Tuesday, November 20, 2018

Thanksgiving Day phishing emails with .doc attachments

There's a phishing scheme in the wild that invites the email recipient to open an attached Word document (.doc) file.

The subject line resembles one of these:
  • Thanksgiving Day congratulation
  • Thanksgiving Day Greeting Card

If you've been following this blog, it goes without saying that you should never (ever!) open unexpected attachments—even if the sender appears to be someone you know.

Always be skeptical of any message that contains hyperlinks or attachments, and be wary of unexpected messages or those that contain out-of-the-ordinary language.

It's the holidays. Be extra alert and remember this motto:

Stop. Think. Don't click!

Thursday, November 8, 2018

Online holiday shopping: How to stay safe out there

A few nights ago I logged in to Amazon to order a couple of household items. A banner quickly caught my eye, enticing me to view the "early Black Friday deals." I did. And I spent $150. It was three weeks before Thanksgiving.

The holiday shopping season comes earlier every year. This season, we'll spend over $700 billion. With the rise in spending comes an increase in online scams. In 2017, holiday scams were up 20% over the previous year. Expect even more this year.

Cyber thieves are forever devising more clever schemes to get us to click. And they can be very convincing. You don't need to be a victim.

Instead, outsmart them by changing one online behavior: stop clicking links in emails and text messages, and navigate to the site you want by typing its URL into the address bar of your browser.

Until you learn to be skeptical of every single attachment and hyperlink that you receive in a digital message, you are more likely to fall prey to a phishing scam or fake web site.

If you absolutely must click a link, first hover over the text to view the real destination behind the link. Make doubly sure it points to a domain that is both legitimate and trustworthy. Blindly clicking on a link is like walking unarmed down an unlit urban alley alone late at night. You do not know what is lurking.

Next time you log in to do some shopping, repeat this mantra:

Stop. Think! Don't click.

Friday, October 26, 2018

Top 10 ways of keeping kids safe online

Sophos is a security company in the UK that offers up some great security awareness content. Below is a list of ten short and simple tips to share with your children. For more information, see https://nakedsecurity.sophos.com/2014/02/11/safer-internet-day-dont-be-an-online-sheep-our-top-10-tips-help-you-think-before-you-act/.

  1. Limit your Facebook profile to your friends only.
  2. Accept online friend requests only from people you already know, and like, and trust.
  3. Only upload things you are happy for the whole world to see, including your parents, friends and even your enemies.
  4. Never give out your address or agree to meet in person someone you’ve “met” online.
  5. Set a password lock on your phone or any other device you use, and make sure it locks automatically when you aren’t using it.
  6. Don’t click on suspicious-looking links.
  7. Tell your friends in person if you receive unusual messages from them. (Someone could have stolen their passwords.)
  8. Always log out – don’t leave any account open when you go away from your computer, phone or other device.
  9. Don’t pick easy passwords – mix up letters, numbers and funny characters so other people can’t guess what you chose.
  10. If you see something upsetting, or dangerous, or dishonest, speak up! Tell a parent or a teacher.

Saturday, September 29, 2018

Use Facebook? Time to change your password

This week there was a Facebook breach that affected 50 million users. Three days later, on Friday September 28, 2018, all of those users were forced to change their Facebook passwords. Even if you were not required to change your password, it's a good idea to do it anyway. Do it this weekend.

A Forbes article about the breach also recommends that you log out of any other web sites where you authenticate using your Facebook credentials. To find this information in Facebook, click apps and web sites, then logged in using Facebook, and remove the apps that you've used your Facebook account to log in to.

Go to settings and click security and login. Select the single-click option to log out of Facebook and every app or site where you are logged in using Facebook.

If you haven't enabled two-factor authentication on Facebook, do it today. Employ the same protection for any site holding sensitive information about you. This should include your email account (if multi-factor authentication is offered by your email provider), your banking and insurance web sites, your retirement and investment sites/apps, etc.

And, finally, if you are not using a password manager to store and encrypt all of your app passwords, start doing that today. LastPass, 1Password and KeePass are just a few of the password managers available. Most have a free option. Writing down passwords and re-using them across various web sites or apps is a huge risk that is easily avoided by using password manager software.

For more information about the vulnerability that was exploited, see https://www.forbes.com/sites/kateoflahertyuk/2018/09/29/facebook-data-breach-what-to-do-next/#b7fe4852de35.

Sunday, September 23, 2018

No excuse now: Credit card freezes are free!

The best way to protect your identity is to freeze your credit and then thaw it with the appropriate credit bureau when a credit check is needed.

If you haven't done this for yourself, your spouse and your dependents, consider doing this to protect your family from identity theft. Yup, this includes your children or any dependent who has a social security number.

Credit bureaus formerly charged minor fees for both freezing and thawing your credit. The 2017 Equifax breach led to much-needed change—a win for Americans. Note that freezing your credit also protects your credit score from those unsolicited credit inquiries.

According to Brian Krebs, this freedom from freeze fees was solidified in the Economic Growth, Regulatory Relief and Consumer Protection Act of 2018.

For more information, see Krebs' article at https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/.

Saturday, June 30, 2018

Have you disabled autofill in your browser?

I was, at one time, an autofill user. How convenient for me that my browser fills in the answers for me in various web form fields, like name, address, phone number, zip code, etc. It's possible to input credit card data this way as well, although I never enabled that feature.

More recently, I disabled the autofill capability in my preferred browser, which happens to be Google Chrome. I did this because the bad guys figured out a way to cull this information without the user's knowledge.

How they do this is quite simple. The user clicks a link in a targeted phishing email and is redirected to the attacker's web page. A form on the page shows some blank fields—such as first name and last name.

With autofill enabled in browser settings, and with a single click, the user chooses to automatically fill the name fields, unaware that there are hidden fields on the page that are automatically filled as well—only with more sensitive information than just a name.
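The hidden-field ruse just described, looked at from the defender's side, as an added Python example that is not from the blog post or the linked article: it parses a form and lists the inputs a browser would autofill but the user would never see. The sample form and the list of hiding styles are constructed for the example; real pages can also hide fields through external stylesheets, which inline-style matching would miss.

```python
from html.parser import HTMLParser

# Inline-style fragments (whitespace removed) that leave a text input fillable
# but invisible: hidden outright, transparent, or pushed off-screen. Constructed list.
HIDING_STYLES = ("display:none", "visibility:hidden", "opacity:0", "left:-", "top:-")


def hiding_reason(attrs):
    """Return why this input would be invisible to the user, or None if it is visible."""
    if "hidden" in attrs:                      # the boolean `hidden` attribute
        return "hidden attribute"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    for fragment in HIDING_STYLES:
        if fragment in style:
            return fragment
    return None


class AutofillAuditor(HTMLParser):
    """Collect (autocomplete token, reason) for every invisible autofillable input."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        # type=hidden is not a text control; the ruse relies on text inputs hidden with CSS
        if (a.get("type") or "text").lower() in ("hidden", "submit", "button", "checkbox", "radio"):
            return
        token = (a.get("autocomplete") or a.get("name") or "").lower()
        reason = hiding_reason(a)
        if token and reason:
            self.findings.append((token, reason))


def hidden_autofill_fields(html):
    auditor = AutofillAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample: two visible name fields plus three fields the user never sees.
SAMPLE_FORM = """
<form action="/greeting">
  <input name="first-name" autocomplete="given-name">
  <input name="last-name" autocomplete="family-name">
  <input name="email" autocomplete="email" style="opacity: 0; position: absolute">
  <input name="cc" autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input name="zip" autocomplete="postal-code" hidden>
</form>
"""

if __name__ == "__main__":
    for token, reason in hidden_autofill_fields(SAMPLE_FORM):
        print(f"invisible autofill field: {token} ({reason})")
```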

Note that if you use a password manager program (such as LastPass), it may have an autofill feature enabled.

For more information, see https://www.social-engineer.com/disable-autofill-browsers/.

Wednesday, June 6, 2018

Facebook users: Beware Target gift card scam

If one of your Facebook friends claims that he/she sent a text and received a free Target gift card in exchange, it's a hoax. The simple lesson here is that if it looks too good to be true, it probably is.

According to an article on Goodhousekeeping.com, the Facebook post appears to come from someone you know, and it may look like this:


This is a phishing scam.

The rule of thumb to avoid being scammed is this: Don't click links or open attachments in unexpected or unusual messages. Always verify before clicking. Other red flags are messages urging you to act now, messages asking for money, and anything offering something for nothing.

Want to stay safe online? Be careful what you click. When in doubt, verify. It's as simple as that.

For more information, see https://www.goodhousekeeping.com/life/money/a20952055/target-gift-card-scam/.

Saturday, May 5, 2018

Time to change your Twitter password if you have one

This week Twitter reported that it was storing user credentials in clear text in log files. Twitter users would be wise to log in to twitter.com and change their password. Now. Make it a long one, and make it unique.

For more information, see the Wired article at https://www.wired.com/story/change-your-twitter-password-right-now/.

Tired of keeping up with passwords? We all are. If you're not using a trusted password manager by now, you're behind the times. There is no excuse. Make it an immediate goal to stop using insecure passwords and to stop writing them down.

There are plenty of good password managers available, and many of them are free. LastPass is an example. See Wired magazine's recent article at https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/.

Sunday, April 29, 2018

Why we all need to stop responding to online quizzes and personal surveys

The Internet has become a massive data aggregation tool, providing entire lifestyle and consumer profiles about people to a host of anonymous entities. If you participate in social media tools like Facebook, your life's details are not only being harvested by marketing firms but by hackers as well.

Many social media sites offer up seemingly harmless quizzes and games that serve up questions urging you to reminisce about specific areas of your past, like "What was your first job?" You can substitute the word "job" with a host of other words—like pet, car, school name, etc.

Other questions might be, "What was your favorite teacher's name?" Again, you can substitute a number of words for teacher—like movie, book, school mascot, etc.

These questions are no different from the secret questions that you use online to reset a lost password or unlock an account. By sharing the answers with anonymous sources you are giving away the keys to unlocking your online accounts.

Although most people won't give away this kind of information, you'd be surprised at how many do. Whether you think you trust the source or not, always avoid answering questions like these in chain emails and social media "quizzes" and surveys.

Also, when configuring your secret questions and answers for unlocking online accounts, be sure to use information that is not readily available through your online persona.

For more information, see Brian Krebs' posting entitled Don't give away historic details about yourself at https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/.

Sunday, April 22, 2018

New active shooter "emergency scare" phishing scam at college

Here is a scheme for college students to be aware of. A community college in Florida fell victim to a fake campus-wide security alert that awkwardly announced an "emergency scare" by email to students. Even though this hit just one school, it paves the way for more scams like it. And scams like this can lead to panic, a flood of calls to 911, and other harm.

KnowBe4, the organization that posted info about this scam, warns college students to be on the lookout for these potential variations in the subject line of the phishing email:
  • IT DESK: Security Alert Reported on Campus
  • IT DESK: Campus Emergency Scare
  • IT DESK: Security Concern on Campus Earlier
If you click the links in the message, you're asked to enter your Microsoft online account credentials, which the bad guys then steal from you.

Always, always be wary of any unexpected email that leads you to provide a user name and password. If you do inadvertently click such a link, look at the full web site URL in the address bar of your browser before typing anything. In this case, if the URL doesn't have "microsoft.com" in it, then you know it's a fake.

In fact, it is best to always check the URL before typing your credentials anywhere on the web. Is the domain name correct? Does the address begin with "HTTPS" (not "HTTP"), which shows you that what you type is encrypted on its way to the site? If not, leave that site without interacting with it.

For the story, see http://www.prweb.com/releases/2018/04/prweb15410086.htm.

Saturday, April 7, 2018

The latest domain name scam involves changing .com to .cm in a web address in order to fool unsuspecting victims into clicking a link to a nefarious web site that looks a lot like the real thing.

Domain names are used to identify web pages on the Internet. In a web page address (also known as a "URL," for uniform resource locator), the domain name identifies the realm of the administrative authority that controls the domain.

For example, in the URL https://support.microsoft.com/en-us, the domain name is microsoft.com. The suffix of the domain indicates which top level domain it belongs to. Common suffixes (sometimes called domain extensions) are .com, .edu, .net, .org, .gov, .mil, .biz, .info and .us.

Some other domain names are facebook.com, villanova.edu, billygraham.org, fdic.gov and navy.mil. Here's another: parliament.uk. For this one, the domain name extension is ".uk," which is the country code for the United Kingdom.

Anyone can register a domain name for an annual fee.

With this particular ".cm" ruse, someone registers a trusted name using the .cm extension. In actuality, .cm represents the country Cameroon. But, as we said, anyone can buy a domain name, provided it's not already taken.

Say I was quick on the draw and registered facebook.cm before Mark Zuckerberg thought to reserve it. If I was a bad guy, I could then stand up a web server at facebook.cm and use it to mine bitcoin, store porn or serve up malware--you name it. Then I could buy a spam email list on the dark web and send tens of thousands of phishing emails to people that point to a web page on my facebook.cm server. I can guarantee you that a certain percentage of those recipients would take the bait and click that malicious link. It looks too much like the real thing.

Never click links in unexpected emails. Personally, I treat every link as suspicious. To protect yourself, before you click any link, hover over it with your mouse pointer to view the real URL behind the text. Scrutinize the domain name. Is it a domain you trust? Is it spelled properly? When in doubt, don't click. The safest route to a web site is to type the address into your browser address bar yourself, then store it as a bookmark.
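The hover-and-check routine described above, as an added Python example that is not from the blog post: it pulls the registrable domain out of a link's real URL (so microsoft.com.example.net is not mistaken for microsoft.com, the check the campus-alert post earlier on this page relies on), compares it with a list of trusted domains, and flags a .com-to-.cm swap or a near-miss spelling. The trusted list and the tiny second-level-suffix table are assumptions standing in for the reader's own bookmarks and the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains this reader actually visits (assumption).
TRUSTED = ("microsoft.com", "facebook.com", "amazon.com", "parliament.uk")
# Registries where the registrable name is three labels deep; a stand-in for the
# Public Suffix List, which a real checker would load instead (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "ac.uk", "com.au"}


def registrable_domain(url):
    """'https://support.microsoft.com/en-us' -> 'microsoft.com'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Classify a link's real destination: ok, warn, lookalike or unknown."""
    scheme = urlparse(url).scheme.lower()
    domain = registrable_domain(url)
    if domain in TRUSTED:
        return ("ok", domain) if scheme == "https" else ("warn", f"{domain} over plain http")
    for trusted in TRUSTED:
        # same brand label under a different extension: the .com -> .cm ruse
        if domain.split(".")[0] == trusted.split(".")[0]:
            return ("lookalike", f"{domain} imitates {trusted}")
        if edit_distance(domain, trusted) <= 2:
            return ("lookalike", f"{domain} resembles {trusted}")
    return ("unknown", domain)


if __name__ == "__main__":
    for link in ("https://support.microsoft.com/en-us", "https://www.facebook.cm/login",
                 "https://microsoft.com.example.net/", "http://www.amazon.com/"):
        print(link, "->", check_link(link))
```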

For details, see Brian Krebs' article at https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/.

Monday, February 19, 2018

Beware bogus debt collection and IRS phone calls

After an 8-month sabbatical that took me to a new job in a new state, I'm back to my blog. And guess what?! It's tax fraud season again! A few things to know:
  • If a debt collector calls you, hang up.
  • File your taxes early, before an impersonator does it for you.
  • If the IRS calls you, hang up. Remember that the IRS will never phone you asking for money.
Always beware of fake "debt collectors," fake "attorneys" claiming to be helping a loved one in jail, fake government agency representatives, or anyone calling you for money. It's also not a bad idea to screen incoming calls and don't answer numbers you don't recognize. Legitimate callers will leave a message.

For more information on this new debt collection scam that goes after your IRS refund, see Brian Krebs' blog posting IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts at
https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/.