Posts Tagged: ‘Phishing’

Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents, with features for electronic signatures.  Its service is used by many companies.  Recently I received a phishing email, reproduced below, that purported to be from an attorney that I know and with whom I do business, asking me to click on a link to open a document that needed my signature.  The phishing email looked very professional, contained the DocuSign logo and appeared legitimate.  In the copy of the email below, I have blocked out the name and other personal information that identified the attorney who was purported to have sent me the document.  DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the recipient into clicking on the link and either providing personal information that could be used for identity theft or, as is more likely in this particular phishing attempt, having keystroke logging malware downloaded onto the computer merely by clicking on the link.  This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft.  This email was particularly dangerous because it came from someone with whom I do business, whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice as to never click on a link regardless of how legitimate the email or text message may appear until confirming that the message is legitimate.  I emailed back to the attorney and asked him to confirm that it was legitimate and answer a question which I knew only he would know the answer to.  The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear.  You can never be sure, when you receive an email, who is really contacting you.  Sometimes it is obvious, because the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware.  Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.


Scam of the day – April 10, 2016 – Sony hacking settlement approved by judge

April 9, 2016 Posted by Steven Weisman, Esq.

Last November I reported to you about the tentative settlement of the lawsuit brought by former Sony Pictures Entertainment employees against the company that related to the massive 2014 data breach at Sony, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was stolen.  The plaintiffs alleged that Sony was negligent in failing to protect their personal information.  I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015.  Now Judge Gary Klausner has given final approval to the settlement.  Under the terms of the settlement, Sony will provide payments of up to $10,000 to individual employees who suffered identity theft related financial losses related to the data breach, up to a total of 2.5 million dollars for all claimants.  An additional 2 million dollars will be set aside to provide up to $1,000 to reimburse affected employees for the cost of their identity theft protection services.  Sony will also provide credit monitoring services through AllClear through December 31, 2017.  To date 18,000 people have signed up for the free credit monitoring services.

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  The list of Sony’s failings is long.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” containing a compendium of passwords that gave the hackers ready access to sensitive information.  These are just a few of Sony’s failings; however, many of them are shared by many of the companies that hold the personal information of all of us.

TIPS

There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer.  Additionally, we should try to limit as much as possible the personal information that we provide to such companies.  For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it.  The Sony lawsuit was the first of a wave of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security.  Perhaps being held financially responsible for their lax security will serve as an incentive for companies to do a better job of protecting our information.

Scam of the day – March 29, 2016 – SEC settles insider trading charges with Russian hedge fund manager

March 29, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and numerous times thereafter as the story developed, forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania.  It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades.  In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000.  Garkusha is cooperating with the government at this time.  His sentencing is scheduled for May 6th.  In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has announced that it has settled civil charges against Moscow-based hedge fund manager David Amaryan and his funds Copperstone Alpha Fund, Copperstone Capital, Ocean Prime, Inc and Intertrade Pacific SA, through which Amaryan earned more than eight million dollars in profits through the illegal scheme.  Pursuant to the settlement, Amaryan and his companies will pay the SEC ten million dollars.  Of course, as is typical in such settlements, Amaryan neither admitted nor denied any wrongdoing; however, pursuant to the settlement he is prohibited from using such tactics in the future, which is akin to Amaryan saying he didn’t do anything wrong and promising not to do it again, while also agreeing to pay ten million dollars to the SEC.

TIPS

One of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Phishing, and the more targeted spear phishing, are also the way that the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers.  Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us, as individuals, should also learn in our own lives, because identity thieves and hackers use the same phishing techniques to hack into the computers of individuals and steal their personal information.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and to keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Scam of the day – March 16, 2016 – New Chase phishing email

March 15, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers, and with good reason, because they work.  Here is a copy of a new phishing email that appears to come from Chase bank and is presently circulating.  DO NOT CLICK ON THE LINK.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.

Dear Chase customer:

As part of our commitment to help keep your account secure, we have detected an irregular activity on your account and we are placing a hold on your account for your protection.

Please visit the confirmation of accounts system
www.chase.com

Please enter your information carefully


Sincerely, 

Chase Online Banking Team 


ABOUT THIS MESSAGE:

We sent this email from an unmonitored mailbox. Go to chase.com/CustomerService to find the best way to contact us.

Your privacy is important to us. See our online Security Center to learn how to protect your information. Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

© 2016 JPMorgan Chase Bank, N.A. Member FDIC

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email.  The email address from which it was sent has nothing to do with Chase, but most likely was from a hacked email account that is part of a botnet of computers controlled remotely by the scammer.  In addition, legitimate credit card companies would refer to your specific account number in the email.  They also would not use the generic greeting “Dear Chase Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony, webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card, where you can confirm that it is a scam.  Make sure that you dial the telephone number correctly, because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies such as Chase, to trap you if you make a mistake in dialing the real number.

Scam of the day – March 7, 2016 – Bank of America phishing scam

March 7, 2016 Posted by Steven Weisman, Esq.

Here is another good example of a phishing email that is presently being circulated.  It makes for compelling reading, but it is a scam.  Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers, and with good reason, because they work.  As always, they lure you by making it appear that there is an emergency that requires your immediate attention or else dire consequences will occur.  Here is a copy of a new phishing email that appears to come from Bank of America and is presently circulating.  This particular one came with very good looking graphics and a Bank of America logo, but it is a scam.  DO NOT CLICK ON THE LINK.

Online Banking Alert
Unauthorized Sign-In
As part of our security measures, during our system regularly scheduled account maintenance and verification procedures, we have detected a slight error in your online banking information. Our system requires account verification for more security and protection to your account.

To confirm this verification log into Online Banking and update your information.

Once you have verified your records, your Account Services will not be interrupted and will continue as normal.
Security Checkpoint: This email includes a Security Checkpoint. The information in this section lets you know this is an authentic communication from Bank of America.
Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2016 Bank of America Corporation. All rights reserved.

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with Bank of America, but most likely was from a computer that was part of a botnet of computers hacked into and controlled remotely by the scammer.  In addition, legitimate emails from your bank would include the last four digits of your account.  This email does not use the customer’s name or account number anywhere in the email.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call your bank at a telephone number that you know is accurate and you will be able to confirm that it is a scam.

Scam of the day – February 23, 2016 – Oregon man pleads guilty to hacking celebrity email accounts

February 23, 2016 Posted by Steven Weisman, Esq.

After pleading guilty to a charge of felony computer hacking, 29-year-old Andrew Helton of Portland, Oregon is facing a sentence of up to five years in prison when he is sentenced on June 2nd.  Between March 2011 and May 2013, Helton used a phishing scheme to steal the usernames and passwords of 363 Apple and Google email accounts, including those of many celebrities.  Once he had access to his victims’ email accounts he was able to access all of their contents, including 161 sexually explicit or nude images of thirteen of his victims, some of whom were celebrities.  It should be noted that Helton did not post any of the stolen photos online, and his case is totally unrelated to the stealing and posting of nude photos of celebrities including Jennifer Lawrence and Kate Upton that occurred in September of 2014.

Helton obtained the usernames and passwords of his victims through a simple phishing scheme by which he sent emails to his victims that appeared to come from Apple or Google in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple or Google.  Once they entered their information, Helton had all that he needed to access his victims’ accounts.

TIPS

The type of phishing scam used by Helton is one used by many other scammers as well, and it is easy to defend against.  Always be skeptical when you are asked to provide your personal information, such as your username, password or any other personal information, in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or a sender’s email address that does not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified, by contacting the company, that the communication is legitimate.

In addition, you should not store personal data or any photos or other material on your email account. Store such data in the cloud or some other secure place.

Scam of the day – February 20, 2016 – Nine new defendants in cyber stock scam

February 20, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and twice thereafter, more than thirty people were indicted in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania.  It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades.  In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000.  Garkusha is cooperating with the government at this time.  His sentencing is scheduled for May 6th.  In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has filed fraud charges against nine new defendants in this case including both companies and individuals who traded with a brokerage company in Malta using the stolen information.

TIPS

One of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Phishing, and the more targeted spear phishing, are also the way that the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers.  Apparently corporations still have not learned to train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us, as individuals, should also learn in our own lives, because identity thieves and hackers use the same phishing techniques to steal the identities of individual victims.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and to keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Scam of the day – January 25, 2016 – Cracka strikes again

January 25, 2016 Posted by Steven Weisman, Esq.

Back in October I told you about CIA Director John Brennan’s personal email account being hacked.  The hacking was not done by Russian, Iranian or Chinese government hackers.  Instead, it was done by a teenage hacker who calls himself Cracka and his group Crackas With Attitude.  Among the data stolen by the hackers were government documents stored in Brennan’s personal email account.  Now it has been disclosed that Cracka has also recently hacked online accounts of James Clapper, the Director of US National Intelligence, and John Holdren, the Director of the White House’s Office of Science and Technology Policy.  What is particularly troubling about these hackings is how easy it was for Cracka and his cohorts to hack the accounts of top level government officials using basic phishing and social engineering techniques.  In the case of John Holdren, Cracka has indicated that he gained access to his accounts merely by sending an email posing as Holdren to Holdren’s wife, telling her he had lost the password for their Xfinity account and asking for it, which she supplied.  In the case of the hacking of Brennan, Cracka started the hack by doing a reverse lookup of Brennan’s smartphone number and found that he was a customer of Verizon.  He then called Verizon, posed as a Verizon technician and merely asked for Brennan’s personal information, which was provided once Cracka gave the Verizon employee to whom he was talking a phony version of the “V code” assigned to all Verizon employees.  The Verizon employee then provided Cracka with Brennan’s account number, his PIN, the backup cell phone number on the account, his email address and the last four digits of his bank card.  Armed with this information, Cracka then contacted Brennan’s email provider and, after answering security questions with the information obtained from Verizon, changed Brennan’s password and took over the account.

TIPS

So what does this mean to you?  We all have important and sensitive information in our email accounts, and perhaps we shouldn’t.  A better habit would be to store personal and sensitive information in a secure folder on your computer.  This hacking is also a reminder that, whenever possible, you should use dual factor authentication, by which, when you wish to access a particular account such as your email, you can only do so by providing a one time code sent to your smartphone each time you attempt to log in.  Dual factor authentication would have prevented this hacking.  In addition, a problem that has come up time and time again is that when security questions are used to enable someone to change their password, the answers to many of the security questions we use can be obtained from a variety of sources, including social media and public records.  One way to make your security question stronger is to provide a nonsensical answer to it.  So if the question is what is your mother’s maiden name, an often used and particularly weak security question, pick a nonsensical answer such as “grapefruit.”  You will remember it because it is so ludicrous, but no one is going to be able to obtain the information necessary to answer your security question.  If Brennan had used such a nonsensical security question answer, the hackers would not have been able to take over his account.  Also, Holdren could have avoided being hacked had his wife contacted her husband directly before responding to an email posing as him asking for a password.  Trust me, you can’t trust anyone.

Scam of the day – January 4, 2016 – Nigerian charged with “whaling”

January 4, 2016 Posted by Steven Weisman, Esq.

When it comes to cybercrime, “whaling” may be a term with which you are not familiar.  By now, everyone is aware of the term “phishing,” which refers to the social engineering crime by which scammers send emails purporting to be from a legitimate source in which they lure you into either clicking on malware infected links or directly sending them money.  Often phishing emails are easy to spot because they may not be directed to you by name, but rather by a salutation such as “Dear Customer,” and may not contain the type of information that would make you tend to believe that the email is legitimate.  “Spear Phishing” is more refined phishing, where the scammer has gathered, often through hacking of various websites and companies, personal information about you, such that when you receive the phony email from the scammer it appears more legitimate.  The latest criminal version of this tactic is called “whaling,” and it is a type of spear phishing aimed at the big fish.

Recently, Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa, was arrested and charged with wire fraud based on scamming 17 Texas companies out of more than $600,000 through whaling.  Amuegbunam is alleged to have sent emails that appeared to be from high level company executives to lower level company employees who had the authority to wire funds on behalf of the company, requesting that funds be wired to bank accounts he controlled.  The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately 740 million dollars using this technique.

The scammers who use whaling are sophisticated criminals who gather much personal information about the companies and individuals targeted before sending their whaling emails.  They use this information to tailor their emails to make them appear legitimate.  Often they are able to gather much of this information through social media such as Facebook where people sometimes have a tendency to share too much personal information.

TIPS

In the case of Amuegbunam, one of the emails he is alleged to have sent was to a company executive for Luminant Corp, which is a Texas electric utility company.  However, if the company executive had looked closely at the email address of the sender, he would have noticed that the name Luminant was misspelled in the email address, so that it actually read “lumniant.”  This is an easy misspelling to miss, which is why scammers are able to register email addresses that, when looked at quickly, may appear to come from someone at the legitimate company rather than from a scammer.  In this particular case, had the employee noticed that the email address of the sender was not legitimate, it would have saved the company $98,550.
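The “lumniant” for “luminant” swap above is a single transposition, which is exactly the kind of near miss a human eye skips over but a distance check catches.  The following is an added example (not code from the original post or from any company it names) that compares a sender’s domain against a list of trusted partner domains; the domains and addresses are constructed for the example.

```python
"""
Flag sender domains that are near misses of trusted partner domains,
e.g. "lumniant.com" standing in for "luminant.com" (constructed example,
modelled on the misspelling described in the post).
"""
from email.utils import parseaddr


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each cost 1.
    A transposition such as 'luminant' -> 'lumniant' therefore scores 1
    (plain Levenshtein would score it 2)."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased.
    The display name is ignored on purpose: it is attacker-controlled."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().strip()


def classify_sender(from_header: str, trusted_domains, max_distance: int = 2):
    """Return (verdict, domain, closest_trusted, distance).

    verdict is 'trusted'  for an exact match,
               'lookalike' for a non-matching domain within max_distance
                           edits of a trusted one (review before acting),
               'unknown'   otherwise.
    """
    domain = sender_domain(from_header)
    trusted = {t.lower() for t in trusted_domains}
    if not domain or not trusted:
        return ("unknown", domain, None, None)
    if domain in trusted:
        return ("trusted", domain, domain, 0)
    distance, closest = min((osa_distance(domain, t), t) for t in trusted)
    if distance <= max_distance:
        return ("lookalike", domain, closest, distance)
    return ("unknown", domain, closest, distance)


if __name__ == "__main__":
    # Constructed sample: an assumed trusted-partner list and three senders.
    partners = ["luminant.com"]
    for hdr in ('"J. Roe, CFO" <cfo@luminant.com>',
                '"J. Roe, CFO" <cfo@lumniant.com>',
                "XXX@aol.com"):
        print(hdr, "->", classify_sender(hdr, partners))
```

A wire-transfer request whose sender is classified as a lookalike is a good trigger for the out-of-band confirmation step the post recommends.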

The lesson for companies is both to educate employees as to the telltale signs of spear phishing and whaling and to have a confirmation protocol in place to be followed when authorizing the wiring of funds, particularly when they are being sent to companies or individuals with which the company has not done business in the past.

As for the rest of us, we should be careful to avoid spear phishing too.  Consider how information that you post on social media could be used to defraud you before you post anything and remember that personal information about you and your business accounts can also be gathered through data breaches at companies with which you do business.  Therefore, as I always advise you, never click on links in emails, send money or provide personal information in response to emails that you receive regardless of how legitimate they may appear until you have confirmed that they are indeed not scams.

Scam of the day – November 12, 2015 – New Chase phishing email

November 12, 2015 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.  They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating.  This particular one came with quite good looking graphics and a Chase logo, but it is a scam.

“Confirmation of Recent Account Activity –
Unable to Contact You- Action Required
Your Account Ending in *46*

Dear Customer:

As part of our commitment to help keep your account secure, we routinely verify activity that seems unusual based on your general account usage. We called you to help us verify recent activity, but we weren’t able to reach you.  If you’ve already taken the required action about this recent activity, there’s nothing you need to do at this time. Otherwise, we ask that you Follow the next required action: •Log in to your account now and follow the instructions..Click here
We are here to assist you anytime. Your account security is our priority. Thank you for choosing Chase.

Sincerely,
Chase Fraud Department

Is your contact information current? Make sure we can reach you if we notice suspicious activity on your account. Update your information by logging into your account at Click here.

ABOUT THIS MESSAGE:
This service message was delivered to you as a Chase customer to provide you with account updates and information about your card benefits. Chase values your privacy and your preferences.

If you want to contact Chase, please do not reply to this message, but instead go to Click here. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by state-of-the-art technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, Texas 78265-9752

© 2015 JPMorgan Chase & Co. ”

TIPS

An indication that this is a phishing email is that the email address from which it was sent had nothing to do with Chase, but most likely was from a computer that was part of a botnet of computers controlled remotely by the scammer.  In addition, legitimate credit card companies do not refer merely to the last two digits of your account in emails, but instead refer to the last four digits.  They also would not use the generic greeting “Dear Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam.
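The TIPS for the Chase and Bank of America emails above all rest on the same handful of indicators: a sender address unrelated to the bank, a generic greeting, no account reference (or one with fewer than four digits), urgency language, and links that lead somewhere other than the bank.  The following is an added example (not code from the original posts or from either bank) that turns those indicators into a check over a raw message; the brand domain list, sender addresses and sample messages are constructed for the example.

```python
"""
Heuristic phishing indicators, modelled on the checks described in the
Chase and Bank of America posts. Brand domains and samples are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of domains the brand legitimately sends from (example value).
BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(chase\s+)?(customer|member|client)\b", re.I | re.M)
ACCOUNT_REF = re.compile(r"(?:ending\s+in|account\s+ending|last\s+four)\D{0,5}(\*?\d+\*?)", re.I)
URGENCY = re.compile(
    r"\b(action required|placing a hold|irregular activity|unauthorized|"
    r"suspend(?:ed)?|immediately|within \d+ hours)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _same_org(host: str, brands) -> bool:
    """True if host is a brand domain or a subdomain of one.
    'chase.com.example' is NOT the same org as 'chase.com'."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in brands)


def _text_body(msg) -> str:
    """Concatenate every text/plain and text/html part as decoded text."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message: str, brands=BRAND_DOMAINS):
    """Return the list of indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = _text_body(msg)
    found = []
    _, addr = parseaddr(msg.get("From", ""))
    if not _same_org(addr.rpartition("@")[2], brands):
        found.append("sender-domain-not-brand")
    if GENERIC_GREETING.search(body):
        found.append("generic-greeting")
    m = ACCOUNT_REF.search(body)
    digits = re.sub(r"\D", "", m.group(1)) if m else ""
    if len(digits) < 4:            # no reference, or only "*46*"-style stubs
        found.append("no-four-digit-account-reference")
    if URGENCY.search(body):
        found.append("urgency-language")
    for link in URL.findall(body):
        host = urlparse(link).hostname or ""
        if not _same_org(host, brands):
            found.append("link-outside-brand:" + host)
            break
    return found


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Two or more indicators is enough to route the message for review."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed composite of the two Chase samples in the posts (not a real capture).
SCAM = """\
From: "Chase Online" <alerts@mail-secure-update.example>
To: victim@example.net
Subject: Irregular activity on your account
Content-Type: text/plain; charset="utf-8"

Dear Chase customer:

Your Account Ending in *46*

As part of our commitment to help keep your account secure, we have detected
an irregular activity on your account and we are placing a hold on your
account for your protection.

Please visit the confirmation of accounts system
http://chase.com.account-verify.example/login

Sincerely,
Chase Online Banking Team
"""

# Constructed message with the properties the posts say a legitimate one has.
LEGIT = """\
From: Chase <no.reply.alerts@chase.com>
To: victim@example.net
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Dear Jane Roe:

Your statement for the account ending in 1234 is now available.
Sign in at https://www.chase.com to view it.
"""

if __name__ == "__main__":
    print("scam :", phishing_indicators(SCAM))
    print("legit:", phishing_indicators(LEGIT))
```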