Tag Archives: Scams

Security News for the Week Ending November 19, 2021

Old Scams Never Die, They Just Get a Fresh Coat of Paint

According to a warning from DHS, scammers have been posing as Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) agents in San Antonio. The scammers call the mark pretending to be HSI and tell them there is a problem with their passport, and that if they just pay the scammer/HSI agent some money, the problem will go away. They threaten that the mark will be arrested if they don’t pay: the victim’s passport, they say, was involved in a crime and police will be dispatched to their house to arrest them. Marks can call the ICE tip line at 866-347-2423 if they are able to “mark the mark”, so to speak. This type of scam is decades old; the only things that change are the targets and the agency the scammers claim to represent, although DHS is a popular one. Credit: Infosecurity

Hackers Use Real FBI Email Account to Send Cyberattack Spam

I don’t think this qualifies as a hack. Instead it is really poor software design. The FBI runs a portal for law enforcement, but until Saturday anyone could sign up for an account. The prankster sent out at least 100,000 emails, and the FBI was flooded with calls. For admins, it was hard to disregard the alert since it came from the real FBI email server and was signed with DMARC. A bit of a black eye for the FBI, and all they said was that they were working on fixing the hole. Their temporary fix was to shut the system down. Probably a good idea. The hacker talked to Brian Krebs and explained what he did and why: to point out crappy security. Credit: Brian Krebs

Election Conspiracy Theory Lives On

For those of us in Colorado, there is a full blown election conspiracy fight still going on. Tina Peters, the election official in Mesa County, the reddest part of the state, is in the middle of a fight for her political life. A Republican, she was booted out of her role as election chief by Jena Griswold, a Democrat and the state’s chief election official. Griswold appointed another Republican to oversee Mesa County’s elections. So far, the courts have sided with the state. Peters did things like turn off the cameras in the secure counting area and make covert copies of the disk drives from the counting machines. Somehow, copies of all of her voting system passwords and a copy of the rogue disk drive image were posted on the Internet for anyone to download. She says that she doesn’t know how that happened. Her legal expenses are being paid for by the MyPillowMan. Check out the story here.

CISA About to Name Members of New Advisory and Investigation Panels

DHS’ CISA officially created the Cybersecurity Advisory Committee this month. It was authorized in the 2021 NDAA. The committee is limited to 35 people and must include one each from 12 key industries including finance, tech, communications and healthcare. The remaining slots will be appointed by CISA’s director. The Cyber Safety Board was created by executive order this year and will operate similarly to the way the NTSB examines transportation accidents. It will include both Govies and private sector people and will convene when needed. Credit: The Record

Phone Scams Gone Wild

It used to be that when the phone rang, it was someone with an African accent telling you that he was from Windows technical support calling you because your computer was infected. You hung up.

Scammers have gotten much smarter. Unfortunately. Here are two recent examples.

This guy got taken for $10,000. Mitch (him, not me, thank goodness) got a call a couple of Fridays ago from someone claiming to be from his bank saying there was fraud detected on his bank card. The caller ID showed the same number as was printed on the back of his card. He logged into his account and did, in fact, see several fraudulent charges going back several weeks (NOTE 1 – see tips below). They were relatively small – under $100 each. But there were also two withdrawals from cash machines in Florida for $800 each (NOTE 2).

He figured that if this was a scam, the caller would have asked him for information, which she did not (NOTE 3). She said they would reverse the charges and send him a new card (NOTE 4). He thanked her and hung up.

This was part of the hook in the scam.

The next day he got another call about suspected fraud on his bank account. He thought this was weird, so he called his bank on another phone and asked if they were talking to him. They said yes. This is known as a man in the middle attack (or woman in the middle; these scams often use women because, after all, women aren’t crooks, right?). The hacker calls the bank pretending to be you, then they call you pretending to be the bank and, magic, they have everything they need to do the fraud.

Mitch said that the bank, in the past, might send him a one time code via not-very-secure text message, so when the attacker asked him for the text message code (the bank had asked the attacker, who was posing as Mitch, for that code), he gave it to her. Again they said they would fix it.

Over the weekend he looked at his account and saw no more activity and figured it was handled. Not so.

On Monday Mitch saw a $9,800 outgoing wire posted to his account (NOTE 5). He was now out over $10,000.

To add some intrigue, the destination of the wire was an online-only bank in Mitch’s name. The bank figured it was a Mitch to Mitch transfer, so they figured it was okay. Banks are required by law to “know your customer” or KYC. For online banks, “know” is a relative term and until the feds start fining those banks millions of dollars, this fraud will continue.

Obviously, at some point his debit card and maybe his PIN (NOTE 6) were compromised, and the rest was an elaborate social engineering scheme.

The bank did give him back his money (under federal law CONSUMERS, but **NOT** BUSINESSES, are given the benefit of the doubt and will usually, but not always, and sometimes only after a fair bit of screaming, get their money back). Businesses are assumed to know what they are doing and don’t get a free pass.

So what about all those notes? Okay, here goes.

NOTE 1 – All decent banks can send you a text message (better than an email because you are more likely to look at it quickly) every time your card or bank account is used. If your bank can’t do this simple anti-fraud measure, find a new bank. BTW, this includes credit cards too. Usually there are a lot of options in terms of what/when/how much, but in my opinion, opt for being over notified. That way, on the first fraudulent transaction that cleared, Mitch would have said “hey wait, I didn’t use my card” and he would have called the bank, they would have killed the card and maybe this would not have happened. If, after Mitch did all of this, a second fraudulent transaction happened, Mitch would have known that not only was his card compromised, but so was his account.

NOTE 2 – $800 withdrawal from a cash machine. Banks will let you specify how much cash you want to be allowed to withdraw per day from the ATM. I do not EVER withdraw $800 in one day from an ATM. That limit is too high. Set your limit at $50 above the max you want to risk losing. You can always go into the branch and withdraw more in some weird circumstance. Also, your spouse’s card has a separate and likely equal (could be different) limit, so if you set the limit low, you can get your spouse to get more cash. Again, if you had followed NOTE 1 above, you would have known about the $800 cash withdrawal as soon as it happened.

Side note. I got a text alert a while back and immediately called my wife. Wasn’t her. I called the bank, in this case it was Wells, and they did a great job. WHILE I WAS ON THE PHONE WITH FRAUD and he was working diligently to kill the card, he saw three more transactions attempting to be authorized. He was able to “decline” those charges, kill the card and issue a new one via overnight mail. Problem solved.

Your choice is convenience in not having to deal with those text messages or a pain in the ^%$# trying to get your money back. YOUR CHOICE.

NOTE 3 – Banks also often choose convenience over security. Since the hacker spoofed Mitch’s caller ID, the bank’s security mechanism got scammed. They would rather eat a few billion dollars in losses, which you pay for in fees, than annoy you. They figured the call was coming from Mitch, so why bother using the security protocol. I’m not fond of that strategy.

NOTE 4 – The bank said they would send him a new card. Since there was fraud on the card – as well as fraud on the phone – they should have said they were going to kill the card. Apparently they didn’t say that. That should have been a flag to Mitch. When there was a supposed additional fraudulent charge the next day, that really should have been a red flag to Mitch again. If they say the card was disabled, you can easily test it by trying to make an online transaction. If the bank really disabled the card, the transaction should be declined; if it was a hacker saying the card is disabled, the transaction will go through. Big red flag. If it is not declined, call your bank yourself.

NOTE 5 – That $9,800 outgoing wire. You should be able to tell your bank that you do not want to allow outgoing wires ONLINE, or that you want to set the limit to $500 or whatever. Sometimes you will have to make a stink, but banks can do almost anything. Also, that wire should have generated an alert (see NOTE 1).

NOTE 6 – Some people insist on using their PIN when they buy gas or go to the grocery store. I am not sure why. Maybe they like dealing with the nice people in the fraud department. The only place you should ever use your PIN is at the ATM. Period. End of conversation. There is NO reason to use your PIN anywhere else. If you don’t use your PIN, then your PIN can’t be compromised and your bank account emptied out.

In this case, Mitch got his money back. That doesn’t always happen and it doesn’t always happen quickly. The quicker you notify your bank about fraud, the more likely it is that you will get your money back. In the case of businesses, this is super critical because with wire fraud, money usually only stays in the first bank account for a few minutes. Literally.

Credit: Brian Krebs
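As an added example (not code from the original post), here is a small Python model of the account controls NOTES 1, 2 and 5 recommend, run over a constructed transaction timeline that mirrors Mitch’s story. The limit values, dates and the `Txn`/`review` names are assumptions made for the illustration, not real bank settings or records.

```python
"""Account controls from the post, applied to a constructed timeline.

Added example, not part of the original post. The transactions below are
made up to mirror the story (small card charges, two $800 ATM withdrawals
in Florida, a $9,800 online wire); dates and amounts are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Txn:
    day: date
    kind: str        # "card", "atm" or "wire_online"
    amount: float
    where: str


# Limits set the way the post recommends (assumed values):
# ATM cap = the most you are willing to lose + $50 (NOTE 2),
# online wires capped low or disabled outright (NOTE 5).
ATM_DAILY_LIMIT = 250.0
ONLINE_WIRE_LIMIT = 500.0


def review(txns):
    """Return (alerts, blocked). Every transaction raises an alert (NOTE 1,
    opt for over-notification); ATM withdrawals past the daily cap and
    online wires above the limit are blocked."""
    alerts, blocked = [], []
    atm_spent = defaultdict(float)           # running ATM total per day
    for t in sorted(txns, key=lambda t: t.day):
        alerts.append(f"{t.day} {t.kind} ${t.amount:,.2f} at {t.where}")
        if t.kind == "atm":
            if atm_spent[t.day] + t.amount > ATM_DAILY_LIMIT:
                blocked.append(t)
                continue
            atm_spent[t.day] += t.amount
        elif t.kind == "wire_online" and t.amount > ONLINE_WIRE_LIMIT:
            blocked.append(t)
    return alerts, blocked


def money_out(txns, blocked):
    """Total that actually leaves the account once blocked items are removed."""
    return sum(t.amount for t in txns if t not in blocked)


# Constructed sample timeline; not real transaction data.
SAMPLE = [
    Txn(date(2021, 10, 20), "card", 45.00, "online merchant"),
    Txn(date(2021, 10, 27), "card", 82.50, "gas station"),
    Txn(date(2021, 11, 3), "atm", 800.00, "ATM, Florida"),
    Txn(date(2021, 11, 3), "atm", 800.00, "ATM, Florida"),
    Txn(date(2021, 11, 15), "wire_online", 9800.00, "online-only bank"),
]

if __name__ == "__main__":
    alerts, blocked = review(SAMPLE)
    print("\n".join(alerts))
    print("blocked:", len(blocked), "exposure:", money_out(SAMPLE, blocked))
```

With the limits in place the two ATM withdrawals and the wire never clear, and the five alerts would have flagged the very first card charge weeks before the phone calls started.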

I said at the beginning that I had two examples, but this post is already too long. Here is the link to the other example.

All I can say is be proactive or deal with the results.

If you have questions, please reach out to me. I am happy to help you protect yourself. AND, share this post with your family.

Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one. Office Depot got caught scamming its customers by telling them they had (fake) malware on their computers when they asked OD and its vendor Support.com to scan their computers.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive,  historically, it has not always worked to your advantage.

Office Depot will pay $25 Mil in fines; Support.com another $10 Mil.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us”. Plan on protecting yourself. Source: Seattle Pi.

Earl Restaurants Admits Breach – Likely 2 Million Cards Hacked

Earl Enterprises, parent of Buca di Beppo, Earl of Sandwich, Planet Hollywood and other brands, finally admitted that their point of sale system was hacked. The breach ran for almost a year before someone told them. No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies that have large breaches, like Equifax, are held accountable.

For companies that earn more than a billion dollars in revenue the consequences of a breach could be a year in jail.  Repeat offenders could get three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article in CNN discussing this very issue.

A family with 5 kids is travelling around the world, and when they arrived in Ireland, the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay. It didn’t say if scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but AirBnB would not refund their money.

In fact, initially, AirBnB claimed to investigate the owner and after the investigation, said there was no problem and reinstated the listing.

Only after they posted the item on social media and the local New Zealand news stations picked up the item did AirBnB understand the potential brand damage and refund their money.


Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on. Privacy. That’s iPhone”.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data. I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched. One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn, and my email address and information were located by a low level person at the CIA. See the first screen shot below.

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!). This nice person is warning me that arrests will commence on April 8th and that if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale. This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic. This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.


Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost. If you allow people to use their phones, they can FaceTime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant. For now at least. Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples. The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement them. That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us. Source: Dark Reading.