Posts Tagged: ‘spear phishing’

Scam of the day – May 24, 2015 – CareFirst Blue Cross Blue Shield hacked

May 23, 2015 Posted by Steven Weisman, Esq.

Health insurer CareFirst Blue Cross Blue Shield became the latest victim of hacking in the health care industry.  This hacking, which was announced only a couple of days ago but occurred in June of 2014, is just the latest in a series of data breaches at major health care companies and insurers, including Anthem and Premera.  More than a hundred million people have had their personal information compromised in these data breaches, leaving them in serious danger of identity theft.  The CareFirst hacking affects more than a million of its present and former customers.  The breach was discovered a month ago during a routine forensic review of its computer networks.  Fortunately, neither Social Security numbers nor credit card numbers were lost in the data breach.  However, the hackers did manage to steal the names, email addresses, birth dates and Subscriber ID numbers of present and former customers, all of which could be used by the hackers for targeted email spear phishing, in which the intended targets of the identity thieves receive emails that appear legitimate because they are directed to the individual by name and contain personal information about him or her.  In these emails, in which the identity thief poses as a legitimate company doing business with the targeted person, the intended victim is lured either into clicking on links that deliver keystroke logging malware or into providing personal information in response to the email.  In either case, if the intended victim clicks on the link or provides the information, he or she will quickly move from intended victim to actual victim.

TIPS

Remember my motto, “Trust me, you can’t trust anyone.”  Never provide personal information to anyone who contacts you by email, text message or phone.  You can never be sure if they are legitimate.  Never click on links in emails or text messages until you have actually confirmed that the communication is legitimate.  If you think such an email or text message might be legitimate, contact the real company at a phone number or email address that you know is accurate to confirm whether or not the email or text message you received was legitimate.  With so much information about all of us available either in public databases or by way of data breaches of companies with which we do business, you can’t trust an email, text message or call regardless of how legitimate it may appear.  Always verify before providing personal information.

Scam of the day – January 19, 2015 – University employee payroll scam

January 19, 2015 Posted by Steven Weisman, Esq.

The Internet Crime Complaint Center, known as IC3, has issued an alert warning about a spear phishing scam aimed at university employees around the country.  It starts with an email addressed specifically to the intended victim by name.  The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works.  The email informs the potential victim that there has been a change in the employee’s status and that the employee is required to click on a link contained in the email.  The link takes the employee to a website that appears to be that of the Human Resources Department of the college or university where the victim works, and there the employee is prompted to input information.  The website is counterfeit.  The scam is a ruse intended to obtain the login information of the potential victim.  Once this information is provided to the scammer, he or she then logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited, so that the school sends the victim’s check to a bank account controlled by the identity thief.  In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.
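The spear phishing emails described in the CareFirst and university payroll posts above share one mechanical tell: the message claims to come from one organization, but the link it carries leads somewhere else, and the visible link text may even show the real site while the underlying target does not.  The following Python script is an added example, not code from Scamicide or from IC3; it parses a constructed sample message (the addresses and hostnames in it are made up for illustration) and flags links whose target host does not belong to the sender’s domain, or whose displayed URL differs from the real target.  The two-label “registrable domain” approximation is an assumption to keep the example self-contained; a production mail filter would consult a public suffix list.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the visible link text names the
# real HR site, but the href points at an unrelated lookalike host.
SAMPLE_EMAIL = """\
From: Human Resources <hr@university.example>
To: jane.doe@university.example
Subject: Action required: employment status change
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe,</p>
<p>Your employee status has changed. Please confirm your details at
<a href="http://university-example.hr-portal-update.example/login">https://hr.university.example/</a>
within 24 hours.</p>
</body></html>
"""

# Matches <a ... href="..."> with its visible text; good enough for mail bodies.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)


def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled part of a hostname (last two labels).
    Assumption: no public-suffix list is consulted, so hosts under suffixes
    like 'co.uk' would need a real PSL lookup in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg: Message) -> str:
    """Domain of the address in the From header, i.e. the claimed sender."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def html_body(msg: Message) -> str:
    """Return the first text/html part (or the whole body if not multipart)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/html":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def find_suspicious_links(raw: str) -> list:
    """Return (reason, href, detail) tuples for links that do not match the
    claimed sender or whose visible URL differs from the real target."""
    msg = message_from_string(raw)
    claimed = registrable_domain(sender_domain(msg))
    findings = []
    for href, text in HREF_RE.findall(html_body(msg)):
        href_dom = registrable_domain(urlparse(href).hostname or "")
        # 1) the link leads outside the domain the sender claims to be from
        if claimed and href_dom != claimed:
            findings.append(("off-domain-link", href, claimed))
        # 2) the visible text shows a URL whose host differs from the target
        shown = URL_RE.search(text)
        if shown:
            shown_dom = registrable_domain(urlparse(shown.group(0)).hostname or "")
            if shown_dom != href_dom:
                findings.append(("text-target-mismatch", href, shown.group(0)))
    return findings


if __name__ == "__main__":
    for reason, href, detail in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href} ({detail})")
```

Run against the sample, the script reports both an off-domain link and a text/target mismatch; the same message with its href pointing at the real HR host produces no findings.  A check like this catches the lookalike-link pattern but not a message whose From header itself is forged, which is why the advice in the TIPS sections to go directly to the site you know remains necessary.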

TIPS

Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays its employees through direct deposit, so everyone who is paid through direct deposit should be aware of this scam.  Remember my mantra, “trust me, you can’t trust anyone.”  Never click on links in emails unless you are sure they are legitimate.  In many instances, by clicking on the link, you are unwittingly downloading malware onto your computer or other electronic device.  You also should never provide personal information in a reply to an email.  Confirm whether or not the request for personal information is legitimate and, even then, go directly to a website for the company or other institution that you know is legitimate to provide such information.  Finally, as I have warned you many times (sorry to be a nag), use a unique password for each of your accounts so that if your password for a particular account is jeopardized, your other accounts are still safe.  This is not as difficult as it might seem.  In my book “Identity Theft Alert,” I provide instructions as to how to pick easy to remember, strong passwords.

Scam of the day – January 12, 2015 – Hackers attack German steel mill

January 12, 2015 Posted by Steven Weisman, Esq.

With all of the attention directed at the hacking of Sony Pictures by hackers associated with North Korea, much less attention was given to perhaps an even more ominous cyberattack done around the same time on a German steel mill.  Unknown hackers gained access to the steel mill’s computers, as they often do in attacks against major companies, through spear phishing of employees, luring unwitting employees to click on links or provide information under the belief that the emails they received were sent by upper management within the company.  Armed with the information gathered through the spear phishing, the hackers gained control of the blast furnaces of the steel mill, which contained intensely heated molten metal.  According to BSI, the German government’s office of information security, massive damage was done through the hacking, although BSI did not specify what physical damage occurred as a result.  This is only the second confirmed hacking event where a cyberattack has been used to destroy physical materials and equipment.  You have to go back all the way to 2007, when the Stuxnet malware was used to destroy Iranian centrifuges at a uranium enrichment plant, to find a precedent.

TIPS

Many of us have warned governments and private industry of the extreme danger posed by cyber sabotage of essential infrastructure of countries around the world.  It is hoped that, in light of this threat and the attention brought to hacking by the Sony hacking, a more concerted effort will be made by both governments and corporations to make their systems more secure.  President Obama has tried unsuccessfully for years to get Congress to act and will highlight cybersecurity in his upcoming State of the Union address.  It is hoped that his words and the words of security experts around the world will be heeded.

Scam of the day – December 15, 2014 – FBI warns American businesses of Iranian hackers

December 15, 2014 Posted by Steven Weisman, Esq.

The FBI has sent out a confidential warning to American businesses about an imminent threat of hacking by Iranian hackers who may, or may not, be state sponsored.  The attack appears to be focused on the always vulnerable educational institutions as well as energy companies, airlines and defense contractors.  The FBI warning provides detailed technical information about the different types of malware used in the attack as well as information about techniques such as spear phishing that are being used by the hackers to enable their malware to be unwittingly downloaded onto the computer networks of the targeted companies.  Spear phishing, as you may remember, is a technique whereby the victim receives a seemingly legitimate email message addressed to the victim by name that lures the victim into clicking on a link that downloads the malware used to attack the company.

TIPS

This particular Iranian hacking scheme may be the same one recently identified as Operation Cleaver by the security firm Cylance, which uncovered attacks on more than fifty companies in sixteen countries including the United States.  As for us as individuals, we need to recognize that regardless of how careful we are at protecting the security of our own personal information, that information, as seen in the recent Sony hacking, is only as safe as the companies with the weakest security practices that hold it.  Therefore, whenever possible you should limit the companies and governmental agencies that have your personal information.

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

November 11, 2014 Posted by Steven Weisman, Esq.

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing, website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at the most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.  Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

November 8, 2014 Posted by Steven Weisman, Esq.

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name.  This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.

Scam of the day – August 7, 2014 – Russian gang steals 1.2 billion user names and passwords

August 6, 2014 Posted by Steven Weisman, Esq.

It was revealed yesterday that a Russian gang of about 20 hackers committed what may be the largest data theft in history by stealing 1.2 billion user names and passwords along with 500 million email addresses.  This particular gang has been operating since 2011, but this is their largest data theft.  The data breach was discovered by a computer security company, Hold Security, which indicated that the data breach involved more than 420,000 websites around the world, including those of large companies as well as small websites.  The companies hacked included companies involved in the auto industry, real estate, the oil industry, consulting firms, car rental businesses, hotels, computer hardware companies, software companies and the food industry.  The gang used a technique to hack these websites that I have warned you about for two years.  They exploited security vulnerabilities in the software used to create websites, such as Adobe ColdFusion, which has proven to be vulnerable in the past (although at this point in time, it is still too soon to know exactly which vulnerable programs were exploited), that permit a type of hacking called SQL injection, in which the hacker is able to inject his data collection software into the targeted website, where it can often go undetected for long periods of time.  The hacker then retrieves the collected information and either uses it for identity theft and fraudulent purposes or sells it on black market websites to other criminals.
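The SQL injection the post refers to works because a website builds a database query by pasting user input into the query text, so the input can change what the query does rather than just what value it looks up.  The following Python example is added here and is not code from Scamicide, Hold Security or any of the breached sites; it uses an in-memory SQLite table with constructed sample rows to show a lookup written the vulnerable way next to the same lookup written with a bound parameter, which is the fix developers apply.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.org", "hash-a"), ("bob@example.org", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before' pattern: input spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is read as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the driver binds the value separately from the query text, so
    whatever the input contains is only ever compared as a value."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    normal = "alice@example.org"
    # Input that a legitimate email address never contains; the textbook case.
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input:  ", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input: ", lookup_vulnerable(db, crafted))
    print("parameterized, crafted:    ", lookup_parameterized(db, crafted))
```

With the normal address both functions return the single matching row; with the crafted input the concatenated query returns every row in the table, while the parameterized query returns nothing because no account has that literal string as its email.  The same lesson applies to the “data collection software” the post mentions: once the query structure is under an outsider’s control, reading or altering stored data is a matter of what SQL the site will run, and binding parameters removes that control.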

TIPS

The first thing to remember is that you are only as safe as the security of the weakest company or website that holds your personal information, including your user name and password.  Although it is an inconvenience, it is important to maintain separate, unique passwords and user names for all of your accounts and to change them somewhat frequently.  If you use the same password for a small retailer and your online banking, you become extremely vulnerable to having your bank account hacked if the retailer with which you do business is hacked.  Also, do not store your user name, password or credit card information on any website.  It may be convenient for you, but it is also extremely convenient for identity thieves.  You can expect a wave of “spear phishing” by which you will receive emails that appear to come from someone you know and trust when in reality they are coming from an identity thief.  Many of these spear phishing emails will have links and attachments that contain keystroke logging malware that, when downloaded, will permit the identity thief to steal all of your personal information from your computer and use it to make you a victim of identity theft.  It is for this reason that I always advise you not to download an attachment or click on a link unless you have confirmed and are absolutely positive that the email is legitimate.  This is an important story and I will update you as more information becomes known.

Scam of the day – June 19, 2014 – Domino’s Pizza hacked

June 19, 2014 Posted by Steven Weisman, Esq.

Late last week, the websites of Domino’s Pizza in France and Belgium were hacked by a hacker group that calls itself Rex Mundi.  As a result of the hacking, Rex Mundi was able to obtain information including names, addresses, phone numbers, email addresses and passwords of approximately 600,000 Domino’s customers in France and Belgium.  Rex Mundi then threatened to publicly disclose the information on Monday, June 16th unless a ransom of $46,000 was paid.  As of today, Rex Mundi has not disclosed the information although it is not clear whether or not Domino’s paid the ransom.  This type of extortion is nothing new to Rex Mundi which has done so repeatedly in the past.  In 2012 it hacked and stole loan application information of thousands of customers of the payday loan company AmeriCash Advance.

TIPS

Although financial information, such as credit card data was not a part of this security breach, there is much to be concerned about for customers whose information was compromised.  Spear phishing by which victims are lured into clicking on malware infected links in legitimate-looking emails that are directed to them specifically by name rather than to “Dear Customer” often follows the release of names and email information to criminals eager to exploit this information.  Also, particularly dangerous is the unfortunate practice of many people to use the same password for all of their accounts thereby putting the online banking accounts of victims of data breaches in danger.  It is important to have a different, distinct and complex password for all of your accounts.

Scam of the day – May 22, 2014 – The real danger in the hacking of eBay

May 21, 2014 Posted by Steven Weisman, Esq.

The online auction website eBay just announced yesterday that it had been hacked and that customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth of as many as 112 million customers were stolen.  At this time, it does not appear that credit card information was taken, but that is only of minor consolation.  eBay is urging its customers to change their passwords for eBay and, if you are one of the many people who use the same user name and password for all of your accounts, you should change your user name and password for those accounts as well.  If you are an eBay user, it is very important that you do this right away because it is already quite late.  Although eBay only discovered this hacking within the last couple of days, the hacking went on between late February and early March, so hackers already have this information, which they may be using themselves or selling on the black market to identity thieves.  eBay is already notifying its customers by email to change their passwords, but if you get such an email and it contains a link to change your password, I urge you not to click on the link.  It may be a counterfeit phishing email from an identity thief posing as eBay, and if you click on a link in such an email, you may end up downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.  Instead, I suggest you go directly to the eBay website on your own, and not through a link, in order to change your password.

Even though the passwords stolen were encrypted, you should not feel too safe because if your password is not complex, there are computer programs that identity thieves use to break the encryption and gain access to your password.  Once they have that password and your user name, if you are one of the many people who use the same user name and password for all of your accounts, you are in serious jeopardy in regard to all of your online accounts including your online banking.

TIPS

If you are an eBay user, go to the eBay website and change your password to a complex, but easy to remember, password that includes a combination of capital and small letters as well as other symbols.  Something like “Idon’tLikePasswords!!!” would actually be a great password and easy to remember.  Also, make sure you use different passwords for each of your accounts so that when, not if, your password information is a part of a data breach, all of your accounts are not in danger.  Again, a good way to remember your password is to take the basic password and adapt it to the particular account, such as “Idon’tLikePasswordsAmazon!!!”  If you are an eBay user, you should be particularly vigilant because hackers have your contact information, so you are now more likely to receive personally adapted phishing emails, which is called spear phishing, by which the email you receive purporting to be from a company with which you may do business may be directed to you by name rather than “Dear customer” or the like.  As always, remember my motto, “Trust me, you can’t trust anyone,” and never click on links in emails unless you have absolutely confirmed that they are legitimate.  Also make sure that you have anti-malware and anti-virus security software on all of your electronic devices and keep these programs up to date with the latest patches.

Scam of the day – May 9, 2014 – Mobile app identity theft threats

May 8, 2014 Posted by Steven Weisman, Esq.

A recent report from the computer security company Kaspersky Lab confirms what I have been telling you for the last few years.  As people use their smartphones more and more, hackers and identity thieves are focusing their attention on our mobile devices.  The tactic they use is the same type of phishing technique used for years to lure people, through tainted messages in emails, to click on infected links that download keystroke logging malware onto their victims’ computers, which then steals personal information such as credit card numbers, Social Security numbers and banking information from the computer for identity theft purposes.  Many people are far too trusting of the apps, social media and text messages on their smartphones, which have now become a prime source of links with malware that unwitting victims click on; they then become victims of identity theft when the identity thieves steal information from their smartphones.

TIPS

You can never trust any email, phone call, text message or any other form of communication that comes to you as being legitimate.  Never click on a link or download an attachment regardless of how you receive it, even if it appears to come from a trusted source.  Your trusted source may have been hacked and you may be targeted through a technique called spear phishing, where you receive a communication that appears to come from someone you trust and is addressed to you personally.  Never click on any link or download an attachment until you have confirmed that it is legitimate.  It is also important to install and maintain up to date anti-virus software and anti-malware software on all of your electronic devices, including your mobile devices.  Too many people fail to protect their smartphones even though they use them so much and store important information on them.