Phisher Use Olympic Lottery Scams For Summer Games

Fishing, of course, is the sport of tossing a baited hook into the water and then patiently waiting for a fish to bite.

Phishing is similar. The cybercrook sends out spam email and waits for a victim to take the bait. A phisher can send thousands of phishing emails a day, and eventually some people will get hooked.

Phishing is a multi-billion dollar business. Unlike the ongoing depletion of the ocean’s fisheries, there are still plenty of people out there to phish. Today, many victims in developing nations like India and China have only recently gotten broad­band Internet access, and are considered fresh meat by the bad guys.

Phishers follow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They capitalize on significant events and natural disasters, such as Hurricane Katrina, the Japanese Tsunami and the swine flu. On their radar right now is the 2012 Olympics.

Francois Paget, Senior Threat Researcher at McAfee discovered numerous emails combining scam lotteries and the Olympics. Like chocolate and peanut butter these two topics go great together.

“These mails inform the recipients that they have won a substantial amount of money. After contacting the lottery manager, the victims of these rip-offs will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. In some cases, the organizers ask for a copy of the winner’s passport, national ID, or driver’s license. With that personal information compromised, future identity theft activities are guaranteed.”

Awareness is the best way to avoid being scammed. Knowing what the bad guys are doing to hook their victims and learning not getting caught is your best protection. Here’s  a video that explains what phishing is and how to detect if an email is phishing. You should also be aware of phishing when reading emails on our mobile phone. For more information about mobile phishing, read this.

Invest in security software that includes antivirus, anti-spyware anti-phishing and a firewall.

Never click links in the body of an email unless you are 100% sure it’s legit

Don’t go snooping around your spam folders opening emails that look suspect.

When in doubt, delete. Like mom said, if it’s too good to be true, it is.

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Understanding Your BYOD Policy

An employee may pay for their device and its monthly plan, but employees who use their personal devices at work should be required to adhere to a Bring Your Own Device (BYOD) policy that sets the ground rules. If you choose to use your personal device for work purposes at any time for any reason, then your employer will more than likely want control over that device. This means like in a company mobile liability policy, the employer may have remote capabilities to monitor activity and in the event of loss or employee termination, wipe the data.

The day after you get your new and shiny mobile or tablet, chances are you’ll take it right to work and request the IT department set it up with your email and access to the company network. And as more and more companies agree to this, they are also requiring you to agree to their terms as well.

Expect an acceptable use policy. This is one that is governed by the company’s CIO and others basically telling you what you can and can’t do. Read it carefully because once you sign it, your job will be on the line of you don’t abide by it.

Running in the background will be an application that you will be required to download and install. This app may have a certificate authenticating you and the device to connect to the company network and run company programs.

The installed application should provide the enterprise the ability to essentially remotely control your mobile at some level. I wouldn’t be concerned about this unless of course you’re not abiding by the agreement you signed.

At a minimum expect the application to have the ability to locate your mobile if its lost or stolen via the phone’s GPS, lock your phone locally whether you want to or not, (by default you have to choose 1-5 minutes).  Mobile security software apps should also remotely wipe your mobile of all its data. Having encryption, antivirus and a firewall is a key factor in protecting data.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Yahoo! Hacked: 15 Tips To Better Password Security

In light of the Yahoo Voices hack where 450,000 passwords have been compromised, it’s time again to let the world know what they are doing wrong when it comes to passwords. CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456″ by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111″ is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000″ is used 71 times.

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize there are a number of common techniques used to crack passwords and plenty more ways we make our accounts vulnerable due to simple and widely used passwords.

Common Ways Hacks Happen

Dictionary attacks: Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

Tips to Make Your Passwords Secure

Make sure you use different passwords for each of your accounts.

Be sure no one watches when you enter your password.

Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.

Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.

Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.

Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.

Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.

Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.

Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.

Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.

Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard. It’s a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy

Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”

It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.

You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”

Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.

In the end, it’s the responsibility to the public to protect themselves. This disclosure now requires those currently exposed to change their password. The rule of thumb is to change your passwords frequently, every six months. It’s a cliché, but true, passwords need to be strong. Let the keyboard be your palate and be creative. A common mistake people make is that they use dictionary or slang terms. Beware. Dictionary attacks use software that automatically plugs common words into password fields making password cracking effortless for various tools.

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Is A Password Enough? A Closer Look at Authentication

Yahoo reported the theft of some 400,000 user names and passwords to access its website, acknowledging hackers took advantage of a security vulnerability in its computer systems.

The Mountain View, California-based LinkedIn, an employment and professional networking site which has 160 million members, was hacked and suffered a data breach of 6 million of its clients and is now involved in a class-action lawsuit.

These sites did something wrong that allowed those passwords to get hacked. However passwords themselves are too hackable. If multi-factor authentication was used in these cases, then the hacks may be a moot point and the hacked data useless to the thief.

The biggest part of the password problem is in 2 parts: first, we are lazy with passwords, for example in regards to the Yahoo breach  CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456″ by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111″ is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000″ is used 71 times.

Second: spyware, malware and viruses on a user’s device can easily record passwords.  Which means this username (which is often a publically known email address) and password is easy to obtain from an infected device.

The numerous scams which entice users to cough up sensitive data is a proven con that works enough to keep hackers hacking.

Multi-factor authentication, which your bank uses is far better and more secure and it requires a username, password and “something you have”—a personal security device separate from the PC

While additional authentication measures might be a burden to some, it’s a blessing to others who recognize the vulnerabilities of their online accounts otherwise.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

 

NFC at the Summer Games Could Be Exploited

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.

Visa is testing out its NFC service PayWave contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

All of this is good and well, however, there are security issues with NFC that still need addressing. McAfee researchers point out a scam called “fuzzing the hardware”, which involves feeding corrupt or damaged data to an app to discover vulnerabilities. Once such vulnerability is found, the attacker must research and develop an exploit to perform various attacks (e.g. steal credit card info. export the data to the attacker, leak credit card info to any requester). The attacker will then need to find a method to have the victim run the exploit. This entire process costs attackers and criminals in time and money, which can be justified in the case of NFC enabled phones and a multitude of stores with card readers.

McAfee discovered exploitable vulnerabilities on Android and iOS phones. If someone has NFC turned on, an attacker in close proximity can pick up every signal to gather private information or payment information on an athlete’s device.  It is almost like pick pocketing, but they don’t even have to touch you.

McAfee researcher Jimmy Shah stated an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researcher’s data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.

Users can protect themselves by obtaining apps from the Google Play Market, Amazon’s Appstore, or their carrier’s app store, avoiding 3rd party stores that may have pirated or maliciously modified software. Reviews from other users are also helpful in determining safer apps.

NFC handsets are set to increase to about 80 million next year. Gartner estimates that that 50% of Smartphone’s will have NFC capability by 2015. Pay attention to what’s happening in the world of NFC, mobile payment and mobile security  because before you know it, your wallet will be your mobile phone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

ID Thief Gets 5 Years for Stealing Identities of More Than 50 People

In California, an identity thief was recently sentenced to five years in prison for committing what appears to be classic new account fraud. The thief reportedly used a victim’s identity to open a mailbox at a shipping store in Modesto, which he often used to have fraudulently issued credit cards and other financial and identity information mailed.

Typically, new account fraud refers to financial identity theft in which the victim’s personally identifying information ¾ generally a Social Security number ¾ is used to open new accounts on the strength of the victim’s name and good credit standing, which are then used to obtain products and services.

Since a thief typically provides an alternate mailing address, such as the shipping store mailbox used in this particular case, the victim never receives the bills accumulating in his or her name, and may remain entirely unaware of the accounts’ existence until the debts have gone unpaid long enough to prompt creditors to track down the victim.

This thief used victims’ information to create fake drivers licenses with his photo, which helped make the scam stick when he was asked for ID when using fraudulently obtained credit cards.

There are technologies that help credit issuers detect and stop new account fraud by providing real-time intelligence on the device being used to apply for online credit. This technology, called device reputation by iovation Inc., not only alerts businesses when velocity thresholds have been met, it also exposes whether financial fraud, identity theft and other frauds have attempted by the device or associated computers.

Credit issuers can set up and customize their own unique business rules, and iovation analyze each application and then return a recommendation to allow, deny, or review response for the transaction, along with an explanation of the factors involved.

By identifying new account fraud in real time, credit issuers can save millions of dollars in fraud losses annually. In one case, a Fortune 100 company used iovation to identify 43,000 fraudulent credit applications and save themselves $8 million in fraud loss over two years.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

Will The Rise Of Tablets Affect Security Measures In The Workplace?

With unit sales of smartphones and tablets eclipsing those of desktop and notebook PCs, cybercriminals will continue setting their sights on mobile, and increased mobile Internet use will continue exacerbating security and data breach issues in the workplace.

The issues of “BYOD” or Bring Your Own Device to work is plaguing IT managers everywhere. While your company’s IT guy has a relative hold on all the work laptops and desktops, and even some of the mobiles, he is quickly losing control when you bring your new Droid and connect it to the corporate network.  Now he has to worry if that last app you downloaded will infect the network when you plug your device into the company’s PC to update or sync something.

A study by ESET/Harris Interactive shows less than 10% of people using their own tablets for work auto lock them and people were more security-savvy about their smartphones, with 25% using autolock.

McAfee Labs™ points out today’s tablets are more powerful than notebooks were just a few years ago. Although their lack of real keyboards makes them unsuitable for many tasks (editing texts, programming, and design), they are very suitable for browsing the Web, which today is a primary source of malware.

Tablets mainly differ in the size of the screen of a mobile phone, but they share the same software, operating systems, and processors so their security concerns are nearly identical. About the only difference is that some tablets can use USB devices, which increases the attack surface of such devices.

And because like our mobile phone, tablets tend to be portable and one of our most personal computing devices, you need to take steps to protect it. Many of the best practices you use on your computer can be transferred to your tablet.

To help ensure that your tablet is protected, you should:

  • Always password protect your device and set it to auto-lock after a certain period of time to increase your mobile security
  • Never leave your tablet unattended in a public place
  • Don’t click on links on emails and text messages from people you don’t know
  • Even if you know the company or person, use a browser to search for a link or use the company’s official app to navigate to the site
  • Always double-check the web address of a site when doing a search on your mobile phone.
  • If you use online banking and shopping sites, always log out and don’t select the “remember me” function
  • Before downloading a third-party app, check other users’ reviews to see if it is safe, and read the app’s privacy policy to make sure that it is not sharing your personal information

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

One-Third of Banking Account Takeover Attempts Successful

The Financial Services Information Sharing and Analysis Center (FS-ISAC), which works with the Department of Homeland Security, has released a study indicating that attacks on customer bank accounts have increased considerably in recent years.

The FS-ISAC, in collaboration with the American Bankers Association, surveyed large financial institutions to collect data on fraud attempts. The responding banks reported a combined 314 break-in attempts in 2011, up from 239 in 2010 and 87 in 2009.

Roughly one third of these attempts were successful in fraudulently transferring money out of hacked customer accounts, with institutions losing a total of $777,064, which is actually a decrease from $3.12 million in 2010. Customers lost only $489,672 in 2011, down from $1.16 million in 2010.

While less money was ultimately siphoned from banks and customers than in past years, there are new attack strategies on the horizon, which may push these numbers up in 2012. Threats, defenses, and vulnerabilities continually emerge, so stay tuned as we track the shifts in our evolving security landscape.

When asked what they were doing to prevent fraud and theft, banks’ three most common responses were:

  • Increased customer education
  • Multi-factor authentication
  • Anomalous behavior detection

This year, the FFIEC updated the security requirements recommended for banks. One of the recommendations encourages financial institutions to employ complex device identification. Oregon-based security firm iovation goes a step further offering device reputation technology, which builds on device identification by offering real-time risk assessments, exposing any history of fraud associated with a particular device or group of devices, and investigating relationships between devices and accounts that have been associated with fraud in order to expose fraudsters working in cahoots to steal from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

The Role Of The CIO: What’s Really at Stake

The Chief Information Officer (CIO) has become as important as the CEO. It’s a pivotal position that often can make or break the success of a corporation. As criminal hackers have launched various campaigns against numerous organizations, the CIO has become much more than an information officer. They are the guardian of corporate secrets, instrument of progress and the pulse of all communications and connectivity.

Securitymanagement.com recently reported the global cybersecurity market is expected to reach $120.1 billion by 2017. This is nearly twice its current size of $63.7 billion, according to a report by MarketsandMarkets, a Dallas-based research and consulting firm. The increase would represent an annual compound growth rate of 11.3 percent from 2012 to 2017.

Cyberspace is becoming an ever-important part of people’s lives. It’s also powered by a gamut of devices and applications that have made it vulnerable to threats from people and groups including students, spies, hackers, propagandists, and terrorists. Cybersecurity is also becoming an important aspect of the military realm. This has helped make battles “fought in cyberspace as imperative as battles occurring on the ground.”

As a result, as reported by CIO magazine,“the IT leader will still be the nucleus of any company, working closely with business executives and strategizing about future technology directions, leading a staff of highly trained professionals and championing streamlined technical operations. The position will still require a mix of analytical foresight and management prowess over the next decade.”

Going forward the role of the CIO will be critical not only to the organization, but to the public who does business with it and the governments who rely on it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Do You Know What Your Teens Are Doing Online?

A new study called “The Digital Divide: How the Online Behavior of Teens is Getting Past Parents” (conducted by Tru Research and commissioned by McAfee) shows an alarming 70% of teens have hidden their online behavior from their parents, up from 45% in 2010. And yet half of parents live under the assumption that their teen tells them everything he/she does online.

It’s perfectly normal for teens to be less than forthcoming during these years when their hormones are raging and teen angst boggles their brain and body. However the Internet has drastically changed our culture and teens today have access to an incredible amount of information that they didn’t have, just a decade ago.

This instant access to information and digital devices is having an impact on our teens that many of us as parents don’t realize. Some of the revealing consequences are:

Friendships – 20% of teens said they had ended a friendship with someone because of something that happened on a social network.

Physical safety – 7% feared for their safety because of something that happened online, and 5% reported getting into a physical fight because of a problem that started online. More than 1 in 10 (12%) of teens have met someone in real life that they only knew online.

Criminal record – 15% said they have hacked someone’s social networking account and 31% have pirated music and movies.

Cheating – 48% of teens admitted to looking for test answers online, and 16% have used a smartphone to do this.

Innocence – 46% of teens report accidentally accessing pornography online and 32% reported accessing pornography intentionally.

 

 

 

 

 

 

 

 

 

And what about the parents? The study showed:

1 in 3 believes their teen to be much more tech-savvy then they are, leaving them feeling helpless to keep up with their teen’s online behaviors.

22% of parents do not believe their kids can get into trouble online.

Less than 1 in 10 parents are aware their teens are hacking accounts or downloading pirated content.

78% of parents are not worried about their kids cheating at school.

Only 12% of parents thought their children accessed pornography online.

 

 

 

 

 

 

 

 

 

Parents, you must stay in-the-know. Since your teens have grown up in an online world, they may be more online savvy than their parents, but you can’t give up. You must challenge yourselves to become familiar with the complexities of the teen online universe and stay educated on the various devices your teens are using to go online.

As a parent of two young girls, I proactively participate in their online activities and talk to them about the “rules of the road” for the Internet. I’m hoping that this report opens other parent’s eyes so they’ll become more involved in educating their teens with advice and tools.

For more information, please visit:

Full report: http://www.mcafee.com/us/resources/misc/digital-divide-study.pdf

Press release: http://www.mcafee.com/us/about/news/2012/q2/20120625-01.aspx

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)