Posts

Hacking Humans: How Cybercriminals Trick Their Victims

Intel Security has compiled a list of the top ways cybercriminals play with the minds of their targeted victims. And the chief way that the cybercriminals do this is via phishing scams—that are designed to take your money.

11DThe fact that two-thirds of all the emails out there on this planet are phishy tells me that there’s a heck of a lot of people out there who are easily duped into giving over their money. I’m riled because many of these emails (we all get them) scream “SCAM!” because their subject lines are so ridiculous, not to mention the story of some befallen prince that’s in the message

I bet there’s a dozen phishing emails sitting in your junk folder right now. Unfortunately, a lot of these scam emails find their way into your inbox as well.

McAfee Labs™ has declared that there’s over 30 million URLS that may be of a malicious nature. Malicious websites are often associated with scammy emails—the email message lures you into clicking on a link to the phony website.

Clicking on the link may download a virus, or, it may take you to a phony website that’s made to look legitimate. And then on this phony site, you input sensitive information like your credit card number and password because you think the site really IS your bank’s site, or some other service that you have an account with.

6 ways hackers get inside your head:

  1. Threatening you to comply…or else. The “else” often being deactivation of their account (which the scammer has no idea you have, but he sent out so many emails with this threat that he knows that the law of numbers means he’ll snare some of you in his trap).
  2. Getting you to agree to do something because the hacker knows that in general, most people want to live up to their word. That “something,” of course, is some kind of computer task that will compromise security—totally unknown to you, of course.
  3. Pretending to be someone in authority. This could be the company CEO, the IRS or the manager of your bank.
  4. Providing you with something so that you feel obligated to return the favor.
  5. “If everyone else does it, it’s okay.” Hackers apply this concept by making a phishing email appear that it’s gone out to other people in the your circle of friends or acquaintances.
  6. Playing on your emotions to get you to like the crook. A skilled fraudster will use wit and charm, information from your social profiles, or even a phony picture he took off of a photo gallery of professional models to win your trust.

In order to preventing human hacking via phishing scams, you need to be aware of them. Aware of the scams, ruses, motivations and then simply hit delete. Whenever in doubt, pick up the phone and call the sender to confirm the email is legit.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

What’s Your Click IQ?

The recent celebrity photo hacks are an unfortunate reminder of how devastating or embarrassing it can be to have your data compromised.  But celebrities are not the only ones getting hacked. Cybercriminals aren’t choosy—they’ll send malicious texts, emails, and website links to Jennifer Lawrence and your grandma. And while the celebrity hacks are more publicized, the fact is, every day, hundreds of ordinary people are falling prey to phishing scams.

So how can you protect yourself from these cybercriminals? The best defense is actually you.

Many of these scams involve a similar thing—the click. So if you learn how to click wisely, 95% of cybercrime techniques—including phishing, bad URLs, fake text messages, infected pdfs, and more—are eliminated.

And that’s the idea behind Intel Security’s new campaign, #ClickSmart. Intel Security wants to empower you with the skills and sense to avoid those dastardly scams.

Here are some tips to get you started

  • Check URLs for misspellings or interesting suffixes. For example, if you see www.faceboook.ru, don’t click it.
  • Only open texts and emails from people you know. But even if you do know the sender, be wary for any suspicious subject lines or links. Hackers can try to lure you through your friends and family.
  • Beware of emails, texts, and search results offering anything for free. If it sounds too good to be true, then it probably isn’t true.

Print

Are you ready to take the #ClickSmart challenge? If so, go to digitalsecurity.intel.com/clicksmart and see if you’re a Click head or a Click wizard.

To learn more on how to #ClickSmart, join @IntelSecurity, @McAfeeConsumer, @cyber, @GetCyberSafe, @STOPTHNKCONNECT  for Twitter chat on October 14th at 12 PM PT. Use #ChatSTC to join in on the conversation. Click here for more information.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Teens’ Online Behavior Can Get Them in Trouble

Do you really know what your kids are doing all the time? Probably not, unless you’re a stalker (just kidding). But really, there has to be some element of trust and you can’t physically be everywhere your kids are. And that also applies to the online world. As parents, we need to be aware of what our kids are doing, teach the “rules of the road,” and help them stay safe, but we can’t always be there with them every moment of every day.

But we do need to understand that our kids are doing things online that could expose them to risk. McAfee’s 2014 Teens and Screens study showed that tween and teens continue to interact with strangers online and overshare information, even though they realize that these activities can put them at risk.

So what else did the study unveil? About 75% of tweens and teens friend people whom they know in the real world, however, 59% engage with strangers online. And one out of 12 meet the online stranger in real life. This could be because 33% of them say they feel more accepted online than in real life.

Additional facts to understand:

  • Our tweens and teens overshare personal information – 50% posted their email address, 30% their phone number and 14% (which is 14% too many) posted their home address, even though 77% know that what is posted online can’t be deleted and 80% have had a conversation with their parents on how to stay safe online
  • Social media friends are not always friendly – 52% have gotten into a fight because of social media, 50% have gotten into trouble at home or at school and 49% have regretted posted something.
  • Our kids are still hiding things from us – Although 90% believe their parents trust them to do what is right online, 45% would change their online behavior if they knew their parents were watching, 53% close or minimize their web browsers when their parents walk into the room and 50% clear the history of their online activity

Alarmingly, 24% said that they would not know what to do in the event of cyberbullying (how about stay away from the bully’s page and block the bully from your page?). A whopping 87% have witnessed cyberbullying and 26% have been victims themselves.

So with all these, how do we ensure we help our kids stay can enjoy the benefits of being online, while staying safe online. Here’s my top tips:

  • Establish rules: Parents should establish pinpointed rules about computer activities including sites the kids can visit and what is and isn’t appropriate behavior online, including the fact that online is forever.
  • Check in: Kids should be told to immediately report cyberbullying. whether they are witnessing it or being a victim.
  • Meet their “friends”: If it’s not possible to meet that person in person, then your child shouldn’t be chatting with them online.
  • Learn their technology: You should know more about the various devices that your kids use than your kids do, not the other way around.
  • Get their passwords: Parents should have full access to their kids’ devices and social media accounts at all times; they need the passwords.
  • Have security software on all their devices: Make sure all your kids’ devices and yours have comprehensive security software, like McAfee LiveSafe™ service.

Or you can just relegate your kids to their rooms and never let them out—like I’ve told my girls. Just kidding. But on a serious note – parents, it’s time to make this a priority, for you and your kids.

To join the conversation online, use #TeensNScreens or follow @McAfeeConsumer or like McAfee on Facebook.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

10 Tips to Protect Yourself on Social Networks

With the prevalence of mobile devices, more than ever, it’s easy for us to share our lives with the world. And yes, social networks are all about staying in touch with friends and family, and sharing events in your life, but perhaps it’s too easy to share information?

14DWith just a few clicks, posts and messages, you could give away enough personal information to compromise your privacy and even open yourself up to identity theft. So that’s why it’s critical that you know how to protect yourself when using these sites. Here’s my top 10 list:

  1. Remember the Internet is permanent: Assume that once you put information on the site, it stays there forever. Even if you delete the account, you don’t know if someone has already printed/copied your text or photos off of it.
  2. Be selective when accepting a friend: Do you really know that their profile is real and not fake? Only “friend” people you know in the real world.
  3. Exercise caution when clicking on links: Even if they’re from friends. Hackers prey on social networks because you are more likely to click on something from your friends. Also be wary of offers with the word “free” in them, or ones that sound too good to be true, as they usually are.
  4. Manage your privacy settings: Make sure that you are only sharing information with friends and family and check them regularly in case there are any changes.
  5. Be aware of the fact that the information you share on one social network may be linked to another: For instance, a photo you post to Twitter may automatically post to your Facebook profile.
  6. Don’t reveal personal information: Be suspicious of anyone who asks for your personal information online and never share your home address, phone number, Social Security number, or other personal identifying information.
  7. Turn off the GPS function on your smartphone camera: If you plan to share images online, make sure that you turn off the GPS on your device to keep your exact location private.
  8. Don’t enable auto login: Make sure that you don’t have your apps set to automatically log you in and that you don’t have your computer’s browser “remember” your login and password. That way if someone does get access to your devices, they can’t automatically access your social sites.
  9. Change your passwords frequently: Choose hard-to-guess passwords that are at least eight characters long and a combination of letters, numbers, and symbols, and change them regularly. Also make sure you use different passwords for each account.
  10. Close old accounts that you don’t use anymore: Don’t risk leaving personal data in an old account, such as a MySpace page you haven’t used in years, or on an online dating site you no longer need. Instead, close the accounts you don’t use and delete as much personal information from them as possible.

Social networking is meant to be fun…let’s keep it that way by staying safe online. 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Change Your Password. World Password Day

We also say we want to be safe online. Yet sometimes our actions betray our words—especially if we’re using simple, short passwords for our online sites. Passwords with less than eight characters are the easiest to crack, especially if they include a proper noun or a word that’s in a dictionary. Hackers especially love passwords of all one character. Lose the “ilovedogs” password please.

WorldPasswordDayTake a look at your passwords. Are they simple and include an actual word, or are they long and unique?  World Password Day. Take the pledge and change your passwords.

And don’t balk about changing your passwords; you must change them to be safe online. Your password is your first line of defense—not only for your online accounts, but also on your devices. Be like Nike and “Just Do It!” Think about this if you’re reluctant to change them:

  •  Research shows that 90% of passwords are vulnerable to hacking
  • The most common password is “123456”  and the second most common password, is “password”
  • 1 in 5 Internet users have had their email or social networking account compromised or taken over without their permission

Now, believe it or not, a password of eight characters, even with various symbols and no dictionary words, can be cracked. However, a password the length of “Earthquake in the Sahara” would take over a million years to unearth. Ladies and gents, size does matter when it comes to passwords.

Ditch your old passwords

They may already be on the black market, and if not, it’s inevitable. Especially in this post Heartbleed time, we need to make sure we all change our passwords.

Think pass-sentence, not password

Just four words (with spaces) will make a killer password. Toss in punctuation. Create a sentence that makes no sense, like “Sharks swimming in the shower” and then add some space, numbers and special characters so it’s “Sh@rks swimming >n The Sh0wer!” That’s a 30-word password, technically known as a passphrase, and beats out #8xq3@2P. And which is easier to remember?

And don’t use something that a person who knows you might be able to guess: If you own five black cats, don’t make a passphrase of “I love black cats.”

Here’s a fun way to make a passphrase.

Make the change

Now that you have a passphrase that will take millions of years to crack, it’s time to make use of it. Sift through all of your accounts and change your passwords, using a different passphrase for each account, and not similar, either, for optimal uncrackability.

Once all of your new passwords (passphrases) are in place, you’ll have peace of mind, knowing that it would take millions of years for these passwords to be cracked.

Remember, there’s no better time than World Password Day to change your password!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

What is Social Engineering?

No, it’s not some new engineering field to develop social media sites. Social engineering has been around as long as the con artist has been around. The terms stems from the social science world where social engineering is deemed as an act of psychological manipulation.

social_engineeringIn our tech-laden world of today, social engineering still involves deceit but it’s used to deceive you into giving up personal or sensitive information for the bad guys’ financial gain. Social engineering can take many forms from an email, phone call, social networking site, text messages, etc., but they all have the same intent—to get you to part with valuable information.

Any one of us can be a target. And social engineering continues to be a tool that cybercriminals use because it works. They play on our emotions and our innate sense to want to trust others and be helpful. The also rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it.

For instance, after major natural disasters or major news topics, like a hurricane or earthquake, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions.

And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

How can you protect yourself?

  • Never respond to a message from someone you don’t know and never click on a link in an unsolicited message, including instant messages, and any time the phone rings and they are requesting personal information consider it a scam.
  • Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
  • If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions, and most sites, don’t send emails or text messages asking for your user name and password information.
  • When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
  • Consider using a safe browsing tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
  • Make sure your all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that protects all your PCs, Macs, smartphones and tablets.

So remember to ask yourself if this is really legit, the next time you get a message that plays on your emotions. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

McAfee Labs 2014 Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what are new trends they expect to see. Today they released their 2014 Threat Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slow down on this in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some  types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is not regulated and anonymous, this makes it much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.

2014ThreatPredictions

Here’s some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges
  • Install comprehensive security on all your devices: With the growing amount of threats that we’re seeing, you want to make sure that your all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Protection For Your Shiny New Devices

After Santa heads back to the North Pole, there will be many new devices in the hands of good girls and boys that will be targeted by criminals. With the enjoyment of these cool devices should come top-notch protection for them, as they can be vulnerable to a number of malicious threats.

5WLaptop or PC

What should your security software include?

  • A two-way firewall: monitors the activity on your devices making sure nothing bad is coming in (like unauthorized access) and nothing good is leaving (like your data).
  • Anti-virus software: protects your devices from malicious keyloggers and other badware.
  • Anti-phishing software: watches your browser and email for suspicious inbox activity.
  • Anti-spyware software: keep your PC spyware free.
  • Safe search capacities: McAfees SiteAdvisor plugs into your browser and tells you what websites are good and which are suspicious.

Go further with wireless network protection, anti-spam, anti-theft protection and parental controls.

Free software is not recommended, as it provides only basic protection and you’ll likely end up purchasing more anyways.

Make sure you have a subscription to software that’s automatically renewed every year so that you don’t forget. This is after you figure out whether or not your new device’s protection software is on a trial basis.

Smartphone or tablet

  • Be leery of third-party apps you install on your mobile phone, since malicious apps are the main threat.
    • Download apps only from reputable app stores.
    • Read reviews and make sure you know what information the app requests prior to download.
  • Use mobile security software that includes:
    • Anti-virus and malware protection
    • Anti-theft
    • App protection
    • Web protection
    • Call and text filtering
  • Turn off automatic connections to Bluetooth and Wi-Fi unless you’re using them.
  • Apply app and operating system updates.
  • Never store account numbers, passwords, etc., on your phone or tablet
    • Do not have your apps set to automatically.
  • Apple products are at highest threat; install security software that’s been designed just for the Mac.
  • Never leave your phone or tablet unattended.

Gaming or entertainment device

These devices are vulnerable to many of the same attacks that PCs are, since they’re connected to the Internet.

  • Create backups of your games.
  • Make sure you understand the built-in parental controls.
  • Never store personal information on this device.
  • Connect it only to a secure Wi-Fi network.
  • Use a secure, encrypted USB drive that will muddle up your information to make it unreadable to thieves.
  • Purchase security software to protect the portable hard drive; and set a password.
  • Employ technologies for protecting your information.
  • Never leave the USB drive unattended.

The most important thing to remember is “don’t worry about it” but definitely do something about it. Once you invest in your devices security go play, have fun and be smart about what you do online.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

New Facebook Phish Steals Passwords

I got an email from a colleague today:  Subject: “My Facebook account got hacked.

I wonder if you could give me some guidance here –

I received the following email from Facebook:

——————————————————————–

From: Facebook [XXXXXX@facebook.com]

Sent: Wednesday, March 17, 2010 5:58 AM

To: XXXXXXXXXXX

Subject: Security Warning From Facebook

Dear XXXXXXXXXX,

We have detected suspicious activity on your Facebook account and have temporarily suspended your account as a security precaution.

You can regain control of your account by logging into Facebook and following the on-screen instructions.

Please be sure to visit the Facebook Help Center (http://www.facebook.com/help/) for further information regarding these security issues and let us know if you need assistance.

Thanks,

Facebook Security Team

————————————————————————-

Reuters reports Hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.

McAfee estimates that hackers sent out tens of millions of spam across Europe, the United States and Asia since the campaign began on Tuesday.

Dave Marcus, McAfee’s director of malware research and communications, said that he expects the hackers will succeed in infecting millions of computers.

“With Facebook as your lure, you potentially have 400 million people that can click on the attachment. If you get 10 percent success, that’s 40 million,” he said.

McAfee says:

Tip 1: Do not open the attachment. Promptly delete the Facebook scam email.

Tip 2: Consumers can protect their computer from this type of cybercrime by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection.

Tip 3: Consumers should make sure they are running the most up-to-date security software and their subscription is active.

Tip 4: If consumers are unsure if their security software vendor has an update for this type of malware, McAfee recommends that they check for and install any available updates, then immediately run a full scan.

Robert Siciliano personal security expert to Home Security Source discussing Facebook hacking on CNN.