Student Loan Applicants Victims of Tax Fraud from Breached IRS Data Recovery Tool

The New York Times recently reported a data breach of the Internal Revenue Service (IRS) websites that taxpayers can use to auto populate student loan application forms with relevant income tax data. The two sites, and are in addition to a previous IRS breach in 2015 with the “get transcript” feature of the site.

In this incident, the IRS is estimating that up to 100,000 parents and students who applied for loans were affected. The cyberthieves can use the information that is auto-populated into the FAFSA (Federal Application For Student Aid) to file fraudulent returns with the IRS and get victims’ refunds. At this time, the IRS believes that fewer than 8,000 fraudulent returns have been filed and refunds paid to thieves as a result of this.

All who have been victims of this or any incident in which social security numbers were accessed should take some steps to protect themselves from additional fraud and identity theft.

File income tax returns early every single year. This will prevent someone who may have saved your details from doing it first. A payment card number can be changed relatively easily, but a social security number remains with you and can only be changed under extreme circumstances and with extreme effort.

If you haven’t filed this year, contact the IRS proactively to find out if you are on the list of those affected in this. So far, they have notified 35,000 victims and will continue to send out letters.

Monitor your credit reports regularly. Everyone with credit in the U.S. is entitled to one free credit report each year from each one of the three major credit reporting agencies (CRA). You can get it from their sites, but watch for the fine print where it asks for payment. If so, they might be trying to sneak in extra services and products that you are not required to purchase to get your free report. There is also a website, where you can order them all. Report any suspicious accounts you see on them to the CRAs and get it resolved. Sometimes they are honest reporting mistakes, but sometimes they are fraud.

Add fraud alerts to your credit reports. These won’t prevent someone from opening an account in your name, but they will let you know if someone does.

If you have no need to apply for credit of any kind for a while, consider putting a credit freeze on your reports. This will prevent anyone, including you from opening accounts. If you need to apply for something, you can take the freeze off temporarily. Be aware that this service usually costs a small fee and there may be lead times to remove a freeze.

If you do find fraudulent charges on any payment card accounts or otherwise, be sure to change passwords for those accounts immediately.

Report fraud and Identity theft to the Federal Trade Commission (FTC) and to your local law enforcement agencies. Sometimes, the CRAs will provide services free of charge to fraud victims with a police report number.

The IRS noticed an increase in FAFSA applications that were not finished in the fall. This was a possible indicator that hackers may have been at work. In addition, IRS Commissioner, John Koskinen reported in a Senate Finance Committee hearing about this that the agency had concerns several months ago about the security of the site. However, they chose to leave the Data Retrieval Tool up as there was no evidence of foul play. And parents and students rely heavily on the tool so they don’t have to manually re-enter all the information.

The tool has been taken down now and will not be put back into place until October as new security is being put into place. Anyone needing tax return information from 2015 (the filing year needed for the current term application period) will need to manually enter the information into the FAFSA. If you don’t have your returns, you can order a transcript from the IRS at its website.

© Copyright 2017 Stickley on Security

Free Travel Coming Your Way Via Airlines. Or Is It Really?

The airline industry has a lot of information on passengers. That’s why using them for phishing attacks is useful to cyber criminals. In response to a warning from Delta Airlines, the U.S. Computer Emergency Readiness Team (US-CERT) issued an alert recently warning airlines consumers to be on the lookout for email messages attempting to gain access to personal and sensitive information.

Delta recently put a notice on its website warning its passengers of attempts to access personal data in email messages claiming to be from the airline. In these, are promises of free travel or prizes, invoices, or other documents, which Delta makes clear are fraudulent and may contain malware. The criminals go to great lengths to copy the company’s website making it difficult to tell it’s fake.

If you receive a message in email, social media, or any other way promising free travel or prizes from any airline, you should consider it suspicious. Before clicking any links or attachments, go directly to the airline’s website to verify contests or giveaways. Most likely, these are phony. If it seems too good to be true, it really is.

The Delta notice also warns consumers that they do not market to them using giveaways and prizes.

Although Delta issued this particular notice, other airlines are not immune to similar scams and phishing attacks. Southwest has been used often in scams seen on Facebook and United experienced a breach of its systems in 2015. Loyalty programs for airlines, hotels, and others are frequently targeted by scammers.

When signing up for programs like these, always use strong passwords that include:

At least eight characters
Upper and lower case letters
At least one number
At least one special character

Passwords also should not contain personal or sensitive information such as birthdates, names, or addresses. Remember to change passwords regularly, even for loyalty programs and that each password used on a site is unique to that site.

There is one last thing. If you are entering sensitive information into any website, such as payment card details, be sure to confirm that the site is secure. Look for the lock icon or the “https://” preceding the address and that the spelling of the URL is correct before hitting the “enter” or “return” key. When in doubt, don’t enter any information.

© Copyright 2017 Stickley on Security

Surfing the Web and Social Media at Work Adds Risk to Your Company’s Security

Let’s say you’re at work and doing what so many of us do and eating your lunch at your desk. You decide to do a little bit of browsing or peruse your social media accounts. What you are doing is putting your company at risk of malware attack.

Cybercriminals actively use social media and social networking sites for phishing and to distribute malware. Passwords for accounts are regularly stolen and reused. Personal blogs, entertainment sites, and file sharing services are all potential entry points for various types of malware onto a company’s network. Drive-by malware downloads are a popular tool for cybercriminals and these can happen without anyone knowing and can be completed in a mere fraction of a second.

In 2009, some major software companies, including Google and Yahoo fell victim to an attack called Operation Aurora. This took advantage of a vulnerability in Microsoft’s Internet Explorer Browser on Windows XP. It was serious enough that the German and French governments recommended that users stop using Internet Explorer until the issue was resolved.

The perpetrators gathered information from social media about users including interests, birthplaces and dates, schools attended, etc. The attackers then created Facebook pages and befriended the victims’ friends before requesting friendship from the targets. All of this was in effort to gain trust. When the victims used their lunch break (or other time while at the office) to catch up on all the social news of the day, it was only a matter of time before the attacker was able to get that victim to click something malicious allowing entry into the corporate network.

Even if your company has a plethora of perimeter security tools implemented, they are not foolproof. The cybercriminals are generally one or more steps ahead of these tools. Therefore, it’s up to us to be on guard for these attacks at all times.

1. Always be 100% certain that any links or attachments clicked in email or on social media are safe. If you cannot be sure, don’t click them.

2. Consider the information you share on social media and business networking sites. Spear-phishing is a way that attackers target victims by using information found on social media or by social engineering. They use that information to perform attacks such as business email compromise (BEC) or W2 Fraud.

3. Always keep all devices and computers updated with the latest operating system versions and software. In the office, the IT department might do this. However, if you bring your own device to work and connect to the WiFi for example, you are adding risk to your company if your devices are not kept up-to-date.

4. When multifactor authentication (MFA) is offered for an account, take advantage of it. Facebook offers it, as does Twitter, iCloud, Google, and many others. It will prevent someone from gaining access to your account with merely with a password.

5. Always pay attention to awareness training and to any information you receive about potential threats. This information is provided to help you supplement those security tools that protect the perimeter of the office network. While they can detect key words and phrases to filter out potentially threatening email, for example, they will never be 100% accurate. It is difficult to imagine a time that human interaction will not be necessary to prevent cyber-attacks.

© Copyright 2017 Stickley on Security

Phone Fraud is Real and Raking in Millions

While social engineering comes in many forms, over the past two years phone fraud has been seen a steady rise with some organizations reporting more than a 30% increase in attacks. Social engineering via the phone offers many advantages to criminals because of the limited technical resources required, the low risk of capture if detected and the ease in which these attacks can be performed.

Most organizations have set policies designed to prevent employees from falling victim to phone fraud. The problem is that these policies are often the same for all organizations and over time criminals have become aware of how these policies work and are finding new ways to have success through loopholes in these policies. In addition the types of attacks themselves are changing, making it more difficult for employees to detect fraudulent activity based on the policies implemented by the organization. This is why it is so important that employees not only follow the policies of the organization but also use their own intuitions when speaking with people on the phone.

Often when a customer calls into an organization they will provide their name and then the employee will ask additional verification questions to confirm the person is who they say they are. Unfortunately many of the verification questions such as mother’s maiden name, first pet name, favorite color, favorite teacher in school, etc. can often be discovered through social media sites. In addition, through the dark web, databases are for sale that contain thousands of people and their associated verification answers including the last four digits of their social security number. Generally this information has been gained through previous phishing attacks.

Another form of verification often used to confirm the identity of the caller is caller ID. Many automated systems will check the phone number of the caller automatically and flag the user as verified when they are connected to the employee. While caller ID does help in the verification process, criminals now have access to online services that for a small fee will allow you to change your caller ID to any number they choose. This in turn makes the caller ID validation only a layer of security and not a guaranteed verification.

Because it has become so difficult for an employee to guarantee the caller is who they claim to be, even when all policies are properly followed, it is up to the employee to watch for suspicious activity while talking with the caller. First, don’t assume the caller will sound nervous, have an accent or act suspicious. Criminals making these calls are often very experienced and will sound just like every other customer calling in. Instead pay attention to the requests of the caller. One of the most common steps a criminal will take is the request to change their contact information. This will include their home address, phone number and email address. Account takeovers often start with the criminal changing this information to allow them to control all correspondence going forward. While these changes may be valid, it is also potentially suspicious and depending on your organization, other verification steps may be required before you should continue.

If your organization is a financial institution, does the caller ask for their balance, want to transfer funds, add addition people to their account, or receive new credit card services? Again, while all possibly legitimate requests, when coupled with a change of address or other odd behavior, it could be a red flag. Often something as simple as additional verification by asking the customer to name off any recent check written or payment made can help confirm the called is legitimate.

In some cases your organization may contain confidential information about your customers and the criminal calling in is looking to gain access to this information. A customer calling in asking for you to provide them with their social security number, account numbers, drivers license number or other confidential information should definitely raise your suspicions. While the caller may have passed the initial verification screening, additional follow up may be required before proceeding with giving out this information. Check with your company policies as many organizations will not allow you to ever provide some or all of this information over the phone.

Another trick criminals use when calling organizations is to pretend to work for a vendor that the organization does business with. By using this relationship they hope to bypass some of the security policies implemented in the organization. For example, a caller may pretend to work for an IT company that is partnered with the organization. Using this business relationship they may explain they are working on a networking issue and ask for login credentials, network information or even remote access to the employees computer. In many cases they will mention other employee names such as management in the organization that they have been working with to help lend credibility to their call. As you read this you may think that seems ridiculous that anyone would fall victim to that type of attack but when a call like this takes place it is often far less obvious than you would think. That is why it is so important to always keep your guard up and remain suspicious with any incoming call.

Phone fraud is real and criminals are adapting to security policies put into place to detect them. As with most types of social engineering attacks, the goal of these criminals is to get you to act quickly without having time to thoroughly think about the actions requested. Your job is to pay attention to the small things and whenever you have any doubt, stop. Take a little extra time to think through the situation and when in doubt get help.

© Copyright 2017 Stickley on Security

Android Users Are Prime Targets for Banking Malware and Phishing

It was a surprisingly tough year for Android users with regard to malware and phishing attacks. While experts at Kaspersky Labs had expected attacks against those devices to follow the downward trend from 2014 and 2015, it actually increased by a whopping 30.6%.

All cyber gang related phishing and malware attacks were primarily directed toward Android users in 2016, likely because that is the most popular mobile operating system in the world. Banking malware campaigns actually surpassed the one million mark last year, making it the highest number of such attacks since security researchers starting recording those statistics.

The most popular malware strain seen last year targeting the operating system was Zbot (also called Zeus). This accounted for nearly half of the attempts. Zbot is primarily distributed via spam campaigns and drive-by downloads. It is designed to steal confidential information, especially banking login credentials, off the infected device. It can also download other configuration files and updates.

Everyone gets spam these days and email that they are not expecting that might even appear legitimate or from a known sender. However, often inside them are links and attachments that include malware or forms where the thieves ask for credentials to be entered for various accounts. Therefore, if one of these messages happens to get through the security technology, be wary of clicking any links or attachments. Even if you recognize the sender, it’s best to verify that the information in the messages is legitimate before clicking it.

If you don’t expect to receive something, or there is no specific information in the message that gives you the comfy cozy feeling that it’s safe, don’t click it. For example, if it arrives unexpectedly, but has a note from your sister that she thought the link would be helpful after a discussion you had last week about that topic, it is probably safe to click.

Other ways to determine if it’s real are:

-Clicking the sender’s address to see if it’s what you expect it to be, or
-Hovering over links with the mouse pointer or holding down on them if you’re on a touchscreen device to see where they actually go.
-If they don’t make sense, don’t go any further.

While many cybercriminals are now targeting organizations, in this case it was the average consumer that was targeted at a rate of more than four out of five attacks. Presumably that is because these criminals are choosing volume over fewer targets for more money. After all, even small amounts of money add up to big numbers after a while.

Users in Russia, the U.S., Germany, Japan, and Vietnam were the top targets for this in 2016.

Coming in second place to Zbot was the Gozi family of malware at 17%. Gozi was developed to steal online banking credentials. It’s author actually was sentenced to 21 months in prison, which was essentially served while he was awaiting extradition from Lativa to the US. That obviously didn’t stop his legacy from continuing on with the help of other cybercriminals.

© Copyright 2017 Stickley on Security

iPhone Users Tricked With Crafty Ransomware Using Safari Vulnerability

If you haven’t noticed yet, there is a new iPhone update to version 10.3. It was just released to fix a vulnerability that would allow a popup box to be displayed and then put into a continuous loop in the Safari browser. This was found by security company Lookout and reported to Apple for a fix. Since the patch has been released, details have surfaced about how that hole was, and still is being used by attackers as a way to trick victims out of money.

Within Safari, if a phishing attack is successful, a popup appears
on select pages that accused victims of accessing illegal pornography or pirated music. The messaged claimed that all data on the phone was locked and would not be unlocked unless a code for an iTunes gift card in the sum of approximately $125 was sent to a specific mobile phone number. When the “OK” button was clicked, it just kept cycling in a loop and would not go away.

However, the popup appearing to be a form of ransomware was actually fake. The devices don’t get locked, but the attackers are using scareware in the hopes that victims send money before they realize that all they have to do to clear the dialogue box is clear the Safari browser cache.

Many think that Apple devices are safer than other operating systems. However, this ploy shows that nothing is invulnerable to cyber trickery or scams. Regardless of the operating system running on a device, it should always be kept up-to-date with the most recent patches and software versions.

In addition, use caution when browsing the Internet. It’s very easy to mistype a URL and go to the wrong page. Cyber thieves count on this happening and purchase domains that are so similar to popular sites; even one character off, that people often will make typos and land on those rogue pages. This is called typosquatting or domain jacking. If you are manually typing in an address, review it before hitting the “return” key.

In this case, the attackers purchased several domains and used the country code from victims’ devices to determine the popup message that was displayed. They also used icons such as logos from the National Security Agency (NSA) or Interpol to further legitimize the sites. Always be careful about clicking on links or attachments that arrive in email as well. If you don’t know the sender or are not expecting it, verify it’s real before clicking it. Often, scams like these are successful because someone didn’t do that.

© Copyright 2017 Stickley on Security