Scam of the day – December 20, 2016 – Hacker convicted of selling stolen bank accounts on the Dark Web

Recently, Aaron James Glende, a hacker known a IcyEagle was convicted of hacking into the bank accounts of eleven Sun Trust customers and selling their account information on the Dark Web for $229.99 per account.  Each of these accounts had balances of between $250,000 and $500,000.  He also stole thirty-two accounts with balances of between $100 and $300 which he sold for $9.99 for each account.  Glende was sentenced to four years and two months in prison.

The Dark Web is that part of the Internet where criminals buy and sell stolen goods and data as well as malware and other cybercriminal tools.

TIPS

The information stolen by Glende included usernames and passwords for online banking accounts.  In order to protect yourself from becoming a victim of a similar theft, you should use a complex password, a security question the answer to which cannot be guessed or obtained through research and use strong software security programs on all of your electronic devices.  It is also important to keep your security software updated with the latest security patches.  Also, never provide your personal information including passwords in response to emails unless you have absolutely confirmed that the email or text message is legitimate.  Too often, messages seeking this information are just phishing scams designed to trick you into turning over this information to an identity thief.

Here is an image of Glende’s account on the Dark Web site Alpha Bay.

AlphaBay portal

Scam of the day – December 16, 2016 – Yet another major data breach disclosed at Yahoo

It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   However, as I often say, “things aren’t as bad as you think — they are far worse.”  Earlier this week it was disclosed that Yahoo had also been a victim of an earlier data breach in 2013 that was only recently discovered in which personal information on a billion Yahoo customers was stolen. Included in the stolen information was names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers only some of which were encrypted.

Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft.  This should be a wake up call to everyone, even if you do not use Yahoo email to implement stronger email security measures.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you to click on malware infected links.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked.  You also should encrypt your emails.  There are many simple, free software programs you can use to encrypt your emails.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.

Scam of the day – December 9, 2016 – Celebrity hacker sentenced

Since 2014 I have been reporting to you about a string of celebrity hackings in which nude photos, videos and other personal material were stolen by a number of different hackers who have been caught, put on trial and sentenced.  The latest celebrity hacker to be convicted for his crimes is Alonzo Knowles who hacked into the emails of various celebrities and athletes from whom he stole not just nude photos and videos, but also unreleased movie and television scripts, unreleased music and financial documents all of which he tried to sell for profit.  Knowles pleaded guilty and his attorneys asked for a sentence of fourteen months in prison.  Instead the judge sentenced him to five years in prison which was considerably more than the recommended federal sentencing guidelines of 27-33 months.  Contributing to the larger sentence was the fact that while in prison awaiting sentencing, Knowles used the monitored prison email system to send out emails in which he bragged about his plans to write a book including photographs in which he would expose the secrets of his victims.  For a sophisticated cybercriminal, this was an incredibly stupid action that showed a lack of remorse to the sentencing judge.

TIPS

Knowles managed to hack into the email accounts of his victims by first targeting friends of his victims.  He identified friends of his victims through photographs appearing on line and then hacked into the email accounts of these people, taking control of the accounts, gathering personal information including telephone numbers from the accounts and then emailing his celebrity targets with spear phishing emails that enabled him to get information from the celebrity victims.   You may remember that the fact that Hillary Clinton was using a private email server while acting as Secretary of State was disclosed not by a hacking of her email, but by a hacking of the email account of one of her advisers, Sidney Blumenthal.

This case serves as another reminder of the important cybersecurity steps we all need to take, particularly in regard to using email.  For personal emails you may wish to use a separate email account than the one you use generally that may be more easily discovered.  You should also use a security question that is not easily guessed or obtained through research.  Colin Powell and many others became victims of email hacking because their security questions were easily guessed enabling the hacker to change their passwords.  I suggest using a nonsensical answer to the email question, such that if the question is what is the maiden name of your mother, you indicate something totally unrelated, such as “firetruck.”  Another option, as cleverly suggested by a regular Scamicide reader is to just add some digits at the end of the answer so, for example, your mother’s maiden name could be “Smith1234.”

It is also important not to store sensitive data in your email folder.  To protect yourself from hackers, you may wish to both encrypt sensitive information on your computer and store it in a portable USB hard drive to protect it from ransomware attacks.  It is important to recognize that anytime you are asked for personal or sensitive information in an email, you can’t be sure if the person contacting you is someone you know and trust or whether their email account had been hacked as was done in this case so never provide personal information in response to an email or text message unless you have confirmed the identity of the person contacting you.   Trust me, you can’t trust anyone.

Dual factor authentication for all accounts where you may have sensitive information is also important.

 

Scam of the day – November 30, 2016 – San Francisco commuter rail system hacked

Late on November 25th, the San Francisco Municipal Transportation Agency (SFMTA), which operates the municipal rail system in San Francisco, referred to as “Muni” was hacked when an SFMTA employee unwittingly clicked on a link in a phishing email and downloaded ransomware that locked and encrypted all of the SFMTA computer systems.  The hacker, who is thought to be Iranian, demanded a ransom of 100 bitcoins which is approximately $73,000 or he would destroy the data.  The SFMTA is refusing to pay the ransom and has indicated that it has backed up the encrypted data which, it says will be restored shortly.

Meanwhile, according to security research Brian Krebs, a white hat hacker hacked into the email of the original hacker and managed to take over the original extortionist’s email account by answering the extortionists security question.  The email account provided evidence that the hacker had been active in installing ransomware and obtaining ransom payments from numerous companies.

TIPS

There are a number of lessons for all of us as individuals to learn from this incident.  First and foremost is to install and maintain good security software including software that will help defend you against phishing emails.  However, no security software is totally effective against phishing emails, so you never click on links in any email unless you have absolutely confirmed that the email is legitimate.  Second, you should back up all of your data either in the cloud or on a portable USB hard drive to protect yourself from the danger of ransomware. Finally, in regard to security questions, which when answered give someone the ability to change your password, you should use a nonsensical answer to the question so it cannot be guessed or obtained through research about you.  For instance, if the question is what is your mother’s maiden name, you might make the answer “firetruck.”  You will remember it because it is so silly, but no one will be able to guess it by going through online data bases or social media.

Scam of the day – September 24, 2016 – Massive Yahoo data breach

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – July 11, 2015 – Charlotte McKinney topless photos hacked

In my Scam of the day for September 2, 2014 I told you about the stealing of nude photos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo that were posted online.  Now it has just been reported that model/actress Charlotte McKinney who recently was a contestant on Dancing With the Stars had topless photos hacked which were then posted on Instagram  for a short period of time.    This story has two lessons.  The first is that everyone, regardless of whether or not you are a celebrity should take the steps necessary to protect the security of their photos and other data.  Although we do not yet know precisely how Ms. McKinney’s photos were hacked, it is reasonable to conjecture that they were stolen in the same manner that photos were stolen in last year’s celebrity hacking.  According to FBI records, the hacking had less to do with Apple’s iPhone and iCloud security and more to do with the celebrities falling prey to phishing emails and password resetting that enabled the hacker to gain access to the victims’ iCloud accounts and other times stealing the photos directly from the hacked phones.

In addition to stealing the photographs from Ms. McKinney, the hackers also managed to gain access to her Instagram account to temporarily post the photos before they were taken down.  Anyone who has access to your email address who is able to either guess or steal your password can gain access to your Instagram account.

Using the “forgot password” link on Apple’s iCloud, it appears in last year’s hacking in many instances, the hacker answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the photos were stolen directly from the victims’ smartphones which were hacked.

The second lesson is for people who may be curious about seeing the topless photos of Charlotte McKinney to be very wary of emails, text message, websites or links that promise to take you to those photos, which have already been removed from Instagram.  Trust me, you can’t trust anyone.  Identity thieves will attach malware to links that promise to provide you with the photos.  This malware will steal all of the information from your computer or smartphone and put you in danger of identity theft.  Don’t fall for this scam.

TIPS

All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for all of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others when possible although Instagram does not offer this service.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can either be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at tHE most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.   Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – October 5, 2014 – More banks hacked by suspected hackers of J.P. Morgan Chase

With news of the massive data breach at J.P. Morgan Chase in which names, addresses, phone numbers and email addresses of 76 million households and 7 million small businesses were stolen by what appears to be Russian hackers who may or may not be affiliated with the Russian government dominating the news, it seems perfectly appropriate to wish you a happy National Cybersecurity Awareness month.  As frightening as the spectre of a major American bank being vulnerable to vulnerable to such a massive data breach, you may remember that when the story broke last August of the possible data breach at J.P. Morgan Chase, reports were that there were as many as four other banks that had similarly been hacked.  Now, according to a report in the New York Times, that number is actually risen to nine other major financial institutions that may have suffered data breaches at the hands of the same hackers.  Therefore even if you are not a customer of J.P. Morgan Chase, you should be extra vigilant in regard to all of your financial accounts.

TIPS

Now is the time to implement a eight step approach to protecting yourself from identity theft and data breaches.  The first step is to change your password regularly, such as every six months.  A good password has a mixture of capital letters, small letters, symbols and digits.  Don’t use any word in the dictionary because hackers have computer programs that can guess your password. Instead use a phrase, such as IHate2UsePasswords!!.  This is a very secure password.  You should also have a separate and distinct password for each of your accounts, but you can merely adapt this basic password by adding a couple of distinguishing letters for each account.  For example, you could make this your Amazon password by adding the letters “Am” at the end of your basic password so it reads IHate2UsePasswords!!Am.  This is easy to remember.

You should also use dual factor authentication on your accounts when available.  Dual factor identification provides you with an extra level of security by which more than a password is necessary to gain access to your account.  Generally, when you log in through your password to an account a code is then sent to your smartphone which you then must input in order to access your account.

You also should change the answer to your security question to something completely nonsensical.  Answering a security question is required if you forget your password or if you want to change your password.  Unfortunately the answers to common security questions, such as your mother’s maiden name can be found with a little effort by an identity thief in the many places on the Internet that store personal information.  So instead of the answer to your mother’s maiden name being “Jones,” change it to “Grapefruit.”  No identity thief will find it or guess it and it is silly enough for you to remember.

Don’t click on links or download attachments in any email, text message or social media posting unless you have absolutely confirmed that it is legitimate.  Identity thieves and hackers lure people into clicking on links in such communications that results in the victims downloading keystroke logging malware that can steal all of the information from your computer.

Don’t provide personal information over the phone to anyone whom you have not called.  You can never be sure if the person calling you is legitimate regardless of how compelling the reason he or she gives for you to provide personal information.  Don’t rely on your Caller ID because through a technique called “spoofing” an identity thief can make it appear that his or her call is from the IRS, your bank or some other legitimate entity.  If you think the call may be legitimate, hang up and call the company or agency at a number that you know is real, not the number the caller gives you.

Review all of your accounts regularly and carefully to note the smallest charge that should not be there.  Sometimes identity thieves will put regular reoccurring charges on your credit card or phone bill in the hope that you will not bother to look further into it because the charge is so small.  The earlier you catch identity theft, the easier it is to deal with.

Check your credit report from each of the three major credit reporting agencies every year for evidence of fraud or even mistakes that need to be corrected.  Here is the link to the only official place to get your free credit report https://www.annualcreditreport.com/index.action

Put a credit freeze on your credit report so that even if an identity thief obtains your Social Security number, he or she cannot gain access to your credit report.  Yesterday’s Scam of the day contains the links to the credit reporting agencies to use to freeze your credit.

Scam of the day – January 19, 2014 – Guccifer

What do Steve Martin, Colin Powell, George W. Bush, John Dean, Mariel Hemingway, Lorne Michaels, Carl Bernstein, Rupert Everett, Eric Idle, Whoopi Goldberg and Julian Fellowes the writer of “Downton Abbey” have in common?  All have had their email hacked by the legendary hacker who calls himself “Guccifer.”  Guccifer has not exploited his hacking targets for financial gain although the information he obtained would allow him to do so.  Rather his goals, more often appear to be to embarrass his victims and shake the world up a bit.  Through hacking of his victims’ email accounts he has gained access to and made public the final episode of Downton Abbey, months before it was aired.  He has made public embarrassing information he obtained through his hacking efforts of politicians and celebrities on both sides of the Atlantic.

Although, Guccifer, who recently did an extensive interview with the celebrity gossip website TMZ refused to indicate precisely how he has managed to hack into the emails of so many famous people, there does appear to be some evidence that one technique he uses is to get an email address of someone such as he did with media icon, Tina Brown, who has an extensive email address book.  He then uses simple techniques to answer his victim’s security question and change the password to the account whereupon he is able to take over the account and have access to all of the information stored there.  Simple, publicly available information such as birth dates, schools attended and other such information has provided the keys to answering the security questions of his victims.  He also apparently has used lists of the name of pets to answer security questions as well.  And herein lies the lesson for us all.  Even if you are not a celebrity, there is so much information about us all that is publicly available; sometimes the information is even provided by us through our Facebook pages and other social media, that it is an easy task for a hacker to get at our email accounts and other password and security question protected accounts.

TIPS

Since protecting your email address is an impossible task, the key to protecting your account from being hacked is to have strong security questions and the key to that is to provide a question to which the answer can never be guessed by a hacker.  So if your security question is “What is my favorite vegetable?” you should make the answer “electronic clock” or some other totally illogical response.  Don’t worry about remembering it yourself because if the question and answer are as ridiculous as this, you will remember it.