Posts Tagged: ‘spear phishing’

Scam of the day – February 6, 2016 – American Chamber of Commerce scam

February 6, 2016 Posted by Steven Weisman, Esq.

In Romeo and Juliet, Shakespeare asked, “What’s in a name?”  The answer, according to recent reports from the Better Business Bureau, is a scam if a business receives a telephone call purportedly from the American Chamber of Commerce.  Business owners and employees may confuse that name with the U.S. Chamber of Commerce.  There is no American Chamber of Commerce operating in the United States, although organizations with that name operate in foreign countries such as Australia and Ireland.  The caller, supposedly representing the American Chamber of Commerce, explains that they are updating the information about the company being called for the Chamber’s latest directory and just need to confirm some basic company information such as company officers, phone numbers and other apparently innocuous details.  But it isn’t innocuous.  Once this information has been gathered, the scammers use it for more targeted spear phishing attacks against the company in a variety of scams, including phony invoices and emails that lure employees into clicking on malware infected links.  Those emails appear quite legitimate precisely because of the large amount of accurate and relevant information they contain.

TIPS

Trust me, you can’t trust anyone.   This motto of mine is valuable to businesses and individuals alike.  Whenever you receive an email, text message or phone call, you can never be sure who is actually contacting you.  In this particular scam, even if your Caller ID makes it appear that the caller is who they say they are, Caller ID can be fooled through a technique called spoofing, which makes a call look like it comes from a legitimate person or company when, in fact, it is a scammer contacting you.  Even information that appears unimportant can be used by scammers to make their spear phishing more effective and believable, including phony invoices sent to the right person in a company.  When it comes to invoices, nothing should be paid until the exact bill has been confirmed as legitimate.  As for providing information in response to a phone call, email or text message, the best thing to do is to refrain until you have confirmed not only that the inquiry is legitimate, but also that the company asking for the information, even if it is a real company, has a legitimate reason for having it.  Limiting the availability of information about you or your company will help protect you from scams and identity theft schemes.

Scam of the day – January 12, 2016 – Data on 320,000 customers of Time Warner Cable stolen

January 12, 2016 Posted by Steven Weisman, Esq.

Time Warner Cable is the country’s second largest cable telecommunications company.  Recently the FBI discovered that personal information, including email addresses and passwords, of 320,000 Time Warner Cable customers had been stolen.  It has not yet been determined whether the data was lost as a result of a hacking of Time Warner Cable’s own computers or of one of the companies it uses to handle account data.  This again points out the problem that your data is only as safe as the weakest security among the companies that hold it.

TIPS

Time Warner Cable is contacting its customers by email and advising them to change their passwords.  If you are a Time Warner Cable customer, you should change your password even if you do not receive an email from the company urging you to do so, and if you used the same password anywhere else, change it there too.  This is also a reminder to all of us to use unique passwords for all of our accounts so that in the event of a data breach such as this one, your other accounts are not in jeopardy.  Finally, information stolen in hackings such as this is often used by scammers for spear phishing emails, which are phishing emails that appear to come from a company with which you do business and prompt you to click on links within the email or provide personal information.  Because the email has been tailored to you personally, it is easy to fall prey to such a scam, which is why you should remember one of my primary rules, “trust me, you can’t trust anyone.”  Never provide personal information or click on links in emails unless you have independently confirmed that they are legitimate.

Scam of the day – January 4, 2016 – Nigerian charged with “whaling”

January 4, 2016 Posted by Steven Weisman, Esq.

Whaling, as a cybercrime term, may be one with which you are not familiar.  By now, everyone is aware of the term “phishing,” which refers to the social engineering crime in which scammers send emails purporting to be from a legitimate source and lure you into either clicking on malware infected links or directly sending them money.   Often phishing emails are easy to spot because they may not be directed to you by name, but rather by a generic salutation such as “Dear Customer,” and do not contain the type of information that would make you tend to believe the email is legitimate. “Spear phishing” is more refined phishing in which the scammer has gathered, often through hacking of various websites and companies, personal information about you, so that when you receive the phony email it appears more legitimate.  The latest criminal version of this tactic is called “whaling,” and it is a type of spear phishing aimed at the big fish.

Recently, Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa, was arrested and charged with wire fraud based on scamming 17 Texas companies out of more than $600,000 through whaling.  Amuegbunam is alleged to have sent emails that appeared to be from high level company executives to lower level company employees who had the authority to wire funds on behalf of the company, requesting that funds be wired to bank accounts he controlled.  The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately 740 million dollars using this technique.

The scammers who use whaling are sophisticated criminals who gather much personal information about the companies and individuals targeted before sending their whaling emails.  They use this information to tailor their emails to make them appear legitimate.  Often they are able to gather much of this information through social media such as Facebook where people sometimes have a tendency to share too much personal information.

TIPS

In the case of Amuegbunam, one of the emails he is alleged to have sent was to a company executive at Luminant Corp, a Texas electric utility company.  However, if the executive had looked closely at the sender’s email address, he would have noticed that the name Luminant was misspelled in the domain so that it actually read “lumniant.”  Two adjacent letters swapped is an easy misspelling to miss, which is why scammers are able to register domains that, when glanced at quickly, appear to belong to the legitimate company rather than to a scammer.  In this particular case, had the executive noticed that the sender’s email address was not legitimate, it would have saved the company $98,550.
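Two transposed letters in a domain are exactly the kind of thing a machine catches more reliably than a hurried reader.  The script below is added here as an illustration and is not code from the original post.  It compares the domain of an incoming From: header against an allow-list of trusted domains and flags near misses: a one- or two-character edit of the trusted name, including a swap of two adjacent letters (which is what turns “luminant” into “lumniant”), a look-alike character sequence such as “rn” standing in for “m”, the right name under a different top-level domain, or the trusted domain buried inside a longer one.  The allow-list, the confusables table, the two-edit threshold and the sample headers are all assumptions made for the example.

```python
"""Added example: flag e-mail sender domains that merely resemble a trusted
domain, the way "lumniant.com" resembles "luminant.com".  Not code from the
original post; the allow-list, confusables table and threshold are assumptions."""
import re

# Assumed allow-list: the domains this hypothetical company treats as its own
# or as established business partners.
TRUSTED_DOMAINS = {"luminant.com", "example-bank.com"}

# Character sequences that read alike in many fonts.  Both sides of every
# comparison are normalised with this table, so "lurninant" collapses to
# "luminant".  Assumed, minimal table for the example.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(label: str) -> str:
    """Lower-case a domain label and fold look-alike sequences to one form."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1.  The swap is what
    makes 'lumniant' a single edit away from 'luminant'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def sender_domain(header_value: str) -> str:
    """Pull the domain out of a From: value such as 'Jane Doe <jane@x.com>'.
    Returns '' when no well-formed address can be found."""
    m = re.search(r"<([^<>]+)>", header_value)
    address = m.group(1) if m else header_value.strip()
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def registrable_label(domain: str) -> str:
    """The label left of the top-level domain: 'mail.luminant.com' -> 'luminant'.
    Simplification: multi-part public suffixes such as .co.uk are not handled."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>', 'unknown' or 'malformed'."""
    domain = sender_domain(header_value)
    if not domain:
        return "malformed"
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return "trusted"
    label = normalize(registrable_label(domain))
    for t in sorted(trusted):
        # Either the trusted name is embedded in a longer domain
        # ('luminant.com.evil.net') or the main label is a near miss of the
        # trusted label ('lumniant', 'lurninant', 'luminant.co').
        if t in domain or edit_distance(label, normalize(registrable_label(t))) <= max_distance:
            return f"lookalike:{t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers for the demonstration, not real messages.
    for sample in ["CEO <ceo@luminant.com>", "CEO <ceo@lumniant.com>",
                   "ceo@lurninant.com", "ceo@luminant.co",
                   "ceo@luminant.com.evil.net", "hr@totally-unrelated.org",
                   "not an address"]:
        print(f"{sample:30} -> {classify_sender(sample)}")
```

A check like this catches only look-alike domains.  A message whose display name says “CEO” but whose address is a free webmail account, or one sent from an executive’s genuinely compromised mailbox, passes it, which is why a wire request still needs the separate confirmation step discussed below.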

The lesson for companies is both to educate employees about the telltale signs of spear phishing and whaling and to have a confirmation protocol in place that must be followed before authorizing the wiring of funds, particularly when the funds are being sent to companies or individuals with which the company has not done business in the past.  That confirmation should happen outside the email conversation, for example by a call to a phone number already on file for the requester, since replying to the email only reaches the scammer.

As for the rest of us, we should be careful to avoid spear phishing too.  Consider how information you post on social media could be used to defraud you before you post anything, and remember that personal information about you and your business accounts can also be gathered through data breaches at companies with which you do business.  Therefore, as I always advise, never click on links in emails, send money or provide personal information in response to emails you receive, regardless of how legitimate they may appear, until you have confirmed that they are indeed not scams.

Scam of the day – December 29, 2015 – Data on 191 million American voters exposed online

December 29, 2015 Posted by Steven Weisman, Esq.

In a disturbing discovery, security researcher Chris Vickery announced that he found a database of information on more than 191 million American voters from all fifty states exposed on the Internet due to an incorrectly configured database.  The information includes the names, addresses, phone numbers, dates of birth and political affiliations of the people in the database.  Chris Vickery, you may remember, was the researcher who also recently found a similar data exposure at the Hello Kitty website.  There is no indication at this time that the information has been accessed by identity thieves and scammers, who could use it to advance any number of illegal activities, such as spear phishing to lure people into downloading keystroke logging malware that would let the identity thief steal the victim’s personal information from their computer and use it to make them a victim of identity theft.  As I write this Scam of the day, the exposed database remains available online.

Voter registration data is a matter of public record in most states.  The various states have differing rules limiting the use of the data.  For instance, South Dakota requires that such data not be provided to people for commercial use.  Compiling all of the data from all of the states is a time consuming effort, but the effort is worthwhile for companies that gather the data and sell it to political campaigns to assist them in getting their message out in an effective and targeted manner.

TIPS

This is just another example of the need for greater regulation of access to the vast amounts of personal information about all of us that is so readily accessible in the computer age.  It also serves as a warning to everyone to follow my motto, “trust me, you can’t trust anyone.”  Scammers and identity thieves with access to personal information about you can tailor their messages and scams to appear more legitimate because of what they already know about you, which is why you should never provide personal information such as credit card numbers, bank account information or Social Security numbers to anyone who contacts you unless you have confirmed that they are legitimate.  Too often the contact is a scammer or identity thief who is using personal information gained elsewhere to entice you, under some legitimate sounding guise, into providing further personal information that will in turn be used to make you a victim of identity theft or a scam.

Scam of the day – December 21, 2015 – Phony job scams on LinkedIn

December 21, 2015 Posted by Steven Weisman, Esq.

LinkedIn is a popular social media website used by business professionals to network with other professionals.  According to LinkedIn, it has more than 400 million users.  LinkedIn is used by these people to get ideas, explore opportunities and even to list job postings.  Anything with 400 million members is attractive to scam artists, so it is not surprising that scammers are constantly trying, and often succeeding, to post phony job offers despite the best efforts of LinkedIn to recognize and take down these phony ads.  Here at Scamicide we have been reporting on job scams at LinkedIn for two years. Security software company Symantec recently issued a warning about an increase during the last year in LinkedIn job scams.   Symantec identified a common pattern found in many of these phony job listings on LinkedIn.  The pattern includes fake accounts set up by the scammers posing as recruiters for nonexistent businesses.  They also often use photographs of women obtained from stock image websites or copied from other online sources.  To make the ads seem more legitimate, they copy the exact wording of real advertisements appearing elsewhere.   What makes this scam particularly dangerous is that real recruiters use LinkedIn to contact prospective job recruits.  While some of the older job scams would ask victims for money to pay for credit checks or other administrative costs, the newer scams seem primarily to be aimed at gathering information, such as email addresses and other details about the people targeted and the companies where they work, in order to facilitate directed spear phishing used to lure employees into unwittingly downloading malware onto their companies’ computers.

TIPS

Although LinkedIn and other websites that carry job postings try to identify and either prevent or remove phony ads from appearing on their websites, you cannot depend on these companies to fully protect you.  Certainly a little skepticism helps when you see a job posting for a job that sounds too good to be true.  Ads that ask for you to pay upfront costs for any reason should be considered to be a scam.

To check on the legitimacy of photographs in these ads you can do a reverse image search using Google or websites such as tineye.com.  You can also check to see if the wording of the advertisement has been used elsewhere by merely copying a substantial amount of the text into your search engine and see what comes up.  Finally, research the company itself to determine if it is a legitimate company.  You can’t be too careful before providing someone with personal information.

Steve Weisman’s latest bankrate.com column

October 16, 2015 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for bankrate.com entitled “Don’t get hooked by spear phishing.”

http://www.bankrate.com/financing/identity-protection/dont-get-hooked-by-spear-phishing/

Scam of the day – September 20, 2015 – Stock trading hackers and SEC settle charges

September 20, 2015 Posted by Steven Weisman, Esq.

In mid August I told you about the SEC civil action against thirty-two people charged in the largest hacking and securities fraud enterprise in American history.  The group of defendants is made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release.  This enabled the stock traders to make trades based on this inside information before it became known to the public.  It is estimated that between 2010 and 2015 the defendants made profits of 100 million dollars on 800 trades.

Now, the SEC has settled the claims against two of the defendants, Jaspen Capital Partners Limited, a Ukrainian company, and its CEO Andriy Supranonok, who, the SEC alleged, made 25 million dollars in illegal profits from this enterprise.  It is interesting to note, however, that not only did the SEC decide to pursue this case civilly rather than criminally, but in its settlement the defendants were not required to admit responsibility.  In effect, what the defendants did is deny that they did anything wrong and promise not to do it again.  They did, however, pay a fine of 30 million dollars, which is 5 million dollars more than they earned through their improper actions.

TIPS

The question of when the SEC and the Justice Department prosecute white collar crimes as civil violations and when as criminal violations is a major topic of discussion, with many people believing that white collar crime is not prosecuted criminally often enough to serve as a disincentive to would-be white collar criminals.

However, for all of us as individuals, one of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data.  Apparently corporations still have not learned to train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers.  This lesson is one that each of us as individuals should also learn in our own lives, because identity thieves and hackers use the same phishing technique to steal the identities of individual victims.  Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate.  It well could lead to keystroke logging malware that will steal information from your computer.  Also, remember that you cannot rely on your anti-malware software alone to protect you: software that recognizes malware by signature can only detect what its vendor has already seen, so it necessarily lags behind newly released malware.

Scam of the day – September 14, 2015 – Federal government unveils new cybersecurity plan

September 13, 2015 Posted by Steven Weisman, Esq.

It is no secret that the federal government, as evidenced by the recent hacking of the Office of Personnel Management (OPM) in which personnel data on 22 million people was stolen, is a target of hackers, both nation-state and ordinary (or perhaps not so ordinary) criminals.  The OPM data breach was initiated through a phishing email, as was the Target data breach and, by some estimates, about 90% of all data breaches.  A phishing email is an email sent by the hacker that appears to be legitimate and lures the victim at the targeted company or agency into clicking on a link or downloading an attachment that contains malware enabling the hacker to steal the information in the victim’s computer system.  It is fascinating that in almost all major data breaches, the most complex and sophisticated malware is delivered onto the victim’s computer through the simple trickery of phishing.  Here is a link to a column I wrote about this last year.  http://www.usatoday.com/story/money/personalfinance/2014/10/18/malware-data-breach-phishing/17458411/

In response to the OPM and other data breaches, William Evanina, the Director of the National Counterintelligence and Security Center has announced a new campaign to raise the awareness of federal workers to the dangers of phishing and specifically targeted phishing emails referred to as spear phishing.

TIPS

Phishing and spear phishing represent threats not just to companies and governmental agencies, but to all of us as individuals as well.  Identity theft is often accomplished by targeting individuals with phishing or spear phishing emails; the victim unwittingly clicks on a link or downloads an attachment that contains keystroke logging malware, which lets the identity thief steal passwords, credit card numbers, Social Security numbers and other personal information from the victim’s computer and use that information to make that person a victim of identity theft.  Other types of malware, such as ransomware, which encrypts and locks all of the data on your computer and is followed by a threat to destroy your data unless you pay a ransom, are generally delivered the same way, through a link or attachment in a phishing email.

The key to avoiding becoming a victim is to never click on a link or download any attachment unless you have absolutely confirmed that the link or attachment is legitimate.  Even if the link is contained in an email from someone you know and trust, it is possible that their email may have been hijacked so you must always be a bit skeptical.  It may seem a bit paranoid, but remember that even paranoids have enemies.

Scam of the day – May 31, 2015 – Online dating website hacked

May 31, 2015 Posted by Steven Weisman, Esq.

FriendFinder Networks, the parent company of a number of online dating services including AdultFriendFinder.com, Amigos.com, BigChurch.com and SeniorFriendFinder.com, is reporting that it has been hacked and that personal data on up to 3.9 million of its 634 million members has been stolen.  Included in the compromised information were names and email addresses as well as information about the sexual orientation and habits of the company’s members.  This information puts these people in great jeopardy of identity theft and extortion.  FriendFinder Networks has hired Mandiant, a prominent cybersecurity company, to investigate the matter.  Meanwhile, FriendFinder Networks is advising its members to change their user names and passwords.

TIPS

This hacking again emphasizes what I have been telling you for years.  You are only as safe and secure as the places with the weakest security that have your personal information.  It is for this reason that you should limit the amount of personal information that you provide the companies with which you do business as much as possible.

In regard to this particular hacking, if you were a member of any of FriendFinder Networks’ dating sites, you should be particularly wary of spear phishing, in which specifically targeted emails and text messages are sent to you containing personal information obtained through the hacking to make the messages appear legitimate.  These messages lure you into clicking on links leading to malware that will steal the information from your computer and use it to make you a victim of identity theft.

Scam of the day – May 24, 2015 – CareFirst Blue Cross Blue Shield hacked

May 23, 2015 Posted by Steven Weisman, Esq.

Health insurer CareFirst Blue Cross Blue Shield has become the latest victim of hacking in the health care industry.  This hacking, which was only announced a couple of days ago but occurred in June of 2014, is just the latest in a series of data breaches at major health care companies and insurers, including Anthem and Premera.  More than a hundred million people have had their personal information compromised in these data breaches, leaving them in serious danger of identity theft.  The CareFirst hacking affects more than a million of its present and former customers.  The breach was discovered a month ago during a routine forensic review of the company’s computer networks.  Fortunately, neither Social Security numbers nor credit card numbers were lost in the data breach.  However, the hackers did manage to steal the names of present and former customers, email addresses, birth dates and Subscriber ID numbers, all of which could be used for targeted spear phishing.  In such emails, which appear legitimate because they are addressed to the individual by name and contain accurate information, the identity thief poses as a legitimate company doing business with the targeted person and lures the intended victim into either clicking on links containing keystroke logging malware or providing personal information in response.  In either case, if the intended victim clicks on the link or provides the information, he or she will quickly move from intended victim to actual victim.

TIPS

Remember my motto, “Trust me, you can’t trust anyone.”  Never provide personal information to anyone who contacts you by email, text message or phone.  You can never be sure if they are legitimate.  Never click on links in emails or text messages until you have actually confirmed that the communication is legitimate.  If you think such an email or text message might be legitimate, contact the real company at a phone number or email address that you know is accurate to confirm whether or not the email or text message you received was legitimate.  With so much information about all of us available either in public data bases or by way of data breaches of companies with which we do business, you can’t trust an email, text message or call regardless of how legitimate it may appear.  Always verify before providing personal information.