Posts

How to Make $5 Million a Day in Cybercrime

This post isn’t exactly a “how to” but if your current employment isn’t bringing in the bacon, I’m sure your criminal mind can figure it out. In the biggest digital advertising fraud in the history of the U.S., it was recently found that a group of hackers is bringing in from $3 million to $5 million a day from media companies and brands. That’s some scratch!

11DWhite Ops, an online fraud-prevention firm, uncovered this campaign, which they have called “Methbot,” and the firm found that the campaign is generating more than 300 million video ad impressions each day.

AFT13, which is a cyber criminal gang, has worked to develop the Methbot browser, which spoofs all of the interactions that are necessary to initiate and carry out these ad transactions.

The hackers, which are allegedly Russia-based, have registered more than 250,000 distinct URLs and 6,000 domains, all of which impersonate US brand and companies, including Vogue, ESPN, Fox News, Huffington Post, and CBS Sports. They then take these sites and sell fake ad slots.

The cybercriminals that are behind Methbot are using their servers, which are hosted in Amsterdam and Texas, to give power to almost 600,000 bots. These have fake IP addresses, most of which belong to the US, and this makes it look like the ads are being viewed by visitors in the US. The criminals then get video-ad inventory, which they display on the fake media website that they have created. They get top dollar for this, and they trick the marketplace into believing that this content is being seen by legitimate visitors. In reality, however, these ads are being “viewed” by fake viewers thanks to an automated program that mimics a user watching an ad.

To make the bots look even more real, the group also uses methods such as fake clicks, mouse movements, and even social network login info. White Ops has also found that this fake army of viewers has amassed about 300 million ad views each day, and it has an average payout of about $13 per every 1000 views. If you multiply this by the compromised IP addresses out there, the money is rolling in.

White Ops believes that the Methbot empire has created from 200 to 300 million fake video ad impressions each day, which targets about 6,000 publishers. In a 24-hour period, this is generating somewhere between $3 and $5 million in each 24-hour period.

While the operation has its headquarters in Russia, White Ops can’t say for sure that Methbot has Russian origins. The good guys have been in contact with the FBI, and together, they have been working towards stopping this scam for several weeks.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

10 ways to beef up Digital Security

#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don’t. Always update at the time these appear.

2D#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code is sent to the user’s phone or via e-mail that must be entered in the login field.

#3. Unneeded browser extensions? Review your browser extensions. Uninstall the ones you don’t use. Too many extensions can slow down your computer.

#4. Encryption. Encryption software will scramble your e-mail and other correspondence so that prying eyes can’t read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), install a virtual private network to encrypt transactions.

#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a password to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you’re protected if you have a password. Otherwise you are screwed.

In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.

#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.

#7. How easy can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your “favorite pet’s name”? Who might know this information? Well, if it’s on your Facebook page, anyone who can view it. How much of your personal information is actually online?  Many accounts allow a “secondary password” Ask them.

#8. Simple but powerful layers of protection.

  • Don’t have login information written down on hardcopy.
  • Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).

#9. Sharing your personal life with the whole world. Set all of your social media accounts to the private settings you desire. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home address.

#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.

Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to digitally detox on Vacation

Many years ago when you were on vacation, before Facebook, Instagram and Twitter were invented (assuming you were an adult then), you had a great time, right? You weren’t “connected,” because there was no social media to be connected with.

2DIf today you can’t imagine being disconnected from social media while on vacation, ask yourself how this can be, if years ago, you never missed what had not yet been invented.

And what about constantly checking e-mail while on vacation? Or constantly perusing various websites with your mobile while at the beach?

Intel did a recent study:

  • 55% of Americans can’t disconnect while vacationing.
  • Two-thirds actually wanted to disconnect (detox), but less than half actually did so.
  • But when they did disconnect, 88% reported feeling okay about it and connecting better with travel mates.

Motivation to Detox

  • Know that cybercrooks are banking that vacationers do not disconnect.
  • Vacationers are especially vulnerable when they use public Wi-Fi, as cyberthieves can “snoop” on login entries and steal login information (such as to your bank, or get your credit card number when you online shop at the coffee house).
  • Can’t stay away from your e-mail when vacationing? Cybercrooks can gain access here, too.
  • Though installation of a virtual private network will prevent cyber snooping, it won’t prevent shoulder surfing, or thieves using high powered cameras to capture what you’re doing across the coffee house.
  • Of course, your devices should have security software that’s always updated.
  • Your devices should be password-protected as well.
  • Before embarking on your vacation (and not a few days before, but a few weeks before), practice disconnecting for 24 hours. If you must check your e-mail daily for business purposes, at least practice disconnecting from social media for 24, even 48 hours. Can you do it?
  • Can you stay off your mobile device while waiting at the dentist’s office or at the motor vehicle agency?
  • These “home” practice sessions can help you overcome withdrawal symptoms of not checking Twitter, Facebook or e-mail every 10 minutes.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Ransomware Response: Prepare for the Worst

A ransomware attack is when your computer gets locked down or your files become inaccessible, and you are informed that in order to regain use of your computer or to receive a cyber key to unlock your files, you must pay a ransom. Typically, cybercriminals request you pay them in bitcoins.

binaryThe attack begins when you’re lured, by a cybercriminal, into clicking a malicious link that downloads malware, such as CDT-Locker. Hackers are skilled at getting potential victims to click on these links, such as a phony e-mail, apparently from a company you do business with, luring you into clicking on a link or opening its attachment.

And if you find your computer is being held hostage:

  • Report it to law enforcement, although it’s unlikely they can provide help. It’s just good to have it recorded.
  • Disconnect your computer from its network to prevent the infection from spreading to other shared networks.
  • You need to remove the ransomware from your computer. Remember, removal of the ransomware won’t restore access to your files; they will still be encrypted. To remove ransomware from your computer, follow the steps provided here.
  • If you already had your data backed up offline, there’s no need to even consider paying the ransom. Still, you will want to remove the ransomware and make sure your backup solution was working.
  • But what if very important files were not backed up? Prepare to pay in bitcoins. The first step is to find out what the experts say about making payments in bitcoin.
  • The crook will be essentially impossible to trace. You’ll be required to make the payment over the Tor network (anonymous browsing).
  • Finally, don’t be shocked if the crook actually provides you the decryption key—essentially a password; ransomware thieves often follow through to maintain being taken seriously. Otherwise, nobody would ever pay them. But it would not be unprecedented to not receive the key. It’s a gamble.
  • The best course of action is to prevent a ransomware attack, and that means looking for all the clues to malware and phishing scams. Don’t let threatening e-mails, saying you owe back taxes or bank fees, jolt you into hastily clicking a suspicious link or attachment. If you regularly back up your data online and to an external drive, then you’ll never feel you must pay the ransom.

Robert is a security analyst, author and media personality who specializes in personal security and identity theft and appears regularly on Good Morning America, ABC News and The TODAY Show.

Viruses as Cyberweapons for sale

It’s all about code—the building blocks of the Internet. Software code is full of unintentional defects. Governments are paying heavy prices to skilled hackers who can unearth these vulnerabilities, says an article at nytimes.com.

6DIn fact, the FBI director, James B. Comey, recommended that the FBI pay hackers a whopping $1.3 million to figure out how to circumvent Apple’s iPhone security.

So driven is this “bug-and-exploit trade market,” that a bug-and-exploit hacking company, Hacking Team, ended up being hacked last summer.

The software companies that create code don’t get to learn what the vulnerabilities are that the richly paid hackers discover. This has been going on for two decades-plus.

Here are some sizzling facts from nytimes.com:

  • Over a hundred governments have reported they have an offensive cyberwar program.
  • Iran boasts being in the No. 3 spot in the world for digital army size (trailing the U.S. and China), though this can’t be confirmed.
  • However, Iranian hackers have demonstrated their skill more than once, and it’s not pretty. For instance, they were responsible for the rash of U.S. bank hacking incidents in 2013.
  • Though Iran’s cyber power lags behind that of the U.S.’s, they’re steadily closing the big gap.
  • Most nations keep details of their cyberwar programs classified.

It has been surmised by many a security expert that WWIII will be largely digital. Imagine how crippling it would be if a nation’s grid was dismantled—affecting major networks across that country—such as healthcare, shipping and banking and other critical infrastructures such as food and water supply.

There’s not a whole ton you can do about this battle. However, you should, at a minimum, prepare your physical life for any digital disasters. Prepare the same way you would if you knew there was a severe storm coming. Store dry foods, water, extra climate appropriate clothing, and cash, preferably lots of small bills. This is just a short list. Seek out numerous resources on ready.gov to learn more.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Anonymous Begins a 30 Day Assault Against Central Banks

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

2DAnd their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, every day bank customer, don’t worry about any of this, BUT, always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real-time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Child Predator screws up, gets caught

If you’re a pedophile, you’d be wise not to keep any prescription containers in view of a webcam with your lewd pictures. The information on such a bottle is what helped pedophile Stephen Keating get 110 years in the slammer says a CNN article.

4HBut the amazing thing is that the bottle’s information was extracted from a blurry image of it in the background of a photo that Keating took of one of his 14 victims. Keating posted the photo online, not knowing that that innocent little prescription bottle would get him busted—along with the fingerprints that were extracted off his fingertips in the image.

Yes, this is what forensic technology can do these days. Only some of Keating’s name and the prescription number were actually extracted in a photo lab, but it was enough information for a record check of the pharmacy to get his identity.

Homeland Security Investigations Cyber Crimes Center specialist Jim Cole says his Project Vic teamviews half a million images every week.

How does this technology work?

  • Computers use “Photo DNA” to speedily sift through hundreds of thousands of photos, separating previously viewed ones from new ones, sparing investigators from having to see disturbing images more than necessary.
  • Cole says that what used to take nine months now takes one month.

In another case, an image showed a woman and her victim holding a fish at a campground. The woman was a known offender…but where was this campsite?

The image of the fish was sent to Cornell University for analysis of the species: Where is this type of fish found? The location was narrowed down to a specific area, and then the campsite image, minus the offender and young victim, was sent to all the campsite advertisers in that region. They got a hit, and in fact, the reception room of the particular camping grounds had the same image on display. All of this took place in under four hours.

Even a blurry company logo on a shirt can be extracted for identification. In one case this led to a plumbing business where an offender used to work.

Where are all these images coming from in the first place? The public sends in tips to the CyberTipline. So do giants like Google, Facebook and Twitter. Cole says that the advanced technology has caused an exponential increase in the number of victims rescued.

Good guys 1. Predators ZERO.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Don’t pick up that USB Drive!

What a very interesting experiment: Researches randomly deposited 297 USB drives (aka USB stick, flash drive, thumb drive) around the University of Illinois Urbana-Champaign campus. They wanted to see just how many, and how soon after dropping them off, they’d be collected by people.

2DTurns out that 48 percent of the drives were taken and inserted into computers. The report at theregister.co.uk says that in some cases, this was done minutes after the drives were left in the public spots.

Picking up a USB drive off the streets and plugging it into your computer is akin to picking up discarded food off a sidewalk and eating it. You just never know what kind of infection you’re going to get.

And what you might get is a virus crashing your computer or stealing your data. That USB stick could contain malware—either left in public as a prank, or innocently lost or discarded without the original owner knowing it’s infected.

Or…it might have been left in a public spot by a hacker with full intent of gaining control of your computer to collect your personal data and committing fraud, such as opening lines of credit in your name or emptying out your bank account.

The USB sticks for the study contained HTML files with embedded img tags. The tags allowed the researchers to track the USB activity, which is how they new that, for instance, one of them was plugged into a computer only six minutes after it was left to be “found.”

Only 16 percent of the people who picked up the sticks actually scanned them to check for viruses before plugging them into their computers. And 68 percent simply inserted them without any regards to what they could get transferred into their computers.

  • Some users trusted that there was no harm.
  • Some plugged in the drive to seek out the owner.
  • Some intended to keep the stick.
  • Conclusion: A cybercriminal could easily take control of a business’s system by leaving a rigged USB drive in the parking lot, let alone get control of a personal computer by leaving the stick in any public place frequented by lots of people.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Businesses Struggling to Keep Up with Latest Wave of Malware Attacks

Companies have been struggling for years to keep cyber-attacks at bay. Cyberthieves are working faster than ever before to send out their malicious attacks, and it’s become increasingly difficult for companies to keep up.

CNN reports that almost one million malware strains are released every day. In 2014, more than 300 million new types of malicious software were created. In addition to new forms of malware, hackers continue to rely on tried and true bugs because many companies simply haven’t found a fix or haven’t updated their systems to mitigate the threats.

In almost 90% of these cases, the bugs have been around since the early 2000s, and some go back to the late 1990s. The irony here is that companies can protect themselves and create patches for these bugs, but there tends to be a lack of effort and resources when it comes to getting the job done.

Some industries are targeted more than others. After hackers get information from these companies, such as proprietary data, they attempt to sell the information on the black market.

Cyberattacks are spreading quickly, and it takes almost no time after an email is sent for a victim to fall for the scheme. When a hacker is successful at breaking into a certain type of company, such as a bank or insurance firm, they will typically use the same exact method to quickly attack another company in the same industry.

New and improved cyber attacks

While old methods of cyber-attack can still be effective, it is the new scams that users should be nervous about. Here are some examples:

  • Social media scams
    Social media scams work and cybercriminals just love them because the people being scammed do most of the work. Cybercriminals release links, videos or stories that lead to viruses, and people share them with their friends because they are cute, funny or eye-raising. These tend to spread quickly because people feel as if they are safe.
  • Likejacking
    Hackers may also use a practice known as “likejacking” to scam people on social media. In this case, they will use a fake “like” button that tricks people into installing malware. The programs then post updates on the user’s wall or newsfeed to spread the attack.
  • Software update attacks
    Hackers are also focusing on more selective attacks. For example, a hacker may hide malware inside of a software update. When a user downloads and installs the update, the virus is set free.
  • Ransomware
    These attacks, where thieves steal or lock files on a person’s computer and then demand a ransom for access, climbed more than 110% in the last year alone. Once infected, the only way to regain access to the files is to pay a fee, usually between $300 and $500, for a decryption key.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Scareware Scam almost snags Victim

Cybercriminals know that the best way to get their claws on the next victim is to appeal to their emotions, not logic.

4DThere’s lots of scary things in life, and one is learning that your computer has been infected with a virus. If this happens, you’re now vulnerable to spending money on getting rid of the malware. The tactic of scaring users is called scareware.

  • A pop up tells you “Warning! Your Computer Has Been Infected with Malware!”
  • The pop-up can be triggered by visiting an infected website or by making a bad click.
  • The pop-up can’t be closed out, or if it can, another appears.
  • Additional information in the pop-up lures you into clicking a link inside it, such as buy some downloadable security software that will destroy the virus.
  • Once the alleged security software is downloaded/installed, it crashes your computer—even if you already have a legitimate security software program in place.
  • You’re screwed at this point. (Hope you had all your data backed up before this happened!)

Here’s another way the scam can unfold, from someone who wrote to me:

I was notified by a notice supposedly from Windows Security that my PC has been attacked.  They claim that all my PC ID numbers were stolen and that Russia had got about 8-12 other IDs.  They took control of my computer and said they scanned it to find this out. They claimed the only way that I could clear this problem was to have them clear it for $199.99 and security for 1year (sic) for $149.99.  They said the only way to accomplish this was by check.  They said it couldn’t be done by credit card because them (sic) numbers would be stolen too.  I refused to go along with that plan and closed them out.  

P.S. I checked my account and it is paid thru 6/2016.  How do I know if I get a notice from Windows that it is legit? 

All windows notifications come via Windows Update. That “pop-up” emanates via your notifications area on your taskbar and NOT a popup via your browser. What a mess.

Protect Yourself

  • Use security software only from a name-brand company.
  • Keep it updated.
  • See a pop-up? Close it out. Never click inside it—which you can’t do if you close it out immediately.
  • Exit the site you think triggered it.
  • Play it safe and run a scan using your legitimate security software.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.