Scam of the day – September 27, 2016 – Business email scammer sentenced

Whaling may be a term, when referring to cybercrime, with which you may not be familiar.  By now, everyone is aware of the term “phishing” which refers to the social engineering crime by which scammers send emails purporting to be from a legitimate source in which they lure you into either clicking on malware infected links or directly sending them money.   Often phishing emails are easy to spot because they may not be directed to you by name, but rather by a salutation, such as “Dear Customer” and not contain the type of information that would make you tend to believe that the email is legitimate. “Spear Phishing” is more refined phishing where the scammer has gathered, often through hacking of various websites and companies, personal information about you such that when you receive the phony email from the scammer it appears more legitimate.  The latest criminal version of this tactic is called “whaling” and it is a type of spear phishing aimed at the big fish.

In January of 2016 I told you about Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa being arrested and charged with wire fraud based on scamming 17 Texas companies out of more than $600,000 through whaling.  Amuegbunam is sent emails that appeared to be from high level company executives to lower level company employees who had the authority to wire funds on behalf of the company requesting that funds be wired to bank accounts he controlled.  The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately 740 million dollars using this technique.

The scammers who use whaling are sophisticated criminals who gather much personal information about the companies and individuals targeted before sending their whaling emails.  They use this information to tailor their emails to make them appear legitimate.  Often they are able to gather much of this information through social media such as Facebook where people sometimes have a tendency to share too much personal information.

TIPS

In the case of Amuegbunam, one of the emails he is alleged to have sent was to a company executive for Luminant Corp which is a Texas electric utility company.  However, if the company executive had looked closely at the email address of the sender, he would have noticed that the name Luminant was misspelled in the email address so that it actually read “lumniant.”  This is an easy misspelling to miss, which is why scammers are able to get email addresses that when looked at quickly may appear to come from someone at the legitimate company, rather than a scammer.  In this particular case, had the employee noticed that the email address of the sender was not legitimate, it would have saved the company $98,550.

The lesson for companies is to both educate employees as to the telltale signs of spear phishing and whaling as well as also have a confirmation protocol in place to be followed when authorizing the wiring of funds, particularly when they are being sent to companies or individuals that their company had not done business with in the past.

As for the rest of us, we should be careful to avoid spear phishing too. Consider how information that you post on social media could be used to defraud you before you post anything and remember that personal information about you and your business accounts can also be gathered through data breaches at companies with which you do business.  Therefore, as I always advise you, never click on links in emails, send money or provide personal information in response to emails that you receive regardless of how legitimate they may appear until you have confirmed that they are indeed not scams.

As for Amuegbunam, he has been sentenced to 46 months in prison and ordered to make restitution to his victims.

Scam of the day – September 26, 2017 – North Korea hacking Bitcoin exchanges

A recent report of security company FireEye disclosed that North Korea’s state operated cybercriminals have moved beyond their attacks on individual companies and the international banking system to cryptocurrency exchanges.  Cryptocurrency is the name for digital currencies first created in 2009 that have become increasingly popular. Perhaps the most well known cryptocurrency is Bitcoin.

FireEye reported about continuing cyberattacks on cryptocurrency exchanges that began earlier this year.  As with so many computer crimes, the attacks begin with spear phishing emails carrying malware that when downloaded enabled the hackers to steal from individual accounts.

It can be expected that these attacks will increase.  In fact, my prediction is that while there is little likelihood of a missile attack by North Korea on the United States in the foreseeable future, we can well expect a significant increase in cyberattacks by North Korean cybercriminals on vulnerable American companies, financial institutions and even governmental agencies.

TIPS

Bitcoins and other cryptocurrencies are popular with many people due to the anonymity involved with cryptocurrency transactions as well as the lack of fees involved in their use.  However, digital currencies, just as everything else tied to computers carry inherent vulnerabilities.  The best ways to avoid problems is to take particular care in choosing where you store your Bitcoins online.  Many Bitcoin exchanges have had security breaches and will always be a prime target for hackers.  Additionally, you should use not just a strong password, but also dual factor authentication to provide greater security, encrypt your wallet and backup your entire wallet.  Finally, make sure that your Bitcoin software is updated with the latest security patches as soon as they become available.

Scam of the day – August 26, 2017 – Business email scammer charged

The Business Email Compromise scam continues to be an effective scam perpetrated against many companies, however recently one alleged criminal operating this scam has been arrested.  Daniel Adekunie Ojo, was charged with fraud and identity theft in regard to using this scam against school systems in Connecticut and Minnesota.

Generally this scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In a variation of this scam, Ojo, posing as a school official asked for W-2s of all employees and received thousands of these documents which he used for purposes of income tax identify theft by filing phony income tax returns in the names of his victims and collected phony refunds based upon counterfeit W-2s that he submitted with the phony tax returns.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Companies should also be protective of personal information such as W-2s and should not provide it electronically unless they have confirmed that the request for the documentation is legitimate.

Scam of the day – August 16, 2017 – Hackers targeting hotel Wi-Fi

The security company Bitdefender has identified new tactics being used by a notorious hacking group known as DarkHotel to hack into the computers of hotel guests.  DarkHotel has been operating for about ten years now and until recently had been specifically targeting business travelers in order to gain access to their companies’ computers and the data contained therein. Recently , however, DarkHotel has expanded its targets to include political figures, as well.  DarkHotel has exploited vulnerabilities in hotel Wi-Fi to achieve its attacks.

A key element in the success of DarkHotel has been their successful use of spear phishing emails that have been used to lure unsuspecting victims into clicking on links and downloading malware.

TIPS

Whether you are a high profile business person, a politician or a regular citizen, spear phishing is one of the biggest threats to your security and well being.  Spear phishing emails or text messages are personally crafted emails or text messages that have been created using information about you, your job, your interests and other aspects of your life to lure you into clicking on a link and downloading malware.  Most of the major data breaches as well as personal data breaches have been initiated through phishing so the lesson is clear.  Trust me, you can’t trust anyone.  Never click on links in emails or text messages unless you have absolutely confirmed that they are legitimate.

Scam of the day – July 17, 2017 – WWE data breach puts millions at risk of identity theft

The World Wrestling Entertainment (WWE) formerly known as the World Wrestling Federation (WWF) until it lost an intellectual property dispute with the World Wide Fund For Nature (WWF), is the popular company that promotes professional wrestling around the globe.  Recently it was disclosed that databases filled with personal information of users of its website were stored in an unprotected server making them accessible to anyone who came upon them.

The good news is that the compromised information did not include credit card information or passwords, which would have posed a tremendous threat of identity theft to the people whose information was stored in the unprotected servers.  However the bad news is that the type of information that was compromised included names, email addresses, ages and other information that could be used to formulate spear phishing emails that could be used to attack the victims of the data breach.

Spear phishing occurs when you receive an email or a text message intended to lure you into clicking on a malware infected link that can be used for purposes of identity theft, ransomware or other sinister purposes. What distinguishes spear phishing from mere phishing is that with spear phishing, the communications to you have been specifically tailored with personal information to trick you into trusting it.

TIPS

One lesson from this data breach is to remember that you are only as secure as the places that have your personal information with the weakest security.  Therefore limit the places to which you provide your personal information as best you can.  In addition, there is no law that requires you to provide accurate and truthful information when going to a website asking for your age or other personal information so you can make up information to provide in order to gain access to a particular website.

Another important lesson is to always be skeptical of any email or text message that you receive that asks you to click on a link.  You can never be sure it is legitimate so never click on a link until you have confirmed that the communication is legitimate.

Finally, remember to keep all of your electronic devices updated with the latest security software recognizing that even the newest updates will not protect you from new zero day defects that have not been seen previously.

Scam of the day – June 18, 2017 – Identity thieves hack Federal Student Aid website

The Free Application for Federal Student Aid (FAFSA) is a part of the U.S. Department of Education used by college students to apply for much needed financial aid to assist them in furthering their education.  Some of the forms used in the application process require inserting information from past income tax returns.  To make the process more convenient, FAFSA provided for a data retrieval service directly to the IRS to obtain the necessary information, however scammers, such as two recently indicted men from Indiana and Georgia are alleged to have hacked into the data retrieval system of FAFSA applicants to get the tax information which they then used to commit income tax identity theft, attempting to steal approximately 12.7 million dollars in phony income tax refunds.

In response to these problems, FAFSA suspended its data retrieval system until two weeks ago when they reinstituted the Data Retrieval Tool with the IRS in a manner that the tax return information will be encrypted and hidden from view of even the borrower as well as someone hacking into the borrower’s account.

TIPS

Quite often, as Shakespeare said, the fault is not in the stars, the fault is in ourselves. Too often we become victims of identity theft when the security of particular websites, companies or government agencies that have our personal data is compromised because we provide our passwords and user names to identity thieves by falling prey to spear phishing emails or downloading malware.   It is important to never click on a link in an email or download an attachment unless you have confirmed that it is legitimate.  Also, never provide personal information to anyone unless you have confirmed that the request is legitimate.

As for students seeking to use the Data Retrieval Tool of the IRS for filing a FAFSA form, you can safely use this service by going to StudentLoans.gov.

Scam of the day – June 9, 2017 – Ukranian hacker sentenced to prison

I have been reporting to you for two years about developments in this ingenious and massive stock fraud since the story first broke.   Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine.  Now Ukranian hacker Vadym Iermolovych was sentenced to thirty months in prison and ordered to pay more than 3 million dollars in restitution for his role in this scheme.

The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania  It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades during this time.  A number of the defendants have already pleaded guilty to charges related to this scam.

The cornerstone of this scam as so many cyberscams was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by hacking into social media sites where they stole the passwords of employees of these companies who used the same passwords at work.  The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it is to still use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.   This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into the computers of us as individuals and steal our personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened.   Although it may seem difficult to have to remember so many different password, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts.  Using an easily remembered phrase as the base password such as IDon’tLikePasswords is effective.  Make it even better by adding a couple of symbols at the end such as IDon’tLikePasswords!!! and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – June 3, 2017 – Hackers and scammers turning to social media

Recent reports by various security companies are indicating that state-sponsored Russian hackers, such as those that managed to plant fake news stories in an effort to disrupt the 2016 presidential election are increasingly turning to targeting social media accounts to download malware and spread disinformation.  This is a complex story and one worth knowing more about, however, as an individual, you are also susceptible to scams, ransomware and malware downloaded through clicking on links in social media postings.

We have long known that phishing emails and the more personally targeted spear phishing emails are how most malware gets downloaded on to the computers of individuals, companies and government agencies. However, as successful as phishing is in spreading malware, postings on social media, according to cybersecurity firm ZeroFOX are twice as successful in spreading malware.

And it makes sense.

In my May 5, 2017 Scam of the day I warned you about the risks of the Facebook “10 concerts, but there is one act that I haven’t seen live” quiz.   I highlighted the fact that scammers use social media to gather personal information that can later be used to tailor a message sent through social media such as Facebook or Twitter that you are more likely to trust and click on links in the messages that will download malware.

TIPS

Trust me, you can’t trust anyone.  Always be skeptical when you receive any kind of electronic communication that requires you to click on a link in the message.  Always confirm it before clicking on the link regardless of how trustworthy it may seem.  Further, you may well consider limiting the amount of personal information that you post on social media that can be used to tailor spear phishing emails to lure you a victim of identity theft or some other scam by appealing to something in which you are known to be interested.

Scam of the day – May 30, 2017 – Apple iTunes phishing scam

Phishing emails, and the more personally tailored spear phishing emails are the most common way that people and companies are tricked into downloading malware such as ransomware or keystroke logging malware used to steal information from the victim for purposes of identity theft. Effective phishing emails will appear to be legitimate and lure victims into downloading malware filled attachments or clicking on links tainted with malware.

Reproduced below is a new phishing email presently being circulated that is one of the worst examples of a phishing email.   It purports to be from the Apple Store informing the recipient that his or her account has been used to make a purchase and urges the targeted victim to download an attachment if they did not make the purchase.

As regular readers of Scamicide have seen, many of the phishing emails we have shown you over the years are quite convincing, however this particular email is so filled with indications that it is phony, it is hard to imagine someone falling for the scam although I am sure some people will do so.

The email address of the sender has nothing to do with Apple which is an early indication that this is a scam.  There is no logo that appears on the email and the email is not addressed to anyone in particular nor does it indicate an account number.  Finally, their are spelling errors and horrible grammatical errors throughout the email.

Here is a copy of the email that is presently circulating.

“[ApplePay] – iTunes was used to purchase in App Store on Macbook Pro 13
Date and time: 27 May 2017 10.32 hrs
Transaction: 7BA6818XL0333C2U
Order number: MQ3N7F0G8Q
OS: OS X 10.12.4
Browser: Safari
Location: New York, United States of America
If the information looks familiar, you can ignore this email.
If you have not recently purchased an article or in-apps apps on a MacBook Pro 13 “
With its appIe lD and thinking that your account has been accessed,
Please read our binding and follow the instuction to back up your account.
Best regards,
AppIe account department
Copyright @ 1998-2017. 2211 N 1st St, San Jose, CA 95131, USA. All rights reserved.”
TIPS
Whenever you get any email that attempts to lure you into downloading an attachment or clicking on a link, you should be skeptical and never consider doing so unless you have absolutely confirmed that the email is legitimate.  Also, look for telltale signs that the email is a phishing email by examining the address of the sender, the spelling and grammar and a lack of your account number or name appearing although in more professionally done spear phishing emails real account numbers and your name might be used which is why it is always imperative to never click on links or download attachments unless you are totally convinced that the email is not phony.

Scam of the day – May 2, 2017 – Facebook and Google lost 100 billion dollars to a scammer

In my scam of the day for December 26, 2016 I told you about the Boston Division of the FBI warning companies about a huge surge of Business E-Mail Compromise scams (BEC).  The scam involves an email sent to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person.   At its essence, this scam is remarkably simple and relies more on simple psychology instead of sophisticated computer malware.  Often the scammers will do significant research to not only learn the name of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments.  The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In March, Evaldas Rimasauskas, a Lithuanian citizen was arrested and charged with perpetrating this type of a scam against both Facebook and Google from which he was able to steal more than a hundred million dollars by posing as a Taiwanese company, Quanta Computer which is a major supplier to American high tech companies.  When Rimasauskas was first indicted, the indictment did not provide the names of the companies he was alleged to have swindled nor the company he is alleged to have posed as, but a recent investigation by Fortune Magazine uncovered these facts.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent.  Verification protocols for wire transfers and other bill payments should be instituted including, dual factor authentication when appropriate.  Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime.  They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.