Posts Tagged: ‘spear phishing’

Scam of the day – May 2, 2016 – Another new USAA phishing scam

May 2, 2016 Posted by Steven Weisman, Esq.

Yet another phishing email is turning up purporting to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to resolve security issues. Like many phishing emails, this one tries to convince you that you must click on a link and provide personal information or suffer dire consequences, when the truth is that if you click on the link or provide personal information, the criminal will use the information you provide to make you a victim of identity theft. Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use that information to make you a victim of identity theft. Here is a copy of the newest phishing email that is presently circulating. DO NOT CLICK ON THE CONTINUE BUTTON. As phishing emails go, the graphics are pretty impressive; however, there are several grammatical errors, including the word “temporal” being used instead of “temporary”. It also should be noted that the email is directed to “Dear Valued Customer” rather than your name and no account number is provided. These are further indications that this is a scam. Finally, this email was sent by an email address that had nothing to do with USAA, but was undoubtedly part of a botnet of computers using email addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you. Obviously, if you receive this email and you do not have an account with USAA, you know it is a scam. However, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate. Remember, even paranoids have enemies.
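The indicators named in this post (a sender address unrelated to USAA, a "Dear Valued Customer" greeting, and a button linking elsewhere) can be checked mechanically. The following is an added example, not part of the original post; both sample messages are constructed, and the `BRAND_DOMAINS` mapping and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the named brand really sends mail and links from.
BRAND_DOMAINS = {"usaa": {"usaa.com"}}
GENERIC_GREETING = re.compile(
    r"\bdear\s+(valued\s+)?(customer|member|user|client)\b", re.I)

# Constructed sample modelled on the indicators described in the post.
SAMPLE_PHISH = """\
From: "USAA Security" <notice@mail.example.net>
Subject: Account security alert
Content-Type: text/html

<p>Dear Valued Customer,</p>
<p>We have placed a temporal hold on your account.</p>
<p><a href="http://login.example.net/verify">Continue</a></p>
"""

# Constructed sample of a message that raises none of the indicators.
SAMPLE_LEGIT = """\
From: "USAA" <alerts@usaa.com>
Subject: Your statement is ready
Content-Type: text/html

<p>Dear Jordan Smith,</p>
<p><a href="https://www.usaa.com/">Log on to view it</a></p>
"""


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # Record the href of every <a> tag in the HTML body.
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def under(host, domains):
    """True only for an exact match or a real subdomain of a listed domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(raw, brand):
    msg = message_from_string(raw)
    domains = BRAND_DOMAINS[brand]
    body = msg.get_payload()  # single-part message: payload is the body text
    findings = []
    # 1. Display name claims the brand, but the address is somewhere else.
    display, addr = parseaddr(msg.get("From", ""))
    if brand in display.lower() and not under(addr.rpartition("@")[2], domains):
        findings.append("sender-domain-mismatch")
    # 2. Greeting addresses nobody in particular.
    if GENERIC_GREETING.search(body):
        findings.append("generic-greeting")
    # 3. A web link leads to a host outside the brand's domains.
    links = LinkCollector()
    links.feed(body)
    web = [urlsplit(h) for h in links.hrefs]
    if any(u.scheme in ("http", "https") and not under(u.hostname, domains)
           for u in web):
        findings.append("off-brand-link")
    return findings
```

An empty result does not make a message safe: mail sent from a genuine but hijacked account raises none of these flags, so independent confirmation with the sender still applies.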

Scam of the day – April 21, 2016 – Criminals steal nuts

April 21, 2016 Posted by Steven Weisman, Esq.

Stealing nuts may not sound like a profitable criminal enterprise, but with the worldwide popularity of nuts as a healthy snack and truckloads of nuts such as walnuts, almonds or pistachios valued as high as $500,000, criminals, particularly in California, have increasingly targeted the nut industry in the last few years. Last year alone the number of cases of truckloads of nuts being stolen exceeded the total number of the previous three years, with the cost to nut companies reaching 4.6 million dollars.

Today’s thieves often use technology as part of their arsenal with criminals using spear phishing techniques to hack into the computers of the nut companies to find out when shipments are ready to be picked up.  Sometimes the criminals arrive at the nut warehouses with counterfeit shipping papers and pick up truckloads of these valuable products.  Other times, the criminals pose as legitimate companies and hire a legitimate trucking company to pick up the nuts and then tell the truck driver that there has been a change of plans and divert the shipment.

Nuts are a valuable commodity on the black market, particularly in Europe and Asia.  In addition, it is hard to track nuts.  They contain no serial numbers and are easy to transport leaving little evidence of a crime.

TIPS

The nut industry is busy adapting to these new threats while the criminals continue to adapt to new security measures.  Better data security at nut companies will help.  In addition, many companies are now requiring photo IDs and fingerprint identification of drivers picking up nuts for delivery.  Confirmation of orders is also something that will help.  But for now the criminals seem to be getting much more than peanuts out of this crime.

Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents with features for electronic signatures. The company is used by many companies. Recently I received a phishing email, reproduced below, that purported to be from an attorney that I know and with whom I do business asking me to click on a link to open a document that needed my signature. The phishing email looked very professional and contained the DocuSign logo and appeared legitimate. In the copy of the email below, I have blocked out the name and other personal information used to identify the attorney who was purported to have sent me the document. DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the person receiving the email to click on the link and either provide personal information that could be used for identity theft or, as is more likely in this particular phishing attempt, download keystroke logging malware into the computer of the person clicking on the link merely by clicking on it. This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft. This email was particularly dangerous because it came from someone with whom I do business whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document
 

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice as to never click on a link regardless of how legitimate the email or text message may appear until confirming that the message is legitimate.  I emailed back to the attorney and asked him to confirm that it was legitimate and answer a question which I knew only he would know the answer to.  The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear. You can never be sure when you receive an email as to who is really contacting you. Sometimes it is obvious when the email address of the sender does not correspond to who is represented as sending the email, but other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware. Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.

 

April 9, 2016 – Steve Weisman’s latest column for USA Today

April 9, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today which deals with the data breach at Verizon Enterprise Solutions, which, ironically, is the unit of Verizon that helps companies deal with data breaches.  However, as indicated in the column, there is a lesson to all of us in this story.

http://www.usatoday.com/story/money/columnist/2016/04/09/lessons-latest-verizon-data-breach/82677920/

Scam of the day – March 29, 2016 – SEC settles insider trading charges with Russian hedge fund manager

March 29, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and numerous times thereafter as the story developed, forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades during this time. In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000. Garkusha is cooperating with the government at this time. His sentencing is scheduled for May 6th. In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has announced that it has settled civil charges against Moscow-based hedge fund manager David Amaryan and his funds Copperstone Alpha Fund, Copperstone Capital, Ocean Prime, Inc and Intertrade Pacific SA through which Amaryan earned more than eight million dollars in profits through the illegal scheme.  Pursuant to the settlement, Amaryan and his companies will pay the SEC ten million dollars.  Of course, as is typical in such settlements, Amaryan neither admitted nor denied any wrongdoing, however pursuant to the settlement he is prohibited from using such tactics in the future, which is akin to Amaryan saying he didn’t do anything wrong and he promises not to do it again while also agreeing to pay ten million dollars to the SEC.

TIPS

One of the biggest takeaways from this case is how easy it is to still use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Phishing and the more targeted spear phishing is also the way that the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers.   Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us, as individuals, should also learn in our own lives because identity thieves and hackers use the same phishing techniques to enable criminals to hack into the computers of individuals and steal their personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Scam of the day – March 28, 2016 – Verizon Enterprise Solutions suffers data breach

March 28, 2016 Posted by Steven Weisman, Esq.

Announcements of data breaches are generally not terribly startling these days; however, the recent announcement by Verizon Enterprise Solutions acknowledging that it had suffered a massive data breach is particularly noteworthy because Verizon Enterprise Solutions is the unit of Verizon that assists companies when they have become victims of data breaches. OOPS! In fact, one of the things that Verizon Enterprise Solutions does every year is issue an annual data breach investigations report that is read by many. Next year, it appears the report will be including information about their own data breach. According to Verizon, they recently discovered and fixed “a security vulnerability on our enterprise client portal.” According to Verizon, the information accessed by the hackers was limited to basic contact information for many of its customers. According to Verizon, no customer proprietary network information (CPNI) was stolen. Verizon is in the process of contacting affected customers. The stolen information is already being sold on the Dark Web, where there are Internet sites on which criminals buy and sell such information.

One might question the value  to cybercriminals of the theft of basic personal information, however, that information can be quite valuable for creating spear phishing emails that lure unsuspecting victims to click on links in the emails that contain malware that may steal more valuable data from targeted companies including banking information and credit card information.  A specifically tailored spear phishing email that appears to come from Verizon Enterprise Solutions directed by name to a specific person in the targeted company could be more likely to cause an unsuspecting employee of the targeted company to believe that the spear phishing email was legitimate and click on links or provide personal information that could be used for identity theft or cybercrime.

TIPS

This data breach is another good example of why my motto is “trust me, you can’t trust anyone.”  Regardless of how legitimate an email or text message may appear that asks you to click on a link or provide personal information, you can never be sure that such communications are legitimate.  Never click on links or provide personal information in emails or text messages until you have independently confirmed that the email or text message is indeed legitimate.  Remember, even paranoids have enemies.

Scam of the day – March 12, 2016 – Hackers steal 81 million dollars from Bangladesh bank

March 12, 2016 Posted by Steven Weisman, Esq.

Early last month cybercriminals hacked into Bangladesh’s central bank and managed to steal approximately 81 million dollars, however, it could have been worse.  If it weren’t for a spelling error, the theft could have approached a billion dollars.   Although the investigation into this crime is still in its early stages, it appears that as with so many types of cybercrimes, this one started with social engineering spear phishing which lured bank employees to unwittingly download the malware used by the hackers to infiltrate the bank’s computers and obtain not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees so that they could copy and adapt the emails by which they made their transfers appear legitimate.    Armed with this information, the cybercriminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York where the Bangladesh central bank has accounts containing billions of dollars.  The account transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines where the funds were transferred multiple times including transfers to Philippine casinos in an effort to launder the money.

Four transfer requests totaling approximately 81 million dollars were processed in this cyber bank heist when the fifth transfer request, to a supposed Sri Lankan non-profit organization, aroused suspicion with Deutsche Bank, a routing bank in the transaction, due to the misspelling of “foundation” as “fandation”, prompting a closer investigation of the transfer request. At the same time, the Federal Reserve also became suspicious at the large number of transfer requests being made to private entities instead of banks, halted the remaining transfer requests and contacted the Bangladesh central bank.

TIPS

All businesses and governmental agencies have got to do a better job at cybersecurity in general. In particular, greater attention has to be paid to the dangers of social engineering spear phishing, which has been at the root of almost all of the major data breaches at both companies like Target and governmental agencies, such as the Office of Personnel Management.

Scam of the day – February 20, 2016 – Nine new defendants in cyber stock scam

February 20, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and twice thereafter, more than thirty people were indicted in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades during this time. In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000. Garkusha is cooperating with the government at this time. His sentencing is scheduled for May 6th. In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has filed fraud charges against nine new defendants in this case including both companies and individuals who traded with a brokerage company in Malta using the stolen information.

TIPS

One of the biggest takeaways from this case is how easy it is to still use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Phishing and the more targeted spear phishing is also the way that the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers.   Apparently corporations still have not learned to train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us, as individuals, should also learn in our own lives because identity thieves and hackers use the same phishing techniques to enable the stealing of the identities of individual victims.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Scam of the day – February 14, 2016 – FBI and British law enforcement arrest alleged hacker of CIA director

February 14, 2016 Posted by Steven Weisman, Esq.

As first reported by CNN, British law enforcement in conjunction with the FBI have arrested a sixteen-year-old in Britain on charges related to the hacking of high level officials at the CIA, FBI, Department of Homeland Security, the White House and other federal agencies. Among those who were hacked by the hacker, who described himself as Cracka and often referred to a group with which he was affiliated as “Crackas With Attitude”, were CIA Director John Brennan and Director of National Intelligence James Clapper. I have previously described these hackings in earlier Scams of the day here on Scamicide. Just this past week, Cracka had released online some personal information about employees of the FBI, Justice Department and Department of Homeland Security, although the government has downplayed the significance of the recently released information as being nothing more than an internal phone directory. However, it is entirely possible that more sensitive information was also accessed by Cracka.

TIPS

Perhaps the most disturbing part of this entire scenario is not merely that email accounts and more of important government agencies and officials were hacked, but that they were hacked by a relatively unsophisticated teenaged hacker without the skills or software available to foreign governments and sophisticated cybergangs.  Once again, it initially appears that Cracka used elemental social engineering techniques to obtain the information he needed to hack his various targets.  Social engineering techniques such as spear phishing remain a huge problem to individuals, companies and governments who have not done enough to protect themselves from this threat.

Scam of the day – February 6, 2016 – American Chamber of Commerce scam

February 6, 2016 Posted by Steven Weisman, Esq.

In Romeo and Juliet, Shakespeare asked, “What’s in a name?” The answer, according to recent reports from the Better Business Bureau, is a scam if a business receives a telephone call purportedly from the American Chamber of Commerce. Business owners and employees may confuse that name with the U.S. Chamber of Commerce. There is no American Chamber of Commerce that operates in the United States, although organizations with that name operate in foreign countries such as Australia and Ireland. The caller supposedly representing the American Chamber of Commerce explains in the call that they are updating the information about the company being called in the Chamber’s latest directory and they just need to confirm some basic company information such as company officers, phone numbers and other, what would appear to be, innocuous information. But it isn’t. Once this information has been gathered, the scammers use it for more targeted spear phishing attacks against the company in a variety of scams, including phony invoices and scams in which company employees are lured into clicking on malware infected links in emails that appear to be quite legitimate due to the large amounts of accurate and relevant information contained in the email.

TIPS

Trust me, you can’t trust anyone.   This motto of mine is valuable to businesses and individuals.  Whenever you receive an email, text message or phone call, you can never be sure who actually is contacting you.  In this particular scam, even if your Caller ID would make it appear that the caller is who they say they are, Caller ID can be fooled through a technique called spoofing to make it appear that it is a legitimate person or company calling when, in fact, it is a scammer contacting you.  Providing even what would appear to be unimportant information can be used by scammers to make their spear phishing more effective and believable including phony invoices sent to the proper person in a company.  When it comes to invoices, nothing should be paid until the exact bill has been confirmed as being legitimate.  As for providing information in regard to a phone call, email or text message, the best thing to do is to refrain from providing it until you have confirmed not only that the inquiry is legitimate, but also that the company asking for the information, even if they are a real company, has a legitimate reason for having that information.  Limiting the availability of too much information about you or your company will help protect you from scams and identity theft schemes.