Protect your Data during Holiday Travel

You’re dreaming of a white Christmas, and hackers are dreaming of a green Christmas: your cash in their pockets. And hackers are everywhere, and are a particular threat to travelers.
http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813

  • Prior to leaving for your holiday vacation, have an IT specialist install a disk encryption on your laptop if you plan on bringing it along; the hard drive will have encryption software to scramble your data if the device it lost or stolen.
  • Try to make arrangements to prevent having to use your laptop to handle sensitive data. If you must, then at least store all the data in an encrypted memory stick or disk encryption as stated above. Leave as much personal data behind when you travel.
  • Before embarking on your vacation, make sure that your devices are equipped with comprehensive security software such as antivirus, antispyware, antiphishing and a firewall so that you can have safe online connections.
  • If your device has a virtual private network (VPN), this will encrypt all of your transmissions when you use public Wi-Fi. Hackers will see gibberish and thus won’t have any interest in you. Don’t ever connect to an unprotected Wi-Fi network!
  • Always have your laptop and other devices with you, even if it’s to momentarily leave the hotel’s lobby (where you’re using your device) to get some water. When staying at friends or family, don’t leave your devices where even other guests in the house you’re staying at can get to them, even if they’re kids. Just sayin’.
  • Add another layer of protection from “visual hackers,” too. Visual hackers peer over the user’s shoulder to see what’s on their screen. If they do this enough to enough people, sooner or later they’ll catch someone with their data up on the screen.
  • Visual hackers can also use cameras and binoculars to capture what’s on your screen. All these thieves need to do is just hang nearby nonchalantly with your computer screen in full view, and wait till you enter your data. They can then snap a picture of the view.
  • This can be deterred with 3M’s ePrivacy Filter, when combined with their 3M Privacy Filter. When a visual hacker tries to see what’s on your screen it provides up to 180 degree comprehensive privacy protection. Filters provide protection by blackening the screen when viewed from the side. Furthermore, you’ll get an alert that someone is creeping up too close to you. The one place where a visual hacker can really get an “in” on your online activities is on an airplane. Do you realize how easy it would be for someone sitting behind you (especially if you both have aisle seats) to see what you’re doing?

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

What is Pharming?

I was surfing on YouTube the other day and found this hilarious video mash-up of Taylor Swift’s song “Shake It Off” and an 80s aerobics video. For a lot of kids today, mash-ups are all the rage—whether it’s combining two videos, two songs, or two words.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294Mash-ups have even caught on in the tech world. The word pharming is actually a mash-up of the words phishing and farming. Phishing is when a hacker uses an email, text, or social media post asking for your personal and financial information. On the other hand, pharming doesn’t require a lure. Instead of fishing for users, the hacker just sets up a fake website, similar to farming a little plot of land, and users willingly and unknowingly come to them and give them information.

How does it work? Most hackers use a method called DNS cache poisoning. A DNS, or domain name system, is an Internet naming service that translates meaningful website names you enter in (like twitter.com) into strings of numbers for your computer to read (like 173.58.9.14). The computer then takes you to the website you want to go to. In a pharming attack, the hacker poisons the DNS cache by changing the string of numbers for different websites to ones for the hacker’s fake website(s). This means that even if you type in the correct web address, you will be redirected to the fake website.

Now, you go to the site and thinking that it is a legitimate site, you enter your credit card information, or passwords. Now, the hacker has that information and you are at risk for identity theft and financial loss.

To prevent yourself from a pharming attack, make sure you:

  • Install a firewall. Hackers send pings to thousands of computers, and then wait for responses. A firewall won’t let your computer answer a ping. The firewalls of some operating systems are “off” as a default, so make sure your firewall is turned on and updated regularly.
  • Protect against spyware. Spyware is malware that’s installed on your device without your knowledge with the intent of eavesdropping on your online activity. Spyware can be downloaded with “free” programs so be leery of downloading free software and don’t click links in popup ads or in suspicious e-mails.
  • Use comprehensive security software. McAfee LiveSafe™ service includes a firewall and scans your computer for spyware. It also protects all your smartphones and tablets as well. And make sure to keep your security software updated.

For more tips on protecting your digital life, like Intel Security on Facebook or follow@IntelSec_Home on Twitter!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

How to win the War on Phishing

A phishing attack is a trick e-mail sent randomly to perhaps a million recipients, and the thief counts on the numbers game aspect: Out of any given huge number of people, a significant percentage will fall for the trick.

13DThe trick is that the e-mail contains certain information or is worded in such a way as to get the recipient to click on the link in the message. Clicking on the link brings the user to a website that then downloads malware.

Or, the website is made to look like it’s from the user’s bank or some other major account, asking for their account number and other pertinent information like passwords and usernames; they type it in (and it goes straight to the thief). Sometimes this information is requested straight in the e-mail’s message, and the user sends the information in a direct reply.

The Google Online Security Blog did some analysis of phishing e-mails and came up with the following:

Malicious websites really do work: 45 percent of the time. As for getting users to actually type in their personal information, this happened 14 percent of the time. Even very fake looking sites went over the heads of three percent. Three percent sounds like peanuts, but what’s three percent of one million?

Hasty hackers. Once the hacker gets the login information, he’s into the victim’s account within 30 minutes 20 percent of the time. They may spend a lot of time roaming around in the account, which often includes changing the password to keep the victim out.

Those strange e-mails. Ever get an e-mail in which the sender is a very familiar person, but the message was also cc’d to a hundred other people? And the body message only says, “Hi there!” and then there’s a link? This is likely an e-mail from the victim’s e-mail account (which the hacker knows how to get into), and the thief copied everyone in the victim’s address book. Recipients of these phishing attacks are 36 percent more likely to fall for the ruse than if the attack comes as a single message from an unfamiliar sender.

Fast adaption. Phishing specialists are good at quickly changing their strategies to keep up with changes in security.

The Google Online Security Blog recommends:

  • Not all “spam blockers” block 100 percent of all the phishing e-mails. Some will always slip through to your in-box. Never send personal information back to the sender of e-mails requesting personal information. Never visit the site through the link in the e-mail.
  • Use two-step verification whenever an account setup offers it. This will make it difficult for the hacker to get into your account.
  • Make sure your accounts have a backup e-mail address and phone number.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Phishing Alert: 8 Tips to protect yourself from Attacks

It’s as easy for hackers to phish out your personal data as it is to sit in a canoe on a still pond, cast the bait and wait for the fish to bite.

13DSo many people fail to learn about phishing scams, a favorite and extremely prevalent scam among cybercriminals.

A type of phishing scam is to lure the user onto a malicious website. ZeuS (Zbot) is such an example, planted on websites; visit that site and it will download a virus to your device that will steal your online banking information, then forward it to a remote server, where the thief will obtain it. Very clever.

But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking on the link to the malicious site.

10 Phishing Alerts

  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message contains the name and logo of the business’s bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line that’s of an urgent nature, particularly if it concludes with an exclamation point.

Additional Tips

  • Keep the computer browser up-to-date.
  • If a form inside an e-mail requests personal information, enter “delete” to chuck the e-mail.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; this toolbar provides fast alerts when it detects a fraudulent site.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Phishing Alert: 10 Tips To Protect Your Business From Attacks

It’s becoming too easy for criminals to get their hands on your banking information, due to your employees’ ignorance of phishing scams.

13DMalware attacks have soared recently, targeting banks for the purpose of stealing online banking information. Over 200,000 new infections occurred between July and September 2013—the highest jump in the past 11 years, according to a TrendsLab Security report. Cyber-criminals are ubiquitous on this planet, and phishing is a favorite among their arsenal of attacks, a way to gain access to computers, as well as infecting a computer.

ZeuS (aka Zbot) is a common malware planted on websites. If a website is infested with ZeuS, or other malware, and you visit that site, your computer will become infested with ZeuS. Once settled in, ZeuS steals online banking credentials, and then transmits these details to a remote server, where the cyber-criminals can access it. But for ZeuS to spread, that means someone is opening a phishing email and clicking on the link that leads to the virus-inhabited website.

Who’s clicking on these links? Unfortunately, some of your employees probably are. According to a recent eWeek article, 18 percent of phishing messages are opened in the workplace—and yes, this includes clicking the accompanying malicious link.

That’s not all—sometimes the numbers can go even higher. According to the report, one particular phishing campaign yielded a 72 percent clicking response on the link.

Furthermore, the report states, 71 percent of users’ computers have a higher susceptibility of infection due to having outdated versions of popular software such as Microsoft Silverlight and Adobe Acrobat.

How To Stop Your Employees

Monthly training of employees to avoid suspicious emails helps knock down the percentage of clicks to 2 percent, much better than quarterly training does (to 19 percent). The report adds that cleaning recipients’ invaded computers costs the company, even though 57 percent of companies rated phishing attacks as “minimal.” However, even “minimal” impact still means a lot of cleanup for a high volume of attacks, involving IT staff response and employee downtime during system restoration.

Those who take the bait are costing you money, and the potential risk to your business is enormous. The Anti-Phishing Working Group recommends the follow tips. Share them with your employees ASAP.

  • A big red flag should go with emails that request personal financial information. If the name of the company bank is mentioned, arrange a phone call to that bank regarding the suspicious email.
  • Be leery of exciting or worrisome statements designed to rattle emotions rather than sink in logically; think before you click!
  • Be highly suspicious of a message asking for a password, username, credit card information, date of birth or other very private details of yourself or your company.
  • If you don’t recognize the sender’s name or address, or have no idea what the message could pertain to, simply ignore it altogether. It’s never urgent to click a link; you won’t get fired if you don’t.
  • Never enter confidential financial (or personal) data in a form inside the email.
  • A special toolbar, installed in the Web browser, can help protect you from fraudulent sites. The toolbar compares online addresses with those of known phishing sites and will provide a prompt alert before you have a chance to click or give out private information.
  • The latest versions of Chrome, Firefox and Internet Explorer have optional anti-phishing protection.
  • Bank, debit and credit account statements should be regularly checked for suspicious transactions.
  • If any transactions look suspicious or unfamiliar, alert appropriate personnel to contact the relevant financial institution.
  • The computer browser should always be kept up-to-date. Security patches should be installed.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

iTunes a Platform for Phish Scammers

iTunes users all over the world are being hooked in a possible phishing scam that siphons cash out of their PayPal accounts. Phishing scams, of course, consist of emails that appear to be coming from a legitimate, trusted business. These emails are often designed to trick the victim into revealing login credentials. Once the phishers have access to the account, they begin withdrawing funds.

In this case, scammers used victims’ iTunes accounts to purchase gift cards, which were paid for by the victims’ linked PayPal accounts. Some victims of this particular scam have has just a few dollars stolen, while others have had their accounts emptied.

Gift cards are a form of currency created by the issuer. Their value is in the products or services available when cashed in. A scammer can purchase a $100 gift card and sell it online for $50. Pure profit.

There are many variations of iTunes gift card scams:

1. Scammers can easily set up websites posing as a legitimate retailer offering gift cards at a discount, having fraudulently obtained those gift cards. They may accept people’s credit cards and make fraudulent charges. In these cases, the victim can refute the charge, but will need to either cancel the credit card or persistently check their statements once their card has been compromised. Like Mom said, if it sounds too good to be true, it probably is.

2. The system for generating codes that are embedded on a plastic card or offered as a download is nothing more than software created by the card issuer or a third party. At least one major retailer has had their gift code generation compromised, and who knows how many more have been or will be compromised in this way. Criminal hackers can then offer the codes at a significant discount.

3. iTunes gift card scams are so effective, in part due to the limited availability of iTunes downloads in certain countries. There are numerous copyright issues, with some music companies making deals with musicians and iTunes, while others refuse to do so. Scammers have capitalized on this, using it as a marketing tactic.

The best way to avoid phishing scams is to never click on links in the body of an email. Always go to your favorites menu or manually type the familiar address into your address bar. And never provide you login credentials to anyone, for any reason.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses iTunes gift card scams on NBC Boston. (Disclosures)

Phishing Scam: Using the U.S. General Commander in Iraq as Phish Food

Fishing of course is the sport of tossing a tasty wormy baited hook connected to a fishing line and patiently waiting for a fish to take the bait.

Phishing is the sport of tossing a wormy baited tasty lie connected to a wormy human and the degenerate patiently waits for a naïve victim to take the bait.

A phisher can send thousands of phish emails a day and eventually someone will get hooked.

Phishing is a $9 billion business. Unlike the ongoing depleting of the oceans fisheries, there are PLENTY of people out there to phish. Many of them today are from developing nations like India and China who are just getting a broadband connection to the internet and are considered fresh meat to the bad guy.

The New York Times reports “if you get an Internet appeal from Gen. Ray Odierno, the senior American commander in Iraq, asking you to pay lots of money to get your son or daughter out of combat duty, don’t believe it. And certainly don’t send the $200,000. General Odierno acknowledged that he is but one more victim of a social networking scheme offering a big — but fake — benefit, if you send big amounts of real money.

“I’ve had several scam artists on Facebook use my Facebook page and then go out asking people for all kinds of money: ‘If you pay $200,000, your son can get sent home early,’” General Odierno said at a Pentagon news conference.

Criminals may seek out military families and target them one by one or send a blast to thousands at a time and use a ruse that pulls at the heart strings of unsuspecting families who simply want their loved-one back home.

The General posted a large warning on his social networking site. “I have this big thing on my Facebook that says, If anybody asks you for money in my name, don’t believe it,” he said. “But it’s a problem.”

Frankly, I don’t like the idea of an American General having a Facebook page. It weird’s me out. Hopefully the high commander isn’t uploading pictures of himself doing shots of tequila while driving a tank.

My guess is there is someone out there who has the money and is probably acutely unaware of this type of scam, then is probably capable of getting hooked.  But more than likely nobody will cough up $200,000. But the scammers know to start high and they will go low. They will take a $1000.00 when it comes down to it. But they also know that people won’t argue with a General and nobody will “discount” the value of their loved-ones life. So overall it’s a pretty good scam. Just don’t take the bait.

Robert Siciliano personal security expert to ADT Home Security Source discussing Facebook scams on CNN. Disclosures.

Facebook + Hackers – Privacy = You Lose

I’m as sick of writing about it as you are sick of reading about it. But because Facebook has become a societal juggernaut: a massive inexorable force that seems to crush everything in its way, we need to discuss it because it’s messing with lots of functions of society.

We should all now know that whatever you post on Facebook is not private. You may think it is, but it isn’t. Even though you may have gone through all kinds of privacy settings and locked down your profile, Facebook has changed them up internally so many times that they may have defaulted to something far less private then what you previously set.

Furthermore, no matter how private you have set them to, if you friend someone who you don’t know (like that human resource officer), they see what’s “private” and anyone on the “inside” can easily replicate anything you post to the world.

The activist groups waging what amounts to an undeclared war against the social-networking site for the last year, complete with no fewer than three letters to federal regulators claiming Facebook’s actions are illegal said that they’re hardly ready to declare a truce.

Attacks targeting Facebook users will continue, and they could easily become even more dangerous. Computerworld reports “There are limitations to what Facebook can do to stop this,” said Patrik Runald, a U.K.-based researcher for Websense Security Labs. “I wouldn’t be surprised to see another attack this weekend. Clearly, they work.”

Websense has identified more than 100 variations of the same Facebook attack app used in the two attacks, all identical except for the API keys that Facebook requires.

What does this mean to you?

For crying out loud stop telling the world you hate your boss, neighbor, students’ teachers, or spouse and you’d like to boil a bunny on the stove to teach them a lesson. I guarantee even if you are kidding, someone won’t like it. What you say/do/post, lasts forever.

Stop playing the stupid 3rd party games. When you answer “25 questions about whatever” that data goes straight into the hands of some entity that you would never have volunteered it to.

Make sure you PC is secured. Keep your operating system up to date with security patches and anti-virus and don’t download anything from any email you receive or click links in the body of any email. Once you start messing with these files you become a Petri dish spreading a virus.

Robert Siciliano personal security expert to Home Security Source discussing Facebook scams on CNN.

Beware of Facebook Dangers

Robert Siciliano Identity Theft Expert

Danger!! Hows that for a blog title that screams fear, uncertainty and doubt!? Fact is Facebook boast 400 million users and is in so many ways seems out of the control of its founder, and is looking dangerous. This is a company that has grown faster than fast and has a (very intelligent) 20 something CEO just out of puberty calling the shots. It seems the amount they (his Board? CIO? ) lets him run at the mouth that privacy is no big deal, shows an immature lack of control over this operation. Any company that wields this much power needs to be checked and balanced.

Their growing pains are publicly played out in numerous lawsuits and visceral rants by every possible pundit (like me) and privacy professional on the block.

Sure when you are that big there will always be someone who wants to take you down. But every week there is a new story about a security breach or a privacy violation. That tells me it’s more than growing pains or jealousy. There are serious management problems there resulting in reputation issues for the company and for the user, security issues.

DANGER, DANGER!

The 3rd party applications in the form of games and quizzes are sharing data that’s not meant to be shared. While the user may agree to the terms of service, they aren’t reading the fine print. Is it really in Facebooks interest to allow this?

Seems like every 2 weeks they change whatever privacy settings there are and the public gets more pissed off with each change. Why doesn’t someone inside this company have a clue what the public wants? What’s more obvious is they don’t care!

Criminals and scammers set up fake profiles of companies and individuals all day every day. These social media identity theft profiles are designed to get people to provide data for free gift cards or other offers that ultimately allow for financial fraud to occur. Is there no way they can more effectively police this?

Recently, the chat feature was made public. For a period of time users chats were available for anyone to see. They had to shut it down to calm the mess. How the heck does that happen? Don’t they have redundancy built in to prevent this?

Ads appearing on Facebook are sanctioned in some way by Facebook and some are malicious. When clicked they can infect your PC. You would think that a private company worth billions would have systems in place to prevent its users from getting hacked via ads placed on their own servers?

So now that I’m done throwing up, protect your identity. Because when it gets hacked on Facebook, don’t say I didn’t warn you.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

Phishers Ties Up Victims Phones, Killing Notification

Identity Theft Expert Robert Siciliano

Many of today’s automated processes are designed with security and/or convenience in mind. For example, if a credit card companies’ anomaly detection software detects irregular spending on your credit card the software may freeze your account or call you to make sure you are infact the one making the charge. While this may help to secure you, it also may inconvenience you if you are traveling overseas and are declined or just in a hurry and trying to catch a flight.

These same technologies may or may not involve a human at different touch points during their activation periods. What’s happening today is the bad guys are figuring this out and they are determining when theses touch points occur and are tricking the system so they can move forward with their fraudulent activities.

In some cases when a money transfer may prompt an automated call alerting an account holder to the transaction the only requirement of the system is to make the call. The automated system doesn’t necessarily have to talk to a human and the human doesn’t need to do anything. This seems like a flawed system.

In the case of a Florida doctor a telephony denial-of-service attack flooded the victim’s phone with diversionary calls while the thieves drained the victim’s account. In some cases, the victim heard recordings from sex chat lines and in other calls he heard dead air when answering the phone. Sometimes he heard a brief advertisement or other recorded message.

Wired reports the doctor discovered that $399,000 had been drained from his Ameritrade retirement account. About $18,000 was transferred then $82,000-transfer followed two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000. The thieves withdrew the money in New York.

Most likely the initial compromise was via a phishing email that he responded to. Once he responded to the phish, the criminals began the process of setting up VOIP telephones systems to bombard his telephone lines so he couldn’t answer the phone to receive the alert.

Currently any financial institution that employees technology that automatically relies on the telephone system to notify account holders of a transaction is at risk.

If you mistakenly respond to a phish email and give up your data, knowingly or unknowingly, and find yourself being bombarded with a flurry of odd phone calls, it may be a sign you’re being scammed.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing criminal hackers on Fox News.