Posts Tagged: ‘Phishing’

Scam of the day – March 13, 2015 – Latest developments in the Sony hacking and data breach

March 13, 2015 Posted by Steven Weisman, Esq.

Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach.  Among the new information contained in the civil complaint filed by the former employees is reference to a September 2014 audit done by PricewatershouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems.  The complaint when on to also assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen.  The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach including 15,200 from present and former employees who worked for the company as far back as 1955.

TIPS

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  The list of Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing ready access to the hackers to sensitive information.  These are just a few of Sony’s failings.

The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information.  It is also a warning to us all to limit, as much as possible, the places that do hold that information.  Many companies including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for your Social Security number.  We all should resist providing our Social Security numbers to companies that request it unless they have  legitimate need for it.

Scam of the day – February 28, 2015 – Carnegie Mellon phishing scam

February 28, 2015 Posted by Steven Weisman, Esq.

Carnegie Mellon University is one of the country’s foremost universities in various areas of technology, but that does not mean that Carnegie Mellon employees are any better than anyone else at recognizing phishing emails.  Phishing remains the primary way that many major data breaches are initiated when employees of a company receive a legitimate appearing email that prompts the person receiving the email to click on a link under various guises.  Unfortunately, what happens in many instances is that by clicking on the link, malware becomes installed that enables the hacker to steal information and data from the computer data banks of the company.  This simple technique was how the Sony hacking and the recent billion dollar hacking of a hundred banks around the world was accomplished.  Another way that phishing works is by luring the victims to enter their usernames and passwords into legitimate appearing communications thus providing that information to hackers and identity thieves.   That is what happened to an undetermined number of Carnegie Mellon employees who  were lured into providing their log-in information when they responded to an email entitled “Your Salary Raise Information.”

TIPS

This phishing scam is particularly noteworthy because it once again shows that sophisticated, technologically savvy people can fall for the lures of phishing emails, which is why everyone should always be skeptical before responding to any email or text message that requires you to provide personal information or click on a link.  In either situation, you can never be sure when you receive an email or text message that the communication is legitimate.  So along with maintaining the latest security software on your electronic devices, it is important to make it a habit to never to provide personal information or click on links in response to text messages or emails until you have absolutely confirmed that the communication is legitimate.

Scam of the day – February 17, 2015 – Billion dollar international bank hacking

February 17, 2015 Posted by Steven Weisman, Esq.

Russian cybersecurity company, Kasperky Lab issued a report yesterday disclosing what may well be the biggest bank hacking in history.  The hacking of more than 100 banks in the United States, Japan, Switzerland, the Netherlands and primarily Russia was accomplished by a criminal group called the Carbanak cybergang composed of Russians, Chinese and Europeans who through advanced malware installed on the computers of the targeted banks permitted the hackers to infiltrate the computers of the banks’ employees in charge of cash transfer systems and ATMs.  They then installed a remote access tool (RAT) on these employees’ computers that enabled the hackers to see everything done on these employees’ computers with the goal of mimicking the look of legitimate transactions when the hackers activated electronic transactions and programmed ATMs to dispense money at specific times to steal as much as a billion dollars over the last two years.

TIPS

As of today, no bank has admitted that it was one of the affected banks.  This makes fighting similar attacks more difficult, which is one reason President Obama has recently been advocating for a law to mandate public disclosure of such security breaches by financial institutions.  An important aspect to this hacking that has been often overlooked in some early reporting of the story is that although the malware used to perpetrate this crime is amazingly sophisticated, the planting of the sophisticated malware into the computers of the targeted banks was accomplished by old-fashioned phishing emails that lured the bank employees to click on infected link.  Everyone including companies, governments and private individuals have got to do a better job of not clicking on links no matter how legitimate they may appear until you have confirmed that they are indeed legitimate. Remember my motto, “trust me, you can’t trust anyone.”

Scam of the day – February 16, 2015 – Turbo Tax scam update

February 16, 2015 Posted by Steven Weisman, Esq.

As I reported to you previously, earlier this month following a rash of fraudulent state income tax filings using Turbo Tax software in nineteen states, Turbo Tax temporarily suspended electronic state income tax filings through Turbo Tax.  Although the matter is still under investigation, it does not appear that Turbo Tax was hacked.  More likely it is that identity thieves who already obtained the Social Security  numbers of their victims were using Turbo Tax’s convenient software to file fraudulent return in which they claim phony refunds.  On the federal level, this is a 5.2 billion dollar problem annually.  Now, enterprising identity thieves are sending out phishing emails that appear to be sent by Turbo Tax in which the email recipient is told that there is a problem with the person’s electronically filed income tax return and that they need to click on a link and provide personal information in order to rectify the problem.  This is a scam that is intended either to lure the victim into downloading keystroke logging malware that will steal personal information from the victim’s computer or other electronic device and use that information to make the person  a victim of identity theft or to lure the victim into providing the personal information directly to the identity thief posing as Turbo Tax.

TIPS

Whenever you get an email or a text message either asking for personal information directly or instructing you to click on a link, you should not respond until you have absolutely confirmed that the email or text message is legitimate.  Making a counterfeit email look official is child’s play so even if the communication looks legitimate, you should not trust it.  The better course of action is to contact the company directly at a telephone number, email address or website that you know is legitimate to confirm whether the original communication was legitimate.  Scammers and identity thieves always take advantage of the latest public concerns to convince people to provide information used to make them victims of identity theft.

Scam of the day – February 12, 2015 – Anthem hacking lawsuits filed

February 11, 2015 Posted by Steven Weisman, Esq.

Although the disclosure of the hacking and data breach at Anthem, the country’s second largest health insurance company was only disclosed eight days ago, the first lawsuits alleging negligence on the part of Anthem in failing to take proper steps to protect the personal data on the as many as 80 million Anthem customers were filed in Indiana, California, Alabama and Georgia.  It now appears that the actual hacking was first detected by Anthem on January 27th, but started as early as December 10th.  Once again, as is the pattern with so many major data breaches, it appears that the hackers gained access to Anthem’s, what have been reported to be, unencrypted data bases through phishing emails that tricked five Anthem employees  into either providing their passwords or clicking on malware loaded links that stole the passwords from the Anthem employees’ computers.

TIPS

Many companies are just not doing enough to protect their sensitive data including personal information of their customers.   There are many steps that companies can and should be taking including greater encryption of data, employee education about phishing and limiting of access to information from off-site computers.  Whether companies need to be prompted by lawsuits or legislation, the problem is so significant that companies must take action now to better protect themselves from hacking.

As for we, the customers, all we can do is try to limit as best we can the personal information provided to the companies with which we do business (your doctor, does not need your Social Security number) and monitor our financial and medical dealings for signs of identity theft.  Putting a credit freeze on your credit reports at each of the three major credit reporting agencies is another good step to take in order to reduce your risk of identity theft.  You can find information about how to put a credit freeze on your credit reports here on Scamicide in the archives.

Scam of the day – February 3, 2015 – Affordable Care Act phishing scam

February 3, 2015 Posted by Steven Weisman, Esq.

Recently the United States Computer Emergency Readiness Team which is a part of the Department of Homeland Security issued a warning about a phishing scam related to the Affordable Care Act, commonly referred to as Obamacare.  Since its inception, there has been much confusion about many aspects of the Affordable Care Act and scammers are taking advantage of this confusion by sending emails to their intended victims that purport to come from a federal agency involved with the Affordable Care Act in which the person receiving the email is asked for personal information or directed to a website by way of a link that, if clicked on, will cause keystroke logging malware to be downloaded on to the victim’s computer or other electronic device that will enable the scammer to steal the personal information of the victim and make him or her a victim of identity theft.

TIPS

The rules to follow in order to avoid becoming a victim of this scam are simple and easy to follow.  Never provide personal information in response to an email, text message or phone call from someone until you have confirmed that the communication is legitimate.  You can never trust any communication to be from who it purports to be until you have independently confirmed that it is both legitimate and that there is a legitimate need for your personal information.  You can determine whether or not a communication is legitimate or not through a phone call or other communication with the real company or agency that the communication purports to be. Don’t use the phone number, website or email address supplied to you in the communication itself.  You cannot trust it.

Also, never, and I mean never, click on links in any email or text message until you have again confirmed that the communication is legitimate.  Even if the email address from which the message is that of a legitimate company or agency, their email could have been hacked, so never click on a link until you have independently confirmed that it is legitimate.

Finally, make sure you have a good firewall as well as anti-virus and anti-malware software on all of your electronic devices and keep these security programs updated with the latest patches.

Scam of the day – November 12, 2014 – Post office hacked

November 12, 2014 Posted by Steven Weisman, Esq.

Earlier this week the United States Postal Service announced that it had been hacked, most likely by Chinese hackers, who stole personal information including names, birth dates, Social Security numbers, home addresses and other personal information on as many as 800,000 employees of the Postal Service.  Although generally this is the type of hacking that would lead to massive instances of identity theft, the Chinese, who usually limit their state sponsored hacking to corporate espionage of trade secrets of companies with which they compete, may have been looking for just additional data on Americans.  Earlier this year, the Chinese hacked into the records of the federal Office of Personnel Management which conducts security clearance checks and this hacking was thought to be more closely related to counterintelligence or even recruitment purposes.  However, in the Postal Service hacking it is purely speculative as to why the Chinese government did this hack.

TIP

Once again, we see that the federal government just like private industry is not doing enough to secure its data.  Just as in the breaches of Home Depot and Target, the data breach was accomplished by the planting of sophisticated malware by way of phishing emails to federal employees who were lured into clicking on links in the tainted malware.  A recent federal study showed that 20% of hacking of federal computers was started through federal employees clicking on links in phishing emails against federal policy.

So what does this mean to you and me?  This is just another reminder that both government and the private sector have got to do a better job of protecting the data they store.  It also reminds us that we must remain eternally vigilant to identity theft threats and continue to monitor our financial accounts and credit reports regularly.

Below you can find a television interview I did yesterday about this on NewsMax TV.

 

 

 

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.