Posts Tagged: ‘spear phishing’

Scam of the day – February 19, 2014 – Syrian Electronic Army hacks Forbes.com

February 19, 2014 Posted by Steven Weisman, Esq.

The Syrian Electronic Army (SEA) , about whom I have reported to you many times (you can go to the archives of Scamicide to see these stories) has struck again.  This time its victim is Forbes.com, the website of Forbes Magazine.  For those of you unfamiliar with the Syrian Electronic Army, it is a group of hackers sympathetic to Syrian President Bashar al-Assad.  Forbes was targeted by the SEA because of what it called Forbes’ hatred for Syria.  Along with planting a false story on the Forbes website, the SEA also stole user names and email addresses of Forbes.com customers, raising the possibility of “spear phishing” attacks against Forbes.com’s customers.  The SEA has threatened to make the information available on the Internet to identity thieves.  Identity thieves who send phishing emails and texts often do so in large numbers without knowing the names of the people to whom the phony messages corrupted with keystroke logging malware are sent.  However, in spear phishing the identiy thief knows the name of the intended victim and can make the communication look more legitimate by containing the victim’s name.  In addition, the spear phishing text or email can be made to look as if it comes from Forbes.com or some other entity that is trusted and used by the victim which also can lead the victim to be less skeptical of the message and make the victim more likely to click on links in the message or download attachments to the message corrupted with malware.

TIPS

Again, the lesson is that you are only as secure as the places with the weakest security that hold your personal information.  If you are a subscriber to Forbes.com, you should change your password.  If you use the same password elsewhere, change it too.  For convenience many people make the mistake of using the same password for all of their accounts, which means that when your password is stolen from one place, all of your accounts using that password are in jeopardy.  This is a good lesson for all of us regardless of whether or not you were a victim in this particular data breach.  This hacking once again raises the question as to why major corporate websites, such as the many who have been hacked by the SEA are not doing more to keep their computers secure.  Finally, as I always remind you, never click on links in emails or text messages or download attachments unless you are absolutely sure that they a legitimate and have confirmed this to be so.

Scam of the day – February 17, 2014 – Kickstarter hacked – the lesson for all of us

February 17, 2014 Posted by Steven Weisman, Esq.

Over the last couple of years I have often reported to you about data breaches at major companies who have been hacked.  The recent Target hacking although particularly large, was not particularly unusual.  Two days ago, Kickstarter disclosed that it had been hacked.  Kickstarter is a crowdfunding platform that helps creative people raise fund for their projects by appealing to the public for funds.  In the almost four years since it was launched, Kickstarter has helped fund more than 50,000 artistic endeavors.  According to Kickstarter’s CEO, no credit card data of its customers was compromised, however user names, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen.  This information can readily lead to identity theft through a technique called “spear phishing” by which emails and text messages can be sent to the potential victims by name which may make them appear more legitimate.  These texts and emails lure people into either providing personal information under various legitimate appearing pretexts or by getting the victims to click on links or download attachments riddled with keystroke logging malware that will steal all of the information from your computer or smartphone and use it to make you a victim of identity theft.  In addition, people with weak passwords, such as  the popular”123456″ or “password” may have their Kickstarter encrypted passwords easily unencrypted providing access not only to the victim’s Kickstarter account, but possibly other accounts where the victim uses the same password.

TIPS

If you are a customer of Kickstarter, change your password immediately and everyone who uses the same password for all of their accounts should change their passwords to unique passwords for each account.  You can get detailed information as to how to pick an easy to remember, complex password in my book “50 Ways to Protect Your Identity in a Digital Age,” but a simple rule is to use a phrase, capital letters, small letters and symbols, such as “ICan’tRememberit!!!.”  This is easy to remember and hard to break.  Also, make sure that you have the most current, updated anti-malware software and anti-virus software installed on all of your electronic devices including your computer, tablet and smartphone.

Scam of the day – February 4, 2014 – What does the Yahoo email breach mean to you?

February 4, 2014 Posted by Steven Weisman, Esq.

A few days ago, Yahoo announced that its email security had been breached.  Yahoo is the second largest email provider with approximately 273 million users.  The actual breach which involved the theft of both usernames and passwords was accomplished not by hacking Yahoo directly, but rather by hacking a third party website’s database that allowed the use of Yahoo email addresses to establish customer accounts.  Similarly, the recent breach of Target also appears to have been accomplished by hacking into a Target vendor’s systems to obtain the credentials necessary to, in turn breach the security of Target.  Many people may not be particularly alarmed that all was taken in the Yahoo hacking were usernames an passwords, however, because people often use the same user name and passwords for multiple accounts, including online banking, the threat posed by this hacking could be quite serious.  In addition, these usernames and passwords could be used by identity thieves for “spear phishing” a technique by which identity thieves are able to send specifically targeted messages to potential victims that appear to come from trusted sources thereby making the potential victim more likely to click on a link or download an attachment in the email that would be riddled with malware that will steal all of the information from a person’s computer or other electronic device and use that information to make the person a victim of identity theft.

TIPS

If you haven;t already done so, change your username and password for Yahoo email if you are a user of Yahoo email.  Even if you are not a Yahoo email user, you should make sure that all of your online accounts have different user names and passwords because the risk of your being a future victim of a similar type of data breach is very high.  It is a good idea to change your passwords every few months and make sure that the password is at least eight characters long and is a mixture of letters and symbols.  For tips on how to pick a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – January 10, 2014 – Important Target update

January 11, 2014 Posted by Steven Weisman, Esq.

Yesterday, Target announced that it had just become aware that its recent hacking went beyond the credit card and debit card data including PINs of 40 million of its customers to also include names, mailing addresses and phone numbers of up to 70 million of its customers.  This disclosure means that unlike previously thought, the hacking was not limited to hacking of the point of sale credit card processing devices found at the checkout stations, but was far more extensive into the data systems of Target.  It also opens up a new avenue of scams where Target customers can expect to get contacted by phone, email or text messages from scammers posing as Target representatives who will be seeking personal information which they will use to make the Target customer a victim of identity theft.  These emails and text messages will be directly addressed to the customer by name prompting the customer to click on links or download attachments for further assistance, however, if the customer does so, he or she will only succeed in downloading a keystroke logging malware program that can steal all of the information from the victim’s computer that will also lead to the customer becoming a victim of identity theft.  Phone calls will also be directed to the customer by name and you should be wary there, as well.  This type of scam is called spear phishing.

TIPS

You can never be sure when you receive a telephone call, email or text message if the person communicating with you is who he or she represents himself to be.  Therefore, never click on links or download attachments in emails or text messages unless you are absolutely positive that the communication is legitimate and because in this case ,as in others, the identity thief has your name, the communication may appear to be directed personally to you, you cannot trust the communication merely because it appears to be legitimate.  In this case, as in others, if you think the communication may not be a scam, check it out by calling or going to the  real website of the person or company purporting to send the communication at a phone number or website that you know is correct to find out whether or not the original communication was legitimate or not.  The same goes for telephone calls.  You can never be sure who is calling, so never give personal information over the phone to anyone whom you have not called.  Instead call them back at a number you know is accurate.

Scam of the day – August 31, 2013 – Lesson of New York Times hacking

August 31, 2013 Posted by Steven Weisman, Esq.

By now you are probably aware of the recent hacking of the website of the New York Times.  A hacking group known as the Syrian Electronic Army (SEA) who are vocal supporters of embattled Syrian President Bashar Assad, managed to take over control of the New York Times’ Website and disrupt it for much of the day.  In recent weeks, the SEA has also hacked into Twitter, The Washington Post and CNN among other companies as well as another successful attack against the New York Times which apparently did not learn its lesson and tighten its security.  Without boring you with the precise details, the weakness exploited by the hackers involves the connection of corporate websites with the companies involved in the Domain Name System and underscored that when it comes to security, you are only as secure as the security of the weakest entity with which you are involved.  Using a simple technique called spear phishing, the hackers were able to fool an internet service provider in India who was tied to the New York Times website by tricking the Indian employee into downloading tainted software that enabled the hackers to get his user name and password and ultimately gain access up the line to the New York Times’ website.

TIPS

The lesson for us all is a simple one.  Your security is always in jeopardy even if you appear to be doing all the right things including not downloading attachments or clicking on links that may contain the type of malware that ultimately brought down the New York Times.  So what can you do?  Recognizing that your password and user name may be able to be hacked somewhere else other than your own electronic devices, you should consider using multiple-factor verification as much as possible.  With multiple-factor verification, access to your various accounts is protected by more than just a password and a user name.  Multiple-factor verification may require you to obtain a changing PIN through a text to your smartphone before you can log on to a particular account or you may be required to answer a security question.  Following a major hacking into Twitter, it now offers two-factor verification.  Other companies that offer it are Dropbox, Facebook, Google, Hotmail, LinkedIn, PayPal and Twitter.  It may seem like a time consuming burden to you to use multiple-factor verification, but the inconvenience is really quite slight, particularly compared to the potential problems if your accounts are hacked.

Scam of the day – June 24, 2013 – Facebook data leak

June 24, 2013 Posted by Steven Weisman, Esq.

Facebook has just announced that through a technical flaw that first started over a year ago, the telephone numbers and email addresses of six  million of its users were improperly provided to other Facebook users who downloaded contact data of their “friends.”  In and of itself, this dos not create a problem and Facebook was quick to point out that there presently is no indications that the information has been used for purposes of identity theft or the specialized form of phishing called “spear phishing” where identity thieves are able to more effectively lure their victims to websites tainted with dangerous malware that can be used to steal personal information from the victim’s computer or portable device.  In spear phishing, people are more apt to believe the phony email that starts the scam because it is directed to them by name and appears to be from a company with which they do business.  The problem is many faceted.  Many people accept too many other people as their “friends” on Facebook without even really knowing these people who in many instances are identity thieves and scam artists out to exploit their Facebook connection with their victims.  Additional personal information such as telephone numbers and email addresses can be used by identity thieves to help steal their victim’s identity .   Just as troubling is the fact that this situation once again shows that your personal information is only as safe as the person or company with the worst security measures that has your information.

TIPS

In general, you should try to limit, as much as possible, the number of places that have personal information about you.  If someone with whom you do business wants to use your Social Security number as an identifying number, you should propose to them that they use another number, such as your driver’s license number instead of your Social Security number.  In particular, as to Facebook, you should limit the amount of personal information that you provide.  Information such as your birthday or the name of your pet can put you in jeopardy as to identity theft or guessing your passwords.  For more detailed instructions as to how to protect your privacy and security on Facebook, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – April 28, 2013 – LivingSocial hacked, data on 50 million customers stolen – what it means to you

April 28, 2013 Posted by Steven Weisman, Esq.

LivingSocial, which is an online company that provides an assortment of deals on all types of goods and services just announced that it had been hacked and data on 50 million of its customers was stolen.  The good news is that the hackers did not get customers’ credit card numbers.  The bad news is that they did get their names, email addresses, dates of birth and encrypted passwords.  It is important to remember that even though the passwords were encrypted, due to the manner of the encryption of the passwords, it is still possible, albeit difficult, for the hackers to crack the encryption and gain access to the passwords.  The danger to LivingSocial customers cannot be overestimated.  Identity thieves and scam artists can use the email addresses and names to enable them to do a type of scam called “spear phishing” through which you will get a phony email from the scammer posing as a company or agency with which you have a relationship in which you are lured to click on a link or download a document that contains malware such as a keystroke logging malware program that can steal all of the information on your computer, such as passwords, credit card numbers, your Social Security number and other information that can be used to make you a victim of identity theft.  People are more likely to fall for a spear phishing scam because the email uses your name and is directed to you personally.  Having your email address also makes it easier for a scammer or identity thief to take control of your email account and send phony emails to friends of yours that may contain malware.  Finally, since many people use the same password for multiple accounts, if your LivingSocial password is cracked, you are in danger on any account where you use that password.

TIPS

This hacking once again illustrates that you are only as safe as the companies with which you do business with the weakest security.  Never leave your credit card number to be stored by a company merely for convenience in making purchases in the future.  If you are a LivingSocial user, change your password for LivingSocial as well as every other company with which you do business.   In fact, it is a good idea to regularly change your passwords and make them different for each company.  Check your email for indications that it has been hacked into and if it is, follow the instructions for remedying the situation found elsewhere on Scamicide and in my book “50 Ways to Protect Your Identity in a Digital Age.”  Never click on links or downloads unless you are absolutely sure that they are legitimate and keep your security software up to date.

April 25, 2013 – Associated Press hack attack – what it means to you

April 25, 2013 Posted by Steven Weisman, Esq.

On Tuesday, the Twitter account of the Associated Press (AP) was hacked into and a phony message describing a terrorist attack on the White House was sent out to the close to two million followers of AP’s Twitter account.  Immediately thereafter the Dow Jones Industrial Average lost 140 points as computerized program trading reacted automatically to the news without any verification of the truth of the report.  The phony tweet was corrected within minutes and the market recovered just as quickly as it went down, however the problem exposed by this hacking still remains.  In May of 2010 the Dow Jones Industrial average quickly lost almost 1,000 points due to a glitch in the computerized trading programs used on Wall Street.  Problems with computerized programmed trading which automatically order trades in response to perceived information are quite significant.  However, another problem is the hacking into the sources of our information.  The AP hacking is only the most recent hacking of a major provider of information.  Just last week the CBS news programs “60 Minutes” and “48 Hours” were hacked.  Also recently NPR and the BBC had their Twitter accounts hacked.   But it is not just the media that is being hacked.   Hacking is a major problem for all companies.  A recent study by Verizon indicated that 75% of the hacks were done last year by criminals seeking financial gain.  Sometimes it is to gain trade secrets, but other times it is to steal information about customers to make them victims of identity theft.  In 76% of the data breaches, according to the Verizon report, the hackers were able to exploit weak passwords.  In 29% of the hacks, tactics such as “spear phishing” were used to install keystroke logging malware on to the hacked companies’ computers to steal their data.   Spear phishing is a targeted phishing attack, often done through phony emails purporting to be from employees’ friends or business partners of the companies that contain the malware.

TIPS

Both government entities and companies are not doing what they need to do to properly protect their data from hacking.  The Associated Press Twitter account should have been protected by two-factor authentication when logging in so that even if a password is obtained by a hacker, he still would not be able to access the account.  Two-factor authentication requires not just a password, but also a code that is sent to a person’s cell phone.  Some companies such as Apple already use this technique.  The problem is that even if you and I do all we can to protect ourselves from identity theft, we are only as safe as the company or governmental agency with the worse security holding information about us.  Therefore you should try to limit as much as possible the places that hold your personal information and we all should impress upon the government and private industry the absolute necessity for better data protection.  The technology is available.  It just has to be used.

Scam of the day – March 6, 2013 – Evernote hacking danger

March 5, 2013 Posted by Steven Weisman, Esq.

Evernote is a popular on line service that helps you store notes, files, web pages and images on all of your electronic devices.  It has both a free and a premium service for which you pay.  Unfortunately Evernote is also popular with identity thieves as evidenced by its being hacked.  Evernote announced the hacking a couple of days ago.  According to Evernote, the hackers managed to steal the names, email addresses and encrypted passwords of its customers.  Evernote is confident that its encryption program will protect the passwords of its users, but only time will tell.  Evernote also stated that it did not believe that credit card numbers used by its premium customers had been accessed.  Again, however, premium users of Evernote should be particularly vigilant in monitoring their credit cards.  Despite its position that no passwords had been stolen, Evernote is requiring all of its customers to obtain new passwords.  The ONLY place to do this is on Evernote’s website at www.evernote.com.

TIPS

Users of Evernote should be particularly wary of an identity theft tactic called “spear phishing.”  Spear phishing occurs when you get an email that lures you to a phony website or link where you either become victimized by providing information that is used to make you a victim of identity theft or causes a keystroke logging malware program to be downloaded when you click on the link or download tainted material that steals all of the information from your computer including bank account numbers, Social Security number, credit card numbers and other information that makes you a quick victim of identity theft.  What makes spear phishing particularly insidious is that unlike most phishing emails which never use your name, spear phishing is directed to you by name which makes many people more trusting of the email.  As I always say, “Trust me, you can’t trust anyone.”  Identity thieves will be contacting people by email posing as Evernote and telling them that they need to change their password by clicking on a link contained in the email or by providing other information.  Do not fall for this ruse.  Evernote is not contacting people by email, but the identity thieves who stole their email list will be.  The only place to change your password is www.evernote.com.  This is also another good example of the fact that your security is only as safe as the weakest place that holds your information.  Limit the places that do have personal information about you as much as possible.

Scam of the day – October 3, 2012 – Email mailbox scam

October 3, 2012 Posted by Steven Weisman, Esq.

I always share scams and identity theft schemes aimed at me because I know that if I am being targeted so are you.  Recently I received an email that purported to be from my email system administrator telling me that my email mailbox had exceeded its storage limits.  This scam is a particularly dangerous one because, as all good scams do, it has a grain of truth and appears to be legitimate.  Many of us, myself included, do not delete many emails that are not important to keep and if you do truly exceed your email mailbox size, it can effect your ability to send or receive emails.  In that instance, you will receive a warning from your system’s administrator telling you  to move items to your folders and to delete items.  The phony email request purporting to be from your system’s administrator will tell you to respond to the email with your account user name and your password in order to increase the size of your mailbox and restore its availability.  If you do, you will turn over control of your account to a scammer who can go through your emails and take information that can make you a victim of identity theft as well as hijack your account to send out emails to your friends and correspondents that will appear to come from you, but will be loaded with malware that will catch your friends and correspondents unaware.  That scam is called spearphishing where your email address is hijacked and emails are sent to your friends that look like they are coming from you.

TIPS

Your real systems administrator will never ask for your user name and password.  If you do get such an email and you think that it may be legitimate, contact your system’s administrator at an email address or telephone number that you know is accurate to inquire as to the status of your account.  Any email that you get that asks for you to turn over your user name and password is undoubtedly a phishing scam.