Posts

Survey Shows Most People Back Up…But Not as Often as They Should

According to a new survey, we now have a good idea of the habits of the regular person in regard to backing up their devices. The survey, which covered almost 3,000 people, looked at people around the world. What it shows is that 91 percent of people back up their devices and their data. But, 68 percent of people still lost data because of a different reason. These include accidentally deleting the data, software or hardware failure, or even because they hadn’t backed up their data recently. The truth is, only 41% of companies and people back up each day, which leaves most of us…and most businesses…vulnerable to data loss.

surveyThe data from this survey stress how important it is to implement some type of cyber protection strategy for a business, which includes backing up data several times a day, and using the 3-2-1 backup rule. This is creating three copies of your data (a single primary copy and two backups), storing your copied on two different types of storage option, and then storing one of the copies in the cloud or remotely.

Change the Game with Cyber Protection

With more cyberattacks happening all of the time, the traditional methods of backing up our data is no longer working. We simply cannot rely on only backing up our information. It is way too dangerous.

Cybercriminals will target backup software with their own ransomware, and then try to modify the files, which makes it even more important to protect your information.

Recommendations for Cyber Protection

There are a number of different ways you can protect your personal or company’s information. Here are just five things you can do to ensure that your data is relatively safe:

  • Create a backup of your most important data…always – Keep a number of different copies of your backup locally and in the cloud. You want to do it locally so you can access it quickly and frequently, and you want to save it in the cloud to make sure that even if there is a fire, flood, or other disaster, your data is safe.
  • Ensure your OS and applications are all the current versions – If you are not updating your OS or apps, it means that they are much more vulnerable to getting hacked. These updates often contain patches and fixes that can keep cybercriminals out.
  • Beware of any suspicious links, emails, or attachments – Most ransomware and virus infections are created by using social engineering, and they trick unsuspecting people into opening these infected attachments or clicking on a link that installs malware to the device or network.
  • Install anti-virus, anti-ransomware, and anti-malware software – While you are doing your automated updates for your apps and OS, you should also be using all of these different software options, too.
  • Consider using an integrated cyber protection solution – You want to choose an option that combines anti-ransomware, anti-virus, backup, patch management, and a vulnerability assessment all in a single solution. This type of solution increases efficiency, ease of use, and the reliability of your protection.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

 

Cybercriminals are Stealing from you by Using these COVID-19 Scams

It is estimated that COVID-19 fraud has cost Americans more than $13 million, and it is rising. This comes from the US government.

The US Federal Trade Commission has added up the costs of all of these scams. They are looking from those that started from the 1st of January to the current week. What are these numbers made of? Mostly vacation and travel scams, as these have added up to $4.7 million lost. Online shopping scams are also out there, but they have only added up to $1.4 million.

The global spread of coronavirus has forced people to change the way they live, work, and even socialize. This is going to be the case for some time to come, and because of this, the cybercriminals have jumped onto the bandwagon, and they know…if they are lucky…this could be a lucrative thing for them.

These COVID-19 scams are definitely playing on the fears of the general public, and the goal of these cyber criminals is to get their targets to give them their personal information. Then, the bad guys use this information to commit fraud. In other words, they take money directly out of the hands of the people who need it the most.

What are the Tactics that People are Using to Hack Their Victims

There are a number of COVID-19 tactics that are being used to trick people into giving away their personal information, and in some cases, their hard-earned money.

Most of the tactics are combining phishing texts and emails with fake sites. Here are some of the things that are commonly found in a number of different languages:

  • Malware that is sent by “official” feeds, which are not really official. These include things like real time COVID-19 maps, which are actually meant to spread malware.
  • Messages that are offering an iPhone 11…for free…to help pass the time at home.
  • Messages offering payday loans to help people who are having problems with money.
  • Scams advertising products that are supposedly “cures” for COVID-19.
  • Coronavirus-themed domain names that seem to offer official information about the virus, but instead, simply spread viruses.
  • Emails from sources that show they are from WHO, the CDC, or even local governments.
  • Emails that ask for donations for COVID-19 research
  • Emails that look like they are coming from the government that have fake links allowing you to claim a tax refund.
  • People from the UK have reported getting fake emails saying they are from the BBC and the person’s TV license is expired. Then, they are asked to go to a website and update their details.
  • Phone calls are coming that are recorded and telling people that their broadband access will be cut off within 24 hours thanks to “illegal activity,” and the user must “press 1” to speak with a person to fix it. Once you are connected, they do all they can to get personal information from you.
  • Emails from people claiming to be “company officials,” that contain and attachment with the names of people within the organization that have tested positive for COVID-19.

No person nor industry is immune to this, so keep your eyes open and stay safe.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program and the home security expert for Porch.com

Beware of IRS Stimulus Check Scams

The IRS has been urging taxpayers to be aware of calls and emails that might lead victims to give up their personal information to cyberthieves.

IRS Commissioner, Chuck Rettig, has been urging people to take more care during this time. He reminds taxpayers that the IRS won’t ever call to verify or collect financial information in order for you to get your refund faster. The IRS will also never email taxpayers asking for this information. Fraudulent text messages are also on the rise.

Cybercriminals have always taken advantage of times of trouble, and now that we are in the throes of coronavirus, they are continuing this. While people are waiting to get their stimulus payments and tax refunds, it is extremely important to remain vigilant.

Don’t Fall for These Scams

The IRS has definitely seen many more phishing schemes. In most cases, the IRS deposits these payments directly into the bank accounts of the taxpayer. Those who have previously filed, but have not provided direct deposit information, must provide this on the IRS.gov website. If they don’t do that, the IRS will mail a paper check to the taxpayer.

It is also important to mention that the IRS has reminded those who have retired and don’t have to file a tax return that they don’t have to do anything in order to receive their stimulus check. Cybercriminals tend to focus on seniors, and they may try to reach out by mail, phone, or email and ask for information such as Social Security numbers, bank account numbers or other identifying info. The IRS will not contact these people, so don’t give any info if you are in this group.

Other Information from the IRS

The IRS is also reminding taxpayers that there are signs that something is a scam. Here are some of them:

  • The official term of the payment is “economic impact payment.” If you see terms like “Stimulus Payment” or “Stimulus Check, it’s probably a scam.
  • It is a scam if someone asks you to sign over your check to them.
  • It’s a scam if they ask you to verify your personal or financial information via phone, text, social media, mail, or email.
  • If they suggest that you can get your money faster by supplying information, it is a scam.
  • If you get a check in the mail that seems a bit off, and then you are asked to verify information online, it is a scam.

Reporting These Scams

If you believe that you might be a target or victim of a scam like this, you should do your best to report it. If you get an email, for instance, you should forward it to phishing@irs.gov.

It is also recommended that you do not engage with potential scammers on the phone or internet. There are guidelines on how to deal with this on the IRS.gov website.

Official information about the IRS and how it is dealing with the COVID-19 pandemic is also available online at the Coronavirus Tax Relief page online.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program and the home security expert for Porch.com

The Mind of the Misunderstood Cybercriminal

There are a number of misconceptions about cybercrime and those who engage in it. To a cybercriminal, there is no target that is special unless they have a grudge or beef with a particular entity, and as a rule, they will often cast their net wide and then move to attack the easiest prey they find.

11DSecurity specialists must never underestimate the actions of a cybercriminal. Records are easily shared and sold, and they are highly valued. This is especially the case when personal and medical information is the focus.

Any plan that the security professionals design must be focused on these types of crimes. They must also be aware of any upcoming threats and ensure that all proper backups of data are in place.

What are the Common Misconceptions Associated with Cybercrime and Cybercriminals

The most common misconception about cybercriminals that is often observed is that these people have diverse experience and skills, which allow them to initiate a huge range of cyberattacks. This would mean that they would earn a large amount of money as a result. However, the truth is, many of the cybercriminals out there use automated software, which means they don’t require much training at all. According to a recent survey, the vast majority only make from $1,000 to $2,000 a month. But as many as 20 percent of cybercriminals are making more than $20,000 a month.

Who are the Criminals Behind Cyber Crimes?

For the most part, those who commit cybercrimes have a clean criminal record and do not have any ties to any organized groups. These criminals usually also have a stable job during the day and participate in these cybercrimes in their free time. Often, these people are introduced to cybercrimes during college, and many remain active in the industry for several years after they begin.

The other cybercriminals have a bit of a different background. These people belong to cybercriminal syndicates that work within a hierarchy. There are highly skilled members of these groups, and each have certain responsibilities to ensure the success of their organization.

Generally, these groups are controlled by a “boss,” who is the mastermind. They are typically highly educated, intelligent, and some are often connected with the banking industry, as they must arrange for things like money laundering. Additionally, these groups often include people who are professional forgers, as they often require fake documents to serve as paperwork to “prove” their schemes, and then the group needs those skilled in hacking, software engineering, and other technical operations. Some of the groups also include those familiar with law enforcement, as they are skilled with things such as gathering information and counter-intelligence.

What is often so surprising is that members of these groups are often highly respected members of their communities, and many are seen as successful people in business. These people are also often connected to hospitality, real estate, or the automotive industry.

These people do not think of themselves as regular criminals, and they rarely cross paths with others whom the general public might deem as “criminal.” They usually hide in the shadows and avoid any actions that might bring attention to them.

To avoid all of this, it is best to use the assistance of a professional. They are familiar with how these communities run and how they react to certain actions. There are a number of way to research the dark web in a secure and safe manner without risking the integrity of your organization, but the professionals are best for this job. It is also important for businesses to utilize security teams. This ensures that they are capable of obtaining the data and stimulating the environment.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to Make $5 Million a Day in Cybercrime

This post isn’t exactly a “how to” but if your current employment isn’t bringing in the bacon, I’m sure your criminal mind can figure it out. In the biggest digital advertising fraud in the history of the U.S., it was recently found that a group of hackers is bringing in from $3 million to $5 million a day from media companies and brands. That’s some scratch!

11DWhite Ops, an online fraud-prevention firm, uncovered this campaign, which they have called “Methbot,” and the firm found that the campaign is generating more than 300 million video ad impressions each day.

AFT13, which is a cyber criminal gang, has worked to develop the Methbot browser, which spoofs all of the interactions that are necessary to initiate and carry out these ad transactions.

The hackers, which are allegedly Russia-based, have registered more than 250,000 distinct URLs and 6,000 domains, all of which impersonate US brand and companies, including Vogue, ESPN, Fox News, Huffington Post, and CBS Sports. They then take these sites and sell fake ad slots.

The cybercriminals that are behind Methbot are using their servers, which are hosted in Amsterdam and Texas, to give power to almost 600,000 bots. These have fake IP addresses, most of which belong to the US, and this makes it look like the ads are being viewed by visitors in the US. The criminals then get video-ad inventory, which they display on the fake media website that they have created. They get top dollar for this, and they trick the marketplace into believing that this content is being seen by legitimate visitors. In reality, however, these ads are being “viewed” by fake viewers thanks to an automated program that mimics a user watching an ad.

To make the bots look even more real, the group also uses methods such as fake clicks, mouse movements, and even social network login info. White Ops has also found that this fake army of viewers has amassed about 300 million ad views each day, and it has an average payout of about $13 per every 1000 views. If you multiply this by the compromised IP addresses out there, the money is rolling in.

White Ops believes that the Methbot empire has created from 200 to 300 million fake video ad impressions each day, which targets about 6,000 publishers. In a 24-hour period, this is generating somewhere between $3 and $5 million in each 24-hour period.

While the operation has its headquarters in Russia, White Ops can’t say for sure that Methbot has Russian origins. The good guys have been in contact with the FBI, and together, they have been working towards stopping this scam for several weeks.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Small Business a favorite Attack Vector

Small businesses are hardly immune to attacks by hackers.

  • The illusion of low attack risks comes from the publicity that only huge corporations get when they are breached, like Target, Sony and Anthem. These are giants, so of course it makes headline news.
  • But when a “ma and pa” business gets attacked, it’s not newsworthy.

11DIf you own a small business, ask yourself just how the mega-giant Target got infiltrated by cybercriminals in the first place. Answer: a ma and pa HVAC vendor of Target’s!

Cybercriminals thrive on the myth that only big companies get attacked. They know that many small outfits have their guards down; have only rudimentary security measures in place. Never assume you know everything that a hacker wants—or doesn’t want.

Think of it this way: Which burglar is more likely to make off like a bandit? One who attempts to infiltrate a palace that has a 10-foot-high stone wall, surrounding a moat that surrounds the palace, with motion sensors everywhere that set off piercing alarms; an army of Dobermans; and a high tower where guards are keeping a lookout?

Or the burglar who tries to break into a small townhome with only a deadbolt and window screens for security? Sure, the palace has millions of dollars worth of wall art alone, but what chances does the burglar have of getting his hands on it? The little townhome just might have some electronics and jewelry he can sell underground.

No business is too small or its niche too narrow to get a hacker’s attention; just like any burglar will notice an open ground floor window in that little townhome at 3 a.m.

  • Never use lack of funds as an excuse to cut corners on security.
  • Share security information with competitors in your niche.
  • Consider the possibility that a cyber attack can be an inside job in your little company—something relatively easy to pull off (e.g., every employee probably knows the direct e-mail to the company owner).
  • Get cyber attack insurance. A halfway-sized cyber attack could cripple any small company and have tangential fallout.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to digitally detox on Vacation

Many years ago when you were on vacation, before Facebook, Instagram and Twitter were invented (assuming you were an adult then), you had a great time, right? You weren’t “connected,” because there was no social media to be connected with.

2DIf today you can’t imagine being disconnected from social media while on vacation, ask yourself how this can be, if years ago, you never missed what had not yet been invented.

And what about constantly checking e-mail while on vacation? Or constantly perusing various websites with your mobile while at the beach?

Intel did a recent study:

  • 55% of Americans can’t disconnect while vacationing.
  • Two-thirds actually wanted to disconnect (detox), but less than half actually did so.
  • But when they did disconnect, 88% reported feeling okay about it and connecting better with travel mates.

Motivation to Detox

  • Know that cybercrooks are banking that vacationers do not disconnect.
  • Vacationers are especially vulnerable when they use public Wi-Fi, as cyberthieves can “snoop” on login entries and steal login information (such as to your bank, or get your credit card number when you online shop at the coffee house).
  • Can’t stay away from your e-mail when vacationing? Cybercrooks can gain access here, too.
  • Though installation of a virtual private network will prevent cyber snooping, it won’t prevent shoulder surfing, or thieves using high powered cameras to capture what you’re doing across the coffee house.
  • Of course, your devices should have security software that’s always updated.
  • Your devices should be password-protected as well.
  • Before embarking on your vacation (and not a few days before, but a few weeks before), practice disconnecting for 24 hours. If you must check your e-mail daily for business purposes, at least practice disconnecting from social media for 24, even 48 hours. Can you do it?
  • Can you stay off your mobile device while waiting at the dentist’s office or at the motor vehicle agency?
  • These “home” practice sessions can help you overcome withdrawal symptoms of not checking Twitter, Facebook or e-mail every 10 minutes.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Ransomware Response: Prepare for the Worst

A ransomware attack is when your computer gets locked down or your files become inaccessible, and you are informed that in order to regain use of your computer or to receive a cyber key to unlock your files, you must pay a ransom. Typically, cybercriminals request you pay them in bitcoins.

binaryThe attack begins when you’re lured, by a cybercriminal, into clicking a malicious link that downloads malware, such as CDT-Locker. Hackers are skilled at getting potential victims to click on these links, such as a phony e-mail, apparently from a company you do business with, luring you into clicking on a link or opening its attachment.

And if you find your computer is being held hostage:

  • Report it to law enforcement, although it’s unlikely they can provide help. It’s just good to have it recorded.
  • Disconnect your computer from its network to prevent the infection from spreading to other shared networks.
  • You need to remove the ransomware from your computer. Remember, removal of the ransomware won’t restore access to your files; they will still be encrypted. To remove ransomware from your computer, follow the steps provided here.
  • If you already had your data backed up offline, there’s no need to even consider paying the ransom. Still, you will want to remove the ransomware and make sure your backup solution was working.
  • But what if very important files were not backed up? Prepare to pay in bitcoins. The first step is to find out what the experts say about making payments in bitcoin.
  • The crook will be essentially impossible to trace. You’ll be required to make the payment over the Tor network (anonymous browsing).
  • Finally, don’t be shocked if the crook actually provides you the decryption key—essentially a password; ransomware thieves often follow through to maintain being taken seriously. Otherwise, nobody would ever pay them. But it would not be unprecedented to not receive the key. It’s a gamble.
  • The best course of action is to prevent a ransomware attack, and that means looking for all the clues to malware and phishing scams. Don’t let threatening e-mails, saying you owe back taxes or bank fees, jolt you into hastily clicking a suspicious link or attachment. If you regularly back up your data online and to an external drive, then you’ll never feel you must pay the ransom.

Robert is a security analyst, author and media personality who specializes in personal security and identity theft and appears regularly on Good Morning America, ABC News and The TODAY Show.

Phone Account of FTC Chief Technologist hijacked

An impostor posed as Lorrie Cranor at a mobile phone store (in Ohio, nowhere near Cranor’s home) and obtained her number. She is the Federal Trade Commission’s chief technologist. Her impostor’s con netted two new iPhones (the priciest models—and the charges went to Cranor) with her number.

11DIn a blog post, Cranor writes: “My phones immediately stopped receiving calls.” She was stiffed with “a large bill and the anxiety and fear of financial injury.”

Cranor was a victim of identity theft. She contacted her mobile carrier after her phone ceased working during use. The company rep said her account had been updated to include the new devices, and that her Android’s SIM cards had been disabled. The company replaced the SIM cards and restored use of her phones.

The company’s fraud department removed the charges but blamed the theft on Cranor.

So how does an impostor pull off this stunt so easily? Stores owned by the mobile carrier are required to ask for a photo ID and last four digits of the customer’s SSN. However, at a third party retailer, this requirement may not be in place. In the Cranor case, the crook used a photo ID of herself but with Cranor’s name—and was not required to reveal the victim’s SSN last four digits.

Cranor’s Actions

  • Changed password of online account
  • Added extra security PIN
  • Reported the theft to identitytheft.gov
  • Placed a fraud alert and got a free credit report
  • Filed a police report

Hijacking a smartphone is becoming more common, with the FTC having received over 2,600 reports just for January this year.

You may not think that this type of fraud ranks as high as other types of fraud, but it all depends on the thief and his—or her—intentions. Though the thief may only want to sell the phones for a little profit, a different kind of crook may want to hijack a phone to commit stalking or espionage. Or  the thief can gain access to the victim’s text messages. If the phone is used for two factor authentication, then a thief would have access to your One Time Passwords (OTP) upon logging into a critical website. There’s all sorts of possibilities.  The most important tip: add an extra security PIN to your account. This way, whether over the phone, web or in person, this “second factor” of authentication will make it harder for a thief to become you.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Viruses as Cyberweapons for sale

It’s all about code—the building blocks of the Internet. Software code is full of unintentional defects. Governments are paying heavy prices to skilled hackers who can unearth these vulnerabilities, says an article at nytimes.com.

6DIn fact, the FBI director, James B. Comey, recommended that the FBI pay hackers a whopping $1.3 million to figure out how to circumvent Apple’s iPhone security.

So driven is this “bug-and-exploit trade market,” that a bug-and-exploit hacking company, Hacking Team, ended up being hacked last summer.

The software companies that create code don’t get to learn what the vulnerabilities are that the richly paid hackers discover. This has been going on for two decades-plus.

Here are some sizzling facts from nytimes.com:

  • Over a hundred governments have reported they have an offensive cyberwar program.
  • Iran boasts being in the No. 3 spot in the world for digital army size (trailing the U.S. and China), though this can’t be confirmed.
  • However, Iranian hackers have demonstrated their skill more than once, and it’s not pretty. For instance, they were responsible for the rash of U.S. bank hacking incidents in 2013.
  • Though Iran’s cyber power lags behind that of the U.S.’s, they’re steadily closing the big gap.
  • Most nations keep details of their cyberwar programs classified.

It has been surmised by many a security expert that WWIII will be largely digital. Imagine how crippling it would be if a nation’s grid was dismantled—affecting major networks across that country—such as healthcare, shipping and banking and other critical infrastructures such as food and water supply.

There’s not a whole ton you can do about this battle. However, you should, at a minimum, prepare your physical life for any digital disasters. Prepare the same way you would if you knew there was a severe storm coming. Store dry foods, water, extra climate appropriate clothing, and cash, preferably lots of small bills. This is just a short list. Seek out numerous resources on ready.gov to learn more.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.