Ransomware Scammers get the Big Bucks

It sounds almost like science fiction, even in this cyber age: A thief hacks into your computer and encrypts your files, meaning, scrambles the information so you can’t make sense of any of it. He demands you pay him a big fat payment to “unlock” the encryption or to give you the “key,” which is contained on the thief’s remote server.

You are being held ransom. The FBI’s Internet Crime Complaint Center has sent out a warning to both the common Internet user and businesspeople about this ransomware, says an article on arstechnica.com.

And if you think this is one helluva dirty trick, it can be worse: The thief gets your payment, but you don’t get the cyber key.

The article says that the biggest ransomware threat is CryptoWall. The FBI’s IC3 has received reports from 992 victims of this ransomware, but it’s estimated that there are many more victims who have not notified the IC3 (would you or your friends necessarily know to do this?) and instead just paid the ransom—or didn’t, resigning themselves to never being able to access their files again.

In addition to the ransom cost, there are also the costs associated with cleaning up the mess, and the fallout especially hits businesses, because they suffer lost productivity and having to pay IT services.

The arstechnica.com article quotes Stu Sjouwerman, CEO of KnowBe4, a security training company: “CryptoWall 3.0 is the most advanced crypto-ransom malware at the moment.”

According to the IC3, there are $18 million in losses associated with CryptoWall, but remember, that’s only what has been reported. Many businesses do not report breaches to the FBI, including the ransom payment and the heavy cost of impaired productivity.

How does an individual or business avoid getting sucked into this trap? The FBI offers the following recommendations:

  • Back up all of your data on a regular basis.
  • Protect all of your devices with antivirus software and a firewall—from reputable companies.
  • Keep your security software updated.
  • Clicking on a malicious website could download ransomware; therefore, you should enable pop-up blockers that will prevent these dangerous clicks.
  • Do not visit suspicious websites.
  • Avoid clicking on links inside e-mails.
  • Protect your WiFi connection. A criminal can insert a virus on your device while on unencrypted WiFi. Use a VPN; a virtual private network encrypts your data over free WiFi.
  • Avoid opening attachments that come from strangers or people for whom it would be out of character for them to send you an attachment or who’d have absolutely no reason to. This includes the IRS, UPS, Microsoft, Walmart, etc.
  • CryptoWall can still make its way into your device if you’ve clicked on a malicious ad that’s on a legitimate website, says the arstechnica.com article. Here is where an updated antivirus software program would come into play to detect the malware.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America.

Big Bad Hackers taken down

Darkode anyone? Not anymore. This underground bad hackers’ forum was recently demolished by the FBI, says a report on www.justice.gov. The dozen hackers associated with Darkode are facing criminal charges.

Though there are about 800 such forums, Darkode was among the worst (or shall I say “best”?), presenting a serious threat to computers worldwide. Gone are Darkode’s ventures of buying, selling and trading malware, and exchanging hacking strategies—to actually carry out crimes, not just fun brainstorming.

The dismantling of Darkode comes as a result of infiltration and of the efforts of law enforcement representing 20 countries including Australia, Colombia, Canada, Germany, Latvia, Denmark, Finland, Romania, Nigeria, Sweden and the UK. This is the biggest bust of a black hat forum to date.

Here is the cyber smut list from the www.justice.gov article:

  • J. Gudmunds, 27. He created a botnet that stole data on 200 million occasions.
  • M. Culbertson, 20. He’s the brains behind Dendroid, malware for sale on Darkode that was supposed to steal and control data from Google Android. Clever name, too: “Dend” refers to branching out (as in neuronal dendrites).
  • E. Crocker, 29. He’s the mastermind behind a Facebook spreader that infected the computers of FB users, converting them to bots.
  • N. Ahmed, P. Fleitz and D. Watts, 27, 31 and 28, respectively. They’re behind the spam that sent out millions of e-mails intended to bypass spam filters of cell phones.
  • M. Saifuddin, 29. He tried to transfer credit card numbers to other Darkode members.
  • D. Placek, 27. He allegedly created Darkode and sold malware on it.
  • M. Skorjanc, F. Ruiz and M. Leniqi, 28, 36 and 34, respectively. They’ve been charged with conspiracy to commit wire and bank fraud, racketeering conspiracy and conspiracy to commit computer fraud and extortion.
  • Rory Stephen Guidry. He reportedly sold botnets on Darkode.

The article points out that all of these wrongdoings are accusations at this point, and that these defendants are presumed innocent until proven guilty.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

5 Auto Repair Scams

You take your car to the mechanic; it’s been making a funny grinding noise when you press on the gas pedal. The mechanic tells you what’s wrong and what needs to be fixed, then socks you with the estimate.

How can you tell he’s not embellishing a lot of the “diagnosis”? You know nothing about cars. You have to take his word for it. What if the second opinion is also from a scammer and sounds a lot like the first opinion? You’re screwed.

An article at carbuying.jalopnik.com describes five auto repair scams.

Charging for repairs you don’t need.

  • The mechanic says he fixed the problem.
  • The problem still persists.
  • You take the car back and he “diagnoses” the “real” problem and fixes that.
  • The problem still exists.
  • The game repeats but finally the issue is corrected, but you get charged for the first two “repairs,” which never had to be made in the first place. The mechanic scammed you, and this is illegal.

Saying something is wrong when it’s not.

  • What an easy way for a mechanic to make money and get away with it, especially if the “something wrong” is a small repair. He can really clean up if he pulls this stunt on dozens of customers.
  • A version of this is to find something out of place or not working optimally and tell you it needs to be replaced—even though a repair will fix the problem.
  • This is illegal in many states.

Overcharging for parts or labor. 

  • It’s so easy for a mechanic to do this. How do you know that the four-hour job wasn’t really a two-hour job?
  • Do you know how much a shock absorber or new brakes should cost?
  • Though prices for the same product vary from one shop to the next, consider yourself scammed when the charge is way over the norm.
  • You also shouldn’t pay a mechanic for his inexperience. If he honestly took four hours to do a job that should have taken two hours, you should not be charged for the extra two hours.
  • Get a price and labor estimate before authorizing the work. AND GET IT IN WRITING.

Theft

  • Yes, mechanics have been known to steal valuables including performance features of the vehicle. Even taking a candy bar is illegal.
  • The shop may tell you to file an insurance claim. They’re scamming you because this isn’t how it should work. Since they had possession of your car, the onus is on them that something is missing.
  • Don’t leave valuables in your car.

Joyriding

  • In your car, that is.
  • After the work is completed, the mechanic takes your wheels for a spin.

Damaging your car by accident.

  • They owe you to fix the damage.

If you believe you were scammed, call your lawyer, not your insurance company.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect your small business against viruses with these tips

It is September and it’s National Preparedness Month—a great time to get involved in the safety of your community. Make plans to stay safe, and this includes maintaining ongoing communications. National Preparedness Month culminates September 30th with National PrepareAthon! Day.

I learned in high school biology class that one of the things that distinguishes life forms from inanimate objects is that living things replicate. Therefore, a computer virus is, well, alive; it replicates itself. It’s alive enough to cause billions of dollars of destruction from the time it attacks a computer network until the disaster is cleaned up.

But just what is a computer virus?

Not only does this nasty program file duplicate itself, but it can spread to other computers without human involvement.

Unlike a virus with DNA, a tech virus usually doesn’t produce symptoms to give you an early warning. But it’s hell-bent on harming your network for financial gain.

Though a virus is malicious, it may impersonate something harmless, which is why the user lets it in. One type of virus is spyware, which allows your computer to run smoothly as always while enabling criminals to watch your login activities.

Though viruses often corrupt in secret, others can produce symptoms including:

  • Computer programs and smartphone applications open and close spontaneously.
  • Computer runs very slowly for no apparent reason.
  • Someone you know emails you about the global email you recently sent out promoting a product you have nothing to do with.

You can protect yourself or your business from a virus in the following ways:

  • A malment is a common way to let a virus into your computer. This is a malicious attachment that, when clicked, downloads the virus. The email message tricks employees into clicking that attachment. Unless it’s been confirmed by the sender that you’ll be receiving an attachment shortly, never open attachments. Or at a minimum, scan them with antivirus software.
  • Never open an attachment sent out of the blue by the IRS, company bank, credit union, medical carrier, etc.
  • Apply the above rules to links inside emails. A “phishing” email is designed to look legitimate, like it came from the bank. Click on the link and a virus is released. Or, the link takes you to a site that convinces you to update some login credentials—letting the hacker know your personal information.
  • Never use public Wi-Fi unless you have VPN (virtual private network) encryption software.
  • All devices should have continually updated security software including a firewall.
  • Browsers and operating systems should also be updated to the latest versions.
  • Prevent unauthorized installations by setting up administrative rights.
  • Employees, from the ground to the top, should be aggressively trained in these measures as well as bring-your-own-device protocols.
  • Back up your data. Why? Because when all else fails and your data and devices have been destroyed by malware, a cloud backup allows you to not only recover all your data, but it helps you sleep at night.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how malware works and other tricks that cyber thieves use. To learn more about preparing your small business against viruses, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four-time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders.

Back to school Tech Security Tips for College Students

Some of us remember college dorm days, when students were envied if they had their own typewriter. These days, college students must have a personal laptop computer and a smartphone, and their lives revolve around these connected devices. Such dependency should be proactively protected from loss or theft. Campus security now means more than just being aware of who might be hiding in the bushes at night.

When you send your college kid off into the world, you want them to be prepared for life’s curveballs, and unfortunately, the occasional criminal too. How prepared are they? How prepared are you? Do you or they know that if they leave their GPS service on, some creep could be “following” them? Are they aware of how to lock down their devices to prevent identity theft?

For cybersecurity and personal security, college students should:

How might students get hacked and how can they prevent it?

  • They can fall for a scam via a campus job board, the institution’s e-mail system, off-campus public Wi-Fi or on social media. Be aware of what you click on.
  • It’s easy for devices to be stolen; never leave devices alone whether it’s in the library or a café.
  • Shoulder surfing: Someone peers over their shoulder in the study lounge or outside on a bench to see what’s on their computer screen. A privacy filter will make shoulder surfing difficult.
  • Be careful when buying a used device (which can be infected) and simply taking it as is. Wipe it clean and start fresh with the installation of a new operating system.
  • If you’re not using your devices, consider keeping them in a lockbox or a hidden place instead of exposed in a shared living space like a dorm.
  • All devices should have a password protected screen lock.
  • Data should be backed up every day. Imagine how you’d feel if you lost that term paper you’ve been slaving over!
  • Get a password manager, which will create strong, complex passwords unique to every account. And you won’t have to remember them.
  • Avoid jailbreaking your smartphone, as this increases its hackability.
  • Avoid using public Wi-Fi for transactions involving money or sensitive information, since hackers could easily snoop on the data transmissions. A virtual private network (VPN) will prevent snooping by encrypting transactions.

All devices should have security software that should be updated automatically. Virus scans should be done every day, or at least no less frequently than once a week.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Man Breaks into Home, hides under Bed for Days

Wow, it’s true: The monster under the bed really does exist!

Recently in New Jersey a man broke into a home and hid under a bed in a spare room for possibly five days before being arrested. Margaret Adamcewicz reportedly stated that the man, Jason Hubbard, had dated her daughter five years ago, and it didn’t end well, and he decided to live under her bed.

Hubbard slithered his way into the home when one of its residents left a door open to take out the garbage. He slipped his way upstairs to the spare bedroom and made camp under the bed, even charging several cell phones using an outlet under the bed.

He was discovered when Adamcewicz’ husband heard a noise in the room, peeked under the bed and saw the freeloader. An adult son restrained him until the police arrived.

Not only was Hubbard charged with burglary, but he was also charged with stealing electricity.

How can you prevent a person from sneaking into your house and “living” under a bed? The same way you can help prevent someone from breaking in and stealing your valuables or abducting your child:

  • Keep doors locked at all times. If you can’t keep an eye on the door that you go through to get outside to take out the garbage or collect the mail, then lock it, even though you’ll be back in less than a minute.
  • Use “door reinforcement technology” (google it) for your door or some other beefed-up device to reinforce door security and prevent kick-throughs.
  • Never leave a note on your door that indicates you’re not home.
  • Keep windows locked, at least overnight and when you’re not home, and use a bar or special device that’s placed in the track to prevent horizontal-sliding windows from being slid open by intruders.
  • Keep your shades and curtains lowered and closed as much as possible so nobody can peer inside.
  • Before leaving the house for even short errands, turn the phone’s ringer to mute so prowlers don’t hear an unanswered phone.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston.

These are the Bigtime Hackers

Hackers with big skills and a big ego will be drawn to Facebook and Twitter as their targets. But they’ll also target dozens of other companies, reports an article on arstechnica.com.

One group in particular stands out as the attackers, using zero-day exploits. They are known as Wild Neutron and Morpho, says the article, and have been active possibly since 2011, burrowing their way into various businesses: healthcare, pharmaceutical, technology.

It’s been speculated that the hackers want the inside information of these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe that these hackers have begun using a valid digital certificate that is issued to Acer Incorporated to bypass code-signing requirements that are built into modern operating systems, explains the arstechnica.com report.

Experts also have identified use of some kind of “unknown Flash Player exploit,” meaning that the hackers are using possibly a third zero-day exploit.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how it is that hackers can figure out a password and username. Well, it doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security un-awareness of employees to bust in. They can send employees an e-mail, disguised to look like it’s from a company executive or CEO, that tricks the employee into either revealing passwords and usernames, or clicking on a malicious link that downloads a virus, giving the hacker access to the company system’s stored data. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.

The security firms interviewed estimate that a minimum of 49 companies have been attacked by the hacking ring’s surveillance malware. The cybercriminals have, in at least one instance, got into a company’s physical security information management system.

The arstechnica.com article notes that this consists of swipe card access, HVAC, CCTV and other building security. This would allow the hackers to surveil employees, visually following them around.

This hacking group is smart. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-staged control/command networks that have encrypted virtual machines to foil forensics detectives. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not some giant one.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America.

Idiot Burglar takes Selfie

About 7 a.m. on a Saturday a burglar entered a home through an unlocked side door (how anyone can sleep overnight while a door stays unlocked is a whole new article).

The dumb criminal saw an iPhone and unknowingly triggered a video selfie—showing him standing in the living room during this recent L.A. crime—while three residents were fast asleep including two teen girls. (Again, why didn’t the adult of the home, a woman, lock all the doors…)

A similar scene played out in the UK when a woman tried to unlock a hot iPhone. It had an app called iGotYa. This application automatically sends a photo to the owner.

Another case has the owner of a phone receiving an e-mail of a photo of a man who tried to access the phone with a wrong PIN.

These “got ya” moments can happen to an innocent finder of a lost phone.

There’s yet another case of a man who apparently stole a phone on the beach while its lax female owner went skinny dipping. This occurred in Dubai, and the thief was not able to figure out how to switch off the auto-photo upload tool. As a result, a video ensued called “Life of a stranger who stole my iPhone.”

There are easier ways to locate a lost phone than a “got ya” type app, though this application might one day come in handy for the woman whose unlocked door let in the burglar—who is still at large and nameless.

Android

  • Google has a “Find My Phone” tool. Just type this into the Google search engine and take it from there.
  • There are many paid and free apps that provide numerous commands for remote control such as wiping data, locking the phone, setting off an alarm and resetting the passcode.

Apple

  • Apple has “Find my iPhone”.
  • The lost phone is tracked.
  • Users can remotely wipe it.
  • Just locking it (without wiping it) can still leave messages viewable to anyone who comes upon the phone.

A “kill switch” would allow the phone’s owner to remotely wipe all data and render the phone unusable. In California a new law was passed mandating that, starting this past July, all mobiles sold in the state must have a kill switch.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston.

Phishing Scams: Don’t Click that Link!

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea who he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

You say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they are tricked into entering sensitive information, or is infected and downloads malware to the user’s device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

https://youtu.be/c-6nD3JnZ24

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Getting attacked by a Police Dog

Have you ever seen men getting “attacked” by a police or military dog as part of the dog’s training? The men (I’ve never seen a woman, but I’d like to think there are some strong, feisty women who suit up for this role) wear either just a big padded thing on one of their arms, or they’re engulfed entirely in a padded suit.

The dog lunges for the padded arm, and the “victim” can’t do squat while this occurs.

So from the man’s point of view, what is this all like? According to an article on indefinitelywild.gizmodo.com, a 125-pound Military Working Dog named Fritz “attacked” the author who was wearing a “heavily padded safety suit” that included a “rubber prosthetic arm.”

He was instructed to hold out his arm while Fritz sat obediently. The dog was given orders by a handler to clamp onto the author’s arm. The 150-pound author had no control over his body being thrashed about. The goal is to prevent the dog from biting up and down the arm, which the author was not able to do.

The dog instantly released his “victim” upon hearing commands. The author was then told to “say something mean to the dog and then run away” to “provoke him.” So the author said “Profane-you Fritz!” and bolted.

Fritz bolted after him “at full speed, in anger.” Now let me interject here. I question that the dog was angry. A human might be if you said something mean, but not a dog. I’m no dog expert, although I’ve had 2 German Shepherds in the past 2 years, but it’s fair to suppose that the combination of tone in the author’s voice, and his sudden sprinting away, kicked up Fritz’s instinct to charge after prey. This is why dogs run after a tossed ball.

The author was brought to the ground in an instant. Fritz remained clamped onto him as the handlers escorted him and the dog towards some spectators. Fritz was rewarded with just a pat on the head (but hey, maybe to a dog, that’s serious stuff).

I’ve always wondered what this is like from the dog’s point of view. If the dog was truly in attack, shred-him-up mode, wouldn’t he go for the face instead of clinging on to just a padded arm that tastes like rubber and not live flesh? When people are attacked by dogs while jogging, walking or inside their homes, almost always, they receive injuries (sometimes very serious) to the face and scalp, even neck. Such dogs will also often tear out chunks of the victim’s legs.

But police or military dogs in training always go after that big rubber arm—and stay with it. To a degree, the dogs think it’s just a game, especially since sometimes, the “victim” is the dog’s own handler—who in the next scene is lovingly interacting with the animal.

Anyway, most dogs are a great layer for home protection no matter their size or abilities. Clearly some dogs aren’t, but if a dog is remotely territorial, it can act as an additional set of eyes and ears. And if the dog barks upon hearing an intruder, it can act as a layer added to an alarm system.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston.