Posts Tagged: ‘Phishing’

Scam of the day – May 5, 2015 – Data breach at Las Vegas Hard Rock Hotel and Casino

May 5, 2015 Posted by Steven Weisman, Esq.

Fool me once, shame on you; fool me twice, shame on me. In a repeat of a story we have heard over and over during the last few years, the Hard Rock Hotel and Casino in Las Vegas is notifying its customers of a major data breach at the restaurant, bar and various retail and service stores at its Las Vegas hotel and casino that began on September 3, 2014 and was not discovered and stopped until April 2, 2015. The data breach did not extend to charges made on credit and debit cards at the casino and hotel itself nor to some of the other businesses operating there including Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo and Reliquary Spa & Salon. However, numerous other retail stores and services at the Hard Rock Las Vegas property were affected, with credit and debit card numbers, customer names, and CVV codes compromised. Although we still do not know how the data breach was accomplished and how the malware necessary to accomplish it was planted in the computers of the affected companies, it is reasonable to speculate that the pattern of Target, Home Depot and so many other data breaches was followed here, in which malware was implanted on the computers of the victim companies through phishing emails, enabling the hackers to steal credit card and debit card information that could be used for purposes of fraud and identity theft. Had the United States broadly adopted the smart card chip technology used throughout the rest of the world instead of the old magnetic strip technology still used in the United States, this type of data breach would have been of little value to the hackers, but since companies such as those affected here at the Hard Rock continue to use this old technology, they continue to put their customers in danger of identity theft.

Here is a link to a column I wrote about this problem for USA Today in September of 2014 in which I predicted exactly how this would occur.


There is little we, as consumers, can do to convince retailers to move to the more advanced smart credit card chip technology that generates a new number for every transaction, so that a data breach that steals that number would be worthless to an identity thief who could not use that number for future purchases. However, until retailers switch to this technology, which is not expected to be widely adopted until October of 2015, the most important thing that we can do as consumers is to refrain from using debit cards for retail purchases because they do not provide the same level of protection from liability that credit cards do. We also should regularly review our credit card bills to look for fraudulent purchases and evidence of identity theft so that we can stop the bleeding as quickly as possible. If you find that your credit card has been compromised, you should contact your credit card issuer immediately, close the account and have fraudulent charges removed. Although the law permits credit card companies to hold their customers responsible for up to $50 of fraudulent charges, most companies do not hold their customers responsible for any amount of fraudulent purchases when the fraud is reported promptly.

Scam of the day – May 1, 2015 – FBI warns of cyberthreats to law enforcement officers

May 1, 2015 Posted by Steven Weisman, Esq.

The FBI recently issued a warning to law enforcement personnel and other public officials that they are being targeted by cyberattacks by various hacktivist groups and others who, in many instances, are posting on the Internet large amounts of personal information about their intended targets, which can be used to threaten the security of the targets as well as put them in imminent danger of identity theft. The trail to this information often starts with the law officers and government officials themselves and their families, who not only have much information about them contained at a myriad of places accessible to the public online, but also put too much information online themselves through social media.

This situation is reminiscent of the Scam of the day from April 2, 2015 in which I told you about an ISIS-inspired group that made public personal information about American military personnel. Although the ISIS-aligned group claimed it had hacked into military servers to obtain the information, in fact, the information was readily available merely by Googling public information available throughout the Internet.

This activity of exposing personal information of a targeted victim is called “doxing” and it presents a real threat to the security of the people exposed in this manner. Information such as home addresses, phone numbers, email addresses, photographs and more is not difficult to obtain online and this information can be used to obtain further information through phishing attacks against the intended victims.


Some of the things the FBI is urging law enforcement personnel and public officials to do include refraining from posting photographs on social media that show they are affiliated with law enforcement or other government agencies. In addition, they should be more cognizant of establishing the security settings on all of their computers, smartphones and social media to as strong a setting as possible. The FBI also advises law enforcement personnel and public officials to limit their use of social media. In addition, it is a good idea for people who are potential targets to regularly do online searches about themselves to see what information is available about them online. Finally, they should take the same precautions in regard to personal security that I describe in my book “Identity Theft Alert” and that we all should take. Privacy is an important thing to be protected.

Although the FBI warning was aimed at law enforcement officers and public officials, the same advice, including being extremely careful about the information you make available online through social media and elsewhere, truly applies to us all.

Scam of the day – April 10, 2015 – Member of international computer hacking ring pleads guilty to hacking video game manufacturers

April 10, 2015 Posted by Steven Weisman, Esq.

Nineteen-year-old Austin Alcala recently became the fourth member of an international hacking ring to plead guilty to hacking into the computer networks of a number of videogame developers including Microsoft Corporation, Epic Games Inc., Valve Corporation and Zombie Studios. In the course of the hacking of these companies, the hackers stole information and intellectual property valued at one hundred million dollars including software source code, trade secrets and other information regarding the Microsoft Xbox Live online gaming system and popular games including FIFA, Call of Duty: Modern Warfare 3 and Gears of War 3. Sentencing is scheduled for July 29th.


It should come as no surprise that nineteen-year-olds without the resources of state governments and large companies have sufficient computer power to hack into the biggest companies in the world. This case is just another example of the fact that all of us and the companies with which we do business have got to do a better job of protecting the security of important information. As individuals, there is little we can do to compel companies and government agencies to better protect the data they hold. However, for ourselves, there are many things we can do to enhance our security, including the use of strong passwords, encryption programs and security software that is constantly updated. In addition, not clicking on links in emails and text messages unless you are absolutely sure that they are legitimate is a good way to avoid becoming a victim of phishing.

Scam of the day – April 9, 2015 – White House computers hacked

April 8, 2015 Posted by Steven Weisman, Esq.

The Obama Administration has confirmed that White House computers were hacked last year; however, it emphasized that the extent of the cyberintrusion was limited to systems that only carried unclassified information. It is theorized that it was Russian government hackers that were responsible for the attack and that they managed to download the malware used to access the computers’ data by way of phishing emails with tainted links that came using email addresses from the State Department, which has long been infiltrated by Russian government hackers. This revelation highlights the concerns about the private email server used by former Secretary of State Hillary Clinton during her tenure as Secretary of State, although the most recent disclosures could bolster both her defenders and her critics. Her defenders could say that the State Department email system was unsafe and constantly targeted by Russia, China and others and that Secretary Clinton was prudent to use her own system over which she could maintain strict controls. Her critics could argue that it is unlikely that her private server would be as safe as that of the official government email system.


The revelation of the White House hacking reinforces the fact that the United States, Russia, China and others are constantly engaged in cyberwarfare. But what does this story tell us as individuals in regard to our own security and protecting our own data from hackers and identity thieves? The primary lesson is one that we need to remind ourselves of again and again, namely that in almost all data breaches, whether of individuals, governments or companies, the installation of the sophisticated malware necessary to accomplish the theft of data starts with the victim clicking on a link in a phishing email. Therefore it is critical that you never click on links in emails or text messages, regardless of how legitimate they appear, until you have confirmed that they are legitimate. You also may wish to consider using one computer for financial matters and a separate computer for emails so that even if you make a mistake and download malware, there is nothing in that computer worth stealing.

Scam of the day – April 8, 2015 – Tewksbury Police Department pays ransom to retrieve files

April 7, 2015 Posted by Steven Weisman, Esq.

The Tewksbury, Massachusetts Police Department became the latest in a long list of police departments to become a victim of ransomware, the malware that, generally through phishing, is downloaded onto the victim’s computers and then locks and encrypts the victim’s files, making them unusable. In this particular case, the Tewksbury Police Department’s arrest and incident records were locked and a message appeared that read, “Your personal files are encrypted. File decryption costs – $500.” The particular type of ransomware used in this case has been called KEYHolder and despite the efforts of federal and state law enforcement agencies as well as two computer security companies, the data could not be retrieved. Ultimately, the Tewksbury Police Department paid the five hundred dollar ransom electronically in bitcoins as demanded, making the payment pretty much impossible to trace.

In recent years, particularly since the development of CryptoLocker, one of the early ransomware malware programs, ransoming of computer data has brought criminals as much as 28 million dollars in ransom payments. Many government agencies and police departments have been targeted along with the computers of ordinary citizens. No one is safe. The Collinsville, Alabama Police Department became a victim of ransomware last summer, refused to pay the ransom and lost its infected database of mugshots. The Durham, New Hampshire Police Department also refused to pay a ransom, but wisely had backed up its information so it lost nothing of value. Other police departments, companies, government agencies and individuals have not been so fortunate, however, and have either paid the ransom or lost their data in many instances. Depending on the sophistication of the malware used, sometimes the ransomware can be defeated, but often it cannot.


Certainly you want to always keep your anti-virus and anti-malware software up to date on all of your electronic devices. However, you can never be fully confident that this will keep you safe because the latest viruses and malware are always at least a month ahead of the software security updates created to deal with these issues. Since the ransomware is generally downloaded onto the victim’s computer by clicking on a link in an email, it is critical that you not click on links in emails unless you are absolutely sure that the link is legitimate. Finally, it is very important to back up all of your data independently every day so that even in a worst case scenario, you will not need to give in to the demands of extortionists.

Scam of the day – March 13, 2015 – Latest developments in the Sony hacking and data breach

March 13, 2015 Posted by Steven Weisman, Esq.

Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach. Among the new information contained in the civil complaint filed by the former employees is reference to a September 2014 audit done by PricewaterhouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems. The complaint went on to also assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen. The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach including 15,200 from present and former employees who worked for the company as far back as 1955.


The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. Sony’s failings are many. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords, giving the hackers ready access to sensitive information. These are just a few of Sony’s failings.

The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information. It is also a warning to us all to limit, as much as possible, the places that do hold that information. Many companies, including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for it. We all should resist providing our Social Security numbers to companies that request them unless they have a legitimate need for them.

Scam of the day – February 28, 2015 – Carnegie Mellon phishing scam

February 28, 2015 Posted by Steven Weisman, Esq.

Carnegie Mellon University is one of the country’s foremost universities in various areas of technology, but that does not mean that Carnegie Mellon employees are any better than anyone else at recognizing phishing emails. Phishing remains the primary way that many major data breaches are initiated: employees of a company receive a legitimate-appearing email that prompts the person receiving the email to click on a link under various guises. Unfortunately, what happens in many instances is that by clicking on the link, malware becomes installed that enables the hacker to steal information and data from the computer data banks of the company. This simple technique was how the Sony hacking and the recent billion dollar hacking of a hundred banks around the world were accomplished. Another way that phishing works is by luring the victims to enter their usernames and passwords into legitimate-appearing communications, thus providing that information to hackers and identity thieves. That is what happened to an undetermined number of Carnegie Mellon employees who were lured into providing their log-in information when they responded to an email entitled “Your Salary Raise Information.”


This phishing scam is particularly noteworthy because it once again shows that sophisticated, technologically savvy people can fall for the lures of phishing emails, which is why everyone should always be skeptical before responding to any email or text message that requires you to provide personal information or click on a link. In either situation, you can never be sure when you receive an email or text message that the communication is legitimate. So along with maintaining the latest security software on your electronic devices, it is important to make it a habit never to provide personal information or click on links in response to text messages or emails until you have absolutely confirmed that the communication is legitimate.

Scam of the day – February 17, 2015 – Billion dollar international bank hacking

February 17, 2015 Posted by Steven Weisman, Esq.

Russian cybersecurity company Kaspersky Lab issued a report yesterday disclosing what may well be the biggest bank hacking in history. The hacking of more than 100 banks in the United States, Japan, Switzerland, the Netherlands and primarily Russia was accomplished by a criminal group called the Carbanak cybergang, composed of Russians, Chinese and Europeans, who used advanced malware installed on the computers of the targeted banks to infiltrate the computers of the banks’ employees in charge of cash transfer systems and ATMs. They then installed a remote access tool (RAT) on these employees’ computers that enabled the hackers to see everything done on these employees’ computers, with the goal of mimicking the look of legitimate transactions when the hackers activated electronic transactions and programmed ATMs to dispense money at specific times to steal as much as a billion dollars over the last two years.


As of today, no bank has admitted that it was one of the affected banks. This makes fighting similar attacks more difficult, which is one reason President Obama has recently been advocating for a law to mandate public disclosure of such security breaches by financial institutions. An important aspect of this hacking that has often been overlooked in some early reporting of the story is that although the malware used to perpetrate this crime is amazingly sophisticated, the planting of the sophisticated malware into the computers of the targeted banks was accomplished by old-fashioned phishing emails that lured the bank employees to click on an infected link. Everyone, including companies, governments and private individuals, has got to do a better job of not clicking on links, no matter how legitimate they may appear, until you have confirmed that they are indeed legitimate. Remember my motto, “trust me, you can’t trust anyone.”

Scam of the day – February 16, 2015 – Turbo Tax scam update

February 16, 2015 Posted by Steven Weisman, Esq.

As I reported to you previously, earlier this month, following a rash of fraudulent state income tax filings using Turbo Tax software in nineteen states, Turbo Tax temporarily suspended electronic state income tax filings through Turbo Tax. Although the matter is still under investigation, it does not appear that Turbo Tax was hacked. More likely, identity thieves who had already obtained the Social Security numbers of their victims were using Turbo Tax’s convenient software to file fraudulent returns in which they claim phony refunds. On the federal level, this is a 5.2 billion dollar problem annually. Now, enterprising identity thieves are sending out phishing emails that appear to be sent by Turbo Tax in which the email recipient is told that there is a problem with the person’s electronically filed income tax return and that they need to click on a link and provide personal information in order to rectify the problem. This is a scam that is intended either to lure the victim into downloading keystroke logging malware that will steal personal information from the victim’s computer or other electronic device and use that information to make the person a victim of identity theft, or to lure the victim into providing the personal information directly to the identity thief posing as Turbo Tax.


Whenever you get an email or a text message either asking for personal information directly or instructing you to click on a link, you should not respond until you have absolutely confirmed that the email or text message is legitimate. Making a counterfeit email look official is child’s play, so even if the communication looks legitimate, you should not trust it. The better course of action is to contact the company directly at a telephone number, email address or website that you know is legitimate to confirm whether the original communication was legitimate. Scammers and identity thieves always take advantage of the latest public concerns to convince people to provide information used to make them victims of identity theft.