Scam of the day – October 19, 2017 – Congress forces IRS to suspend multi-million dollar Equifax contract

In the Scam of the Day for October 8th, I reported to you about the recent announcement that Equifax, the company whose own negligence has put 145 million Americans in serious danger of identity theft for the rest of their lives, was awarded a 7.25 million dollar contract to provide security and fraud detection services to the IRS. Making the problem even worse was the fact that the contract was a no-bid contract.

Now, under pressure from numerous members of Congress, the IRS has temporarily suspended the contract while it investigates Equifax’s systems and security. The suspension means that taxpayers wishing to set up accounts with the IRS through its Secure Access program, which enables taxpayers to access certain online services, will be unable to do so. Taxpayers who have already set up Secure Access accounts with the IRS, however, will still be able to use them.


TIPS

Relying on the IRS to protect the security of our data is somewhat problematic because the IRS itself has had a number of instances where its security practices have been lacking. When it comes to protecting ourselves from identity theft, there are numerous simple steps we should all take. I describe them in great detail in my book “Identity Theft Alert,” but here are a few of the things we all should do: freeze your credit; monitor your credit reports and all of your accounts; use complex passwords; use nonsensical answers to security questions; use dual factor authentication; use security software on all of your devices and keep it updated with the latest security patches; never click on links or download attachments unless you have verified that they are legitimate; and limit the places you provide your Social Security number as much as possible. Your doctor, for instance, may ask for it, but he or she doesn’t need it.

Scam of the day – October 3, 2017 – Mac computers’ vulnerability to hacking exposed

This past week at a conference in Brazil, Duo Labs researchers Rich Smith and Pepijn Bruienne presented a technical paper disclosing that Apple Mac computers are seriously vulnerable to being hacked through their EFI firmware, the low-level software that boots the computer and manages its hardware. This is a real problem because, while Mac users may be receiving automatic software updates, they are not necessarily receiving automatic updates to that firmware. Older versions of the Mac operating system are particularly vulnerable. Here is a link to a posting by Duo Labs that lists the 16 Mac models most vulnerable to this type of attack because they have not received any EFI firmware updates. The posting also contains information about how to fix the situation.

https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research

TIPS

Now that I have scared you, the good news is that it would take an incredibly sophisticated and targeted attack to exploit this vulnerability, and ordinary hackers would be unable to do so. Sophisticated hackers in the employ of countries such as Russia, North Korea or Iran, however, would have the capability to exploit it. So for individual Mac users, the risk of being targeted by an attack of this kind is extremely low. This does again point out, though, how important it is for all of us to update our computer’s operating system and software whenever updates are available, and the best way to do that is automatically whenever possible.

Scam of the day – July 27, 2017 – Adobe Flash to finally be retired

Scam of the day – June 9, 2017 – Ukrainian hacker sentenced to prison

I have been reporting to you about developments in this ingenious and massive stock fraud for two years, since the story first broke. Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine. Now Ukrainian hacker Vadym Iermolovych has been sentenced to thirty months in prison and ordered to pay more than 3 million dollars in restitution for his role in this scheme.

The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using the stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and, here in the United States, in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015 the defendants made profits of as much as 100 million dollars on 800 trades. A number of the defendants have already pleaded guilty to charges related to this scam.

The cornerstone of this scam, as with so many cyberscams, was the ability to get into the company computers of Marketwired, PR Newswire and Business Wire. The hackers did so by breaking into social media sites, where they stole the passwords of employees of these companies who reused the same passwords at work. The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it still is to use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers. This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into our own computers and steal our personal information. Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate. It could well contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware. However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our security at other places where we use passwords is not threatened. Although it may seem difficult to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts. Using an easily remembered phrase as the base password, such as IDon’tLikePasswords, is effective. Make it even better by adding a couple of symbols at the end, such as IDon’tLikePasswords!!!, and then adapt it for each of your accounts so that, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – May 19, 2017 – WiFi networks at Mar-a-Lago vulnerable

A recent report by ProPublica and Gizmodo found security vulnerabilities in the WiFi networks at Mar-a-Lago, the resort often visited by President Trump, as well as at a number of other Trump destinations, including the Trump National Golf Club in New Jersey, the Trump International Hotel in Washington, D.C. and the Trump National Golf Club in Virginia. According to the report, “Our inspections found weak and open WiFi networks, wireless printers without passwords, servers with outdated and vulnerable software and unencrypted login pages to back-end databases containing sensitive information.” As would be expected, the White House is not commenting on this report other than to indicate that these locations follow cybersecurity best practices. The important lesson for us all, however, is that public WiFi is never secure, although with some precautions it can be made safer.

TIPS

Whatever electronic device you use to connect to a WiFi network, whether it is a computer, laptop, tablet or smartphone, it should be equipped with security software. In addition, you should use encryption software so that your communications are encoded. You also should go to your settings and turn off sharing. Make sure as well that your firewall is current and turned on. Finally, and perhaps most importantly, you should consider using a Virtual Private Network (VPN), which sends your communications through a separate and secure private network even while you are on a public network.

Scam of the day – December 28, 2016 – Tech support scammers to pay 10 million dollars to FTC

A telemarketing scam through which consumers were scammed out of millions of dollars, lured into purchasing worthless tech support software they did not need, has been halted by the Federal Trade Commission (FTC). The FTC has entered into a settlement with the scammers, who will pay 10 million dollars to the FTC to be returned to victims of the scam.

The scam began when the victims downloaded free phony security software that promptly informed them about serious security issues with their computers that, in truth, did not exist. The software then prompted the victims to call the scammers, who convinced them to buy the full version of the useless software as well as tech support services, totaling as much as $500.

TIPS

As provisions are made by the FTC to make payments to the victims of this scam, I will report it to you here in Scamicide.

This scam is a common one. Everyone should have security software installed on all of their electronic devices, including smartphones. There are even some good security software programs that are free, but regardless of whether you are using free security software or paying for it, you should only do business with established companies that you can trust, such as McAfee, Malwarebytes or Symantec.

Scam of the day – November 20, 2016 – Sex or cybersecurity? That is the question.

Although the question of whether you would give up sex for a year in return for total cybersecurity seems like an odd one, it was posed to 2,000 adults in a poll taken by the Harris pollsters. The response might be startling to many people. According to the poll, 39% of Americans are so fearful for their cybersecurity that they would willingly give up sex for an entire year in return for a lifetime of cybersecurity.

Unfortunately, you can never totally control your own cybersecurity, because people often become victims of identity theft and other cybercrimes due to the neglect and failure of companies and government agencies to properly secure our personal information. Fortunately, however, there are a number of relatively simple steps you can take to dramatically increase your personal cybersecurity, and you don’t have to give up sex for a year in order to implement them.

TIPS

Here are a few of the more important steps you can take. You can find even more things you can do to protect your cybersecurity in my book “Identity Theft Alert,” which you can order from Amazon by clicking on the icon on the right hand side of this page.

  1. Use strong unique passwords for each of your online accounts so that even if there is a data breach at one account, all of your accounts will not be in jeopardy. A strong password contains capital letters, small letters and symbols. A password base made up of a phrase such as “IDon’tLikePasswords!!!” is strong and can be personally adapted for each of your accounts by merely adding a few letters at the end to distinguish the particular account, such as adding “Ama” to the base password to become your Amazon password.
  2. Install security software on your computer, smartphone and all of your electronic devices.
  3. Use dual factor authentication whenever possible.
  4. Don’t click on links or download attachments without confirming that the links or attachments are legitimate.  They may contain malware.
  5. Trust me, you can’t trust anyone.  Don’t provide personal information to anyone who contacts you by email, phone or text message unless you have confirmed both the legitimacy of the communication and the need for the information.
  6. Limit, as much as possible, the places that have your personal information.  Your doctor doesn’t need your Social Security number.
  7. Put a credit freeze on your reports at each of the three major credit reporting agencies.
  8. Only download apps from legitimate app stores and check the reviews and the privacy rules regarding the app before downloading them.
  9. Protect your smartphone with a password.
  10. Store important data on a portable hard drive to reduce the danger of ransomware.
  11. Avoid public WiFi for anything requiring personal information. Use a Virtual Private Network (VPN).
  12. Monitor all of your accounts online regularly.

Scam of the day – October 3, 2016 – Latest edition of most dangerous celebrities on the Internet

Each year, computer security company McAfee releases a list of the most dangerous celebrities on the Internet. These are people whose popularity is exploited by identity thieves and hackers, who use links in emails, social media and text messages relating to these celebrities to lure unsuspecting people to malware-filled websites. There the victims unknowingly download ransomware or keystroke logging malware that enables the identity thieves to steal all of the personal information from the victim’s computer, laptop, smartphone or other electronic device and use that information to make the person a victim of identity theft. This year comedian Amy Schumer tops the list, followed by Justin Bieber, Carson Daly, Will Smith, Rihanna, Miley Cyrus, Chris Hardwick, Daniel Tosh, Selena Gomez and Kesha.

TIPS

It is important to remember that merely because a website turns up high in a Google search does not mean that it is legitimate. Google doesn’t check websites for legitimacy when ranking them. The ranking is done by secret algorithms that some identity thieves are adept at manipulating. Also, as I constantly warn you, never click on links or download attachments unless you are absolutely sure that they are legitimate. Merely because it appears that a friend is passing them on to you does not make them legitimate. As for celebrity videos and photos, you should have a healthy mistrust of websites with which you are not entirely familiar. For gossip, www.tmz.com is a good place to go. They always have the latest gossip and they are legitimate. Finally, make sure that you keep all of your electronic devices secure with anti-malware and anti-virus software and keep your security software current with the latest security patches.

Scam of the day – September 13, 2016 – Phony Hillary Clinton video contains malware

A common way that hackers trick people into downloading malware, used to steal the information from your computer or smartphone and make you a victim of identity theft, is to send the malware disguised as an attached video of something of great interest to many people. It may be something related to a celebrity, such as purported nude videos, or it may be an event in the news, such as a video purporting to show previously unavailable footage of, for instance, the shootings in the Orlando nightclub. The presidential election is tremendous fodder for people seeking videos of candidates in compromising situations, and scammers are taking advantage of this with malware attached to emails promising newsworthy footage. Such is the situation, as reported by computer security company Symantec, with an email presently circulating that promises an attached video showing Hillary Clinton accepting money from an ISIS leader in 2013. In addition to being a totally outrageous accusation not based in any fact, the email is fraught with poor grammar. However, that is not stopping some people from clicking on the link and unwittingly downloading malware that can result in their becoming a victim of identity theft.

TIPS

Regardless of who sends you an email or a text message with a link attached, you should never click on the link until you have confirmed that the communication is legitimate. Even if the message appears to come from a trusted friend, you can’t be sure that your friend’s email or smartphone has not been hacked and used by a scammer to spread malware. You should have security software on all of your electronic devices, including your computer and smartphone, and make sure that you keep it up to date with the latest security patches, but you cannot totally rely on that software to protect you from all malware dangers because it generally takes the security software companies about a month to catch up with the latest strains of malware. Finally, in regard to communications promising startling videos or pictures of celebrities or newsworthy events, you should be particularly skeptical as to their authenticity. Instead, it is better to rely on legitimate news sources that you can trust to be safer and more accurate.

Scam of the day – December 19, 2015 – Security update threatens 40 million cellphone users

The ability to use your smartphone or computer safely when online is of concern to everyone. Hacks and data breaches by which information is stolen and then used to make millions of people victims of identity theft are an ever-present threat in life today. This is why, when the CA/Browser Forum, a trade group which mandates the web encryption programs used throughout the web by the companies we all connect with online, such as Facebook, Google and Twitter, was told that its present encryption algorithm, SHA-1, was vulnerable to hacking, it acted promptly and rolled out a new and more secure encryption algorithm, SHA-2. Companies are required to use the new SHA-2 as of January 1, 2016. This is a good thing; however, it is not a good thing for people who use smartphones that are more than five years old to surf the web, because their phones are generally incompatible with SHA-2. It has been estimated that about 40 million people worldwide still use smartphones that won’t support SHA-2 and, unless something is done, they will no longer be able to use their phones to surf the web as of January 1, 2016. Facebook has proposed a solution by which older browsers would be able to use the SHA-1 algorithm and newer ones SHA-2, but as of the writing of this posting, no decision has yet been made by the CA/Browser Forum.

TIPS

If your smartphone is less than five years old, you do not have to do anything; the security changes will happen automatically. However, if your smartphone is five years old or older, you should check with your service provider to see about your options. Even if Facebook’s proposal is accepted by the CA/Browser Forum, the old SHA-1 encryption algorithm is no longer safe, and you should consider switching to a device that will support the new SHA-2 encryption algorithm.