Scam of the day – June 18, 2017 – Identity thieves hack Federal Student Aid website

The Free Application for Federal Student Aid (FAFSA) is a part of the U.S. Department of Education used by college students to apply for much-needed financial aid to assist them in furthering their education. Some of the forms used in the application process require inserting information from past income tax returns. To make the process more convenient, FAFSA provided a data retrieval service connected directly to the IRS to obtain the necessary information. However, scammers, such as two recently indicted men from Indiana and Georgia, are alleged to have hacked into the data retrieval system of FAFSA applicants to get the tax information, which they then used to commit income tax identity theft, attempting to steal approximately 12.7 million dollars in phony income tax refunds.

In response to these problems, FAFSA suspended its data retrieval system until two weeks ago, when it reinstituted the Data Retrieval Tool with the IRS in such a manner that the tax return information will be encrypted and hidden from the view of even the borrower, as well as anyone hacking into the borrower’s account.

TIPS

Quite often, as Shakespeare said, the fault is not in the stars, the fault is in ourselves. Too often we become victims of identity theft when the security of particular websites, companies or government agencies that have our personal data is compromised because we provide our passwords and user names to identity thieves by falling prey to spear phishing emails or downloading malware.   It is important to never click on a link in an email or download an attachment unless you have confirmed that it is legitimate.  Also, never provide personal information to anyone unless you have confirmed that the request is legitimate.

As for students seeking to use the Data Retrieval Tool of the IRS for filing a FAFSA form, you can safely use this service by going to StudentLoans.gov.

Scam of the day – June 9, 2017 – Ukrainian hacker sentenced to prison

I have been reporting to you for two years about developments in this ingenious and massive stock fraud since the story first broke. Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in the Ukraine. Now Ukrainian hacker Vadym Iermolovych was sentenced to thirty months in prison and ordered to pay more than 3 million dollars in restitution for his role in this scheme.

The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades. A number of the defendants have already pleaded guilty to charges related to this scam.

The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by hacking into social media sites, where the hackers stole the passwords of employees of these companies who used the same passwords at work. The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it is to still use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.   This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into the computers of us as individuals and steal our personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened. Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts. Using an easily remembered phrase as the base password such as IDon’tLikePasswords is effective. Make it even better by adding a couple of symbols at the end such as IDon’tLikePasswords!!! and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – June 3, 2017 – Hackers and scammers turning to social media

Recent reports by various security companies indicate that state-sponsored Russian hackers, such as those that managed to plant fake news stories in an effort to disrupt the 2016 presidential election, are increasingly turning to targeting social media accounts to download malware and spread disinformation. This is a complex story and one worth knowing more about. However, as an individual, you are also susceptible to scams, ransomware and malware downloaded through clicking on links in social media postings.

We have long known that phishing emails and the more personally targeted spear phishing emails are how most malware gets downloaded onto the computers of individuals, companies and government agencies. However, as successful as phishing is in spreading malware, postings on social media, according to cybersecurity firm ZeroFOX, are twice as successful in spreading malware.

And it makes sense.

In my May 5, 2017 Scam of the day I warned you about the risks of the Facebook “10 concerts, but there is one act that I haven’t seen live” quiz.   I highlighted the fact that scammers use social media to gather personal information that can later be used to tailor a message sent through social media such as Facebook or Twitter that you are more likely to trust and click on links in the messages that will download malware.

TIPS

Trust me, you can’t trust anyone. Always be skeptical when you receive any kind of electronic communication that requires you to click on a link in the message. Always confirm it before clicking on the link regardless of how trustworthy it may seem. Further, you may well consider limiting the amount of personal information that you post on social media that can be used to tailor spear phishing emails to lure you into becoming a victim of identity theft or some other scam by appealing to something in which you are known to be interested.

Scam of the day – May 30, 2017 – Apple iTunes phishing scam

Phishing emails, and the more personally tailored spear phishing emails, are the most common way that people and companies are tricked into downloading malware such as ransomware or keystroke logging malware used to steal information from the victim for purposes of identity theft. Effective phishing emails will appear to be legitimate and lure victims into downloading malware-filled attachments or clicking on links tainted with malware.

Reproduced below is a new phishing email presently being circulated that is one of the worst examples of a phishing email.   It purports to be from the Apple Store informing the recipient that his or her account has been used to make a purchase and urges the targeted victim to download an attachment if they did not make the purchase.

As regular readers of Scamicide have seen, many of the phishing emails we have shown you over the years are quite convincing, however this particular email is so filled with indications that it is phony, it is hard to imagine someone falling for the scam although I am sure some people will do so.

The email address of the sender has nothing to do with Apple, which is an early indication that this is a scam. There is no logo that appears on the email and the email is not addressed to anyone in particular, nor does it indicate an account number. Finally, there are spelling errors and horrible grammatical errors throughout the email.

Here is a copy of the email that is presently circulating.

“[ApplePay] – iTunes was used to purchase in App Store on Macbook Pro 13
Date and time: 27 May 2017 10.32 hrs
Transaction: 7BA6818XL0333C2U
Order number: MQ3N7F0G8Q
OS: OS X 10.12.4
Browser: Safari
Location: New York, United States of America
If the information looks familiar, you can ignore this email.
If you have not recently purchased an article or in-apps apps on a MacBook Pro 13 “
With its appIe lD and thinking that your account has been accessed,
Please read our binding and follow the instuction to back up your account.
Best regards,
AppIe account department
Copyright @ 1998-2017. 2211 N 1st St, San Jose, CA 95131, USA. All rights reserved.”

TIPS

Whenever you get any email that attempts to lure you into downloading an attachment or clicking on a link, you should be skeptical and never consider doing so unless you have absolutely confirmed that the email is legitimate. Also, look for telltale signs that the email is a phishing email by examining the address of the sender, the spelling and grammar, and whether your account number or name is missing. In more professionally done spear phishing emails, however, real account numbers and your name might be used, which is why it is always imperative to never click on links or download attachments unless you are totally convinced that the email is not phony.
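
A short triage of the sample email for the telltale signs listed above, as an added example that is not part of the original post. The From address, the Subject header and the list of Apple sending domains are assumptions made for illustration (the page does not show the sender's address), and the look-alike check goes slightly beyond the text by catching the capital I used in place of a lowercase l in "AppIe".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the body lines are quoted from the sample email above;
# the From address and Subject header are placeholders (not given on the page).
SAMPLE = """\
From: "Apple Store" <billing@mail-notice.example>
Subject: [ApplePay] - iTunes was used to purchase in App Store

Date and time: 27 May 2017 10.32 hrs
Order number: MQ3N7F0G8Q
With its appIe lD and thinking that your account has been accessed,
Please read our binding and follow the instuction to back up your account.
Best regards,
AppIe account department
"""

# Assumed allow-list: brand name -> domains it is expected to send from.
BRAND_DOMAINS = {"apple": ("apple.com", "icloud.com")}

# Characters commonly substituted for a look-alike letter.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Greetings that address nobody in particular.
GENERIC = {"customer", "user", "client", "member", "sir", "madam"}


def skeleton(text):
    """Fold look-alike characters onto one letter, then lowercase."""
    return text.translate(CONFUSABLE).lower()


def lookalike_brands(text):
    """Words that spell a brand only after look-alike folding (e.g. 'AppIe')."""
    return [w for w in re.findall(r"[A-Za-z0-9|]+", text)
            if skeleton(w) in BRAND_DOMAINS and w.lower() not in BRAND_DOMAINS]


def has_personal_greeting(body):
    """True if a line greets the recipient by something other than a generic title."""
    m = re.search(r"^\s*(?:dear|hello|hi)\s+([A-Za-z]+)", body, re.I | re.M)
    return bool(m) and m.group(1).lower() not in GENERIC


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = " ".join([display, msg.get("Subject", ""), body])

    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # The message claims the brand, but the sender's domain is neither the
        # brand's domain nor a subdomain of it.
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in skeleton(text) and not trusted:
            findings.append(f"sender-domain-mismatch:{brand}:{domain}")
    findings += [f"lookalike:{w}" for w in lookalike_brands(text)]
    if not has_personal_greeting(body):
        findings.append("no-personal-greeting")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An empty result only means these three checks found nothing; as the tips above note, a well-made spear phishing email can pass all of them.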

Scam of the day – May 2, 2017 – Facebook and Google lost 100 billion dollars to a scammer

In my scam of the day for December 26, 2016 I told you about the Boston Division of the FBI warning companies about a huge surge of Business E-Mail Compromise scams (BEC). The scam involves an email sent to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, company attorney or even a vendor with which the company does business requesting funds be wired to a phony company or person. At its essence, this scam is remarkably simple and relies more on simple psychology than on sophisticated computer malware. Often the scammers will do significant research to not only learn the names of the key employees involved with payments within a company, but also will infiltrate the email accounts of company employees for a substantial period of time to learn the protocols and language used by the company in making payments. The scammers will also gather information from the company’s website and from social media accounts of its employees, all in an effort to adapt their message to seem more legitimate.

In March, Evaldas Rimasauskas, a Lithuanian citizen, was arrested and charged with perpetrating this type of scam against both Facebook and Google, from which he was able to steal more than a hundred million dollars by posing as a Taiwanese company, Quanta Computer, which is a major supplier to American high tech companies. When Rimasauskas was first indicted, the indictment did not provide the names of the companies he was alleged to have swindled nor the company he is alleged to have posed as, but a recent investigation by Fortune Magazine uncovered these facts.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment of scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual factor authentication when appropriate. Companies should also consider the amount of information that is available about them and their employees that can be used by scammers to perpetrate this crime. They also should have strict rules regarding company information included on employee social media accounts that can be exploited for “spear phishing” emails, which play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Scam of the day – May 1, 2017 – Hackers leak “Orange is the New Black” episodes and more

After Netflix refused to pay a ransom to a hacker known as thedarkoverlord, the hacker posted nine episodes of the popular Netflix original series, “Orange is the New Black,” on a publicly available file sharing website on Saturday. The hacker had already posted the season 5 opening episode on Friday as an indication he was serious in his threat.

The stolen episodes were obtained through hacking of Larson Studios, a post production digital mixing company that worked on “Orange is the New Black.”  This is just the latest example of a trend of hackers going after bigger targets through vulnerable companies working with the bigger company.  The 2013 massive data breach of retailer Target was achieved through accessing Target by initially hacking an HVAC company that worked with Target and had access to Target computers to monitor heating and air conditioning systems at Target stores.

Thedarkoverlord has performed a number of other ransomware attacks, including one in which it hacked a small Indiana charity from which it demanded a ransom of 50 bitcoins; the charity refused to pay and had its data destroyed.

This story is far from over with thedarkoverlord already claiming to have stolen unreleased shows of ABC, Fox, National Geographic and IFC.

TIPS

Ransomware continues to be a growing threat to individuals, large and small companies as well as government agencies, all of which have been targeted by ransomware.  Ransomware malware is readily available for unsophisticated cybercriminals to purchase on the Dark Web.  While in the past, the typical manner in which it has been used was to encrypt the data of the target and refuse to release the data back to the victim unless a ransom was paid, the scam has evolved to also include threats of making stolen data public as was done in this instance.

Some older strains of ransomware can be defeated through software that can recover data encrypted by older ransomware programs.  In 2016 through the efforts of international law enforcement organizations and private security companies, the website No More Ransom was launched on which victims of ransomware can go to get decryption tools for many strains of ransomware for free.  Thousands of people have utilized this tool to decrypt their files after a cyber attack  without having to pay a ransom.  Unfortunately, however, there are some newer forms of ransomware for which there are no known decrypting tools developed yet.

The key to not becoming a victim of a ransomware attack is to prevent it in the first place.  Generally, the malware is installed unwittingly by victims when they are lured through phishing and spear phishing emails to click on links infected with the malware.  Never click on links in emails or text messages regardless of how legitimate they may appear until you have verified that it is legitimate.  You should also install anti-phishing software.

It is also important to not only have anti-malware software installed on all of your electronic devices, but to make sure that you update the security software with the latest security patches and updates. Many victims of ransomware have fallen victim to strains of ransomware for which security software is already available to thwart it. Finally, always back up your computer’s data daily, preferably in two different ways, in order to protect your data in the event you do become a victim of ransomware.

Finally, it is important to note that a recent study done by Spiceworks found that of small to medium businesses who paid a ransom after being hacked, 45% did not get their data restored.  Apparently there is no honor among some thieves.

Scam of the day – April 3, 2017 – Scary email scam

Scammers are always finding ways to take what is in the news and make it the basis of a scam.  The reasons for doing so are obvious.  If you are aware or even concerned about something in the news, you are more likely to fall victim to a scam related to that newsworthy matter.  Such is the case now with a scam related to the recent Congressional passage of a bill that would overturn  Internet Service Provider privacy regulations enacted last year.  With the imminent overturning of these regulations, Internet Service Providers will be able without your specific knowledge to maintain records of everything you do online and sell that information to companies who may wish to use that information.  In its more benign form, you may find yourself receiving online advertisements for products that you may have searched for online, however, the threat to your privacy presented by the rescinding of the previously enacted privacy protection regulations cannot be overstated.

Now scammers are taking advantage of this concern and are sending out carefully crafted spear phishing emails directed to you personally by name that indicate that you have been found to have committed fraudulent conduct online by a company monitoring your online usage and that the information is going to be sent to law enforcement.  The email purports to provide the incriminating evidence in an attachment for you to see.  It is easy to imagine how someone confronted with such an email would immediately download the attachment to find out details. Unfortunately, anyone downloading the attachment would only succeed in downloading keystroke logging malware that would enable the scammer to steal all of the information in your computer and use it to make you a victim of identity theft.

TIPS

Never click on links in emails or download attachments unless you have absolutely confirmed that they are legitimate.  In this instance, a little research would have shown that the email was a scam.

It is also important to remember that the privacy regulations recently rescinded only related to Internet Service Providers.  Companies like Google, Facebook and Amazon have been gathering and selling information about you for a long time.  Unknown to many people, every time you click “like” on Facebook, that information is stored and used by Facebook.

For enhanced privacy online you should go to Facebook,  YouTube, Google and every other website you use and see what privacy rights you have and how you can set your preferences to a level with which you would be comfortable.

You also should consider using a Virtual Private Network while doing online browsing.  This will enable you to maintain your anonymity online. Here is a link to information about some free VPNs.  http://top5-vpn.com/free-vpn-services/

Scam of the day – February 11, 2017 – Arby’s suffers major data breach

Fast food company Arby’s became the latest announced victim of a major data breach, which appears to have occurred between October 25, 2016 and January 19, 2017, but was only disclosed by the company yesterday. The data breach, which affected hundreds of the company-owned stores but not those of franchise owners, may have resulted in more than 335,000 credit and debit cards being compromised.

As is often the case, the data breach was originally discovered by a bank which first found a pattern of fraudulent credit card use and was able to trace the source back to Arby’s restaurants. In this case PSCU, a credit union service group for more than 800 credit unions, uncovered the fraud.

At the present time it has not been determined how the point of sale credit and debit card processing equipment was compromised with the malware that was downloaded to the equipment to steal the credit and debit card information.  Often the problem can be traced back to spear phishing.

TIPS

This type of data breach continues to occur as many retail stores and restaurants still have not replaced their magnetic strip credit and debit card processing equipment with EMV chip card processing equipment. Whenever possible you should use your EMV chip card and never use your debit card for a retail purchase because the consumer protection laws regarding debit card fraud are not as strong as the laws protecting consumers from credit card fraud.

Anyone who has used their credit card at an Arby’s restaurant between October 25, 2016 and January 19, 2017 should carefully monitor their credit card statements for evidence of fraudulent use and if you find it, you should report it immediately to your credit card company.  If you used a debit card at an Arby’s restaurant during that time period, you should monitor the bank account attached to the card particularly carefully and refrain from using your debit card for retail purchases in the future.

Scam of the day – January 28, 2017 – Hacker of nude photos of celebrities sentenced

In 2014 nude photos of as many as one hundred celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst and Hope Solo turned up online on websites such as Reddit.com and 4chan.org. The photos were taken from both the Apple iCloud accounts of the hacked celebrities and their email accounts. The hacker, a 29-year-old self-described “computer nerd” named Edward Majerczyk, pleaded guilty to one count of unauthorized access to a protected computer to obtain information and was sentenced earlier this week to nine months in prison.

The manner by which Majerczyk accomplished the hacking was simple, but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google security in which, under various pretenses, he requested the victims’ usernames and passwords, which he then used to access their email accounts and iCloud accounts from which he stole the photos and videos.

Using a similar tactic, Ryan Collins hacked 600 celebrities thereby obtaining nude photos, as well.  He was convicted and sentenced to eighteen months in prison.

TIPS

There are a number of lessons to be learned from this crime about how to protect our own security. It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are. If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication. Also, take advantage of the dual-factor identification protocols offered by Apple and many others. With dual-factor identification, your password is only the starting point for accessing your account. After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account. In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts. Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy. It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate. Smartphones save deleted photographs and videos on their cloud servers such as the Google+ service for Android phones and the iCloud for iPhones. However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – January 23, 2017 – Latest Gmail phishing scam

An effective new phishing email scam is presently circulating that is targeting users of Gmail.  It starts when you receive an email that appears to be sent from the email address of one of your real friends and, in fact, the email may have been sent from a friend’s email account that unfortunately has been hacked and taken over in order to send out phishing emails that victims will trust because it appears to come from a trusted source.  The email has an attachment and when you click on the attachment, a sign-in page for your Gmail account appears requiring you to type in your email address and password.  Unfortunately, if you do so, you have just turned over this information to a cybercriminal who can wreak havoc with this information.

TIPS

Although this particular spear phishing email scam is quite sophisticated, there are a number of simple steps you can take to prevent yourself from becoming a victim of the scam.  Primarily, you should follow my rule and never click on any link or download any attachment unless you have absolutely confirmed that the communication sending the link or attachment is legitimate.  Even if the email address from which the communication is sent appears legitimate, your friend’s email may have been hacked and it is a cybercriminal sending you the email.

It is also a good idea to use dual factor authentication when possible for your email account.  If you use dual factor authentication, such as where a one time code is sent to your smartphone each time you want to access your email, you are protected from having your email account taken over even if the cybercriminal has your password and username.  Finally, it is a good idea not to store sensitive information in your email account.