Ransomware and Mobile Devices

One moment, you’re surfing the Internet. A minute later, a pop-up shows your files have been taken hostage and that you’re required to pay a $300 ransom to have them released back to you. You stare at the screen in disbelief. How is this possible, especially considering you are on your mobile device?

Ransomware – malware that accesses your computer system and blocks access to your files until a ransom is paid to restore access all while stealing your payment information – has been becoming more prevalent among PC users. While these attacks typically focused solely on PCs, they are now adapting to include mobile devices. That’s right, the very same mobile devices you use to access your credit union accounts for checking balances, transfer funds and make payments.

An example of a Russian-based mobile device ransomware is called “Svpeng.” It focuses on tactics for infecting mobile phones and mobile banking applications. It infects the device with a phishing window when the application is opened. This overlay attack is used to steal online banking information as the malware pretends to be the application’s login screen. The user enters login and password information, which is then stolen by the hackers. Once they have access to the account, they can control the account. Svpeng also phishes through Google Play if that is on the mobile device.

This tactic also involves SMS messages being sent to two Russian banks to determine if the phone number of the device is connected to any payment cards. If a card is indeed connected to a number, the hackers use commands through the device to transfer the victim’s money into their own accounts. While Svpeng has currently been seen only in Russia, it is expected to expand into other countries; one of the features of the ransomware checks the mobile device’s language settings to determine the appropriate language to use for the attack.

As time goes on, other PC-based ransomware programs may also be adapted for mobile devices or more ransomware programs that are specifically designed for mobile devices may be created. Hackers are always looking for ways to evolve their tactics in hopes of stealing more information and making immediate profits. Svpeng, for example, had 50 modifications to its malware within a three-month period.

How does this type of malware get onto a PC or a mobile device? It could be through a “drive-by download” where malicious software is downloaded without the user even knowing about it. This happens as the user surfs the Internet without a care, yet comes across a compromised Web page or clicks to a website through an HTML-based email. It could have been downloaded through a phishing email, which appears to be from a credit union, yet is a fake email linking to a compromised Web page. The ransomware could also come through an email attachment that is malicious.

After the infection occurs on the mobile device or PC, the overlay or ransomware tactics are used as was described with Svpeng. That way the hackers can either directly steal the login and password information when the credit union account is accessed, or the user is blackmailed by a direct ransomware attack to send money to unlock the mobile device.

Many of the ways ransomware can be prevented from infecting a PC are the same for preventing on a mobile device. Make sure data on a mobile device is regularly backed up. This will help with recovering information if the device is hijacked. Make sure an antivirus program is running on the mobile device. Follow safe Web browsing habits. Block suspicious emails.

Don’t download data or apps from questionable sources. Don’t “jailbreak” a device where built-in controls and security features are overridden; this removes an additional layer of protection against ransomware attacks.

If you think your mobile device has become a victim of ransomware, you can try to remove it by running a virus scan through mobile antivirus software. Don’t pay any ransom because it won’t guarantee the release of your data and you are giving additional payment information to the hackers. If none of these work, talk with your mobile device or cellular provider and/or their tech support. Of course, notify your credit union to monitor your accounts for any potentially fraudulent activity.

Emails and Phone Calls from Utility Providers

Usually, you get your electric bill in the mail. This month, however, it appears in your email account. You don’t remember signing up for the electronic version of the bill. You aren’t even sure they have that available. You stare at the email. Wait. How did a bill that is normally $150 a month suddenly jump to $550? You stare at the email in a panic.

In another scenario, you receive a phone call from someone claiming to be from your water company. They tell you that you owe on your account or your water will be immediately shut off. You are pretty sure you paid that bill last week. If only you could find the most recent bill while also trying to find a debit card to pay the bill.

If anything like this happens to you, it should trigger alarm bells. What you’re encountering may be fraud. It may come in the form of emails or phone calls, but the goal of the fraudster is the same: to steal your information.

This is happening to customers in Pennsylvania, Texas, Oregon, Florida, and Oklahoma. It has happened under the guise of reputable companies such as UGI Utilities, PG&E Energy, Atmos Energy Corporation, Portland General Electric, NW Natural Gas Company, Pacific Power, and Duke Energy.

If you get an email from a utility company, pay attention to the account number, the logo and the return email address. Even links within the email can actually send you to a fraudulent website that looks just like the website you would expect to see. Pay attention to the amount. Is it close to what you typically pay? Of course, consider if you even signed up for electronic bills from the utility company. If things don’t look right or you just aren’t sure, don’t click on any links and contact your utility company immediately. It should go without saying, look up the phone number in the phone book or online – don’t rely on any phone number that is printed within the suspicious email.

If a phone call comes from someone claiming to be from your utility company, consider that your service won’t be turned off that instant. In other words, don’t reach for that prepaid debit card. And remember, if indeed your bill is past due, you will be mailed other reminder notices. The phone call won’t be the only indicator that your bill is past due (if it really is).

If you get an email or phone call, gather as much information you can from the caller. Refuse to pay any money or provide personal information like account numbers, tax identification, etc. Call your utility provider and share the information. If it is a fraudulent email or phone call, you likely aren’t the only potential victim. Any information you share with your real utility provider will help them inform their customers and protect their financial identity.

Heartbleed Bug: Your NASA FCU Accounts are Not Affected

You may have heard the news reports regarding security vulnerability called Heartbleed. The Heartbleed Bug affects OpenSSL-an open source software widely used to encrypt Web communication.

First, we want to assure you that your NASA Federal Credit Union accounts are not affected by the Heartbleed Bug.

Do Our Members Need to Take Action?

NASA FCU Member Accounts have not been affected however we always encourage members to routinely change their passwords and to continue to take proactive steps towards protecting their personal information from fraud. We also encourage members to be cautious of what sites they visit, sign on to, and what links they click since these may be unsecure.

Members can visit the NASA FCU Security Center for more information on protecting themselves from fraud, as well as the steps NASA FCU takes to keep their information secure.

More information on the Heartbleed SSL can be found at www.heartbleed.com.

How to Protect Yourself from Identity Theft

Identity Theft

Data breaches at retail establishments and universities seem to be abundant these days. And if you’re like most of us, you may be wondering if there’s anything you can do to help protect yourself—and your credit—from prying eyes.

According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, there is an important tool you may consider: a credit freeze—or security freeze—on your credit report. By employing a credit freeze, you essentially restrict access to your credit report.

The reason this tool is so effective is that creditors must review your credit report before approving new accounts. If they are unable to access your credit file, they are unlikely to extend credit. As a result, restricting access to your credit report puts the brakes on identity thieves who would open new accounts in your name.

To place a freeze on your credit reports, you’ll need to contact each of the nationwide credit reporting companies: Equifax, Experian, and TransUnion. Be prepared to share with them your name, address, date of birth, Social Security number and other personal information. There are also fees for this service. They are based on your address, but they typically are only between $5 and $10.

A credit freeze does not affect your credit score or prevent you from getting your free annual credit report. You can still open new accounts, apply for jobs, rent an apartment, and buy insurance, but you’ll need to lift the freeze temporarily, either for a specific time, or for a specific party, say, a potential landlord or employer. The cost and lead times to lift a freeze vary, so it’s best to check with the credit reporting company in advance.

Although a credit freeze is an effective tool, it won’t prevent a thief from making charges to your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions.

Watch out for Mail Thieves

A new scam may be coming to your neighborhood. Thieves are now driving around residential areas and stealing the outgoing mail from residential mailboxes. These thieves usually strike in the morning and usually after you have placed outgoing mail in your home mailbox. Just like your normal mail carrier, these mail thieves are looking for the little red flag standing up to signal that outgoing mail is sitting in the mailbox. The thieves will then steal the envelopes and search inside for checks that you have written to pay your monthly mortgage, electric bill, phone bill, etc… Upon stealing your check, these mail thieves alter the check to a new payee name and dollar amount. They then have a person walk into a branch office of the Financial Institution that the check is drawn on and attempt to cash the altered check.

Amazingly, this crime may all happen on the same day that you mailed your payment out!

Tips on how you can help prevent mail theft:

  • Consider only putting outgoing mail in a locked mailbox, in a blue USPS collection box, or drop it off at the post office.
  • Retrieve your mail as soon as possible after it is delivered. Don’t leave your mail unattended for extended periods. Don’t leave mail in your mailbox overnight.
  • If you cannot regularly retrieve your mail promptly, consider installing a lockable mailbox or obtaining P.O. Box service from your local post office.
  • If you will be away from home temporarily, you can notify your local post office to hold your mail with the online hold mail service on the US Postal Service website.
  • Ask your financial institution if your check order can be picked up at a branch location that you normally visit.
  • Monitor your bank account statements regularly, and report any checks that you did not authorize.
  • Make sure that your contact information (phone numbers, email) is up to date on your checking account- that way, if your financial institution is suspicious of a person presenting your check for cashing, they can quickly contact you to verify whether the check is valid or not.
  • Be alert for unusual activity in your neighborhood. Watch out for strange cars and/or persons that are going into mailboxes along your street.
  • If you believe you are a victim of mail theft or see suspicious activity, call the local police or contact the U.S. Postal Inspectors at 877-876-2455 or on the Postal Inspectors website.

NCUA Warns about Telephone Fraud

​Consumers Targeted by Vishing Scam Should Call Agency’s Hotline

The National Credit Union Administration today warned consumers to beware of a new telephone fraud, known as a “vishing” scheme, that is using the agency’s name in an attempt to obtain personal financial information.

Several credit union members have been contacted by an automated phone call claiming to be from NCUA and notifying consumers their debit cards have been compromised. The call then asks the receiver to follow prompts, which request personal information, including sensitive financial data and personal identification information.

Anyone contacted by this so-called “vishing” scheme should immediately contact NCUA’s Consumer Assistance Center Hotline at 800-755-1030 or by email at phishing@ncua.gov to report the scam. Operators answer calls Monday through Friday between 8 a.m. and 5 p.m. Eastern.

NCUA neither seeks personal information from consumers over the telephone nor handles day-to-day maintenance of member account information. NCUA works with law enforcement agencies, including the FBI, to protect consumers from frauds of this nature.

NCUA urges consumers to never verify or release personal financial information to unknown callers.