Posts

Online Tax Time Scams: How to Avoid

Filing your taxes online is convenient but also comes with some potential security problems. My job as an expert in all things online-security is to spell out what these online tax scam risks are and how to avoid them. As you get ready to file your taxes this year, here are some things you should know about.

9DThere were billions of fraudulent refunds that the IRS discovered for just 2012. Both consumers and business owners (small to medium) are being targeted by hackers during tax time. Following are tax time scams that are related to online filing:

  • Phishing: If you get an unsolicited email that seems to be from the IRS or similar, requesting personal information (especially bank account information, passwords or PINs) or claiming you’re being audited, it’s time to smell a big rotting phish. The IRS will never contact you via email, text message or social media. Make sure you don’t click on any links or open or download any attachments if you even suspect that the message is fake. Report any time of phishing to phishing@irs.gov.
  • The fake IRS agent: Crooks will pose as IRS agents and contact you by email or phone. They’ll already have a few details about you, probably lifted off your Facebook page, using this information to convince you they’re the real deal. If you sense a scam, go to IRS.gov/phishing.
  • The rogue tax preparer: It’s best to use a reputable tax return service, rather than an independent-type preparer. After all, some of these preparers have been known to charge extra high fees for getting you a bigger return, or steal some of your refund.

Additional Tips for Online Tax Time Scam Protection

  • Protect your data. From the moment they arrive in your mailbox, your personal information (financial institution numbers, investment records, Social Security numbers, etc.) must be secured. Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact and are sure of the recipient.
  • Chuck the papers. Opt for electronic statements to be received via email to eliminate paper statements coming into your mail box where thieves could get at them.
  • Check and monitor your statements. To ensure that you’re not a victim, the best thing to do is to monitor you monthly bank statements and do a credit report at least once a year.
  • Use a clean machine. Make sure that the computer you use is not infected or compromised. The operating system and browser should be updated. It should have comprehensive, up to date security software, like McAfee LiveSafe™ service, which protects all your devices, you data and your identity.

If you’re vigilant and follow these guidelines and you won’t have to deal with online (or offline) tax time scams. You can also watch this video from the IRS.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

What is a Denial-of-Service Attack?

You may have heard news reports about popular websites such as CNN, Amazon and Yahoo! being taken down by a DoS attack, but have you ever wondered what DoS means?

3DThis common tech term stands for “denial-of-service,” where an attacker attempts to prevent legitimate users from accessing a website entirely or slowing it down to the point of being unusable.  The most common and obvious type of DoS attack occurs when an attacker “floods” a network with useless information.

When you type a URL for a particular website into your browser, you are sending a request to that site’s computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can’t process your request. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying access to legitimate users.

A distributed denial-of-service (DDos) attack is one where a site is attacked, but not by just one person or machine. DDos are attacks on a site by two or more persons or machines. These attacks are usually done by cybercriminals using botnets (remote computers that are under their control), to bombard the site with requests. Cybercriminals create botnets by infecting a collection of computers—sometimes hundreds or thousands—with malware that gives them control of the machines, allowing them to stage their attack.

There is also an unintentional DoS where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site’s regular users–potentially hundreds of thousands of people—click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. When Michael Jackson died in 2009, websites such as Google and Twitter slowed down or even crashed.1

While this can be an inconvenience to you, as you may not be able to complete transactions or access your banking site, there’s no real danger for you. But unbeknownst to you, your computer or mobile device could be part of the botnet that is causing a DDos attack.

To make sure you’re not part of a DDos attack:

  • Pay attention if you notice that your Internet connection is unusually slow or you can’t access certain sites (and that your Internet connection is not down)
  • Make sure you have comprehensive security installed on all your devices, like McAfee LiveSafe™ service
  • Be careful when giving out your email address, clicking on links and opening attachments, especially if they are from people you don’t know
  • Stay educated on the latest tactics that hackers and scammers use so that you’re aware of tricks they use

“Web slows after Jackson’s death”BBC News

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Stolen Identities are cheap on the Darknet

What a steal: You can purchase a U.S. stolen identity for $25, and an overseas one for $40. Cybercrime is booming. Cybercriminals are competing even against each other. Data theft is becoming increasingly easier, with more and more people gaining entry into this realm. It’s no longer for the elite.

11DHiring someone to perform a cybercrime doesn’t take technical knowledge; only the ability to pay. Even a computer isn’t necessary, and the crime can be outsourced.

The underground of cyberspace is known as the Darknet. Illegal activities of the Darknet are mighty cheap these days.

  • Under $300: credentials for a bank account that has a balance of $70,000-$150,000.
  • $400-$600 a month: Hire a crook to fire a denial-of-service attack on your online competitor to knock it offline. This service can also go for $2 to $5 per hour. Prices are actually quite varied, but the range goes well into the cheap end.
  • $40 bought a personal identity (U.S. stolen ID as of 2011), and $60 bought a stolen overseas ID (as of 2011). Currently, these IDs cost 33 to 37 percent less.

Other Crime Fees

  • $100 to $300: hack a website
  • $25 to $100: A hacker will steal all the data they can on a person or business by using social engineering or Trojan infiltration.
  • $20: a thousand bots; and $250 will get you 15,000.
  • $4 to $8: one stolen U.S. credit card account including CVV number ($18 for European accounts)

What does all this mean to you? It means your identity is at risk.

  • Update your PC with the most current antivirus, antispyware, antiphishing and a firewall.
  • Update your devices critical security patches.
  • Require password access for all your devices and use strong passwords for your accounts.
  • Invest in identity protection because even if you secure your data, a major retailer or bank can be breached putting your data at risk.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Socint: disseminating cybercrime through social intelligence

People talk—A LOT. They can’t stop talking. Talking, getting something off your mind and out there feels good. Talking takes the pressure off one’s mind; our mouths are like relief valves for our heads. The problem has always been that people blurt out whatever is on their mind and say things that often get them in trouble. And yes, I’ve done it too.

But now people now post their thoughts online, which in many cases is even worse because it’s not one on one; it’s to the world. We’ve seen numerous kids, teachers, employees, officials, politicians, celebrities, and folks from just about every walk of life say or post something that has resulted in backlash and sometimes arrest.

The arrest part is very interesting. Law enforcement and government are paying close attention to social media and what is being said. A man in Toronto posts on Twitter he’s looking for a drug dealer, provides a location for where he is, and says, “I need a spliff”—slang for marijuana—and the Toronto police respond, “Awesome, can we come too?”

But it goes much deeper than that. NextGov.com reports, “Criminals, organized crime syndicates, gangs and terrorists also use social media. They post information and share photos and videos, and terrorist groups use the tools to recruit new members, disseminate propaganda and solicit funds.”

It seems the next stage to investigate and prevent crime is through social intelligence combined with social analytics, hence “Socint”. Continues NextGov.com: “Officials can use this type of social media-driven intelligence to gain insight, investigate, construct countermeasures and refocus resources.”

So what do YOU do? If you are doing anything illegal, stop…or just keep doing what you are doing and let’s just hope you get caught. For the rest of us who want a little more privacy or don’t want to get in trouble because we say stupid stuff, pay attention:

  • Know that everyone’s watching: What you say or post lasts forever, and it can and will bite you.
  • Lock down privacy settings: Each social site has its own privacy settings. They change often and they require your attention at least semiannually.
  • Update security settings: Criminals are creating viruses in record numbers for computers, mobiles and tablets. It is essential to updates your operating system’s critical security patches and antivirus, antispyware and antiphishing.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures For Roberts FREE ebook text- SECURE Your@emailaddress –

It’s Even Easier Now For Regular Folks To Conduct Cybercrime

Here’s a late night infomercial for you: How’s that burger flipping going? That cubicle working out? Anyway, I’m sure your boss is such a nice guy. Guess what! If you’re interested in a career in criminal hacking, you don’t even need a computer! This (scary) special, one-time offer comes to you right now from the Internet! Get your credit card ready!

Yes people, this is no joke. Everything you, ‘the average person,’ need to conduct cybercrime can now be purchased online—for example, you can get access to your spouse, neighbors or bosses emails, conduct research, create malware, execute an attack—all of it! Today’s cybercriminals don’t need great technical expertise, or even need to own a computer. Everything can be available for a price.

I often hear people say, “If criminals just used their skills for good, think of how much money they could make and how much better the world would be.” The sad fact is that the bad guys can make in one day what the good guys make in a year.

In a new report called “Cybercrime Exposed,” Raj Samani, vice president and CTO of McAfee, exposes the shift that has taken place with cybercrime easily getting in the hands of everyday people. Here’s a quick snapshot of the report:

The growth of the cybercrime “as-a-service” business model allows cybercriminals to execute attacks at considerably less expense and easily assessible tools now more than ever before.

From renting services to buying email lists for a small sum, the types of exploits that are now available with a click of the button are shocking.

The four categories of cybercrime as a service are:

Research-as-a-Service—One of the primary items research is used for is discovering and identifying vulnerabilities in software or operating systems. The sale of this information can be used for bad or good, so this is why this is considered a gray market. It becomes a cybercrime when these vulnerabilities are sold on the black market so cybercriminals can use the “holes” to exploit users.

Crimeware-as-a-Service—This is what you’d expect to find for sale in the black market. It involves the sale of online tools, or development of tools that can be used by the bad guys to carry out a cybercrime attack.
Also it includes the sale of hardware that may be used for financial fraud (for example, credit card skimming) or equipment used to hack into systems.

Cybercrime Infrastructure-as-a-Service—Once the toolset has been developed, cybercriminals are faced with the challenge of delivering their exploits to their intended victims. An example of this service is the rental of a network of computers controlled by a hacker (known as a botnet) to carry out a denial-of-service (DoS) attack. What is DoS? That’s where the criminal floods a target website with large amounts of traffic so users can’t access the site).

Hacking-as-a-Service—Getting a hold of the individual components* of an attack remains one option; but there are services that allow a criminal to outsource everything about the attack.

This path requires minimal technical expertise, although it is likely to cost more than acquiring individual components and is often used by criminals wanting to obtain information such as bank credentials, credit card data, and login details to particular websites.

While the news is grim, the solutions are not. Here’s what you can do to protect yourself from the bad guys (or your neighbor):

  • For starters, use comprehensive security on all your Internet connected devices, like McAfee® LiveSafe, that includes antivirus, anti-phishing, anti-spyware  and anti-spam, and a firewall
  • Keep your browser and your devices’ operating systems updated to make sure you receive critical security patches
  • Beware of any emails that might contain infected links
  • Secure your wireless connection by using encryption

And if you do decide to go into the business of being a criminal, make sure you have money in reserves for a lawyer because law enforcement and companies like McAfee are relentless in the pursuit of criminal groups or networks who steal your money, your information, or your identity and of those who engage in online abuse of children.

*Each cybercrime attack consists of a variety of components, such as getting a hold of usernames, email addresses, passwords, sending a phishing email, finding the mobile number, determining someone’s Operating System identification, etc.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)

Do I Need to be Concerned About Cybercrime?

The short answer is yes! You should be concerned. And even if you’re not concerned for yourself, with the Internet all of us are interconnected so cybercrime does not just affect one person or one group, but all of us.

Imagine your body being targeted by 100 million viruses. That is exactly what cybercriminals are doing to your networked digital devices. Laptops, desktops, Macs, iPads, iPhones, BlackBerrys, Androids and Symbian mobile phones are all at risk. Research from McAfee Labs reveals a variety of threats that exist “in the wild” that you need to be aware of.

Malware: For 2012, new malware sample discoveries increased 50% with more than 120 million samples. The nature of the threats aimed at PC users continues to become more dangerous and sophisticated as the cybercriminals invent new ways to disguise their activity. PC-targeted malware saw an increased growth in drive-by downloads (read my blog on this), which allows a cybercriminal to surreptitiously download malware from a website without your knowledge. Cybercriminals have clearly figured out that user authentication credentials constitute some of the most valuable intellectual property that can be found on most computers.

Spam and phishing: Believe it or not, spam volume has decreased…to a mere one trillion messages per month. McAfee Labs has observed major developments in targeted spam, or what’s often called “spear phishing.” By using information they collect about you, spear phishers create more realistic messages that increase the chance you will click.

Bad URLs: The number of new suspicious URLs increased by 70% in Q4 2012, averaging 4.6 million new, suspect URLs per month. This is almost double the previous 2.7 million per month figure from the last two quarters. 95% of these URLs were found to be host malware, exploits or code designed specifically to compromise your computers.

Mobile: The number of mobile malware samples discovered by McAfee Labs in 2012 was 44x the number found in 2011. This means that 95% of all mobile malware samples ever seen appeared in the last year. Also cybercriminals are now dedicating essentially all of their efforts to attacking Android, with 97% of malware samples found in the last year aimed at this one operating system.

Besides the proliferation in the amount of mobile devices, there are a number or reasons why cybercriminals are targeting mobile including:

Valuable information that can be found on your mobile devices, including passwords and contacts and the fact that 36% of users lacking basic protection such as a PIN to lock the device

New “opportunities” to make money, such as malware that sends premium text messages that you get charged for but not notice on your device

The fact that some users “hack” their phones to customize the interface or add functionality, thus allowing hackers to exploit the device’s vulnerabilities

The ability to install malware that blocks software updates from your carrier – some of which are designed to protect against security holes

The threat landscape continues to evolve on many fronts in ways that threaten both consumers, small-to-medium-sized businesses and large enterprises. This is why it is critical for you to use comprehensive security software on all your devices, like McAfee All Access, and keep it up to date.

Source: McAfee Q4 2012 Threats Report

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

What Should I Know about Mobile Cybercrime?

The Internet has dissolved the geographical boundaries and technological limitations that have constrained organized cybercrime in the past. We now live with cybercrime syndicates based in the US, Russia, Asia and all over the globe. When hackers in the US are sleeping, the ones in China are flexing their fingers on their keyboards, and the ones in Eastern Europe are waking up. Cybercrime never stops.

The brave—and ballooning—new world of smartphones and tablets offers tremendous scope and volume for these organizations. Mobile devices run on different operating systems and use different apps from PCs and Macs, which presents opportunities to create new device-specific attacks.

Even more interesting, mobile devices require an entire ecosystem of businesses to make them work. Data you transmit or receive has to make it through a conga line of companies that can include your device manufacturer, wireless carrier, app developer, app store, website host and email provider. Motivated by money and information, criminals exploit flaws in the underlying software and information handoffs of each of these players.

Here are two examples of how malicious software (malware)—downloaded through a fake app, a phishing or text message, or from a website—can net the criminals your information.

Text messaging fraud – Cybercriminals have figured out how to incorporate text messaging (SMS) into banking frauds. When you log on to perform a transaction (like checking your balance), banks often send a validation code to your mobile device via SMS. Banks figure if you are logging onto their website through your mobile device, a separate authentication through text messaging will help ensure that it’s really you logging in and provide an extra layer of security. However, mobile malware can collect that validation code and send it, along with your account number, password and “secret” security question to a cybercriminal. The perpetrators repeat this process reliably, victim after victim, bank after bank.

Premium SMS scams. Other malware can run so-called “premium SMS” scams, where you get billed for sending text messages you didn’t consciously send, or receiving messages you didn’t ask for. The malware on your device is doing the communicating—and conceals any confirmation message so you won’t notice until your bill comes. Organized crime networks have the sophistication and relationships to put together these sorts of multifaceted moneymaking schemes.

These guys are good at their jobs—they are truly organized and professional. Everything they do is about monetizing your information—your personal life. That’s why it’s critical for you to educate yourself on why you need mobile security and what scams are out there.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Skimming, Identity Theft and How Online Business Defend Against Cybercrime

Over the past 5 years a scam known as electronic funds transfers at the point of sale (EFTPOS ) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services and hackers have been adept at coming up with ways to skim those customer cards.

In one such case, Romanian hackers were indicted when they were charged with remotely accessed hundreds of small businesses’ POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

SCMagazine reports “An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company’s network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure open Microsoft’s Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals.

Card skimming is just one of many ways that cybercriminals obtain access to stolen identities. And what happens once they have this information?  They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and office.  How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?

Many start by identifying the device being used to access their website, through advanced device identification technology.  Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device?  Is that a device that is already known to iovation’s cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Often times, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?

iovation also helps its clients understand the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly-customized business rules as the transaction or activity is attempted. Many of iovation’s clients have more than 100 business rules on their site, that help them assess risk in real-time.  These business rules can trigger factors including velocity, device anomalies, proxy use, age of the device-to-account association, and more.

Last week at the Merchant Risk Council Platinum Meeting in Seattle, iovation demonstrated it’s ReputationManager 360 fraud prevention service, and showed in simple terms, what happens during a real-time device reputation check.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

How to Defend your Small Business against Cybercrime

Brilliance, historically, is often expressed in the simplest of technologies; the wheel and the light bulb are perfect examples. Today, brilliance is often attributed to advances in technologies that cure illnesses, solve problems, and make our lives easier.

Over the past decade, coders, programmers, and hackers of all kinds have come up with some of the simplest and most brilliant inventions—inventions with the power to transform life as we know it. Unfortunately, when it comes to network security it’s the cyber criminals that seem to be the smartest in the room.

Forbes reports, “ZeuS, SpyEye, Sunspot, OddJob, Gameover. Villains in the next James Bond movie? No. These are names for sophisticated and dangerous crime-ware used by real villains—internationally organized gangs of cyber criminals—to hijack online bank accounts and steal money.” According to the Anti-Phishing Working Group, when it comes to online security an estimated 45% of all computers are now infected with malicious software designed to steal.

When banks began building out their IT infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which bad guys would scheme to separate banks and their clients from their cash.

One bank actually sued an accountholder who lost $800,000 to a digital heist in order to determine who shoulders the legal responsibility to protect online bank accounts from fraud. (The bank was able to recover $600,000 of the $800,000, which Italian and Romanian hackers had removed via unauthorized wire transfers.) The bank sought a legal acknowledgement of their systems’ security, while the accountholder argued that online security measures were inadequate.

In a similar case, a Michigan judge decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses.

Small businesses and banks are losing money via cyber-attacks on their online banking accounts. One way this happens is a cybercriminal send an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts. These malicious links either install one of the software programs detailed above or steals the username and passwords the employees use to log in to their online banking accounts.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. Downloading pirated content from P2P (peer-to-peer) websites is also risky.

Computers with old, outdated, or unsupported operating systems are extremely vulnerable to cybercrime. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

Follow these essential computer security tips to protect your small business against cybercrime. Update your operating system to XP SP3 or Windows 7. Make sure to set your antivirus software to update automatically. Keep your critical online security patches up-to-date by setting Windows Update to run automatically as well. Don’t engage in risky online activities that invite cyber-attacks.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Banks Blame Cybercrime Victims for Hacking

It’s Tuesday morning after a long weekend, the bookkeeper comes in a little late but hits the books right away. She comes into your office and asks you about a series of wire transfers you made over the holiday weekend to new employees who apparently live overseas. And then your heart sinks. Because you have heard about how small business bank accounts are hacked, but didn’t think it would happen to you.

It’s happening to the tune of around 1 billion dollars a year. Small business bank accounts are being hacked and the banks are pointing the finger at their customers. Why? Because in many cases there are no actual data breaches at the banks. Cybercrime is often taking place right in the small businesses offices on their own PCs.

Blooomberg reports “Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.”

However one bank fought back and won. iovation reports “one Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this cybercrime case.

Small businesses are under siege today and must know their bank accounts are being targeted by cyber-thieves. One solution is certainly a secure IT infrastructure and another, in some cases, may be moving to a bigger bank. Some smaller banks simply can’t handle the loss whereas bigger banks may have the resources to absorb them. If you bank with a small bank now is the time for a heart to heart talk.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures