Posts

The Mind of the Misunderstood Cybercriminal

There are a number of misconceptions about cybercrime and those who engage in it. To a cybercriminal, there is no target that is special unless they have a grudge or beef with a particular entity, and as a rule, they will often cast their net wide and then move to attack the easiest prey they find.

11DSecurity specialists must never underestimate the actions of a cybercriminal. Records are easily shared and sold, and they are highly valued. This is especially the case when personal and medical information is the focus.

Any plan that the security professionals design must be focused on these types of crimes. They must also be aware of any upcoming threats and ensure that all proper backups of data are in place.

What are the Common Misconceptions Associated with Cybercrime and Cybercriminals

The most common misconception about cybercriminals that is often observed is that these people have diverse experience and skills, which allow them to initiate a huge range of cyberattacks. This would mean that they would earn a large amount of money as a result. However, the truth is, many of the cybercriminals out there use automated software, which means they don’t require much training at all. According to a recent survey, the vast majority only make from $1,000 to $2,000 a month. But as many as 20 percent of cybercriminals are making more than $20,000 a month.

Who are the Criminals Behind Cyber Crimes?

For the most part, those who commit cybercrimes have a clean criminal record and do not have any ties to any organized groups. These criminals usually also have a stable job during the day and participate in these cybercrimes in their free time. Often, these people are introduced to cybercrimes during college, and many remain active in the industry for several years after they begin.

The other cybercriminals have a bit of a different background. These people belong to cybercriminal syndicates that work within a hierarchy. There are highly skilled members of these groups, and each have certain responsibilities to ensure the success of their organization.

Generally, these groups are controlled by a “boss,” who is the mastermind. They are typically highly educated, intelligent, and some are often connected with the banking industry, as they must arrange for things like money laundering. Additionally, these groups often include people who are professional forgers, as they often require fake documents to serve as paperwork to “prove” their schemes, and then the group needs those skilled in hacking, software engineering, and other technical operations. Some of the groups also include those familiar with law enforcement, as they are skilled with things such as gathering information and counter-intelligence.

What is often so surprising is that members of these groups are often highly respected members of their communities, and many are seen as successful people in business. These people are also often connected to hospitality, real estate, or the automotive industry.

These people do not think of themselves as regular criminals, and they rarely cross paths with others whom the general public might deem as “criminal.” They usually hide in the shadows and avoid any actions that might bring attention to them.

To avoid all of this, it is best to use the assistance of a professional. They are familiar with how these communities run and how they react to certain actions. There are a number of way to research the dark web in a secure and safe manner without risking the integrity of your organization, but the professionals are best for this job. It is also important for businesses to utilize security teams. This ensures that they are capable of obtaining the data and stimulating the environment.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to Make $5 Million a Day in Cybercrime

This post isn’t exactly a “how to” but if your current employment isn’t bringing in the bacon, I’m sure your criminal mind can figure it out. In the biggest digital advertising fraud in the history of the U.S., it was recently found that a group of hackers is bringing in from $3 million to $5 million a day from media companies and brands. That’s some scratch!

11DWhite Ops, an online fraud-prevention firm, uncovered this campaign, which they have called “Methbot,” and the firm found that the campaign is generating more than 300 million video ad impressions each day.

AFT13, which is a cyber criminal gang, has worked to develop the Methbot browser, which spoofs all of the interactions that are necessary to initiate and carry out these ad transactions.

The hackers, which are allegedly Russia-based, have registered more than 250,000 distinct URLs and 6,000 domains, all of which impersonate US brand and companies, including Vogue, ESPN, Fox News, Huffington Post, and CBS Sports. They then take these sites and sell fake ad slots.

The cybercriminals that are behind Methbot are using their servers, which are hosted in Amsterdam and Texas, to give power to almost 600,000 bots. These have fake IP addresses, most of which belong to the US, and this makes it look like the ads are being viewed by visitors in the US. The criminals then get video-ad inventory, which they display on the fake media website that they have created. They get top dollar for this, and they trick the marketplace into believing that this content is being seen by legitimate visitors. In reality, however, these ads are being “viewed” by fake viewers thanks to an automated program that mimics a user watching an ad.

To make the bots look even more real, the group also uses methods such as fake clicks, mouse movements, and even social network login info. White Ops has also found that this fake army of viewers has amassed about 300 million ad views each day, and it has an average payout of about $13 per every 1000 views. If you multiply this by the compromised IP addresses out there, the money is rolling in.

White Ops believes that the Methbot empire has created from 200 to 300 million fake video ad impressions each day, which targets about 6,000 publishers. In a 24-hour period, this is generating somewhere between $3 and $5 million in each 24-hour period.

While the operation has its headquarters in Russia, White Ops can’t say for sure that Methbot has Russian origins. The good guys have been in contact with the FBI, and together, they have been working towards stopping this scam for several weeks.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Small Business a favorite Attack Vector

Small businesses are hardly immune to attacks by hackers.

  • The illusion of low attack risks comes from the publicity that only huge corporations get when they are breached, like Target, Sony and Anthem. These are giants, so of course it makes headline news.
  • But when a “ma and pa” business gets attacked, it’s not newsworthy.

11DIf you own a small business, ask yourself just how the mega-giant Target got infiltrated by cybercriminals in the first place. Answer: a ma and pa HVAC vendor of Target’s!

Cybercriminals thrive on the myth that only big companies get attacked. They know that many small outfits have their guards down; have only rudimentary security measures in place. Never assume you know everything that a hacker wants—or doesn’t want.

Think of it this way: Which burglar is more likely to make off like a bandit? One who attempts to infiltrate a palace that has a 10-foot-high stone wall, surrounding a moat that surrounds the palace, with motion sensors everywhere that set off piercing alarms; an army of Dobermans; and a high tower where guards are keeping a lookout?

Or the burglar who tries to break into a small townhome with only a deadbolt and window screens for security? Sure, the palace has millions of dollars worth of wall art alone, but what chances does the burglar have of getting his hands on it? The little townhome just might have some electronics and jewelry he can sell underground.

No business is too small or its niche too narrow to get a hacker’s attention; just like any burglar will notice an open ground floor window in that little townhome at 3 a.m.

  • Never use lack of funds as an excuse to cut corners on security.
  • Share security information with competitors in your niche.
  • Consider the possibility that a cyber attack can be an inside job in your little company—something relatively easy to pull off (e.g., every employee probably knows the direct e-mail to the company owner).
  • Get cyber attack insurance. A halfway-sized cyber attack could cripple any small company and have tangential fallout.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to digitally detox on Vacation

Many years ago when you were on vacation, before Facebook, Instagram and Twitter were invented (assuming you were an adult then), you had a great time, right? You weren’t “connected,” because there was no social media to be connected with.

2DIf today you can’t imagine being disconnected from social media while on vacation, ask yourself how this can be, if years ago, you never missed what had not yet been invented.

And what about constantly checking e-mail while on vacation? Or constantly perusing various websites with your mobile while at the beach?

Intel did a recent study:

  • 55% of Americans can’t disconnect while vacationing.
  • Two-thirds actually wanted to disconnect (detox), but less than half actually did so.
  • But when they did disconnect, 88% reported feeling okay about it and connecting better with travel mates.

Motivation to Detox

  • Know that cybercrooks are banking that vacationers do not disconnect.
  • Vacationers are especially vulnerable when they use public Wi-Fi, as cyberthieves can “snoop” on login entries and steal login information (such as to your bank, or get your credit card number when you online shop at the coffee house).
  • Can’t stay away from your e-mail when vacationing? Cybercrooks can gain access here, too.
  • Though installation of a virtual private network will prevent cyber snooping, it won’t prevent shoulder surfing, or thieves using high powered cameras to capture what you’re doing across the coffee house.
  • Of course, your devices should have security software that’s always updated.
  • Your devices should be password-protected as well.
  • Before embarking on your vacation (and not a few days before, but a few weeks before), practice disconnecting for 24 hours. If you must check your e-mail daily for business purposes, at least practice disconnecting from social media for 24, even 48 hours. Can you do it?
  • Can you stay off your mobile device while waiting at the dentist’s office or at the motor vehicle agency?
  • These “home” practice sessions can help you overcome withdrawal symptoms of not checking Twitter, Facebook or e-mail every 10 minutes.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Ransomware Response: Prepare for the Worst

A ransomware attack is when your computer gets locked down or your files become inaccessible, and you are informed that in order to regain use of your computer or to receive a cyber key to unlock your files, you must pay a ransom. Typically, cybercriminals request you pay them in bitcoins.

binaryThe attack begins when you’re lured, by a cybercriminal, into clicking a malicious link that downloads malware, such as CDT-Locker. Hackers are skilled at getting potential victims to click on these links, such as a phony e-mail, apparently from a company you do business with, luring you into clicking on a link or opening its attachment.

And if you find your computer is being held hostage:

  • Report it to law enforcement, although it’s unlikely they can provide help. It’s just good to have it recorded.
  • Disconnect your computer from its network to prevent the infection from spreading to other shared networks.
  • You need to remove the ransomware from your computer. Remember, removal of the ransomware won’t restore access to your files; they will still be encrypted. To remove ransomware from your computer, follow the steps provided here.
  • If you already had your data backed up offline, there’s no need to even consider paying the ransom. Still, you will want to remove the ransomware and make sure your backup solution was working.
  • But what if very important files were not backed up? Prepare to pay in bitcoins. The first step is to find out what the experts say about making payments in bitcoin.
  • The crook will be essentially impossible to trace. You’ll be required to make the payment over the Tor network (anonymous browsing).
  • Finally, don’t be shocked if the crook actually provides you the decryption key—essentially a password; ransomware thieves often follow through to maintain being taken seriously. Otherwise, nobody would ever pay them. But it would not be unprecedented to not receive the key. It’s a gamble.
  • The best course of action is to prevent a ransomware attack, and that means looking for all the clues to malware and phishing scams. Don’t let threatening e-mails, saying you owe back taxes or bank fees, jolt you into hastily clicking a suspicious link or attachment. If you regularly back up your data online and to an external drive, then you’ll never feel you must pay the ransom.

Robert is a security analyst, author and media personality who specializes in personal security and identity theft and appears regularly on Good Morning America, ABC News and The TODAY Show.

Phone Account of FTC Chief Technologist hijacked

An impostor posed as Lorrie Cranor at a mobile phone store (in Ohio, nowhere near Cranor’s home) and obtained her number. She is the Federal Trade Commission’s chief technologist. Her impostor’s con netted two new iPhones (the priciest models—and the charges went to Cranor) with her number.

11DIn a blog post, Cranor writes: “My phones immediately stopped receiving calls.” She was stiffed with “a large bill and the anxiety and fear of financial injury.”

Cranor was a victim of identity theft. She contacted her mobile carrier after her phone ceased working during use. The company rep said her account had been updated to include the new devices, and that her Android’s SIM cards had been disabled. The company replaced the SIM cards and restored use of her phones.

The company’s fraud department removed the charges but blamed the theft on Cranor.

So how does an impostor pull off this stunt so easily? Stores owned by the mobile carrier are required to ask for a photo ID and last four digits of the customer’s SSN. However, at a third party retailer, this requirement may not be in place. In the Cranor case, the crook used a photo ID of herself but with Cranor’s name—and was not required to reveal the victim’s SSN last four digits.

Cranor’s Actions

  • Changed password of online account
  • Added extra security PIN
  • Reported the theft to identitytheft.gov
  • Placed a fraud alert and got a free credit report
  • Filed a police report

Hijacking a smartphone is becoming more common, with the FTC having received over 2,600 reports just for January this year.

You may not think that this type of fraud ranks as high as other types of fraud, but it all depends on the thief and his—or her—intentions. Though the thief may only want to sell the phones for a little profit, a different kind of crook may want to hijack a phone to commit stalking or espionage. Or  the thief can gain access to the victim’s text messages. If the phone is used for two factor authentication, then a thief would have access to your One Time Passwords (OTP) upon logging into a critical website. There’s all sorts of possibilities.  The most important tip: add an extra security PIN to your account. This way, whether over the phone, web or in person, this “second factor” of authentication will make it harder for a thief to become you.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Viruses as Cyberweapons for sale

It’s all about code—the building blocks of the Internet. Software code is full of unintentional defects. Governments are paying heavy prices to skilled hackers who can unearth these vulnerabilities, says an article at nytimes.com.

6DIn fact, the FBI director, James B. Comey, recommended that the FBI pay hackers a whopping $1.3 million to figure out how to circumvent Apple’s iPhone security.

So driven is this “bug-and-exploit trade market,” that a bug-and-exploit hacking company, Hacking Team, ended up being hacked last summer.

The software companies that create code don’t get to learn what the vulnerabilities are that the richly paid hackers discover. This has been going on for two decades-plus.

Here are some sizzling facts from nytimes.com:

  • Over a hundred governments have reported they have an offensive cyberwar program.
  • Iran boasts being in the No. 3 spot in the world for digital army size (trailing the U.S. and China), though this can’t be confirmed.
  • However, Iranian hackers have demonstrated their skill more than once, and it’s not pretty. For instance, they were responsible for the rash of U.S. bank hacking incidents in 2013.
  • Though Iran’s cyber power lags behind that of the U.S.’s, they’re steadily closing the big gap.
  • Most nations keep details of their cyberwar programs classified.

It has been surmised by many a security expert that WWIII will be largely digital. Imagine how crippling it would be if a nation’s grid was dismantled—affecting major networks across that country—such as healthcare, shipping and banking and other critical infrastructures such as food and water supply.

There’s not a whole ton you can do about this battle. However, you should, at a minimum, prepare your physical life for any digital disasters. Prepare the same way you would if you knew there was a severe storm coming. Store dry foods, water, extra climate appropriate clothing, and cash, preferably lots of small bills. This is just a short list. Seek out numerous resources on ready.gov to learn more.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Ransomware as a Service: A new threat to businesses everywhere

Cyber criminals have been attempting to extort money from individuals and companies for many years, and the latest attempt to take advantage of others is by using Ransomware as a Service, or RaaS.

4DA ransomware virus infects a computer when a user clicks a link and unknowingly download a malicious file. The ransomware virus then encrypts the computer’s files and promises to render them useless unless the victim pays a ransom. The cost varies greatly and groups sending these out can bring in hundreds of millions of dollars in profits.

RaaS makes it even easier for criminals to deploy ransomware viruses. All they have to choose a ransomware virus, set a ransom amount and deadline, and then trick their victims into downloading it onto their computer.

What to do if systems become infected with ransomware

If you have been attacked with ransomware, consider the following:

  • Tell the hacker you will pay, but that you need time to get the cash.
  • Gather all correspondence from the hacker.
  • Tell the webhosting provider, maybe call the cops, but expect little. If there is a major loss, reach out to the FBI, just know they might not see it as serious.
  • Delete all infected files and download clean versions from your backup system. Remember: If you have a quality backup system in place, you won’t need to pay the ransom.

Handling computer viruses

Ransomware isn’t the only type of virus to be on the lookout for. Symptoms of other types of virus infections include programs opening up on their own and a slow computer. Some viruses may send messages from your email account without you knowing about it. Here are some more ways to protect yourself from ransomware and other computer viruses:

  • Use both firewall and anti-virus software
  • Do not open attachments, links or programs from an email, including those from people you know, until you check for viruses.
  • Do not use public Wi-Fi connections unless on a virtual private network or using encryption software.
  • Keep security software current, use administrative rights and use a firewall.
  • Use the most recent version of your operating system and browser.
  • Back up all data.
  • Train employees on security measures for all devices.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Why Are Cyber Hucksters so successful?

Often, hucksters prey on the consumer’s desperation, which is why it’s no surprise that the No. 1 rip-off (at least between 2011 and 2012)) was bogus products promising weight loss.

6DVICE (vice.com) interviewed psychologist Maria Konnikova about how cyber cons are so successful—even with the most ridiculous sounding bait (Nigerian prince, anyone?).

The bait becomes more attractive when the target is receiving an influx of cyber attention. Sad to say, this trips up a person’s rationale, making them susceptible to the huckster’s plan.

Konnikova is quoted as stating, “Few things throw us off our game as much as so-called cognitive load: how taxed our mental capacities are at any given moment.” She explains that people are vulnerable when the con artist hits them up with their scheme while the victim is distracted with Twitter, texting, etc. In short, it’s cognitive overload.

Konnikova is the author of the book, “The Confidence Game: Why We Fall For It, Every Time.” In the book, she mentions that victims such as the U.S. Navy were too humiliated to prosecute the crooks who conned them. She tells vice.com: “Because admitting it [getting rooked] would mean admitting you’re a sap.”

And in this day of rapidly evolving cyber technology, the huckster’s job is becoming easier, what with all sorts of pathways he can snag a victim, such as dating sites and pop-up ads warning your computer has been infected. But something else is on the crook’s side: the false sense of security that all this techy mumbo jumbo gives the common user—who hence lets down their guard.

And despite all the parodies and mockeries surrounding the so-called Nigerian prince scam (aka 419 scam), it’s still out there in full force and effect. Look how technology has made it swell. And it will continue evolving as long as people want something for nothing. Why else would the Powerball swell to over 1.3 billon. “The basic contours of the story won’t change,” Konnikova tells vice.com.

Another factor is that some people equate online with credibility: “It’s online so it must be legitimate,” is the mindset. According to this mindset, the Loch Ness Monster must really exist, since there are many stories about it online. Despite how irrational this mindset is, scammers know that many people think this way and will design their ploys to look even more legitimate (with creative layouts, slogans, links, etc.).

Though it takes skill to be a successful huckster, they can’t get the job done without the victim being “vulnerablized” by cognitive overload.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Nineways to shop safely on Cyber Monday

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulpby cyber scammers waiting for their prey.

2DHow can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (it’s secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.