It’s a Cookie Theft! Yahoo Announced Sophisticated Way Hackers Stole Data in 2013 Breach

Yahoo is notifying some users that their cookies were stolen. No, not by Cookie Monster, but by whomever perpetrated the breach that was announced in December 2016, occurred in 2013, and affected 1 billion Yahoo users.

The notice that is going out contains links opening this news event into a perfect phishing opportunity. Your safest bet is to never click on an unexpected or unknown link. If you want to go to a website, use a bookmark in your browser, manually enter it, or search it. Links can be spoofed and so can email address.

Cookies are little bits of corresponding text between a user’s device and a website. They are used to authenticate users and can track a user’s movement around the site or prevent the user from re-entering information over and over on frequently visited sites. This information could be login IDs, zip codes, or even theme settings. Most cookies are temporary and deleted once the session ends (session cookies), but others, such as those you give the site permission to save, such as perhaps your login ID and password, can stick around for a long time (persistent cookies) and these are the ones that Yahoo says were forged in order to get access to these accounts. The hacker(s) didn’t even need to know passwords in this case. They just copied them from the cookies.

You can delete or clear your cookies anytime you wish. Depending on your browser, the process should be very simple. Just search for the instructions and clear them out. Just keep in mind that many of your cookies were set up by you to make life simpler, so know that if you do this, you may have to re-enter data on a few of your favorite sites. Once they are cleared, you can check your cookie settings to be sure you are prompted anytime a website is requesting to use a cookie.

If you are a Yahoo user who has still not changed his or her password since these latest breaches were announced, take a moment to do that now. It’s a good idea to change passwords on a regular basis and considering how often sites are invaded these days, quarterly is becoming a better and better idea. When doing so, make sure that upper and lower case letters are used, a special character is included, as well as at least one number. Make sure all passwords are at least eight characters long whenever possible.

It’s also not a great idea to save your passwords for online accounts. It may not be desirable to keep re-entering them, but it’s much safer. In fact, if ever offered multi-factor authentication (MFA) for accounts such as email and online banking, take advantage of it. Then even if a hacker does get your cookies, he or she still can’t get into your account because your MFA code will still be needed.

Yahoo says it is nearing the end of its investigation of the 2013 breach and notifying those that were affected by the forged cookies. It’s uncertain what advice they will provide in those notifications, but likely changing passwords will be part of it.

If you think that a data breach doesn’t affect a business’ value, think again. Because of the combined breaches announced last year affecting 1.5 billion users, it might have saved Verizon a lot of money in its bid to buy Yahoo. It has been reported that the offer has decreased by $250 to $300 million.

© Copyright 2017 Stickley on Security

Amazingly Realistic PayPal Scam Seeks Your Sensitive Details

There is yet another phishing scam targeting PayPal users. This one is an example of how the fraudsters and scammers are getting pretty good at tricking their victims. It even uses the actual PayPal logo (or an incredibly well-done facsimile of it), the PayPal color schemes, and claims there is an issue with the user’s account that needs to be corrected. Until it is, there will be limited access and functionality to the account.

The email received is not bad, but still does have the tell-tell signs of phishing, if you are paying close attention. There are few language mistakes (for example, one heading is “What the Problem’s”) and there is a generic greeting of “Dear Customer.” It also has a sender address that is nothing similar to PayPal’s domain (in the example seen, it was “notice-access-273.com”).

However, if the reader is tricked into thinking there is a problem, the button included in the email that supposedly goes to the PayPal login screen, actually goes to a fake site. Now, the phoniness of that site is very difficult to detect. It has the PayPal logo nicely done. At the bottom are the logos for a 100% secure site by Symantec, but the wording is not quite right: “Secured & Certificate by Symantec.” If you are looking for the green lock next to the URL to ensure you have landed on a secure site, you will see it. Per ESET, the thieves are transmitting the form over an HTTPS link.

Along the side of the screen are some FAQs about having limited access. A subsequent screen after clicking the “continue” button has a list of items to fill in. These include address, social security number, and mother’s maiden name.

Always be on the lookout for phishing. With the plethora of data breaches occurring these days and the sophistication of the fraudsters on the rise, it’s ever more important to pay close attention when an email is received that says something is wrong with an account that stores such sensitive information. Never click links or attachments included in those. Go directly to your account and login from a previously saved link or by manually typing the URL into the address bar. If you receive a suspicious email or find a fake PayPay-related site, you can report it to PayPal as well. There is more information in its Help Center.

PayPal is a particularly attractive target for such scams because it’s tied to payment card and bank account numbers. If they get your login credentials, it’s not much more effort for them to steal from you. Always take the time to read messages carefully and if there is any suspicion at all, don’t click.

© Copyright 2017 Stickley on Security

Lost iPhone Provides ID Thieves Great Opportunity to Go Phishing

There is an account of someone online who was relieved of his iPhone while vacationing in Italy. It was stolen out of the rental car when he was away for a couple of hours. While these things happen all the time, what happened to him later is quite interesting. His story provides a couple of lessons. The first one is a good reminder. Don’t leave your smartphone unattended in your car. That just invites theft; even if you live in a small town in the middle of the U.S. where you know most of the people in town.

Once this person discovered his phone was missing, he went into Find My iPhone and entered his phone number and a note to call him in case it was found. Essentially what ended up on the lock screen was “This iPhone has been lost. Please call me” with a phone number and button to press to call. After that, he simply went on with his vacation confident that his data was secure and that no one could activate the phone.

Eleven days later, he received a text and email that his phone had been found. What was in the email was a very professionally done message with a link that he was to click in order to see the last location of his iPhone. Sounds great, until he clicked the button. He started to enter his Apple ID credentials and before he got too far, he had second thoughts. That was because he suddenly realized it was a phishing scam.

He noticed the address at the top of the screen and it didn’t look like Apple would use it. It was “show-iphone-location.com.” It also had no indicator that the site was using a secure certificate, as the Apple site would. He also looked up the owner of the site and it was registered to someone in the Bahamas. There were other warning signs as well, but you get the picture.

If you use the “Find My iPhone” feature on your device, use caution about what you put into the text box should you need to use that app. Never enter your email address, because that allows someone to potentially phish for sensitive details. In addition, be a bit on edge about any telephone calls you may receive from Apple claiming someone found your iPhone. It is highly unlikely that Apple would call you. They might send email to the address you have on file in your account and they might even text you, but it’s doubtful they’d place a phone call. That said, should you receive one tell the caller thank you and hang up. Contact Apple separately using a number on their official support site. Never give anyone who calls you unexpectedly or unsolicited, sensitive information or login credentials.

In this story, the victim assumed that the thieves got his name from the “Medical ID” information stored on his phone, before he had a chance to lock the device. There is a place where you can put in certain information such as your name, blood type, allergies, and emergency contact information that is available even when the iPhone is locked. If the thieves indeed used that, they could have found his name there and searched online. Since his name is very unique, they could have figured out his email address using online searches and social engineering.

However, if the phone has been locked in the Find My iPhone app, it only shows on the lock screen what is written in the boxes when you filled it in iCloud. So if you don’t add your name, email address, social media handles, or any other identifying information, thieves won’t know how to find you in other ways.

Also, when filling in the medical ID section, consider putting in limited information. Since it could very well save your life, some information such as allergies to medications might be very useful. However, using your first name and the first names of your emergency contacts might be preferred over including last names too.

If you are one of those people who don’t lock their phone, it is highly recommended that you do. Had this one not been, whoever took it could have run off with a wealth of information. After all, think about all the details we keep in them these days: Our name, contact numbers, email addresses, banking and financial apps, access to home security systems, health data, social media apps with automatic login selected, etc. Which brings us back to the first tip and just don’t leave valuables in your vehicles.

© Copyright 2017 Stickley on Security

Tax Season Brings Out the Tax-Related ID Theft Scams; Ways to Avoid Falling for Them

Here’s a gentle reminder that it is indeed tax season. While the actual day you have to submit your return is not until April, you should start gathering those tax documents now and file your return as soon as possible. This applies whether you are getting a refund or have to pay up. Once you file, a criminal cannot use your identity to file a claim, the IRS will immediately reject it as a duplicate filing. So if the scammer files a fake claim with your information first, it is a nightmare to get resolved.

Criminals wanting to deposit your tax return in their accounts or steal your identity are upping their game starting now. Those age-old IRS tax scams and likely some new ones will resurface, perhaps with a vengeance, for the next few months. And one of the best tips to avoid becoming a victim of tax-related identity theft is to file early.

The IRS defines tax-related identity theft as occurring “when someone uses your Social Security number to file a tax return claiming a fraudulent refund.” Scammers have many tricks to try and get that ever-so-personal number out of taxpayers. There are three main ways they do this; filing fraudulent returns, phone scams (vishing), and the ever so popular email or text message phishing. Here are a few examples that may show up this tax season:

1. Phony IRS agents call you up and inform you that you owe taxes. They come up with some official sounding “tax” you owe or they say you are owed a big refund. All you have to do is confirm your social security number (SSN).

2. You receive an email with a link that directs you to an official looking website asking you to update your IRS information. Of course, included in that information is your social security number.

3. You receive an email with a link directing you to a website that asks you to verify your e-file information for the IRS. This information includes your SSN, your credit or debit card number (for paying any tax due), address, etc.

4. Someone “official” shows up at your door unexpectedly and presents you with a badge that looks like it could be an IRS agent. You are told you owe taxes and her or she is there to collect payment or to take you to jail if you don’t pay.

Of course all of these are fake. The IRS has protocols in place for communicating with taxpayers and one thing you can be sure of is that no one from the agency will initiate communication with you using email, the telephone, social media, or by showing up at your door. They will first send a letter by US Postal Service.

The IRS also will never:

-Demand payment immediately without giving you the opportunity to appeal or discuss it.

-Require a payment method of wire transfer, pre-paid debit card, or gift cards.

-Ask for payment card information over the phone.

-Threaten to have you arrested for failure to pay any tax or fee.
According to the IRS, last tax season there was a 400% increase in phishing and malware incidents. The agency detected 35,000 fraudulent returns and prevented nearly $194 million from being issued fraudulently, as well. So once again, file early, because the IRS only accepts one filing per SSN. Beat the crooks to it.

If you have been a victim of tax-related identity theft, contact the IRS directly and complete IRS Form 14039 Identity Theft Affidavit. In addition, contact the Treasury Inspector General for Tax Administration and file a complaint with the Federal Trade Commission (FTC). More information can be found on the IRS and FTC websites.

© Copyright 2017 Stickley on Security

Autofill Feature Used to Relieve You of Unintended Details

You know the autofill feature that is in browsers these days? It is supposed to relieve you of having to constantly fill in details over and over such as your email address, phone number, and even credit card details when your filling in forms on web pages. Well, a Finn named Viljami Kuosmanen discovered how that time-saving trick can also relieve you of more information than you intend sending it off to the bad guys.

The feature can be activated in Chrome, Safari, and Opera and the vulnerability was proven to be found in all of those. What happens is when the data is requested on a form, it can also enter data into other text boxes, even if they don’t appear on the screen. So, say you’re adding your email address to a page to sign up for an online newsletter. If there is a box lurking in the background, it can also grab other details that are saved in the autofill settings of the browser like your address. Some plugins, such as LastPass can also be used this way with their profile-based autofill functions.

The best way to avoid this is to disable the autofill feature, no matter how tedious filling that information in the boxes gets. However, should you choose to use it, don’t add any payment card, bank account, or other sensitive data into your settings. For example, when Chrome asks if you want to save the payment card details in the browser, just click “no.” You can edit and delete the information stored in the autofill settings in your browser settings menus.

In addition, always make sure the anti-phishing features are active in your browsers and that you have anti-malware and anti-virus installed and kept up-to-date on your computers and devices.

There are a couple of bits of positive news with this. Firefox is not vulnerable because it doesn’t yet have the autofill functionality; although it is in the works. The trick also still relies on tricking users into entering the data in the fake form. So, as long as you know what to look for and are always on the lookout for phishing, you can avoid giving up your data when it wasn’t your intention.

© Copyright 2017 Stickley on Security

New Versions of Android-Targeting Banking Malware Likely All Contain Ransomware

Some experts believe that the current online banking Trojans that target Android devices are equipped with ransomware-like capabilities. In fact, researchers are finding that many of them have a primary purpose of acquiring banking credentials and only activate the ransomware features when initial methods such as phishing fail.

Examples of recent Trojans that do this are Tordow, FantaSDK and Svpeng. These last two possessed the ability to lock the user’s screen and poke around in the background for the credentials, hoping the user would be too busy trying to unlock the screen to notice they were being robbed simultaneously.

However, the developers of these Trojans are adding the ability for them to encrypt the data as well and use them as true ransomware, according to analysts at Kaspersky.

Some good news, if there is any to be found is that holding the device or data for ransom is used as a last-ditch effort to snatch your cash if the criminal is not able to drain your account by stealing your login credentials. One way or another, the cyber thieves will try to get your money.

There are many ways you can avoid having to pay ransom to get your devices unlocked.

First, always be aware of phishing attacks and don’t fall for them. Unexpected links and attachments, regardless of how they arrive or from whom, should always be met with suspicion. If you cannot be 100% sure it’s safe, don’t click it.

Create regular backups of your devices so that should you get hit with ransomware, you can quickly restore from a recent copy. This will keep your money in your pocket and not in that of a cyber thief. Make sure those backups are stored in a separate location from the devices you are backing up, preferably on a separate drive, network, or in the cloud. In fact, the appeal of holding mobile devices for ransom is diminished because many backup their data to the cloud, rendering any extortion attempt a futile activity.

Keep anti-malware and anti-virus software and apps installed and updated on all your devices. These act as a second line of defense after your own knowledge of how to avoid becoming a victim of phishing.

There is more good news. The developers still have work to do in order to get mobile ransomware to be as sophisticated as it is for desktops. However, it is coming. In addition, according to analyst Roman Unuchek of Kaspersky, a recent version of the Faketoken Trojan already has such ransomware features, but fortunately rarely deploys them. Faketoken targets more than 2000 financial institution apps all around the world.

The first Trojan to have this ransomware-like technology was the previously mentioned Svpeng. This has been around a while, but was recently found lurking in online advertising. The attackers did this by exploiting a zero-day flaw in the Chrome browser. More recent examples of dangerous Android-targeting Trojans include Android.SmsSpy and FantaSDK.

© Copyright 2017 Stickley on Security