Posts

Why Are Cyber Hucksters so successful?

Often, hucksters prey on the consumer’s desperation, which is why it’s no surprise that the No. 1 rip-off (at least between 2011 and 2012)) was bogus products promising weight loss.

6DVICE (vice.com) interviewed psychologist Maria Konnikova about how cyber cons are so successful—even with the most ridiculous sounding bait (Nigerian prince, anyone?).

The bait becomes more attractive when the target is receiving an influx of cyber attention. Sad to say, this trips up a person’s rationale, making them susceptible to the huckster’s plan.

Konnikova is quoted as stating, “Few things throw us off our game as much as so-called cognitive load: how taxed our mental capacities are at any given moment.” She explains that people are vulnerable when the con artist hits them up with their scheme while the victim is distracted with Twitter, texting, etc. In short, it’s cognitive overload.

Konnikova is the author of the book, “The Confidence Game: Why We Fall For It, Every Time.” In the book, she mentions that victims such as the U.S. Navy were too humiliated to prosecute the crooks who conned them. She tells vice.com: “Because admitting it [getting rooked] would mean admitting you’re a sap.”

And in this day of rapidly evolving cyber technology, the huckster’s job is becoming easier, what with all sorts of pathways he can snag a victim, such as dating sites and pop-up ads warning your computer has been infected. But something else is on the crook’s side: the false sense of security that all this techy mumbo jumbo gives the common user—who hence lets down their guard.

And despite all the parodies and mockeries surrounding the so-called Nigerian prince scam (aka 419 scam), it’s still out there in full force and effect. Look how technology has made it swell. And it will continue evolving as long as people want something for nothing. Why else would the Powerball swell to over 1.3 billon. “The basic contours of the story won’t change,” Konnikova tells vice.com.

Another factor is that some people equate online with credibility: “It’s online so it must be legitimate,” is the mindset. According to this mindset, the Loch Ness Monster must really exist, since there are many stories about it online. Despite how irrational this mindset is, scammers know that many people think this way and will design their ploys to look even more legitimate (with creative layouts, slogans, links, etc.).

Though it takes skill to be a successful huckster, they can’t get the job done without the victim being “vulnerablized” by cognitive overload.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to shop securely with a Mobile Phone

“You can buy things with your phone!” No kidding! But imagine what the response would have been had you made this statement in 1984: “Off your meds, eh?”

7WPurchasing via the smartphone may very well eclipse the popularity of shopping via laptop. And cyber thieves know this. They’re counting on you to slip up.

  • Never click a link inside an e-mail, even if the subject line is a warning or alert to a fabulous sale. Cyber crooks know that the small screens on mobiles can easily hide tell-tale signs of scam e-mails, people are especially vulnerable to subject lines blaring great deals.
  • If you’re too tempted to ignore the great deal, then visit the merchant’s site by typing their name into the search engine rather than clicking the link inside the e-mail! That link could lead to a virus download.
  • Never use public Wi-Fi (e.g., at the airport or hotel) to shop. Stick to your phone’s mobile broadband network or at a minimum use a virtual private network (VPN).
  • When shopping with your phone, use a credit card, never a debit.
  • When using your phone, make sure nobody is spying. This really happens; it’s called visual hacking. It can even be done with the crook’s phone—capturing on video the sensitive information you’re entering on your phone.
  • You accidentally mis-type the URL of a major retailer (but don’t know it), and you end up on their site. It’s called typo squatting. How is this possible? The site is the crook’s. He knows people will commit typos and he takes advantage of this: owning a website that mocks the real one, and you’re lured into “buying” off of it—entering your credit card or PayPal information—which he then has. And he knows you won’t pick up that the site is an imposter because your phone’s screen is so small.
  • Keep the phone’s software updated.
  • Deactivate autosave logins.
  • Your phone contains so much sensitive information about you and your family, financial data, maybe medical history, etc. What if a crook gets ahold of it? Set up a personal identification number (PIN) for login.

Download only from official app stores: Apple App Store, Google Play and Amazon. Don’t download from third-party vendors.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Career Criminal goes down

A sharp nine-year-old girl has a biting message to a 51-year-old man, according to an article on myfoxboston.com:

1G“You deserve to stay in jail because you break into peoples houses. Stop breaking into peoples houses and do something with your life.”

This advice was directed to Pedro Gomez, whom police are labeling a career criminal. According to investigators, he attempted to break into over a dozen houses—all within the span of hours.

One of the failed attempts occurred to a house where the nine-year-old was at at the time. Gomez’s floundering break-in attempts occurred in Shrewsbury, Mass. I’m not so sure he’s a true “career criminal,” because he certainly didn’t do things like a prolific burglar would. This sounds more like random, haphazard, desperate, non-calculated attempts to bust into the nearest homes.

Pedro even apparently stacked patio furniture up against windows in one of his break-in attempts.

There are different kinds of robbers, and one of them is that of the unskilled kind who breaks into homes to get whatever cash or small sellable items he could get his hands on to support his next drug fix. This could very well be the type of criminal that Gomez is.

Gomez tripped an alarm when he tried to get in through a slider type of door, continues the myfoxboston.com article. It was there that the police caught up with him. The report says that he had already broken into houses in three other towns.

Though he didn’t exactly hang his head upon being arrested, he will have plenty of time in prison to reflect upon the advice of the nine-year-old girl.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Nineways to shop safely on Cyber Monday

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulpby cyber scammers waiting for their prey.

2DHow can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (it’s secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

1DThe hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

On the security evolution clock of 24 hours, cybersecurity comes in in the last few seconds. Governments for eons have been very staunch about issuing security in the physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It’s just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country’s citizens makes up the whole of the nation’s security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up its nation, or else one day, the empire just might crumble.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Trolls: How to deal

Cartoonist Ben Garrison posted something “about the Fed” online, says an article at www.vice.com, and this created a firestorm, leading to his billing as the “most trolled cartoonist in the world.” You see, his other cartoons were altered in an offensive way, fooling people into thinking these alterations were his original creations.

11DHow can Garrison climb out of the hole others dug for him? First identify the type of trolling.The vice.com article describes several forms of trolling:

  • Hate speech. This targets anyone other than a white straight man who’s not transgender.
  • Cyberbullying. Targets are often known by the cyberbullies, though I’d like to point out that in this day and age, if you disagree with someone’s comment on an article, you might be called a bully.
  • Trolling. Like cyberbullying, trolling has developed an incredibly broad encompassment, but in its truest form, it refers to anonymous harassing. The basic difference between cyberbullying and trolling is that the target has no way of responding directly to the troller.
  • Griefing. Many people do something little, like send a nasty tweet. The act itself is minor, but when multiplied by all the people repeating it, it creates a huge effect.

After you identify the type of trolling, report it to the social media platform it occurred on.

  • Facebook doesn’t permit online harassment, but this doesn’t mean it can’t be done. If a FB user allows anyone to post on the page, then gee, a hateful message can easily be posted (though the FB user could take it down and block that person after that point).
  • Twitter doesn’t like hateful messages either, but admits that in the past, they stunk at regulating it, though they’ve gotten better, and in fact, will suspend a violator.
  • The Online Hate Prevention Institute runs Fight Against Hate. Report hateful content, then log the report to FAH, and OHPI will track how long it takes the platform to respond. If the platform is lifeless, then FAH can take action.

The third step is to watch for Phoenix pages. The vice.com article defines a Phoenix page as follows: “…a hate speech fanpage or harassing user is removed from Facebook and then immediately creates a new page or account.”

A Phoenix page can pick up steam much faster than the time it takes to remove it. In fact, Facebook was lax at taking down Garrison’s troll pages. Garrison spent “countless hours” trying to get libel removed from Facebook and Twitter. If you’ve been harassed, be on the lookout for if the harasser has been removed—the appearance of re-created pages and users. Report this promptly.

Next step: Report the problem to the police if it’s interfering with your daily life, though I need to point out that I’ve heard of people becoming unraveled simply because someone kept insulting them in some thread.

Also, the police can’t do anything if the harasser is in a different country. In fact, when writer Amanda Hess reported online harassment to the police, he asked her what Twitter was.

It’s best maybe to bypass the local cops and just give the report to the FBI. You can do this through the Internet Crime Complaint Center. Don’t even think about hiring an attorney; you’ll sink time and money. And trying to get money out of the harasser could be like trying to get blood out of a rock.

Rebuilding your tainted reputation is the final step. One way is to put a disclaimer on your site stating that you’re ignoring the trolls. Admit you’ve been trolled. Let people know what’s happening. This approach might make some of the trolls vanish. In other words, don’t “feed the trolls,” as the saying goes.

If you’re able to contact a troller, then do so with the idea of trying to reason with that person. Though this won’t stop all the other trolls, it might help you see them in a different light if you connect with just one of them.

What happened to Garrison and many others was true harassment that marred their reputation. It can affect your business. It can be very serious stuff. But I urge you also not to become overly sensitive to what really amounts to nothing more than name-calling and someone with too much time on their hands spewing nasty comments to you. Don’t get all shaken up just because someone disagrees with your post or even posts the proverbial “your an idiot” (lack of contraction is intended).

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Very Bad People for hire online

The Deep Web is not a nice place. Here, people can hire assassins, take ransomware payments, purchase U.S. citizenship without revealing their identity, among other things, says an article on darkreading.com.

6DThis information comes from Trend Micro, which used a tool called the “Deep Web analyzer,” something of a web crawler, that collected URLS that were linked to TOR- and I2P-hidden sites, domains with nonstandard TLDs and Freenet resource identifiers, says darkreading.com.

The Deep Web is that portion of cyberspace that’s not indexed by the search engines. The Dark Web is part of the bigger Deep Web, accessible only via special tools.

A Dark Web user could literally hire a rapist or assassin. In fact, assassins even advertise, such as the group C’thulhu. Pay them their fee and they’ll maim, cripple, bomb and kill for you.

$3,000 will get you a “simple beating” to a “low-rank” target. $300,000 pays for the killing of a high-ranking political figure, staged to look like an accident.

Users can also hire (and do so much more commonly than the above) cybercriminals and child exploitation services.

The article points to additional research of the Deep Web, that cybercrooks use anonymization tools in creative ways. In fact, they are using TOR for the hosting of their command-and-control infrastructure. TorrentLocker is a type of malware, and it uses TOR to accept Bitcoin payments and host payment sites.

In other words, cybercriminals are using the Deep Web/Dark Web more and more commonly these days. TOR is being used for cybercriminals to receive payments for their hacking services.

But that’s not the biggest problem of the deep, dark Web, is it? As mentioned, it can be used to hire someone to murder. Just what will all of this eventually evolve into in the next 10 years?

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Zeus Malware Gang take-down

Zeus is no longer a god of malware; he’s been taken down by law enforcement agencies spanning six European nations. Five people were recently arrested—believed to have infected tens of thousands of computers across the globe. There have been 60 total arrests pertaining to this cybergang.

They also used malware called SpyEye, and that, along with Zeus, stole money from major banks. This was a clever operation that included ever-changing Trojans, and mule networks.

Another malware that was asphyxiated was the BeeBone botnet, which had taken over 12,000 computers across the world.

We can thank the Joint Investigation Team for these successes. And they don’t stop there. The JIT put a stop to the Ramnit botnet, responsible for infecting 3.2 million computers globally.

The JIT is comprised of judicial authorities and investigators from six European nations. The cybergang is believed to have its origins in Ukraine. This crime ring was sophisticated, repeatedly outsmarting banks’ revisions of their security measures. Each crook in this ring had specially assigned duties and caused total mayhem to their victims. They even sold their hacking expertise and recruited more thieves. This was one hefty cybergang.

The six nations that are members of JIT are the UK, Norway, Netherlands, Belgium, Finland and Austria. The investigation began in 2013 and had a most thrilling ending. And it wasn’t easy. Here’s some of what was involved in this investigation:

  • Analysis of terabytes of data (one terabyte = one million million bytes)
  • Forensic analysis of devices
  • Analysis of the thousands of files in the Europol Malware Analysis System
  • Operational meetings and international conference calls

But the game isn’t over; there are still more cybergang members out there, and JIT will surely hunt them down by analyzing the mountainous load of data that was collected from this investigation. The funding comes from Europol and Eurojust. In fact, Eurojust has provided legal advice and was part of the composition of the JIT Agreement.

Other countries were instrumental in achieving this capture: Latvia, Estonia, Moldova, Poland, Germany, Ukraine and the U.S.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

UL to launch Cybersecurity Cert

UL in this case stands for Underwriters Laboratories. An article on darkreading.com notes that a UL official, Maarten Bron, says that they are taking part in the U.S. government’s plan to promote security certification standards.

1WThe U.S. government is interested in developing a UL-type program directed at computers and smartphones. This initiative will encourage the private sector and the government to create the standards.

So that’s what we have thus far; this initiative is in its early childhood stage, so there isn’t much more information about it that’s available to the media. UL is looking forward to sharing involvement with the White House’s initiative to unite the private and public sectors to combat cybercrime.

In the meantime, UL is fine-tuning its own test and certification program for Internet of Things products.

The darkreading.com article quotes Bron as follows: “We are prepared to release a test and certification program for this,” that will be fueled by users’ concerns and needs.

Historically, UL has been involved with the testing and certifying of appliances for their electrical safety. About four years ago, UL developed a cybersecurity division. In the darkreading.com article, Bron points out that the security of electronic payments is of particular concern, “namely certification of chip and PIN technologies.”

The transition from magnetic stripe credit cards (which are so easy to fraudulently use) to chip and PIN technology for the cards is underway.

UL has come up with some testing tools that cross-validate the settings from bank card chips against Visa best practices, says Bron. But that’s all just one slice of the cybersecurity pie.

Another big slice is health, and yet another big chunk relates to industrial control systems. UL wants to be on top of holes or vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

The Growing Demand for Cybersecurity Professionals

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million–our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts–it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.


[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm