Free Prizes Offered In Exchange For Personal Info Are A Scam

Anyone want a free prize? Of course we all do. However, sometimes those “free” gifts come with a price attached. And it can be quite expensive when that price is malware on your mobile device. A recently discovered scam has been spotted by researchers at Symantec that promises free prizes if you merely provide a few personal tidbits. That sounds harmless, so, why not? All they want is some information, right?

Well, hold your horses there, partner. What they really want is most likely to install malware onto your device. If they don’t want to do that, they want access to your Facebook friends list. In exchange, they promise Amazon gift cards, free iPhones, or even cash. But they are all scams, so don’t let them lasso you.

The scammers are pretty good in this one, too. They don’t limit it just to one operating system or type of device. Anyone with an Apple or Android product is at risk when using a browser. The fraudsters even post fake testimonials flaunting how fantastic their scam is. Those “testimonials” are all phony and just trickery.

The good news is that many, if not most, of the antivirus software products are ready for this one and as long as you have the latest updates installed, you should be protected. If you don’t, stop right now and go take a gander at what is available and apply it right now.

In addition, make sure all the latest critical and security updates are applied to your devices. Apple recommends enabling the “Block Pop-ups” and “Fraudulent website warning” options for iOS too. If you don’t see these options, you may not have the latest updates.

Remember to use caution when browsing, whether on your desktop, laptop, or sitting atop your favorite steed using your smartphone. All devices are at risk, regardless of what browsers you use and where you’re using them. Consider using a pop-up blocker on all your devices. There are many options. Just make sure to do a little research to make sure you’re using a legitimate product rather than just manure.

Stickley on Security
Published August 18, 2018

iPhone Users Beware: Fake “Lockout” Hack on the Move – Again!

One of the oldest hacking scams is back and better than ever. The targets are mainly users of iPhones and other devices running Apple operating systems, who are told via email that they have been locked out of using their iPhone. Not that other devices are safe from this, but the victims in this case are mostly using iPhones. The hacking method may be old, but it’s been updated to include phone support scams as a sneaky way to get your sensitive data.

How It Works

To the surprise of no one, a phishing email is used. It begins when potential victims receive an email from “Apple Support” saying they have been locked out of their phone due to illegal activity detected. That message alone will scare a lot of iPhone users who may be wondering what’s next. Rest assured there will be more to it, including a legitimate-looking but very fake Apple website. Users are redirected by an email link to the bogus Apple website. Once on the site, a friendly pop-up offers a phone number to call and find out more.

That fake “Helpline,” in this case, is located somewhere in India, but don’t believe for one second that they only exist there. This is where you’ll be asked to pay in order to get your phone unlocked. By the way, your phone was never locked to begin with. But once on the phone, you can bet you’ll be asked for sensitive information to “confirm” your account. After that data is stolen, you’ll likely be asked to pay to unlock your phone. Then the friendly “support person” will collect the account numbers or payment numbers from whatever card you choose to pay with.

The fake Apple sites look identical to the real Apple site. The only way to tell the difference is to verify the URL. In the case of this scam, the URL is constantly changing as Apple, Google and other tech giants work hard to shut down scam websites as fast as possible. But because there is an unlimited number of URLs, the criminals just keep putting up new scam sites. Always verify that you are on the correct website and that it is secure before logging in or entering any personal information.

The important things to know here are that Apple, Microsoft or any other provider would never contact users by phone to talk about a “problem” with your device, unless you initiate the dialogue. Furthermore, Apple or any provider would not know what activity you may be up to on your device, much less tell you it’s being used for illegal activity.

Knowing what scams are out there is the best way to protect yourself. Also know that any time you’re contacted by phone about any issue, especially if the number is provided to you, it’s likely a scam. Your best bet is never calling the number, and hanging up immediately should someone call you to discuss security issues about your devices. When it comes to being hacked, knowledge truly is power.

Stickley on Security
Published October 4, 2018

Avoid Social Media Cybercrime

We love social media these days. Facebook, Snapchat, Twitter, LinkedIn, and many others can lead to lots of sharing and fun, but also carry significant risks. This is particularly true now that cybercriminals are collating data and using it against us in targeted phishing attacks.

Online social networks may seem all in fun and harmless, but they are anything but that. Anyone participating in a social network online assumes some risk of becoming a victim of a con artist or other criminal. But this does not mean you should opt out of getting involved. It’s part of our society, and in some cases an important part of doing business. Just be aware of the risks and take action to avoid being a victim of identity theft or another cybercrime.

It’s always important to remember that once you put something on the Internet, it is there… forever. It never disappears, you can’t completely remove it, and there is nothing preventing your connections from sharing. Once that happens, you lose control of it. If someone in their network shares it, it will crawl even further into the Internet and there really is little to nothing you can do about it.

Therefore, always know who you are giving access to your personal information and if you don’t want them to share something, ask them not to or just don’t post it. Also, keep in mind that what you post can reflect on your business relationships as well. Even if you don’t connect with business contacts via social media, it can still get around and affect your business.

Pay attention to who wants to follow, friend, or share with you. Often cybercriminals will try to connect with people to learn about them, bring them into confidence, and then scam them. This may come in the form of attachments or links passed on once you are “friends” with that person. It may come in personal requests, such as asking you to send money via wire transfer or even gift cards to help with an emergency.

Any information found on the Internet may be used against you for nefarious purposes, so always think about what you post. And just because you use the highest privacy settings, doesn’t necessarily keep you safe. Assume that whatever you post is available to anyone on the Internet. Hackers of all types troll social networking sites to put together collections of information on specific targets. The information may be used for something completely unrelated to social media, but can do a lot of damage. For example, if you work with financials in your company and you share it on social media, you could be targeted for wire transfer fraud.

All of this may not only put you in physical danger, but it may also be used to create phishing messages and to send emails to people you know, including your co-workers. These email messages could contain malware. Once a link or attachment is clicked, it could unleash something nasty on the network. No one wants to be responsible for that.

A good example where criminals will often go to learn important information about you is LinkedIn. This social networking site is a great way to form business relationships, but is also often used by criminals to learn more about an organization’s personnel. For example, LinkedIn can provide a would-be criminal with the employee names, job positions, job responsibilities, and even how long an employee has worked at the organization. This information can then be used by criminals to target “high risk” employees or even be used as part of a larger social engineering campaign.

Because all this information is now available to the public, you need to be even more diligent in detecting potentially malicious activity. From suspicious emails to phone calls, just because a person contacting you knows some personal information about you, does not mean they can be trusted. Don’t be tricked into giving out even more information or opening links and attachments contained in emails. Always do an independent verification before disclosing any personal or sensitive details about yourself or your organization.

Think about how you use social media and how much information you want to share with the world. Because even if you think it’s just your “village” seeing the information, the reality is that it isn’t. It’s everyone, everywhere.

Generally speaking, there are two ways in which hackers and cybercriminals use social engineering to exploit social networks.

1. Attempting to get someone to install software on a computer or phone that will give them access to that device.

2. Gain someone’s trust in order to exploit personal connections and manipulate people through the social network.

People are the weakest link in cybersecurity and the savvy hacker will take advantage whenever possible. Following are a few tips to help you avoid becoming a victim of either of these:

  • Always use the strongest security settings possible on social media sites. For example, consider if you need to share your location. If it really isn’t necessary (and it usually isn’t), deactivate that option. Also be sure to limit who has access to your information. Don’t make it public to the world, but instead make it viewable only to those who are directly linked to you, keeping in mind that even that information is vulnerable once one of them sends it on. Some sites will allow you to customize lists based on what you are posting. This may be appropriate for some content.
  • Don’t post personally identifiable information (PII) on social networking sites. This includes your birthdate, phone number, and address. If you want to exchange that information, do it via private messaging or email. Never ever post your social security number or any banking or other financial details, not even through the site’s private messaging or email service.
  • If you use your smart phone to post photos to your social networking sites, turn off location services for your camera. Leaving this activated will give away your location. While you may think it isn’t a big deal to share your location, it can be. When you’re on vacation and sharing selfies with recognizable landmarks in the background, it would be a great time for someone to break into your house and steal all kinds of information.
  • Be aware of unsolicited contact from strangers. Often, scammers will try to get to know you and then scam you. This happens often with online dating sites. They may use social engineering, such as convincing you they need money to help them get out of a bind, but they also may use you to spread malware. It’s reasonably easy to spoof someone’s email address and often the criminals will do this to try to get your friends, colleagues, and other contacts to click malicious links. People are more likely to click a link if they trust the one posting it. Therefore, use caution even when clicking links on social media from those you do know.
  • With the increase in popularity of private messaging services that are attached to the social media sites, such as Facebook Messenger, watch for private messages that arrive that include only a link, or have a vague description of what the link may contain. One that was seen recently was sent with text that addressed the recipient by name, “Bob, is this you?” Contained in the link was malware.
  • If a deal sounds too good to be true, it is. Cybercriminals use popular events and news stories as bait to get people to open infected email, visit infected websites, donate to fake charities, or purchase items that either don’t exist or that are counterfeit. Recently, someone impersonated Iron Man star, Robert Downey Jr. and scammed people out of their money by “personally” asking them to donate to his favorite charity. Other stars were used in such scams as well, such as Brad Paisley, Hugh Jackman, and Elton John. All had to send pleas out to fans not to fall for it.
  • Change your social networking passwords often. Studies have shown that even with all the password reuse issues and stolen credentials, 53% of social media users had not changed their passwords in over a year and 20% had never changed them. It’s recommended to do it quarterly and, when doing so, don’t reuse one that you use on another site, especially one that you use for your financial accounts.

The bottom line is just to use caution when participating in social networks. They can be fun and useful and are likely here to stay. However, just use good judgment and common sense when partaking so that you do not become, or cause your company to become, the next victim of fraud or identity theft.

Stickley on Security
Published September 28, 2018

Create A Strong And Unique Password For Every Account

It’s not the newest trend. In fact, it’s rather old news. It’s still important to use strong passwords, use passphrases, and YES! Passwords really do still get cracked. The many techniques for obtaining passwords over the years have become more sophisticated, but the tried and true methods still work. The top methods for cracking passwords, in no particular order, are rainbow tables, brute force attacks, social engineering, phishing, malware, and plain old guessing.

The more complex your passwords are, the less likely they will end up in the hands of a cybercriminal. The age-old advice for selecting passwords still remains true:

• Combine upper and lower case letters.
• Use no less than eight characters. Passphrases are best.
• Include at least one number and one special character. More of each is better.
• Make them easy to remember, but difficult to guess. For example, make them create a pattern on the keyboard or use a base phrase and add to it based on the website name.

Having strong passwords is important. Sometimes knowing why is helpful. One reason is that time is money, even in cybercrime. The easier the password, the easier and faster it is to crack. It’s as simple as that.

Criminals often crack passwords en masse, so when they get enough easy ones figured out, they move on to the next phase of their crime and dump the ones they can’t figure out quickly.
Knowing how they end up in the hands of the cybercrime world may help in understanding why it’s so important. So let’s get back to those aforementioned methods.

At a high level, rainbow tables are long precomputed lists that pair encrypted (hashed) passwords with their plain-text equivalents. Attackers feed these into password cracking software and can try a lot of passwords in a short period of time, depending on the size of the list. Thus, security experts recommend using longer passwords and phrases. The longer they are, the more time it takes for them to be found in these lists.

Brute force attacks try dictionary words and then work through all possible combinations of alphanumeric characters, from AA1 to zz1. These are not done quickly, but those who use them often have a lot of time on their hands and consider it worth the effort. In any case, the longer the password, the longer it takes to figure it out.

Social engineering is the foundation of many security breaches, whether they are intrusions into a network, theft of a password to get into an account, or getting malware onto a computer. At a basic level it involves getting users to give up passwords or access. Hackers are amazingly successful at getting information by pretending to be someone else and winning their victims’ confidence. A favorite ploy of the social engineer is to call workers in an office posing as the IT person. They simply ask for passwords and, surprisingly and unfortunately, it really works.

Phishing should be familiar to everyone by now. According to IBM’s X-Force researchers, phishing increased four times in 2017 over the previous year. And it’s not only increasing in volume, it is evolving and getting more sophisticated. It’s getting to a point that identifying phishing is nearly impossible, even for the most educated on the topic. Currently, it’s estimated that more than half of the email we receive is spam. Most of it gets caught in spam filters, but much of it doesn’t. Of the messages that make it to users’ inboxes, about half are opened. Roughly 10% of those are acted upon. These messages are trying to coax the users out of information, and oftentimes it’s a password to some account that will net the thief something of value.

Next, there is malware. This is software that ends up on a computer or device and can be used for any number of activities, from logging keystrokes (key loggers) to redirecting a web browser to fake websites to obtaining administrator rights to networks.

Finally, there is the highly unsophisticated method of guessing. Believe it or not, it still works. People often create passwords based on information that is not so hard to find out, such as kids’ names, birthdates, pets’ names, etc. This is especially true with the rise in popularity of social media and networking websites. People post their kids’ names, birthdates, pets’ names, their travel plans, addresses and so forth on their social media profiles. A savvy hacker may use the previously discussed social engineering techniques to befriend victims and simply guess passwords.

There are many more strategies for getting passwords. No matter what you come up with for yours, it needs to and should make sense to you and no one else. If you must write them down, do it. Just keep it separate from your computer and mobile device and keep it out of plain sight. And if you can use clues to trigger your memory, that’s better than writing out the passwords in their entireties.

We have a lot of passwords these days used for everything from online magazine subscriptions to logging in to check our healthcare information. We trust many others with our sensitive information and the only thing between us and that information is still quite often, only a password.

Protecting that information is critical. Following are some guidelines regarding passwords and protecting them as well as the information they protect:

• Don’t use words commonly found in any dictionary for your passwords, even in foreign language dictionaries. Don’t use slang terms or phrases either. The bad guys are onto that too. If you are thinking of substituting a “1” for a lower case “l,” don’t bother. That’s an old trick. The same goes for spelling words backwards or with common misspellings; they know those too and even use those for other trickery.
• Never include personal details in passwords such as your name, birthdates of your kids or loved ones, or even pets’ names. Those are not all that difficult to find out anymore, so don’t make it easy on someone with ill intentions.
• When your password recovery options ask which questions you want to choose, pick ones that are not obvious and few people know the answers to; better yet, make up your answers. Just don’t forget what you chose, if you decide on this strategy.
• Several studies have found that using device default passwords is still common. Year after year, “12345” and derivations of it still top the most commonly used password lists. The number 2 password is “password.” Be more creative than this.
• Password reuse is common and is still a bad idea. This means using the same password for multiple accounts. Yes, using so many different ones may seem daunting, but it’s important. It’s particularly critical to make sure your social media, healthcare, and financial account passwords are completely different from one another and from everything else.
• When using public computers, in a hotel business center or internet café when traveling for example, make sure that the box to remember your password is NOT checked and be sure to close out the browsers you used before leaving. Otherwise, someone may use the computer after you and get access to your accounts or be able to view what you just did.
• If you are sitting in a coffee shop enjoying a cup of joe and decide to check out the Internet using their free wireless, avoid logging into any of your accounts that have sensitive data, including your work accounts. Hackers are often found lurking in these places using programs to intercept passwords. If you need to check something and it can’t wait until you get to a secured location, use the data network on your smartphone rather than the wireless. If you’re logging into your office from a remote public location, use a VPN.
• It may seem obvious, but it happens a lot. Don’t tell anyone else your passwords. This includes anyone from your IT department. They just don’t need them. If you just cannot remember it, reset it.
• Make it a routine to change passwords to online accounts regularly. It is recommended to do this at least once every three months.
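As an added example (not the article’s own code), here is a small Python checker that applies the guidelines above: it tests length and character mix, undoes the “1 for l”-style substitutions and reversals that crackers also undo before comparing against a word list, looks for personal details, and flags password reuse across accounts. The word lists, personal details and account names are constructed stand-ins.

```python
"""Checker for the password guidelines in this article.

Added example, not the author's code. The dictionary, common-password list
and personal details are tiny constructed stand-ins for the full lists
a cracker (or a defender) would actually use.
"""
import re

# Constructed stand-ins; a real checker would load full word lists.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}
COMMON_PASSWORDS = {"12345", "123456", "12345678", "password", "qwerty"}

# Substitutions crackers undo before comparing against a word list, which is
# why swapping "1" for "l" or "$" for "s" does not turn a word into a secret.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> set:
    """Return the forms a cracker would test: lower-cased, with trailing
    digits/symbols stripped, de-leeted, letters only, and reversed."""
    base = candidate.lower()
    stem = re.sub(r"[^a-z]+$", "", base)                      # "password123!" -> "password"
    forms = {base, stem}
    forms |= {f.translate(LEET) for f in list(forms)}         # "pa$$w0rd" -> "password"
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}  # drop leftover digits/symbols
    forms |= {f[::-1] for f in list(forms)}                   # "drowssap" -> "password"
    forms.discard("")
    return forms


def check_password(candidate: str, personal_details=()) -> list:
    """Return the guideline violations for one password; empty means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("does not combine upper and lower case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("has no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("has no special character")
    forms = normalize(candidate)
    base = candidate.lower()
    if forms & COMMON_PASSWORDS or any(base.startswith(c) for c in COMMON_PASSWORDS):
        problems.append("is a common password or a derivation of one")
    if forms & DICTIONARY:
        problems.append("is a dictionary word, even if substituted, padded or reversed")
    raw = re.sub(r"[^a-z0-9]", "", base)
    for detail in personal_details:          # names, birthdates, pet names, ...
        d = re.sub(r"[^a-z0-9]", "", detail.lower())
        if len(d) >= 3 and (d in raw or d in raw[::-1] or any(d in f for f in forms)):
            problems.append(f"contains personal detail {detail!r}")
    return problems


def find_reuse(accounts: dict) -> list:
    """Group account names that share a password; each group is a reuse problem.
    `accounts` maps account name -> password (constructed input for the demo)."""
    by_password = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    return [sorted(names) for names in by_password.values() if len(names) > 1]


if __name__ == "__main__":
    details = ["Fluffy", "03/14/1985"]        # constructed pet name and birthdate
    for pw in ["Pa$$w0rd1", "drowssaP9!", "Fluffy2015!", "12345Ab!",
               "Tr0ub4dor&3-saddle-moon"]:
        print(pw, "->", check_password(pw, details) or "ok")
    demo = {"bank": "Tr0ub4dor&3-saddle-moon", "social": "Tr0ub4dor&3-saddle-moon",
            "health": "Kw9#lemon-harbor-ship"}
    print("reused across:", find_reuse(demo))
```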

It’s OK to have online accounts. They are convenient and help us stay on top of information and help us do our jobs. Just keep basic security guidance in mind when using them.

Stickley on Security
Published September 26, 2018

The New Rule That Makes Protecting Your Credit Easier

If you are worried about identity theft, this new law should make you stress a little less.

Starting on September 21, 2018, the Federal Trade Commission (FTC) will make protecting your credit files easier than ever. The Economic Growth, Regulatory Relief, and Consumer Protection Act lets you request a free credit freeze from the major credit-reporting agencies (Equifax, Experian and TransUnion), which must comply by the next business day.

If you suddenly discover that your identity has been stolen, or just decide to freeze your credit as a precaution, the new rule makes it faster and cheaper for most consumers.

What Is a Credit Freeze?

A freeze is when you restrict access to your credit report. If an identity thief steals your credit card information or Social Security Number and tries to open an account in your name, the lender will have to check your credit first. However, with a freeze in place, they will not be able to access your credit report.

New Protections for Children

According to a study by T. Rowe Price, 18 percent of children ages 8-14 have credit cards in their own name. Children are especially vulnerable to identity theft because they do not have much of a credit history. Thieves view them as an easy target, assuming no one will check their credit report for fraudulent accounts.

However, with the new law, children age 16 and under can now have their credit frozen as well.

Is a Credit Freeze Better Than a Fraud Alert?

Typically, experts recommend that you freeze your credit only if you’re confident that someone has stolen your personal information. Remember, freezes also prevent you from opening new accounts.

If you want to be cautious but do not wish to lock down your credit completely, you can create fraud alerts. With alerts, creditors are required to verify your identity if they want to get a copy of your credit report. And unlike a freeze, you can still open new accounts.

September 2018

Smoking Can Be Bad For Your Computer

Opening a Word attachment that is infected with a recent find by Cisco Talos researchers may be hazardous to your health. They have been tracking a new version of Smoke Loader, a malicious application that is used to get other malware onto devices. It can affect anyone, not just those who enjoy a smoke once in a while. Not only was it bad to begin with when it was first found in 2011, but now it is new and improved, and of course more dangerous. You knew I was going to say that, didn’t you?

Smoke Loader spreads via email messages using malicious Microsoft Word documents and a macro. If an attachment is unexpected, don’t open it. If it includes a macro that you are not 100% sure is safe, don’t activate it. In fact, unless you created it, you should keep macros disabled by default.

Having antivirus installed on all devices is always great advice. In the case of this new version, it successfully loads using something the researchers called PROPagate. It injects code that corrupts graphical user interfaces (GUIs), which is the new and improved part of Smoke Loader. GUIs are the visual elements that allow users to interact with icons and other visual cues, as opposed to using text only. Many antivirus products blocked this version of Smoke Loader with great success, so make sure to keep those products updated too.

Smoke Loader’s primary goal is to deliver ransomware and cryptominers onto victim devices. There are other objectives as well, such as stealing stored login credentials or other sensitive information that is transferred via browsers. One of its preferred payloads is to steal banking credentials. From what we know, the phishing emails that distributed this malware are designed to look like legitimate invoices or purchase orders from firms with which many would typically do business.

It also has been known to infiltrate applications such as TeamViewer. That allows it to possibly collect credentials of others on the same network.

It pays to spend some time performing awareness training of all employees and staff on how to avoid phishing and steps to take if they accidentally click on malicious links or attachments.

Stickley on Security
Published September 19, 2018