Scam of the day – October 5, 2017 – Yahoo data breach update

Not wanting to be outdone by Equifax and its data breach affecting 145 million Americans (sarcasm), Yahoo, which was recently bought by Verizon, has just announced that its massive 2013 data breach, which it had previously said “only” affected a billion people, actually affected all 3 billion of its customers.

Included in the stolen information were names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, only some of which were encrypted.

While no credit card information or Social Security numbers were lost in this data breach, which has been attributed to Russian hackers by the Justice Department, the risk of identity theft from this data breach is significant.

Scammers are already contacting people through phishing emails posing as Yahoo in an attempt to lure the targeted victims into clicking on links or downloading attachments containing malware. In other instances, the scammers will ask for personal information that can be used for purposes of identity theft. The real Yahoo does not do this. If you have questions about your Yahoo account, you can contact help.yahoo.com for free assistance.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that, in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could be cracked. Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

Whenever possible, use dual factor authentication for your accounts so that when you attempt to log in, a one-time code is sent to your smartphone, which you then enter in order to get access to your account. For convenience's sake, you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use. Yahoo provides for dual factor authentication.

Security questions are notoriously insecure. Information such as your mother’s maiden name, which is the subject of a common security question, can be readily obtained by identity thieves. The simple way to make your security question strong is to use a nonsensical answer, so make something like “firetruck” the answer to the security question about your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.

Scam of the day – December 20, 2016 – Hacker convicted of selling stolen bank accounts on the Dark Web

Recently, Aaron James Glende, a hacker known as IcyEagle, was convicted of hacking into the bank accounts of eleven SunTrust customers and selling their account information on the Dark Web for $229.99 per account. Each of these accounts had balances of between $250,000 and $500,000. He also stole thirty-two accounts with balances of between $100 and $300, which he sold for $9.99 each. Glende was sentenced to four years and two months in prison.

The Dark Web is that part of the Internet where criminals buy and sell stolen goods and data as well as malware and other cybercriminal tools.

TIPS

The information stolen by Glende included usernames and passwords for online banking accounts. In order to protect yourself from becoming a victim of a similar theft, you should use a complex password, a security question whose answer cannot be guessed or obtained through research, and strong security software on all of your electronic devices. It is also important to keep your security software updated with the latest security patches. Also, never provide your personal information, including passwords, in response to emails or text messages unless you have absolutely confirmed that the email or text message is legitimate. Too often, messages seeking this information are just phishing scams designed to trick you into turning over this information to an identity thief.

Here is an image of Glende’s account on the Dark Web site AlphaBay.

[Image: AlphaBay portal]

Scam of the day – December 16, 2016 – Yet another major data breach disclosed at Yahoo

It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history. However, as I often say, “things aren’t as bad as you think — they are far worse.” Earlier this week it was disclosed that Yahoo had also been the victim of an earlier data breach, in 2013, that was only recently discovered and in which personal information on a billion Yahoo customers was stolen. Included in the stolen information were names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, only some of which were encrypted.

Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft. This should be a wake-up call to everyone, even if you do not use Yahoo email, to implement stronger email security measures.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that, in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could be cracked. Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com. Beware of going to other sites that appear to offer free credit reports but actually sign you up for costly services. And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts. For more information about credit freezes, and links on how to set them up, go to the Scam of the day for June 27, 2016.

Whenever possible, use dual factor authentication for your accounts so that when you attempt to log in, a one-time code is sent to your smartphone, which you then enter in order to get access to your account. For convenience's sake, you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure. Information such as your mother’s maiden name, which is the subject of a common security question, can be readily obtained by identity thieves. The simple way to make your security question strong is to use a nonsensical answer, so make something like “firetruck” the answer to the security question about your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you into clicking on malware-infected links. Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information. For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure whether a company is going to be subjected to a data breach, try to limit the personal information you provide to all companies. Don’t leave your credit card number on file for convenience's sake, and don’t provide your Social Security number unless you absolutely must do so. Many companies ask for this information although they have no real need for it.

Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked.  You also should encrypt your emails.  There are many simple, free software programs you can use to encrypt your emails.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.

Scam of the day – November 20, 2016 – Sex or cybersecurity? That is the question.

Although the question of whether you would give up sex for a year in return for total cybersecurity seems like an odd question, it is one that was posed to 2,000 adults in a poll taken by the Harris pollsters.  The response to the question might be startling to many people.  According to the poll, 39% of Americans are so fearful of their cybersecurity that they would willingly give up sex for an entire year in return for a lifetime of cybersecurity.

Unfortunately, you can never totally control your own cybersecurity, because people often become victims of identity theft and other cybercrimes due to the neglect and failure of companies and government agencies to properly secure our personal information. Fortunately, the good news is that there are a number of relatively simple steps you can take to dramatically increase your personal cybersecurity, and you don’t have to give up sex for a year in order to implement them.

TIPS

Here are a few of the more important steps you can take. You can find even more things you can do to protect your cybersecurity in my book “Identity Theft Alert,” which you can order from Amazon by merely clicking on the icon on the right-hand side of this page.

1. Use strong, unique passwords for each of your online accounts so that even if there is a data breach at one account, all of your accounts will not be in jeopardy. A strong password contains capital letters, small letters and symbols. A password base made up of a phrase such as “IDon’tLikePasswords!!!” is strong and can be personally adapted for each of your accounts by merely adding a few letters at the end to distinguish the particular account, such as adding “Ama” to the base password to become your Amazon password.
2. Install security software on your computer, smartphone and all of your electronic devices.
3. Use dual factor authentication whenever possible.
4. Don’t click on links or download attachments without confirming that the links or attachments are legitimate. They may contain malware.
5. Trust me, you can’t trust anyone. Don’t provide personal information to anyone who contacts you by email, phone or text message unless you have confirmed both the legitimacy of the communication and the need for the information.
6. Limit, as much as possible, the places that have your personal information. Your doctor doesn’t need your Social Security number.
7. Put a credit freeze on your reports at each of the three major credit reporting agencies.
8. Only download apps from legitimate app stores, and check the reviews and the privacy rules regarding the app before downloading it.
9. Protect your smartphone with a password.
10. Store important data on a portable hard drive to reduce the danger of ransomware.
11. Avoid public Wi-Fi for anything requiring personal information. Use a Virtual Private Network (VPN).
12. Monitor all of your accounts online regularly.

Scam of the day – May 20, 2016 – First criminal conviction in massive securities fraud scheme

I have been reporting to you about developments in this ingenious and massive stock fraud since last summer when the story first broke. Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades. A number of the civil defendants have already pleaded guilty to charges related to this scam, but earlier this week, Vadym Iermolovych became the first person involved to plead guilty to criminal charges in regard to this scam.

The cornerstone of this scam, as with so many cyberscams, was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by first hacking into social media sites, where they stole the passwords of employees of these companies who used the same passwords at work. The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it still is to use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers. In addition, this case also illustrates the danger of using the same password for all of your accounts. This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into our computers and steal our personal information. Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate. It could well contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware. However, it is still important to have security software on all of your electronic devices and to keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened. Although it may seem difficult to have to remember so many different passwords, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts. Using an easily remembered phrase as the base password, such as IDon’tLikePasswords, is effective. Make it even better by adding a couple of symbols at the end, such as IDon’tLikePasswords!!!, and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – April 6, 2016 – Guccifer extradited to the United States

Guccifer, the alias of an infamous Romanian hacker whose real name is Marcel Lazar Lehel, was extradited by Romanian authorities to the United States and had his first appearance last Friday before a federal judge to answer a nine-count indictment related to his hacking of the emails of a number of celebrities and politicians. In fact, it was Guccifer who first exposed the fact that Hillary Clinton, while Secretary of State, was using a private email server for government purposes, when he hacked into the email account of one of her advisers, Sidney Blumenthal, and found that Blumenthal sent Clinton detailed memos to the personal email address hdr22@clintonemail.com rather than her government email address. Among the other famous people whose email accounts he hacked were Steve Martin, Colin Powell, George W. Bush, John Dean, Mariel Hemingway, Lorne Michaels, Carl Bernstein, Rupert Everett, Eric Idle, Whoopi Goldberg and Julian Fellowes, the writer of “Downton Abbey.” Although Guccifer hacked into the email accounts of many entertainers and politicians, he did not exploit his hacking targets for financial gain even though the information he obtained would have allowed him to do so. Rather, his goals, more often, appeared to be to embarrass his victims and shake the world up a bit. Through hacking of his victims’ email accounts he gained access to and made public the final episode of Downton Abbey months before it was aired. He also made public embarrassing information he obtained through his hacking of politicians and celebrities on both sides of the Atlantic, including allegations that former Secretary of State Colin Powell had an affair with a European Parliament member, Corina Cretu.

One technique Guccifer used was to obtain the email address of someone with an extensive email address book, as he did with media icon Tina Brown, and, once inside the account, harvest more email addresses of the rich and famous from it. He used simple techniques to answer his victim’s security question and change the password to the account, whereupon he was able to take over the account and have access to all of the information stored there. Simple, publicly available information such as birth dates, schools attended and the like provided the keys to answering the security questions of his victims. He also apparently used lists of the names of pets to answer security questions. And herein lies the lesson for us all. Even if you are not a celebrity, there is a great deal of information about each of us that is publicly available. Sometimes the information is even provided by us through our Facebook pages and other social media, making it an easy task for a hacker to get at our email accounts and other accounts protected by a password and security question.

TIPS

Protecting your email account is a difficult task. The key to protecting your account from being hacked is to have strong security questions, because it is often too easy for a hacker to guess the answer to common security questions and gain access to the password for your email account. The key to an unbreakable security question is to have an answer that can never be guessed by a hacker. So if your security question is “What is my favorite vegetable?” you should make the answer “fire truck” or some other totally illogical response. Don’t worry about remembering it yourself, because if the question and answer are as ridiculous as this, you will remember it.

Scam of the day – January 12, 2016 – Data on 320,000 customers of Time Warner Cable stolen

Time Warner Cable is the country’s second largest cable telecommunications company. Recently the FBI discovered that personal information, including email addresses and passwords, of 320,000 Time Warner customers had been stolen. It has still not been determined whether the data was lost as a result of a hacking of Time Warner’s computers or of one of the companies it uses to handle account data. This again points out the problem that your data is only as safe as the security at whichever company holding your data has the weakest security.

TIPS

Time Warner is contacting its customers by email and advising them to change their passwords. If you are a Time Warner customer, you should change your password even if you do not receive an email from Time Warner urging you to do so. This is also a reminder to all of us to make sure that we use unique passwords for all of our accounts so that in the event of a data breach such as occurred here, your other accounts are not in jeopardy. Finally, information stolen in hackings such as this is often used by scammers for spear phishing emails, which are phishing emails that appear to come from a company with which you do business and that prompt you to click on links within the email or provide personal information. Because the email has been tailored to you personally, it is easy to fall prey to such a scam, which is why you should remember one of my primary rules, “trust me, you can’t trust anyone.” Never provide personal information or click on links in emails unless you have independently confirmed that they are legitimate.

Scam of the day – January 11, 2016 – Former St. Louis Cardinals official pleads guilty to hacking the Houston Astros

In July of 2014 I first reported to you about the hacking of the computers of the Houston Astros baseball team. Now, after a prolonged investigation, Christopher Correa has pleaded guilty to hacking the private online database of the Astros called Ground Control, which contained tremendous amounts of confidential data, including scouting reports and statistics on baseball players. At the time he did the hacking, Correa was the Director of Baseball Development for the St. Louis Cardinals. Correa was fired by the Cardinals when he first became a suspect in the hacking of the Astros. A current Astros employee had worked previously for the Cardinals, and Correa was able to easily guess the password that employee used to access Ground Control by merely trying variations of the password the employee had used when he worked for the Cardinals. Armed with this password, Correa stole data from Ground Control for use by the Cardinals. Correa will be sentenced on April 11th, which, coincidentally, is the day of the Cardinals’ home opener for the 2016 baseball season.

TIPS

Although this story reads like fiction, perhaps the biggest lesson for all of us from it is the danger of using the same password, or slight variations of it, for all of your accounts, which unfortunately is a habit that many people have gotten into. Hackers will often steal customers’ passwords from companies in a data breach and then use those passwords for identity theft purposes at banks, brokerage houses and other companies where the victim can suffer substantial financial losses. The best course to follow is to have a difficult-to-crack password that is unique for every account.


Scam of the day – September 21, 2015 – Dangerous new development in Ashley Madison hacking

By now everyone is aware of the major data breach at Ashley Madison, the dating site for married people seeking to have an affair. In August the hackers followed through with their threat and released 9.7 gigabytes of the stolen data, including email addresses, credit card transaction details, partial credit card numbers, addresses and even dating profiles. Now a new and potentially dangerous development has been uncovered by the hacking group known as CynoSure Prime, which discovered vulnerabilities in the password security algorithms used by Ashley Madison that put the passwords of 11.7 million Ashley Madison users in danger of being cracked. Ashley Madison switched over to a secure encryption program for protecting passwords in 2012; however, anyone who used Ashley Madison prior to June 14, 2012 continued to have their passwords protected by the weaker and more hackable security program used at that time. Particularly because many people use the same password for all of their accounts, including online banking, those early users of Ashley Madison are in extreme danger of identity theft by hackers who can readily discover their passwords and use them to gain access to the early users’ other online accounts.

TIPS

The lesson here for early users of Ashley Madison is to change the passwords on all of their accounts as soon as possible. The lesson to the rest of us is to remember that you should always have a distinct and unique password for each of your online accounts. It should be a complex password so that it cannot be broken by simple brute force attacks that try millions of guessable combinations, such as any word in the dictionary or such common passwords as 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords,” and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it reads IDon’tLikePasswords!!! and you have an easy to remember but strong password. Now you can just adapt it for each of your online accounts with a few letters to identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong but easy to remember password.
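Why a hashed password list is still dangerous for a weak password (the concern raised in the two Yahoo posts above) and what Ashley Madison's switch to a stronger password-protection scheme buys: an added example, not code from the original posts and not either company's actual scheme. It stores three constructed sample passwords two ways, an unsalted fast hash standing in for the weaker pre-2012 scheme and salted scrypt standing in for the stronger one, then runs the same small constructed guess list against both; the user names, guess list and the choice of MD5 and scrypt are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample for this example (not data from any real breach):
# two users chose very common passwords; the third uses the
# passphrase-style password recommended in the post above.
USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "IDon'tLikePasswords!!!Ama",
}

# Constructed guess list standing in for "any word in the dictionary or
# such common passwords as 123456".
GUESSES = ["123456", "password", "qwerty", "letmein", "firetruck"]


def weak_store(password):
    """Unsalted fast hash (MD5, an assumption) standing in for the weaker scheme.
    Every user with the same password gets the same hash, so the hash of a
    guess is computed once and compared against every user at no extra cost."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def strong_store(password, salt=None):
    """Per-user random salt plus scrypt, a deliberately slow, memory-hard KDF.
    Returns (salt, digest); both are stored and neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_strong(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def guess_weak(stored, guesses):
    """Against unsalted hashes: hash each guess ONCE, then look every user up.
    Work is len(guesses) hashes no matter how many users were breached."""
    table = {weak_store(g): g for g in guesses}
    return {user: table[h] for user, h in stored.items() if h in table}


def guess_strong(stored, guesses):
    """Against salted scrypt: every guess must be rerun for every user, and
    each run is slow by design. Returns (hits, number of scrypt calls)."""
    hits, work = {}, 0
    for user, (salt, digest) in stored.items():
        for g in guesses:
            work += 1
            if verify_strong(g, salt, digest):
                hits[user] = g
                break
    return hits, work


def compare_schemes(users=USERS, guesses=GUESSES):
    """Store the same passwords both ways and run the same guess list on each."""
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: strong_store(p) for u, p in users.items()}
    weak_hits = guess_weak(weak, guesses)
    strong_hits, work = guess_strong(strong, guesses)
    return weak_hits, strong_hits, work


if __name__ == "__main__":
    w, s, work = compare_schemes()
    print("weak scheme, guesses matched:", w)    # alice and bob; carol is not matched
    print("strong scheme, guesses matched:", s, "after", work, "scrypt calls")
```

The point the numbers make: the common passwords fall under either scheme, so hashing alone does not save a weak or reused password; the stronger scheme only raises the cost per user, while carol's unique passphrase is not matched by the guess list under either.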