Beware of Spam; It Might Be Loaded with Ransomware

“Be wary of emails with JavaScript attachments,” is the word coming from Microsoft this week. A recent blast of email messages has been tricking recipients into clicking on JavaScript files and subsequently downloading ransomware to their computers.

These messages carry attachments with file names that are interesting enough that users want to click them; but don’t. The attachments come with a .zip or .rar extension and include such malicious favorites as TeslaCrypt and Locky, which has been attacking hospitals most recently.

There are a few defenses against this. Ensure you always keep a recent backup of important files from your computers. Also, install trusted anti-malware software and make sure it’s kept up-to-date. While this particular attack may get around this, it’s still important to have it installed. Of course, never open attachments or click links in email messages that you suspect may not be legitimate, especially if they come from unknown senders. Remember that if the file has a .js or .jse extension, it should be considered suspect.

Finally, always keep your system updated with the latest critical and security patches. If you have an older operating system, such as Windows XP, consider upgrading to a newer version. Windows XP has not been supported for a couple of years now and as new exploits are found, the vulnerabilities they exploit will not be fixed.

Other tips to defend against this type of spam include:

  • Making sure to scan all email messages that come through with updated anti-malware software,
  • Disabling macros in Microsoft Office programs,
  • Disabling macro loading in Group Policy, if you are in charge of a corporate network, and
  • Educating users on phishing and how to avoid it, including not clicking potentially suspicious links.
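A mail-filter check for the .js/.jse advice above, shown as an added example that is not part of the original article. It uses only the Python standard library; the sample message and its file names are constructed, and holding .rar files for manual review is an assumption made because the standard library cannot read them.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".jse")  # extensions the article says to treat as suspect


def suspicious_attachments(raw_email: bytes) -> list[str]:
    """Return findings for script attachments, including ones inside .zip files."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTS):
            findings.append(f"script attachment: {name}")
        elif name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(SCRIPT_EXTS):
                            findings.append(f"script inside {name}: {member}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
        elif name.endswith(".rar"):
            # Assumption: no RAR reader in the standard library, so hold for review.
            findings.append(f"unscanned archive: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: a message carrying a zip that holds a harmless .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.js", "// constructed placeholder, not real code")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample()):
        print(finding)
```

The check looks one level deep only; a zip nested inside another zip is not opened.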

Remember that paying cybercriminals to unlock files they encrypted with ransomware is not recommended. Instead, restore any affected system with that recent backup you make sure to have on hand.

© Copyright 2016 Stickley on Security

Scammers Can Fake Caller ID Info

Your phone rings. You recognize the number, but when you pick up, it’s someone else. What’s the deal?

Scammers are using fake caller ID information to trick you into thinking they are someone local, someone you trust – like a government agency or police department, or a company you do business with – like your bank or cable provider. The practice is called caller ID spoofing, and scammers don’t care whose phone number they use. One scammer recently used the phone number of an FTC employee.

Don’t rely on caller ID to verify who’s calling. It can be nearly impossible to tell whether the caller ID information is real. Here are a few tips for handling these calls:

  • If you get a strange call from the government, hang up. If you want to check it out, visit the official (.gov) website for contact information. Government employees won’t call out of the blue to demand money or account information.
  • Don’t give out — or confirm — your personal or financial information to someone who calls.
  • Don’t wire money or send money using a reloadable card. In fact, never pay someone who calls out of the blue, even if the name or number on the caller ID looks legit.
  • Feeling pressured to act immediately? Hang up. That’s a sure sign of a scam.

If you’ve received a call from a scammer, with or without fake caller ID information, report it to the FTC and the FCC.

by Andrew Johnson
Division of Consumer and Business Education, FTC

Wire Fraud Phishing Scams on the Rise in 2016

Wire fraud phishing scams are not new. In fact, they seem to be on the rise. Between October 2013 and August 2015, the FBI reported that nearly $750 million was stolen from over 7,000 U.S. companies using this method.

It isn’t limited to the United States either. It happens in Canada, and according to the Canadian Anti-Fraud Centre, this type of Business Executive Scam typically results in losses of more than $100,000 for a company. In that country, in the first eight months of 2015, this type of fraud cost companies $6 million. That is on target to surpass the $19 million from all of 2014.

What can people and companies do to avoid this?

  1. Read emails, particularly unsolicited ones, very carefully if they present any kind of urgent situation that supposedly requires immediate attention. This is one clue that it may be phishing.
  2. If asked to wire or transfer funds from a company account, confirm and re-confirm with the requestor by means other than email to make sure it is legitimate. Don’t simply reply to a message.
  3. Set up a separation of duties process so that no one person can wire money alone. It should require signatures and approvals from at least two people.
  4. Pay attention to grammar and spelling, as well as logos and formatting of email messages, and signatures, even when you know the sender. It’s easy to fake an email address, so when in doubt, trash the message.
  5. Look for urgency cues such as “this needs to be done immediately,” or phrases like “I can’t answer calls right now, so please email back.” These make it seem urgent and attempt to bypass any separation of duties processes that may be in place.

Don’t forget that taking a few minutes to educate staff on how to identify fraudulent requests and phishing email will go a long way in protecting your organization.

© Copyright 2016 Stickley on Security

Bogus debts, bogus collections

At the FTC, they sue abusive debt collectors and try to do right by people who’ve been harmed by unlawful practices. But they also try to protect people from being harmed in the first place. That’s exactly what this article sets out to do: warn you about debt collectors calling about debts that the FTC knows are bogus.

The bogus debts supposedly are payday loans from these companies: USFastCash, 500FastCash, OneClickCash, Ameriloan, United Cash Loans, AdvantageCashServices, or StarCashProcessing. The companies are real, but if you’re hearing from anyone other than those companies, the debts are fake and you don’t need to pay.

Sometimes, if they can’t collect money owed to them, companies sell lists of those debts to debt collectors. But, in this case, we know that didn’t happen. The company that processed and serviced loans from these companies told the FTC that it never sold any customer or account information to debt collectors. Their lawyer even filed a legal declaration saying that.

Even so, we’ve still heard about abusive calls from debt collectors claiming to be collecting money owed to the companies listed above – and we already know that’s not true. But we also know that many of the people who have been called never even had a loan with those lenders in the first place – so the debts themselves also are bogus.

What to do if you get a call from a debt collector who says you owe money to one of those companies? You have rights. Ask for a validation notice, which says what you owe and to whom. After you get it, consider sending a letter saying that you don’t owe the debt. If you’re getting debt collection calls, check your free credit report at annualcreditreport.com. If a debt you don’t recognize shows up there, follow the instructions to dispute the debt. And, as always, report any problems to the FTC.

by Christopher Koegel
Assistant Director, Division of Financial Practices, FTC

Malware Creators Adapt to New SHA-2 Certificate Technologies to Thwart Security Measures

It’s a constant battle between the good guys and bad guys. The good guys are transitioning to the stronger SHA-2 certificates on websites, so the bad guys are now using stolen SHA-1 and SHA-2 certificates.

Symantec noted in a recent blog that these stolen certificates are being used in an attempt to thwart the new browser technology that will indicate if a site is using the outdated SHA-1. In fact, they are using both versions so that older websites will detect the older certificate and newer ones will detect the newer certificate. That’s pretty crafty of them.

They are doing this so that the malware can bypass security measures put in place. Symantec found that a version of the Carberp.B Trojan was modified to use exactly this approach. This malware uses an infected attachment in email with a subject of ATTN 00890 and targets those who work in accounting departments. The macro embedded in the attachment downloads a malicious .exe file from a server in the island nation of Mauritius off the coast of Africa.

This scenario shows how malware creators are adapting and using legacy systems to wreak havoc. So, those who are still running the unsupported Windows XP in their organizations should make a serious effort to upgrade. In addition, make sure all patches are applied as soon as they are released. This should be part of a comprehensive security strategy.

However, because this effort by the malware creators is still new, US companies have been given a window of time to address this specific attack. The window is not big, so action should be taken.

© Copyright 2016 Stickley on Security

Credit Monitoring vs Credit Freeze; What Is the Best for You?

Those who were victims of the massive Office of Personnel Management (OPM) breach of last year (21.5 million as of September 2015) were given the option of signing up for free credit monitoring services for a period of time: up to three years from the date of signup. Other companies that experience a data breach often offer this service to victims. However, what does that really mean, and is credit monitoring going to prevent identity theft?

The short answer is “no.” Credit monitoring and identity theft protection services (the term the OPM used to offer the service to its victims) will send an alert if credit is accessed, applied for, or an account is opened. In some cases, if identity theft does occur it will help you through the process of correcting it. It will not prevent any of this from happening.

On the other hand, a credit freeze will. It blocks any attempt to access credit and the credit bureaus will alert you if someone tries. A credit freeze is recommended to those who have had their social security numbers stolen and who are not applying for credit in the near term. For those who are planning to apply for a mortgage, credit card, car loan, etc., this may not be the right solution. Apply for the credit first, then put the freeze on the account.

That said, a credit freeze may be lifted and re-implemented if needed. Just make sure to check the fine print to find out how much lead time is needed to do this and if additional costs are involved. In some states, the bureaus are allowed to charge for freezing credit. However, it’s a relatively small cost and should be considered peace of mind.

An important detail about taking advantage of any credit monitoring service is that if there already is a freeze on your credit, the credit monitoring services will not work. This is because they need to access your credit so they can monitor it. Therefore, if you do sign up for this (and you should if you are offered it and want to keep your files accessible), sign up for the service first, then freeze your credit. Also, if you have already been an identity theft victim, these services can help you put your credit back together. However, don’t unfreeze it just to sign up. If the third party cannot access your file because it’s frozen, then the credit freeze is doing what it is supposed to do.

Don’t forget to monitor the credit of your children. Theoretically, children under 18 should not have a credit report. The reality is that one in 40 families with children under 18 had at least one child whose information was accessed in an unauthorized manner (from a 2012 study by the Identity Theft Assistance Center and the Javelin Strategy & Research group). If you find a report for your child on file with Equifax, Experian, or TransUnion, it means one of the following:
  • A parent or guardian applied for credit with the minor’s social security number and it was approved,
  • Someone used the minor’s information to get credit fraudulently, or
  • The minor was listed as an authorized user or joint account holder on a credit account.

Unfortunately, the child victims of identity theft often know the thieves; 27% as reported in the aforementioned study. This makes it even more challenging for young victims to report it.

The company that the OPM is paying $133 million to monitor the credit of its victims requests more information than is needed to do the job. They recommend that bank account numbers, credit card numbers, passport details, medical information, and other sensitive information be entered into their forms so that they can watch over that too. However, even if they monitor all of that, it will not prevent identity theft, and in fact it gives a lot of very important information to yet another party, leaving oneself open to even more risk of it being stolen. After all, the more parties that have it, the greater the risk of it being accessed by an unauthorized party.

© Copyright 2016 Stickley on Security