Hacking Humans: How Cybercriminals Trick Their Victims

Intel Security has compiled a list of the top ways cybercriminals play with the minds of their targeted victims. And the chief way that the cybercriminals do this is via phishing scams—that are designed to take your money.

11DThe fact that two-thirds of all the emails out there on this planet are phishy tells me that there’s a heck of a lot of people out there who are easily duped into giving over their money. I’m riled because many of these emails (we all get them) scream “SCAM!” because their subject lines are so ridiculous, not to mention the story of some befallen prince that’s in the message

I bet there’s a dozen phishing emails sitting in your junk folder right now. Unfortunately, a lot of these scam emails find their way into your inbox as well.

McAfee Labs™ has declared that there’s over 30 million URLS that may be of a malicious nature. Malicious websites are often associated with scammy emails—the email message lures you into clicking on a link to the phony website.

Clicking on the link may download a virus, or, it may take you to a phony website that’s made to look legitimate. And then on this phony site, you input sensitive information like your credit card number and password because you think the site really IS your bank’s site, or some other service that you have an account with.

6 ways hackers get inside your head:

  1. Threatening you to comply…or else. The “else” often being deactivation of their account (which the scammer has no idea you have, but he sent out so many emails with this threat that he knows that the law of numbers means he’ll snare some of you in his trap).
  2. Getting you to agree to do something because the hacker knows that in general, most people want to live up to their word. That “something,” of course, is some kind of computer task that will compromise security—totally unknown to you, of course.
  3. Pretending to be someone in authority. This could be the company CEO, the IRS or the manager of your bank.
  4. Providing you with something so that you feel obligated to return the favor.
  5. “If everyone else does it, it’s okay.” Hackers apply this concept by making a phishing email appear that it’s gone out to other people in the your circle of friends or acquaintances.
  6. Playing on your emotions to get you to like the crook. A skilled fraudster will use wit and charm, information from your social profiles, or even a phony picture he took off of a photo gallery of professional models to win your trust.

In order to preventing human hacking via phishing scams, you need to be aware of them. Aware of the scams, ruses, motivations and then simply hit delete. Whenever in doubt, pick up the phone and call the sender to confirm the email is legit.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Background Checks aren’t as easy as you’d think

With seemingly more and more people being harassed, stalked and getting their identities stolen, the rate of background check requests (e.g., a small business owner hiring a private investigator) has increased quite a bit.

The background check is no longer some snoopy kind of thing for extra-curious people; it’s become a necessary tool in a world fraught with frivolous lawsuits but also cybercrime and identity theft. For example, if the “furnace guy” rapes and murders the homeowner, his company would be held accountable. We hear of cases like this all the time—another example would be a bus driver fondling a student. The bus company is held liable.

It’s a no-brainer that background checks should be conducted for people ranging from school officials, nannies and cafeteria workers to home health aides…you name it: all adult employees and volunteers. If you own a business, you’ll never regret getting a background check on your employees.

As crucial as this practice is, however, it’s full of land mines. But don’t let that stop you from acquiring a professional-grade background check to screen for criminality.

First off, the subject’s identity must be validated. But even if you have the correct name, the subject’s birthdate must also be correct. Usually, a photo ID will suffice. But when it’s not available, there are other methods. To see if the subject’s claimed name and DOB match, their driving record is pulled via the state DMV. But there again, we have a loophole: How do you know that the given name and DOB, that pops up in the DMV results, belongs to the subject?

A background check requires the SSN. When the SSN is run through, it will bring up a history of names and addresses, plus previous residential locations of the subject. We now can zero in on various locations to narrow down the investigation. If any aliases pop up, these too must be checked.

The third stop is the court record check in all the counties where the subject has resided in   the past decade. The court’s website should have this information. However, it can also be obtained in person at the courthouse. The investigation will also include the federal court level.

The general criminal check comes next, and is often called a “nationwide” criminal check. It’s not 100 percent accurate but will turn up criminal history if, indeed, the subject is a crook. In addition, the state prison records need to be checked to see if the subject has served some time.

But zero results here don’t mean that the subject was never incarcerated, due to flaws in the search system. On the other hand, if a red flag appears, the investigator will know to dig deeper. To aid with this, the investigator should do an online search on the federal prison site.

The sex offender history is even tougher. Unfortunately in some states, a sex offender history can’t be used to refuse employment to someone. But this doesn’t mean that the investigator can’t investigate, including going straight to the affiliated court and then turning this information over to the individual wanting the background check. Sex offender checks usually turn up empty, but they should always be done.

The investigator should also search for arrest reports, but there’s no guarantee that the unveiled information can be legally presented to the client who hired the investigator.

And finally, is the subject wanted by the police? Historically, PIs were not privy to this information (it was available only to law enforcement). But fairly recently, PIs can now get ahold of this information, though the search process has flaws. Nevertheless, it should be done, especially since the fee is low.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

It’s Beginning to Look a Lot Like the Holiday Shopping Season

The holiday season is in full force. Not only is it time to bring out the tinsel while jamming out to holiday music, it’s also time to buckle down on your holiday shopping. Have you made your holiday shopping list yet? Luckily, in the U.S., the biggest shopping days of the year are coming up meaning lots of shopping deals at stores on and offline to help you complete your holiday shopping list.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294There are people out there who are really gung-ho about Black Friday—camping outside a department store the night before and fighting the masses for the half-price widescreen tv. That’s not really my style; I’m more of a Cyber Monday kind of guy. I just fire up my computer or tablet and start clicking and then boxes magically arrive at my house…well maybe not magically.

Online shopping is convenient for the holiday shopper. No lines, no braving the sometimes nasty winter weather, no crowds—you can buy almost anything and never leave your couch. Although online shopping is a great way to complete your holiday shopping list, you should take a couple precautions while online to keep your personal and financial information safe from hackers.  Along with avoiding the 12 Scams of the Holidays, here are the top 5 tips to help you stay safe while shopping online this holiday season.

  • Be wary of deals. Does that 90% off blowout sale of iPhones sounds too good to be true? It probably is. Any offer you see online that has an unbelievable price shouldn’t be believable. Beware of spam emails with links to awesome deals, as it’s particularly dangerous to buy on a site advertised in a spam email. I recommend using web protection, like McAfee® SiteAdvisor® provides easy to results to protect you from going to a malicious website.
  • Use credit cards rather than debit cards. If the site turns out to be fraudulent, your credit card company will usually reimburse you for the purchase; and in the case of credit card fraud, the law should protect you. With debit cards, it can be more difficult to get your money back and you don’t want your account to be drained while you’re sorting things out with your bank. Another option savvy shoppers sometimes use is a one-time use credit card, which includes a randomly generated number that can be used for one transaction only. If the number is stolen it cannot be used again. Using this type of credit card also ensures that a thief does not have access to your real credit card number.
  • Review the company’s policies. Look to see how the merchant uses your personal information and check to make sure that it will not be shared with third parties. You should only disclose facts necessary to complete your purchase and not any additional information about yourself. Also, check the website’s shipping policy and make sure it seems reasonable to you. You want to make sure that you understand all your shipping options and how they will affect your total cost of your online purchase.
  • Check that the site is secure. Find out if a company’s website is secure by looking for a security seal, like the McAfee SECURE™ trustmark, which indicates that the site will protect you from identity theft, credit card fraud, spam and other malicious threats. Make sure the site uses encryption—or scrambling—when transmitting information over the Internet by looking for a lock symbol on the page and checking to make sure that the web address starts with httpS://.
  • Only use secure devices and connections.  If you are using a public computer, information such as your browsing history and even your login information may be accessible to strangers who use the computer after you. Also, never shop using an unsecured wireless network because hackers can access your payment information if the network is not protected.  To protect yourself, do all of your online shopping from your secure home computer. When shopping at home, make sure all your devices are protected with comprehensive security like McAfee LiveSafe™ service which protects all your PCs, tablets and smartphones.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

What is a Computer Worm?

Worms. Most of us probably think of them as those squirmy invertebrates we dissected as a kid or found on the sidewalk after a storm. You might have used them as bait for fishing (not phishing), to pull a prank or have even eaten them (no judgment).

6DWhether you like worms or not, there’s one kind of worm that definitely isn’t your friend—the computer worm. This kind of worm is a computer program that can replicate and send copies of itself to other computers in a network. Worms are considered a subset of viruses, but unlike viruses they can travel without any human action.

Most worms are designed to exploit known security holes in software, although some spread by tricking Internet users. Mass-mailing worms, for instance, spread via email or instant message (IM). They arrive in message attachments and once you download them the worm silently infects your machine. Peer-to-peer (P2P) networks are another avenue for worms: cybercriminals upload infected files with desirable names to entice users into downloading them. And once you download the file your computer is infected.

Once your machine is infected, the worm can corrupt files, steal sensitive information, install a backdoor giving cybercriminals access to your computer, or modify system settings to make your machine more vulnerable. They can also degrade your Internet connection and overall system performance.

The good news is there are steps you can take to keep your computer from being infected:

  • Don’t download or open any files on P2P sites.
  • Since some worms now have a phishing component—meaning that they try to trick users into running the malicious code—do not click on links in unexpected emails and IMs, or download attachments connected to them.
  • Use comprehensive security software, like McAfee LiveSafe™ service, with a software firewall to block unauthorized traffic to and from your computer. Make sure to keep your security software updated.

If you fear that your machine is already infected, immediately run a security scan.

Of course, given the fast-moving nature of Internet worms, your best bet is to be cautious and take steps to avoid getting infected in the first place.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Hackers and Banks win, Clients lose

Don’t blame the hackers; don’t blame the bank; apparently it’s the victim’s fault that a Missouri escrow firm was robbed of $440,000 in a cybercrime, says a report on computerworld.com.

11DThe attack occurred in 2010, but the appeals court’s March 2013 ruling declared that the firm, Choice Escrow and Title LLC, can’t hold its bank accountable. The victimized firm might even have to pay the bank’s attorney fees. The court says that the firm failed to abide by the bank’s recommended security procedures.

BancorpSouth Bank was sued by Choice Escrow following a cyber assault in which the password and username to the firm’s online bank account was stolen.

The victim asserted that the bank failed to implement sufficient security measures, allowing the attack to take place. The firm also insisted that the bank should have detected that the wire transfer of the money to Cyprus was fraudulent because it was initiated outside the U.S.—an unprecedented type of transaction.

BancorpSouth’s defense was that Choice Escrow failed to instill the security precautions for wire transfers that the bank recommended.

At first it seems like the bank here is bucking culpability, but according to the bank:

  • It had controls in place for Choice Escrow to use.
  • The bank requested that the firm use a dual-control process for wire transfer requests that would require two people to sign.
  • The bank asked the firm to enforce an upper limit on wire transfers.
  • Choice failed to follow these two recommendations.

The bank also points out that the wire transfer was started by someone who used the firm’s legitimate banking credentials, along with a computer that seemed to belong to the company. Had the company followed the bank’s recommendations, the crime may not have occurred.

Stealing legitimate banking credentials and using them to initiate criminal wire transfers to overseas accounts is nothing new to cyber criminals. This crime causes disputes between banks and their customers and heightens awareness over how much responsibility each entity should carry.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

What’s Your Click IQ?

The recent celebrity photo hacks are an unfortunate reminder of how devastating or embarrassing it can be to have your data compromised.  But celebrities are not the only ones getting hacked. Cybercriminals aren’t choosy—they’ll send malicious texts, emails, and website links to Jennifer Lawrence and your grandma. And while the celebrity hacks are more publicized, the fact is, every day, hundreds of ordinary people are falling prey to phishing scams.

So how can you protect yourself from these cybercriminals? The best defense is actually you.

Many of these scams involve a similar thing—the click. So if you learn how to click wisely, 95% of cybercrime techniques—including phishing, bad URLs, fake text messages, infected pdfs, and more—are eliminated.

And that’s the idea behind Intel Security’s new campaign, #ClickSmart. Intel Security wants to empower you with the skills and sense to avoid those dastardly scams.

Here are some tips to get you started

  • Check URLs for misspellings or interesting suffixes. For example, if you see www.faceboook.ru, don’t click it.
  • Only open texts and emails from people you know. But even if you do know the sender, be wary for any suspicious subject lines or links. Hackers can try to lure you through your friends and family.
  • Beware of emails, texts, and search results offering anything for free. If it sounds too good to be true, then it probably isn’t true.

Print

Are you ready to take the #ClickSmart challenge? If so, go to digitalsecurity.intel.com/clicksmart and see if you’re a Click head or a Click wizard.

To learn more on how to #ClickSmart, join @IntelSecurity, @McAfeeConsumer, @cyber, @GetCyberSafe, @STOPTHNKCONNECT  for Twitter chat on October 14th at 12 PM PT. Use #ChatSTC to join in on the conversation. Click here for more information.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Botnets Here, Botnets There, Botnets EVERYWHERE

What are these “botnets” you keep hearing about? Botnets (think roBOT + NETwork—gets you “BOTNET”) are a network of secretly compromised, run-of-the-mill home and office computers that have malicious software—controlled by a solitary hacker or cybercrime ring.

6DHackers use botnets to execute a variety of cybercrimes like page rank sabotage, mass spamming, bitcoin mining, and more. The FBI says there are 18 botnet infections every second worldwide and these infiltrations pose one of the gravest online threats ever. That figure means over 500 million computers a year are infected.

Needless to say, these attacks can occur without the user knowing it. Botnets will swipe the user’s personal and financial data and can result in stolen credit cards, website crashes and even record your keystroke habits.

The FBI is trying fervently to crumble the botnet empire, as this costs billions of dollars in fallout. And botnetting is on the rise. Hackers aren’t just going after Joe Smo’s credit cards, but top government secrets and technology.

This situation is compounded by another facet of the U.S. government using botnets to build up its power. Think NSA, with its pervasive surveillance program. NSA is assuming control over botnet-infected devices, using these for their own purposes.

NSA, in fact, has a legion of “sleeper cells,” according to the document that was leaked by Edward Snowden. These are remote-controlled computers infested with malware, and as of 2012, were on 50,000 networks.

So we have our government fighting to dismantle botnets, yet simultaneously, building up their arsenal with…botnets. So how on earth will this problem ever be mitigated?

It starts with you.

  • Pay attention if you notice that your Internet connection is unusually slow or you can’t access certain sites (and that your Internet connection is not down)
  • Make sure you have comprehensive Antivirus security installed on all your devices.
  • Be careful when giving out your email address, clicking on links and opening attachments, especially if they are from people you don’t know
  • Stay educated on the latest tactics that hackers and scammers use so that you’re aware of tricks they use
  • Keep your devices operating systems critical security patches updated.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Majority of Executives believe Attackers will overcome Corporate Defenses

Many technology executives don’t have a favorable outlook on their ability to sideswipe cybercriminals, according to research conducted by McKinsey and World Economic Forum.

2DThe research also shows that both big and small businesses lack the ability to make sturdy decisions, and struggle to quantify the effect of risk and resolution plans. As the report authors state, “Much of the damage results from an inadequate response to a breach rather than the breach itself”.

These results come from interviews with more than 200 business leaders such as chief information officers, policy makers, regulators, law enforcement officials and technology vendors spanning the Americas, Europe, Asia, Africa and the Middle East.

Cybercrimes are extremely costly and the cost can hit the trillions of dollars mark.

Several concerning trends regarding how decision makers in the business world perceive cyber risks, attacks and their fallouts were apparent in the research findings:

  • Over 50 percent of all respondents, and 70 percent of financial institution executives, think that cybersecurity is a big risk. Some executives believe that threats from employees equal those from external sources.
  • A majority of executives envision that cyber criminals will continue being a step ahead of corporate defenses. 60 percent believe that the gap between cyber crooks and corporate defense will increase, with, of course, the crooks in the lead.
  • The leaking of proprietary knowledge is a big concern for companies selling products to consumers and businesses.
  • Service companies, though, are more worried about the leaking of their customers’ private information and of disruptions in service.
  • Large organizations, says ongoing McKinsey research, reported cross-sector gaps in risk-management competency.
  • Some companies spend a lot but don’t have much sophistication in risk-management capabilities, while other companies spend little but are relatively good at making risk-management decisions. Even large companies can stand to improve their risk management capabilities substantially.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Russian Organized Crime: Krem D’la Krem of Hackers

The Russians have definitely come…in the world of cybercrime. A Russian ring of hackers has amassed 1.2 billion stolen passwords and usernames involving 400,000 websites. The criminals have also garnered 542 million e-mail addresses.

11DAnd these Russians didn’t discriminate: Any website they could bust into, they did, ranging from big U.S. companies to little websites—anything. Most of these sites remain vulnerable.

Apparently, the thieves are not working for Russia’s government (which rarely goes after hackers anyways), nor have they sold the stolen information…yet. They’ve been paid by third-party entities who want to send out spam.

This gang of thieves operates like a business, with some doing the programming and others doing the stealing. The crooks use botnets to scope a site’s weaknesses, then plow in there.

This massive breach has called attention to the reliance that businesses have on usernames and passwords; this will need to be changed.

Tips for Preventing Getting Hacked

  • Say NO to clicking on links inside e-mails, even if the apparent (note “apparent”) recipient is your bank or a friend.
  • URL security. Trust only sites whose URL starts with a padlock icon and “https.” An “http” won’t cut it.
  • Two-step verification. If your financial institution offers this, then activate it. Call the bank if its website doesn’t have this information.
  • Online banking. If possible, conduct this on a separate computer just for this purpose.
  • Change the router’s default password; otherwise it will be easy for hackers to do their job.
  • Wired ethernet link. This is better than a powerline or Wi-Fi for protection. To carry out an ethernet attack, the thief would probably have to break into a home and set up a device, whereas Wi-Fi data can be snatched out of the air, and powerline data can leak into next-door.
  • Encryption. If you must use Wi-Fi or powerline networks, encryption will scramble data, but a hacker can crack into Wi’Fi’s WEP.
  • Say no to third-party Wi-Fi hotspots.
  • Security updates. Keeping up to date will guard against hackers who use a keylogger to figure out your keystroke pattern—which can tell him your passwords.
  • Hotshot Shield; This service protects you from fraudulent activity when you’re working online in an unprotected network (wired or wireless), such as at airports, hotels or coffee houses.
  • Get identity theft protection. Generally your identity is protected from new account fraud. Many of the services monitor your data on the dark web.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

How Law Enforcement Detects Breaches Before Victims

Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.

1GUnlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. It continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over potentially harmful situation.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.