Posts Tagged: ‘spear phishing’

Scam of the day – September 22, 2016 – New Aol phishing scam

September 22, 2016 Posted by Steven Weisman, Esq.

Millions of people still use AOL.  One reason is that you get greater email privacy when compared to some other email carriers. Due to its popularity, scammers and identity thieves often send out phishing emails that appear to come from AOL, such as the one reproduced below.  The logo and format of this particular email that is presently circulating is quite poor.  Compare it to the excellent counterfeit phishing email I included in the Scam of the Day for May 31, 2014.  This one comes from an email address that has no relation to the company, AOL.  Further, it is not directed to the recipient specifically by name.  Like many similar scams, this one works by luring you into clicking on a link in the email in order to resolve a problem.  However, if you click on the link, one of two things will happen.  You either will be prompted to provide information that will be used to make you a victim of identity theft or by clicking on the link you will unwittingly download a keystroke logging malware program that will steal all of the information from your computer and use it to make you a victim of identity theft.   Here is how the email appears.  DO NOT CLICK ON THE LINK:
AOL HELP.
Your two incoming mails were placed on pending status due to the recent upgrade to our database,In order to receive the messages CLICK HERE to Login and wait for response from AOL Mail.We apologies for any inconveniences
Best Regards,
The AOL! Mail Team
TIPS
When AOL communicates with its customers about their accounts, they do so by AOL Certified Mail, which will appear as a blue envelope in your inbox and will have an official AOL Mail seal on the border of the email.  This particular email had neither and only had an easy to counterfeit Aol logo appear on the email.  Whenever you get an email, you cannot be sure of from whom it really comes.  Never click on a link unless you are absolutely sure that it is legitimate.  If you think the email might be legitimate, The best thing to do is to contact the real company that the email purports to be from at an address or phone number that you know is accurate in order to find out if the communication was legitimate or not.  Remember, never click on links in emails unless you have confirmed that they are legitimate.

Scam of the day – September 15, 2016 – What the data breach at the World Anti-Doping Agency means to you

September 14, 2016 Posted by Steven Weisman, Esq.

The World Anti-Doping Agency (WADA), the international agency that enforces the rules regarding the use of performance enhancing drugs and other prohibited substances by athletes around the world was hacked, apparently by Russian hackers who released the medical files of American athletes Simone Biles, Venus Williams, Serena Williams and Elena Delle Donne.  In each case, the records show that these athletes used drugs that were permitted under the Therapeutic Use Exemptions for legitimate medical reasons.  In the case of Simone Biles, the records indicated that she took Ritalin for ADHD.  None of the use of these drugs appeared to be related to improper drug use for performance enhancement.

Perhaps the bigger aspect of this story and one that is being overlooked in much of the media is how the hacking was accomplished.  Once again it appears that the hacking was done by exploiting information obtained through spear phishing.  Spear phishing occurs when you receive an email or text message specifically tailored to you with a link in it that the victim clicks on and unwittingly downloads keystroke logging malware that enables the hacker to be able to steal all of the information from the victim’s computer or smartphone including passwords and other critical information.

TIPS

Spear phishing has been used successfully by hackers in most of the major data breaches of the last few years including Sony, Target and the Office of Personnel Management (OPM).  Spear phishing is distinguished from the usual phishing email that can be easily spotted because, unlike ordinary phishing emails and text messages, spear phishing emails and text messages often appear to come from a trusted source and contain sufficient personal or relevant information that they appear to be genuine.  Often, we are our own worst enemies because we provide too much personal information on social media that can be used by clever cybercriminals to fashion spear phishing emails and text messages.  It is for this reason that you should never click on any links in an email or text message until you have confirmed that the email is legitimate.  You should also use security software and make sure that it is constantly updated with the latest patches although even doing that won’t protect you from the newest zero day exploits which exploit computer vulnerabilities that have previously not been discovered.  It usually takes the security software companies about a month to come up with defenses against the latest zero day exploits.

Scam of the day – September 12, 2016 – Four year old data breach revealed

September 12, 2016 Posted by Steven Weisman, Esq.

It was recently disclosed that Brazzers, a porn website had been hacked four years ago.   Personal information of users of its forum in which subscribers communicated about porn movies was stolen and is now available on the Internet.  The information stolen included not only user names, email addresses and passwords, but also the substance of their  conversations in the forum, which could be embarrassing to Brazzer subscribers if the information became public leading to concerns about blackmail by cybercriminals with access to this information.  This data breach is reminiscent of the data breach at Ashley Madison, which proved to be extremely embarrassing to customers of that website that dealt with extra-marital affairs.  Of course, any data breach in which user names, email addresses and passwords are compromised poses a threat to the victims of the data breach who can be more seriously victimized by cybercriminals using that information to advance spear phishing schemes targeting the victims and luring them to click on links that will download keystroke logging malware that will steal personal information from the victim’s computer, smartphone or other electronic device and use that information to make the person a victim of identity theft.  In addition, many people use the same password for all of their accounts and once their password at one website becomes known, it can lead to attacks at other places such as online banking.

TIPS

The website Have I Been Pwned https://haveibeenpwned.com/ is a good place to go to find out if you have been victimized in a data breach.  This website gathers information about data breaches and you can put in your email address to find out if you have been a victim of any data breaches such as Brazzers where information is being circulated on the Internet.  It is also important to use a distinct and unique password for each of your online accounts so if you do become a victim of a data breach at one account, the security of your other accounts are not threatened.  Finally, for people who go to websites that they would prefer no one to know about, they should consider using a different user name and separate email address from their usual use name and email address.

Scam of the day – September 10, 2016 – A new Chase phishing email

September 10, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which  download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Reproduced below is a copy of a new phishing email presently circulating that appears to come from Chase Bank.  DO NOT CLICK ON THE LINK.  Chase is a popular target for this type of phishing email because it is one of the largest banks in the United States.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond. As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.   The grammar and spelling is good, but a minor flaw is the inconsistent capitalization in the phrase, “All Rights reserved.” Also, as so often is the case, the email is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Chase Bank Online® Department Notice:

Your online account has been suspended (Reason: the violation of terms of service).
Update and Restore your online account Now
Log On
Thank you for using Chase Bank.
Member FDIC © 2016 Chase Bank Financial Corporation. All Rights reserved.
TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would specifically direct the email to you by your name.  This email has no salutation whatsoever.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer or smartphone and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.

Scam of the day – August 30, 2016 – NASCAR team becomes victim of ransomware

August 29, 2016 Posted by Steven Weisman, Esq.

This past Spring, the computer of the crew chief of the NASCAR Circle Sport-Leavine Family Racing (CSLFR) team was infected with ransomware.  Ransomware, as regular readers of Scamicide know is malware that gets unwittingly downloaded on to a person’s or company’s computer, which when downloaded encrypts the data of the victim.  The victim is then told to either pay a ransom, generally in bitcoins within a short period of time or the hacker will destroy the data.  In this case, the racing team paid the $500 bitcoin ransom and got their  huge amounts of data back.  The particular type of ransomware used in this attack was TeslaCrypt for which there already existed security software that could have prevented the malware from being able to encrypt the files, however,  CSLFR did not have such security software on their computers.

Ransomware has become one of the most common and effective cybercrimes in the last year, successfully targeting individuals and a wide range of companies including law firms, accounting firms and even police departments.  As big data becomes more and more a part of sports teams, particularly in Major League Baseball, the National Basketball Association and the National Football League, you can expect future attacks against professional sports teams to become more common.

TIPS

The key to not becoming a victim of a ransomware attack is to prevent it in the first place.  Generally, the malware is installed unwittingly by victims when they are lured through phishing and spear phishing emails to click on links infected with the malware.  Never click on links in emails or text messages regardless of how legitimate they may appear until you have verified that it is legitimate.  You should also install anti-phishing software.  It is also important to not only have anti-malware software installed on all of your electronic devices, but to make sure that you update the security software with the latest security patches and updates.  In the case of CSLFR, they fell victim to a type of ransomware for which there already existed security software to prevent the TeslaCrypt ransomware from operating.  Always keep your security software up to date.  Finally, always back up your computer’s data daily, preferably in two different ways in order to protect your data in the event you do become a victim of ransomware.

Scam of the day – August 25, 2016 – Another Chase phishing email

August 24, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Reproduced below is a copy of a new phishing email that is presently circulating that appears to come from Chase bank.  DO NOT CLICK ON THE LINK.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.  As phishing emails go, this one is pretty good.  It looks legitimate.  However, the email address from which it was sent is that of an individual totally unrelated to Chase and is most likely the address of an email account of someone whose email account was hacked and made a part of a botnet of computers used by scammers to send out phishing emails.   The grammar and spelling is good, but as so often is the case, the email is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit.

Chase logo

Dear Chase OnlineSM Customer,
Please confirm that you or someone authorized to use your account made
the following transaction(s) on your account:

www.Chase.com/validate/account:

Your online account will be fully restored and protected after the verification process.
Thank you for being a valued customer.

Customer Service Center.
JPMorgan Chase & Co ©2016

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would not use the generic greeting “Dear Chase  OnlineSM Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.

 

Scam of the day – July 23, 2016 – Six month jail term for celebrity hacker

July 23, 2016 Posted by Steven Weisman, Esq.

Earlier this week, twenty-nine year old Andrew Helton was sentenced to six months in prison for hacking hundreds of Apple and Google accounts including many of celebrities  and stealing 161 nude or partially nude photos from thirteen people.  I first reported to you about Helton when he pleaded guilty to the hacking charges in February of this year.

Between March 2011 and May 2013, Helton used a simple phishing scheme to steal the usernames and passwords of 363 Apple and Google email accounts including those of many celebrities.  Once he had access to his victims’ email accounts he was able to access all of the contents of their email accounts including 161 sexually explicit or nude images of thirteen of his victims.  It should be noted that Helton did not post any of the stolen photos online and his case is totally unrelated to the stealing and posting of nude photos of celebrities including Jennifer Lawrence and Kate Upton that occurred in September of 2014 although a similar phishing tactic was used to obtain the usernames and passwords of the victims.

Helton obtained the usernames and passwords of his victims by sending emails to his victims that appeared to come from Apple or Google in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple or Google.  Once they entered their information, Helton had all that he needed to access his victims’ accounts.  It is interesting to note that in a letter to the court, Helton emphasized his lack of computer talent saying, “There was no expertise involved.  All I did was essentially copy and paste.” Even the email addresses of his targets were obtained from easily accessed contact lists online.  The fact that such havoc could be spread by someone without having particular computer skills points out how easily any of us can be victimized if we do not take proper precautions.

TIPS

The type of phishing scam used by Helton is one used by many other scammers and it is easy to defend against.  Always be skeptical when you are asked to provide your personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified by contacting the company that the communication is legitimate.

In addition, you should not store personal data or any photos or other material on your email account. Store such data in the cloud or some other secure place.

Scam of the day – July 4, 2016 – New Chase phishing email

July 3, 2016 Posted by Steven Weisman, Esq.

Phishing emails, by which scammers and identity thieves attempt to lure you into either clicking on links contained within the email which will download malware or providing personal information that will be used to make you a victim of identity theft, are nothing new.   They are a staple of identity thieves and scammers and with good reason because they work.  Here is a copy of a new phishing email that appears to come from Chase bank that is presently circulating.  DO NOT CLICK ON THE LINK.  Like so many phishing emails, this one attempts to lure you into responding by making you think there is an emergency to which you must respond.  As phishing emails go, this one is pretty good.  It looks legitimate.  The email address from which it is sent looks like a legitimate Chase email address instead of, as is so often the case, an email from a botnet that carries the email address of a person’s hacked computer hijacked and used to send out this type of phishing email.  The grammar and spelling is good, but as so often is the case, it is not directed to you by name and does not contain your account number in the email.  It carries a legitimate looking Chase logo, but that is easy to counterfeit. However, it also has an Uber logo at the top of the email which is extremely odd as Uber has nothing to do with Chase.

Dear Chase Online(SM) Customer

We have detected irregular activity on your account.So We Have Limited Your Account.
For your protection, you have to verify this activity before you can continue using your account.

Please Visit https://chaseonline.chase.com/Logon
to remove any restrictions placed on your account.

Reference Number: PP-184-107-163

Chase Bank – EP-MN-L20D – 200 South Sixth Street – Minneapolis, MN 55402
© 2016 Chase Bank . All rights reserved.

TIPS

There are a number of indications that this is not a legitimate email from Chase, but instead is a phishing email. Legitimate credit card companies would refer to your specific account number in the email.  They also would not use the generic greeting “Dear Chase  Online Customer,” but would rather specifically direct the email to you by your name.  As with all phishing emails, two things can happen if you click on the links provided.  Either you will be sent to a legitimate looking, but phony webpage where you will be prompted to input personal information that will be used to make you a victim of identity theft or, even worse, merely by clicking on the link, you may download keystroke logging malware that will steal all of your personal information from your computer and use it to make you a victim of identity theft.  If you receive an email like this and think it may possibly be legitimate, merely call the customer service number on the back of your credit card where you can confirm that it is a scam, but make sure that you dial the telephone number correctly because scammers have been known to buy phone numbers that are just a digit off of the legitimate numbers for financial companies, such as Chase to trap you if you make a mistake in dialing the real number.

Scam of the day – June 15, 2016 – SEC fines Morgan Stanley a million dollars over a data breach

June 15, 2016 Posted by Steven Weisman, Esq.

For over a year, the Securities and Exchange Commission (FTC) has been actively enforcing the “Safeguards Rule” requiring investment advisers to implement policies and procedures to protect the privacy and security of the information of their clients.  In 2015, R. T. Jones Capital Equities Management paid $75,000 to settle SEC charges related to the theft of customer information in a data breach.  Now Morgan Stanley Smith Barney has just agreed to pay a million dollars to settle charges that it did not have proper policies and procedures in place to protect customer information resulting in the hacking of 730,000 customer accounts and theft of information including names, phone numbers, addresses, account numbers, account balances and securities holdings.

TIPS

Regardless of how careful you are about protecting your personal information, you are only as safe and secure as the places that have your personal information with the weakest security. Therefore it is critical whenever you do business with a company that will have sensitive personal information of yours that you inquire as the commitment to security of the company and what it does to protect your data.  In this particular data breach while the information itself should not directly result in identity theft, this type of information is often gathered by cybercriminals who use it to craft carefully worded and targeted spear phishing emails that lure their victims into either trusting the email and providing personal information used by the cybercriminals for purposes of identity theft or luring the victims into clicking on malware infested links in the emails that will enable the cybercriminal to steal all of the information from your computer and use it to make you a victim of identity theft.

Scam of the day – May 17, 2016 – Russian cybercriminal innovator sentenced

May 16, 2016 Posted by Steven Weisman, Esq.

Although you probably have not heard of Nikita Kuzman or the Gozi malware he created, Kuzman has dramatically changed the world in which we live.  Kuzman, a Russian with degrees earned in computer science at two major Russian universities invented the Gozi malware which was unleashed on an unsuspecting public in 2007.  This malware was among the first to be able to steal bank account related data including usernames and passwords from the infected computers of its victims and then use this information to steal money from the victims’ accounts.  Gozi infected more than a million computers throughout the world and was used to steal tens of millions of dollars from individuals, companies and even government agencies such as NASA.  However, what distinguishes Kuzman from other cybercriminals who have created similar types of malware is that Kuzman then created the business model for implementing the use of the malware by leasing the use of Gozi to less sophisticated cybercriminals, who would pay Kuzman a fee of $500 per week for the use of the Gozi malware which would send the stolen information to computers controlled by Kuzman who would, in turn, provide the data to the criminals spreading the malware so long as they paid their weekly leasing costs.

According to Troels Oerting, the head of Interpol’s European Cybercrime Centre, there are only about a hundred cybercriminal masterminds like Guzman in the world today.  The proliferation of small and large scale computer crimes perpetrated against individuals, companies and government agencies is primarily accomplished by less accomplished cybercriminals who have purchased or leased the malware from innovators such as Kuzman who initiated this business model.  And like any business, the criminals who do create this malware also routinely provide tech support and updates for a price.

Kuzman was recently sentenced in the U.S. District Court for the Southern District of New York to various computer crimes and was required to pay a financial penalty of $6,934,979.  The prison sentence imposed was a mere 37 months of time served pending his trial.  The reason for this light sentence is that Kuzman because of his continuing cooperation with federal investigators regarding others charged with similar crimes.

TIPS

An important element of the story about the Gozi malware and other similar types of malware is that regardless of how sophisticated the malware is, it is useless until it is downloaded on to the computers of its intended victims and this is generally done not through complex software or technology, but rather by luring unsuspecting victims into clicking on links and downloading attachments in socially engineered phishing emails.  And just as the malware itself has gotten more sophisticated over the years, so have the psychologically compelling spear phishing emails used to spread the malware.  Malware tainted phishing emails formerly addressed to “Dear Customer” now come addressed to you by name and often contain sufficient personal information to cause victims to trust the emails and click on the tainted links.  The lesson is clear.  Trust me, you can’t trust anyone.  Never click on a link or download an attachment until you have absolutely confirmed that the email or text message sent with a link or attachment is legitimate.