I have been reporting to you for two years about developments in this ingenious and massive stock fraud since the story first broke. Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine. Now Ukrainian hacker Vadym Iermolovych was sentenced to thirty months in prison and ordered to pay more than 3 million dollars in restitution for his role in this scheme.
The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015 the defendants made profits of as much as 100 million dollars on 800 trades. A number of the defendants have already pleaded guilty to charges related to this scam.
The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by hacking into social media sites, where the hackers stole the passwords of employees of these companies who used the same passwords at work. The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.
One of the biggest takeaways from this case is how easy it is to still use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers. This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into the computers of us as individuals and steal our personal information. Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate. It well could contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware. However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.
Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened. Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts. Using an easily remembered phrase as the base password such as IDon’tLikePasswords is effective. Make it even better by adding a couple of symbols at the end such as IDon’tLikePasswords!!! and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.
A recent report by ProPublica and Gizmodo has found security vulnerabilities in the WiFi networks at Mar-a-Lago, the resort often visited by President Trump, as well as a number of other Trump destinations including the Trump National Golf Club in New Jersey, Trump International Hotel in Washington D.C. and Trump National Golf Club in Virginia. According to the report, “Our inspections found weak and open WiFi networks, wireless printers without passwords, servers with outdated and vulnerable software and unencrypted login pages to back-end databases containing sensitive information.” As would be expected, the White House is not commenting on this report other than to indicate that these locations follow cybersecurity best practices. The important lesson for all of us is that public WiFi is never secure. However, with some precautions it can be made safer.
Whatever electronic device you are using to connect to a WiFi network, whether it is a computer, laptop, tablet or smartphone, should be equipped with security software. In addition, you should use encryption software so that your communications are encoded. You also should go to your settings and turn off sharing. In addition, you should make sure that your firewall is current and turned on. Finally, and perhaps most importantly, you should consider using a Virtual Private Network (VPN) which enables you to send your communications through a separate and secure private network even while you are on a public network.
The Federal Trade Commission (FTC) has halted a telemarketing scam through which consumers were scammed out of millions of dollars when they were lured into purchasing worthless tech support software that they did not need. The FTC has entered into a settlement with the scammers, who will be paying 10 million dollars to the FTC to be returned to victims of the scam.
The scam began when the victims downloaded free phony security software that promptly informed the victims about serious security issues with the victims’ computers that, in truth, did not exist. The software then prompted the victims to call the scammers who convinced the victims to buy the full version of the useless software as well as tech support services that totaled as much as $500.
As provisions are made by the FTC to make payments to the victims of this scam, I will report it to you here in Scamicide.
This scam is a common one. Everyone should have security software installed on all of their electronic devices including smartphones. There even are some good security software programs that are free, but regardless of whether you are using free security software or paying for it, you should only do business with established companies that you can trust, such as McAfee, Malwarebytes or Symantec.
Although the question of whether you would give up sex for a year in return for total cybersecurity seems like an odd question, it is one that was posed to 2,000 adults in a poll taken by the Harris pollsters. The response to the question might be startling to many people. According to the poll, 39% of Americans are so fearful of their cybersecurity that they would willingly give up sex for an entire year in return for a lifetime of cybersecurity.
Unfortunately, you can never totally control your own cybersecurity because often people become victims of identity theft and other cybercrimes due to the neglect and failure of companies and government agencies to properly secure our personal information. However, the good news is that there are a number of relatively simple steps you can take to dramatically increase your personal cybersecurity, and you don’t have to give up sex for a year in order to implement these steps.
Here are a few of the more important steps you can take. You can find even more things you can do to protect your cybersecurity in my book “Identity Theft Alert,” which you can order from Amazon by merely clicking on the icon on the right hand side of this page.
- Use strong unique passwords for each of your online accounts so that even if there is a data breach at one account, all of your accounts will not be in jeopardy. A strong password contains capital letters, small letters and symbols. A password base made up of a phrase such as “IDon’tLikePasswords!!!” is strong and can be personally adapted for each of your accounts by merely adding a few letters at the end to distinguish the particular account, such as adding “Ama” to the base password to become your Amazon password.
- Install security software on your computer, smartphone and all of your electronic devices.
- Use dual factor authentication whenever possible.
- Don’t click on links or download attachments without confirming that the links or attachments are legitimate. They may contain malware.
- Trust me, you can’t trust anyone. Don’t provide personal information to anyone who contacts you by email, phone or text message unless you have confirmed both the legitimacy of the communication and the need for the information.
- Limit, as much as possible, the places that have your personal information. Your doctor doesn’t need your Social Security number.
- Put a credit freeze on your reports at each of the three major credit reporting agencies.
- Only download apps from legitimate app stores and check the reviews and the privacy rules regarding the app before downloading them.
- Protect your smartphone with a password.
- Store important data on a portable hard drive to reduce the danger of ransomware.
- Avoid public WiFi for anything requiring personal information. Use a Virtual Private Network (VPN).
- Monitor all of your accounts online regularly.
Each year, computer security company McAfee releases a list of the most dangerous celebrities on the Internet. These are people whose popularity is exploited by identity thieves and hackers who lure unsuspecting people through links in emails, social media and text messages relating to these celebrities to malware-filled websites where they unknowingly download ransomware or keystroke logging malware that enables the identity thieves to steal all of the personal information from the victim’s computer, laptop, smartphone or other electronic device and use that information to make the person a victim of identity theft. This year comedian Amy Schumer tops the list followed by Justin Bieber, Carson Daly, Will Smith, Rihanna, Miley Cyrus, Chris Hardwick, Daniel Tosh, Selena Gomez and Kesha.
It is important to remember that merely because a website turns up high on a Google search does not mean that it is legitimate. Google doesn’t check out websites for legitimacy in ranking sites. The ranking is done by secret algorithms that some identity thieves are adept at manipulating. Also, as I constantly warn you, never click on links or download attachments unless you are absolutely sure that they are legitimate. Merely because it appears that a friend is passing them on to you does not make them legitimate. As for celebrity videos and photos, you should have a healthy mistrust of websites with which you are not entirely familiar. For gossip, www.tmz.com is a good place to go. They always have the latest gossip and they are legitimate. Finally make sure that you keep all of your electronic devices secure with anti-malware and anti-virus software and keep your security software current with the latest security patches.
A common way that hackers manage to trick people into downloading malware used to steal the information from your computer or smartphone and enable them to make you a victim of identity theft is to send the malware disguised as an attachment for a video of something of great interest to many people. It may be something related to a celebrity, such as purported nude videos, or it may be of an event in the news, such as a video purporting to show formerly unavailable footage of, for instance, the shootings in the Orlando nightclub. The presidential election is tremendous fodder for people seeking videos of candidates in compromising situations, and scammers are taking advantage of this with malware attached to emails promising to provide newsworthy events. Such is the situation, as reported by computer security company Symantec, with an email presently circulating promising that the attached video shows Hillary Clinton accepting money from an ISIS leader in 2013. In addition to being a totally outrageous accusation not based in any fact, the email is fraught with poor grammar. However, that is not stopping some people who are clicking on the link and unwittingly downloading malware that can result in their becoming a victim of identity theft.
Regardless of who sends you an email or a text message with a link attached, you should never click on the link until you have confirmed that the communication is legitimate. Even if the message appears to come in the email or text message from a trusted friend, you can’t be sure that your friend has not had his email or smartphone hacked and used by a scammer to spread malware. You should have security software on all of your electronic devices including your computer and smartphone and make sure that you keep your security software up to date with the latest security patches, but you cannot totally rely on that software to protect you from all malware dangers because it generally takes the software security companies about a month to catch up with the latest strains of malware. Finally, in regard to communications promising startling videos or pictures of celebrities or newsworthy events, you should be particularly skeptical as to their authenticity. Instead, it is better to rely on legitimate news sources that you can trust to be safer and more accurate.
The ability to use your smartphone or computer safely when online is of concern to everyone. Hacks and data breaches by which information is stolen and then used to make millions of people victims of identity theft are an ever-present threat in life today. This is why, when the CA/Browser Forum, a trade group which mandates web encryption programs used throughout the web by the companies we all connect with online such as Facebook, Google and Twitter, was told that its present encryption algorithm SHA-1 was vulnerable to hacking, it acted promptly and rolled out a new and more secure encryption algorithm, SHA-2. Companies are required to use the new SHA-2 on January 1, 2016, and this is a good thing. However, it is not a good thing for people who use smartphones that are more than five years old to surf the web. Their phones are generally incompatible with SHA-2. It has been estimated that about 40 million people worldwide still use smartphones that won’t support SHA-2 and, unless something is done, they will no longer be able to use their phones to surf the web as of January 1, 2016. Facebook has proposed a solution by which older browsers will be able to use the SHA-1 algorithm and newer ones the SHA-2, but as of the writing of this posting, no decision has yet been made by the CA/Browser Forum.
If your smartphone is less than five years old, you do not have to do anything. The security changes will happen automatically. However, if your smartphone is five years old or older, you should check with your service provider to see about your options. Even if Facebook’s proposal is accepted by the CA/Browser Forum, the old SHA-1 encryption algorithm is no longer safe and you should consider switching to a device that will support the new SHA-2 encryption algorithm.
Following the embarrassing hacking and data breach at the Italian spyware company Hacking Team which sells spyware to governments, it has been learned that the release of the 400 gigabytes of files, source code and emails stolen and made public has enabled hackers and identity thieves to use that information to construct malware to exploit the vulnerabilities uncovered by creating zero day exploits which are malware for which there are no known security patches yet developed. These zero day exploit kits are presently being sold on the black market to hackers and identity thieves around the world.
Now Rook Security, a computer security company, is offering a free scan that can identify if your computer has already been infected by one of these new malware programs. Here is the link to their website and the free scan: https://www.rooksecurity.com/hacking-team-malware-detection-utility/
Everyone should make sure that they have all of their computers, smartphones and electronic devices protected by anti-malware and anti-virus software and that your security software is constantly and automatically updated with the latest security updates. The failure to update security software when new vulnerabilities are discovered and patched is a major factor in many data breaches and identity thefts. In addition, the primary way that most data breaches and identity thefts are accomplished with malware is through phishing where victims are lured into clicking on links in emails and text messages containing malware. The lesson is clear. Don’t click on links unless you are absolutely sure that they are legitimate.
Many people may not be aware of SendGrid, but there is a good chance that you have received an email from them. SendGrid is a mass email service that is used by 180,000 companies worldwide including Uber, Pinterest, Spotify and Foursquare when companies wish to send mass email messages to their customers, such as when a company wants to alert customers to a service update. When you receive an email from SendGrid or other such mass email services, it appears that the message is being sent by the company with which you have an account, but it actually comes from SendGrid or other mass email services. Last week one of the companies that uses SendGrid had its SendGrid account hacked in an attempt to hack into the company’s account with Coinbase, a Bitcoin exchange. Although the company, unnamed by SendGrid, had its account with Coinbase hacked, according to SendGrid no Bitcoins were stolen. Last year a similar attack aimed at stealing Bitcoins from another SendGrid client, ChunkHost, was foiled because ChunkHost used dual factor authentication, preventing the hacker from accessing the Bitcoins in ChunkHost’s account even after the hackers had managed to steal ChunkHost’s password. More and more hackers are trying to hack into the accounts of users of mass email services such as SendGrid because it enables the hacker to make his or her malware-containing message appear to come from a trusted source.
Remember my motto, “trust me, you can’t trust anyone.” Merely because an email or text message appears legitimate or appears to come from a trusted email address is no reason to trust the message and click on links contained in the email or text message or download attachments to such emails or text messages. The risk is too great. Never click on links or download attachments unless you are absolutely sure that they are safe and legitimate. Even if you are protected by the latest security software, you are still not safe because the most updated anti-malware and anti-virus software is always at least a month behind the latest malware.