Posts Tagged: ‘spear phishing’

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses.  This particular gang has been operating since 2011, but this is their largest data theft.  The data breach was discovered by a computer security company, Hold Security who indicated that the data breach involved more than 420,000 websites around the world including those of large companies as well as small websites.  The companies hacked included companies involved in the auto industry, real estate, oil industry, consulting firms, care rental businesses, hotels, computer hardware companies, software companies and the food industry.  The gang used a technique to hack these websites that I have warned you about for two years.  They exploited security vulnerabilities in the software used to create websites, such as Adobe Cold Fusion, which has proven to be vulnerable in the past (although at this point in time, it is still too soon to know exactly which vulnerable programs were exploited) that permit a type of hacking called an SQL injection in which the hacker is able to inject his data collection software into the targeted website which can often go undetected for long periods of time.  The hacker then retrieves the collected information and then either uses it themselves for identity theft and fraudulent purposes or sell the information on black market websites to other criminals.

TIPS

The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information including your user name and password.  Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently.  If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked.  Also, do not store your user name, password or credit card information on any website.  It may be convenient for you, but it is also extremely convenient for identity thieves as well.  You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality it is coming from an identity thief.  Many of these spear phishing emails will have links and attachment that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft.  It is for this reason that I always advise you  not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate.  This is an important story and I will update you as more information becomes known.

Scam of the day – June 19, 2014 – Domino’s Pizza hacked

June 19, 2014 Posted by Steven Weisman, Esq.

Late last week, the websites of Domino’s Pizza in France and Belgium were hacked by a hacker group that calls itself Rex Mundi.  As a result of the hacking, Rex Mundi was able to obtain information including names, addresses, phone numbers, email addresses and passwords of approximately 600,000 Domino’s customers in France and Belgium.  Rex Mundi then threatened to publicly disclose the information on Monday, June 16th unless a ransom of $46,000 was paid.  As of today, Rex Mundi has not disclosed the information although it is not clear whether or not Domino’s paid the ransom.  This type of extortion is nothing new to Rex Mundi which has done so repeatedly in the past.  In 2012 it hacked and stole loan application information of thousands of customers of the payday loan company AmeriCash Advance.

TIPS

Although financial information, such as credit card data was not a part of this security breach, there is much to be concerned about for customers whose information was compromised.  Spear phishing by which victims are lured into clicking on malware infected links in legitimate-looking emails that are directed to them specifically by name rather than to “Dear Customer” often follows the release of names and email information to criminals eager to exploit this information.  Also, particularly dangerous is the unfortunate practice of many people to use the same password for all of their accounts thereby putting the online banking accounts of victims of data breaches in danger.  It is important to have a different, distinct and complex password for all of your accounts.

Scam of the day – May 22, 2014 – The real danger in the hacking of eBay

May 21, 2014 Posted by Steven Weisman, Esq.

The online auction website eBay just announced yesterday that it had been hacked and customer’s names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth of as many as 112 million customers were stolen.  At this time, it does not appear that credit card information was taken, but that is only of minor consolation.  eBay is urging its customers to change their passwords for eBay and, if you are one of the many people who use the same user name and password for all of your accounts, you should change your user name and password for those accounts as well.  If you are an eBay user, it is very important that you do this right away because it is already quite late.  Although eBay only discovered this hacking within the last couple of days, the hacking went on between late February and early March so hackers already have this information which they may be using themselves or selling on the black market to identity thieves.  eBay is already notifying its customers by email to change their passwords, but if you get such an email and it contains a link to change your password, I urge you not to click on the link because it may be an email from an identity thief posing as eBay through a counterfeit phishing email that appears to come from eBay and if you click on a link in the email, you may end up downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  Instead, I suggest you go directly to the eBay website on your own and not through a link in order to change your password.

Even though the passwords stolen were encrypted, you should not feel too safe because if your password is not complex, there are computer programs that identity thieves use to break the encryption and gain access to your password.  Once they have that password and your user name, if you are one of the many people who use the same user name and password for all of your accounts, you are in serious jeopardy in regard to all of your online accounts including your online banking.

TIPS

If you are an eBay user, go to the eBay website and change your password to a complex, but easy to remember password that includes a  combination of capital and small letters as well as other signs.  Something like “Idon’tLikePasswords!!!” would actually be a great password and easy to remember.  Also, make sure you use different passwords for each of your accounts so that when, not if, your password information is a part of a data breach, all of your accounts are not in danger.  Again, a good way to remember your password is to take the basic password and adapt it to the particular account, such as “Idon’tLikePasswordsAmazon!!!”  If you are an eBay user, you should be particularly vigilant because hackers have your contact information such that you are now more likely to receive personally adapted phishing emails which is called spear phishing by which the email you receive purporting to be from a company with which you may do business may be directed to you by name rather than “Dear customer” or the like.  As always, remember my motto, “Trust me you can’t trust anyone” and never click on links in emails unless you have absolutely confirmed that they are legitimate.  Also make sure that you have anti-malware and anti-virus security software on all of your electronic devices and keep these programs up to date with the latest patches.

Scam of the day – May 9, 2014 – Mobile app identity theft threats

May 8, 2014 Posted by Steven Weisman, Esq.

A recent report from computer security company, Kaspersky Labs confirms what I have been telling you for the last few years.  As people use their smartphones more and more, hackers and identity thieves are focusing their attention on our mobile devices.  The tactic they use is the same type of phishing technique used for years to lure people through tainted messages in emails to click on infected links that download keystroke logging malware on to their victims’ computers that then steal personal information such as credit card numbers, Social Security numbers and banking information from the computer and use that information for identity theft purposes.  Many people are far too trusting of the apps, social media and text messages on their smartphones which have now become a prime source of links with malware that unwitting victims click on and the become victims of identity theft when the identity thieves steal information from their victims’ smartphones.

TIPS

You can never trust any email, phone call, text message or any other form of communication that comes to you as being legitimate.  Never click on a link or download an attachment regardless of how your receive it even if it appears to come from a trusted source.  Your trusted source may have been hacked and you are being targeted through a technique called spear phishing where you receive a communication that appears to come from someone you trust and is addressed to you personally.  Never click on any link or download an attachment until you have confirmed that it is legitimate.  It is also important to install and maintain up to date anti-virus software and anti-malware  software on all of your electronic devices including your mobile devices.  Too many people fail to protect their smartphones even though they use them so much and store important information on them.

Scam of the day – February 19, 2014 – Syrian Electronic Army hacks Forbes.com

February 19, 2014 Posted by Steven Weisman, Esq.

The Syrian Electronic Army (SEA) , about whom I have reported to you many times (you can go to the archives of Scamicide to see these stories) has struck again.  This time its victim is Forbes.com, the website of Forbes Magazine.  For those of you unfamiliar with the Syrian Electronic Army, it is a group of hackers sympathetic to Syrian President Bashar al-Assad.  Forbes was targeted by the SEA because of what it called Forbes’ hatred for Syria.  Along with planting a false story on the Forbes website, the SEA also stole user names and email addresses of Forbes.com customers, raising the possibility of “spear phishing” attacks against Forbes.com’s customers.  The SEA has threatened to make the information available on the Internet to identity thieves.  Identity thieves who send phishing emails and texts often do so in large numbers without knowing the names of the people to whom the phony messages corrupted with keystroke logging malware are sent.  However, in spear phishing the identiy thief knows the name of the intended victim and can make the communication look more legitimate by containing the victim’s name.  In addition, the spear phishing text or email can be made to look as if it comes from Forbes.com or some other entity that is trusted and used by the victim which also can lead the victim to be less skeptical of the message and make the victim more likely to click on links in the message or download attachments to the message corrupted with malware.

TIPS

Again, the lesson is that you are only as secure as the places with the weakest security that hold your personal information.  If you are a subscriber to Forbes.com, you should change your password.  If you use the same password elsewhere, change it too.  For convenience many people make the mistake of using the same password for all of their accounts, which means that when your password is stolen from one place, all of your accounts using that password are in jeopardy.  This is a good lesson for all of us regardless of whether or not you were a victim in this particular data breach.  This hacking once again raises the question as to why major corporate websites, such as the many who have been hacked by the SEA are not doing more to keep their computers secure.  Finally, as I always remind you, never click on links in emails or text messages or download attachments unless you are absolutely sure that they a legitimate and have confirmed this to be so.

Scam of the day – February 17, 2014 – Kickstarter hacked – the lesson for all of us

February 17, 2014 Posted by Steven Weisman, Esq.

Over the last couple of years I have often reported to you about data breaches at major companies who have been hacked.  The recent Target hacking although particularly large, was not particularly unusual.  Two days ago, Kickstarter disclosed that it had been hacked.  Kickstarter is a crowdfunding platform that helps creative people raise fund for their projects by appealing to the public for funds.  In the almost four years since it was launched, Kickstarter has helped fund more than 50,000 artistic endeavors.  According to Kickstarter’s CEO, no credit card data of its customers was compromised, however user names, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen.  This information can readily lead to identity theft through a technique called “spear phishing” by which emails and text messages can be sent to the potential victims by name which may make them appear more legitimate.  These texts and emails lure people into either providing personal information under various legitimate appearing pretexts or by getting the victims to click on links or download attachments riddled with keystroke logging malware that will steal all of the information from your computer or smartphone and use it to make you a victim of identity theft.  In addition, people with weak passwords, such as  the popular”123456″ or “password” may have their Kickstarter encrypted passwords easily unencrypted providing access not only to the victim’s Kickstarter account, but possibly other accounts where the victim uses the same password.

TIPS

If you are a customer of Kickstarter, change your password immediately and everyone who uses the same password for all of their accounts should change their passwords to unique passwords for each account.  You can get detailed information as to how to pick an easy to remember, complex password in my book “50 Ways to Protect Your Identity in a Digital Age,” but a simple rule is to use a phrase, capital letters, small letters and symbols, such as “ICan’tRememberit!!!.”  This is easy to remember and hard to break.  Also, make sure that you have the most current, updated anti-malware software and anti-virus software installed on all of your electronic devices including your computer, tablet and smartphone.

Scam of the day – February 4, 2014 – What does the Yahoo email breach mean to you?

February 4, 2014 Posted by Steven Weisman, Esq.

A few days ago, Yahoo announced that its email security had been breached.  Yahoo is the second largest email provider with approximately 273 million users.  The actual breach which involved the theft of both usernames and passwords was accomplished not by hacking Yahoo directly, but rather by hacking a third party website’s database that allowed the use of Yahoo email addresses to establish customer accounts.  Similarly, the recent breach of Target also appears to have been accomplished by hacking into a Target vendor’s systems to obtain the credentials necessary to, in turn breach the security of Target.  Many people may not be particularly alarmed that all was taken in the Yahoo hacking were usernames an passwords, however, because people often use the same user name and passwords for multiple accounts, including online banking, the threat posed by this hacking could be quite serious.  In addition, these usernames and passwords could be used by identity thieves for “spear phishing” a technique by which identity thieves are able to send specifically targeted messages to potential victims that appear to come from trusted sources thereby making the potential victim more likely to click on a link or download an attachment in the email that would be riddled with malware that will steal all of the information from a person’s computer or other electronic device and use that information to make the person a victim of identity theft.

TIPS

If you haven;t already done so, change your username and password for Yahoo email if you are a user of Yahoo email.  Even if you are not a Yahoo email user, you should make sure that all of your online accounts have different user names and passwords because the risk of your being a future victim of a similar type of data breach is very high.  It is a good idea to change your passwords every few months and make sure that the password is at least eight characters long and is a mixture of letters and symbols.  For tips on how to pick a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – January 10, 2014 – Important Target update

January 11, 2014 Posted by Steven Weisman, Esq.

Yesterday, Target announced that it had just become aware that its recent hacking went beyond the credit card and debit card data including PINs of 40 million of its customers to also include names, mailing addresses and phone numbers of up to 70 million of its customers.  This disclosure means that unlike previously thought, the hacking was not limited to hacking of the point of sale credit card processing devices found at the checkout stations, but was far more extensive into the data systems of Target.  It also opens up a new avenue of scams where Target customers can expect to get contacted by phone, email or text messages from scammers posing as Target representatives who will be seeking personal information which they will use to make the Target customer a victim of identity theft.  These emails and text messages will be directly addressed to the customer by name prompting the customer to click on links or download attachments for further assistance, however, if the customer does so, he or she will only succeed in downloading a keystroke logging malware program that can steal all of the information from the victim’s computer that will also lead to the customer becoming a victim of identity theft.  Phone calls will also be directed to the customer by name and you should be wary there, as well.  This type of scam is called spear phishing.

TIPS

You can never be sure when you receive a telephone call, email or text message if the person communicating with you is who he or she represents himself to be.  Therefore, never click on links or download attachments in emails or text messages unless you are absolutely positive that the communication is legitimate and because in this case ,as in others, the identity thief has your name, the communication may appear to be directed personally to you, you cannot trust the communication merely because it appears to be legitimate.  In this case, as in others, if you think the communication may not be a scam, check it out by calling or going to the  real website of the person or company purporting to send the communication at a phone number or website that you know is correct to find out whether or not the original communication was legitimate or not.  The same goes for telephone calls.  You can never be sure who is calling, so never give personal information over the phone to anyone whom you have not called.  Instead call them back at a number you know is accurate.

Scam of the day – August 31, 2013 – Lesson of New York Times hacking

August 31, 2013 Posted by Steven Weisman, Esq.

By now you are probably aware of the recent hacking of the website of the New York Times.  A hacking group known as the Syrian Electronic Army (SEA) who are vocal supporters of embattled Syrian President Bashar Assad, managed to take over control of the New York Times’ Website and disrupt it for much of the day.  In recent weeks, the SEA has also hacked into Twitter, The Washington Post and CNN among other companies as well as another successful attack against the New York Times which apparently did not learn its lesson and tighten its security.  Without boring you with the precise details, the weakness exploited by the hackers involves the connection of corporate websites with the companies involved in the Domain Name System and underscored that when it comes to security, you are only as secure as the security of the weakest entity with which you are involved.  Using a simple technique called spear phishing, the hackers were able to fool an internet service provider in India who was tied to the New York Times website by tricking the Indian employee into downloading tainted software that enabled the hackers to get his user name and password and ultimately gain access up the line to the New York Times’ website.

TIPS

The lesson for us all is a simple one.  Your security is always in jeopardy even if you appear to be doing all the right things including not downloading attachments or clicking on links that may contain the type of malware that ultimately brought down the New York Times.  So what can you do?  Recognizing that your password and user name may be able to be hacked somewhere else other than your own electronic devices, you should consider using multiple-factor verification as much as possible.  With multiple-factor verification, access to your various accounts is protected by more than just a password and a user name.  Multiple-factor verification may require you to obtain a changing PIN through a text to your smartphone before you can log on to a particular account or you may be required to answer a security question.  Following a major hacking into Twitter, it now offers two-factor verification.  Other companies that offer it are Dropbox, Facebook, Google, Hotmail, LinkedIn, PayPal and Twitter.  It may seem like a time consuming burden to you to use multiple-factor verification, but the inconvenience is really quite slight, particularly compared to the potential problems if your accounts are hacked.

Scam of the day – June 24, 2013 – Facebook data leak

June 24, 2013 Posted by Steven Weisman, Esq.

Facebook has just announced that through a technical flaw that first started over a year ago, the telephone numbers and email addresses of six  million of its users were improperly provided to other Facebook users who downloaded contact data of their “friends.”  In and of itself, this dos not create a problem and Facebook was quick to point out that there presently is no indications that the information has been used for purposes of identity theft or the specialized form of phishing called “spear phishing” where identity thieves are able to more effectively lure their victims to websites tainted with dangerous malware that can be used to steal personal information from the victim’s computer or portable device.  In spear phishing, people are more apt to believe the phony email that starts the scam because it is directed to them by name and appears to be from a company with which they do business.  The problem is many faceted.  Many people accept too many other people as their “friends” on Facebook without even really knowing these people who in many instances are identity thieves and scam artists out to exploit their Facebook connection with their victims.  Additional personal information such as telephone numbers and email addresses can be used by identity thieves to help steal their victim’s identity .   Just as troubling is the fact that this situation once again shows that your personal information is only as safe as the person or company with the worst security measures that has your information.

TIPS

In general, you should try to limit, as much as possible, the number of places that have personal information about you.  If someone with whom you do business wants to use your Social Security number as an identifying number, you should propose to them that they use another number, such as your driver’s license number instead of your Social Security number.  In particular, as to Facebook, you should limit the amount of personal information that you provide.  Information such as your birthday or the name of your pet can put you in jeopardy as to identity theft or guessing your passwords.  For more detailed instructions as to how to protect your privacy and security on Facebook, check out my book “50 Ways to Protect Your Identity in a Digital Age.”