Posts

Gift Cards: The Newest Scam that You Should Be Aware of

Hackers are making a lot of money thanks to phishing attacks these days, and now they are also focusing on gift card scams. One of the most notorious scam groups, Scarlet Widow, which is out of Nigeria, has been boosting its efforts to scam people with gift cards since 2015. This group generally focuses on people in the UK and US and also is known for tax scams, romance scams, and rental cons.

Are you at risk of getting scammed by Scarlet Widow? The group generally focuses on medium to large US businesses and nonprofits including the United Way, Boy Scouts of American, and YMCA chapter. The scammers send emails to employees of these organizations, and though most people understand that the emails are, indeed, scams, it only takes one person to put your organization at risk.

The Targets

From November 2017 to the present, Scarlet Widow has targeted thousands of nonprofits and individuals. It also targets the education industry and tax industry. Scarlet Widow only succeeds by getting access to these organizations’ email accounts. They might put malware in the emails or use malicious phishing links. Either way, eventually, these people are going to be able to scam the organizations.

The Scam

Though traditional phishing scams work for Scarlet Widow, it is really focusing on the gift card scam these days. In October 2018, more than a quarter of people who have been scammed during the year said that they were victims of a gift card scam. Scammers love these because they can get the cash quickly, they can be anonymous, and it’s very difficult to reverse. All the scammers have to do is convince someone to buy a gift card, then send them a photo, and they can take the money that is on there.

Scarlet Widow generally focuses on Google Play and iTunes gift cards, but other scammers will ask for cards from places like Target, Walgreens, or CVS. You might think it sounds strange that these people could con others into paying for business services with gift cards but remember…these scammers are experts at manipulation. They will certainly come up with some story with a sense of urgency, and people fall for it all of the time. For instance, there was an administrator in Australia who sent a scammer $1,800 in iTunes gift cards. The email she got seemed as if it was from the head of the finance department, so she believed it was legitimate. However, it was just a scammer.

A security awareness training financial advisor client of mine was conned too. Actually it was his assistant. She received an email that looked like it was coming from him requesting 5 $500.00 Apple gift cards to send to their top 5 clients. She went right out to Walgreens, bought 5 cards and the instructions were to scratch off back to reveal the codes and email pictures of the cards and codes back to him. Which she did. And then the scammers disappeared.

Though there are limitations to scammers using gift cards, these nefarious groups will use any method they can think of to get more money funneling in. So, if you ever get a request from a contractor or organization leader asking for a gift card, use an extreme amount of caution.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Florida City Pays Hackers $600,000 after Scam

Riviera Beach, a city in Florida, has agreed to pay a $600,000 ransom to hackers who attacked its network.

This week, the City Council voted to pay the demands after coming up with no other option to meet the demands of the hackers. It seems that the hackers got access to the system when a staff member clicked on a link in an email, which uploaded malware to the network. The malware disabled the city’s email system, direct deposit payroll system and 911 dispatch system.

According to Rose Anne Brown, the city’s spokesperson, they had been working with independent security consultants who recommended that they pay the ransom. The payment is being covered by the city’s insurance. Brown said that they are relying on the advice of the consultants, even though the stance of the FBI is to not pay off the hackers.

There are many businesses and government agencies that have been hit in the US and across the world in recent years. The city of Baltimore, for instance, was asked to pay $76,000 in ransom just last month, but that city refused to pay. Atlanta and Newark were also hit with demands.

Just last year, the US government accused a programmer from North Korea of creating and attacking banks, governments, hospitals, and factories with a malware attack known as “WannaCry.” This malware affected entities in over 150 countries and the loses totaled more than $81 million.

The FBI hasn’t commented on the attack in Riviera Beach, but it did say that almost 1,500 ransomware attacks were reported in 2018, and the victims paid about $3.6 million to the hackers.

Hackers often target areas of computer systems that are vulnerable, and any organization should consistently check its systems for flaws. Additionally, it’s important to train staff about how hackers lure victims by using emails. You must teach them, for instance, not to click on any email links or open emails that look suspicious. It is also imperative that the system and its data, and even individual computers, are backed up regularly.

Most of these attacks come from foreign entities, which make them difficult to track and prosecute. Many victims just end up paying the hacker because the data is precious to them. They also might work with some type of negotiator to bring the ransom down. In almost all cases, the attackers will do what they say and allow the victims to access their data, but not all of them do. So, realize that if you are going to pay that you still might not get access to the data. Ransomware simply should not happen to your network. If all your hardware and software is up to date and you have all the necessary components and software that your specific network requires based on its size and the data you house then your defenses become a tougher target. Additionally, proper security awareness training will prevent the criminals from bypassing all those security controls and keep your network secure as it needs to be.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Use a Password Manager Or You WILL Get Hacked

Do you ever use the same password over and over again for different accounts? If so, you are not alone. However, this is quite dangerous. It’s best to use a different, unique password for each account, and to make it easier, you should use a password manager.

According to surveys, people understand that they should use unique passwords, and more than half of people get stressed out due to passwords. Furthermore, about 2/3rds of people said that they had forgotten a password or that a password issue had cause problems at work.

However, a password manager can easily solve the issues associated with passwords. A password manager is a type of software that can store login info for any and all websites that you use. Then, when you go to those websites, the password manager logs you in. These are safe, too. The information is stored on a secure database, which is controlled by a master password.

Using a Password Manager

Most people have more than one online account, and again, it’s so important to have a different password for each account. However, it’s very difficult to remember every password for every account. So, it’s not surprising that people use the same one for all of their accounts. But, if using a password manager, you can make it a lot easier.

  • When using a password manager, you can create a password that is safe and secure, and all of your passwords are protected by your master password.
  • This master password allows you to access all websites you have accounts on by using that master password.
  • When you use a password manager, and you update a password on a site, that password automatically is updated on all the computers that use your password manager.

Password Managers Can Ease Your Stress

When you first start using a password manager, it’s likely that you’ll notice you have fewer worries about your internet accounts. There are other things you will notice, too, including the following:

  • When you first visit a website, you won’t put your password in. Instead, you can open the password manager, and then there, you can put your master password.
  • The password manager you use fills in your username and password, which then allows you to log into the website with no worries.

Things to Keep in Mind Before You Use a Password Manager

Password managers available on the internet from many reputable security companies. However, before you pay for them, there are some things that you should keep in mind:

  • All of the major internet browsers have a password manager. However, they just can’t compete with the independent software that is out there. For instance, a browser-based password manager can store your info on your personal computer, but it may not be encrypted. So, a hacker can might that information anyway.
  • Internet browser-based password managers do not generate custom passwords. They also might not sync from platform to platform.
  • Software based password managers work across most browsers such as Chrome, Internet Explorer, Edge, Firefox and Safari.

Password Managers are Easy to Use

If you are thinking about using a password manager, the first step is to create your master password.

  • The master password has to be extremely strong, but easy to remember. This is the password you will use to access all of your accounts.
  • You should go to all of your accounts and change your passwords using the password manager as an assistant. This ensures that they are as strong as possible, too.
  • The strongest passwords contain a combination of numbers, uppercase and lowercase letters, and symbols. Password managers often create passwords using this formula.

Managing your accounts online is really important, especially when you are dealing with passwords. Yes, it’s easy to use the same password for every account, but this also makes it easy for hackers to access those accounts.

Don’t Reuse Your Passwords

You might think it would be easy to reuse your passwords, but this could be dangerous:

  • If your password is leaked, hackers can get access to all of your sensitive information like passwords, names, and email addresses, which means they have enough information to access other sites.
  • When a website is hacked, and all of your passwords and usernames are discovered, the scammer can then plug in those passwords and usernames into all of your accounts to see what works. These could even give them access to your bank account or websites like PayPal.

Ensuring Your Passwords are Secure and Strong

There are a number of ways to ensure your passwords are secure and strong. Here are some more ways to create the best passwords:

  • Make your passwords a minimum of eight characters long.
  • Mix up letters, numbers, and symbols in the password, making sure they don’t spell out any words.
  • Have a different password for every account that you have. This is extra important for accounts containing financial information, like bank accounts.
  • Consider changing your password often. This ensures your safety and security.

If you have a weak password, you are much more susceptible to hacks and scams. So, protect your online existence, and start utilizing these tips.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

What Was Scary About Blackhat 2017?

As you might know, at the end of July, all types of hackers came to Las Vegas to attend Blackhat 2017. During the conference, some pretty scary hacks were exposed, and we can all take this as a lesson on what we are up against in this technology-heavy world. Here are some of the scariest hacks we learned about during Blackhat 2017:

Carwash Hijacking

Nothing is safe from technology, and these days, carwashes are an unexpected target for hackers. It is perfectly possible that a car wash could be hacked, controlled remotely, and used to destroy vehicles. Scary.

Hacking Cars

Speaking of vehicles, it was also revealed how easy it is for a pro to hack automobiles. Just last year, Chinese hackers were successful in hacking a Tesla S. The hackers disabled the brakes, so Tesla updated security in its cars. However, recently, the car company was hacked again, showing that hackers always find a way.

Oculus Headsets and Hoverboards

Another scary hack participants learned about was that hackers can access hoverboards and the Oculus Rift headsets. These hacks could cause the devices to shake uncontrollably, bringing harm to those who are using them.

Printer Hacking

Michael Howard Chief Security Advisor of HP and painfully demonstrated that only 18% of IT security managers are concerned about printer security where as 90% are concerned about PC’s. That stat is one reason why ?92% of Forbes Global 2000 companies experienced a breach in 2016 which in part resulted in 4 billion records breached worldwide. According to the Ponemon Institute, 60% of data breaches reported by companies involve printers. Very scary.

The Motivation of Adversaries

We also learned that hackers wanting money, data, or intelligence aren’t their only motivation. More and more, they are motivated by the ability to manipulate people, to undermine democracy, and to wreak havoc for journalists and activists.

Wind Hacking

Wait, what? Participants at Blackhat 2017 also learned about how the bad guys are hacking the wind. Well, not actually the wind, but the systems that create wind energy. The main motivation here is money. Just one hacked turbine can cost anywhere from $10,000 to $30,000 per hour. That’s a lot of leverage for hackers who only need to hack a single turbine to demand ransom to set the turbine free.

Hacker Masquerade

Hackers are also using a savvy technique to hack phones. Chinese hackers are switching from targeting high tech LTE networks to slow 2G technology. This means, when our phone switch to a slower network, which happens if the signal isn’t strong, even if you have great security, your phone can still be hacked.

Facebook Bounties

These are some of the scariest hacks we saw at Blackhat 2017, but never fear, white hat hackers are on it. In fact, companies like Facebook are offering cash, up to $1 million, for developers who create software to keep users safe. OK, not scary. But good.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Blackhat Hackers Love Office Printers

The term, or in this case the word “blackhat” in tech generally refers to a criminal hacker. The opposite of black is white and a “whitehat” is a security professional. These terms originate from the “spaghetti western” movies when the bad guy cowboy wore a black hat and the law wore white hats. Fun huh?! Blackhat is also the name of the largest conference on the planet for information security. The conference itself is 20 years old and as Alex Stamos who is the CSO for Facebook and also Blackhat 2017’s keynote speaker said “Blackhat isn’t even old enough to drink” That statement reflects just how far we’ve come in information security and also how much more there is to do.

One of the presentations at Blackhat discussed printer security called “Staying One Step Ahead of Evolving Threats” by Michael Howard Chief Security Advisor of HP and painfully demonstrated just how much more there is to do.

Do you ever feel as if your office printer is dangerous? Most of us don’t. In fact, more than half of businesses don’t even bother adding printers to their security strategies. Mr Howard stated only 18% of IT security managers are concerned about printer security where as 90% are concerned about PC’s. That stat is one reason why ?92% of Forbes Global 2000 companies experienced a breach in 2016 which in part resulted in 4 billion records breached worldwide.

Hackers know this, so office printers are the perfect target for them. Remember, printers are connected to the network, and if unprotected, they are easily hacked. According to the Ponemon Institute, 60% of data breaches reported by companies involve printers. So, why do hackers love printers? Here are a bunch of reasons:

Networks are Vulnerable

Even if you have a firewall, there are several devices that might be on a network that are access points to that network. When you don’t add your printer to your security plan, it becomes a welcome access point to hackers. Once they get in, the consequences could be terrible for a business.

Hackers Can Get Useful Data

The data that hackers can get from printers that are not protected is unencrypted. If one of your staff members sends sensitive information to the printer, yet it is unencrypted, the hackers can read it. Mr Howard shared how one universitys unsecured printers led to students hacking tests days before they were taken, giving the students a significant advantage. Do you really want your company’s data to be open like that? All hackers have to do is take it if the printer isn’t protected.

They Know They Can Access Other Devices

Hackers also love office printers because they know that once they are in, they can access other unprotected endpoints on the network. Mobile devices are an excellent example of this. It is quite challenging to secure access to all of these devices. The more devices that are connected to the network, the easier it is to access it.

Information Leaks

How many times have you printed something at the office and let it sit in the tray for a while? This happens often. Hackers know this, too, and they can essentially print anything once they have access to the printer and retrieve it at any time. This easily opens up the business to compliance issues.

Finally, hackers love office printers because they get inside access. ?Once the printer is compromised, so is the rest of the network.

  • Change the printers default passwords.
  • All computing devices including printers need encryption.
  • Printer hard drives have lots of data. Destroy hard drives prior to recycling or reselling.
  • Printer firmware and software needs to be regularly patched and updated.
  • Use “fleet management” tools to ensure all of the companies devices are protected.

When businesses implement security policies and procedures that directly address endpoints, including printers, they significantly reduce risk and maintain proper network and data security compliance.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to Stop Your Cellphone from Getting Hacked

If you are like most of us, you probably have a password, antivirus program, and a firewall for your home computer to protect it from hackers. Are you doing the same thing for your phone?

From 2015 to 2016 malware infections on smartphones swelled by 96%, and about 71% of the smartphones out there do not have any software at all to protect them. What does that mean for you? It means the odds are against you when it comes to getting your phone hacked. Luckily, there are some things you can do to protect your mobile phone from hackers:

  • Update Your Operating System – Many people skip updates for some reason. Don’t put it off. Most of these updates contain security fixes that your old operating system didn’t have.
  • Put a Lock On It – If your phone doesn’t have a passcode on it, it’s like leaving the front door of your home open for burglars. Hackers will get in; it’s just a matter of time. If you can, use a biometric method, like a swipe or finger tap. In addition, set up a good passcode. Make sure it’s totally unique and nothing a hacker can guess, like your address or birthday.
  • Use Caution with Public Wi-Fi – Public Wi-Fi is great, in theory, but it can also be dangerous, as it is very easy for hackers to access your info. It’s usually pretty safe to use a public Wi-Fi connection for things like catching up on the news or watching a movie, but don’t put any personal information into your device such as your banking password or credit card number.
  • Check Up On Your Apps – Hackers often use phone apps to access data. So, to make sure you are really safe, make sure to delete any apps that you aren’t using regularly. An outdated app can be dangerous, too, so make sure to always update when one is available. Also, only download apps from reputable sources like Google Play and iTunes.
  • Use a VPN – Finally, use a VPN, or virtual private network. This will encrypt your information when you use it over a public network. They are free or cheap, usually $5 to $30, and that small investment is definitely worth it for your safety.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Hire an Ethical Hacker NOW!

You might think it’s crazy to actually hire a hacker, but if you don’t have an ethical hacker on your security team, you could be playing a dangerous game.

Ethical hackers are called “white hat hackers” and are legal hackers, that help businesses find security problems in their networks. Developer and security teams, who build out codes, should have a white hat hacker on their side. This way, they will know from the start if the code is vulnerable. This is also known as “application security”.

How Important are Ethical Hackers?

How important is this? It’s so important that even the largest companies in the world are using this practice. Take Microsoft, for instance. They host a competition for white hat hackers, and challenge them to find any bugs present in their codes. This is called a “bounty”. On participant, was able to bypass every single security measure that Microsoft had in place. Can you imagine what would happen if he was one of the bad guys?

This type of security solution should be the first line of defense for your company, as they expose the risks that your company might have. Additionally, many companies used white hat hackers to ensure that they are complying with legal standards, such as HIPAA.

Wouldn’t Security Audits Work?

A security audit is basically a checklist for what a network has and doesn’t have in place. There’s not rubber on the road. Ethical hacking is a real world test. A security audit isn’t. The job of a white hat hacker is to find as many holes in the code as possible, and then report them back to the company. Another benefit of using an ethical hacker is that the information they provide helps to enhance the detection quality of products. An audit probably wouldn’t find this information.

What Does it Mean For Your Company?

Before anything, it’s important that you realize that an ethical hacker can help you and your business. A strong security program must focus on both the security of the code and the program’s security as it runs. This is where an ethical hacker will be most beneficial. Of course, it’s best to get the coding right the first time, but mistakes happen, and this is where a white hat hacker can make a huge difference.

So, the next time you talk about staffing, remember to bring up the addition of a white hat hacker. It could be the difference between keeping your data safe or being the victim of a real hacker.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Malware Hack Attacking the Grid…BIGLY

For more than four years, malware has been posing as legitimate software and infecting industrial equipment across the globe.

The malware, which looks just like the Siemens control gear software, has affected at least seven plants in the US. According to security experts, the malware was specifically designed to attack this industrial equipment, but what it does is not totally known. It is only described as a type of “crimeware.”

The malware was first hinted at in 2013, but at that time, it was not seen as dangerous, and many anti-virus programs were flagging it as dangerous, but it was considered a false positive. Eventually, it was seen as a type of basic malware, and upon further inspection, it was found that there are several variations. The most recent flag was in March 2017.

This particular infestation is only one of many malware infections that target industry. Approximately 3,000 industrial locations are targeted with malware each year, and most of them are Trojans, which sometimes can be brought in by staff on found or compromised USB sticks.

Most of these programs aren’t extremely harmful, meaning they won’t shut down production. However, what they could do is pave the way for more dangerous threats down the road. It also allows for sensitive information to be released.

It is not easy for hackers to infiltrate an industrial plant, and it takes good knowledge of layout, industrial processes, and even engineering skills to pull something like that off. This goes way beyond a simple malware attack.

However, these attacks have also brought to light the issue of how many legitimate files are being flagged as malware and vice versa. This means that the files can be used by the bad guys, who can then target a specific industrial site. There are thousands of these programs out there, ripe for the picking by observant hackers.

What can they do if they get this information? They could find out where the site is, who operates it, the layout and configuration, what software they have, and even what equipment they are using. Though this wouldn’t give them everything they need, it would be enough to plan a bigger, more dangerous attack.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Second Hand and Discarded Devices Lead to Identity Theft

A new study was just released by the National Association for Information Destruction. What did it find? Astonishingly, about 40% of all digital devices that are found on the second-hand market had personal information left on them. These include tablets, mobile phones, and hard drives.

The market for second hand items is large, and it’s a good way to find a decent mobile device or computer for a good price. However, many times, people don’t take the time to make sure all their personal information is gone. Some don’t even understand that the data is there. This might include passwords, usernames, company information, tax details, and even credit card data.  What’s even more frightening is that this study used simple methods to get the data off the devices. Who knows what could be found if experts, or hackers, got their hands on them. It wouldn’t be surprising to know they found a lot more.

Here are some ways to make sure your devices are totally clean before getting rid of them on the second-hand marketplace:

  • Back It Up – Before doing anything, back up your device.
  • Wipe It – Simply hitting the delete button or reformatting a hard drive isn’t’ enough. Instead, the device has to be fully wiped. For PCs, consider Active KillDisk. For Macs, there is a built in OS X Disk Utility. For phones and tablets, do a factory reset, and then a program called Blancco Mobile.
  • Destroy It – If you can’t wipe it for some reason, it’s probably not worth the risk. Instead, destroy the device. Who knows, it might be quite fun to take a sledge hammer to your old PC’s hard drive, right? If nothing else, it’s a good stress reliever!
  • Recycle It – You can also recycle your old devices, just make sure that the company is legitimate and trustworthy. The company should be part of the e-Stewards or R2, Responsible Recycling, programs. But destroy the hard drive first.

Record It – Finally, make sure to document any donation you make with a receipt. This can be used as a deduction on your taxes and might add a bit to your next tax return.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Researchers Say Office of Personnel Management Hack Leads to Ransomware

In June, 2015, it was revealed by an anonymous source that the Office of Personnel Management was hacked. This office, which administers civil service, is believed to have been the target of the Chinese government. This is one of the largest hacks in history involving a federal organization.

Slowly, the motivation behind the hacking is being understood. At first, it seemed obvious, the stolen data being personally identifiable information, which is what was taken can be used for new account fraud. But in government breaches, they usually look for military plans, blueprints, and documents that deal with policy.

The question, of course, is why did the hackers focus on this information? Well, some of the data that was taken was used to launch other attackers against contractors, and this resulted in the access to several terabytes of data.

Now, those who have become victims of this attack have found themselves being the target of ransomware.

Security experts have recently noticed that the victims have been getting phishing emails, and these messages look like they are coming directly from the Office of Personnel Management. When these emails arrive, the body and subject of the message seem as if the email contains an important file. When the unsuspecting victim downloads the .ZIP file, however, they instead receive a type of ransomware called Locky.

These attacks are much more dangerous than the average phishing attack. This is mainly due to the fact that they are being received by those who have worked with the Office of Personnel Management before. Thus, they have seen the genuine emails from the office, which look remarkably similar to the fake ones. The only thing that set the two emails apart was a typo that said “king regards,” instead of “kind regards,” and a phone number that doesn’t work. These are details that many people overlook, which makes it easy for hackers to be successful with these schemes.

Who was Really Behind This Hack?

Though experts believe that the Chinese government is behind this hack, there are some facts that look a bit fishy. For instance, since personal data was taken and data has been taking hostage, this seems much more like a typical cybercrime operation instead of something that a nation would do. After all, why would China be looking for a few hundred dollars from people who want their files back?

Of course, this could be a smokescreen and someone could just be using this attack as a smokescreen…and while experts are focused on this, the real attack could be planned for the future.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.