Posts Tagged: ‘Phishing’

Scam of the day – July 13, 2015 – Chase Bank email scam

July 13, 2015 Posted by Steven Weisman, Esq.

Today’s Scam of the day again comes directly from my own email.  It appears to be an email from Chase Bank informing me that there are problems with my online banking account that require me to click on a link to correct the urgent problem.  This is a typical phishing email scam by which you are lured into clicking on a link that will either download keystroke logging malware on to your computer, enabling the scammer to steal your data and use it to make you a victim of identity theft, or entice you into providing the personal information yourself on a phony intake form.  Either way, the information will be used to make you a victim of identity theft.

Reproduced below is a copy of the email that I received.  DO NOT CLICK ON THE LINK.  What the copy does not show is the email address from which the message was sent.  (The email itself says “massage,” not “message”; spelling errors are a good indication of a scam email, as scammers apparently are either bad spellers or bad proofreaders.)  It was sent by chasemoorgain#@outlook.com.  If you look quickly at the email address, you might not notice the misspelling of “morgan.”  Other than the misspelling, the email looks pretty legitimate, which is why it often is hard to tell a phishing email from a legitimate email.

Massage from Customer Service

Dear Chase Online(SM) Customer

We have detected irregular activity on your account. For your protection, you must verify this activity before you can continue using your account.

Please visit Online Banking to review and verify your account to remove any restrictions placed on your account.

Linked E-mail:

We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.
Sincerely,
Chase Fraud Department
2015 JPMorgan Chase & Co

TIPS

For me, in addition to the email address sending it and the misspelling of “message,” a big indicator that this is a phishing email scam is the fact that I don’t have an online bank account with Chase.  However, if someone receiving such an email did have an online account with Chase, they might be tempted to click on the link or provide the information purported to be necessary to regain access to their account.  But trust me, you can’t trust anyone.  So if you receive such an email and you think it might be legitimate, do not click on links in the email or provide personal information.  Rather, call the company at a telephone number that you know is legitimate to confirm whether or not the email was a scam.

Scam of the day – July 12, 2015 – New Amazon email scam

July 12, 2015 Posted by Steven Weisman, Esq.

Copied below is an email currently being circulated that is a good example of a social engineering phishing email designed either to get you to provide personal information or to get you to click on a link that will download keystroke logging malware on your computer, resulting in your data being stolen and used to make you a victim of identity theft.  The email appears to be an email from Amazon indicating that there is a problem with your account.  In order to remedy the problem, you are prompted to click on a link and provide the requested personal information, although just by clicking on the link you may unwittingly download the keystroke logging malware.  This type of phishing email is so effective because it looks so legitimate.  It also has a higher chance of being effective merely because so many people who receive it will indeed be Amazon customers.

Here is a copy of the email:  DO NOT CLICK ON THE LINK.

Amazon

Confirm your Amazon account.

Hello ,

We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?.
To ensure that your service is not interrupted, please update your billing information today.

Or contact Amazon Member Services Team. We’re available 24 hours a day, 7 days a week.
If you have recently updated your billing information, please disregard this message as we are processing the changes you have made.

f you need further assistance with your order.

Sincerely,
Amazon

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click “Contact Us” at the bottom of any page.

Copyright Å  2014 amzon, Inc. All rights reserved. amzon is located at 2211 N. First St., San Jose, CA 95131.

TIPS

There are a number of telltale signs that this is a scam.  First and foremost, the email address from which it was sent has no relation to Amazon.  Also, the salutation does not refer to the person receiving the email by name.  Finally, there are some misspellings and typographical errors in the email.  However, the quality of this phishing email certainly is good, which is why it is so dangerous.  The key to avoiding becoming a victim of this type of social engineering phishing scam is to follow my motto, “trust me, you can’t trust anyone.”  Never click on a link or provide personal information unless you have absolutely confirmed that the email or text message received by you is legitimate.  In this case, if you had any thought that the email might be legitimate, you should contact Amazon directly at an email address or telephone number that you know is accurate.  Don’t respond to phone numbers or email addresses contained in the email itself.

Scam of the day – July 4, 2015 – Update on hacking of Office of Personnel Management

July 4, 2015 Posted by Steven Weisman, Esq.

It was a month ago that I first reported to you about the hacking of the federal Office of Personnel Management (OPM) in which personal information on anywhere between 4 million and 14 million people was compromised.  The large discrepancy in the number of people who may have been affected by the hacking is due to the fact that although files on 4 million people were accessed, there was information on many millions more within those files.  The risk of identity theft is quite high for those affected by the data breach.  Meanwhile, as they always do, other scammers are taking advantage of people’s legitimate concern about their risk of identity theft and sending out emails that purport to be from the Office of Personnel Management appearing to offer help when all they really are doing is phishing for personal information that can be used to make the targeted person a victim of identity theft.  OPM has hired CSID, a company that provides identity theft protection and fraud resolution services and is offering 18 months of free credit report access, credit monitoring, identity theft insurance and recovery services to those people affected by the data breach.  However, be very skeptical of emails that appear to come from CSID offering assistance, but asking for information.  CSID’s URL for this purpose is opm.csid.com.  Be particularly wary if you receive an email purporting to be from CSID that is not from that address.  In fact, it is a good idea not to trust any email that asks for personal information without confirming first that it is legitimate.

TIPS

First, if you are one of the millions of people affected by this data breach, I suggest that you go to the OPM’s website for the latest announcements as to the status of the data breach and what you can and should do to protect yourself.  Here is a link to the OPM’s page with the latest information:  http://www.opm.gov/news/latest-news/announcements/

Also, if you are affected by the data breach, here is a link to CSID’s website where you can safely enroll for services: https://www.csid.com/opm/

As for all of us, a good lesson for avoiding becoming a victim of phishing that leads to identity theft is never to click on links in emails or text messages or provide information requested in an email or a text message unless you have absolutely confirmed that it is legitimate.  It is easy to send a phony email that looks quite legitimate.

Scam of the day – May 5, 2015 – Data breach at Las Vegas Hard Rock Hotel and Casino

May 5, 2015 Posted by Steven Weisman, Esq.

Fool me once, shame on you; fool me twice, shame on me.  In a repeat of a story we have heard over and over during the last few years, the Hard Rock Hotel and Casino in Las Vegas is notifying its customers of a major data breach at the restaurant, bar and various retail and service stores at its Las Vegas hotel and casino that began on September 3, 2014 and was not discovered and stopped until April 2, 2015.  The data breach did not extend to charges made on credit and debit cards at the casino and hotel itself nor to some of the other businesses operating there including Nobu, Affliction, John Varvatos, Rocks, Hart & Huntington Tattoo and Reliquary Spa & Salon.  However, numerous other retail stores and services at the Hard Rock Las Vegas property were affected, with credit and debit card numbers, customer names, and CVV codes compromised.  Although we still do not know how the data breach was accomplished and how the malware necessary to accomplish the data breach was planted in the computers of the affected companies, it is reasonable to speculate that the pattern of Target, Home Depot and so many other data breaches was followed here, by which malware was implanted on the computers of the companies that were the victims of the data breaches through phishing emails, enabling the hackers to steal credit card and debit card information that could be used for purposes of fraud and identity theft.  Had the United States broadly adopted the smart card chip technology used throughout the rest of the world instead of the old magnetic strip technology still used in the United States, this type of data breach would have been of little value to the hackers, but since companies such as those affected here at the Hard Rock continue to use this old technology, they continue to put their customers in danger of identity theft.

Here is a link to a column I wrote about this problem for USA Today in September of 2014 in which I predicted exactly how this would occur.

http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

There is little we, as consumers, can do to convince retailers to move to the more advanced smart credit card chip technology that generates a new number for every transaction so that a data breach that steals that number would be worthless to an identity thief who could not use that number for future purchases.  However, until retailers switch to this technology, which is not expected to be widely adopted until October of 2015, the most important thing that we can do as consumers is to refrain from using debit cards for retail purchases because they do not provide the same level of protection from liability that credit cards do.  We also should regularly review our credit card bills to look for fraudulent purchases and evidence of identity theft so that we can stop the bleeding as quickly as possible.  If you find that your credit card has been compromised, you should contact your credit card issuer immediately, close the account and have fraudulent charges removed.  Although the law permits credit card companies to hold their customers responsible for up to $50 of fraudulent charges, most companies do not hold their customers responsible for any amount of fraudulent purchases when the fraud is reported promptly.

Scam of the day – May 1, 2015 – FBI warns of cyberthreats to law enforcement officers

May 1, 2015 Posted by Steven Weisman, Esq.

The FBI recently issued a warning to law enforcement personnel and other public officials that they are being targeted by cyberattacks from various hacktivist groups and others who, in many instances, are posting on the Internet large amounts of personal information about their intended targets, which can be used to threaten the security of the targets as well as put them in imminent danger of identity theft.  The trail to this information often starts with the law officers and government officials themselves and their families, who not only have much information about them contained at a myriad of places accessible to the public online, but also put too much information online themselves through social media.

This situation is reminiscent of the Scam of the day from April 2, 2015 in which I told you about an ISIS-inspired group that made public personal information about American military personnel.  Although the ISIS-aligned group claimed it had hacked into military servers to obtain the information, in fact, the information was readily available merely by Googling public information available throughout the Internet.

This activity of exposing personal information of a targeted victim is called “doxing” and it presents a real threat to the security of the people exposed in this manner.  Information such as home addresses, phone numbers, email addresses, photographs and more is not difficult to obtain online and this information can be used to obtain further information through phishing attacks against the intended victims.

TIPS

Some of the things the FBI is urging law enforcement personnel and public officials to do include refraining from posting photographs on social media that show they are affiliated with law enforcement or other government agencies.  In addition, they should be more cognizant of establishing the security settings on all of their computers, smartphones and social media to as strong a setting as possible.  The FBI also advises law enforcement personnel and public officials to limit their use of social media.  In addition, it is a good idea for people who are potential targets to regularly do online searches about themselves to see what information is available about them online.  Finally, they should take the same precautions in regard to personal security that I describe in my book “Identity Theft Alert” and that we all should take.  Privacy is an important thing to be protected.

Although the FBI warning was aimed at law enforcement officers and public officials, the same advice, including being extremely careful about the information you make available online through social media and elsewhere, truly applies to us all.

Scam of the day – April 10, 2015 – Member of international computer hacking ring pleads guilty to hacking video game manufacturers

April 10, 2015 Posted by Steven Weisman, Esq.

Nineteen-year-old Austin Alcala recently became the fourth member of an international hacking ring to plead guilty to hacking into the computer networks of a number of videogame developers including Microsoft Corporation, Epic Games Inc., Valve Corporation and Zombie Studios.  In the course of the hacking of these companies, the hackers stole information and intellectual property valued at one hundred million dollars, including software source code, trade secrets and other information regarding the Microsoft Xbox Live online gaming system and popular games including FIFA, Call of Duty: Modern Warfare 3 and Gears of War 3.  Sentencing is scheduled for July 29th.

TIPS

It should come as no surprise that nineteen-year-olds without the resources of state governments and large companies have sufficient computer power to hack into the biggest companies in the world.  This case is just another example of the fact that all of us and the companies with which we do business have got to do a better job of protecting the security of important information.  As individuals, there is little we can do to compel companies and government agencies to better protect the data they hold.  However, for ourselves, there are many things we can do to enhance our security, including the use of strong passwords, encryption programs and security software that is constantly updated.  In addition, avoiding clicking on links in emails and text messages unless you are absolutely sure that they are legitimate is a good way to avoid becoming a victim of phishing.

Scam of the day – April 9, 2015 – White House computers hacked

April 8, 2015 Posted by Steven Weisman, Esq.

The Obama Administration has confirmed that White House computers were hacked last year; however, it emphasized that the extent of the cyberintrusion was limited to systems that only carried unclassified information.  It is theorized that it was Russian government hackers that were responsible for the attack and that they managed to download the malware used to access the computers’ data by way of phishing emails with tainted links that came using email addresses from the State Department, which has long been infiltrated by Russian government hackers.  This revelation highlights the concerns about the private email server used by former Secretary of State Hillary Clinton during her tenure as Secretary of State, although the most recent disclosures could bolster both her defenders and her critics.  Her defenders could say that the State Department email system was unsafe and constantly targeted by Russia, China and others and that Secretary Clinton was prudent to use her own system over which she could maintain strict controls.  Her critics could argue that it is unlikely that her private server would be as safe as that of the official government email system.

TIPS

The revelation of the White House hacking reinforces the fact that the United States, Russia, China and others are constantly engaged in cyberwarfare.  But what does this story tell us as individuals in regard to our own security and protecting our own data from hackers and identity thieves?  The primary lesson is one that we constantly need to remind ourselves of again and again, namely that in almost all data breaches, whether of individuals, governments or companies, the sophisticated malware necessary to accomplish the theft of data starts with the victim clicking on a link in a phishing email.  Therefore it is critical that you never click on links in emails or text messages regardless of how legitimate they appear until you have confirmed that they are legitimate.  You also may wish to even consider using a separate computer for financial matters and a separate computer for emails so that even if you make a mistake and download malware, there is nothing in that computer worth stealing.

Scam of the day – April 8, 2015 – Tewksbury Police Department pays ransom to retrieve files

April 7, 2015 Posted by Steven Weisman, Esq.

The Tewksbury, Massachusetts Police Department became the latest in a long list of police departments to become a victim of ransomware, malware that, generally through phishing, is downloaded on to the victim’s computers and then locks and encrypts the victim’s files, making them unusable.  In this particular case, the Tewksbury Police Department’s arrest and incident records were locked and a message appeared that read, “Your personal files are encrypted.  File decryption costs – $500.”  The particular type of ransomware used in this case has been called KEYHolder and despite the efforts of federal and state law enforcement agencies as well as two computer security companies, the data could not be retrieved.  Ultimately, the Tewksbury Police Department paid the five hundred dollar ransom electronically in bitcoins as demanded, making it pretty much impossible to trace.

In recent years, particularly since the development of CryptoLocker, one of the early ransomware malware programs, ransoming of computer data has brought criminals as much as 28 million dollars in ransom payments.  Many government agencies and police departments have been targeted along with the computers of ordinary citizens.  No one is safe.  The Collinsville, Alabama Police Department became a victim of ransomware last summer, refused to pay the ransom and lost its infected database of mugshots.  The Durham, New Hampshire Police Department also refused to pay a ransom, but wisely had backed up its information so it lost nothing of value.  Other police departments, companies, government agencies and individuals have not been so fortunate, however, and in many instances have either paid the ransom or lost their data.  Depending on the sophistication of the malware used, sometimes the ransomware can be defeated, but often it cannot.

TIPS

Certainly you want to always keep your anti-virus and anti-malware software up to date on all of your electronic devices.  However, you can never be fully confident that this will keep you safe because the latest viruses and malware are always at least a month ahead of the software security updates created to deal with these issues.  Since the ransomware generally is downloaded on to the victim’s computer by clicking on a link in an email, it is critical that you not click on links in emails unless you are absolutely sure that the link is legitimate.  Finally, it is very important to back up all of your data independently every day so that even in a worst case scenario, you will not need to give in to the demands of extortionists.

Scam of the day – March 13, 2015 – Latest developments in the Sony hacking and data breach

March 13, 2015 Posted by Steven Weisman, Esq.

Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach.  Among the new information contained in the civil complaint filed by the former employees is reference to a September 2014 audit done by PricewaterhouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems.  The complaint went on to also assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen.  The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach, including 15,200 from present and former employees who worked for the company as far back as 1955.

TIPS

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing the hackers with ready access to sensitive information.  These are just a few of Sony’s failings.

The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information.  It is also a warning to us all to limit, as much as possible, the places that do hold that information.  Many companies including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for your Social Security number.  We all should resist providing our Social Security numbers to companies that request them unless they have a legitimate need for them.