
Scammers Use Online Calendars to Phish Victims

You’ve been here before: You’re at work, you get a notification via a popup, then an email, then a text reminding you of an appointment on your calendar. For most busy professionals, this is pretty normal because you know you need multiple points of contact to remind you of your schedule so you don’t look like a fool and miss an appointment. Online calendars rock, and they beat the heck out of paper calendars.

But this particular appointment that just popped is unfamiliar, you don’t recall making it, and you wonder if maybe it’s a mistake or you had too many Scotches last night. It shows up in your calendar like this:

When: Sat Sep 28, 2013 11am – 12pm Eastern Time

Calendar For Robert Siciliano

Dear Robert,

Writing with humanitarian heart, my name is Mrs. Rita Kennedy, and I was married to Mr. Kennedy director of MWB Industries Cote d’Ivoire. We were married for years with only one child, who was 11 years old, our only daughter Grace. My husband died after a Cardiac Arteries Operation and left both me and little Grace.

Recently when I went for medical examination my doctor told me that I might not last for the next Eight months due to my cancer at this advanced stage (cancer of the liver and partial stroke). Before my husband died last year, there is this sum of ($6.4 Million US Dollars) that my late husband deposited with a Bank here In Ivory Coast. Presently this fund is still in the Vault of the Bank.

Having known my condition I decided to donate this fund to any good God fearing brother or sister that will utilize this money the way I am going to instruct herein. Going by my health unstable state, I am only worried about little daughter Grace and what will her life be if I die, this is why I am looking for any God fearing whom I will entrust both Grace and the money and secure her future. I prayed for one who will use this money according to the desire of my late husband to make sure that Grace is given the best and is being looked after the way we would have done for her if we were alive.

I want you to always remember me in your daily prayers because of my up coming surgery, and please after reading this letter, indicate on what you could do to help.

Hoping to read from you ASAP
Mrs. Rita Kennedy

SOOOOOOOOOOO…. Now while this particular calendar appointment is an obvious Nigerian 419 scam, not all are this obvious. So beware.

The goal here is to get the victim to respond, engage, and ultimately hand over money in an “advance fee” scam. But really, all you need to do is ignore and delete.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text “SECURE Your@emailaddress” to 411247. Disclosures.

Phishing Remains Popular and Effective

Phishing, where a scammer sends an email that appears to come from a trusted source in order to trick recipients into clicking malicious links, has been around for quite a while now. Although phishing has become fairly well known, the scam continues to be a successful and widely used method of stealing bank credentials and other personal information.

Cyber security experts recently reported to the House Financial Services panel that criminals have tweaked their phishing tactics. Until recently, most phishing messages purported to be from a bank. But in the latest versions of this scam, the phony emails claim to be from the National Automated Clearing House Association, the Electronic Federal Tax Payment System, the U.S. Postal Service, private delivery firms, telecommunications companies and social networking websites.

According to testimony from the Financial Services Information Sharing and Analysis Center, phishing “remains the most popular attack method that criminals use to infect victims’ machines.”

To protect yourself from phishing scams, malware, and identity theft, follow these guidelines adapted from the Anti-Phishing Working Group:

  1. Be suspicious of any email that demands personal financial information. Call your bank directly to determine if they legitimately need information from you.
  2. Certain red flags can help you spot a phish, such as upsetting or exciting statements designed to elicit an immediate reaction.
  3. Phishing messages typically ask for usernames, passwords, credit card numbers, Social Security numbers, your date of birth, or other similar personal details.
  4. If you suspect that an email or chat message may not be authentic, or you don’t recognize the sender, do not click any links included in the message.
  5. If possible, avoid filling out any form within an email that requires you to enter personal financial data.
  6. Consider installing a toolbar in your Web browser to help protect you from fraudulent websites. These toolbars compare online addresses against lists of known phishing websites and alert you before it’s too late.
  7. The latest versions of Internet Explorer, Chrome, and Firefox include optional anti-phishing protection.
  8. Check your bank, credit, and debit account statements regularly for any unauthorized transactions.
  9. If you notice any suspicious or unfamiliar transactions, contact your bank and/or card issuer immediately.
  10. Make sure to keep your browser up-to-date and install any necessary security patches.
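The red flags in items 2, 3 and 4 above can be turned into a simple scoring check. The following is an added example, not code from the original post or from any product the post mentions: it scores a message body for urgency language, requests for credentials, windfall promises and “fill out this form” prompts, checks whether a display name that names a known brand actually uses one of that brand’s domains, and flags links whose host is not under the sender’s own domain. The word lists, weights, threshold, brand-to-domain table and sample messages are all constructed for this example, and the `.example` domains are reserved names rather than real senders.

```python
"""Heuristic phishing red-flag scorer (added example; not the post's own code)."""
import re
from email.utils import parseaddr

# Rule table: (rule name, pattern, weight). The patterns follow the red flags in
# the guidelines above; the word lists and weights are this example's assumptions.
RULES = [
    ("urgency",
     re.compile(r"\b(immediately|urgent|within \d+ (hours|days)|act now|locked|suspended|failed)\b", re.I), 2),
    ("credential_request",
     re.compile(r"\b(password|username|social security|ssn|credit card|card number|date of birth|pin)\b", re.I), 3),
    ("windfall",
     re.compile(r"\b(won|winner|lottery|inheritance|million|beneficiary)\b", re.I), 3),
    ("form_or_attachment",
     re.compile(r"\b(fill out|attached form|download (the )?(label|report|form))\b", re.I), 2),
]

# Brands the checker knows and the domains assumed legitimate for each
# (constructed for the example; a real deployment would maintain this list).
KNOWN_BRANDS = {
    "linkedin": ("linkedin.com",),
    "ups": ("ups.com",),
    "fdic": ("fdic.gov",),
}

URL_HOST = re.compile(r"https?://([^\s/\"'<>]+)", re.I)
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off for triage


def _under(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header):
    """Address domain of the From header, lower-cased ('' if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def brand_mismatch(from_header):
    """Return the known brand named in the display name when the address
    domain is not one of that brand's domains, else None."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, domains in KNOWN_BRANDS.items():
        if re.search(r"\b" + brand + r"\b", name, re.I) and not any(_under(domain, d) for d in domains):
            return brand
    return None


def foreign_links(from_header, body):
    """Hosts of links in the body that are not under the sender's own domain."""
    domain = sender_domain(from_header)
    hosts = [h.split(":")[0].lower() for h in URL_HOST.findall(body)]
    return [h for h in hosts if not domain or not _under(h, domain)]


def score_email(from_header, body):
    """Return (score, triggered rule names) for one message."""
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(body):
            score += weight
            hits.append(name)
    brand = brand_mismatch(from_header)
    if brand:
        score += 4
        hits.append("sender_mismatch:" + brand)
    links = foreign_links(from_header, body)
    if links:
        score += 3
        hits.append("link_mismatch:" + ",".join(links))
    return score, hits


def is_suspicious(from_header, body):
    """Triage verdict: True when the score reaches the assumed threshold."""
    return score_email(from_header, body)[0] >= SUSPICIOUS_THRESHOLD


# Constructed sample messages modelled on the ruses described on this page.
SAMPLES = {
    "shipping": ("UPS Delivery <notice@ups-parcel-tracking.example>",
                 "We could not deliver your package (reference code 7781). Please fill out the "
                 "attached form and confirm your card number within 24 hours or the item will be "
                 "returned to sender."),
    "lottery": ("Pay Office <payoffice@aim.example>",
                "OUR DEAR WINNER, THIS IS TO NOTIFY YOU THAT YOUR EMAIL ADDRESS HAS WON THE SUM OF "
                "ONE MILLION EURO."),
    "linkedin_fdic": ("LinkedIn <updates@em.linkedin.com>",
                      "Temporary FDIC insurance coverage news. To obtain more information about "
                      "temporary FDIC insurance coverage, please refer to "
                      "http://fdic-notice.example/coverage for details."),
    "benign": ("Dana <dana@colleague.example>",
               "Hi Robert, attaching the slides from Tuesday's meeting. Let me know if you want edits."),
}

if __name__ == "__main__":
    for label, (sender, body) in SAMPLES.items():
        score, hits = score_email(sender, body)
        print(f"{label:14s} score={score:2d} suspicious={is_suspicious(sender, body)} {hits}")
```

A scorer like this is a triage aid, not a verdict: legitimate mail can mention passwords or deadlines, and scammers adjust their wording, so treat the score as one signal alongside the habits in the list above (call the bank directly, do not click links you cannot vouch for).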

Banks can help protect their customers by using iovation’s ReputationManager 360, which helps businesses avoid fraud loss by detecting high-risk behavior and stopping cybercriminals in their tracks. The device identification and device reputation technology from iovation assesses risk as activities take place at various points within an online site, such as account creation, logging in, updating account information, attempting a purchase or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Malicious Websites – The Web is a Dangerous Place

McAfee’s latest Threats Report shows malicious websites growing to replace botnets as the primary infection mechanism. This means that by simply visiting a website you could be exposed to malicious code that can do harm to your computer, mobile device, finances or identity.

A website earns a bad reputation by hosting malicious software (malware), potentially unwanted programs, or phishing pages. By the end of June 2012, the total number of bad URLs referenced by McAfee Labs™ passed 36 million! This quarter McAfee recorded an average of 2.7 million new bad URLs per month. Of the new bad-reputation URLs, 94.2% host malware that has been specifically designed to hijack your computer.

It is important to make sure you are aware of things that can happen when you are exposed to a malicious site. The web is a dangerous place for the uninformed and unprotected. Protect yourself:

Make sure your OS is updated: Keeping your operating system updated is a must to protect against security threats. Updates close known holes that could otherwise expose you.

Keep your browser updated: Running the latest version of your browser also helps protect you against threats you could be exposed to.

Use security software: Having up to date comprehensive security software is a must. It should include antivirus, anti-spyware, anti-spam, anti-phishing, a firewall and a safe search tool.

Use strong passwords: Little yellow sticky notes on your monitor with your passwords aren’t good. Use a combination of upper and lower case letters, numbers and symbols that is at least 8 characters in length. Also use a different password for each of your accounts and, if possible, consider changing them every 6 months.

Stay educated: Make sure you stay up to date on the latest tricks and tools that hackers use by reading blogs, and getting tips from trusted security sources.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)


Feast of the 7 Phishes 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn linkedXXX@em.linkedin.com

Temporary FDIC insurance coverage news. To obtain more information about temporary FDIC insurance coverage of transaction accounts, please refer to http://www.xxxxxx. Yours faithfully, Federal Deposit Insurance Corporation.”

2. In this phish, the sender claims to be Canadian, but the email suffix “.cn” is Chinese, and the scammer’s grammar is clearly East African in nature.

“From: Mrs.Martha Chery tesXXX@k.cn

Dear Beloved,

I am Mrs.Martha Chery from Canada,I am 58 years old,i am suffering from a long time cancer of my brain,from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.”

3. Wow, my “email address has won.” Lucky me?

“From: payofficeXXX@aim.com

WINNING NUMBER: OL/656/020/018

OUR DEAR WINNER, THIS IS TO NOTIFY YOU THAT YOUR EMAIL ADDRESS HAS WON ONLINE LOTTO AND GAMING CORPORATION SUM OF (ONE MILLION EURO).”

4. This scammer responded to a Craigslist ad I had posted. Apparently I “sounded gorgeous in the ad.” I probably did!

“From: Justina Serini justinaXXX@hotmail.com

Hi Robert, I found your posting and wanted to ask you something essential. I am in a relationship and caught my partner cheating on me so I decided to get even! My co-worker said Craigslist list would be the best place to find someone nearby who I can be with for one time only so thought the hell, I would email someone I thought sounded gorgeous in the ad and came across yours!”

5. In this phish, I’m being scammed in Hebrew!

“The Freebie!!! info@free2XXX.co.il

can save himself tens or hundreds of thousands of shekels – and easily! Even if you took out a mortgage and obtained the best terms,”

6. Oh, wow, the United Nations is contacting me directly. How exciting!

“From: UNITED NATIONS bankimoonXXX@yahoo.com

Attn: Beneficiary, This is to inform you that the International Community has received series Complaints from Beneficiaries who are yet to receive their outstanding Contract/Inheritance Funds.”

7. Download this report, and you’re as doomed as a boiled lobster.

“From: Jerry Bush benoit.metzger@XXXueamachine.com

This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. The current status of the referred transfer is: failed due to the technical error. Please find the detailed information in the report below.”

Hey, that reminds me, I have fish to fry!

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses phishing on Fox Business. Disclosures

Protect From Holiday Phishing Shipping Scams

A common holiday shipping phishing scam is a phony notice from UPS, saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer. Often the email asks you to download a shipping label, and the risk there is that the download is really a virus.

Scammers are sending emails that look like they are coming from the United States Postal Office, FedEx, UPS, DHL, you name it. The email may state in the subject line that there is a problem with delivery and reference a code.

In these emails the scammers are trying various ruses to get you to either download a virus or cough up names, addresses, credit card, bank info and even usernames and passwords.

The scams work because at this time of the year millions of people are getting stuff in the mail and expecting it. Scammers know there is a better chance that you will open an email, click a link, or even make a phone call in response to an official-looking phishing email.

It’s pretty simple not to get scammed here. Realize right now that none of these organizations will send you an email requesting more information from you or asking you to download something. And if you are currently shipping or receiving packages, go through the normal channels you usually use to make contact: log into your accounts, or reply to the existing emails you already have.

Ultimately just hit delete.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Beware of Robo-Call Scams

While out for an evening with friends, talking about everything under the sun including security (which I’m obsessed with, and people often quiz me about anyway), my mobile rang from an “unknown” number. The caller, a computer, stated “Hello, this is a call from Eastern Bank. Your MasterCard account has been locked. Please press 1 now to unlock.” Eastern Bank is local to me.

This is hilarious because I don’t have an Eastern Bank account and I’m in the middle of a conversation with someone about identity theft. So I immediately put my phone on speaker and played the message for everyone, who proceeded to look at me and then ask “what’s wrong with your MasterCard?” While I’m laughing at the call, they are concerned about my card, not initially realizing this is a scam. No longer funny, this saddens me because these are intelligent people who could easily get bitten by this crime.

So I had to explain that this is a “robo-call scam,” where scammers simply use free technology to call thousands of random people by telling a computer to call 555-1212, then 555-1213, and so on in sequential order. Eventually someone is going to press 1, enter all their credit card information, and end up compromised.

I did a little research and Eastern Bank posted this warning that anyone from any bank should heed:

Notice of Fraudulent Phone Calls
Eastern Bank has been made aware that customers, as well as non-customers, are receiving automated calls on their cell phones with the following message:

“This is a call from Eastern Bank. Your MasterCard account has been locked. Please press 1 now to unlock.”

The recording then instructs the individual to enter their debit card number. There may also be a variation of this phone call that references other banks or asks the customer to enter their debit card number in order to activate it.

Please hang up and do not press 1.

Please be advised that these calls are a scam and are not being made by Eastern Bank. This is a phishing attempt by criminals to obtain your personal account information. Never provide your debit card number or any other private information in response to an unsolicited phone call or email.

REMEMBER: Eastern Bank will NEVER ask you for any private information (such as account numbers, passwords, Social Security numbers) through an unsolicited email or phone call.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures

How Phishing is Like a Home Invasion

Phishing, of course, is when you receive a fraud-based email designed to trick you into clicking links and entering your personal information. In some cases, clicking those links may download a virus. The intention is to bypass your computer’s security.

Phishing is becoming more sophisticated because the phish emails are disguised to look like legitimate communications, often from trusted employees on the inside or from companies you do business with.

The criminals behind these emails are doing their research on company websites finding key individuals to model and following up their research on Facebook and LinkedIn to make their phish emails more personal.

And while criminals are still targeting “whales” or CEOs of major corporations and their officers, they are using similar attacks on consumers, as well.

Home invaders are using similar tactics to stalk their prey. You receive a knock on the door, and the minute you open it, like clicking a link, you’re vulnerable. Their intention is to bypass your home security alarm by getting you to open the door.

Home invaders use some ruse, like claiming they are from the gas company, making a delivery, or that their car broke down. All of these methods prey upon your trust in another person or business you may have a relationship with.

Home invaders do their research. They watch you on social media, they look up basic information and they often target the head of the household.

Protecting yourself from phishing or home invasions comes down to one fundamental principle: Don’t automatically trust or believe that whoever is contacting you, in any form, has good intentions. We trust by nature, and that’s great, but not allowing yourself to question others’ intentions sets you up to fail.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News Live. Disclosures

Cybercriminals Target Senior Citizens

Cyber scams happen to the young and the old, the rich and the poor. It doesn’t matter how good or bad your credit is, or whether or not you have a credit card. Cybercriminals target everyone, regardless of how much or how little you rely on a computer.

The lowest of the lowlifes, however, tend to prey upon the weak and uninformed. And all too often, that means children or elderly.

Senior citizens are in a unique position because they often have money in the bank, plus access to additional lines of credit. They are less likely to be frequent Internet users, relative to younger generations, and are therefore less likely to be aware of the many scams that may be targeting them.

Many common scams take place using the telephone rather than the Internet, such as “grandparent scams,” in which victims receive calls from their supposed grandchildren, requesting money.

Online, beware of social media and dating scams. Not everyone who contacts you online is your friend, so be cautious before sharing personal information. Never, under any circumstances, should you send money on the basis of an online relationship.

You’ve most likely heard the term “phishing,” and have certainly received a fake email at some point. But scammers are getting better at creating targeted, personalized emails that include your name, email address, and even stolen account numbers. Never click any links within an email. Instead, go to your favorites menu or manually type the address into the address bar. If you suspect that an email might not be legitimate, hit delete.

Scammers are constantly searching for the information they need to take over your existing accounts, either by hacking into your own personal computer or by stealing data from your bank, credit card company, a government agency, or any other institution that keeps personal data on file. To prevent account takeover, keep your antivirus software updated, and pay close attention to all your bank statements. Dispute any unauthorized transactions right away.

Bad guys love your Social Security number, because they can use it to open new credit accounts in your name. You’ve probably disclosed your Social Security number hundreds of times in your life, and can’t avoid disclosing it in the future. But you can protect yourself with identity theft protection and a credit freeze.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)


Slam Online Scams

#1 Nigerian Scams: While these types of scams are generally understood to be Nigerian in nature and origin, and are in fact named after section 419 of the Nigerian criminal code that makes them illegal, advance-fee scams happen right here in the good old USA, run by Americans pretending to offer jobs or asking for help transferring money.

#2 Romance Scams: If you ever hear talk like this, run far and fast: “In me sweetheart you are going to find the most passionate, loving and romantic man you have ever met. There are very few promises in life but this is one of them! ROMANCE is the key to my happiness and to my heart and soul!”

#3 Classified Ad Scams: This story caught my eye: “An online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet. An ad posted to a local online classified website by a man who claimed he was living in Florida. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.”

#4 Phishing: Phishing continues to become more sophisticated, more effective, and more prevalent. In one example, criminal hackers waited until Pennsylvania school administrators were on vacation, then used simple money transfers to liquidate over $440,000 out of the district’s accounts.

#5 Spear Phishing: Spear phishing occurs when the scammers concentrate on a localized target, usually an individual with control over a company’s checkbook. This insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins.

Don’t be taken. Keep your head up and recognize when someone’s trying to take advantage of you.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Twitter Crime on the Rise

Twitter is now beginning to see a substantial rise in active users. A recent report found that the percentage of Twitter users who have tweeted ten or more times, have more than ten followers, and follow more than ten people rose from 21% to 29% in the first half of 2010.

Spammers, scammers, and thieves are paying attention.

In the physical world, when communities become larger and more densely populated, crime rises. This also applies to online communities, like Twitter and Facebook.

Twitter’s “direct messages” and “mention” functions are laden with spam, often prompting users to click various links. Why anyone would want me to “Take a Good Look at Hypnotherapy” is beyond me, but someone must be buying because the spam keeps coming.

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter (and Facebook) accounts, including those of President Obama, Britney Spears, Fox News and others have been taken over and used to ridicule, harass, or commit fraud.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals Coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter is sometimes plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.

DoS Attack: A denial-of-service attack left Twitter dark for more than three hours. The attack seems to have been coordinated by Russian hackers targeting a blogger in the Eastern European country of Georgia.

Botnet Controller: One Twitter account posted links that pointed to commands to download code that would make users’ computers part of a botnet.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Twitter Porn: Please, “Misty Buttons,” stop sending me invites to chat or to check out your pictures.

Twitter Spam: The use of shortened URLs has made Twitter’s 140 character limit the perfect launch pad for spam, shilling diet pills, Viagra and whatever else you don’t need.

To prevent social media identity theft, take ownership of your name or personal brand on Twitter. Protecting yourself from other scams requires some savvy and an unwillingness to click mysterious links. In other cases, you’ll need to keep your web browser and operating system updated in order to remain safe. Make sure to keep your antivirus software updated with the latest definitions, as well.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hacking wireless networks on Fox Boston. (Disclosures)