Archive for admin

Be Wary of ‘Order Confirmation’ Emails

Republished from http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/ originally published on 12/14/2014

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

Home Depot Scam Confirmation

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

Walmart Scam Confirmation

This Asprox malware email poses as a notice about a wayward package from a WalMart order.

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet.

Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks. Asprox also deploys a scanning module that forces hacked PCs to scan websites for vulnerabilities that can be used to hack the sites and foist malware on visitors to that site. For an exhaustive and fairly recent analysis of Asprox, see this writeup (PDF) from Trend Micro.

Malcovery notes that the Asprox spam emails use a variety of subject lines, including “Acknowledgment of Order,” “Order Confirmation,” “Order Status,” “Thank you for buying from [insert merchant name here]”, and a “Thank you for your order.”

Target Scam Confirmation

Target is among the many brands being spoofed by Asprox this holiday season.

If you receive an email from a recognized brand that references an issue with an online or in-store order and you think it might be legitimate, do not click the embedded links or attachment. Instead, open up a Web browser and visit the merchant site in question. Generally speaking, legitimate communications about order issues will reference an order number and/or some other data points specific to the transaction — information that can be used to look up the order status at the merchant’s Web site.
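One way to automate the checks this post recommends, as an added example that is not part of the Krebs article: the script below parses an "order confirmation" message, pulls every link out of the body, and flags links whose registrable domain does not belong to the brand named in the From and Subject headers, along with attachments of the kinds that carry malware droppers. The sample message, the brand-to-domain table and the list of risky extensions are all constructed for the demo.

```python
"""Triage an 'order confirmation' style email: flag links whose domain does
not belong to the brand the message claims to come from, and attachments
of the kinds used to deliver malware.  Added example; the message,
BRAND_DOMAINS and RISKY_EXTENSIONS are constructed for the demo."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional
from urllib.parse import urlparse

# Assumed: the real domains for a few of the brands the campaign spoofs.
BRAND_DOMAINS = {
    "home depot": {"homedepot.com"},
    "walmart": {"walmart.com"},
    "target": {"target.com"},
}
# Assumed: attachment types that a genuine order notice never carries.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".jar", ".bat", ".cmd"}

# Constructed message in the style of the campaign described above.
SAMPLE_EML = """\
From: "Walmart Orders" <orders@walmart.com>
To: victim@example.com
Subject: Order Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order could not be delivered. Click
<a href="http://walmart.com.order-status.example.net/track">here</a>
to confirm the order.</p>
<p><a href="https://www.walmart.com/help">Help center</a></p>
</body></html>
--B
Content-Type: application/zip; name="Order_Details.zip"
Content-Disposition: attachment; filename="Order_Details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B--
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels).  Good enough for .com-style hosts;
    a production tool should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(msg: EmailMessage) -> list[str]:
    """Collect href targets and bare URLs from the non-attachment text parts."""
    found = []
    for part in msg.walk():
        if part.is_attachment() or part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_content()
        found += re.findall(r"""href=["']?([^"'\s>]+)""", body, flags=re.I)
        found += re.findall(r"""https?://[^\s<>"']+""", body)
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def guess_brand(msg: EmailMessage) -> Optional[str]:
    """Which brand does the message claim to be from?  Cheap header match."""
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return next((b for b in BRAND_DOMAINS if b in header_text), None)


def triage(raw: str) -> dict:
    """Return the claimed brand, the links that do not point at it, and risky attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    brand = guess_brand(msg)
    legit = BRAND_DOMAINS.get(brand, set()) if brand else set()
    report = {"brand": brand, "suspicious_links": [], "risky_attachments": []}
    for url in extract_links(msg):
        host = urlparse(url).hostname or ""
        # Lookalike hosts put the brand in a subdomain; the registrable part gives it away.
        if registrable_domain(host) not in legit:
            report["suspicious_links"].append(url)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            report["risky_attachments"].append(name)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The point of comparing the registrable domain rather than the whole hostname is that the lure in the sample puts "walmart.com" at the front of a host that actually belongs to example.net; a reader skimming the link text never sees that. Real mail should be checked with a Public Suffix List library, since the two-label heuristic misclassifies hosts under suffixes like co.uk.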

Sony Hack: What You Need To Know

It’s easy to think no one is safe on the Internet anymore. On December 1, tech giant Sony joined retailers like Home Depot and Target on the list of companies hit by a major breach. A large-scale hacking effort hit its film division, Sony Pictures.

There are quite a few reasons for consumers to be aware of this developing story. First off, if you’re a PlayStation owner, you might be wondering if your data was compromised. In addition, if you’re an Internet user, you might be wondering how to keep yourself safe from future hacks. To help address those concerns, let’s go over what we know and what you need to do to protect yourself.

The Hack

On December 1, the FBI issued a “flash” warning alerting business owners to a dangerous new strain of malware. The FBI later confirmed that this malware had been used in an attack on Sony Pictures. Sony issued a statement describing the attack that afternoon.

According to Sony, screens across the company went black, their contents replaced by the message “Hacked by #GOP.” GOP, in this case, stands for Guardians of Peace, the name the attackers gave themselves. The group also threatened to release “secrets” stolen from Sony servers.

Sony suspects that North Korea, or a nation acting as its proxy, may have engineered the attack out of a desire to stop the new James Franco/Seth Rogen movie “The Interview.” In the film, Rogen and Franco are TV personalities sent by the CIA to assassinate North Korean leader Kim Jong Un. The North Korean government has condemned the film in letters to the United Nations and the White House. A representative of the North Korean government denied responsibility for the attack.

The hackers leaked several screener copies of yet-unreleased Sony movies, including the WWII drama “Fury” and the forthcoming remake of “Annie.” They also gained access to a great deal of confidential internal information. The Social Security numbers of several celebrities and the home addresses of many Sony employees have already been made public.

The exact extent of the leak is, as of yet, unknown. Sony has brought in an outside security expert to determine the extent of the damage while the FBI conducts an investigation into the origin of the attack.

The Followup

On December 8, the hacker group Lizard Squad launched another attack, this time targeting the PlayStation Network’s login server. Sony has not indicated whether consumer records were affected by that attack; the outage lasted only a few hours.

While there is no direct evidence linking the two events, the timing is suspicious at the very least. Until Sony completes its investigation, there’s no way to know whether the two groups exploited the same weakness. At time of press, the gaming network is back online.

What Was Learned

As it turns out, individual web users aren’t the only ones who need to beware of suspicious downloads. In several of this year’s big security breaches, malware running on a corporate computer played a central part. Security software alone can’t make up for a user who opens the wrong file.

There’s no need for individual consumers to panic. No user data appears to have been compromised. PlayStation Network users might consider changing their passwords, but no further action is needed. Unless you work for Sony, it’s unlikely your personal information was compromised.

Continue to follow identity monitoring best practices. Check your credit card statements. Change your passwords regularly. Keep an eye on your investment accounts. Report suspicious account activity immediately.

The real lesson from the Sony hack should be the prevalent threat of malware. Even with the highest caliber security software, downloading a dangerous file can do serious damage to your computer and your identity. Here are a few guidelines to help keep you safe online:

  • Don’t open attachments within emails unless you’re expecting them. The rise of email worms that spread using contact lists means an attachment from a familiar name is not automatically safe. If you need to share a picture or document, consider using a file-sharing service instead; free apps like Dropbox or Google Drive keep your files safe and shareable.
  • Don’t follow links if you don’t know where they’re going. A malicious program can be cleverly disguised behind a news headline. Hover over a link to see its real destination, and if you don’t recognize the host of the website, just don’t click it.
  • Safeguard your login information. Don’t share usernames or passwords for any service with anyone. Any piece of identifiable information you publish can be used to phish for more passwords.

Cash Flow Budgeting

A Fast, Flexible Way To Fix Your Finances

You’ve heard it from a million places: Budget your money! Make a firm plan and stick with it. It’s the pathway to prosperity!

For many people, though, that advice just doesn’t resonate. They feel constricted by a budget. Keeping cash in separate envelopes makes them feel like they can’t have a life. It takes too much planning and too much rigid denial. They break their budget and sometimes wind up in serious financial trouble.

Other people have an inconsistent cash flow, making creating and keeping a budget difficult. Maybe they’re freelancers who work gig-to-gig. Maybe they’re in commissioned sales. Maybe their hours fluctuate month-to-month. Whatever the reason, it’s hard to make a detailed plan when your bottom line changes every month.

The answer isn’t to give up on budgeting. The collective wisdom, that monitoring your expenses and income streams is the way to stability, still holds true. It might just require a different approach to budgeting: cash flow focus.

Cash flow focus is the strategy used by most businesses. They pay their fixed costs, and whatever is left is used to grow the business. You can manage your finances the same way.

Just follow these four steps:

1.) Automate your savings

Even if you disregard everything else in this article, implementing this one tip can be life-changing. Figure out how much of your income you can save, then take that out as soon as you get paid. You can set up monthly transfers from your draft account to your savings account. You can also divide the money between the accounts on a per deposit basis. How you choose to do so is less important than doing so.

Like the saying goes, pay yourself first. This savings provides you the flexibility to cover big expenses or make major purchases on your schedule. It’s the single most important step in any budget, but it’s even more important with cash flow budgeting.

When you automate your savings, you remove the money you saved from consideration. You can’t spend it; you’ve already spent it on savings. The importance of this kind of savings will become more clear once you see this budget in action.

2.) Pay your needs and your priorities

Make a list of your essential expenses each month. Include your rent or house payment, your car loan and your utilities. Also include your student loan payments, your insurance and other necessary expenses. These are your “fixed costs.” They get paid after your savings contributions are made.

Next, make a list of your priorities. Include your charitable contributions, vacation savings and retirement account contributions. These are your “growth expenses.” They get paid after your fixed costs.

If you don’t have enough money to cover these bills, you don’t need a better budget. You need to lower those bills or increase your income. No amount of spreadsheet magic will change that bottom line.

It’s helpful to automate savings for these expenses, too. That way, you never get caught short on these bills. Transferring this money to a check-only draft account can be a helpful way to ensure you don’t spend it.

3.) Spend the leftovers

This message may sound peculiar for personal finance advice. Remember, though, that you’ve already automated your savings. What you’re spending here is the leftovers – the extra that’s left at the end of the month.

Spend this money however you like – don’t worry about putting this much in entertainment and that much in travel. Just keep track of how much you’ve spent so you don’t accidentally overdraft your account.

This approach allows you to go out or indulge in a latte. You don’t have to worry about including it in your budget. Your spending habits might change as the month goes on, just like a business. If you know there’s a big outing before you get paid again, you may want to save some money for that. You don’t need to say that you can’t go because you didn’t budget for it.

4.) Roll over what’s left

If you’ve worked in a big business, you’ve seen departments desperately spending at the end of the fiscal year. Departments buy cases of pens and paper, knowing that they’ll lose whatever they don’t spend. Fortunately, you’re more flexible than a big business. You don’t have to spend it all. If you have money left over at the end of the month, then you have more to spend the next month.

If you have a month with slightly higher expenses, you can cover it from a previous month’s slightly lower expenses. Your spending will change from month to month, as might your income. So long as you keep the former smaller than the latter in the long run, you’ll be fine.

That’s what cash flow budgeting is about: flexibility. You don’t have to write your unbudgeted spending purposes in stone. You don’t have to mess with cash envelopes or other strategies. You can spend when you have money and save for when you don’t.

Unprepared for College Tuition? You’re Not Alone!

If you are the parent of a college-bound high schooler who’s starting to look at colleges, but find yourself in the difficult position of not having any savings to put toward the cost of education, take a deep breath. Sending your child to college without any savings isn’t going to be easy. It’s going to take more research, more writing and more debt. But this disadvantage isn’t insurmountable. You and your child are both just going to have to work a little harder to make this happen.

Before you begin planning your course of action, get a realistic estimate of costs. The College Board maintains an Expected Family Contribution (EFC) calculator. Using this tool, enter your income, savings, and the number of people in your household. At the end, you’ll get a dollar amount showing how much the federal aid formula expects your family to pay. You can use this number as a target for how much you’ll have to come up with each year.

As hard as it might be to have this conversation with your child, you ought to have it. At some point, your student will have to read and sign the FAFSA (Free Application for Federal Student Aid), which requires your income and savings information. This will also help your child make an informed decision about which school to attend.

Once you have a good understanding of realistic costs, it’s time to start planning. Here are three options to consider as you and your child are planning the next steps:

1.) Choose flexible schools

Encourage your child to apply to and visit a few schools where he or she would likely be among the best students. There’s a dirty little secret in the college admissions world. The quality of instruction at most non-Ivy colleges is the same. What’s different is the environment. What makes your student most comfortable: a small, liberal arts school or a big state school? There are many in both categories at all points on the cost continuum.

Many schools in both categories struggle to attract quality applicants. They will be eager to accept a bright and promising young person who can make their school a better place. These schools may offer extensive grants, scholarships, work-study offers, and other tuition breaks.

If your child is reluctant to consider schools that don’t have an elite price tag, you might want to frame the concern as future debt. Use current examples of people who just graduated and can’t find work in their fields. Encourage them to think about the next five or six years of their life, rather than just the next four.

2.) Take a look at loans

If you have nothing saved for college, the unfortunate reality is that you’ll likely have to borrow at least something. The federal government caps how much it will lend to students each year, and how much of that is subsidized depends on need as measured by the EFC, or expected family contribution. These loans have quite favorable rates and good repayment terms that will help young people stay out of trouble.

The NASA Federal Credit Union CU Student Choice Loan can help you pay for education expenses. Get competitive interest rates and generous repayment terms. Plus, with our fast online application, get the money you need to pay for college quickly. To learn more about NASA Federal’s education loan options, visit the Credit Union Student Choice Loan Center.

Borrowing for college isn’t the end of the world, but you will need to repay all that money whether there is a degree at the end of the adventure or not. This can be a serious burden for a new graduate, even with income-based repayment programs. Don’t give in to “debt creep,” or the feeling that, since you’re borrowing, there’s no reason to borrow less than the most you can. $19,000 in debt is better than $20,000 in debt. Every dollar not borrowed is compounded by the absence of interest on the other end.

Outside of a mortgage, though, a student loan is the safest investment you can make. The earning potential of a college graduate is significantly higher than that of a high school graduate. There’s no need to be ashamed about borrowing to pay for school. Just use it responsibly.

3.) Consider non-traditional options

There’s no rule that says every 18-year-old has to graduate high school and then immediately enroll in college. In fact, in many other countries, the so-called “gap year” is quite common. Students use this time to work at part-time jobs, volunteer, and build their resumes. The difference between a 23-year-old college graduate and a 22-year-old college graduate is negligible. A student working and saving for a whole year could save $10,000 for college. That’s enough to defray a real share of the cost of tuition. Plus, building a resume will make it much easier to find work on the other side.

Community college may also be an attractive option. Many community colleges offer significantly discounted tuition for exceptional students, and these institutions teach the same general education courses for a fraction of the price. It’s not a free alternative: you’ll still have to pay for housing and transportation. Yet the more flexible schedule makes it easier to work a part-time job while going to school, and tuition costs half as much or less. No employer or grad school will react badly to two years of community college. Once your child graduates with a four-year degree, that degree is the same as the one earned by a student who spent all four years at that school. Community colleges aren’t free, but they’re certainly not as expensive as a residential college.

Having no college savings does set you behind in the education race, but there are many alternative options. Have a frank, honest conversation with your student, and then do what’s best for you and your family. And don’t forget to celebrate the positive – you raised one smart kid.


The 12 Scams Of The Holidays

The holidays are a time of family togetherness and celebration. Scammers know you’re distracted, busy, and emotional. That’s why their schemes are so devilish. They get their own twist around holiday time.

In the interest of keeping things in the holiday spirit, let’s look at 12 scams of the Holidays. Don’t get taken in by these or similar schemes. Otherwise, you might be footing the bill for twelve drummers drumming and all the rest!

1.) Mobile malice

Be wary of “season-themed” apps that perform frivolous functions, yet demand top-level security access. An app that makes it look like there’s snow on your background image doesn’t need to send or receive texts. Such an app might send premium text messages and leave you holding the bill.

2.) E-card danger

Everyone with an email address sends these little Flash-based greetings. Scammers have designed some with malicious code that can install data-stealing programs on your computer and do untold damage. Don’t click links in emails unless you know the sender, and even then, if it looks a little out of the ordinary, it probably is. Contact the sender to verify that they sent you the electronic holiday greeting. If they didn’t, they may have already fallen victim, and it would be good to let them know.

3.) Fake packages

You’ll be receiving unexpected packages this season. Scammers know this and will send realistic-looking delivery failure notifications via email or leave a counterfeit note on the door. They expect you to follow up by clicking the link in the email or calling the number. Clicking the link may result in malware being downloaded onto your device. If you call, the scammer will ask for debit or credit card information to pay an “outstanding fee.” Instead, head to your local post office, go directly to the delivery service’s real website and use its track-a-shipment feature, or look up the carrier’s phone number yourself and check with a clerk before you hand over any information via the Internet or phone.

4.) Hotel “Lie”-Fi

The FBI issued a warning to this season’s travelers about a malicious pop-up at hotel chains around the country. This scam requests people install a foreign program before connecting to a hotel Wi-Fi network. This foreign program turns out to be data-stealing malware. Remember, Internet connections you don’t own or control can easily be used against you. Before you use the Internet at a hotel, ask yourself if it’s worth the risk. If you do need access, be wary of what you’re installing–there shouldn’t be a need to install anything.

5.) Festive spam

We’ve all gotten used to filtering out spam in our email. Now prepare yourself for it to take on a more holiday-oriented theme. Messages will suggest that off-brand Rolex watches and cheap pharmaceuticals would make excellent gifts. Be careful, though, because these companies might just be in the market for your personal information.

6.) Bogus gift cards

There’s a bonanza of savings to be had buying gift cards through second-hand retailers. Be careful, though, because many of these retailers might be a front for scammers. Gift cards may be invalid, used, or forgeries, and you’ll be left holding the bill.

7.) Fake charities

These crop up every time there’s a major disaster, but they also show up at the holidays. Leaflets and phone calls from organizations with familiar-sounding names will soon appear. To be safe, don’t give to any charity with whom you didn’t start the contact. Do your research on the alleged charity to make sure it is legitimate and give to charities whose values align with your own.

8.) Must-have gift scams

There will soon be an “it” gift. You’ll know it by the high demand, low supply, and hugely inflated prices. Almost on cue, websites will pop up offering the rare widget at unbelievably low prices. This is a scam: the advertiser doesn’t have the product and is only using the offer to harvest personal information or to take your hard-earned money. The same trick shows up on sites like Craigslist or eBay, where the seller asks for payment through PayPal and never ships the item you purchased.

9.) Holiday catfishing

“Catfishing” means pretending to be seeking a romantic partner on the Internet to dupe people. Scammers take advantage of the loneliness the holidays can evoke to trick people out of gifts or worse. As tempting as it is to believe in love stories during the holidays, keep your feet on the ground and practice safe Internet dating. A good rule of thumb: If you’re single at Halloween, stay that way until after New Year’s.

10.) Holiday vacation scams

If it’s cold and miserable where you are, it’s always tempting to go someplace tropical for a few weeks. If you’re thinking about getting away, be careful of unrealistic prices or “too-good-to-be-true” travel offers. Scammers have been setting up phony travel sites to harvest personal information. Only book through reputable websites.

11.) Devious Holiday games

If you’re facing a 5-hour flight and a 3-hour layover, it’s fantastic to have a distracting mobile game to pass the time. Be careful, however, not to download the wrong one. Mobile games can harvest data from your phone or steal password information. Always do a quick search to check the validity of the app you’re downloading and read the permissions carefully. A fun game should never ask for permission to send texts or send information to third parties.
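A permission audit of the kind items 1 and 11 describe, as an added example that is not part of the original post: given an app’s AndroidManifest.xml, or the output of `aapt dump permissions` for a packaged APK, the script lists the permissions the app requests and flags the ones a snowfall wallpaper or a casual game has no business holding. The sample manifest, the sample aapt output and the RED_FLAGS policy are constructed for the demo; the permission names themselves are the real Android ones.

```python
"""Audit the permissions an Android app requests against what a frivolous
app (snowfall wallpaper, holiday game) could plausibly need.  Added
example; the sample manifest, the sample aapt output and the RED_FLAGS
policy are constructed for the demo, the permission names are real."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed policy: anything that can cost you money or leak personal data is a
# red flag for an app whose only job is to draw snow on your wallpaper.
RED_FLAGS = {
    "android.permission.SEND_SMS": "can send premium-rate texts you pay for",
    "android.permission.RECEIVE_SMS": "can read incoming texts, e.g. bank one-time codes",
    "android.permission.READ_SMS": "can read your stored text messages",
    "android.permission.CALL_PHONE": "can dial numbers, including premium ones",
    "android.permission.READ_CONTACTS": "can harvest your address book",
    "android.permission.ACCESS_FINE_LOCATION": "tracks your precise location",
    "android.permission.READ_PHONE_STATE": "reads your phone number and device IDs",
}

# Constructed manifest for a 'holiday snowfall' live wallpaper.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snowfall">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Snowfall">
        <service android:name=".SnowService"/>
    </application>
</manifest>
"""

# Constructed 'aapt dump permissions' output.  Newer aapt prints name='...',
# older builds print the bare name, so the parser accepts both forms.
SAMPLE_AAPT = """\
package: com.example.snowfall
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: android.permission.VIBRATE
"""


def permissions_from_manifest(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def permissions_from_aapt(dump: str) -> list[str]:
    """Parse 'uses-permission' lines from aapt output; the manifest inside an
    APK is binary XML, so ElementTree cannot read it directly."""
    return re.findall(r"^uses-permission:\s*(?:name=')?([\w.]+)", dump, flags=re.M)


def audit(permissions: list[str]) -> dict[str, str]:
    """Map each red-flag permission the app requests to why it matters."""
    return {p: RED_FLAGS[p] for p in permissions if p in RED_FLAGS}


def verdict(permissions: list[str]) -> str:
    """Human-readable summary: 'OK' or a list of the suspicious permissions."""
    flagged = audit(permissions)
    if not flagged:
        return "OK: no permissions beyond what a casual app needs"
    lines = [f"SUSPICIOUS: {len(flagged)} red-flag permission(s)"]
    lines += [f"  {p}: {why}" for p, why in flagged.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(permissions_from_manifest(SAMPLE_MANIFEST)))
    print(verdict(permissions_from_aapt(SAMPLE_AAPT)))
```

The two parsers exist because a manifest you can read as text only comes from source or from a decoded APK; for an installed app, `aapt dump permissions app.apk` gives the same list without decoding the whole package. The policy table is the part to adapt: a messaging app legitimately needs SEND_SMS, a wallpaper never does.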

12.) Free USB Tricks

Be careful with unsolicited gifts of “free” USB thumb drives. Security firm McAfee warns that many of these devices come pre-loaded with malware. Such scams often target company computers, so ensure you only use approved hardware on your work network. USB storage is cheap enough that you can pass on the freebies.


Consumers Targeted in Counterfeit Check Scam

We have been alerted to a counterfeit check scam in which consumers receive counterfeit checks via FedEx as part of an online job offer they accepted. The counterfeit checks may be accompanied in the FedEx package by a generic letter claiming to be from “Lisa Banks from the Payment Department.” The letter instructs recipients to deposit the check into their personal account and then send a portion of the funds back, usually by Western Union. The checks are not valid financial institution checks. When the check is returned unpaid, the deposit is reversed, and the money already wired to the scammer is the depositor’s loss.

If you receive a FedEx package containing a check with the NASA FCU name and address and believe that it may be part of this counterfeit check scam, or if you would like to verify a check presented for deposit, please contact the Credit Union at 1-888-NASA-FCU (627-2328).