If one of your Facebook friends claims that they sent a text and received a free Target gift card in exchange, it's a hoax. The simple lesson here is that if it looks too good to be true, it probably is.
According to an article on Goodhousekeeping.com, the Facebook post appears to come from someone you know (the article includes an example of what it looks like).
This is a phishing scam: the whole point is to get you to text the number or follow the link yourself.
The rule of thumb to avoid being scammed is this: Don't click links or open attachments in unexpected or unusual messages. Always verify first, through a channel you already trust, such as calling the friend or going to target.com yourself rather than through the post. Other red flags are messages urging you to act now, messages asking for money, and anything offering something for nothing.
Want to stay safe online? Be careful what you click. When in doubt, verify. It's as simple as that.
For more information, see https://www.goodhousekeeping.com/life/money/a20952055/target-gift-card-scam/.
Tips for being secure in today's digital world, and keeping your kids safe online as well.
Wednesday, June 6, 2018
Saturday, May 5, 2018
Time to change your Twitter password if you have one
This week Twitter reported that a bug had been writing users' passwords in plain text to an internal log before they were hashed. Twitter says it found no sign that the log was accessed or misused, but you have no way to verify that, so Twitter users would be wise to log in to twitter.com and change their password. Now. Make it a long one, and make it unique to Twitter.
For more information, see the Wired article at https://www.wired.com/story/change-your-twitter-password-right-now/.
Tired of keeping up with passwords? We all are. If you're not using a trusted password manager by now, you're behind the times. There is no excuse. Make it an immediate goal to stop reusing passwords, stop using weak ones, and stop writing them down.
There are plenty of good password managers available, and many of them are free. LastPass is an example. See Wired magazine's recent article at https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/.
Sunday, April 29, 2018
Why we all need to stop responding to online quizzes and personal surveys
The Internet has become a massive data aggregation tool, providing entire lifestyle and consumer profiles about people to a host of anonymous entities. If you participate in social media tools like Facebook, your life's details are not only being harvested by marketing firms but by hackers as well.
Many social media sites offer up seemingly harmless quizzes and games that serve up questions urging you to reminisce about specific areas of your past, like "What was your first job?" You can substitute the word "job" with a host of other words—like pet, car, school name, etc.
Other questions might be, "What was your favorite teacher's name?" Again, you can substitute a number of words for teacher—like movie, book, school mascot, etc.
These questions are no different from the secret questions that you use online to reset a lost password or unlock an account. By sharing the answers with anonymous sources you are giving away the keys to your online accounts: whoever collects them can go to the "forgot password" page and answer them in your place.
Although most people won't give away this kind of information, you'd be surprised at how many do. Whether you think you trust the source or not, always avoid answering questions like these in chain emails and social media "quizzes" and surveys.
Also, when configuring your secret questions and answers for unlocking online accounts, be sure to use information that is not readily available through your online persona. Better still, treat the answers as passwords: the site only checks that what you type matches what you entered at setup, not that it is true, so make up a random answer for each question and keep it in your password manager along with the password.
For more information, see Brian Krebs' posting entitled Don't give away historic details about yourself at https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/.
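As an added example (not from this post or from Krebs' article), here is a short Python script that does what the last two paragraphs recommend: it makes up random reset answers to store in a password manager, and it puts a rough number on why. The same idea applies to the May 5 post about the Twitter password: a secret is only as good as the number of guesses it takes. The pool sizes for the truthful answers are constructed guesses for illustration, not measured data, and the script assumes the site accepts letters and digits in an answer.

```python
import math
import secrets
import string

# Characters allowed in a made-up answer. Assumption: the site accepts letters
# and digits in a security answer; trim the set if a particular site is pickier.
ALPHABET = string.ascii_letters + string.digits

# Constructed estimates of how many plausible answers each common question has
# once an attacker has read your profile or a quiz thread you replied to.
# Illustrative numbers only, not measured data.
GUESSABLE_POOL_SIZE = {
    "What was the name of your first pet?": 2000,
    "What was your first car?": 300,
    "What was your favorite teacher's name?": 5000,
    "What was your high school mascot?": 100,
}


def entropy_bits(pool_size: int, picks: int = 1) -> float:
    """Bits of entropy in `picks` independent uniform picks from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_answer(length: int = 20) -> str:
    """A fake, random answer to store in a password manager in place of the true one.

    The site only checks that the reset answer matches what you typed at setup,
    so it need not be true, and a random string cannot be recovered from your
    social media history the way a pet's name can. `secrets` uses the OS CSPRNG.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare_strength(length: int = 20) -> dict:
    """Entropy of a truthful answer to each question versus a random one of `length` chars."""
    random_bits = entropy_bits(len(ALPHABET), length)
    return {
        question: {
            "truthful_bits": round(entropy_bits(pool), 1),
            "random_bits": round(random_bits, 1),
        }
        for question, pool in GUESSABLE_POOL_SIZE.items()
    }


if __name__ == "__main__":
    for question, bits in compare_strength().items():
        print(f"{question}\n  truthful answer ~{bits['truthful_bits']} bits, "
              f"random answer ~{bits['random_bits']} bits")
    print("Random answer to paste into the site and your password manager:", random_answer())
```

A truthful "first car" answer is worth about 8 bits (a few hundred guesses), while a 20-character random answer is worth about 119 bits; the site cannot tell the difference, but an attacker with your Facebook history can.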
Sunday, April 22, 2018
New active shooter "emergency scare" phishing scam at college
Here is a scheme for college students to be aware of. A community college in Florida fell victim to a fake campus-wide security alert that awkwardly announced an "emergency scare" by email to students, with a link that led to a fake sign-in page. Even though this hit just one school, it paves the way for more scams like it. And scams like this can lead to panic, a flood of calls to 911, and other harm.
KnowBe4, the organization that posted info about this scam, warns college students to be on the lookout for these potential variations in the subject line of the phishing email:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
Always, always be wary of any unexpected email that leads you to a page asking for a user name and password. If you do inadvertently click such a link, look at the full web address in the browser's address bar before typing anything. Read the host name from the right: the part between the "//" and the next "/" must end in the domain you expect. In this case the link was supposed to lead to a Microsoft sign-in page, so the host name must end in microsoft.com. A name like microsoft.com.verify.example belongs to whoever registered verify.example, not to Microsoft, even though "microsoft.com" appears in it, so merely seeing the words is not enough.
In fact, it is best to always check the address before typing in your credentials anywhere on the web. Is the domain name correct, and spelled correctly? Does the address start with "https://" (not "http://")? Without HTTPS, anything you type can be read on its way to the site. Keep in mind, though, that HTTPS only tells you the connection is encrypted to whoever owns that domain; phishing sites use HTTPS too, so the padlock on its own does not prove a site is genuine. If anything looks wrong, leave that site without interacting with it.
For the story, see http://www.prweb.com/releases/2018/04/prweb15410086.htm.
Saturday, April 7, 2018
The latest domain name scam involves changing .com to .cm in a web address, a one-letter difference, in order to fool unsuspecting victims into clicking a link to a nefarious web site that looks a lot like the real thing.
Domain names identify the hosts (web servers, mail servers and so on) that make up a site on the Internet. In a web page address (also known as a "URL," for uniform resource locator), the domain name identifies the organization that controls that part of the name space.
For example, in the URL https://support.microsoft.com/en-us, the registered domain name is microsoft.com, and "support" is a host name within it. The last part of the domain name is its top-level domain (TLD), sometimes called the domain extension. Common ones are .com, .edu, .net, .org, .gov, .mil, .biz, .info and .us.
Some other registered domain names are facebook.com, villanova.edu, billygraham.org, fdic.gov and navy.mil. Here's another: parliament.uk. For this one, the top-level domain is ".uk," which is the country code for the United Kingdom.
Anyone can register a domain name for an annual fee.
With this particular ".cm" ruse, someone registers a trusted name under the .cm extension. In actuality, .cm is the country-code top-level domain of Cameroon. But, as we said, anyone can buy a domain name, provided it's not already taken, and dropping the "o" from ".com" is an easy typo to make and an easy one to miss.
Say I was quick on the draw and registered facebook.cm before Mark Zuckerberg thought to reserve it. If I was a bad guy, I could then stand up a web server at facebook.cm and use it to mine bitcoin, store porn or serve up malware, you name it. Then I could buy a spam email list on the dark web and send tens of thousands of phishing emails to people that point to a web page on my facebook.cm server. I can guarantee you that a certain percentage of those recipients would take the bait and click that malicious link. It looks too much like the real thing.
Never click links in unexpected emails. Personally, I treat every link as suspicious. To protect yourself, before you click any link, hover over it with your mouse pointer to view the real URL behind the text (on a phone, where there is no hover, press and hold the link to see where it goes). Scrutinize the domain name. Is it a domain you trust? Is it spelled properly, right down to the extension? When in doubt, don't click. The safest route to a web site is to type the address into your browser address bar yourself, then store it as a bookmark and use the bookmark from then on.
For details, see Brian Krebs' article at https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/.
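As an added example (not from this post or from Krebs' article), here is a small Python script that does the hover-and-scrutinize check mechanically. It pulls the real target out of each link in a constructed sample email, reduces that target to the domain someone had to register, and flags the tricks that fool a quick glance: .cm in place of .com, a trusted name buried in the middle of a longer host name, a name in front of an "@" sign, plain http, and link text that shows one address while the link goes to another. It also covers the "check the address before you type" advice in the April 22 post. The look-alike TLD table and the short list of two-label suffixes are assumptions for illustration, not complete lists; a real checker would use the public suffix list.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Country-code TLDs that get typed or registered in place of a common one (.cm is
# Cameroon, as the post says). Assumption: an illustrative table, not an exhaustive one.
LOOKALIKE_TLDS = {"cm": "com", "co": "com", "om": "com", "ne": "net"}

# Suffixes under which names are registered one label deeper (example.co.uk, but
# parliament.uk). Assumption: a tiny subset of the public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a host name that an attacker would have had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> list[str]:
    """Reasons a link should not get your credentials; an empty list means no red flag found."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append(f"not https (scheme is {parts.scheme or 'none'})")
    if parts.username is not None:
        # https://microsoft.com@evil.example: the text before '@' is a user name, not the host
        flags.append(f"user info before '@' hides the real host {host!r}")
    registered = registrable_domain(host)
    expected = expected_domain.lower()
    if registered != expected:
        if expected in host:
            # The substring test passes microsoft.com.evil.example; the suffix test does not
            flags.append(f"{expected!r} appears inside {host!r} but the registered domain is {registered!r}")
        else:
            flags.append(f"registered domain is {registered!r}, expected {expected!r}")
        exp_name, _, exp_tld = expected.rpartition(".")
        reg_name, _, reg_tld = registered.rpartition(".")
        if reg_name == exp_name and LOOKALIKE_TLDS.get(reg_tld) == exp_tld:
            flags.append(f"look-alike extension .{reg_tld} in place of .{exp_tld}")
    return flags


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs: the two things 'hover before you click' compares."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email(html: str, expected_domain: str) -> list[tuple[str, str, list[str]]]:
    """Run check_link over every anchor and compare the visible text with the real target."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        flags = check_link(href, expected_domain)
        if "://" in text or ("." in text and " " not in text):
            # The text looks like an address; make sure it is the address the link goes to
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
            real = urlsplit(href).hostname or ""
            if registrable_domain(shown) != registrable_domain(real):
                flags.append(f"text shows {shown!r} but the link goes to {real!r}")
        report.append((href, text, flags))
    return report


# Constructed sample lure modelled on the .cm trick the post describes; not a real message.
SAMPLE_EMAIL = """
<p>Your account will be locked. Sign in now: <a href="http://www.facebook.cm/login">www.facebook.com</a></p>
<p>Or visit <a href="https://www.facebook.com/">Facebook</a> to learn more.</p>
"""

if __name__ == "__main__":
    for href, text, flags in audit_email(SAMPLE_EMAIL, "facebook.com"):
        print(f"{text!r} -> {href}")
        for flag in flags or ["no red flag found"]:
            print("   ", flag)
```

The first link in the sample gets four flags (plain http, a .cm registration, a registered domain that is not facebook.com, and link text that does not match the target); the second, which really goes to facebook.com, gets none. The same `check_link` rejects `https://microsoft.com@evil.example/login` and `https://microsoft.com.evil.example/owa`, both of which contain the words "microsoft.com" and neither of which belongs to Microsoft.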
Monday, February 19, 2018
Beware bogus debt collection and IRS phone calls
After an 8-month sabbatical that took me to a new job in a new state, I'm back to my blog. And guess what?! It's tax fraud season again! In the scheme Brian Krebs describes, crooks break into a tax preparer's systems, file returns in the clients' names, have the refunds deposited into the clients' real bank accounts, and then phone the clients posing as a debt collection agency or the IRS to get the "erroneous" refund sent on to them. A few things to know:
- If a debt collector calls you about a tax refund, hang up. Then check with your bank yourself, using the number on your card or statement, and if money you didn't expect really did arrive, follow the IRS's own published instructions for returning an erroneous refund (on irs.gov), not any number, address or account the caller gives you.
- File your taxes early, before an impersonator does it for you.
- If the IRS calls you, hang up. The IRS contacts taxpayers by mail first; it will not phone you demanding immediate payment, and it will never ask for payment by gift card or wire transfer.
For more information on this new debt collection scam that goes after your IRS refund, see Brian Krebs' blog posting IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts at
https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/.
Tuesday, June 6, 2017
The warrior inside you: Protect yourself from knife attacks
This post takes a detour from virtual security to physical security. I raise this issue because here in America we are not well acquainted with small-scale terrorist attacks—the type of attacks that Israelis are well-versed in combating.
A couple years ago, I heard Dr. Robbie Friedmann speak about the types of terrorist attacks that we can expect to see more of. He specifically mentioned knife attacks, whereby an aggressor appears in a public location like a city sidewalk and suddenly wields a knife, stabbing at any human being within reach.
Because we've seen more of these lately, including this week's London Bridge attack, I reached out to women's self-defense and security expert Celia Cortes, founder and CEO of Seva 6 Security Consulting.
When I asked Celia how we can defend ourselves in a situation like this, one with no escape route, she advised that going on the offensive may be the best way to save lives. Most importantly, the decision whether to act offensively or defensively must be made quickly:
"A knife is more dangerous than a gun. You have to decide if you want to attack offensively or protect yourself defensively.
If the attacker is upon you, you have no choice but to burst in and attack offensively. That means going after the knife. Or at the very least the arm that is holding the knife and doing your all to control the weapon and/or disarm the guy. If you are with other people, one should go for the knife, the other should go for the legs. A group of people can easily overpower an attacker but they have to overcome the fear of being cut. Cut is better than killed.
It happens so very fast, so there is no time to hesitate.
Here's hoping you never have to deal with it but if you ever do, call on the warrior inside you and protect your life."
In other words, should an attack like this occur, act immediately. If others are present, work together against the attacker. There is power in numbers. For me, that means summoning up the courage of 9/11 hero Todd Beamer, who famously motivated other passengers on Flight 93 to take down their attackers when he said, "Let's roll!"
Some may disagree with how Celia or I would respond in this situation, and how you react will depend upon the totality of the circumstances and your presence of mind in the moment.