitimate and lures the victim at the targeted company or agency to click on a link or download an attachment that contains malware that enables the hacker to steal the information contained in the victim’s computer system.  It is fascinating that in almost all major data breaches, the most complex and sophisticated malware is downloaded on to the victim’s computer through the simple trickery of phishing.  Here is a link to a column I wrote about this last year.  http://www.usatoday.com/story/money/personalfinance/2014/10/18/malware-data-breach-phishing/17458411/

In response to the OPM and other data breaches, William Evanina, the Director of the National Counterintelligence and Security Center has announced a new campaign to raise the awareness of federal workers to the dangers of phishing and specifically targeted phishing emails referred to as spear phishing.

TIPS

Phishing and spear phishing represent threats not just to companies and governmental agencies, but to all of us as individuals as well.  Identity theft is often accomplished through individuals being targeted by phishing or spear phishing emails who unwittingly click on links or download attachments that contain keystroke logging malware that enables the identity thief to steal all of the information including passwords, credit card numbers, Social Security numbers and other personal information from the victim’s computer and use that information to make that person a victim of identity theft.  Other types of malware, such as ransomware, which encrypts and locks all of the data in your computer, followed by a threat to destroy your data unless you pay a ransom, is generally downloaded through clicking on a link or downloading an attachment from a phishing email.

The key to avoiding becoming a victim is to never click on a link or download any attachment unless you have absolutely confirmed that the link or attachment is legitimate.  Even if the link is contained in an email from someone you know and trust, it is possible that their email may have been hijacked so you must always be a bit skeptical.  It may seem a bit paranoid, but remember that even paranoids have enemies.

Scam of the day – August 26, 2015 – Bank of America security message scam

August 26, 2015 Posted by Steven Weisman, Esq.

This is another phishing scam that is making the rounds these days.  It appears to be a legitimate email from Bank of America informing you that due to upgrades being done to the Bank of America computer systems, it is necessary for you to confirm personal account information in order to maintain your account.  Of course, if you click on the link contained in the email, you will only succeed in either unwittingly downloading keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft, or you will be sent to another website that prompts you to provide your personal information directly, which then will be used to make you a victim of identity theft.  Either way you lose.  Here is a copy of the email presently being circulated:

“Member:

We need you to confirm your Bank of America account due to our new upgrading. It is mandatory that you confirm your details through our secure link below.

CONNECT
Thank you for your co-operation.
Bank of America Admin
Copyright © 2015 BOA Inc.”

TIPS

There are a number of ways to know that this is a phishing scam.  First of all, if you are not an account holder at Bank of America, you can rest assured that the email is a scam.  Unfortunately, there are so many people that are account holders at Bank of America that the scammers just send out the email in large numbers, hoping to reach Bank of America account holders among the random people being sent the email.  The email address from which it is sent was not that of Bank of America, but rather that of a private individual whose email account was hacked, taken over and made part of a botnet to send these emails in large numbers.  Because you can never be sure whenever you receive an email that asks you to provide personal information whether it is legitimate or not, the best thing to do is to remember my motto, “trust me, you can’t trust anyone,” and confirm whether it is legitimate by calling the real company, in this case Bank of America, to learn whether or not the email is phony.  Chances are, you will be told that it is a scam.

Scam of the day – August 15, 2015 – Paypal email phishing scam

August 14, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day comes directly from my own email and I am sure it has turned up in yours as well.  PayPal is a popular payment service used by many people particularly with eBay.  Therefore it can seem plausible when you receive an email that purports to come from PayPal asking you to update your credit card information.  However, anyone responding to the email copied below would either end up providing credit card information to an identity thief or merely by clicking on the link could download keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  DO NOT CLICK ON THE LINK.

“Account User,

The credit card in your account has expired; you are required to update your payment method to keep your account active.

Rectify payment method today by following the link below:

https://www.paypal.com/ca/cgi-bin/webscr?cmd=_add%id3752891

You can always add a new card

Sincerely,
PayPal”

This particular phishing email is not particularly sophisticated.  It comes from an email address of a private person rather than that of PayPal.  The address used, most likely is that of someone whose email account and computer was hacked in order for the identity thief to send out these phishing emails in mass quantities. It is not addressed to me personally, no logo of the company appears anywhere in the email and the language of “rectify payment” is somewhat inappropriate.  It is a pretty amateurish attempt.

TIPS

The primary question we all face when we receive such an email asking for credit card information or other personal information that may appear to be legitimate is how do we know whether to trust it or not.  The answer is, as I always say, trust me, you can’t trust anyone.  Regardless of how legitimate such email appear, you should not provide any personal information until you have independently verified by phone call or email to an email address that you know is accurate that the request for personal information is legitimate.