Scam of the day – February 11, 2017 – Arby’s suffers major data breach

Fast food company Arby’s became the latest announced victim of a major data breach which appears to have occurred between October 25, 2016 and January 19, 2017, but was only disclosed by the company yesterday.  The data breach which affected hundreds of the company owned stores, but not those of franchise owners may have resulted in more than 335,000 credit and debit cards being compromised.

As is often the case, the data breach was originally discovered by a bank which first found a pattern of fraudulent credit card use and was able to trace the source back to Arby’s restaurants.  In this case PSCU, a credit union service group for more than 800 credit unions uncovered the fraud.

At the present time it has not been determined how the point of sale credit and debit card processing equipment was compromised with the malware that was downloaded to the equipment to steal the credit and debit card information.  Often the problem can be traced back to spear phishing.

TIPS

This type of data breach continues to occur as many retail stores and restaurants still have not replaced their magnetic strip credit and debit card processing equipment with EMV chip card processing equipment. Whenever possible you should use your EMV chip card and never use your debit card for a retail purchase because the consumer protection laws regarding debit card fraud are not as strong as the laws protecting consumers from credit card fraud.

Anyone who has used their credit card at an Arby’s restaurant between October 25, 2016 and January 19, 2017 should carefully monitor their credit card statements for evidence of fraudulent use and if you find it, you should report it immediately to your credit card company.  If you used a debit card at an Arby’s restaurant during that time period, you should monitor the bank account attached to the card particularly carefully and refrain from using your debit card for retail purchases in the future.

Scam of the day – January 28, 2017 – Hacker of nude photos of celebrities sentenced

In 2014 nude photos of as many as one hundred celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and Hope Solo turned up online on websites such as Reddit.com and 4chan.org.   The photos were taken from both the Apple’s iCloud accounts of the hacked celebrities as well as their email accounts.  The hacker, a 29 year old self-described “computer nerd” named Edward Majerczyk pleaded guilty to one count of unauthorized access to a protected computer to obtain information and was sentenced earlier this week to nine months in prison.

The manner by which Majerczyk accomplished the hacking was simple, but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google security in which, under various pretenses, he requested the victims’ usernames and passwords, which he then used to access their email accounts and iCloud accounts from which he stole the photos and videos.

Using a similar tactic, Ryan Collins hacked 600 celebrities thereby obtaining nude photos, as well.  He was convicted and sentenced to eighteen months in prison.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security.    It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are.  If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – January 23, 2017 – Latest Gmail phishing scam

An effective new phishing email scam is presently circulating that is targeting users of Gmail.  It starts when you receive an email that appears to be sent from the email address of one of your real friends and, in fact, the email may have been sent from a friend’s email account that unfortunately has been hacked and taken over in order to send out phishing emails that victims will trust because it appears to come from a trusted source.  The email has an attachment and when you click on the attachment, a sign-in page for your Gmail account appears requiring you to type in your email address and password.  Unfortunately, if you do so, you have just turned over this information to a cybercriminal who can wreak havoc with this information.

TIPS

Although this particular spear phishing email scam is quite sophisticated, there are a number of simple steps you can take to prevent yourself from becoming a victim of the scam.  Primarily, you should follow my rule and never click on any link or download any attachment unless you have absolutely confirmed that the communication sending the link or attachment is legitimate.  Even if the email address from which the communication is sent appears legitimate, your friend’s email may have been hacked and it is a cybercriminal sending you the email.

It is also a good idea to use dual factor authentication when possible for your email account.  If you use dual factor authentication, such as where a one time code is sent to your smartphone each time you want to access your email, you are protected from having your email account taken over even if the cybercriminal has your password and username.  Finally, it is a good idea not to store sensitive information in your email account.

Scam of the day – December 31, 2016 – President takes action against Russian hackers

In the last Scam of the day for 2016 it is appropriate that we discuss the issue of Russian hacking of American organizations that occurred in 2015 and 2016 that were intended to influence the Presidential election.  Two days ago, President Obama ordered sanctions against Russia including the ejection of 35 Russians spies that the administration said were posing as diplomats and specific actions against three organizations that it said supported the hacking operations.  The possibility of further covert actions against Russia was also hinted at.

A day prior to the President’s announced sanctions, the Department of Homeland Security and the FBI issued a joint analysis report entitled “Grizzly Steppe – Russian Malicious Cyber Activity” in which it provided details about the hackings.  Here is a link to the report.

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

TIPS

Although the report contains important information about Russian hacking of American institutions, the report also provides a long list of specific steps that institutions and individuals can take to avoid being a victim of cybercrime.

Here are just a few of the things that all of us as individuals should consider.

  1. Backup all important information offline.
  2. Be on the alert for spear phishing. The report emphasizes, as I have warned you about for years, that the primary cause of hacking is people clicking on links in spear phishing emails that download malware.  Use both anti-phishing security software as well as your own brain to refrain from clicking on links in emails unless you have absolutely confirmed that they are legitimate.
  3. Use strong firewalls with whitelisting configurations by which only approved applications will be allowed to be downloaded on to your computers.  This is much better than blacklisting because it protects you from threats about which you know nothing.
  4. Limit the personal information you provide on social media.
  5. Use dual factor authentication whenever possible.

December 18, 2016 – Steve Weisman’s latest column for USA Today

Looking ahead to the new year and the challenges it will present in regard to cybersecurity, here is my latest column from USA Today in which I present my predictions for the world of cybersecurity for 2017.  Although it may seem a bit daunting, there are steps we can all take to protect ourselves and I will describe those in my next column.

http://www.usatoday.com/story/money/columnist/2016/12/17/think-cyberthreats-bad-now-theyll-get-worse-2017-spear-phishing-etc/95262574/

Scam of the day – December 3, 2016 – Implications of Saudia Arabian hacking

It has just been disclosed that unidentified hackers, thought to be Iranians, hacked into and destroyed thousands of computers at six Saudi Arabian government agencies including its General Authority of Civil Aviation.  This attack echoes a previous  2012 cyberattack thought to be the work of Iranian hackers that wreaked havoc on the Saudi state oil company Saudi Aramco and in fact both attacks used the same malware called Shamoon.  The malware was installed using passwords that appear to have been accessed through spear phishing emails. This escalation of cyberwarfare is indeed troubling.

TIPS

It is well established that the infrastructure of the United States including banks and a dam in New York were targeted by Iranian hackers in recent years.  The lesson for governments, companies and individuals from this latest Saudi hacking is clear.  Much greater attention has to be given to cybersecurity.  The fact that the same Shamoon malware that was used in 2012 was able to be effectively used again is an indictment of the failure of the Saudis to implement updated security software that might have thwarted this attack.  Further, as we have seen time after time, the malware appears to have been downloaded through simple spear phishing in which a Saudi employee clicked on an infected link.  Better anti-phishing analytics security software should have been used and the employees should have been better trained to avoid clicking on links in emails unless they have been confirmed to be legitimate.  There are other steps that can and should be taken as well, but these two are the best and easiest to implement.

Scam of the day – November 23, 2016 – Increased threat to ATMs

For years I have been warning you about the dangers of skimmers, which are small devices installed at ATMs, gas pumps and other card readers that are used to steal the information from your credit card or debit card to gain access to your credit or your bank account respectively.  However, recently a new threat is emerging around the world that poses a greater threat to ATM security.  Cybercriminals including the Russian cybergang known as Buhtrap are using newly developed malware to target not just individual accounts, but the internal networks of banks and ATMs in order to program the ATMs to spit out huge amounts of cash at a specific time.  This technique has been used in Taiwan and Thailand earlier this year to deliver cash to the criminals who go to the infected ATMs at a specific time when the ATM’s programming has been altered  programmed to spit out cash to the awaiting criminals.  The threat to banks around the world is quite real and has been the subject of multiple FBI warnings to financial institutions in the United States since the summer.

TIPS

In the recent attacks against banks in Taiwan and Thailand, the malware infecting the banks’ internal networks and ATM systems was installed when bank employees clicked on links in phishing emails that appeared to come from other banks or ATM vendors and unwittingly downloaded the malware enabling the cybercriminals to take over the banks’ internal systems and ATM systems.    The danger of phishing cannot be overestimated.  According to Jeh Johnson, the Secretary of the Department of Homeland Security, “the most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”

This is a lesson to us all.  Whether at work or at home, the danger of phishing emails is tremendous, but it is easy to avoid.  Install anti-phishing security software on all of your electronic devices, however, you cannot depend on this software to keep you totally safe so the best rule to follow is to never click on any link or download any attachment in an email or text message unless you have absolutely confirmed that it is legitimate.

Scam of the day – November 4, 2016 – Security flaws exploited by Russian hackers

Earlier this week it was disclosed that an older version of Microsoft’s Windows software along with the much exploited Adobe Flash software had been exploited by Russian hackers to attack computer systems to gain access to information.  The group that had done these recent hacks appears to be the same Russian hackers responsible for hacking the Democratic National Committee earlier this year.  Adobe has already issued a security update to patch the vulnerability.  A link to the security update can be found in yesterday’s Scam of the day.  Microsoft has said that it will have a security patch available on November 8th.  As soon as it is available, I will let you know here at Scamicide.  Users of Windows 10, the latest version of Windows and the Microsoft’s Edge browser are protected from the attack.

Once again, the malware necessary to spread these computer hacks was spread, as so often is the case, by spear phishing emails luring unsuspecting victims into clicking on links that downloaded the malware.

TIPS

The best thing you can do to help protect yourself from being hacked is to never click on links in emails or text messages from anyone until you have absolutely verified that the messages and the links are legitimate.  Trust me, you can’t trust anyone.

It is also important to update your security software on all of your electronic devices as soon as security updates become available.  Hackers constantly exploit vulnerabilities in software for which there already exist security patches, but which have not been installed by consumers.

Scam of the day – September 22, 2016 – New Aol phishing scam

Millions of people still use AOL.  One reason is that you get greater email privacy when compared to some other email carriers. Due to its popularity, scammers and identity thieves often send out phishing emails that appear to come from AOL, such as the one reproduced below.  The logo and format of this particular email that is presently circulating is quite poor.  Compare it to the excellent counterfeit phishing email I included in the Scam of the Day for May 31, 2014.  This one comes from an email address that has no relation to the company, AOL.  Further, it is not directed to the recipient specifically by name.  Like many similar scams, this one works by luring you into clicking on a link in the email in order to resolve a problem.  However, if you click on the link, one of two things will happen.  You either will be prompted to provide information that will be used to make you a victim of identity theft or by clicking on the link you will unwittingly download a keystroke logging malware program that will steal all of the information from your computer and use it to make you a victim of identity theft.   Here is how the email appears.  DO NOT CLICK ON THE LINK:
AOL HELP.
Your two incoming mails were placed on pending status due to the recent upgrade to our database,In order to receive the messages CLICK HERE to Login and wait for response from AOL Mail.We apologies for any inconveniences
Best Regards,
The AOL! Mail Team
TIPS
When AOL communicates with its customers about their accounts, they do so by AOL Certified Mail, which will appear as a blue envelope in your inbox and will have an official AOL Mail seal on the border of the email.  This particular email had neither and only had an easy to counterfeit Aol logo appear on the email.  Whenever you get an email, you cannot be sure of from whom it really comes.  Never click on a link unless you are absolutely sure that it is legitimate.  If you think the email might be legitimate, The best thing to do is to contact the real company that the email purports to be from at an address or phone number that you know is accurate in order to find out if the communication was legitimate or not.  Remember, never click on links in emails unless you have confirmed that they are legitimate.