Here is a link to Steve Weisman’s latest column for bankrate.com entitled “Don’t get hooked by spear phishing.”
October 16, 2015 Posted by Steven Weisman, Esq.
Here is a link to Steve Weisman’s latest column for bankrate.com entitled “Don’t get hooked by spear phishing.”
September 20, 2015 Posted by Steven Weisman, Esq.
In mid August I told you about the SEC civil action against thirty-two people charged in the largest hacking and securities fraud enterprise in American history. The group of defendants is made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release. This enabled the stock traders to make trades based on this inside information before it became known to the public. It is estimated that between 2010 and 2015, the defendants made profits of 100 million dollars on 800 trades during this time.
Now, the SEC has settled the claims against two of the defendants, Jaspen Capital Partners Limited a Ukrainian company and its CEO Andrly Supranonok who, the SEC alleged made 25 million dollars in illegal profits from this enterprise. It is interesting to note, however, that not only did the SEC determine to prosecute this case civilly rather than criminally, but in its settlement, the SEC were not required to admit responsibility. In effect, what the defendants did is deny that they did anything wrong and promise not to do it again. They also, however paid a fine of 30 million dollars, which is 5 million dollars more than they earned through their improper actions.
The topic of when the SEC and the Justice Department prosecute white collar crimes as civil violations and when as criminal violations is a major topic of discussion with many people believing that white collar crime is not prosecuted criminal enough to serve as a disincentive to would-be white collar criminals.
However, for all of us as individuals, one of the biggest takeaways from this case is how easy it is to still use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers. This lesson is one that each of us as individuals should also learn in our own lives because identity thieves and hackers use the same phishing technique to steal the identities of individual victims. Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate. It well could contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.
September 13, 2015 Posted by Steven Weisman, Esq.
It is no secret that the federal government, as evidenced by the recent hacking of the Office of Personnel Management (OPM) in which personnel data on 22 million people was stolen, is a target of hackers, both nation-state and ordinary (or perhaps not so ordinary) criminals. The OPM data breach was initiated as was the Target data breach and 90% of all data breaches through a phishing email. A phishing email is an email sent by the hacker that appears to be legitimate and lures the victim at the targeted company or agency to click on a link or download an attachment that contain malware that enables the hacker to steal the information contained in the victim’s computer system. It is fascinating in almost all major data breaches, the most complex and sophisticated malware is downloaded on to the victim’s computer through the simple trickery of phishing. Here is a link to a column I wrote about this last year. http://www.usatoday.com/story/money/personalfinance/2014/10/18/malware-data-breach-phishing/17458411/
In response to the OPM and other data breaches, William Evanina, the Director of the National Counterintelligence and Security Center has announced a new campaign to raise the awareness of federal workers to the dangers of phishing and specifically targeted phishing emails referred to as spear phishing.
Phishing and spear phishing represent threats not just to companies and governmental agencies, but to all of us as individuals as well. Identity theft is often accomplished through individuals being targeted by phishing or spear phishing emails who unwittingly click on links or download attachments that contain keystroke logging malware that enables the identity thief to steal all of the information including passwords, credit card numbers, Social Security numbers and other personal information from the victim’s computer and use that information to make that person a victim of identity theft. Other types of malware, such as ransomware, which encrypts and locks all of the data in your computer, followed by a threat to destroy your data unless you pay a ransom, is generally downloaded through clicking on a link or downloading an attachment from a phishing email.
The key to avoiding becoming a victim is to never click on a link or download any attachment unless you have absolutely confirmed that the link or attachment is legitimate. Even if the link is contained in an email from someone you know and trust, it is possible that their email may have been hijacked so you must always be a bit skeptical. It may seem a bit paranoid, but remember that even paranoids have enemies.
May 31, 2015 Posted by Steven Weisman, Esq.
FriendFinder Networks, the parent company of a number of online dating services including AdultFriendFinder.com, Amigos.com, BigChurch.com and SeniorFriendFinder.com is reporting that it has been hacked and that personal data on up to 3.9 million of its 634 million members had been stolen. Included in the compromised information were names, email addresses as well as information about the sexual orientation and habits of the company’s members. This information puts these people in great jeopardy of identity theft. FriendFinder Networks has hired Mandiant, a prominent cybersecurity company to investigate the matter. Meanwhile, FriendFinder Networks is advising its members to change their user names and passwords.
This hacking again emphasizes what I have been telling you for years. You are only as safe and secure as the places with the weakest security that have your personal information. It is for this reason that you should limit the amount of personal information that you provide the companies with which you do business as much as possible.
In regard to this particular hacking. If you were a member of any of FriendFinder Networks’ dating sites, you should be particularly be wary of spear phishing, which is when specifically targeted emails and text messages are sent to you with personal information obtained through the hacking that make the messages appear legitimate. These messages lure you into clicking on links with malware that will steal the information from your computer and use it to make you a victim of identity theft.
May 23, 2015 Posted by Steven Weisman, Esq.
Health insurer Care First Blue Cross Blue Shield became the latest victim of hacking in the health care industry. This latest hacking which was only just announced a couple of days ago, but occurred in June of 2014 is just the latest in a series of data breaches at major health care companies and insurers including Anthem and Premera. More than a hundred million people have had their personal information compromised in these data breaches leaving them in serious danger of identity theft. The Care First hacking affects more than a million of its present and former customers. The breach was discovered a month ago during a routine forensic review of its computer networks. Fortunately, neither Social Security numbers nor credit card numbers were lost in the data breach. However, the hackers did manage to steal the names of present and former customers, email addresses, birth dates and Subscriber ID numbers, all of which could be used by the hackers for targeted email spear phishing by which intended targets of the identity thieves receive emails that, due to the information contained within them as well as the fact that they are directed to the individual by name, appear to be legitimate. In these emails, in which the identity thief poses as a legitimate company doing business with the targeted person, the intended victim is lured into either clicking on links containing keystroke logging malware or into providing personal information in response to the email. In either of these situations, if the intended victim clicks on the link or provides the information, he or she will quickly move from intended victim to actual victim.
Remember my motto, “Trust me, you can’t trust anyone.” Never provide personal information to anyone who contacts you by email, text message or phone. You can never be sure if they are legitimate. Never click on links in emails or text messages until you have actually confirmed that the communication is legitimate. If you think such an email or text message might be legitimate, contact the real company at a phone number or email address that you know is accurate to confirm whether or not the email or text message you received was legitimate. With so much information about all of us available either in public data bases or by way of data breaches of companies with which we do business, you can’t trust an email, text message or call regardless of how legitimate it may appear. Always verify before providing personal information.
January 19, 2015 Posted by Steven Weisman, Esq.
The Internet Crime Complaint Center, known as IC3 has issued an alert warning about a spear phishing scam aimed at university employees around the country. It starts with an email addressed specifically with the name of the intended victim. The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works. The email informs the potential victim that there has been a change of the employee’s status and that the employee is required to click on a link contained in the email that takes the employee to a website that appears to be that of the Human Resource Department for the college or university where the victim works where the employee is prompted to input information. The website is counterfeit. The scam is a ruse intended to obtain the login information of the potential victim. Once this information is provided to the scammer, he or she then logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited so that the school sends the victim’s check to a bank account controlled by the identity thief. In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.
Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays their employees through direct deposit so everyone who is paid through a direct deposit should be aware of this scam. Remember my mantra, “trust me, you can’t trust anyone.” Never click on links in emails unless you are sure they are legitimate. In many instances, by clicking on the link, you are unwittingly downloading malware on to your computer or other electronic device. You also should never provide personal information in a reply to an email. Confirm whether or not the request for personal information is legitimate and even then, go directly to a website for the company or other institution that you know is legitimate to provide such information. Finally, as I have warned you many times, (sorry to be a nag) use a unique password for all of your accounts so that if your password from a particular account is jeopardized, your other accounts are still safe. This is not as difficult as it might seem. In my book “Identity Theft Alert,” I provide instructions as to how to pick easy to remember, strong passwords.
January 12, 2015 Posted by Steven Weisman, Esq.
With all of the attention directed at the hacking of Sony Pictures by hackers associated with North Korea, much less attention was given to perhaps an even more ominous cyberattack done around the same time to a German steel mill. Unknown hackers gained access to the steel mills computers, as they often do in attacks against major companies, through spear phishing of employees by which they lured unwitting employees to click on links or provide information under the belief that the emails they received were sent by upper management within the company. Armed with the information gathered through the spear phishing, the hackers gained control of the blast furnaces of the steel mill that contained intensely heated molten metal. According to BSI the German government’s office of information security, massive damage was done through the hacking although BSI did not specify what physical damage occurred as a result of the hacking. This is only the second confirmed hacking event where a cyberattack has been used to destroy physical materials and equipment. You have to go back all the way to 2007, when the Stuxnet malware was used to destroy Iranian centrifuges at a uranium enrichment plant to find a precedent.
Many of us have warned governments and private industry of the extreme danger posed by cyber sabotage of essential infrastructure of countries around the world. It is hoped that in the light of the this threat and the attention brought to hacking by the Sony hacking, that a more concerted effort will be made by both governments and corporations to make their systems more secure. President Obama has tried unsuccessfully for years to get Congress to act and will highlight cybersecurity in his upcoming State of the Union address. It is hoped that his words and the words of security experts around the world will be heeded.
December 15, 2014 Posted by Steven Weisman, Esq.
The FBI has sent out a confidential warning to American businesses about an imminent threat of hacking by Iranian hackers who may, or may not, be state sponsored. The attack appears to be focused on the always vulnerable educational institutions as well as energy companies, airlines and defense contractors. The FBI warning provides detailed technical information about the different types of malware used in the attack as well as information about techniques such as spear phishing that are being used by the hackers to enable their malware to be unwittingly downloaded on to the computer networks of the targeted companies. Spear phishing, as you may remember is a technique whereby the victim receives a seemingly legitimate email message addressed to the victim by name that lures the victim into clicking on a link that downloads the malware used to attack the company.
This particular Iranian hacking scheme may be the same one recently identified as Operation Cleaver by the security firm Cylance recently that uncovered attacks on more than fifty companies in sixteen countries including the United States. As for us as individuals, we need to recognize that regardless of how careful we are at protecting the security of our own personal information, that information, as seen in the recent Sony hacking is only as safe as the companies with the weakest security practices that hold our information. Therefore, whenever possible you should limit the companies and governmental agencies that have your personal information.
November 11, 2014 Posted by Steven Weisman, Esq.
Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can either be used to make you or someone you know a victim of identity theft. Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is. A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing website. Other times, the phony email itself contains a request for personal information. Startlingly, the study showed that at teh most effective of these phishing websites up to 45% of people targeted provided the information requested. Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name. This type of phishing is called spear phishing. Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.
Never click on links or download attachments unless you are absolutely sure that they are legitimate. Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer. Never provide personal information on websites unless you have confirmed that it is legitimate.
If your email account is compromised here are the steps to take:
1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.
November 8, 2014 Posted by Steven Weisman, Esq.
Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.
So what does this mean to you and me?
It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be directed to us by name. This type of precise phishing is called spear phishing and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails. Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft and if you click on the link or download attachments in the emails, you will download keystroke logging malware that will steal your personal information from your computer and use it to make you a victim of identity theft.
Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot. This was the same tactic used in the Target hacking and many other data breaches. In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies. I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.
The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look. The risk is too great. You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring. Such a legitimate email was sent by Target to its affected customers after its major data breach. However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments. Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information. When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.