Holiday Phishers Use Social Media

Every social media website in existence depends on advertising for its survival, to some extent. Criminals exploit this by mimicking these familiar platforms when sending millions of phishing emails designed to entice users into clicking malicious links or visiting spoofed websites that resemble legitimate social media. They also create pages within popular social media that are infected with malware, or malicious links designed to infect the PCs of anyone who clicks.

McAfee has exposed numerous Christmas-related scams. To avoid being snared in a holiday phisher’s net, beware of:

  • Promotional scams and contests: Scammers know that contests and free offers make attractive lures, and have sprinkled Facebook with phony promotions aimed at gathering personal information.
  • Holiday phishing scams: Since people tend to be busy and distracted during the holiday season, phishers incorporate holiday themes into their emails and social media messages, hoping to trick recipients into revealing personal details.
  • Coupon scams: When accepting an offer for an online coupon code, you may be asked to provide personal information, including credit card details, passwords, and other financial data.
  • “It Gift” scams: When a particular gift is hot, sellers tend to mark up the price. Scammers also like to advertise popular gifts on rogue websites and social networks, despite not actually having these items to sell.


Awareness is the key. If you can see a potential scam coming and behave proactively, you won’t get hooked.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto, and he is running the Boston Marathon in April 2012 to support Miles for Miracles for Children’s Hospital Boston.

2012 Threats: Are You Ready?

History is said to be a good indicator of what might come in the future. If you follow trends in how things are done and what tends to gain momentum then you can get a pretty good idea of what’s ahead.

McAfee Labs™ is made up of security professionals who spend all their waking hours observing and combating threats to our digital identities. If anyone is in a position to give us a window into the future of information technology threats, it’s these guys and gals. Here’s what they are predicting we should watch out for in 2012:

–   Attacks on critical infrastructure and utilities— Attackers from all over the world have set their focus on critical, life-supporting utilities such as water and power, either to hold those utilities hostage for payment or to disable them to cause terror. This is the kind of industrial threat that many consumers fear. Unfortunately, many industrial and national infrastructure networks were not designed for modern connectivity, making them vulnerable.

–   Political hacktivism—Hacktivism is the use of computers or computer networks to protest or promote political change. “Anonymous” is the group that was active last year, carrying out high-profile activities such as briefly taking down the New York Stock Exchange’s website in support of the Occupy Wall Street protests.

–   Spam, spam, and more spam—Spam is getting easier and cheaper based on the U.S. CAN-SPAM Act. Shady, for-profit advertisers are making a mint selling lists to spammers, as advertisers are not required to receive consent before sending advertising.

–   Mobile malware—PCs are still the low-hanging fruit. But as more mobiles are used for mobile commerce (mCommerce), virus makers are creating malware designed to take over your phone, to deliver a variety of ads, or even to send expensive text messages from your phone.

–   Hacked cars, GPS and any wireless equipment—Cybercriminals are now targeting embedded operating systems or even hardware to gain control of everything from cars to global positioning system (GPS) trackers and medical equipment.

–   Cyberwar—Not trying to create fear here, just from observation, McAfee Labs has seen an increase in high-tech spying and other “cyber” techniques to gain intelligence.

As technology evolves and our use of the Internet and mobile devices becomes more complex, cybercriminals are also evolving and honing their skills with new types of attacks. But although some of the threats may seem scary, the reality is many offer new takes on old forms of attack and with a little bit of foresight and preparedness we can guard against them.

Robert Siciliano is a McAfee Online Security Evangelist. See him discussing attacks on our critical infrastructure on Fox News (Disclosures)

Seasonal Security: A Poem

It’s that time of year, for holiday cheer,

to give of ourselves and ring in the New Year.

But while you celebrate, please keep in mind,

criminals and hackers are not far behind.


Mobile malware is here; it’s increased since last year.

Be sure to install mobile malware protection,

so that you don’t receive an unwelcome infection.


QR codes are barcodes consumers can scan.

With their smartphones in hand,

a digital bar can locate a great deal, near or far.

But not so fast: these codes can be tricky.

Bad guys can use them to slip your cell a Mickey.

Before clicking that link, remember to think:

Is that code okay? Or might it be sticky?


Scareware pops up with frightening lies:

“Your PC has a virus! Install me, or it dies!”

But before you take action, be aware it’s a scam,

and shut down that pop-up before you get jammed.


Apples are targeted now more than ever,

‘cause when Mac users hear “virus,” they say, “Not me! No way! Never!”

But they ought to know, studies now show

there is plenty of malware that will plague Macs forever.

So install antivirus. Don’t think, “It can’t happen to me,”

or soon you will see, a Mac is as vulnerable as a PC.


Watch out! For holiday phishing!

Or you may wind up wishing

you didn’t believe the hysteria,

when that “prince” from Nigeria,

turns out to be a boldface con

and your money is gone.


Happy holidays to all! Enjoy the season! Have a ball!

And when you give, I implore you to heed,

it’s those that have not that are truly in need.


Robert Siciliano is a personal security expert contributor to Just Ask Gemalto, and he is running the Boston Marathon in April 2012 to support Miles for Miracles for Children’s Hospital Boston.

5 FFIEC Compliance Tips For Banks

Experian’s Chris Ryan addressed five major questions about compliance with the FFIEC’s recent guidance on banking authentication. What follows are his responses, summarized:

  • What does “layered security” actually mean?

“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”

  • What does “multi-factor” authentication actually mean?

“A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”

  • Who does this guidance affect? And does it affect each type of credit grantor/lender differently?

“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”

  • What will the regulation do to help mitigate fraud risk in the near-term and long-term?

“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”

  • How are organizations responding? 

“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”

To learn more, watch Experian and iovation’s webinar, titled Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification, dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Home Invasion Was “The Ultimate House of Horrors”

In a 2007 home invasion in Connecticut, Steven Hayes and Joshua Komisarjevsky, the two men found guilty of the crime, brutally attacked and killed a mother and her daughters. The father was left for dead in the basement. Their crime began when they saw the mother (who was eventually murdered) in a parking lot and followed her home.

The home was invaded at 3am. The father was immediately beaten and tied up in the basement. He was held captive for a time but he escaped alive. The kids were tied to their beds and the mother was forced to go to the bank and withdraw money.

While at the bank the mother told a bank representative what was happening. The bank called the police who sent cruisers to the scene. It ended badly.

Hayes was sentenced to death, and the prosecution has just rested its case against Komisarjevsky. The AP reports that in his closing arguments the prosecutor said, “It was shockingly brutal. It was evil. It was vicious,” adding that the men created a “hellish inferno.” The prosecutor went on to describe a murderous plan that involved “greed, sex, death and destruction.” He showed them the masks, bat and BB gun Komisarjevsky used.

Here are 6 tips to help keep you safe and help prevent a home invasion:
1. Never talk to strangers via an open or screen door. Always talk to them through a locked door.

2. NEVER let children open the doors. Always require an adult to do it.

3. Install a home burglar alarm and keep it on 24/7/365. With a home alarm system on, when someone knocks on the door, a conscious decision has to be made to turn off the alarm. Most people will keep it on.

4. Not all home invaders knock; some break in without warning. Just another reason to have that alarm on.

5. Install a 24-hour camera surveillance system. Cameras are a great deterrent. Have them pointed at every door and access point.

6. Install strong locks and solid core doors. Back up your door with door reinforcement technologies that make it difficult to kick in a door.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing Home Invasions on Montel Williams. Disclosures

5 Quick Tips on How to Prevent the Next Data Breach

You may be aware of the uber-techie bad-boy hackers of Anonymous/Lulz/Anti-sec/Wikileaks/ScriptKiddies and the organized web mobs of the world. Did you know they have wreaked havoc to the degree that almost a billion records have been compromised? A recent study “gathered 3,765 publicly disclosed data breach incidents occurring in 33 countries during 2005-2010. The incidents included over 806.2 million known records being disclosed – averaging more than 388,000 records per day/15,000 records per hour every single day for the past six years.”

#1 Not all data is hacked. Exercise basic to advanced premises/physical security such as access control, security cameras and alarms.

#2 Limit the amount of data required from customers. If you don’t really need a Social Security number then don’t store it. If credit card information doesn’t need to be stored then don’t store it.

#3 Recognize that knowledge-based authentication questions used for password resets can bring down the house: many of the answers can be found on social media sites.

#4 Laptops are one of the biggest data breach points. Laptop data should be encrypted. Laptops should never be left in a car overnight or left in a hotel room or office alone or on a coffee table in a café unattended. Laptop tracking software that locates and wipes data is essential.

#5 Train, train, train, train. Training on data security, what to do and what not to do, is priority number one. Clicking links in emails, downloading anything from the web or email, and opening email attachments have all been recent successful ways to infect a network.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Banking Security Guidelines Go Into Effect in January 2012

As banking applications evolve, common attacks on banks are becoming correspondingly more sophisticated. Small businesses, municipalities, and moneyed individuals are often targeted for obvious reasons: they have hundreds of thousands of dollars, if not a few million, in the bank, but their security is often no more effective than that of an average American household.

The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.

Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.

Using advanced device identification is also essential. The FFIEC suggests complex device identification, which is more advanced than previous techniques, and the leader in this space is iovation Inc. They take complex device identification much further by delivering to financial institutions a reputation for the device as it accesses their site to apply for credit, create an account, transfer money and more.

This proven strategy not only uses advanced methods to identify the devices being used to connect to a bank; it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.
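The FFIEC’s layered, risk-based approach quoted in the compliance tips above and the device-reputation signals described here (geolocation, velocity, anomalies, fraud histories) can be shown working together. The following Python is an added example written for this page, not code from iovation, Experian or the FFIEC; the signal names, weights, thresholds and login events are all constructed.

```python
"""Risk-based, layered authentication driven by device signals.

Added illustration, not code from iovation, Experian or the FFIEC:
the signal names, weights, thresholds and sample events below are all
constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    account: str
    device_id: str      # hypothetical device fingerprint computed elsewhere
    country: str        # hypothetical geolocation of the connecting IP
    amount: float       # value of the transaction requested in this session
    when: datetime


@dataclass
class DeviceHistory:
    """What the institution (or a shared reputation service) knows about a device."""
    fraud_flags: int = 0                            # prior confirmed fraud from this device
    accounts: set = field(default_factory=set)      # accounts previously used from it
    last_seen: dict = field(default_factory=dict)   # account -> (country, timestamp)
    recent: list = field(default_factory=list)      # timestamps of recent logins


# Constructed weights; a real deployment would tune these from fraud feedback.
WEIGHTS = {"new_device": 20, "fraud_history": 60, "many_accounts": 30,
           "velocity": 25, "geo_jump": 30, "high_value": 15}

# The "layered" ladder: a stronger control kicks in as the risk score rises.
LADDER = [(0, "password"), (20, "password+otp"), (60, "out_of_band_call"), (100, "deny")]


def score(event, history):
    """Return (risk score, list of rules that fired) for one login attempt."""
    now = event.when
    reasons = []
    if event.account not in history.accounts:
        reasons.append("new_device")                # device never seen for this account
    if history.fraud_flags:
        reasons.append("fraud_history")             # shared reputation says it has been abused
    if len(history.accounts | {event.account}) > 3:
        reasons.append("many_accounts")             # velocity: too many accounts on one device
    if len([t for t in history.recent if now - t <= timedelta(hours=1)]) >= 5:
        reasons.append("velocity")                  # velocity: too many logins in an hour
    last = history.last_seen.get(event.account)
    if last and last[0] != event.country and now - last[1] < timedelta(hours=6):
        reasons.append("geo_jump")                  # geolocation anomaly since the last login
    if event.amount >= 10_000:
        reasons.append("high_value")                # larger transfers warrant stronger checks
    return sum(WEIGHTS[r] for r in reasons), reasons


def required_control(risk):
    """Pick the highest rung of the ladder whose threshold the risk score reaches."""
    control = LADDER[0][1]
    for threshold, name in LADDER:
        if risk >= threshold:
            control = name
    return control


def decide(event, history):
    risk, reasons = score(event, history)
    return {"risk": risk, "control": required_control(risk), "reasons": reasons}


def record(event, history):
    """Feedback loop: update what is known about the device after a successful login."""
    history.accounts.add(event.account)
    history.last_seen[event.account] = (event.country, event.when)
    history.recent.append(event.when)


def demo():
    """Four constructed login attempts, from routine to clearly abusive."""
    now = datetime(2011, 12, 20, 9, 0)
    trusted = DeviceHistory(accounts={"alice"}, last_seen={"alice": ("US", now - timedelta(days=1))})
    roaming = DeviceHistory(accounts={"alice"}, last_seen={"alice": ("US", now - timedelta(hours=1))})
    flagged = DeviceHistory(fraud_flags=1)
    abused = DeviceHistory(fraud_flags=1, accounts={"acct1", "acct2", "acct3"},
                           recent=[now - timedelta(minutes=m) for m in (5, 10, 20, 30, 40)])
    cases = [
        (LoginEvent("alice", "d1", "US", 200.0, now), trusted),      # routine
        (LoginEvent("alice", "d1", "RO", 12_000.0, now), roaming),   # country hop plus big transfer
        (LoginEvent("bob", "d2", "US", 50.0, now), flagged),         # known-bad device, new account
        (LoginEvent("carol", "d3", "US", 50.0, now), abused),        # everything at once
    ]
    return [decide(e, h) for e, h in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` walks the four cases up the ladder: the routine login needs only a password, the country hop with a large transfer triggers a one-time code, the device with a fraud history gets an out-of-band call, and the device showing fraud history, account velocity and login velocity together is denied. The point is the design, not the numbers: the cheap, unobtrusive check is applied first and stronger controls are added only as the accumulated risk justifies them, and `record` closes the feedback loop the guidance asks for.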

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Supermarket Skimming Scam Highlights Retailer Risk

A California supermarket chain recently sent letters informing customers that a security breach had been discovered at 20 of their stores. The breach notification letter released by Lucky Supermarkets reads, in part:

“Dear Lucky Customer:

In the course of regular store maintenance, we discovered our credit/debit card readers at the self-check lanes ONLY in 20 stores (listed below) had been tampered with. Steps were taken immediately to remove the tampered card readers in the affected stores, as well as enhance security to every credit/debit card reader in all 234 stores in our company. We are not aware nor have we been notified of any reports that customer accounts were compromised.”

The “tampering” referenced in this letter has been described as skimming, which occurs when a separate piece of hardware is affixed to an ATM or point-of-sale terminal. The hardware is designed to blend in with the face of the machine and record card data whenever a card is swiped. Criminals either remove the skimming device later or retrieve data remotely via wireless Bluetooth or mobile SMS.

In this particular case, however, it isn’t clear exactly what happened. What is known is that the POS terminals were compromised. When point-of-sale terminals have been compromised in the past, this has usually meant that criminals actually entered the store, physically removed an entire machine, and replaced it with one that resembled the original, but had been tweaked to capture and transmit customer data.

Consumers cannot protect themselves from this crime. All they can do is check their bank statements frequently and dispute any unauthorized charges or withdrawals. On the other hand, online retailers, who are subject to having stolen credit cards used on their sites, can in many cases prevent fraudulent transactions upfront by checking the reputation of the device used during the transaction. Computers, tablets and smartphones are assessed for fraud, high-risk and suspicious activity in real time, that is, while the device is interacting with the retailer’s website. By checking against iovation Inc.’s global shared database of more than 800 million unique devices and their associations, online retailers can protect themselves against chargeback losses, shipping fraud, account takeovers and identity theft attempts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses POS skimming on CBS. Disclosures.

Firm Documents Increase In Holiday Cyber Fraud

iovation is the leader in device reputation technology. They work to prevent all types of fraud and abuse on the Internet, including account takeovers, which occur when your existing bank or credit card accounts are infiltrated and money is siphoned out. iovation also helps prevent new account fraud, which refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

During this year’s record-breaking Black Friday and Cyber Monday, iovation documented a significant rise in fraudulent transactions, which included account takeover attempts.

Their comparison of the two hottest shopping days of this year vs. last year found:

  • 400% increase in the rate of fraudulent transactions on Black Friday (up from 1% to 4%)
  • 25% increase in the rate of fraudulent transactions on Cyber Monday (up from 3% to 4%)
  • 15% greater transaction volume on Cyber Monday compared to Black Friday
  • 4% mobile fraud rate on both Black Friday and Cyber Monday.

These statistics are compounded by the dramatic and impressive consumer spending numbers for these dates. Consumers must understand that their credit card numbers are fueling the rise in cyber fraud. Throughout the holiday season and beyond, it is imperative that cardholders check their statements carefully, matching them up against receipts to confirm that each charge was authorized.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Holiday Shopping Security on Fox News. Disclosures

Feast of the 7 Phishes 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn

Temporary FDIC insurance coverage news. To obtain more information about temporary FDIC insurance coverage of transaction accounts, please refer to http://www.xxxxxx. Yours faithfully, Federal Deposit Insurance Corporation.”

2. In this phish, the sender claims to be Canadian, but the email suffix “.cn” is Chinese, and the scammer grammar is clearly East African in nature.

“From: Mrs.Martha Chery

Dear Beloved,

I am Mrs.Martha Chery from Canada,I am 58 years old,i am suffering from a long time cancer of my brain,from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.”

3. Wow, my “email address has won.” Lucky me?


WINNING NUMBER: OL/656/020/018


4. This scammer responded to a Craigslist ad I had posted. Apparently I “sounded gorgeous in the ad.” I probably did!

“From: Justina Serini

Hi Robert, I found your posting and wanted to ask you something essential. I am in a relationship and caught my partner cheating on me so I decided to get even! My co-worker said Craigslist list would be the best place to find someone nearby who I can be with for one time only so thought the hell, I would email someone I thought sounded gorgeous in the ad and came across yours!”

5. In this phish, I’m being scammed in Hebrew!


יכול לחסוך לעצמו עשרות או מאות אלפי שקלים – ובקלות! גם אם לקחתם משכנתה והשגתם את התנאים הטובים ביותר,”

6. Oh, wow, the United Nations is contacting me directly. How exciting!


“Attn: Beneficiary, This is to inform you that the International Community has received series Complaints from Beneficiaries who are yet to receive their outstanding Contract/Inheritance Funds.”

7. Download this report, and you’re as doomed as a boiled lobster.

“From: Jerry Bush

This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. The current status of the referred transfer is: failed due to the technical error. Please find the detailed information in the report below.”

Hey, that reminds me, I have fish to fry!
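The hooks in the seven samples above (a brand in the display name that the address doesn’t back up, a link leading somewhere other than the sender’s domain, a claimed country that contradicts the address suffix, lottery and ACH lures, an unexpected language) are exactly the signals a mail filter can score. The Python below is an added example written for this page, not code from the original post: the messages are constructed abbreviations of the hooks above, sender domains use the reserved .example TLD, and the rule weights are arbitrary.

```python
"""Heuristic triage of the phishing hooks catalogued above.

Added example, not code from the original post. The samples are
constructed abbreviations of the post's hooks (sender domains use the
reserved .example TLD); the rule weights are arbitrary."""
import re

TLD_COUNTRY = {"cn": "china", "ca": "canada", "ng": "nigeria"}   # constructed, deliberately partial
LURES = [  # (regex, rule name, weight)
    (r"\bwinning number\b|\bhas won\b", "lottery_lure", 3),
    (r"\bach transfer\b", "ach_failure_lure", 3),
    (r"\bbeneficiary\b|\binheritance\b", "inheritance_lure", 3),
    (r"\bfdic\b", "regulator_lure", 2),
    (r"\bcancer\b|\bmay not live\b", "sympathy_lure", 2),
]
URL = re.compile(r"https?://([^/\s\"”]+)[^\s\"”]*")   # group 1 is the host


def parse(raw):
    """Split a raw message into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers, body


def sender_parts(from_header):
    """Return (display name, full address, domain) from a From: value."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_header)
    address = m.group(0).lower() if m else ""
    domain = m.group(1).lower() if m else ""
    name = re.sub(r"<.*>", "", from_header).replace('"', "").strip()
    return ("" if "@" in name else name), address, domain


def triage(raw):
    """Score one message; a total of 3 or more is treated as phishing in this example."""
    headers, body = parse(raw)
    name, address, domain = sender_parts(headers.get("from", ""))
    text = f"{headers.get('subject', '')}\n{body}"
    hits = []
    # 1. a one-word display name (a brand) that appears nowhere in the actual address
    brand = re.sub(r"[^a-z]", "", name.lower())
    if brand and len(name.split()) == 1 and brand not in address:
        hits.append(("brand_mismatch", 2))
    # 2. links that leave the sender's domain, or fetch an archive/executable
    for m in URL.finditer(body):
        host, full = m.group(1).lower(), m.group(0).lower()
        if host != domain and ("link_mismatch", 2) not in hits:
            hits.append(("link_mismatch", 2))
        if full.endswith((".zip", ".exe", ".scr")) and ("executable_link", 2) not in hits:
            hits.append(("executable_link", 2))
    # 3. "I am ... from Canada" sent from a .cn address
    tld = domain.rsplit(".", 1)[-1]
    claims = [c.lower() for c in re.findall(r"\bfrom ([A-Z][a-zA-Z]+)", body)]
    if tld in TLD_COUNTRY and any(c in TLD_COUNTRY.values() and c != TLD_COUNTRY[tld] for c in claims):
        hits.append(("country_tld_mismatch", 2))
    # 4. known lure phrases in subject or body
    for pattern, rule, weight in LURES:
        if re.search(pattern, text, re.I):
            hits.append((rule, weight))
    # 5. body mostly in a script the mailbox owner does not normally correspond in
    letters = [c for c in body if c.isalpha()]
    if letters and sum(ord(c) > 127 for c in letters) / len(letters) > 0.5:
        hits.append(("unexpected_script", 1))
    total = sum(w for _, w in hits)
    return {"score": total, "phish": total >= 3, "rules": [r for r, _ in hits]}


SAMPLES = {  # constructed messages modelled on the hooks above
    "linkedin_fdic": "From: LinkedIn <updates@notify-mail.example>\nSubject: Temporary FDIC insurance coverage news\n\n"
        "To obtain more information about temporary FDIC insurance coverage of transaction accounts, "
        "please refer to http://fdic-coverage.example/report. Yours faithfully, Federal Deposit Insurance Corporation.",
    "martha": "From: Mrs.Martha Chery <martha.chery@mail.example.cn>\nSubject: Dear Beloved\n\n"
        "I am Mrs.Martha Chery from Canada, I am 58 years old, i am suffering from a long time cancer of my brain, "
        "from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.",
    "lottery": "From: Promotions <promo@lotto-notice.example>\nSubject: Your email address has won\n\n"
        "WINNING NUMBER: OL/656/020/018. Contact the claims agent at http://claims-desk.example to collect.",
    "hebrew": "From: Mortgage Offers <offer@mortgage-deal.example>\nSubject: Mortgage\n\n"
        "יכול לחסוך לעצמו עשרות או מאות אלפי שקלים – ובקלות! גם אם לקחתם משכנתה והשגתם את התנאים הטובים ביותר",
    "ach": "From: Jerry Bush <jerry.bush@ach-reports.example>\nSubject: ACH transfer report\n\n"
        "This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. "
        "The current status of the referred transfer is: failed due to the technical error. "
        "Please find the detailed information in the report below: http://ach-reports.example/report.zip",
    "legit": "From: Payroll <payroll@corp.example>\nSubject: December pay stubs\n\n"
        "Your December pay stub is available on the usual portal at https://corp.example/payroll. Contact HR with questions.",
}


def triage_all():
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:14} score={verdict['score']:<2} phish={verdict['phish']!s:5} {verdict['rules']}")
```

Each verdict lists the rules that fired, which is what an analyst wants to see when tuning the filter: the LinkedIn/FDIC message trips the brand, link and regulator rules; the “Canadian” widow trips the country-versus-TLD rule and the sympathy lure; the ACH “report” is caught by the lure phrase and the archive link. The Hebrew mortgage offer scores only the low-weight script signal, deliberately, because an unfamiliar language on its own says nothing about intent, and the constructed payroll notice scores zero because its display name, address and link all agree.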

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses phishing on Fox Business Disclosures