W-2 Fraud Email Scams Still Raking in the Cash


Earlier in 2016 there was an outbreak of business email compromise (BEC) attacks that targeted W-2 information. These attacks aren’t particularly difficult to pull off and can be quite lucrative for cyber criminals. After all, the information on a W-2 document is very valuable. In fact, as part of what the Darknet world calls a “fullz,” that information can be worth $25-30 per record. A “fullz” is a collection of information such as name, social security number, date of birth, account numbers, etc. So, if someone gets hold of 3,000 W-2s, as happened to the management company Goldkey/PHR in February, it can fetch quite a payoff. That’s why having processes in place to keep this from happening at your organization is crucial.

BEC in its basic form is when an attacker impersonates an authority within an organization and convinces someone else in that organization to perform some action, such as a wire transfer or providing W-2 information. It is simple, but also incredibly effective. In the first half of the year, more than 70 organizations reported being victims of the W-2 BEC scams, including the Girl Scouts of Gulf Coast Florida, Snapchat, and Seagate. Losses are estimated at $3 million over the past three years. What is perhaps even more disturbing than the costs is that this is happening at all.

Employees should not have access to all of the sensitive data in a W-2 or payroll records without some sort of oversight before it can be shared…with anyone. It’s important to put controls in place so that if anyone asks for such information, the request is discussed and approved by multiple people. One of the questions that should be asked is “why does this person need this information?” Then the request should be verified with the requestor by voice or some other channel that does not involve replying to the email. While email and text are becoming more acceptable ways of communicating everything in any environment, voice verification goes a long way toward keeping scams like these from succeeding.

You might feel a bit insecure about asking someone who claims to be the CEO why he or she needs W-2 details, but if the request is legitimate, that executive will appreciate the fact that you checked before handing the data to cyber criminals. Many victims of the W-2 fraud have reported subsequently being victims of tax fraud, which appears to be the goal in these cases. The FBI has reported that the number of identified victims and exposed losses has increased 270% in the past year due to this type of BEC fraud.

© Copyright 2016 Stickley on Security

Fakebank Malware Evolved to Block Your Phone Calls


Yet again, a security company has found a version of malware that has evolved to be more damaging. Symantec found a new variant of the Android malware called Fakebank that can block users from placing a phone call to their financial institutions to report fraud and cancel cards.

This version of Fakebank scans the device for certain banking apps and if it finds one, it will prompt the user to delete that app and install the bad one. Be wary if an app asks you to delete it when you are not expecting it to ask such a thing of you.

The best piece of advice for this one is to avoid downloading apps from sources other than the official app stores for your device. Sideloading, as it’s called, adds risk for anyone willing to take that chance. This is because those apps typically don’t go through as much security scrutiny before they are distributed to users as they do when they are placed into Google Play or the Apple App Store, for example.

If fraud or suspicious card activity is noticed on any of your payment cards, contact your financial organization right away to take care of it. If your phone ceases to work, as may happen with this malware, use email or preferably another phone to contact them.

In addition to preventing calls, this new version will also collect banking login data and monitor phone calls. So far, this one has only been seen in South Korea and Russia. However, as with any malware, it’s only a matter of time before it hits the U.S.


Study of the Worst Passwords Reveals People Are Not Paying Attention


Every year someone does a study to find out the worst passwords on the web for a given year. For the first few months of this year, Salted Hash looked at over a quarter of a million passwords and let out a big sigh. No matter how much discussion surrounds how important it is to have strong passwords, how to create them, why it’s important to change them regularly, and why each online account should have a different one, it doesn’t seem to get through. In fact, the number one password in 2013 was exactly the same as the number one password they found this year, and it’s terrible.

Salted Hash collected phishing logs that the company found on the Dark Web. The sample they examined included login details for accounts at companies such as Apple, Microsoft, Google, and PayPal, as well as social media and banking accounts. They hoped to see improvements, but alas, they were sorely disappointed.

People go to great lengths to make sure their homes are protected: deadbolt locks, security systems, big and noisy dogs, for example. But when it comes to protecting online accounts, they seem to think it’s not as important. Yet if someone with bad intentions gets your online banking or PayPal credentials, the damage could be very significant. It is an intrusion into your financial home.

Take some time to create strong passwords and phrases and to change them regularly. Do this at least quarterly, if not more often. Reusing the same credentials for several years means that if stolen data shows up on the Dark Web two, three or more years after it was stolen, as it did with LinkedIn, someone could still get into your account.

And before you just toss aside the significance of someone getting into your LinkedIn account, think about some of the information that is included in your profile:
  • Your name
  • Your title or function
  • Your city
  • Your employer
  • Your previous employers
  • Referrals that may have useful details
  • Your hobbies
  • Your email address(es)
  • Your connections and often their relationship to you

While this information is public, it also makes messages from your account look trustworthy. And if a cyber criminal wanted to go spear-phishing, he or she would have a lot of information with which to start targeting your connections right there inside LinkedIn, from your account.

Of course we don’t need to tell you what can happen if someone gets your four-year-old login credentials to your bank account. So take some time to change it. Use at least eight characters, upper and lower case letters, numbers, and special characters.

The top five passwords in Salted Hash’s list were very uncreative. They included “123456789” and three variations of it, all with the digits still in sequential order. The only departure from this pattern was in the number 4 spot: “filosofia.” So, don’t delay. Change your passwords if you haven’t done it within the past three months. Go ahead. Do it right now. We’ll wait.


Over 900 Million Android Devices Vulnerable to Quadrooter


Android smart devices are making news again. This time, those shipped with a Qualcomm chip have four vulnerabilities to be concerned about. More than 900 million smartphones and tablets are affected by what is being called Quadrooter. Three of these flaws were addressed and fixed in the latest set of security updates from Google; the fourth won’t be fixed until September. And the fixes Google has released haven’t necessarily made it into the releases from individual carriers, because carriers control when updates are released to their users. While most of the time that is shortly after the fixes are provided to them, carriers sometimes delay releasing them to try to lure people into buying new devices. If you haven’t received a notice that an update is available for one of the affected Android devices, call your carrier and inquire.

If you haven’t updated your Android devices lately, take some time to check whether any updates are available and get at least the three available patches applied. The flaws could allow an attacker to gain full control of a vulnerable device, which means he or she would have access to the microphone, the camera, and everything on it.

Fortunately, an attacker would have to put in some effort to trick a user into installing a malicious app for the attack to succeed. Most Android smartphones, at least, don’t allow sideloading of apps (installing them from a location other than the Google Play store), but some malicious apps have still made it past the store’s additional checks and been allowed in. It’s still safer to get apps from the official app store on all devices rather than from other locations.

Some of the devices affected include:

  • Google’s Nexus 5X, Nexus 6, and Nexus 6P
  • HTC’s One M9 and M10
  • Samsung’s Galaxy S7, S7 Edge
  • BlackBerry DTEK50, Priv
  • Blackphone 1 and 2
  • LG G4, G5, V10
  • Motorola New Moto X
  • OnePlus One, 2, and 3
  • Sony Xperia Z Ultra

Remember that when you are looking for apps to install, make sure they are from reputable developers. Check the reviews and make sure there are more than just a few and that they are not all glowing. Sometimes this means they are fake and the app could be malicious. Also check elsewhere online for reviews and information. Sometimes the reviews in the app stores cover the app itself and not the company behind it. If there is a complaint about how a company does business, whether via an app, online, or brick and mortar, there will be information about it elsewhere, and that may include details of whether the app installs malware.


Facebook Notifications Alert You Right Into a Great Scam and Malware


A friend commented on your Facebook post and you see a notification in the corner of your app or an email arrives getting you all excited to know what that friend said. So you click the included link in the notification or email and Bam! You download malware to your device.

This is one of the scams making its way around Facebook right now. In this scam, merely clicking the link in the notification that you were tagged or a comment was made will not execute the malware. However, if you click on the file that was downloaded, it will. This one primarily preys on users of the Chrome browser using a JavaScript encoded file, but other browsers are likely not immune. A second Facebook scam uses clickbait to lure unsuspecting victims and is getting around Facebook’s filters for malicious links.

Clickbait is a photo or headline of a provocative or sensational nature posted with the intent of attracting clicks, views, or site visits. The objective of the hackers in this second scam is to steal login credentials, which will ultimately allow them to do more phishing. The clickbait is pornographic in nature and theoretically should be caught by the phishing filters. However, it has not yet been, and the links are being posted to various Facebook groups.

When the play button on the video is clicked, the user does not see the promised nude girl, but is redirected to a site where he or she is asked to enter Facebook login credentials and a phone number.

Then the user is redirected to an online survey that collects additional information. In some cases, users are redirected again to another site that downloads a fake version of Flash Player that includes either malware or adware, or possibly both. In any case, it’s not a good thing.

One good thing is that users of Chrome seem to be somewhat protected against the second scam because Chrome blocks one of the sites hosting it. However, the scammers are onto that and are already using other ones that have not yet been identified.

It’s always best to avoid clicking links in email messages or in other types of notifications, especially if they are not expected. Instead, go directly into the app or to the site using a previously bookmarked link or by typing the URL into the address bar, being careful not to mistype it (this could lead to other infections by typosquatters or do-jackers). Use caution when clicking on videos or links in Facebook or any social media. Even if they appear to have been posted by your friends, they may actually come from a hacker who has compromised your friend’s account in some way. If you are suspicious in any way, it’s best not to click it.

If you click a link and it asks you if you want to run a program or execute something else, click the negative option unless you know it’s legitimate. And always keep your computers and mobile devices updated with the latest versions of software. Make one of those pieces of software a good anti-malware product.

The Google Chrome browser has been used in several cases to compromise users’ systems. Not long ago a fake Chrome for Android update was used to steal personal data and last year, the CTB Locker ransomware was circulating masquerading as a Chrome update.


Real PayPal Emails Used to Take Funds and Give Malware


PayPal is again being used by crafty cyber criminals to trick unsuspecting customers out of their money and to install malware. In this case, an email arrives in the victim’s inbox stating that $100 has mistakenly been sent via the PayPal service and transferred to his bank account. Of course, a link is included, and if it’s clicked, a variant of the Zeus malware is set loose. It’s being called the Chthonic Banking Trojan.

The sneaky part of this is the use of a legitimate PayPal account and a message sent directly by PayPal. The message, “You’ve got a money request,” is not likely to be detected as spam because it is a genuine PayPal email. Anyone can create a PayPal account for free, and that is what the scammers are doing in this case.


In addition to asking for money, the link redirects to a site that installs the Chthonic Trojan and another module called AZORult. However, it is not yet known what that second one does.

Whenever a message like this is received, especially if it’s asking for money, take a bit of extra time to really examine it. The few extra minutes you take to look closely are not likely to cause any harm, even if it is a real email. Regardless of whether or not the link is legitimate, go to your account separately and view any messages there rather than clicking links. Use the URL you know is the correct one, or a previously bookmarked link.

Jim Stickley of Stickley on Security found that PayPal appears to have applied a partial fix for this. Stickley said, “In testing, we have found that PayPal does modify any URL included in a message for a PayPal money request. This is done by removing certain characters from the URL to prevent it from functioning properly.” However, he found that a message included in a PayPal invoice request still allows the potentially malicious URL. The link in the email message is indeed clickable. However, he stated that “inside the PayPal account, links are not clickable but can be copied and pasted.”
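As an added illustration (not PayPal’s own filter, whose exact rules the article does not give), here is one way a platform could neutralize links in user-written request notes so that the same protection covers money requests and invoices alike; the defanging notation, the function names and the sample note are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# URL-like tokens in free text: scheme-prefixed, or a bare "www." host.
# The trailing character class keeps sentence punctuation out of the match.
# (Constructed for this example; a real filter would also handle bare
# domains and obfuscated schemes.)
_URL_RE = re.compile(
    r"""
    \b https?:// [^\s<>"']* [^\s<>"'.,;:!?)]   # http:// or https:// URL
  | \b www\.    [^\s<>"']* [^\s<>"'.,;:!?)]   # scheme-less www. host
    """,
    re.IGNORECASE | re.VERBOSE,
)

def defang(url: str) -> str:
    """Break a URL so mail clients will not auto-link it, yet keep it readable."""
    # Scheme 'http' -> 'hxxp', every dot -> '[.]': the usual analyst defanging
    # notation, assumed here; the article says only that PayPal strips
    # "certain characters" from money-request URLs.
    url = re.sub(r"(?i)^http", "hxxp", url)
    return url.replace(".", "[.]")

def neutralize_urls(message: str) -> Tuple[str, List[str]]:
    """Return (sanitized message, URLs found), so the platform can log or
    flag requests that carried links as well as rewriting the text."""
    found: List[str] = []

    def _replace(match: re.Match) -> str:
        found.append(match.group(0))
        return defang(match.group(0))

    return _URL_RE.sub(_replace, message), found

def sanitize_request(kind: str, note: str) -> dict:
    """Apply the same filter to every request type that carries a free-text
    note, so an invoice note is filtered no less than a money-request note."""
    clean, urls = neutralize_urls(note)
    return {"kind": kind, "note": clean, "urls_found": urls,
            "needs_review": bool(urls)}

# Constructed sample of the lure described in the article; example.com and
# example.net are reserved documentation domains, no real site is implied.
SAMPLE_NOTE = ("$100 was sent to your account by mistake. Please confirm the "
               "refund at http://example.com/refund-confirm. Or see www.example.net!")

if __name__ == "__main__":
    for kind in ("money_request", "invoice"):
        print(sanitize_request(kind, SAMPLE_NOTE))
```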

Therefore, any email sent from PayPal, whether it is a money request or an invoice, should be thoroughly scrutinized before any action is taken. The best response is to log into the PayPal account to view the request and respond accordingly. You can click to cancel the invoice and send a note stating that you would like more information. You can also contact the sender using information you find somewhere other than the message or invoice sent to you. Cyber criminals often put their own contact details in their messages, so look for contact details for the company or person elsewhere. Never hit the reply button in email messages to contact the sender in these cases.
