Posts Tagged: ‘spear phishing’

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

November 11, 2014 Posted by Steven Weisman, Esq.

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony but legitimate-appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at the most effective of these phishing websites, up to 45% of the people targeted provided the information requested.  Sometimes the scammers are merely looking to take over your email account so that they can send targeted emails to the people on your contact list that appear to come from you and may address your friends by name.  This type of phishing is called spear phishing.  Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with up-to-date anti-virus and anti-malware programs. This is important because the hacker may have tried to install keystroke logging malware that can steal all of the information from your computer.
6. Review the settings on your email account; in particular, make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing, and it is an effective tool of identity thieves for luring us into providing personal information or clicking on links or downloading attachments in official-looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, that information will be used to make you a victim of identity theft.  If you click on the link or download the attachments, you will download keystroke logging malware that will steal your personal information from your computer, and that information will likewise be used to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way its computers were hacked was by first hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September (http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/) I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others with offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and that we will see this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses.  This particular gang has been operating since 2011, but this is its largest data theft.  The data breach was discovered by a computer security company, Hold Security, which indicated that the breach involved more than 420,000 websites around the world, including those of large companies as well as small websites.  The companies hacked included companies in the auto industry, real estate, the oil industry, consulting firms, car rental businesses, hotels, computer hardware companies, software companies and the food industry.  The gang used a technique to hack these websites that I have warned you about for two years.  They exploited security vulnerabilities in the software used to create websites, such as Adobe ColdFusion, which has proven to be vulnerable in the past (although at this point in time it is still too soon to know exactly which vulnerable programs were exploited), that permit a type of hacking called SQL injection, in which the hacker is able to inject his data collection software into the targeted website, where it can often go undetected for long periods of time.  The hackers then retrieve the collected information and either use it themselves for identity theft and fraudulent purposes or sell the information on black market websites to other criminals.

TIPS

The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information, including your user name and password.  Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently.  If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked.  Also, do not store your user name, password or credit card information on any website.  It may be convenient for you, but it is also extremely convenient for identity thieves.  You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality they are coming from an identity thief.  Many of these spear phishing emails will have links and attachments that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft.  It is for this reason that I always advise you not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate.  This is an important story and I will update you as more information becomes known.

Scam of the day – June 19, 2014 – Domino’s Pizza hacked

June 19, 2014 Posted by Steven Weisman, Esq.

Late last week, the websites of Domino’s Pizza in France and Belgium were hacked by a hacker group that calls itself Rex Mundi.  As a result of the hacking, Rex Mundi was able to obtain information including names, addresses, phone numbers, email addresses and passwords of approximately 600,000 Domino’s customers in France and Belgium.  Rex Mundi then threatened to publicly disclose the information on Monday, June 16th unless a ransom of $46,000 was paid.  As of today, Rex Mundi has not disclosed the information although it is not clear whether or not Domino’s paid the ransom.  This type of extortion is nothing new to Rex Mundi which has done so repeatedly in the past.  In 2012 it hacked and stole loan application information of thousands of customers of the payday loan company AmeriCash Advance.

TIPS

Although financial information, such as credit card data was not a part of this security breach, there is much to be concerned about for customers whose information was compromised.  Spear phishing by which victims are lured into clicking on malware infected links in legitimate-looking emails that are directed to them specifically by name rather than to “Dear Customer” often follows the release of names and email information to criminals eager to exploit this information.  Also, particularly dangerous is the unfortunate practice of many people to use the same password for all of their accounts thereby putting the online banking accounts of victims of data breaches in danger.  It is important to have a different, distinct and complex password for all of your accounts.

Scam of the day – May 22, 2014 – The real danger in the hacking of eBay

May 21, 2014 Posted by Steven Weisman, Esq.

The online auction website eBay just announced yesterday that it had been hacked and that customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth of as many as 112 million customers were stolen.  At this time, it does not appear that credit card information was taken, but that is only of minor consolation.  eBay is urging its customers to change their passwords for eBay and, if you are one of the many people who use the same user name and password for all of your accounts, you should change your user name and password for those accounts as well.  If you are an eBay user, it is very important that you do this right away because it is already quite late.  Although eBay only discovered this hacking within the last couple of days, the hacking went on between late February and early March, so hackers already have this information, which they may be using themselves or selling on the black market to identity thieves.  eBay is already notifying its customers by email to change their passwords, but if you get such an email and it contains a link to change your password, I urge you not to click on the link.  It may be a counterfeit phishing email from an identity thief posing as eBay, and if you click on a link in such an email, you may end up downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  Instead, I suggest you go directly to the eBay website on your own, and not through a link, in order to change your password.

Even though the passwords stolen were encrypted, you should not feel too safe because if your password is not complex, there are computer programs that identity thieves use to break the encryption and gain access to your password.  Once they have that password and your user name, if you are one of the many people who use the same user name and password for all of your accounts, you are in serious jeopardy in regard to all of your online accounts including your online banking.

TIPS

If you are an eBay user, go to the eBay website and change your password to a complex but easy to remember password that includes a combination of capital and small letters as well as other symbols.  Something like “Idon’tLikePasswords!!!” would actually be a great password and easy to remember.  Also, make sure you use different passwords for each of your accounts so that when, not if, your password information is a part of a data breach, all of your accounts are not in danger.  Again, a good way to remember your password is to take the basic password and adapt it to the particular account, such as “Idon’tLikePasswordsAmazon!!!”  If you are an eBay user, you should be particularly vigilant because hackers have your contact information, so you are now more likely to receive personally adapted phishing emails.  This is called spear phishing: the email you receive, purporting to be from a company with which you may do business, may be directed to you by name rather than “Dear customer” or the like.  As always, remember my motto, “Trust me, you can’t trust anyone,” and never click on links in emails unless you have absolutely confirmed that they are legitimate.  Also make sure that you have anti-malware and anti-virus security software on all of your electronic devices and keep these programs up to date with the latest patches.

Scam of the day – May 9, 2014 – Mobile app identity theft threats

May 8, 2014 Posted by Steven Weisman, Esq.

A recent report from the computer security company Kaspersky Lab confirms what I have been telling you for the last few years.  As people use their smartphones more and more, hackers and identity thieves are focusing their attention on our mobile devices.  The tactic they use is the same type of phishing technique used for years to lure people, through tainted messages in emails, into clicking on infected links that download keystroke logging malware onto their victims’ computers.  That malware then steals personal information such as credit card numbers, Social Security numbers and banking information from the computer, and the thieves use that information for identity theft.  Many people are far too trusting of the apps, social media and text messages on their smartphones, which have now become a prime source of links with malware that unwitting victims click on; they then become victims of identity theft when the identity thieves steal information from their smartphones.

TIPS

You can never trust any email, phone call, text message or any other form of communication that comes to you as being legitimate.  Never click on a link or download an attachment, regardless of how you receive it, even if it appears to come from a trusted source.  Your trusted source may have been hacked and you may be targeted through a technique called spear phishing, where you receive a communication that appears to come from someone you trust and is addressed to you personally.  Never click on any link or download an attachment until you have confirmed that it is legitimate.  It is also important to install and maintain up-to-date anti-virus software and anti-malware software on all of your electronic devices, including your mobile devices.  Too many people fail to protect their smartphones even though they use them so much and store important information on them.

Scam of the day – February 19, 2014 – Syrian Electronic Army hacks Forbes.com

February 19, 2014 Posted by Steven Weisman, Esq.

The Syrian Electronic Army (SEA), about which I have reported to you many times (you can go to the archives of Scamicide to see these stories), has struck again.  This time its victim is Forbes.com, the website of Forbes Magazine.  For those of you unfamiliar with the Syrian Electronic Army, it is a group of hackers sympathetic to Syrian President Bashar al-Assad.  Forbes was targeted by the SEA because of what it called Forbes’ hatred for Syria.  Along with planting a false story on the Forbes website, the SEA also stole user names and email addresses of Forbes.com customers, raising the possibility of “spear phishing” attacks against Forbes.com’s customers.  The SEA has threatened to make the information available on the Internet to identity thieves.  Identity thieves who send phishing emails and texts often do so in large numbers without knowing the names of the people to whom the phony messages, corrupted with keystroke logging malware, are sent.  However, in spear phishing the identity thief knows the name of the intended victim and can make the communication look more legitimate by including the victim’s name.  In addition, the spear phishing text or email can be made to look as if it comes from Forbes.com or some other entity that is trusted and used by the victim, which can also lead the victim to be less skeptical of the message and more likely to click on links in the message or download attachments corrupted with malware.

TIPS

Again, the lesson is that you are only as secure as the places with the weakest security that hold your personal information.  If you are a subscriber to Forbes.com, you should change your password.  If you use the same password elsewhere, change it too.  For convenience many people make the mistake of using the same password for all of their accounts, which means that when your password is stolen from one place, all of your accounts using that password are in jeopardy.  This is a good lesson for all of us, regardless of whether or not you were a victim in this particular data breach.  This hacking once again raises the question as to why major corporate websites, such as the many that have been hacked by the SEA, are not doing more to keep their computers secure.  Finally, as I always remind you, never click on links in emails or text messages or download attachments unless you are absolutely sure that they are legitimate and have confirmed this to be so.

Scam of the day – February 17, 2014 – Kickstarter hacked – the lesson for all of us

February 17, 2014 Posted by Steven Weisman, Esq.

Over the last couple of years I have often reported to you about data breaches at major companies that have been hacked.  The recent Target hacking, although particularly large, was not particularly unusual.  Two days ago, Kickstarter disclosed that it had been hacked.  Kickstarter is a crowdfunding platform that helps creative people raise funds for their projects by appealing to the public for funds.  In the almost four years since it was launched, Kickstarter has helped fund more than 50,000 artistic endeavors.  According to Kickstarter’s CEO, no credit card data of its customers was compromised; however, user names, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen.  This information can readily lead to identity theft through a technique called “spear phishing,” by which emails and text messages can be sent to the potential victims by name, which may make them appear more legitimate.  These texts and emails lure people either into providing personal information under various legitimate-appearing pretexts or into clicking on links or downloading attachments riddled with keystroke logging malware that will steal all of the information from your computer or smartphone and use it to make you a victim of identity theft.  In addition, people with weak passwords, such as the popular “123456” or “password,” may have their encrypted Kickstarter passwords easily decrypted, providing access not only to the victim’s Kickstarter account, but possibly to other accounts where the victim uses the same password.

TIPS

If you are a customer of Kickstarter, change your password immediately, and everyone who uses the same password for all of their accounts should change their passwords to unique passwords for each account.  You can get detailed information as to how to pick an easy to remember, complex password in my book “50 Ways to Protect Your Identity in a Digital Age,” but a simple rule is to use a phrase, capital letters, small letters and symbols, such as “ICan’tRememberit!!!”  This is easy to remember and hard to break.  Also, make sure that you have the most current, updated anti-malware software and anti-virus software installed on all of your electronic devices, including your computer, tablet and smartphone.

Scam of the day – February 4, 2014 – What does the Yahoo email breach mean to you?

February 4, 2014 Posted by Steven Weisman, Esq.

A few days ago, Yahoo announced that its email security had been breached.  Yahoo is the second largest email provider, with approximately 273 million users.  The actual breach, which involved the theft of both usernames and passwords, was accomplished not by hacking Yahoo directly, but rather by hacking a third party website’s database that allowed the use of Yahoo email addresses to establish customer accounts.  Similarly, the recent breach of Target also appears to have been accomplished by hacking into a Target vendor’s systems to obtain the credentials necessary to, in turn, breach the security of Target.  Many people may not be particularly alarmed that all that was taken in the Yahoo hacking was usernames and passwords; however, because people often use the same user name and password for multiple accounts, including online banking, the threat posed by this hacking could be quite serious.  In addition, these usernames and passwords could be used by identity thieves for “spear phishing,” a technique by which identity thieves are able to send specifically targeted messages to potential victims that appear to come from trusted sources, thereby making the potential victim more likely to click on a link or download an attachment in the email that would be riddled with malware that will steal all of the information from a person’s computer or other electronic device and use that information to make the person a victim of identity theft.

TIPS

If you haven’t already done so, change your username and password for Yahoo email if you are a user of Yahoo email.  Even if you are not a Yahoo email user, you should make sure that all of your online accounts have different user names and passwords because the risk of your being a future victim of a similar type of data breach is very high.  It is a good idea to change your passwords every few months and to make sure that each password is at least eight characters long and is a mixture of letters and symbols.  For tips on how to pick a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – January 10, 2014 – Important Target update

January 11, 2014 Posted by Steven Weisman, Esq.

Yesterday, Target announced that it had just become aware that its recent hacking went beyond the credit card and debit card data, including PINs, of 40 million of its customers to also include names, mailing addresses and phone numbers of up to 70 million of its customers.  This disclosure means that, contrary to what was previously thought, the hacking was not limited to the point of sale credit card processing devices found at the checkout stations, but reached far more extensively into the data systems of Target.  It also opens up a new avenue of scams: Target customers can expect to be contacted by phone, email or text messages from scammers posing as Target representatives who will be seeking personal information which they will use to make the Target customer a victim of identity theft.  These emails and text messages will be directly addressed to the customer by name, prompting the customer to click on links or download attachments for further assistance; however, if the customer does so, he or she will only succeed in downloading a keystroke logging malware program that can steal all of the information from the victim’s computer, which will also lead to the customer becoming a victim of identity theft.  Phone calls will also be directed to the customer by name, and you should be wary there as well.  This type of scam is called spear phishing.

TIPS

You can never be sure, when you receive a telephone call, email or text message, that the person communicating with you is who he or she claims to be.  Therefore, never click on links or download attachments in emails or text messages unless you are absolutely positive that the communication is legitimate.  Because in this case, as in others, the identity thief has your name, the communication may appear to be directed personally to you, so you cannot trust the communication merely because it appears to be legitimate.  In this case, as in others, if you think the communication may not be a scam, check it out by calling or going to the real website of the person or company purporting to send the communication, using a phone number or website address that you know is correct, to find out whether or not the original communication was legitimate.  The same goes for telephone calls.  You can never be sure who is calling, so never give personal information over the phone to anyone whom you have not called.  Instead, call them back at a number you know is accurate.