7 Ways to Combat Scareware

You may have seen this before. It goes like this: a pop-up appears, and it looks like a window on your PC. Next thing, a scan begins. It often grabs a screenshot of your “My Computer” window, mimicking your PC’s characteristics, then tricks you into clicking on links. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day.

From that point on if you don’t download and install the software, your computer goes kooky
and pop-ups will invade you like bedbugs in New York City.

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links and downloading their crappy software.

Information Week reports those behind a new fake antivirus software have added a new social engineering element — live support agents who will try to convince potential victims that their PCs are infected and that payment is the cure.

The rogue software comes equipped with a customer support link leading to a live session with the bad guy. Real scammers on the other end of the chat can offer live remote access support: victims are instructed by “support” to click a link that initiates remote access to their PC. Once connected remotely, the scammer can potentially retrieve documents to steal your identity.

Another new twist on the scam involves a pop-up in the form of a browser window with a warning that looks like what your browser may present when you visit a page that might have an expired security certificate, carry a malware warning or be a potential phishing site. The page is usually red with a warning: “Visiting This Site May Harm Your Computer.” It then provides you with a link, button or pop-up that gives you the option of downloading security software or updating your browser’s security.

The software is sometimes known as “AntiVirus2010,” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2010,” or something like “Security Toolkit.” These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

What makes the scam so believable is that the purchase of the software that is supposed to protect you actually follows through. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

Protect yourself:

#1 Use the most updated browser. Whether Internet Explorer 8, Chrome or Firefox, download the latest and greatest. At least download whatever security updates there are for your existing browser.

#2 Usually by default, a pop-up blocker is turned on in new browsers. Keep it on. No pop-ups, no scareware.

#3 If you are using another browser and a pop-up pops up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way.

#4 Never click links in pop-ups.  If the pop-ups are out of your control, do a hard shutdown before you start clicking links.

#5 Persistence counts. Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of.

#6 Employ the most recent versions of anti-virus and keep it set to automatically update your virus definitions.

#7 Never click on links in the body of a “WARNING” webpage that suggests downloading updates for your browser or downloading security software. Just hit the little red X in the upper right corner.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Typosquatting for Fun and Profit

Typosquatting, which is also known as URL hijacking, is a form of cybersquatting that targets Internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter or criminal hacker.

Typosquatters often create spoofed sites that may have the look and feel of the intended site. Operations like these may actually sell products and services that are in direct competition with the site you wanted to go to, or they may be a front to steal your credentials including credit cards or social security numbers. Examples from Veralab might be “leson vs. lesson” or extra double characters such as “yahhoo vs. yahoo” or wrong character sequences such as “IMB vs. IBM”, or a wrong key pressed such as “fesex vs. fedex.”

In some cases the typosquatters employ phishing to get you to visit the site. Phishing of course is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Typosquatting and phishing go hand in hand.

SC Magazine reports “in most cybersquatting cases, the web address can be similar in appearance to the actual corporate site, but will instead contain pay-per-click advertisements, according to a 2007 McAfee report, which studied 1.9 million typographical variations of 2,771 of the most trafficked websites.”

Last year, scammers created a website imitating Twitter.com called tvvitter (that’s t-v-v-itter, cute huh?). They sent phishing emails to millions of users, many of whom clicked on the link contained within the emails, which sent them to the phishing site, where they entered their user names and passwords in order to log in.
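The typo classes named above (a dropped letter, a doubled letter, swapped letters, a neighbouring key) and the tvvitter-style look-alike can be checked mechanically, for instance when reviewing DNS or proxy logs for near-misses of sites you use. The following Python is an added example, not part of the original post; the simplified keyboard grid, the look-alike table, the `.example` hostnames and the "second-to-last label" rule are assumptions.

```python
# Added example: classify how a look-alike domain label differs from a brand.
# The keyboard grid and LOOKALIKES table are simplified assumptions.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
LOOKALIKES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}  # fake -> imitated


def _adjacent_keys():
    """Map each letter to the keys touching it on a simplified QWERTY grid."""
    adj = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, ch in enumerate(row):
            near = set()
            for rr in range(max(r - 1, 0), min(r + 2, len(QWERTY_ROWS))):
                near.update(QWERTY_ROWS[rr][max(c - 1, 0):c + 2])
            adj[ch] = near - {ch}
    return adj


ADJACENT = _adjacent_keys()


def classify(candidate, brand):
    """Return the typo class that turns `brand` into `candidate`, or None."""
    c, b = candidate.lower(), brand.lower()
    if c == b:
        return None
    # Visual substitution, e.g. "vv" standing in for "w" (tvvitter).
    for fake, real in LOOKALIKES.items():
        if fake in c and c.replace(fake, real) == b:
            return "lookalike"
    if len(c) == len(b) + 1:  # one extra character (yahhoo)
        for i in range(len(c)):
            if c[:i] + c[i + 1:] == b:
                doubled = (i > 0 and c[i] == c[i - 1]) or \
                          (i + 1 < len(c) and c[i] == c[i + 1])
                return "doubled" if doubled else "insertion"
    if len(c) == len(b) - 1:  # one missing character (leson)
        for i in range(len(b)):
            if b[:i] + b[i + 1:] == c:
                return "omission"
    if len(c) == len(b):
        diffs = [i for i in range(len(c)) if c[i] != b[i]]
        if len(diffs) == 1:  # one wrong key (fesex)
            i = diffs[0]
            near = ADJACENT.get(b[i], set())
            return "adjacent-key" if c[i] in near else "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and c[diffs[0]] == b[diffs[1]] and c[diffs[1]] == b[diffs[0]]):
            return "transposition"  # swapped neighbours (imb)
    return None


def scan(hostnames, brands):
    """Flag hostnames whose main label is one typo away from a known brand."""
    hits = []
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        label = labels[-2]  # assumption: no public-suffix handling
        for brand in brands:
            kind = classify(label, brand)
            if kind:
                hits.append((host, brand, kind))
    return hits


# Constructed sample data built from the article's own examples.
BRANDS = ["lesson", "yahoo", "ibm", "fedex", "twitter"]
OBSERVED = ["leson.example", "www.yahhoo.example", "imb.example",
            "fesex.example", "tvvitter.example", "fedex.example",
            "weather.example"]

if __name__ == "__main__":
    for hit in scan(OBSERVED, BRANDS):
        print(hit)
```
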

When doing a search online look carefully at any links you click.

When typing in a browser, before hitting “enter” look at the address bar to confirm you spelled it properly.

Do business with e-tailers you are familiar with and carefully spell their domain.

Set up your favorites menu with your most visited sites.

So heads up, be careful out there and don’t get hooked.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

Half Billion Records Breached in 5 Years

In the late 90s and early 2000s, hacking had evolved from “phreaking” (hacking phone systems) to “cracking” (breaking into networks). At the time, hackers hacked for fun, for the challenge, and for fame and popularity within the hacking community. But soon enough, the public began spending more time online, shopping, banking, and managing personal affairs. Hackers are no longer wreaking havoc for its own sake, deleting files, or tormenting IT administrators. Now, they’re stealing proprietary data. Instead of fun and fame, today’s hackers are motivated by illegal financial gain.

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data Breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

So when a so-called “identity theft expert” claims that you can protect yourself from identity theft for free, simply by shredding documents, not giving out your Social Security number, locking your mailbox, and monitoring your online accounts, that person does not have the full picture. You should take all these precautions. But when almost everyone’s personal information has been stolen or compromised once or twice, as a result of breaches that are entirely out of our control, it’s clear that you simply can’t protect yourself on your own. This is why identity theft protection is a must.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)

5 Ways to Prevent Check Fraud Scams

Check fraud is a billion dollar problem. Check fraud victims include banks, businesses and consumers. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

There are 5 main forms of check fraud to watch out for:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check written to someone else, forges an endorsement and cashes or deposits it.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves.

Uni-ball pens contain specially formulated gel ink that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

Consider a locked mailbox so nobody can access your bank statements.

Use online banking and discontinue paper statements.

Never toss old checks in the rubbish, always shred them.

Have checks delivered to the bank for pick up as opposed to your home.

Guard your checks in your home or office, lock them up.

Go over your bank statements carefully.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

11 Ways To Prevent Home Invasions

Strangers and posers: You tell your children not to talk to strangers, so why do you open the door to a total stranger? And never talk to strangers via an open or screen door. Home-invaders pose as delivery people, law enforcement or public workers.

Distress: If someone is in distress tell him or her you will call the police for them. Don’t open the door for them.

Make a call: Under no circumstances do you open the door unless you get phone numbers to call their superiors. Even if that means making them wait outside while you call 411.

Money, jewels and drugs: One simple reason your house is chosen is someone tipped off the home-invader that you have valuables. You may have done it via social media, or your friends, children or babysitter might have unintentionally bragged. In states where medical marijuana is legal that may be an additional consideration.

Peephole: Install peepholes, talk through the door.

Do not call the police!: If you live in a high crime area where law enforcement takes a while to respond, and if someone is trying to break into your house while you are in it, calling the fire department will sometimes get help to the scene quicker. Do this only if you are desperate. Firefighters are not equipped to handle violence. However squealing sirens can deter a criminal. And call the police!

Get armed: Having a non-lethal weapon in the form of a Taser or a Pepper spray in close proximity to your bed or front door can debilitate your attacker before they gain control. But realize these can be used against you.

Have your mobile handy: Consider a second line or a cell phone in your bedroom. Burglars sometimes cut phone lines and often remove a telephone from the receiver when they enter a home.

Get alarmed: An alarm system activated while you are sleeping will prevent a burglar from getting too far. And keep it on 24/7/365. With a home alarm system on, when someone knocks on the door, a conscious decision has to be made to turn off the alarm. Most people will keep it on.

Locks: Call a qualified locksmith to take a physical security survey to help you determine the most efficient way to lock up. Many products on the market are a false sense of security. A qualified locksmith should be a professional associated with well known manufacturers.

Cameras: Install a 24-hour camera surveillance system. Cameras are a great deterrent.  Have them pointed to every door and access point.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Triple Murder Home Invasion Testimony Ends

This is just a bad, bad story with no happy ending.

There are home invasions, then there is this home invasion. Just when you think humans can’t get any meaner towards each other there is Steven Hayes and Joshua Komisarjevsky, the 2 men accused of a home invasion in Connecticut in 2007. Hayes and his lowlife accomplice allegedly met at a halfway house. They saw the mother (who was eventually murdered) in a parking lot one day and followed her home. A total random act.

The home was invaded at 3am. The father was immediately beaten and tied up in the basement. The father was held captive for a time but he escaped alive. The kids were tied to their beds and the mother was forced to go to the bank and withdraw money.

While at the bank the mother told a bank representative what was happening. The bank called the police who sent cruisers to the scene.

The police were outside for over 30 minutes to prevent the murderers from escaping. At one point the home invaders assaulted one of the children then killed the mother. They set the home on fire and the 2 kids died from smoke inhalation.

The NY Times reported that the state’s attorney John A. Connelly had “described the case as the ‘most horrendous murder in the state of Connecticut in the last 30 years,’ adding, ‘There are about five ways you could charge capital felony.'”

These guys might get the death penalty. But will justice be done? No. There is no justifying the death of a woman and two children and no justice in the prosecution or even death of the accused. And the father of the deceased, he will only mourn his loss, while he might crack a smile if they are prosecuted, he will never celebrate.

I can tell you right now my home security system will be on when I go to bed tonight. And then some.

Robert Siciliano personal security expert to Home Security Source discussing home invasions on the Gordon Elliot Show. Disclosures

Social Media is a Criminal’s Playground

Social media has become a playground for adults, teens, and tweens. And like on any playground, when you hit the jungle gym or horseplay on the seesaw, there is always a chance that you may go home with an egg on your forehead. Or, if you are like me, a broken collarbone.

Twitter and Facebook have become the most popular sites for frolicking, and the most popular sites for identity thieves — the bullies in the playground. These criminal hackers make social media very dangerous. They are attacking these sites to get at you, the end user. Users’ computers can become infected after users click links that appear to be safe, but actually prompt a malicious download or lead to a spoofed website.

New worms and viruses are infecting social networking websites every day. As these sites expand, they adopt new technologies that sometimes create holes through which they can be attacked. Social networking websites’ open nature allows users to upload content including files that may contain “scripts,” or code, designed to infect the site. Participating in user-submitted surveys, quizzes, and other applications may result in spam or stolen data.

The websites themselves host millions of users and they simply can’t protect every user. New technology is developed at a rate that vastly outpaces the security necessary to keep those technologies bulletproof. Essentially, you’re on your own.

While it is rare for a user to post Social Security numbers, which can directly lead to identity theft, on a social networking website, these websites or their users’ actions can compromise PCs, which does ultimately lead to identity theft.

Always make sure to run antivirus software, such as McAfee Total Protection, and invest in McAfee Identity Protection, which monitors your Social Security number and several other parameters of your identity. Learn more about how to protect yourself at http://www.counteridentitytheft.com/.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Facebook scammers on CNN. (Disclosures)

Women Proved “Securest” in the Defcon Social Engineering Game

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.

Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women who gave up zero data to the social engineers.

Computerworld reports, “Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.”

Contestants had twenty minutes to call unsuspecting employees at the target companies and obtain specific bits of (non-sensitive) information about the business for additional points. Participants were not allowed to make the target company feel at risk by pretending to represent a law enforcement agency.

The players extracted data that could be used to compile an effective “attack,” including “information such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.”

Social engineering is the most effective way to bypass any hardware or software systems in place. Organizations can spend millions on security, only to have it all bypassed with a simple phone call.

The players in this game were all men. Maybe the women didn’t give up any data because they were simply untrusting. It could be that the women were properly trained in how to deter social engineers and protect company data over the phone. Or maybe the women simply paid attention to their sixth sense, and felt they were being conned.

Any time the phone rings, a new email comes in, someone knocks on your door, or visits your office, question those who present themselves in positions of authority.

Don’t automatically trust or give the benefit of the doubt.

Within your home or business, communicate what can and can’t be said or done, or what information can or cannot be provided.

Keep in mind that when you lock a door, it’s locked, but it can be opened with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face to face, with a cynical eye for a potential agenda.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures

Criminal Hackers Create 3 Million Fraudulent Websites Annually

A recent study shows that organized criminals create approximately 8,000 malicious websites every day, or over 57,000 each week.

These malicious websites model legitimate websites that we visit every day, such as bank websites, online shopping sites, and eBay. According to this study, the most frequently impersonated companies include Visa, Amazon.com, PayPal, HSBC, and the United States Internal Revenue Service.

People are typically directed to these scam sites in one of three ways:

1. Often, potential victims end up visiting these spoofed websites via phishing scams. Phishing, of course, occurs when you receive an email that appears to be sent from your bank or other trusted entity, and a link in the email brings you to a website that is designed to steal your login credentials.

2. Scammers lure victims to their scam sites via search engines. When a website is created and uploaded to a server, search engines index the scam sites as they would any legitimate site. Doing a Google search can sometimes lead you to a website designed to steal your identity.

3. Social media sites like Facebook and Twitter are free, and this gives scammers an advertising platform. Criminals simply post links in status messages, on group pages, or fan message boards, using the legitimate appearance of the site to gain credibility.

Once a computer user clicks one of these links, he or she ends up on a website that is riddled with malicious software, which may install itself on the victim’s computer even if the victim doesn’t click or download anything on the scam site. This tactic is called a “drive by.” Or, users may be tricked into clicking links to download files. Either way, the ultimate goal is to gather usernames, passwords, and, if possible, credit card or Social Security numbers in order to steal identities.

By understanding how these scams work, PC users can begin to learn what to do while online and, more importantly, what not to do.

Never click on links in the body of an email. NEVER. Always go to your favorites menu or manually type the address into the address bar. This means that you should never copy and paste links from emails, either.

When searching out a product or service, be aware that you could be led to a scam site. A properly spelled web address is one indicator of an established, legitimate site. Try to restrict your business to sites you know and trust. Also, before entering credit card information, look for “https://” in the address bar. This means it’s a secure page and less likely to be a scam.

Just because a link for a tempting deal appears on a popular social networking website doesn’t mean it’s legitimate. I’d shy away from clicking links. Use your common sense. If it seems too good to be true, it is.

Forewarned is forearmed.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. Disclosures

Identity Theft Consumer Education is Paramount

Credit card companies, banks, financial advisors, retailers, hospitals, insurance companies, and just about every other industry and organization that deals with finances has been affected by identity theft.

All these entities have to deal with fraud at some level. For some it’s an occasional nuisance and for others it’s a part of their daily grind. Most have heavily invested in multiple layers of security, but all remain targets. Each has its own set of issues to overcome and each copes with the same underlying constant: the consumer is often the most vulnerable variable in the equation.

Joe and Sally Main Street generally offer the path of least resistance when a scam is launched. Everything from phishing emails, spoofed websites, un-patched or unprotected PCs, open wireless connections, lack of attention to statements, not shredding data, carrying too much information in a wallet, and overall lack of attention to personal security allows fraud to flourish.

Anne Wallace, president of the Identity Theft Assistance Center, explains that the risks are compounded by the increasing popularity of new technologies like mobile banking and social networking. “The crooks are ever-creative,” she says. “They’re always exploiting new schemes to extract information from consumers.” According to Wallace, ITAC members have an obligation to educate consumers about the security threats posed by emerging technology. “It’s so important to keep talking to people about the old threats, the new threats – on a recurring basis.”

I totally agree. Every institution that deals with identity theft has an obligation to effectively inform and educate their client base about how they can protect themselves from fraud.

Many of these organizations have policies that shift the burden of loss away from the consumers. This is a double-edged sword that does not stop fraud. I’m a big believer in personal responsibility. Whether fraud is the fault of the consumer or a larger entity, a resolution in the best interest of both parties should be sought. It is imperative, however, that the party responsible acknowledges that responsibility. This is how we learn from our mistakes, and how we will eventually overcome fraud. If all parties escape blame, only the scammer wins, and fraud flourishes.

For additional tips and identity theft education, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft victims on The Morning Show with Mike & Juliet. (Disclosures)