News broke that pop star George Michael was found dead in his home in Oxfordshire, England. He was 53. Internet scum are going to exploit this celebrity death in a number of ways, so be careful with anything related to George Michael’s death: emails, attachments, any social media (especially Facebook), texts on your phone, anything. There will be a number of scams related to this, so Think Before You Click!

A new celebrity death scam reared its ugly head. The bad guys claim that Brad Pitt has committed suicide because of the recent Angelina Jolie divorce. The scam is currently on Facebook, but you can expect emails with links for “more details” and/or attachments that claim to be a video of his last moments. There are several versions that claim he hanged himself, died at a shooting range or from a substance overdose.

You might even get text messages to your smartphone that try to trick you into going to a site with the exclusive pictures of his death. If you see any social media posts or get emails with links or attachments, do not click on anything, do not open attachments or reply, and if it is social media, do not touch and do not share or forward. These bad guys will use anything to shock and trick you into clicking. 

Do not fall for it and Think Before You Click!

There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.

Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.

If you do, two things may happen:

1) You get to talk right away with a real internet criminal, usually with a foreign accent, that tries to scam you. They claim there is a problem with your computer, “fix” it, and ask for your credit card.

2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you and try the same scam.

Remember, if you get any email that either promises something too good to be true OR looks like it requires you to act to prevent a negative consequence, Think Before You Click, and in this case, before you pick up the phone.

If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don’t fall for it! http://cdn2.hubspot.net/hubfs/241394/phone_phish.mp3

A lot of companies have support pages on social media. A good example is PayPal, which has a Twitter support page. You need to watch out for bad guys who are tricking people with fake support pages. Here is how this scam goes down:

    1. The bad guys set up a fake PayPal Support page on Twitter.
    2. They monitor the real PayPal Support page on Twitter for potential victims.
    3. A PayPal user reports a problem on the real Twitter PayPal Support account.
    4. The bad guys swoop in and respond to that user from their fake PayPal Support page and tell the user to log in on a fake PayPal support site with their real PayPal username and password.
    5. Game over. Bad guys now own your account and steal money.

What To Do About It: If you have problems with a vendor, do not use social media to complain and/or resolve the issue, because everyone else can see this, including the bad guys. Go to that vendor’s website and use their existing support webpage to create a trouble-ticket — not their social media pages.

 

There is a new Scam Of The Week where bad guys have taken an actual past scam that the Federal Trade Commission has resolved and is now refunding money on. Bad guys just go to the FTC website to get ideas from these FTC cases, create a phishing attack out of them, and start sending it to millions of people.

 

Here is the rule: If you receive any emails from an official-sounding organization that promises you a refund for any amount, be very careful and never click on any links or open any attachment you did not ask for. Delete the email.

 

When you are really expecting an FTC refund, go to their website yourself using your own shortcut, or by typing the address in your browser, or Cut & Paste this URL:  https://www.ftc.gov/enforcement/cases-proceedings/refunds (this link may be redirected, do not click on the link)

 

Remember: Think Before You Click!

 

There is a current email phishing scam going on where you get an official-looking email forwarded by your ISP, which states you have violated HBO copyrights and illegally downloaded Game of Thrones.

The email has a link to a website where they say you can pay the fine. Don’t fall for it. The message was sent by cybercriminals and they would get any money you pay. 

In general, it’s a bad idea to illegally download shows and movies for two reasons. First, you are indeed violating copyrights which can turn out to be very expensive when you get sued. Second, the websites promising these downloads are often compromised and infect your computer with all kinds of malware. 

If you receive such a notice and want to verify whether it is real, contact the real IP-Echelon directly, which you can do here: https://www.ip-echelon.com/contact-us/

Remember: Think Before You Click!

 

There is literally a new craze going on with an augmented-reality smartphone app called Pokémon Go. It’s a geocaching game, meaning it’s tied to real-world locations. It’s a smash hit sending people on the street, trying to catch virtual creatures in real-world locations — called Pokestops — that players can capture, train and trade.

However, the game’s rapid rollout and breakaway success have their risks. It’s from Niantic, a Google spin-off that makes Ingress, which is a very popular multiplayer game, but Pokémon Go has immediately hit several security and privacy-related speed bumps, and not all of them are virtual.

First: Muggings

In this game, players can meet in Real Life using the Pokestop feature to do virtual battle, and police in O’Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them. Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects – one of whom was a juvenile – who were in a BMW. They also said they recovered a handgun.  Here are their mugshots, from left: Michael Baker, Brett William Miller and Jamine James D. Warner – accused of using Pokémon Go to lure victims.

Second: The Google Login Permissions Problem

Many security researchers have been warning that the initial release of the Pokémon Go app has access to many more device permissions than needed, meaning a possible privacy risk. Some information security experts – such as Veracode CTO Chris Wysopal – have even been urging users to create “burner” Apple or Google accounts that get used only with the game.

Third: Trojanized Apps

Just 72 hours after the release of Pokémon, bad guys had Trojanized a legitimate version of the free Android app to include malware and released it via unofficial, third-party app stores, researchers at security firm Proofpoint said.

The malicious Android application file “was modified to include the malicious remote access tool called DroidJack – also known as SandroRAT, which would virtually give an attacker full control over a victim’s phone,” the researchers warn in a blog post. Gaming websites have begun publishing instructions about how users can download the app, including using side-loading – evading Google’s official app store – to install them.

Proofpoint said: “In the case of the compromised Pokémon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk.”

Recommendations:

So if you have the “gotta catch ’em all” fever:

First, please stick to the vetted app stores; do not download the app from anywhere else. Why? Bad guys have taken the app and infected it with malware, and try to trick you into downloading it from untrustworthy websites.

Second, anyone using the app, and especially kids, should be VERY careful not to be lured into a real-world trap, which could lead to mugging or abduction. Other players can track you in the real world using this app, so be careful.

Third, there are possible privacy issues if you use your Google account to log into the app. Create a throw-away account and use that to log into Pokémon, not your private or business account.

As always, Think Before You Click!

 

Internet criminals are using fresh news of big data breaches (like Wendy’s last week) to send people threatening emails. These emails claim the criminals have confidential information about you that they will send to your employer, friends and family using social media. They threaten you with possible divorce, court proceedings, losing your job, or worse.

If you get emails like this, delete them immediately. Do not click on any links in the email, do not open attachments that claim to show your confidential information, do not reply to them, and definitely do not send any money in any form, whether they want checks, wire transfers or payment in a new e-currency like Bitcoin.

The FBI published some very helpful tips to protect yourself online:

  • Do not open e-mail or attachments from unknown individuals.
  • Monitor your bank account statements regularly, as well as your credit report at least once a year for any fraudulent activity.
  • Do not communicate with the cyber criminals.
  • Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
  • Use strong passwords and do not use the same password for multiple websites.
  • Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
  • Ensure security settings for social media accounts are turned on and set at the highest level of protection.
  • When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying the URL prefix includes https, or the status bar displays a “lock” icon.

The FBI released some examples of extortion emails:

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

 

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

 

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

 

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

 

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Let’s stay safe out there.

There is a new scam you need to watch out for if logging into your accounts requires you to wait for a text message on your phone with a code that you must enter before you can log in. This more secure system is called “2-factor authentication”. These two factors are:

  1. one thing you need to know — your password
  2. one thing you have to have — the text code on your phone

Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced — yours may be one of them — and they are using these for this scam.  Read this.

They send you a fake (spoofed) text that looks like it’s from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.

In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account! The French would say: “Simple comme Bonjour”.

TIP TO STAY SAFE

If your accounts are protected by 2-factor authentication, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.

Never provide your verification code to anyone. Only enter the code into your smartphone or computer when you log into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers, in response to a text message (or email), because you simply cannot know for sure who is really on the other end of that communication line.

Remember, Think Before You Click!

The Summer Olympics in Rio de Janeiro are going to be a major event; however, the bad guys are going to exploit this with a multitude of scams at the same time. Anything you receive in email, text, or even voice mail, you should look at with a healthy dose of skepticism, and ask yourself: “Could this be a scam?” Here are six examples, but the possibilities for scams are endless:

  • Emails with DOC or PDF attachments related to tickets or other special offers related to Rio
  • Advertising banners on websites that are poisoned and infect your workstation
  • Scam phone calls trying to sell you Rio-related travel or even products
  • Links to controversial Rio-related videos
  • Claims that the whole event will be moved because of the Zika virus
  • Complete fake websites which claim they will sell you cheap tickets to the event

So remember, anything to do with the Olympics in Rio in the coming months… Think Before You Click!