Posts Tagged: ‘Phishing’

Scam of the day – November 12, 2014 – Post office hacked

November 12, 2014 Posted by Steven Weisman, Esq.

Earlier this week the United States Postal Service announced that it had been hacked, most likely by Chinese hackers, who stole personal information including names, birth dates, Social Security numbers, home addresses and other personal information on as many as 800,000 employees of the Postal Service.  Although generally this is the type of hacking that would lead to massive instances of identity theft, the Chinese, who usually limit their state sponsored hacking to corporate espionage of trade secrets of companies with which they compete, may have been looking for just additional data on Americans.  Earlier this year, the Chinese hacked into the records of the federal Office of Personnel Management which conducts security clearance checks and this hacking was thought to be more closely related to counterintelligence or even recruitment purposes.  However, in the Postal Service hacking it is purely speculative as to why the Chinese government did this hack.

TIP

Once again, we see that the federal government just like private industry is not doing enough to secure its data.  Just as in the breaches of Home Depot and Target, the data breach was accomplished by the planting of sophisticated malware by way of phishing emails to federal employees who were lured into clicking on links in the tainted malware.  A recent federal study showed that 20% of hacking of federal computers was started through federal employees clicking on links in phishing emails against federal policy.

So what does this mean to you and me?  This is just another reminder that both government and the private sector have got to do a better job of protecting the data they store.  It also reminds us that we must remain eternally vigilant to identity theft threats and continue to monitor our financial accounts and credit reports regularly.

Below you can find a television interview I did yesterday about this on NewsMax TV.

 

 

 

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – October 26, 2014 – Myverizon38.com scam

October 26, 2014 Posted by Steven Weisman, Esq.

This scam is a slight variation of the scam I reported to you about on March 6, 2014 in the Scam of the day. “Spoofing” is the name for the tactic used by identity thieves to make a call that you receive appear to come from a legitimate source, when, in truth it is from a scammer who has merely managed to make it look like the call is legitimate.  Many people are reporting receiving calls on their smart phones or landlines that on Caller ID appear to be from “Technical Support” and carrying a telephone number that is a real number for Verizon Wireless technical support.  The call received is an automated robocall that informs you that you have are eligible for a $38 reward and then directs you to the website www.myverizon.38.com.  This website is a phony website which lures you into providing personal information that is then used to make you a victim of identity theft.  In other variations of this scam, merely by clicking on a link on the phony website, you will unwittingly download keystroke logging malware that will steal the personal information from your computer and use this information to make you a victim of identity theft.   This type of scam by which a legitimate-looking, phony website tricks you into providing personal information or clicking on tainted links is called “phishing.”  Back when I first reported on this scam to you, the phony website was www.verizon54.com and the amount of the phony reward was $54.

TIPS

You can never trust a phone call to actually be from whom the caller says.  Spoofing is easy to accomplish by identity thieves.  Don’t be tricked into trusting a telephone call.  In addition, robocalls are illegal so you should never trust a prerecorded call.  Nor should you click on links that you are not sure are legitimate.  If you have any thought that the original contact might be legitimate, contact the company directly at a website address or telephone number that you know is accurate to inquire about the particular matter.

Scam of the day – October 2, 2014 – Important update on Bash bug

October 2, 2014 Posted by Steven Weisman, Esq.

On September 27th I warned you about the revelation that there was a bug called Shellshock in the Bash command-line interpreter on many operating systems including Linux, Unix and Apple’s OSX that had just been discovered after more than twenty years.  This bug is simple to exploit and tremendously dangerous since when exploited by hackers, permits the hacker to take over the computers using the infected operating systems.   The Federal Financial Institution Examinations Council (FFIEC) has warned the banking industry that it should take immediate steps to protect itself from this major threat.  Hackers have been busy trying to take advantage of this security flaw by attacking servers using affected operating systems while security experts have been equally as busy trying to create new patches.   A series of security patches have been released just in the last couple of days. It is also important to know that, as individual computer users, your firewall should protect you unless a hacker tricks you through phishing into clicking on a link and download malware to exploit the flaw.

TIPS

For all of us, this is a reminder to never click on a link in an email, text message or social media posting unless you are absolutely sure that it is legitimate.  Too often, what appear to be legitimate communications with emails are phishing scams with malware attached.

Here are links provided by the Department of Homeland Security which in turn have links to the latest security patches issued by Apple and others to deal with this problem.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

https://www.us-cert.gov/ncas/current-activity/2014/09/30/Apple-Releases-OS-X-bash-Update-10

Scam of the day – September 23, 2014 – How LinkedIn can be used to hack companies

September 22, 2014 Posted by Steven Weisman, Esq.

LinkedIn is a very popular social networking service site for business people where 300 million people share knowledge and opportunities.  Unfortunately, however the information provided on LinkedIn can be manipulated in the hands of a hacker to provide information that can be used to hack a business’ computers and data.  If you look up a company on LinkedIn you will find a number of profiles for individual employees of the company.  Many of these will include the employee’s email address.  After viewing a few employee profiles a hacker can determine the protocol used for emails within the company, such as initial of first name, last name@companyname.com.   Using this information, the hacker can send a legitimate appearing email to a company employee that looks like it comes from within the company luring the real employee to either click on a tainted link or enter a username and password.  This can be used to either directly install malware on to the company’s computers through the tainted link or get access through the user name and password of the employee victimized by the scam.  From there it is an easy thing to install malware to steal information from the company.

TIPS

Never click on links in emails, text messages or social media or download attachments until you have absolutely confirmed that they are legitimate.  Also, when it comes to network security, most companies will never ask for an employee’s user name or password.  Again, never provide this information on any website or anywhere else until you have first confirmed that the website is legitimate.  It might be a phony, tainted website merely phishing for your information.  Trust me, you can’t trust anyone.

Scam of the day – September 21, 2014 – Qantas phishing scam

September 21, 2014 Posted by Steven Weisman, Esq.

Qantas airline has issued  warning about a Facebook scam in which the banner advertisement featured below invites people to “like” it and then to share it with their friends in order to win a $1,500 travel voucher.  If you click on the page, you are directed to a phony Qantas Facebook page where you are asked to provide personal information.  People providing the information are in great danger of identity theft as the phony ad is just a phishing scam to get your personal information.

This is the fake Qantas Facebook account which is being investigated 

TIPS

In the case of Qantas, it only runs its promotional campaigns from its own authenticated Facebook page or though the official Qantas website.  As I always warn you, never click on links unless you are absolutely sure that they are legitimate.  Merely because it appears on your Facebook page does not make it legitimate.  If you believe it may be a legitimate promotional offer, ignore the social media posting, email or text message that sends you a legitimate looking offer and go directly to the company’s own website and make sure that you type in the name of the company’s website correctly to avoid being directed to another phony website.

Scam of the day – July 21, 2014 – Yahoo email phishing scam

July 21, 2014 Posted by Steven Weisman, Esq.

A number of times I have written about email phishing scams that start when you receive an email that purports to be sent from AOL informing you that there is some problem with your AOL account which requires you to click on a link in order to rectify the problem.  Recently, another email server is the subject of a phishing scam.  This time it is Yahoo.  Here is a copy of an email that is presently finding its way into many people’s email boxes.  This is a phishing scam.  DO NOT CLICK ON THE LINK.  Clicking on the link will result in either your downloading a keystroke logging malware program that will steal all of the information from your computer such as your Social Security number, credit card numbers and banking information that will then be used to make you a victim of identity theft or when you click on the link you will be prompted to provide personal information that will also be used to make you a victim of identity theft.  Some phishing emails are better than others and this one was not very convincing.  The email address from which it was sent was not even a Yahoo email address.  It was the address of someone whose email had been hacked and made a part of a botnet of computers used by identity thieves to send out their phishing emails.  In addition, this email is not directed to you by name, but rather as “Yahoo user.”  As with many of these scams that often originate in foreign countries where English is a second language, the grammar is suspect as where in this email the word “responds” is used instead of the correct word “response.”

“Dear Yahoo! User

Your two incoming mails were placed on pending status due to the recent upgrade to our database, In order to receive the messages Click Here to login and wait for responds.

Customer! Mail Product Management.

Copyright © 2014 Mail! Inc. (Co. Reg.. No. 2344507D)All Rights
Reserved. Intellectual Property Rights Policy
Please do not reply to this message. Mail sent to this address cannot be answered.”

TIPS

The most important thing to remember is to never click on links in emails or download attachments unless you are absolutely sure that they are legitimate.  In this particular case, it is easy to see that it is a scam.  Additionally, you should make sure that your anti-malware and anti-virus software are installed and up to date with the latest security updates while remembering that you cannot rely on your security software because it is generally about thirty days behind the latest viruses and malware programs.

Scam of the day – July 15, 2014 – Mailbox identity theft danger

July 15, 2014 Posted by Steven Weisman, Esq.

Identity theft can be high tech, low tech or no tech and although much attention is often focused on computer phishing schemes, malware and other high tech methods of turning you into a victim of identity theft, low tech and no tech methods of identity theft can be equally as effective in stealing your identity.  One low tech method that has been around for a long time, but seems to be making a resurgence is when identity thieves put strong glue like the kind used on mouse trap paper is put on the inside of the swing-down chute in the mailboxes you find scattered throughout your city.  This glue traps mail on the chute rather than letting it go down into the mailbox when the lid is closed making it easy pickings for an identity thief who can be looking for checks you may be mailing to a business or a credit card payment.  Your check can either be altered through a process called “washing” so that the check is made to appear to be payable to the identity thief.   The identity thieves can also take the information from your check and make counterfeit checks in order to access your checking account.   They may also steal the information from your credit card statement to gain access to your credit card.

Another similar type of scam involves the identity thief putting the glue on a small object at the end of a string and lowering the string into the mailbox to go fishing for mail with checks, credit card statements or other information that can be used to make you a victim of identity theft.

TIPS

Although it seems like you should be able to trust the U.S. mail, you would be prudent to mail payments and letters with financial information directly from the post office rather than use vulnerable mailboxes.  You also should consider making your payments electronically which is even safer.  When you do use checks, you should use a type of pen called a gel pen which you can purchase at any office supply store.  The ink from these pens is almost impossible to wash off of a check by a counterfeiter.  Finally, do not put mail with personal information or checks in your own personal mailbox at your home.  Often people do this and raise the red flag on the mail box to inform the letter carrier  that there is outgoing mail to be picked up from your box.  Unfortunately, it also informs an identity thief cruising your neighborhood that there are “goodies” in your mailbox.

 

Scam of the day – July 13, 2014 – Bank of Hawaii text message scam

July 13, 2014 Posted by Steven Weisman, Esq.

Recently many residents of Hawaii have been receiving a text message that appears to come from the Bank of Hawaii informing them that their accounts have been blocked or suspended or their lines of credit have been reduced.  They are also told in the text message to call 857-453-3714 and enter their account number and PIN in order to rectify the situation.  This is a  phishing scam and anyone providing that information to the scammer would end up becoming a victim of identity theft and having their accounts emptied.

TIPS

Regardless of how official such a text message may appear, you should never provide personal information to anyone in response to a telephone call, email or text message because in none of those situations can you be sure that the person contacting you is legitimate.  If you do receive a communication from a bank, government agency or any other person or entity that you think might have a legitimate need for personal information from you, you should call the real entity at a telephone number that you know is legitimate in order to ascertain the truth.  Banks do not call, text or email their customers asking for personal information.  You should always be skeptical of anyone asking for such information.  As  I always say, “trust me, you can’t trust anyone.”  This particular scam involved the Bank of Hawaii, but this scam is constantly being done around the country using the names of other banks.  As for those of you in Hawaii who may have fallen for this scam.  You should contact the real Bank of Hawaii at 888-643-3888 or by email at icare@boh.com for help.