Posts Tagged: ‘spear phishing’

Scam of the day – April 28, 2013 – LivingSocial hacked, data on 50 million customers stolen – what it means to you

April 28, 2013 Posted by Steven Weisman, Esq.

LivingSocial, an online company that offers deals on all types of goods and services, just announced that it had been hacked and that data on 50 million of its customers was stolen. The good news is that the hackers did not get customers’ credit card numbers. The bad news is that they did get names, email addresses, dates of birth and encrypted passwords. It is important to remember that even though the passwords were encrypted, the manner in which they were encrypted means it is still possible, albeit difficult, for the hackers to crack the encryption and gain access to the passwords. The danger to LivingSocial customers should not be underestimated. Identity thieves and scam artists can use the names and email addresses for a type of scam called “spear phishing,” in which you receive a phony email from a scammer posing as a company or agency with which you have a relationship, and are lured into clicking on a link or downloading a document that contains malware, such as a keystroke logging program that can steal the information on your computer, including passwords, credit card numbers and your Social Security number, and make you a victim of identity theft. People are more likely to fall for a spear phishing scam because the email uses your name and is directed to you personally. Having your email address also makes it easier for a scammer or identity thief to take control of your email account and send phony emails, which may contain malware, to your friends. Finally, since many people use the same password for multiple accounts, if your LivingSocial password is cracked, you are in danger on every account where you use that password.

TIPS

This hacking once again illustrates that you are only as safe as the least secure company with which you do business. Never leave your credit card number stored by a company merely for convenience in making future purchases. If you are a LivingSocial user, change your password for LivingSocial as well as for every other company with which you do business. In fact, it is a good idea to change your passwords regularly and to use a different one for each company. Check your email account for indications that it has been hacked into and, if it has, follow the instructions for remedying the situation found elsewhere on Scamicide and in my book “50 Ways to Protect Your Identity in a Digital Age.” Never click on links or download attachments unless you are absolutely sure that they are legitimate, and keep your security software up to date.

April 25, 2013 – Associated Press hack attack – what it means to you

April 25, 2013 Posted by Steven Weisman, Esq.

On Tuesday, the Twitter account of the Associated Press (AP) was hacked and a phony message describing a terrorist attack on the White House was sent out to the close to two million followers of AP’s Twitter account. Immediately thereafter the Dow Jones Industrial Average lost 140 points as computerized program trading reacted automatically to the news without any verification of the truth of the report. The phony tweet was corrected within minutes and the market recovered just as quickly as it had fallen; however, the problem exposed by this hacking still remains. In May of 2010 the Dow Jones Industrial Average quickly lost almost 1,000 points due to a glitch in the computerized trading programs used on Wall Street. Problems with computerized program trading, which automatically orders trades in response to perceived information, are quite significant. However, another problem is the hacking of the sources of our information. The AP hacking is only the most recent hacking of a major provider of information. Just last week the CBS news programs “60 Minutes” and “48 Hours” were hacked. Also recently, NPR and the BBC had their Twitter accounts hacked. But it is not just the media that is being hacked. Hacking is a major problem for all companies. A recent study by Verizon indicated that 75% of the hacks done last year were by criminals seeking financial gain. Sometimes the goal is to gain trade secrets, but other times it is to steal information about customers in order to make them victims of identity theft. In 76% of the data breaches, according to the Verizon report, the hackers were able to exploit weak passwords. In 29% of the hacks, tactics such as “spear phishing” were used to install keystroke logging malware onto the hacked companies’ computers to steal their data. Spear phishing is a targeted phishing attack, often done through phony emails that contain the malware and purport to be from employees’ friends or from business partners of the companies.

TIPS

Neither government entities nor companies are doing what they need to do to properly protect their data from hacking. The Associated Press Twitter account should have been protected by two-factor authentication at login so that even if a hacker obtained the password, he still would not be able to access the account. Two-factor authentication requires not just a password, but also a code that is sent to a person’s cell phone. Some companies, such as Apple, already use this technique. The problem is that even if you and I do all we can to protect ourselves from identity theft, we are only as safe as the company or governmental agency with the worst security that holds information about us. Therefore you should limit as much as possible the places that hold your personal information, and we all should impress upon the government and private industry the absolute necessity of better data protection. The technology is available. It just has to be used.

Scam of the day – March 6, 2013 – Evernote hacking danger

March 5, 2013 Posted by Steven Weisman, Esq.

Evernote is a popular online service that helps you store notes, files, web pages and images across all of your electronic devices. It has both a free service and a premium service for which you pay. Unfortunately, Evernote is also popular with identity thieves, as evidenced by its being hacked. Evernote announced the hacking a couple of days ago. According to Evernote, the hackers managed to steal the names, email addresses and encrypted passwords of its customers. Evernote is confident that its encryption will protect the passwords of its users, but only time will tell. Evernote also stated that it did not believe that credit card numbers used by its premium customers had been accessed. Even so, premium users of Evernote should be particularly vigilant in monitoring their credit cards. Despite its position that the stolen passwords remain protected by encryption, Evernote is requiring all of its customers to set new passwords. The ONLY place to do this is on Evernote’s website at www.evernote.com.

TIPS

Users of Evernote should be particularly wary of an identity theft tactic called “spear phishing.” Spear phishing occurs when you get an email that lures you to a phony website or link, where you either provide information that is used to make you a victim of identity theft, or, by clicking on the link or downloading tainted material, cause a keystroke logging malware program to be installed that steals all of the information from your computer, including bank account numbers, Social Security number, credit card numbers and other information that makes you a quick victim of identity theft. What makes spear phishing particularly insidious is that, unlike most phishing emails, which never use your name, a spear phishing email is directed to you by name, which makes many people more trusting of it. As I always say, “Trust me, you can’t trust anyone.” Identity thieves will be contacting people by email posing as Evernote and telling them that they need to change their password by clicking on a link contained in the email or by providing other information. Do not fall for this ruse. Evernote is not contacting people by email, but the identity thieves who stole its email list will be. The only place to change your password is www.evernote.com. This is also another good example of the fact that your security is only as good as the weakest place that holds your information. Limit the places that hold personal information about you as much as possible.

Scam of the day – October 3, 2012 – Email mailbox scam

October 3, 2012 Posted by Steven Weisman, Esq.

I always share scams and identity theft schemes aimed at me because I know that if I am being targeted, so are you. Recently I received an email that purported to be from my email system administrator telling me that my email mailbox had exceeded its storage limits. This scam is particularly dangerous because, as all good scams do, it has a grain of truth and appears to be legitimate. Many of us, myself included, do not delete emails that are not important to keep, and if you truly exceed your mailbox size limit, it can affect your ability to send or receive emails. In that case, you will receive a warning from your system administrator telling you to move items to your folders and to delete items. The phony email purporting to be from your system administrator will instead tell you to reply with your account user name and password in order to increase the size of your mailbox and restore its availability. If you do, you will turn over control of your account to a scammer, who can go through your emails and take information that can make you a victim of identity theft, and who can also hijack your account to send emails to your friends and correspondents that appear to come from you but are loaded with malware that will catch them unaware. That scam is called spearphishing: your email address is hijacked and emails that look like they are coming from you are sent to your friends.

TIPS

Your real system administrator will never ask for your user name and password. If you get such an email and think that it may be legitimate, contact your system administrator at an email address or telephone number that you know is accurate to inquire about the status of your account. Any email that asks you to turn over your user name and password is undoubtedly a phishing scam.

Scam of the day – September 11, 2012 – Spearphishing

September 11, 2012 Posted by Steven Weisman, Esq.

By now, most people are aware of the scam tactic referred to as “phishing,” in which you receive an email purportedly from a legitimate company or government agency. The email has all of the appearances of being a true and legitimate communication from the company or agency, but in fact it is from an identity thief who, under the pretext of a problem with your account or some other such emergency, lures you into clicking on a link contained in the email. Unbeknownst to you, that link downloads harmful malware onto your computer, such as keystroke logging programs, sometimes called Trojan Horses, that will steal all of the information from your computer and lead to your becoming a victim of identity theft. Most often these phishing emails are not directed at you by name, but rather to you as “customer” or “consumer.” They also may appear to come from companies with which you do not do business, such as a bank where you have no accounts. However, with the epidemic of hacking of large companies and governmental agencies, many identity thieves are able to use the hacked information to send you a personalized phony email that contains your name and appears to be from a company or agency with which you actually do business, making you more likely to respond to the urging to click on the dangerous link contained in the email. This type of targeted phishing is called “spearphishing,” and it is extremely dangerous.

TIPS

Never click on links in emails unless you are absolutely sure they are legitimate. If you get such an email from a company, you should always be skeptical and make sure that you call the company or federal agency to confirm whether or not the email is legitimate before even considering clicking on the link. Merely because the email uses your name, and even your account number, does not mean that the email is legitimate.