Tag Archives: scammer

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.


Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.


Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.


Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of commingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman: Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.
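The spoof described above relied on a sender domain one letter away from the firm’s real domain, combined with an urgent payment instruction. The following is an added example (not part of the original article or IDT911’s material) of the kind of mailbox check a firm could run to hold such messages for the phone call Goodman recommends. The firm domain `examplelawfirm.com`, the sample messages, and the two-edit threshold are constructed assumptions for illustration.

```python
"""Hold payment-instruction emails whose sender domain is a near-miss of a trusted domain.

Added example, not from the original article. The trusted domain and the sample
messages below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_DOMAINS = {"examplelawfirm.com"}  # constructed: the firm's real domain
MAX_LOOKALIKE_DISTANCE = 2                 # assumption: 1-2 edits counts as a lookalike
PAYMENT_PHRASES = ("wire", "transfer", "cancel the check", "account number", "routing")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain', lower-cased."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


@dataclass
class Verdict:
    domain: str
    nearest_trusted: Optional[str]
    distance: Optional[int]
    lookalike: bool
    reply_to_mismatch: bool
    payment_request: bool

    @property
    def hold_for_callback(self) -> bool:
        """Hold only when a spoofing signal coincides with a money-movement request."""
        return (self.lookalike or self.reply_to_mismatch) and self.payment_request


def assess(from_addr: str, reply_to: Optional[str], subject: str, body: str) -> Verdict:
    domain = sender_domain(from_addr)
    nearest: Optional[str] = None
    dist: Optional[int] = None
    lookalike = False
    if domain not in TRUSTED_DOMAINS:
        # Compare against every trusted domain and keep the closest one.
        nearest, dist = min(((t, edit_distance(domain, t)) for t in TRUSTED_DOMAINS),
                            key=lambda pair: pair[1])
        lookalike = dist <= MAX_LOOKALIKE_DISTANCE
    # A Reply-To pointing somewhere other than the visible sender is a classic redirect.
    reply_to_mismatch = bool(reply_to) and sender_domain(reply_to) != domain
    text = (subject + " " + body).lower()
    payment_request = any(phrase in text for phrase in PAYMENT_PHRASES)
    return Verdict(domain, nearest, dist, lookalike, reply_to_mismatch, payment_request)


# Constructed sample messages: (From, Reply-To, Subject, Body)
SAMPLE_MESSAGES: List[Tuple[str, Optional[str], str, str]] = [
    ("Attorney <attorney@examplelawfirms.com>", None,
     "Urgent: closing funds", "Cancel the check and wire the funds to the account below."),
    ("Attorney <attorney@examplelawfirm.com>", None,
     "Closing checklist", "Please confirm the title documents are in the file."),
    ("Attorney <attorney@examplelawfirm.com>", None,
     "Closing funds", "Wire the $450,000 to the seller's account as agreed."),
    ("Attorney <attorney@examplelawfirm.com>", "attorney@webmail-example.com",
     "Change of instructions", "Use the new routing details below for the transfer."),
]


def held_messages() -> List[int]:
    """Return the indexes of sample messages that should be held for a phone verification."""
    return [i for i, (frm, rt, subj, body) in enumerate(SAMPLE_MESSAGES)
            if assess(frm, rt, subj, body).hold_for_callback]


if __name__ == "__main__":
    for i in held_messages():
        v = assess(*SAMPLE_MESSAGES[i])
        print(f"HOLD message {i}: domain={v.domain} nearest={v.nearest_trusted} "
              f"distance={v.distance} reply_to_mismatch={v.reply_to_mismatch}")
```

The rule deliberately does not hold every wire request: the third sample, from the genuine domain with no Reply-To redirect, passes, while the extra-letter domain and the Reply-To redirect are both held because they coincide with payment language. The hold is a trigger for the out-of-band phone call, not a substitute for it.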

Identity Theft Can Be Double Whammy

When it comes to data security and the real-life impact of identity theft, public awareness is at an all-time high. But there is still great confusion and ignorance about what it is, how it happens and what can be done to avoid the pitfalls of life after a data breach or personal compromise.

Most of us still feel flummoxed–and perhaps a bit panicked–when we get a phone call, an email or a letter saying our data or identity has been compromised. Even if it’s a situation that can be easily remedied, like a compromised credit card, where the problem is relatively small, it’s still frustrating. Even if the only real-life consequences are a day or two’s wait for a replacement card and the need to notify a few creditors that your billing information has changed, you feel violated. You wonder if it’s going to happen again. And depending on the source of the compromise and what’s been taken, it may well happen again. So, you stew and wonder some more.

The unfortunate part is that identity thieves understand this. In the mad dash to understand the full ramifications of what’s happened to you, you may expose yourself to further trouble–for instance, by providing your information to a phony identity theft resolution expert, only to be guided through a process of information shedding that brings about further compromise by the very data wolves in sheep’s clothing who ran the scam in the first place.

Taking a few simple steps will help you avoid crooked “helpers” like these, as I explain in my book Swiped.

Be Prepared

If you don’t subscribe to an identity theft resolution service or lack a plan of action before you suffer a personal compromise (other than the theft of a payment card, which can be solved with a couple of phone calls), you will need to spend more time and more money than you are probably prepared to spend. Then, after you have worked your way through the maze of law enforcement, credit bureau, creditor and record-keeping requirements necessary to put yourself back together again, you will almost assuredly spend additional time–more than you thought possible–rearranging the way you make your information available both online and in your everyday transactions.

For this to really work, you need to be willing to make a few adjustments in the way you approach your identity and your data hygiene.

The Best Defense Is a Good Offense

What the great majority of current and future identity theft victims fail to understand is that they really must be their own first line of defense. Because identity thieves can’t realistically be completely stopped, you can instead focus on making yourself a harder target, and on being readier when the attack comes.

A simple practice like shredding your personal documents can help, but it’s not a solution. Identity thieves can be anyone from a dental hygienist pilfering patient files to small-time crooks breaking into mailboxes or stealing unshredded garbage or tax-related documents during filing season. The more you know what the bad guys want and need, the better you can practice proactive data hygiene.

The fact of the matter is that when it comes to international crime syndicates that breach the databases of multibillion-dollar international corporations and sell the liberated information, deploying a paper shredder is like bringing a knife to a gunfight.

The above is an adapted excerpt from Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, which hits bookstores everywhere Black Friday.

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”

Health Insurance Exchange Scam Alert: Beware of Fake Websites

The Identity Theft Resource Center (ITRC) has growing concerns regarding the potential for new scams concerning the implementation of the Health Insurance Exchange (HIE) websites as part of the Patient Protection and Affordable Care Act (also known as Obamacare). These exchanges are currently online with enrollment due to start on October 1st.

According to the Act, each state must implement insurance exchanges. These exchanges are to serve as online marketplaces (websites) for consumers to compare rates and make choices about which health insurance coverage is best for them. Each state has the ability to determine the best way to manage these exchanges in order to meet the needs of their uninsured residents.

The open enrollment period for these exchanges begins on October 1, 2013. There have already been some predictions that there will be “bugs and glitches,” to quote President Obama, during this process. IT professionals are already voicing concerns regarding the ability to handle the amount of traffic anticipated on the first day of the rollout. However, no one is talking about ensuring that consumers actually know and understand where to go in the first place.

There is huge potential for misinformation and misunderstanding with this new insurance exchange program. Consumers will now be mandated (or face a penalty come tax time) to purchase health insurance if they don’t have existing coverage. The official website, www.healthcare.gov, will be used by the majority of the states. But 17 states have opted to manage their own unique exchange with a different URL. This has the potential to cause much confusion for consumers. While it may appear that this information would easily be located via an internet search, our experience was that the official website was not easy to locate. In fact, when we searched for “health insurance exchange official websites” (rather than “website”), the websites for the 17 states that have their own unique URLs appeared, but www.healthcare.gov did not appear on the first page.

From our experience with scams and fake websites, we believe it would be extremely easy for scammers to create multiple websites that will trick consumers into thinking that it is either the federal health exchange website or one of the alternative state websites. Without known and reliable sources, there exists a great opportunity for gaming of the Internet search engines to attract consumers to websites intent on harming them by eliciting the fraudulent collection of personal identifying information (PII). There is a need to present factual information about which websites represent the accredited websites for the new insurance exchanges.

While there is a comprehensive list of insurance exchange websites on www.healthcare.gov, we are concerned that consumers may not find their way there in the first place. Already our searches indicate that there are organizations using keywords such as “Obamacare” and “Health insurance exchange” in the paid advertising section that are not the official insurance exchange websites. While these websites may not be scams, our concern is that it will only be a matter of time before imposter websites intent on real consumer harm surface.

This concern has a historical basis. The Fair Credit Reporting Act (FCRA) requires each of the Credit Reporting Agencies (CRAs: Experian, TransUnion, and Equifax) to provide consumers with one free credit report annually. Confusion still exists between www.annualcreditreport.com, which is the court-mandated website hosted by the credit reporting agencies that actually provides annual free credit reports to consumers, and other websites that offer free credit reports or free credit scores, such as www.freecreditreport.com, hosted by one of the credit reporting agencies. Soon after the creation of the original mandated website, dozens of look-alike websites were created. Consumer protection organizations, including the Federal Trade Commission, continue to educate consumers about this to this day (Consumer Information: Free Credit Reports), even though the mandated free website was launched in December 2004.

With the operational launch of these new insurance exchanges just a few short months away, consumers will be scrambling to comply before the January 1st, 2014 deadline. We already stated that we expect consumers to use search engines to locate the particular website they are supposed to use, and that the searches are inconsistent. With that knowledge, will regulators put provisions in place to identify, deter, monitor and address imposter websites? Or do they presume that the existing regulatory or enforcement provisions will deter those who create malicious fake websites intended to capture the personally identifiable information of consumers? Information provided to a fake insurance exchange website could be used to commit identity theft and other frauds.

There will be two types of imposter websites that will require redress. Not all imposter websites are created equal. There are differing levels of harm depending upon the type of imposter website consumers discover. There are legitimate businesses cutting corners and engaging in misleading tactics to secure new business and there are outright scam websites, whose intention is to secure personally identifiable information for malicious use.

Phishing and smishing could eventually come into play.

In 2012 “Imposter Scams” ranked 6th (out of 30) in the list of most complained about fraud events according to the FTC Consumer Sentinel Report. The 82,896 complaints represented 4% of the total complaints received by the FTC.

This category is defined by the FTC as “complaints about scammers claiming to be family, friends, a romantic interest, companies, or government agencies to induce people to send money or divulge personal information.” Complaints included the following: Scammers posing as friends or relatives stranded in foreign countries without money, scammers claiming to be working for or affiliated with government agencies, and scammers claiming to be affiliated with a private entity (a charity or company).

By far, the largest subtype of scam was regarding government agency imposters, with over 43,000 of the total in that category. Previous years’ statistics indicate that year over year, government imposters were the most complained about subtype: 47,454 in 2011 and 49,321 in 2010.

This demonstrates that the scammers continue to find impersonating the government to be a lucrative enterprise. Since this is a new program, even those consumers who normally know not to click on strange links in emails or respond to unknown senders of text messages, may feel compelled to respond and potentially share their personally identifiable information via these means. Why should we believe that the health care exchanges will be immune to this kind of impersonation?

If past behavior is an indicator, we can be sure that there will be financial harm to at least some of these victims.

The Internet Crime Complaint Center (IC3) 2011 report states that it received approximately 39 complaints per day regarding FBI impersonation email scams. IC3 reported a total loss for this type of impersonation scam (via phishing emails) of over $3 million. This number covers only the complaints that the IC3 received and does not take into account unreported losses.

A fundamental part of the Identity Theft Resource Center’s mission is to serve as a relevant national resource on topics such as this. In an effort to provide consumers with the important information they need about potential insurance exchange scams, the Identity Theft Resource Center has developed a scam alert and posted additional information on its website to help educate consumers.

The Identity Theft Resource Center is hopeful that there will be strong and coordinated efforts to educate consumers as to the authentic websites for these exchanges. As they differ from state to state, universal messaging will be difficult to coordinate. Of course, there will be glitches, and as with any new process, we will only discover what these are when the actual user experience is reviewed. However, these efforts need to take place now.