
Are You Protected From Zeus?

In Greek mythology, Zeus is the father of all gods and men. Today in the tech world, Zeus is the father of all computer viruses. The Zeus Trojan virus, which has been around since 2007, has been described as one of the most powerful, sophisticated, and evasive viruses ever. Many antivirus programs have had difficulty defeating it. Experts believe that millions of computers may have the virus without users having noticed.

Zeus behaves like many other viruses in that it may lure the PC user into clicking an infected link in the body of an email, then instantly downloads the virus, which quietly installs itself in the background. Sometimes that link may point to an infected website, which injects the virus in the form of a “drive-by download.” Once Zeus has been installed, it works as spyware, recording keystrokes as the user types.

Last month, the FBI broke up a hacking ring that had used the Zeus virus to steal more than $70 million. More than 100 people were charged or detained, including code writers in the Ukraine and “mule-network operators” throughout the United States, the United Kingdom, and Ukraine. The ring primarily targeted U.S. bank accounts, as well as some in the U.K., the Netherlands, and Mexico.

Zeus is designed to steal bank account login credentials. It has traditionally targeted PCs, but has now been updated to attack cell phones as well, with one version of the malware apparently “intercepting SMS confirmations sent by banks to customers, and defeating the fund transfer authorization codes.”

Protect yourself from this and other viruses by running free operating system updates from Microsoft. Click “Start,” then “All Programs,” and then scroll up the menu and select “Windows Update” or “Microsoft Update.”

You should also install antivirus software. Most PCs come bundled with antivirus software that is free for the first year or six months. Just renew the license whenever it expires. Most antivirus software categorizes spyware as a virus now, but it’s also a good idea to run a spyware removal program daily. You should also install a firewall. Microsoft’s operating system has one built in, but it is not sufficient. Use a third party firewall that comes prepackaged with antivirus software.

And don’t be a fool. Scammers consider you, the target, “simple minded.” They’ll use 1001 different techniques to trick you into divulging your data. They attempt to gain your trust by lying, sending misleading emails, or planting pop-up ads that try to convince you to download software for your own protection. Just hit delete.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. (Disclosures)

Retailers’ Point of Sales Terminals “Slurped”

Skimming of electronic funds transfers at the point of sale (EFTPOS) is a relatively new scam that has become more prevalent over the past few years. This form of skimming involves swapping out the self-swipe point of sale terminals at cash registers and replacing them with devices that record credit and debit card data.

Fast food restaurants, convenience stores, and clothing boutiques are being hit the hardest in Australia. Last year, EFTPOS devices at McDonald’s outlets across Perth were replaced with compromised versions designed to skim cards, cheating 3500 customers out of $4.5 million. The thieves actually replaced the entire device you see at the counter when you order your Big Mac! The problem is so severe that officials have urged people to change their PINs on a weekly basis to prevent their entire bank accounts from being wiped out. A similar scam was pulled off at United States supermarket chain Stop and Shop.

POS machines are particularly vulnerable because the magnetic stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques. Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars.

This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade. In response to its skimming problems, Australia is turning to chip and PIN technology. Last year, Visa announced a four-year plan to shift all Australian cards to chip and PIN. Since this past January, all new Visa credit cards in Australia feature embedded smart chips, and in 2013, signatures will no longer be accepted at checkout.

You can’t protect yourself from this type of scam. But you can recover any losses by paying attention to your statements and refuting any unauthorized transactions within 60 days. And when swiping your card at any POS terminal, be alert for any details that seem unusual. If you notice anything odd about the machine’s appearance, such as wires or error messages, or if your card gets stuck, don’t use it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Online Privacy: Fighting for Your Eyeballs

You may have noticed that the Internet is expanding. Major newspapers are publishing all their content online, because the readers expect and demand it. 23 of the 25 largest newspapers are seeing declines in readership. And if people aren’t buying newspapers, advertisers won’t place ads in them.

Newspapers hire journalists to investigate the issues that affect us on a daily basis. It’s these well-paid, experienced journalists who keep us informed, disseminating news that helps us make decisions in our own lives. We need these journalists to expose lies and uncover truth. Without quality journalism, the media’s influence will have an adverse impact on us all.

But if newspapers aren’t making money, journalists won’t have jobs. As newspapers shift their business models from local, paper-based distribution to online, potentially international distribution, their advertising strategy must change.

There are hundreds of new companies that understand this dilemma perfectly and have created technologies to capture your attention by knowing exactly who you are and what you want. This is where targeted Internet advertising comes in, and it has privacy advocates freaking out.

Most major websites now install cookies on your computer, which track what you do online. Over time, these cookies develop a profile, which becomes your digital fingerprint, to a certain extent. You may have noticed after searching for a specific product, advertisements for that particular product or brand appearing on various other websites you visit.

Microsoft, Google, Facebook, and most major newspapers, retailers, and advertisers are in on the game. These large companies are making decisions that affect your privacy. As a consumer, you should pay close attention to these issues and consider how they might impact you personally.

The Wall Street Journal delves into these questions here, here, and here.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses oversharing on the Internet on Fox News. (Disclosures)

Twitter Crime on the Rise

Twitter is now beginning to see a substantial rise in active users. A recent report found that the percentage of Twitter users who have tweeted ten or more times, have more than ten followers, and follow more than ten people rose from 21% to 29% in the first half of 2010.

Spammers, scammers, and thieves are paying attention.

In the physical world, when communities become larger and more densely populated, crime rises. This also applies to online communities, like Twitter and Facebook.

Twitter’s “direct messages” and “mention” functions are laden with spam, often prompting users to click various links. Why anyone would want me to “Take a Good Look at Hypnotherapy” is beyond me, but someone must be buying because the spam keeps coming.

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter (and Facebook) accounts, including those of President Obama, Britney Spears, Fox News and others have been taken over and used to ridicule, harass, or commit fraud.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals Coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter is sometimes plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.

DoS Attack: A denial-of-service attack left Twitter dark for more than three hours. The attack seems to have been coordinated by Russian hackers targeting a blogger in the Eastern European country of Georgia.

Botnet Controller: One Twitter account produced links pointing to commands to download code that would make users’ computers part of a botnet.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Twitter Porn: Please, “Misty Buttons,” stop sending me invites to chat or to check out your pictures.

Twitter Spam: The use of shortened URLs has made Twitter’s 140 character limit the perfect launch pad for spam, shilling diet pills, Viagra and whatever else you don’t need.

To prevent social media identity theft, take ownership of your name or personal brand on Twitter. Protecting yourself from other scams requires some savvy and an unwillingness to click mysterious links. In other cases, you’ll need to keep your web browser and operating system updated in order to remain safe. Make sure to keep your antivirus software updated with the latest definitions, as well.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hacking wireless networks on Fox Boston. (Disclosures)

Cross-Site Scripting Criminal Hacks

Secure computing requires an ongoing process, as you learn about risks and then implement processes and technology to protect yourself. Without a concerted effort to defend your data, you will almost certainly be victimized by some type of cyber-invasion.

JavaScript is everywhere, making the Internet pretty and most websites user friendly. Unfortunately, hackers have learned to manipulate this ubiquitous technology for personal gain. JavaScript can be used to launch a cross-site scripting attack, which leverages a vulnerability often found in applications that incorporate JavaScript. The vulnerability allows hackers to insert code into a website you frequent, which will infect your browser and then your PC.

Following links without knowing what they point to, using interactive forms on an untrustworthy site, or viewing online discussion groups or other pages where users may post text containing HTML tags can put your browser at risk.

Facebook, one of the most popular websites, is a likely place for JavaScript hacks, due to cross-site scripting vulnerabilities and the overall lack of security of Facebook users. This allows hackers to read a victim’s private Facebook messages, to access private pictures, to send messages to the victim’s contacts on his or her behalf, to add new (and potentially dangerous) Facebook applications, and to steal the victim’s contacts.
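The defect behind the attack described above is a page that copies user-posted text (a comment on a discussion board, say) straight into its HTML, so any tags the poster included are handed to every visitor's browser. The following is an added illustration, not code from the original post or from any site it names: a deliberately vulnerable renderer beside two hardened ones. The first hardened version output-encodes the whole comment; the second, for pages that want to permit a little formatting, is a hypothetical allowlist sanitizer built on Python's standard `html.parser` that keeps only a few harmless tags and `http(s)` links and discards everything else. The comment text is constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a "comment" a visitor submitted to a discussion page.
# It mixes harmless formatting with a script tag and a javascript: link.
POSTED_COMMENT = ('Nice post! <b>Thanks</b> <script>alert("xss")</script> '
                  '<a href="javascript:alert(1)">click</a>')


def render_comment_vulnerable(comment: str) -> str:
    """Echoes user text verbatim into the page: the posted <script> tag is
    emitted as-is, so every visitor's browser would execute it."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_escaped(comment: str) -> str:
    """Output-encodes the text so <, >, quotes and & become inert literals.
    This is the right default whenever user text is not meant to carry markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


class AllowlistSanitizer(HTMLParser):
    """Hypothetical allowlist sanitizer (not a library API): keeps a few
    formatting tags, keeps <a> only with an http(s) href (attribute value
    re-escaped), drops all other tags and attributes, and discards the
    contents of <script> and <style> entirely."""

    ALLOWED = {"b", "i", "em", "strong", "p", "br"}
    DROP_CONTENT = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip_depth += 1
        elif self._skip_depth:
            return
        elif tag in self.ALLOWED:
            self.out.append(f"<{tag}>")           # attributes deliberately dropped
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">')
            else:
                self.out.append("<a>")            # javascript:, data:, etc. are removed

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth and (tag in self.ALLOWED or tag == "a"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped; convert_charrefs decoded entities for us.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize(comment: str) -> str:
    """Run the allowlist sanitizer over one posted comment."""
    parser = AllowlistSanitizer()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(POSTED_COMMENT))
    print("escaped:   ", render_comment_escaped(POSTED_COMMENT))
    print("sanitized: ", sanitize(POSTED_COMMENT))
```

For the constructed comment, the vulnerable renderer emits the script tag intact, the escaped renderer turns it into `&lt;script&gt;`, and the sanitizer keeps `<b>Thanks</b>` and the link text while removing the script block and the `javascript:` href. Escaping on output is the simpler and safer choice; an allowlist sanitizer is only worth its complexity when users genuinely need markup, and even then the allowlist should stay short.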

Beware of going down the rabbit hole when browsing the Internet. Once you start clicking link after link, you may find yourself on an infected site. And look out for scams such as contests that require you to paste code into Facebook, your blog, or any other site.

To protect yourself from cross-site scripting attacks, update your browser to the most recent version, with the most current security settings.

McAfee offers a free tool, SiteAdvisor, which helps detect malicious sites. In Firefox, you can install NoScript, a plug-in that lets you control when to enable JavaScript. NoScript also includes a list of good and bad sites. In Chrome, you can disable JavaScript in preferences, and in Internet Explorer, you can fiddle with the settings and adjust “Internet Zones,” but the default settings are best for most people. In Adobe Reader, JavaScript can be disabled altogether, under “Edit” and then “Preferences.”

That being said, after messing with default browser or program settings, the reduced functionality may impede your ability to do anything online. The trick is to have the most updated security software and to avoid social engineering scams that ask you to click links or copy code.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One tried-and-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

“Flash Attacks” Make Big Money for Debit and Credit Card Scammers

The latest ATM scam is so brilliantly simple, it’s hard to believe that it actually works. Apparently, banks’ fraud detection systems are unable to flag nearly simultaneous transactions from the same account. This leaves bank customers vulnerable to what’s been termed a “flash attack,” in which multiple scammers use a stolen debit card number to withdraw cash from the same account.

Once a victim’s debit card number has been successfully skimmed, the card can be cloned, say, 100 times, and the cloned cards can be distributed to 100 people. All 100 people can then use the cloned cards to withdraw cash from 100 different ATMs within a brief window of five or ten minutes. If 100 people withdraw $200 each from the same account, at the same time, the scam nets $20,000 in almost no time.
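The detection gap described above is that each withdrawal looks normal on its own; it is the pattern (one account, many distinct ATMs, a few minutes) that gives the attack away. The following is an added example, not code from the original post or from any bank: a sliding-window rule that groups withdrawal records by account and raises an alert when one account is debited at three or more distinct ATMs inside a ten-minute window. The log format, the `acct=`/`atm=` field names, and the transaction lines are all constructed for the example; the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ATM withdrawal records, one per line
# ("<ISO timestamp> acct=<account> atm=<terminal> amount=<dollars>").
# Account 4111-0001 is hit from five terminals in under four minutes;
# account 4111-0002 makes two ordinary withdrawals hours apart.
SAMPLE_LOG = """\
2010-10-20T12:00:05 acct=4111-0001 atm=ATM-BOS-01 amount=200
2010-10-20T12:00:41 acct=4111-0001 atm=ATM-BOS-07 amount=200
2010-10-20T12:01:10 acct=4111-0002 atm=ATM-NYC-03 amount=60
2010-10-20T12:01:55 acct=4111-0001 atm=ATM-NYC-03 amount=200
2010-10-20T12:02:30 acct=4111-0001 atm=ATM-CHI-12 amount=200
2010-10-20T12:03:59 acct=4111-0001 atm=ATM-LAX-04 amount=200
2010-10-20T14:30:00 acct=4111-0002 atm=ATM-NYC-03 amount=40
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record with a datetime and int amount."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["amount"] = int(rec["amount"])
    return rec


def detect_flash_attacks(log_text: str, window_seconds: int = 600,
                         min_distinct_atms: int = 3) -> list:
    """Return one alert per account whose withdrawals, within any window of
    window_seconds, touch at least min_distinct_atms different terminals.
    The alert reports the densest window found for that account."""
    window = timedelta(seconds=window_seconds)
    by_acct = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_acct[rec["acct"]].append(rec)

    alerts = []
    for acct, recs in by_acct.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            # Advance the window start until all records in [start, end] fit.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            atms = {r["atm"] for r in win}
            if len(atms) >= min_distinct_atms and (
                    best is None or len(atms) > best["distinct_atms"]):
                best = {
                    "acct": acct,
                    "distinct_atms": len(atms),
                    "withdrawals": len(win),
                    "total": sum(r["amount"] for r in win),
                    "first": win[0]["ts"].isoformat(),
                    "last": win[-1]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_flash_attacks(SAMPLE_LOG):
        print(alert)
```

On the sample, account 4111-0001 is flagged with five distinct ATMs and $1,000 withdrawn between 12:00:05 and 12:03:59, while 4111-0002 is not. In a real system the rule would run on a stream rather than a batch, and geography matters as much as timing: two cash withdrawals a minute apart in cities hundreds of miles apart are physically impossible for one cardholder, so a distance check on terminal locations would tighten the rule further.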

Your credit or debit card number can be skimmed in a number of different ways:

Wedge Skimming: The most common type of skimming occurs when a salesperson or waiter takes your credit or debit card and runs it through a card reader, which copies the information contained in the card’s magnetic stripe. Once the thief has obtained the credit or debit card data, he can then burn the card number to a blank card, or simply use the number to make purchases online or over the phone.

POS Swaps: Many people pay for goods or services by swiping a credit or debit card through the in-store point of sale machines. EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal has been replaced with a skimming device. In Australia, fast food chains, convenience stores, and specialty clothing stores have been common targets. McDonald’s, for example, has been hit with this scam.

ATM Skimmers: A card reader device can also be placed on the face of an ATM, disguised as part of the machine. It’s almost impossible for the average user to recognize a skimmer unless it is of poor quality, or the user has an eye for security. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or car-stereo-looking speaker on the face of the ATM in order to capture the victim’s PIN. The device may use wireless Bluetooth or cellular technology built to obtain the data remotely. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors: Rather than simply placing a skimmer on the face of a gas pump, some criminals place a data-stealing device inside the pump. Posing as a fuel pump technician, a criminal can use a universal key purchased on eBay to access the terminal. Once inside, they unplug a cable that connects the keypad to the display, and piggyback their own device within the mechanism, in order to capture all the unencrypted card data.

Dummy ATMs: ATMs can easily be purchased through eBay or other outlets, and installed in any heavily trafficked location. The machine, which might be powered by car batteries or plugged into the nearest outlet, is programmed to read and record card data. I found one advertised on Craigslist and picked it up at a nearby bar, for $750 from a guy named Bob.

Once credit card numbers have been skimmed, hackers can copy the data on to blank cards, hotel keys, or “white cards,” which are effective at self-checkouts, or in situations where the thief knows the salesperson and is able to “sweetheart” the transaction. A white card can also be pressed with foils, giving it the appearance of a legitimate credit card.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. In order for the $50 limit to apply to debit cards, fraud victims must notify the bank within two days of discovering the fraudulent transactions. After two days, the maximum liability jumps to $500.

When using an ATM, gas pump, or point of sale terminal, always cover your PIN.

As inconvenient as this may seem, regular debit card users should check online statements daily.

Consider limiting your debit card use. I use mine only two or three times a month, for deposits and withdrawals.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Protecting Children on the Internet

Today’s kids don’t even know what it’s like to not be connected to the Internet. But being technology savvy doesn’t mean they are safe and secure.

Since the Internet as we know it was born in the early 1990s, it has become an integral part of our and our kids’ lives. Online shopping, social media, mobile web, and computers in the classroom are as normal to them as riding a Huffy bicycle was to me. For these kids’ parents, the online world often feels too fast and too complicated. Nevertheless, it is essential that parents educate themselves on safe, secure online practices in order to set a positive example and provide guidance for their children as they navigate the web.

Fortunately, safe and appropriate online behavior isn’t much different than in the real world. The main distinction is that on the Internet, it is necessary to be particularly sensitive regarding how and with whom you communicate.

Parents who lack experience with the Internet, computers, or mobile phones must learn the basics before they can adequately monitor their children’s habits. A parent’s discomfort or unfamiliarity with technology is no excuse to let a child run wild on the Internet.

As with any task, one should start with the fundamentals. In recognition of National Cyber Security Awareness Month, let’s go over some of those fundamentals:

  • Spend as much time as possible with kids in their online world. Learn about the people with whom they interact, the places they visit, and the information they encounter. Be prepared to respond appropriately, regardless of what sort of content they find. Remember, this is family time.
  • One popular tactic has been to set up the computer in a high-traffic family area, and to limit the time children may spend using it. This is still good advice, but it becomes less feasible as more children have their own laptops and mobile phones, which can’t be so easily monitored.
  • Teach children to recognize inappropriate behavior. Kids will be kids, but that doesn’t mean it’s okay to say mean things, send racy pictures, make rude requests, or suggest illegal behavior. If it isn’t okay in the physical world, it isn’t okay on the Internet.
  • Consider investing in computer security software with parental controls, which limit the sites kids can access.
  • Decide exactly what is and is not okay with regards to the kinds of websites kids should visit. This dialogue helps parents and children develop a process for determining appropriate online behavior.
  • Children should be restricted to monitored, age-appropriate chat rooms. Spend time with your children to get a feel for the language and discussion occurring on the websites they wish to visit.
  • Do not allow children to create usernames that reveal their true identities or are provocative.
  • Children should be reminded never to reveal passwords, addresses, phone numbers, or other personal information.
  • Kids should not be permitted to post inappropriate photos or photos that may reveal their identities. (For example, a photo in which a t-shirt bears the name of the child’s city or school.)
  • Never allow a child to meet an online stranger in person.
  • Children should be taught not to open online attachments from strangers.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online predators on Fox News. (Disclosures)

15 Facebook Fiascos to Watch Out For

The following 15 activities, all of which are facilitated by Facebook and other social networking websites, are causing lots of heartache and headaches:

1. Posting illegal activities. In the little town where I grew up, 30 kids recently faced the wrath of their parents, school officials, law enforcement, and the Boston media, all because someone posted their party pictures, which depicted underage drinking, on Facebook. It’s never okay to show illegal behavior.

2. Account hijacking. Phishers imitate the Facebook email template, tricking victims into believing they have received an official Facebook message. Once you enter your login credentials, criminals can take over your account, pose as you, and ask your friend for money. Always log into your Facebook account manually, rather than going through a link in an email.

3. Facebook bullying. It is so much easier to write something awful about someone than it is to say it to them personally. Words hurt. Vicious words have led to kids committing suicide. Friend your kids and see what their online dialogue looks like.

4. Online reputation management (or lack thereof). I’ve seen teachers, professors, students, officials, police, and others from just about every walk of life get fired because of words or pictures they posted on Facebook. Remember, if what you post wouldn’t pass the potential employer test, don’t do it.

5. Social media identity theft. When someone snags your name, posts a photo as you, and begins to communicate while impersonating you, the effects can be devastating. Grab your name on as many sites as possible, including Facebook. Knowem.com can help speed up this process.

6. Financial identity theft. Bad guys use Facebook to crack your passwords. Most online accounts use “qualifying questions” to verify your identity. These questions tend to involve personal information, such as your kids’, other relatives’, or pets’ names or birthdays. When the bad guys find this information on your Facebook page, they can reset your passwords and steal your identity. So limit what you post, and lock down your privacy settings.

7. Burglaries. Criminals have been known to check Facebook statuses to determine if potential victims are home or not. Publicly declaring that you’re not home creates an opportune time for burglars to ransack your house. Never post this information on Facebook.

8. Geo-stalking. Location-based GPS technologies incorporated into social media are perfect tools for stalkers to home in on their target. Please just turn these settings off.

9. Corporate spying. By posing as an employee, setting up a Facebook group, and inviting all the company’s employees to join, the bad guy gathers intelligence that enables him to commit espionage from within the organization.

10. Harassment. This goes beyond bullying. In one example, a woman was on a camping trip and unreachable by phone when her Facebook account was taken over. The “harasser” wrote all kinds of desperate status updates posing as the woman, leading concerned friends and law enforcement to her house, where they broke down her door.

11. Government spying. Who is that new friend? The AP reports, “U.S. law enforcement agents are following the rest of the Internet world into popular social-networking services, going undercover with false online profiles to communicate with suspects.” Just don’t be a “suspect.”

12. Sex offenders. Facebook is perfect for sex offenders, who pose as real nice people until they gain their victims’ trust. Always be on guard, and do background checks, at least.

13. Scams. It’s just a matter of setting up a fake Facebook page and marketing it to a few people, who then send it to their friends, who send it to their friends. An Ikea scam hooked 40,000 unsuspecting victims with the promise of a $1,000 gift card. Like mom said, if it sounds too good to be true, it’s probably not true.

14. Legal liabilities. In New York, a judge recently ruled that material posted on Facebook and other social networking websites can be used as evidence in court, regardless of whether the posts were hidden by privacy settings.

15. Zero privacy. If you think for one second that what you post on Facebook is for you and your friends’ eyes only, you simply don’t understand how the Internet works. Many sites are capable of pulling data from the bowels of Facebook, despite any privacy settings you may have in place. And that data can be stored forever, which means that it can come back to bite you long after you’ve forgotten you ever posted it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers on social media on CNN. (Disclosures)


Cybersquatting Scams Aren’t Over Yet

Cybersquatting, simply put, is the act of procuring someone else’s trademarked brand name online. The Anti-cybersquatting Consumer Protection Act, a U.S. federal law enacted in 1999, describes cybersquatting as registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.

Cybersquatters squat for many reasons. Some squat for fun or because they like the brand or name, while other squatters use the domain to advertise competitors’ wares, or for stalking, harassment, or outright fraud. Most cybersquatters offer to sell the domain at an inflated price to the person or company who owns the trademark contained within the domain name.

In particularly malicious cases of cybersquatting, identity thieves use a domain similar to that of a bank or other trustworthy entity in order to create a spoofed website for phishing. If the desired domain isn’t available, typosquatting is the next best option. After Annualcreditreport.com launched, more than 200 similar domains were quickly snapped up.

Computerworld discussed the havoc that cybersquatting can wreak on a brand’s reputation. Sometimes, criminals copy a brand’s entire website in order to collect usernames and passwords from unwitting visitors. The hackers then test those names and passwords on other websites. Cybersquatting increased by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter alone, according to MarkMonitor’s annual Brandjacking Index report.
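Brand owners who want to notice lookalike registrations (the 200-plus domains that appeared around Annualcreditreport.com, for instance) before they are used for phishing need a way to score how close a new domain is to a protected name. The following is an added example, not code from the original post, from MarkMonitor, or from any of the brands mentioned: a small lookalike detector that compares the registrable label of each domain to a brand using edit distance and a contains-the-brand check. The brand name is taken from the post; the candidate domain list is constructed, and the distance threshold is an assumption.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Lower-case second-level label with hyphens removed, e.g.
    'Annual-CreditReport.com' -> 'annualcreditreport'."""
    labels = domain.strip().lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label.replace("-", "")


def classify(domain: str, brand: str, max_distance: int = 2):
    """Return 'exact', 'contains-brand', 'typo', or None for a candidate domain.
    The threshold is an assumption; tune it to the brand's length."""
    label = registrable_label(domain)
    if label == brand:
        return "exact"
    if brand in label:
        return "contains-brand"      # e.g. brand + 'login'
    if levenshtein(label, brand) <= max_distance:
        return "typo"                # dropped, swapped or substituted characters
    return None


def flag_lookalikes(registrations, brand: str, max_distance: int = 2):
    """Return (domain, reason) for every registration that resembles the brand
    but is not the brand's own domain."""
    flagged = []
    for domain in registrations:
        reason = classify(domain, brand, max_distance)
        if reason and reason != "exact":
            flagged.append((domain, reason))
    return flagged


# Constructed sample of newly registered domains to screen against the brand.
NEW_REGISTRATIONS = [
    "annualcreditreport.com",        # the brand's own domain: not flagged
    "anualcreditreport.com",         # dropped letter
    "annualcreditreport-login.net",  # brand plus a lure word
    "annuaIcreditreport.com",        # capital I standing in for l
    "creditreport.org",              # too far from the brand to flag
    "weather.com",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(NEW_REGISTRATIONS, "annualcreditreport"):
        print(f"{domain:32} {reason}")
```

On the sample list the detector flags three of the six registrations and leaves the brand's own domain and the unrelated names alone. Edit distance catches the common dropped- and swapped-letter typos; a production monitor would also normalise visually confusable characters (digit 1 for l, rn for m) and check other TLDs of the exact brand label, which the post's advice to claim your name across new extensions such as .co addresses from the registration side.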

I’ve written before about the time I was accused of cybersquatting. I wasn’t, I swear! I bought myself some domains in the early 90’s, way before cybersquatting was illegal. I sold some, and regrettably gave up some others. And there was one that will haunt me until the day I die. I owned LedZeppelin.com for five or six years. Led Zeppelin was and is my favorite band, and as a fan, I bought the domain as a keepsake. I would get emails from people all over the world, saying things like, “I am Paulo from Brazil, I love the Led Zep!”

With cybersquatting on the rise, it makes sense to claim your name, your brand name, and your kids’ names as soon as possible. There are numerous new domain extensions coming out all the time. Dot Co recently launched without much fanfare, but it creates a new opportunity for criminals to hijack your brand. I just snagged “siciliano.co.” So go get your domain before the bad guy does!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)