Posts Tagged: ‘spear phishing’

Scam of the day – July 23, 2016 – Six month jail term for celebrity hacker

July 23, 2016 Posted by Steven Weisman, Esq.

Earlier this week, twenty-nine year old Andrew Helton was sentenced to six months in prison for hacking hundreds of Apple and Google accounts including many of celebrities  and stealing 161 nude or partially nude photos from thirteen people.  I first reported to you about Helton when he pleaded guilty to the hacking charges in February of this year.

Between March 2011 and May 2013, Helton used a simple phishing scheme to steal the usernames and passwords of 363 Apple and Google email accounts including those of many celebrities.  Once he had access to his victims’ email accounts he was able to access all of the contents of their email accounts including 161 sexually explicit or nude images of thirteen of his victims.  It should be noted that Helton did not post any of the stolen photos online and his case is totally unrelated to the stealing and posting of nude photos of celebrities including Jennifer Lawrence and Kate Upton that occurred in September of 2014 although a similar phishing tactic was used to obtain the usernames and passwords of the victims.

Helton obtained the usernames and passwords of his victims by sending emails to his victims that appeared to come from Apple or Google in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple or Google.  Once they entered their information, Helton had all that he needed to access his victims’ accounts.  It is interesting to note that in a letter to the court, Helton emphasized his lack of computer talent saying, “There was no expertise involved.  All I did was essentially copy and paste.” Even the email addresses of his targets were obtained from easily accessed contact lists online.  The fact that such havoc could be spread by someone without having particular computer skills points out how easily any of us can be victimized if we do not take proper precautions.

TIPS

The type of phishing scam used by Helton is one used by many other scammers and it is easy to defend against.  Always be skeptical when you are asked to provide your personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified by contacting the company that the communication is legitimate.

In addition, you should not store personal data or any photos or other material on your email account. Store such data in the cloud or some other secure place.

Scam of the day – July 4, 2016 – New Chase phishing email

July 3, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating.  DO NOT CLICK ON THE LINK.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.  As phishing emails go, this one is pretty good.  It looks legitimate.  The email address from which it is sent looks like a legitimate Chase email address instead of, as is so often the case, an email from a botnet that carries the email address of a person’s hacked computer hijacked and used to send out this type of phishing email.  The grammar and spelling is good, but as so often is the case, it is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit. However, it also has an Uber logo at the top of the email which is extremely odd as Uber has nothing to do with Chase.

Dear Chase Online(SM) Customer

We have detected irregular activity on your account.So We Have Limited Your Account.
For your protection, you have to verify this activity before you can continue using your account.

Please Visit https://chaseonline.chase.com/Logon
to remove any restrictions placed on your account.

Reference Number: PP-184-107-163

Chase Bank – EP-MN-L20D – 200 South Sixth Street – Minneapolis, MN 55402
© 2016 Chase Bank . All rights reserved.

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would not use the generic greeting “Dear Chase  Online Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.

Scam of the day – June 15, 2016 – SEC fines Morgan Stanley a million dollars over a data breach

June 15, 2016 Posted by Steven Weisman, Esq.

For over a year, the Securities and Exchange Commission (FTC) has been actively enforcing the “Safeguards Rule” requiring investment advisers to implement policies and procedures to protect the privacy and security of the information of their clients.  In 2015, R. T. Jones Capital Equities Management paid $75,000 to settle SEC charges related to the theft of customer information in a data breach.  Now Morgan Stanley Smith Barney has just agreed to pay a million dollars to settle charges that it did not have proper policies and procedures in place to protect customer information resulting in the hacking of 730,000 customer accounts and theft of information including names, phone numbers, addresses, account numbers, account balances and securities holdings.

TIPS

Regardless of how careful you are about protecting your personal information, you are only as safe and secure as the places that have your personal information with the weakest security. Therefore it is critical whenever you do business with a company that will have sensitive personal information of yours that you inquire as the commitment to security of the company and what it does to protect your data.  In this particular data breach while the information itself should not directly result in identity theft, this type of information is often gathered by cybercriminals who use it to craft carefully worded and targeted spear phishing emails that lure their victims into either trusting the email and providing personal information used by the cybercriminals for purposes of identity theft or luring the victims into clicking on malware infested links in the emails that will enable the cybercriminal to steal all of the information from your computer and use it to make you a victim of identity theft.

Scam of the day – May 17, 2016 – Russian cybercriminal innovator sentenced

May 16, 2016 Posted by Steven Weisman, Esq.

Although you probably have not heard of Nikita Kuzman or the Gozi malware he created, Kuzman has dramatically changed the world in which we live.  Kuzman, a Russian with degrees earned in computer science at two major Russian universities invented the Gozi malware which was unleashed on an unsuspecting public in 2007.  This malware was among the first to be able to steal bank account related data including usernames and passwords from the infected computers of its victims and then use this information to steal money from the victims’ accounts.  Gozi infected more than a million computers throughout the world and was used to steal tens of millions of dollars from individuals, companies and even government agencies such as NASA.  However, what distinguishes Kuzman from other cybercriminals who have created similar types of malware is that Kuzman then created the business model for implementing the use of the malware by leasing the use of Gozi to less sophisticated cybercriminals, who would pay Kuzman a fee of $500 per week for the use of the Gozi malware which would send the stolen information to computers controlled by Kuzman who would, in turn, provide the data to the criminals spreading the malware so long as they paid their weekly leasing costs.

According to Troels Oerting, the head of Interpol’s European Cybercrime Centre, there are only about a hundred cybercriminal masterminds like Guzman in the world today.  The proliferation of small and large scale computer crimes perpetrated against individuals, companies and government agencies is primarily accomplished by less accomplished cybercriminals who have purchased or leased the malware from innovators such as Kuzman who initiated this business model.  And like any business, the criminals who do create this malware also routinely provide tech support and updates for a price.

Kuzman was recently sentenced in the U.S. District Court for the Southern District of New York to various computer crimes and was required to pay a financial penalty of $6,934,979.  The prison sentence imposed was a mere 37 months of time served pending his trial.  The reason for this light sentence is that Kuzman because of his continuing cooperation with federal investigators regarding others charged with similar crimes.

TIPS

An important element of the story about the Gozi malware and other similar types of malware is that regardless of how sophisticated the malware is, it is useless until it is downloaded on to the computers of its intended victims and this is generally done not through complex software or technology, but rather by luring unsuspecting victims into clicking on links and downloading attachments in socially engineered phishing emails.  And just as the malware itself has gotten more sophisticated over the years, so have the psychologically compelling spear phishing emails used to spread the malware.  Malware tainted phishing emails formerly addressed to “Dear Customer” now come addressed to you by name and often contain sufficient personal information to cause victims to trust the emails and click on the tainted links.  The lesson is clear.  Trust me, you can’t trust anyone.  Never click on a link or download an attachment until you have absolutely confirmed that the email or text message sent with a link or attachment is legitimate.

Scam of the day – May 12, 2016 – Another BEC scam victim

May 12, 2016 Posted by Steven Weisman, Esq.

In April 19th’s Scam of the day I told you about the recent FBI warning about a dramatic increase in what it calls the Business email compromise scam (BEC). The scam involves an email to the people who control payments at a targeted company.  These people receive an email purportedly from the CEO, company attorney or even a vendor with whom the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

Now we have just learned about Pomeroy Investment Corp, a Michigan investment company that lost $495,000 through this scam when one of its employees responded to an email purportedly from another employee of the company and wired $495,000 to a Hong Kong bank.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses. American toy manufacturer, Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email.  Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam.  Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Scam of the day – May 2, 2016 – Another new USAA phishing scam

May 2, 2016 Posted by Steven Weisman, Esq.

Yet another phishing email is turning up purporting  to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to resolve security issues.  Like many phishing emails,this one tries to convince you into thinking you must click on a link and provide personal information or suffer dire consequences when the truth is that if you click on the link or provide personal information, you will become a victim of identity theft as the criminal will use the information you provide to make you a victim of identity theft.  Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft.  Here is a copy of the newest phishing email that is presently circulating.  DO NOT CLICK ON THE CONTINUE BUTTON.  As phishing emails go, the graphics are pretty impressive, however there are several grammatical errors including the word “temporal” being used instead of “temporary”.  It also  should be noted that the email is directed to “Dear Valued Customer” rather than your name and no account number is provided.  These are further indications that this is a scam.  Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you.  Obviously if you receive this email and you do not have an account with USAA, you know it is a scam, however, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate.  Remember, even paranoids have enemies.

Scam of the day – April 21, 2016 – Criminals steal nuts

April 21, 2016 Posted by Steven Weisman, Esq.

Stealing nuts may not sound like a profitable criminal enterprise, but with the worldwide popularity of  nuts as a healthy snack and truckloads of nuts such as walnuts, almonds or pistachios valued as high as $500,000, criminals, particularly in California have increasingly targeted the nut industry in the last few years.  Last year alone the number of cases of truckloads of nuts being stolen exceeded the total number of the previous three years with the cost to nut companies reaching 4.6 million dollars.

Today’s thieves often use technology as part of their arsenal with criminals using spear phishing techniques to hack into the computers of the nut companies to find out when shipments are ready to be picked up.  Sometimes the criminals arrive at the nut warehouses with counterfeit shipping papers and pick up truckloads of these valuable products.  Other times, the criminals pose as legitimate companies and hire a legitimate trucking company to pick up the nuts and then tell the truck driver that there has been a change of plans and divert the shipment.

Nuts are a valuable commodity on the black market, particularly in Europe and Asia.  In addition, it is hard to track nuts.  They contain no serial numbers and are easy to transport leaving little evidence of a crime.

TIPS

The nut industry is busy adapting to these new threats while the criminals continue to adapt to new security measures.  Better data security at nut companies will help.  In addition, many companies are now requiring photo IDs and fingerprint identification of drivers picking up nuts for delivery.  Confirmation of orders is also something that will help.  But for now the criminals seem to be getting much more than peanuts out of this crime.

Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents with features for electronic signatures.  The company is used by many companies.  Recently I received a phishing email, reproduced below that purported to be from an attorney that I know and with whom I do business asking me to click on a link to open a document that needed my signature.  The phishing email looked very professional and contained the DocuSign logo and appeared legitimate.  In the copy of the email below, I have blocked out the name and other personal information used to identify the attorney who was purported to have sent me the document.  DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the person receiving the email to click on the link and either provide personal information that could be used for identity theft, or, as more likely in this particular phishing attempt, merely by clicking on the link would have downloaded keystroke logging malware into the computer of the person clicking on the link.  This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft.  This email was particularly dangerous because it came from someone with whom I do business whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document
 

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice as to never click on a link regardless of how legitimate the email or text message may appear until confirming that the message is legitimate.  I emailed back to the attorney and asked him to confirm that it was legitimate and answer a question which I knew only he would know the answer to.  The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear.  You can never be sure when you receive an email as to who is really contacting you.  Although sometimes it is obvious when the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware.  Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.

 

April 9, 2016 – Steve Weisman’s latest column for USA Today

April 9, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today which deals with the data breach at Verizon Enterprise Solutions, which, ironically, is the unit of Verizon that helps companies deal with data breaches.  However, as indicated in the column, there is a lesson to all of us in this story.

http://www.usatoday.com/story/money/columnist/2016/04/09/lessons-latest-verizon-data-breach/82677920/

Scam of the day – March 29, 2016 – SEC settles insider trading charges with Russian hedge fund manager

March 29, 2016 Posted by Steven Weisman, Esq.

As I first  reported to you this past August and numerous times thereafter as the story developed, forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania  It is estimated that between 2010 and 2015, the defendants made profits of  as much as 100 million dollars on 800 trades during this time.  In December, Alexander Garkusha, one of the defendants pleaded guilty to making trades based upon the stolen information that personally gained him $125,000. Garkusha is cooperating with the government at this time.  His sentencing is scheduled for May 6th.  In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has announced that it has settled civil charges against Moscow-based hedge fund manager David Amaryan and his funds Copperstone Alpha Fund, Copperstone Capital, Ocean Prime, Inc and Intertrade Pacific SA through which Amaryan earned more than eight million dollars in profits through the illegal scheme.  Pursuant to the settlement, Amaryan and his companies will pay the SEC ten million dollars.  Of course, as is typical in such settlements, Amaryan neither admitted nor denied any wrongdoing, however pursuant to the settlement he is prohibited from using such tactics in the future, which is akin to Amaryan saying he didn’t do anything wrong and he promises not to do it again while also agreeing to pay ten million dollars to the SEC.

TIPS

One of the biggest takeaways from this case is how easy it is to still use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Phishing and the more targeted spear phishing is also the way that the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers.   Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us, as individuals, should also learn in our own lives because identity thieves and hackers use the same phishing techniques to enable criminals to hack into the computers of individuals and steal their personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.