Viruses as Cyberweapons for sale

It’s all about code—the building blocks of the Internet. Software code is full of unintentional defects. Governments are paying heavy prices to skilled hackers who can unearth these vulnerabilities, says an article at nytimes.com.

6DIn fact, the FBI director, James B. Comey, recommended that the FBI pay hackers a whopping $1.3 million to figure out how to circumvent Apple’s iPhone security.

So driven is this “bug-and-exploit trade market,” that a bug-and-exploit hacking company, Hacking Team, ended up being hacked last summer.

The software companies that create code don’t get to learn what the vulnerabilities are that the richly paid hackers discover. This has been going on for two decades-plus.

Here are some sizzling facts from nytimes.com:

  • Over a hundred governments have reported they have an offensive cyberwar program.
  • Iran boasts being in the No. 3 spot in the world for digital army size (trailing the U.S. and China), though this can’t be confirmed.
  • However, Iranian hackers have demonstrated their skill more than once, and it’s not pretty. For instance, they were responsible for the rash of U.S. bank hacking incidents in 2013.
  • Though Iran’s cyber power lags behind that of the U.S.’s, they’re steadily closing the big gap.
  • Most nations keep details of their cyberwar programs classified.

It has been surmised by many a security expert that WWIII will be largely digital. Imagine how crippling it would be if a nation’s grid was dismantled—affecting major networks across that country—such as healthcare, shipping and banking and other critical infrastructures such as food and water supply.

There’s not a whole ton you can do about this battle. However, you should, at a minimum, prepare your physical life for any digital disasters. Prepare the same way you would if you knew there was a severe storm coming. Store dry foods, water, extra climate appropriate clothing, and cash, preferably lots of small bills. This is just a short list. Seek out numerous resources on ready.gov to learn more.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Businesses Struggling to Keep Up with Latest Wave of Malware Attacks

Companies have been struggling for years to keep cyber-attacks at bay. Cyberthieves are working faster than ever before to send out their malicious attacks, and it’s become increasingly difficult for companies to keep up.

CNN reports that almost one million malware strains are released every day. In 2014, more than 300 million new types of malicious software were created. In addition to new forms of malware, hackers continue to rely on tried and true bugs because many companies simply haven’t found a fix or haven’t updated their systems to mitigate the threats.

In almost 90% of these cases, the bugs have been around since the early 2000s, and some go back to the late 1990s. The irony here is that companies can protect themselves and create patches for these bugs, but there tends to be a lack of effort and resources when it comes to getting the job done.

Some industries are targeted more than others. After hackers get information from these companies, such as proprietary data, they attempt to sell the information on the black market.

Cyberattacks are spreading quickly, and it takes almost no time after an email is sent for a victim to fall for the scheme. When a hacker is successful at breaking into a certain type of company, such as a bank or insurance firm, they will typically use the same exact method to quickly attack another company in the same industry.

New and improved cyber attacks

While old methods of cyber-attack can still be effective, it is the new scams that users should be nervous about. Here are some examples:

  • Social media scams
    Social media scams work and cybercriminals just love them because the people being scammed do most of the work. Cybercriminals release links, videos or stories that lead to viruses, and people share them with their friends because they are cute, funny or eye-raising. These tend to spread quickly because people feel as if they are safe.
  • Likejacking
    Hackers may also use a practice known as “likejacking” to scam people on social media. In this case, they will use a fake “like” button that tricks people into installing malware. The programs then post updates on the user’s wall or newsfeed to spread the attack.
  • Software update attacks
    Hackers are also focusing on more selective attacks. For example, a hacker may hide malware inside of a software update. When a user downloads and installs the update, the virus is set free.
  • Ransomware
    These attacks, where thieves steal or lock files on a person’s computer and then demand a ransom for access, climbed more than 110% in the last year alone. Once infected, the only way to regain access to the files is to pay a fee, usually between $300 and $500, for a decryption key.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Scareware Scam almost snags Victim

Cybercriminals know that the best way to get their claws on the next victim is to appeal to their emotions, not logic.

4DThere’s lots of scary things in life, and one is learning that your computer has been infected with a virus. If this happens, you’re now vulnerable to spending money on getting rid of the malware. The tactic of scaring users is called scareware.

  • A pop up tells you “Warning! Your Computer Has Been Infected with Malware!”
  • The pop-up can be triggered by visiting an infected website or by making a bad click.
  • The pop-up can’t be closed out, or if it can, another appears.
  • Additional information in the pop-up lures you into clicking a link inside it, such as buy some downloadable security software that will destroy the virus.
  • Once the alleged security software is downloaded/installed, it crashes your computer—even if you already have a legitimate security software program in place.
  • You’re screwed at this point. (Hope you had all your data backed up before this happened!)

Here’s another way the scam can unfold, from someone who wrote to me:

I was notified by a notice supposedly from Windows Security that my PC has been attacked.  They claim that all my PC ID numbers were stolen and that Russia had got about 8-12 other IDs.  They took control of my computer and said they scanned it to find this out. They claimed the only way that I could clear this problem was to have them clear it for $199.99 and security for 1year (sic) for $149.99.  They said the only way to accomplish this was by check.  They said it couldn’t be done by credit card because them (sic) numbers would be stolen too.  I refused to go along with that plan and closed them out.  

P.S. I checked my account and it is paid thru 6/2016.  How do I know if I get a notice from Windows that it is legit? 

All windows notifications come via Windows Update. That “pop-up” emanates via your notifications area on your taskbar and NOT a popup via your browser. What a mess.

Protect Yourself

  • Use security software only from a name-brand company.
  • Keep it updated.
  • See a pop-up? Close it out. Never click inside it—which you can’t do if you close it out immediately.
  • Exit the site you think triggered it.
  • Play it safe and run a scan using your legitimate security software.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Why Are Cyber Hucksters so successful?

Often, hucksters prey on the consumer’s desperation, which is why it’s no surprise that the No. 1 rip-off (at least between 2011 and 2012)) was bogus products promising weight loss.

6DVICE (vice.com) interviewed psychologist Maria Konnikova about how cyber cons are so successful—even with the most ridiculous sounding bait (Nigerian prince, anyone?).

The bait becomes more attractive when the target is receiving an influx of cyber attention. Sad to say, this trips up a person’s rationale, making them susceptible to the huckster’s plan.

Konnikova is quoted as stating, “Few things throw us off our game as much as so-called cognitive load: how taxed our mental capacities are at any given moment.” She explains that people are vulnerable when the con artist hits them up with their scheme while the victim is distracted with Twitter, texting, etc. In short, it’s cognitive overload.

Konnikova is the author of the book, “The Confidence Game: Why We Fall For It, Every Time.” In the book, she mentions that victims such as the U.S. Navy were too humiliated to prosecute the crooks who conned them. She tells vice.com: “Because admitting it [getting rooked] would mean admitting you’re a sap.”

And in this day of rapidly evolving cyber technology, the huckster’s job is becoming easier, what with all sorts of pathways he can snag a victim, such as dating sites and pop-up ads warning your computer has been infected. But something else is on the crook’s side: the false sense of security that all this techy mumbo jumbo gives the common user—who hence lets down their guard.

And despite all the parodies and mockeries surrounding the so-called Nigerian prince scam (aka 419 scam), it’s still out there in full force and effect. Look how technology has made it swell. And it will continue evolving as long as people want something for nothing. Why else would the Powerball swell to over 1.3 billon. “The basic contours of the story won’t change,” Konnikova tells vice.com.

Another factor is that some people equate online with credibility: “It’s online so it must be legitimate,” is the mindset. According to this mindset, the Loch Ness Monster must really exist, since there are many stories about it online. Despite how irrational this mindset is, scammers know that many people think this way and will design their ploys to look even more legitimate (with creative layouts, slogans, links, etc.).

Though it takes skill to be a successful huckster, they can’t get the job done without the victim being “vulnerablized” by cognitive overload.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to shop securely with a Mobile Phone

“You can buy things with your phone!” No kidding! But imagine what the response would have been had you made this statement in 1984: “Off your meds, eh?”

7WPurchasing via the smartphone may very well eclipse the popularity of shopping via laptop. And cyber thieves know this. They’re counting on you to slip up.

  • Never click a link inside an e-mail, even if the subject line is a warning or alert to a fabulous sale. Cyber crooks know that the small screens on mobiles can easily hide tell-tale signs of scam e-mails, people are especially vulnerable to subject lines blaring great deals.
  • If you’re too tempted to ignore the great deal, then visit the merchant’s site by typing their name into the search engine rather than clicking the link inside the e-mail! That link could lead to a virus download.
  • Never use public Wi-Fi (e.g., at the airport or hotel) to shop. Stick to your phone’s mobile broadband network or at a minimum use a virtual private network (VPN).
  • When shopping with your phone, use a credit card, never a debit.
  • When using your phone, make sure nobody is spying. This really happens; it’s called visual hacking. It can even be done with the crook’s phone—capturing on video the sensitive information you’re entering on your phone.
  • You accidentally mis-type the URL of a major retailer (but don’t know it), and you end up on their site. It’s called typo squatting. How is this possible? The site is the crook’s. He knows people will commit typos and he takes advantage of this: owning a website that mocks the real one, and you’re lured into “buying” off of it—entering your credit card or PayPal information—which he then has. And he knows you won’t pick up that the site is an imposter because your phone’s screen is so small.
  • Keep the phone’s software updated.
  • Deactivate autosave logins.
  • Your phone contains so much sensitive information about you and your family, financial data, maybe medical history, etc. What if a crook gets ahold of it? Set up a personal identification number (PIN) for login.

Download only from official app stores: Apple App Store, Google Play and Amazon. Don’t download from third-party vendors.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Nineways to shop safely on Cyber Monday

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulpby cyber scammers waiting for their prey.

2DHow can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (it’s secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Sales Staff Targeted by Cyber Criminals

Companies that cut corners by giving cybersecurity training only to their technical staff and the “big wigs” are throwing out the welcome mat to hackers. Cyber criminals know that the ripe fruit to pick is a company’s sales staff. Often, the sales personnel are clueless about the No. 1 way that hackers “get in”: the phishing e-mail. Salespeople are also vulnerable to falling for other lures generated by master hackers.

11DIn a recent study, Intel Security urges businesses to train non-technical (including sales) employees. Sales personnel are at highest risk of making that wrong click because they have such frequent contact in cyberspace with non-employees of their company.

Next in line for the riskiest positions are call center and customer service personnel. People tend to think that the company’s executives are at greatest risk, but look no further than sales, call center and customer service departments as the employees who are most prone to social engineering.

It’s not unheard of for businesses to overlook the training of sales employees and other non-technical staff in cybersecurity. Saving costs explains this in some cases, but so does the myth that non-technical employees don’t need much cybersecurity training.

Intel Security’s report says that the most common methods of hackers is the browser attack, stealth attack, SSL attack, network abuse and evasive technologies.

In particular, the stealth attack is a beast. Intel Security has uncovered 387 new such threats per minute. IT teams have their work cut out for them, struggling to keep pace with these minute-by-minute evolving threats. This doesn’t make it any easier to train non-technical staff in cybersecurity, but it makes it all the more crucial.

Training non-technical staff, particularly those who have frequent online correspondence and have the gift of cyber gab, is the meat and potatoes of company security.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Dept. of Homeland Security Computers Vulnerable

There’s a problem on the home front: security lapses in the computers of the Secret Service and Immigration and Customs Enforcement, says a report on townhall.com. These departments were recently audited, and weaknesses were revealed.

1DRecently, hackers got into the White House, State Department and the Office of Personnel Management, among other entities. And this has caused the public to wonder about just how strong cybersecurity is for the U.S. government. So thus, the audit was carried out.

The root of the problem may be inadequate training of the investigators and analysts for the Department of Homeland Security. This seems to have stemmed from Congress cutting corners with the training budget. The internal websites for the Secret Service and ICE were shown to be deficient.

How many employees are in the Department of Homeland Security? 240,000. That’s a lot of potential for inadequate training to result in the accidental opening of a back door for hackers.

The audit made nine recommendations to the DHS. The DHS has reported that it’s been making efforts to address these recommendations.

  • The Secret Service and ICE are responsible for coming down on financial fraud, money laundering, identity theft and fraud involving banks and credit cards.
  • The National Protection and Programs Directorate (NPPD) was also audited, and this entity is responsible for the security of government computers.
  • ICE, the Secret Service and the NPPD blame Congress for the security lapses. They point out that Congress has a stop-and-go style of funding for cybersecurity, because Congress will not authorize ongoing funding throughout the year.
  • In fact, an ICE analyst revealed that he had to pay out of pocket for cybersecurity training, and thanks to the limited budget for this, was not able to attend formal training in four years.

The report states that employees may not be able to perform assigned incident responses to a cyber attack, nor efficiently investigate such an incident, as long as training was come-and-go and only peppered throughout the DHS instead of being department-wide.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

The Impact of Ransomware on Small Businesses

What’s going on this September? National Preparedness Month. This will be the time to increase your awareness of the safety of your business, family, pets and community. During disasters, communication is key. National Preparedness Month concludes on September 30 with the National PrepareAthon! Day.

celebrateIt would be like a science fiction movie: You go to pull up the file detailing the records of your last quarter’s profit and loss statement, and instead you get a flashing notice: “Your computer has been compromised! To see your file, you must pay money!”

This is called ransomware: a type of malware sent by criminal hackers. Welcome to the world of cybercrime. In fact, ransomware can prevent you from doing anything on your computer.

Where does this ransomware come from? Have you clicked a link inside an e-mail lately? Maybe the e-mail’s subject line really grabbed your attention, something like: “Your FedEx shipment has been delayed” or “Your Account Needs Updating.”

Maybe you opened an attachment that you weren’t expecting. Maybe you were lured to a website (“Dash Cam Records Cyclist Cut in Half by Car”) that downloaded the virus. Other common ways crooks trick you into downloading ransomware include:

  • Hackers impersonate law enforcement; claim you downloaded illegal material; demand a fine for your “violation.”
  • You receive a message that your Windows installation requires activation because it’s counterfeit.
  • Or, the message says your security software isn’t working.

What should you do?

  • Never pay the ransom, even if you’re rich. Paying up doesn’t guarantee you’ll regain access. Are you kidding?
  • Double check that all of the newly encrypted (and utterly useless) files are backed up, wipe your disk drive and restore the data.
  • Wait a minute—your files weren’t backed up?

An ounce of prevention is worth a pound of hacking.

  • Don’t open links or attachments you’re not expecting! This includes from senders you know or companies you patronize.
  • Install an extension on your browser that detects malicious websites.
  • Use a firewall and security software and keep it updated.
  • Regularly back up data, every day ideally.

Needless to say, ransomware attacks occur to businesses. Small companies are particularly vulnerable because they lack the funds to implement strong security. Attacks on businesses usually originate overseas and are more sophisticated than attacks on the common Internet user at home or at the coffee house.

And just like the common user, the business should never pay the ransom, because this will only prolong the situation.

  • Make the criminal think you’re going to pay. Tell them you need time to prepare the fee.
  • Build your defense by gathering all the correspondence.
  • Present this to your webhosting provider, not the police.
  • The webhoster will get to work on this.
  • If the loss is extensive, present the correspondence to the FBI.
  • If the attack is in virus form, you’re finished.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how “phishing” e-mails work and other tricks that cyber thieves use. To learn more about preparing your small business against viruses like ransomware, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures

Very Bad People for hire online

The Deep Web is not a nice place. Here, people can hire assassins, take ransomware payments, purchase U.S. citizenship without revealing their identity, among other things, says an article on darkreading.com.

6DThis information comes from Trend Micro, which used a tool called the “Deep Web analyzer,” something of a web crawler, that collected URLS that were linked to TOR- and I2P-hidden sites, domains with nonstandard TLDs and Freenet resource identifiers, says darkreading.com.

The Deep Web is that portion of cyberspace that’s not indexed by the search engines. The Dark Web is part of the bigger Deep Web, accessible only via special tools.

A Dark Web user could literally hire a rapist or assassin. In fact, assassins even advertise, such as the group C’thulhu. Pay them their fee and they’ll maim, cripple, bomb and kill for you.

$3,000 will get you a “simple beating” to a “low-rank” target. $300,000 pays for the killing of a high-ranking political figure, staged to look like an accident.

Users can also hire (and do so much more commonly than the above) cybercriminals and child exploitation services.

The article points to additional research of the Deep Web, that cybercrooks use anonymization tools in creative ways. In fact, they are using TOR for the hosting of their command-and-control infrastructure. TorrentLocker is a type of malware, and it uses TOR to accept Bitcoin payments and host payment sites.

In other words, cybercriminals are using the Deep Web/Dark Web more and more commonly these days. TOR is being used for cybercriminals to receive payments for their hacking services.

But that’s not the biggest problem of the deep, dark Web, is it? As mentioned, it can be used to hire someone to murder. Just what will all of this eventually evolve into in the next 10 years?

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.