The New Face of Phishing

August 17th, 2010

In the past six months,  a dangerous new threat has emerged in the world of internet phishing. Many of us have often laughed at the crude and poorly crafted phishing explorations that often invade our in-box.

Lest any of us fall asleep at the wheel thinking we are already hip to the rather primitive  phishing tactics of the past, this one could easily  catch you in it’s insidious hooks if you don’t read on.

Known as “tabnapping”, this ploy is designed to psych you out with a behind-the-back switcheroo that literally kidnaps  open tabs and catches most savvy observers by surprise. Using an almost invisible layer of embedded JavaScript, here’s how it works.

Brian Krebs explains:

” As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javacript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.”

In as little as five seconds, a tabbed page silently and almost invisibly changes to a seemingly familiar page (including the cute little “favicon” in the address bar) which requires you to re-enter your log-in credentials. As soon as you enter your private details,  both you and your personal information  have literally been “had”.

The best defense against this tricky new tactic is to take a time-out. What that means is whenever a site you visit “times-out” , you should take some time-out of your browsing frenzy to open a new tab and re-enter the desired URL yourself.

Most browsers including Safari, Chrome,  Firefox and Internet Explorer claim to be on the lookout for you by blocking tabnapping attack code. Researchers and hackers have both been able to sidestep many of the current blocking protections,  leaving most browsers vulnerable.

Safety dictates that you don’t log in on any tab that you  have not opened yourself. Get into the habit of opening fresh tabs whenever you enter a user-name or password.

If you forget to refresh previously opened and familiar log in pages, one day soon you could literally open up a fresh can of worms.

Posted in Data security, Financial Scams, Internet, Phishing | 1 Comment »

New “Data Passing” Scams Exposed

July 1st, 2010

What do online companies like Orbitz, Priceline and Travelocity have in common?

Nope, guess again.

All three have found themselves  in the middle of complaints about dubious business practices. The behavior in question has recently been investigated by the Federal Trade Commission on behalf of boatloads of victimized consumers.

The scam here,  refers to the practice of sharing or “passing” credit card information over to a third party at the end of a transaction without the knowledge or explicit consent of the buyer.

The retailers deny any wrongdoing.

The practice known as “Data Passing” or “Pre-Acquired Account Marketing” was the subject of a high profile, year-long investigation by the Senate Commerce Committee according to a June 22, 2010 article in the Washington Post.

According to published reports:

“In May 2009, Chairman Rockefeller launched an investigation into a set of controversial e-commerce business practices that have generated high volumes of consumer complaints. Since that time, Commerce Committee staff has been investigating three Connecticut-based direct marketing companies – Affinion, Vertrue, and Webloyalty – as well as the hundreds of online websites and retailers that partner with these three companies to sell club memberships to online shoppers. Although this investigation is not yet complete, it is clear at this point that these three companies use highly aggressive sales tactics to charge millions of American consumers for services the consumers do not want and do not understand they have purchased.”

Bob Sullivan from MSNBC.com  also reported that the problem has triggered an astounding $ 1.4 billion in unauthorized charges onto the credit card bills of  30 million Americans.

Senate investigators revealed that this practice was used by over 450 e-commerce websites and retailers. Many of the names on the list are well-known and respected companies who got around existing data-privacy and banking rules by forming partnerships and joint ventures with third parties.

Credit card issuer Visa, has taken a stand and no longer allows merchants to use the so-called “Data-Pass Marketing” on their network.

Despite Visa’s policy and after more than $1 billion dollars in “aggressive and potentially deceptive” sales tactics,  I think it would be fair to complain that the horse is already out of the barn.

Posted in Credit card fraud, Federal Government, Financial Scams | No Comments »

ID Theft Is Lurking In Your Computer

June 7th, 2010

Personal computing guru Steve Bass recently shared some rather eye-opening statistics in his value-packed newsletter,  Techbite.

Security vendor PC Pitstop Research analyzed just over 50, 000 computers for evidence of security threats, vulnerabilities, viruses and protection tools. Immediately, some interesting results emerged.

Can you guess what percentage of computer users have absolutely no security software installed on their machines? The answer is that a shocking 23% of us are flying through cyberspace as naked as  jay birds!

The PC Pitstop  study was looking for evidence of threats which we should all be on the lookout for such as Spyware, Malware / Rogueware and Keyloggers.

For clarity, the article defined its terms,  so there would be  no confusion about the nature or intent of each of these threats.

According to the report:

” We define spyware as the software that is unintentionally installed on the target computer. … A new growing segment of malware is rogue or phony security software.… Keyloggers are a category of software that is intended to monitor the activity of a target computer. This is a rather dangerous category since this form of malware can be used for identity theft, stalking and other ugly criminal activity.”

The good news is that Symantec, Trend Micro, Kaspersky and other leading providers are very effective in their own areas of strength,  at delivering protection from many of the most common  threats:

  • Kaspersky was rated best against rogue software
  • Symantec was best in the fight against spyware
  • Trend Micro was best against keyloggers
  • Kaspersky was best against viruses

One of the takeaways here is that not all threats can be stopped with just one form of security. Redundancy in various computer security software programs is the best way to keep the multiplying strains of threats at bay.

The underlying theme from this study is that ” no one security provider is good at protecting against all aspects of security. As the analysis suggests, each vendor has some strengths and weaknesses.”

The reality that a given threat could progress  from mischievous to menacing to malicious, is a real possibility in our data-rich daily lives.

Protect your data and assets accordingly.

Posted in Anti-virus software, Computer safety, Data security, Personal privacy | No Comments »

Cyber Battlefield In Our Own Backyard

May 6th, 2010

With the war in Iraq winding down and the war in Afghanistan heating up, many of us are unaware of the cyber-war raging on our own home turf.  If this is old news to you, stay with me.

According to a Congressional committee, attacks on the Department of Defense computer systems jumped 60 percent in 2009.

Russia, China and North Korea have all launched sustained attacks on U.S. government agencies including the Federal Trade Commission and the Department of the Treasury.

Analysts believe that security standards like the ones created by the National Institute of Standards and Technology (NIST), should be implemented immediately. According to the experts, NIST could get us 90 percent closer to where we need to be.

In Congressional testimony earlier this year, former National Intelligence Director Mike McConnell said that we could be on the brink of an all-out cyberwar. McConnell’s view has been repudiated by the current Secretary of Defense Robert Gates.

If  Moore’s law is true,  (every 24 months a dollar buys twice the amount of computing power that it did before) our enemies may be able to buy, beg, borrow or hack twice as much of our data as  they can today for the same effort.

Computer scientist Daniel Geer Jr. aptly reveals what is at stake:

” We have spent centuries learning about securing the physical world, plus a few years learning about securing the digital world. What we know to be common to both is this: That which cannot be tolerated must be prevented.”

America’s most valued, electronically stored data is being targeted. Government agencies, private think tanks and university data warehouses are all vulnerable. The enemy operates from a distance with virtually no risk of personal danger.

What defense mechanisms can we construct to prevent our data from being stolen at the speed of light?

Tags: ,
Posted in Cyberwar, Data security | No Comments »

Identity Thief Gets 300 Year Sentence

April 2nd, 2010

Who says justice is blind? Sometimes she can see pretty clearly!

In this case, a judge decided to do more than follow the letter of the law regarding sentencing guidelines. In Louisiana, the court flexed some judicial muscle and threw an entire bookshelf  at a defendant.

According to a report retrieved recently from All Headline News:

“Baton Rouge, LA,  – A man who led an identity theft and bribery scheme was sentenced to more than three centuries in prison on Wednesday.

A federal judge decided that Robert Thompson, also known as John Lawson, should serve 309 years for leading a conspiracy to use confidential financial information of over 60 individuals, businesses, churches and financial institutions to steal money and goods.

The sentence is believed to be the longest handed down to a white collar defendant in the history of the Middle District of Louisiana.

Prosecutors say the scheme began in June 2006 and included an attempt to steal $20 million from one victim. Thompson bribed a prison guard while he was an inmate at Elayn Hunt Correctional Center with $10,000 in return for cell phones he used for his crimes.

Thompson was indicted in 2008 along with 10 other people for identity theft. He pleaded guilty a year later to charges of conspiracy, wire fraud, mail fraud, bank fraud, computer fraud, access device fraud, aggravated identity theft, money laundering, and obstruction of justice.

The 43-year old from Zachary, LA, reportedly collapsed during his sentencing. He recovered in time to hear the sentence from Chief U.S. District Court Judge Ralph Tyson.”

This low life’s repeated attempts to defraud a long list of victims only goes to prove the well known maxim that “crime doesn’t pay”.  In this case perhaps for only a brief moment, crime DID pay.

The problem is that eventually we have to pay it all back.

Posted in Uncategorized | No Comments »

ID Fraud Not Just A White Collar Crime

March 7th, 2010

This chilling story from the New York Post reinforces the fact that identity theft  is not simply  a harmless white collar crime.

“A man charged in an identity theft scheme has been accused of killing two of his victims.

An indictment unsealed Thursday in federal court in Brooklyn charges Dmitriy Yakovlev in the murder of a missing Russian-language translator. He’s also accused of killing a man whose remains were found in New Jersey in 2006.

Yakovlev and his wife were already facing charges they used a credit card with the missing translator’s name to go on shopping sprees. Last year, the FBI searched the basement of the couple’s Brooklyn home for the victim’s body, but never reported finding anything.

The indictment added charges alleging Yakovlev also stole the identities of two men who disappeared in 2003 and 2005, and that he killed one of them.

There was no immediate response to a message left with Yakovlev’s attorney.”

This tragic story underscores the urgent need for each of us to become and  remain smaller targets for ID thieves.

“How do I become a smaller target” you ask?

You become a smaller target by establishing and maintaining your own financial literacy about safeguarding personal information. This ensures that you will be a smaller target for both the opportunistic  amateurs and the career criminals.

Make no mistake. The financial safety habits you develop now could literally save your life in the future.

Read more: http://www.nypost.com/p/news/local/brooklyn/prosecutors_identity_theft_victims_AITfK5UoqA0eBK29NhMotL#ixzz0hTWbDusQ

Posted in Financial Security, Violent Crime | No Comments »

2010 U.S. Census Creates ID Theft Vulnerability

February 13th, 2010

In March of this year, census takers will begin to thread their way across the highways and byways of our land to conduct the 2010 census.

Despite the skepticism of some,  participation is required under Title 13 of the United States Code. The same law also requires that the Census Bureau tabulate your information without revealing any of your personal data.

The government imposes very stiff fines and possible prison terms for federal employees who violate the privacy guidelines.

Allow me to call another lurking personal privacy threat to your attention. Make sure that anyone you share information with is actually from the Census Bureau!

This reminder came to my attention  from a Vice President of  Security at Austin Bank in Longview,  Texas.  (used with permission)

There has been a lot of advertisement about the 2010 Census. It is important that all people participate in the census since it is only taken every ten years. However, there are people at work posing as census takers to do one simple thing; steal the identity of everyone they can, and either use or sell the information. It is important that you protect yourself and talk to your family and friends, about protecting themselves.

Additionally, the U.S. Census Bureau has issued this statement on their website:

Census workers may need to visit your household to update the Census Bureau’s address list, deliver a questionnaire or ask you to complete the questionnaire face-to-face.  All census workers carry official government badges marked with just their name.  You also may ask them for a picture ID from another source to confirm their identity.  In addition, some census workers might carry a ‘U. S. Census Workers’ bag.  If you still are not certain about their identity, please call the Regional Census Center toll-free number to confirm they are employed by the Census Bureau.

Census workers will never ask  for your:

  • Social security number
  • Citizenship or immigration status
  • Salary or income
  • Bank account information

The reality is that their questions require much less personal information than a typical credit card application. If you would rather not answer questions at your front door, you can mail in your data.

The government says that our participation will help us to “paint a portrait of America”.

Pick up your paintbrush and let your voice be heard.


Tags: , ,
Posted in Federal Government, Federal Law, Personal Responsibility, Personal privacy | 2 Comments »

Haitian Disaster Scammers Target Donors

January 16th, 2010

Hands of HaitiAs Americans and the world respond to the urgent needs of the Haitian people, the dark deeds of evil people surface yet again.

The scammers who take advantage of disasters  such as this one by preying upon unsuspecting donors,  are already in full swing.

It has been widely reported now, that criminals have begun setting up fraudulent charities, helplines and websites in an attempt to cash in on the misery and heartache of the Haitian quake survivors.

Reuters is reporting that the FBI and The Bureau of Justice Assistance have already begun warning donors and tracking complaints during this relief effort.

Both the Asian tsunami and Hurricane Katrina shed light on the depths to which con-artists will go in order to steal both money and personal information.

The potential for technology to be used for the good of the Haitian relief effort,  can be seen and safely accessed by texting to one or more legitimate mobile-friendly sites that are now in place.

– Texting HAITI to 90999: The U.S. Department of State’s Web site suggests texting “HAITI” to “90999″ to donate $10 to the American Red Cross to help with relief efforts. The $10 will be charged to your cell phone bill. Or you can go online to organizations like the Red Cross and Mercy Corps to contribute to the disaster relief efforts.

– Texting YELE to 501501: On Twitter, musician Wyclef Jean, a native of Haiti, notes, “Haiti needs your help text YELE to 501501 and $5 dollars will go toward earthquake relief.” Yele Haiti is a grassroots movement Jean has set up to inspire change in Haiti through programs in education, sports, the arts and environment.

We Americans can be a very generous and compassionate people.  The sheer magnitude of the issues facing the world’s poorest countries like Haiti, can and are now being brought to light by the media as well as the ongoing efforts of  well established relief organizations like World Vision and Food For The Poor.

In their hour of need, Haitian earthquake survivors and relief workers must not be held hostage by opportunistic “privacy pirates”.  Shame on those who attempt to re-route essential resources away from the people of Haiti and into their own dark pockets.

Tags: ,
Posted in Financial Scams | No Comments »

Cyberspies Working Overtime to Upset U.S. Power Grid

December 14th, 2009

New threats to America’s power grid are surfacing daily. The folks at McAfee  spend most of their waking hours looking for ways to defend their clients from the never ending barrage of cyber-threats.

On the other hand, non- geeks simply want a worry-free, hacker-free Internet experience and we generally don’t care about the details of the international day to day battle of tech wits.

However, some tech experts on the front lines are alarmed these days. They have known about the foreign threat for years, but they have come to realize something that is both disturbing and revealing about our own willingness to fight back.

Elan Winkler over at McAfee surveyed 200 critical infrastructure IT professionals and discovered an eye opening attitude. These industry insiders blame cost and complacency for our predicament. Winkler states:

“So, if the people in the know, knew, how come we’re still vulnerable? I asked them that question as well. The number one answer: cost. Number two: complacency. No real surprises there; those are the same answers that we used to get from IT departments 15 years ago on why they didn’t have defense in depth technologies set up to protect servers and databases.”

The survey respondents also provided the following comments:

  • “There hasn’t been a real incident so no one takes it seriously.”
  • “Lack of knowledge and understanding.”
  • “Inability of decision makers to commit to security upgrades.”
  • “No one wants to pay for security.”
  • “False sense of security.”
  • “Security competes with other priorities for resources.”
  • “We, as Americans, believe we are invulnerable to this kind of attack.”

In neighborhoods across our great country,  most power outages are often simply a result of the forces of  Mother Nature. For example, a nasty December storm blew through our neighborhood just last night leaving about 700 homes in the dark, well into the night.

Imagine what could happen if our own complacency and budget constraints were to put the entire nation at risk.

Government’s job is to protect citizens from both foreign and domestic threats.  Our job is to support them in any way we can.

This pervasive, lazy attitude held by many inside the IT community, renders the term”computer geek” more laughable than it already is.

Posted in Cyberwar | No Comments »

Identity Thief About To Pay the Piper

December 2nd, 2009

Despite the conventional wisdom (including my own) which says most identity thieves never get caught, one high profile flim-flam artist is about to get the big chill.

According to a report originating from Denver’s NBC-TV news affiliate KUSA, one of the most prolific financial criminals in U.S. history is about to be sentenced to a maximum of up to 36 years in prison.

The person awaiting sentencing is 38 year old Shonya Young. Ms. Young was part of an identity theft ring that was busted after stealing the purse of the wife of Federal Reserve Chairman Ben Bernanke.

According to reports, Young is the person who actually  drained Mrs. Bernanke’s checking account after her purse was swiped from a Washington D.C. area Starbucks.

To lessen the chances that you could become the next victim, consider leaving the following items in a secure place and not in your purse, wallet or backpack:

- Checkbook
- Unused credit/debit cards
- Social Security card
- Passport

Three kinds of awareness are helpful here. The first is an awareness of your possessions including personal items like laptops, backpacks, wallets and purses.

Second, be aware of your physical surroundings involving transactional privacy while using smartphones, ATM’s  and WI-FI hotspots.

The third is financial reporting awareness, which comes from closely monitoring your credit card and banking statements to look for irregularities on at least a monthly basis.

There is no substitute for awareness coupled with action in order to detect, deflect and destroy the efforts of  identity thieves who are still out there lurking in the wings.

Posted in Uncategorized | No Comments »

« Older Entries