Posts Tagged: ‘Phishing’

Scam of the day – April 10, 2015 – Member of international computer hacking ring pleads guilty to hacking video game manufacturers

April 10, 2015 Posted by Steven Weisman, Esq.

Nineteen-year-old Austin Alcala recently became the fourth member of an international hacking ring to plead guilty to hacking into the computer networks of a number of videogame developers including Microsoft Corporation, Epic Games Inc., Valve Corporation and Zombie Studios.  In the course of hacking these companies, the hackers stole information and intellectual property valued at one hundred million dollars, including software source code, trade secrets and other information regarding the Microsoft Xbox Live online gaming system and popular games including FIFA, Call of Duty: Modern Warfare 3 and Gears of War 3.  Sentencing is scheduled for July 29th.

TIPS

It should come as no surprise that nineteen-year-olds without the resources of state governments and large companies have sufficient computer power to hack into the biggest companies in the world.  This case is just another example of the fact that all of us, and the companies with which we do business, have got to do a better job of protecting the security of important information.  As individuals, there is little we can do to compel companies and government agencies to better protect the data they hold; however, for ourselves, there are many things we can do to enhance our security, including the use of strong passwords, encryption programs and security software that is constantly updated.  In addition, avoiding clicking on links in emails and text messages unless you are absolutely sure that they are legitimate is a good way to avoid becoming a victim of phishing.

Scam of the day – April 9, 2015 – White House computers hacked

April 8, 2015 Posted by Steven Weisman, Esq.

The Obama Administration has confirmed that White House computers were hacked last year; however, it emphasized that the extent of the cyberintrusion was limited to systems that only carried unclassified information.  It is theorized that Russian government hackers were responsible for the attack and that they managed to get the malware used to access the computers’ data downloaded by way of phishing emails with tainted links that came from State Department email addresses; the State Department has long been infiltrated by Russian government hackers.  This revelation highlights the concerns about the private email server used by Hillary Clinton during her tenure as Secretary of State, although the most recent disclosures could bolster both her defenders and her critics.  Her defenders could say that the State Department email system was unsafe and constantly targeted by Russia, China and others and that Secretary Clinton was prudent to use her own system over which she could maintain strict controls.  Her critics could argue that it is unlikely that her private server would be as safe as the official government email system.

TIPS

The revelation of the White House hacking reinforces the fact that the United States, Russia, China and others are constantly engaged in cyberwarfare.  But what does this story tell us as individuals in regard to our own security and protecting our own data from hackers and identity thieves?  The primary lesson is one that we need to remind ourselves of again and again, namely that in almost all data breaches, whether of individuals, governments or companies, the sophisticated malware necessary to accomplish the theft of data starts with the victim clicking on a link in a phishing email.  Therefore, it is critical that you never click on links in emails or text messages, regardless of how legitimate they appear, until you have confirmed that they are legitimate.  You may also wish to consider using a separate computer for financial matters and a separate computer for emails so that even if you make a mistake and download malware, there is nothing in that computer worth stealing.

Scam of the day – April 8, 2015 – Tewksbury Police Department pays ransom to retrieve files

April 7, 2015 Posted by Steven Weisman, Esq.

The Tewksbury, Massachusetts Police Department became the latest in a long list of police departments to fall victim to ransomware, malware that, generally through phishing, is downloaded onto the victim’s computers and then locks and encrypts the victim’s files, making them unusable.  In this particular case, the Tewksbury Police Department’s arrest and incident records were locked and a message appeared that read, “Your personal files are encrypted.  File decryption costs – $500.”  The particular type of ransomware used in this case has been called KEYHolder and, despite the efforts of federal and state law enforcement agencies as well as two computer security companies, the data could not be retrieved.  Ultimately, the Tewksbury Police Department paid the five hundred dollar ransom electronically in bitcoins as demanded, making the payment pretty much impossible to trace.

In recent years, particularly since the development of CryptoLocker, one of the early ransomware programs, ransoming of computer data has brought criminals as much as 28 million dollars in ransom payments.  Many government agencies and police departments have been targeted along with the computers of ordinary citizens.  No one is safe.  The Collinsville, Alabama Police Department became a victim of ransomware last summer, refused to pay the ransom and lost its infected database of mugshots.  The Durham, New Hampshire Police Department also refused to pay a ransom, but wisely had backed up its information so it lost nothing of value.  Other police departments, companies, government agencies and individuals have not been so fortunate, however, and have either paid the ransom or lost their data in many instances.  Depending on the sophistication of the malware used, sometimes the ransomware can be defeated, but often it cannot.

TIPS

Certainly you want to always keep your anti-virus and anti-malware software up to date on all of your electronic devices; however, you can never be fully confident that this will keep you safe because the latest viruses and malware are always at least a month ahead of the software security updates created to deal with these issues.  Since the ransomware is generally downloaded onto the victim’s computer by clicking on a link in an email, it is critical that you not click on links in emails unless you are absolutely sure that the link is legitimate.  Finally, it is very important to back up all of your data independently every day so that even in a worst case scenario, you will not need to give in to the demands of extortionists.

Scam of the day – March 13, 2015 – Latest developments in the Sony hacking and data breach

March 13, 2015 Posted by Steven Weisman, Esq.

Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach.  Among the new information contained in the civil complaint filed by the former employees is reference to a September 2014 audit done by PricewaterhouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems.  The complaint went on to also assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen.  The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach including 15,200 from present and former employees who worked for the company as far back as 1955.

TIPS

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords, giving the hackers ready access to sensitive information.  These are just a few of Sony’s failings.

The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information.  It is also a warning to us all to limit, as much as possible, the places that do hold that information.  Many companies including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for it.  We all should resist providing our Social Security numbers to companies that request them unless they have a legitimate need for them.

Scam of the day – February 28, 2015 – Carnegie Mellon phishing scam

February 28, 2015 Posted by Steven Weisman, Esq.

Carnegie Mellon University is one of the country’s foremost universities in various areas of technology, but that does not mean that Carnegie Mellon employees are any better than anyone else at recognizing phishing emails.  Phishing remains the primary way that many major data breaches are initiated: employees of a company receive a legitimate-appearing email that prompts the recipient to click on a link under various guises.  Unfortunately, what happens in many instances is that by clicking on the link, malware becomes installed that enables the hacker to steal information and data from the computer data banks of the company.  This simple technique was how the Sony hacking and the recent billion dollar hacking of a hundred banks around the world were accomplished.  Another way that phishing works is by luring the victims to enter their usernames and passwords into legitimate-appearing communications, thus providing that information to hackers and identity thieves.  That is what happened to an undetermined number of Carnegie Mellon employees who were lured into providing their log-in information when they responded to an email entitled “Your Salary Raise Information.”

TIPS

This phishing scam is particularly noteworthy because it once again shows that sophisticated, technologically savvy people can fall for the lures of phishing emails, which is why everyone should always be skeptical before responding to any email or text message that requires you to provide personal information or click on a link.  In either situation, you can never be sure when you receive an email or text message that the communication is legitimate.  So along with maintaining the latest security software on your electronic devices, it is important to make it a habit never to provide personal information or click on links in response to text messages or emails until you have absolutely confirmed that the communication is legitimate.

Scam of the day – February 17, 2015 – Billion dollar international bank hacking

February 17, 2015 Posted by Steven Weisman, Esq.

Russian cybersecurity company Kaspersky Lab issued a report yesterday disclosing what may well be the biggest bank hacking in history.  The hacking of more than 100 banks in the United States, Japan, Switzerland, the Netherlands and primarily Russia was accomplished by a criminal group called the Carbanak cybergang, composed of Russians, Chinese and Europeans, who through advanced malware installed on the computers of the targeted banks infiltrated the computers of the banks’ employees in charge of cash transfer systems and ATMs.  They then installed a remote access tool (RAT) on these employees’ computers that enabled the hackers to see everything done on these employees’ computers, with the goal of mimicking the look of legitimate transactions when the hackers activated electronic transactions and programmed ATMs to dispense money at specific times.  In this way they stole as much as a billion dollars over the last two years.

TIPS

As of today, no bank has admitted that it was one of the affected banks.  This makes fighting similar attacks more difficult, which is one reason President Obama has recently been advocating for a law to mandate public disclosure of such security breaches by financial institutions.  An important aspect of this hacking that has often been overlooked in some early reporting of the story is that although the malware used to perpetrate this crime is amazingly sophisticated, the planting of the sophisticated malware into the computers of the targeted banks was accomplished by old-fashioned phishing emails that lured the bank employees to click on infected links.  Everyone, including companies, governments and private individuals, has got to do a better job of not clicking on links, no matter how legitimate they may appear, until they have been confirmed to be legitimate.  Remember my motto, “trust me, you can’t trust anyone.”

Scam of the day – February 16, 2015 – Turbo Tax scam update

February 16, 2015 Posted by Steven Weisman, Esq.

As I reported to you previously, earlier this month following a rash of fraudulent state income tax filings using Turbo Tax software in nineteen states, Turbo Tax temporarily suspended electronic state income tax filings through Turbo Tax.  Although the matter is still under investigation, it does not appear that Turbo Tax was hacked.  It is more likely that identity thieves who had already obtained the Social Security numbers of their victims were using Turbo Tax’s convenient software to file fraudulent returns in which they claim phony refunds.  On the federal level, this is a 5.2 billion dollar problem annually.  Now, enterprising identity thieves are sending out phishing emails that appear to be sent by Turbo Tax in which the email recipient is told that there is a problem with the person’s electronically filed income tax return and that they need to click on a link and provide personal information in order to rectify the problem.  This is a scam that is intended either to lure the victim into downloading keystroke logging malware that will steal personal information from the victim’s computer or other electronic device and use that information to make the person a victim of identity theft, or to lure the victim into providing the personal information directly to the identity thief posing as Turbo Tax.

TIPS

Whenever you get an email or a text message either asking for personal information directly or instructing you to click on a link, you should not respond until you have absolutely confirmed that the email or text message is legitimate.  Making a counterfeit email look official is child’s play, so even if the communication looks legitimate, you should not trust it.  The better course of action is to contact the company directly at a telephone number, email address or website that you know is legitimate to confirm whether the original communication was legitimate.  Scammers and identity thieves always take advantage of the latest public concerns to convince people to provide information used to make them victims of identity theft.

Scam of the day – February 12, 2015 – Anthem hacking lawsuits filed

February 11, 2015 Posted by Steven Weisman, Esq.

Although the hacking and data breach at Anthem, the country’s second largest health insurance company, was disclosed only eight days ago, the first lawsuits alleging negligence on the part of Anthem in failing to take proper steps to protect the personal data of as many as 80 million Anthem customers were filed in Indiana, California, Alabama and Georgia.  It now appears that the actual hacking was first detected by Anthem on January 27th, but started as early as December 10th.  Once again, as is the pattern with so many major data breaches, it appears that the hackers gained access to Anthem’s reportedly unencrypted databases through phishing emails that tricked five Anthem employees into either providing their passwords or clicking on malware-loaded links that stole the passwords from the Anthem employees’ computers.

TIPS

Many companies are just not doing enough to protect their sensitive data, including personal information of their customers.  There are many steps that companies can and should be taking, including greater encryption of data, employee education about phishing and limiting access to information from off-site computers.  Whether companies need to be prompted by lawsuits or legislation, the problem is so significant that companies must take action now to better protect themselves from hacking.

As for us, the customers, all we can do is try to limit as best we can the personal information provided to the companies with which we do business (your doctor does not need your Social Security number) and monitor our financial and medical dealings for signs of identity theft.  Putting a credit freeze on your credit reports at each of the three major credit reporting agencies is another good step to take in order to reduce your risk of identity theft.  You can find information about how to put a credit freeze on your credit reports here on Scamicide in the archives.