Security Insights: Email Security – Internet and Email Scams

September 12th, 2013 | Uncategorized

Email and internet scams are some of the top ways cyber criminals manipulate everyday users into clicking a malicious link or visiting a hacked website. These scams put not only individual users at risk but companies too, since they often target employees at all types of companies. About.com recently put together a list of the top 10 internet and email scams of 2013. Take a look at the list below, along with tips to protect yourself and your company.

The Top 10 Internet/Email Scams of 2013

1. The Nigerian Scam, Also Known As 419 – Most of you have received an email from a member of a wealthy Nigerian family. In every variation, the scammer promises obscenely large payments for small, unskilled tasks. This scam, like most scams, is too good to be true. Yet people still fall for this money transfer con game.

2. Advanced Fees Paid For A Guaranteed Loan Or Credit Card – If you are thinking about applying for a “pre-approved” loan or credit card that charges an up-front fee, ask yourself: “why would a bank do that?” These scams are obvious to people who take time to scrutinize the offer.

3. Lottery Scams – Chances are you will receive at least one intriguing email from someone saying that you did indeed win a huge amount of money. This scam will usually come in the form of a conventional email message. It will inform you that you won millions of dollars and congratulate you repeatedly. The catch: before you can collect your “winnings”, you must pay the “processing” fee of several thousand dollars.

4. Phishing Emails And Phony Web Pages – This is the most widespread Internet and email scam today. “Phishing” is where digital thieves lure you into divulging your password information through convincing emails and web pages. These phishing emails and web pages resemble legitimate credit authorities like Citibank, eBay, or PayPal.

5. Items For Sale Overpayment Scam – This one involves something you might have listed for sale such as a car, truck or some other expensive item. The scammer finds your ad and sends you an email offering to pay much more than your asking price. The reason for the overpayment is supposedly related to the international fees to ship the car overseas. In return, you are to send him the car and the cash for the difference. The money order you receive looks real, so you deposit it into your account. In a couple of days (or however long it takes to clear) your bank informs you the money order was fake and demands you pay that amount back immediately.

6. Employment Search Overpayment Scam – You have posted your resume, with at least some personal data accessible by potential employers, on a legitimate employment site. You receive a job offer to become a “financial representative” of an overseas company you have never even heard of before. You will be paid 5 to 15 percent commission per transaction. If you apply, you will provide the scammer with your personal data, such as bank account information, so you can “get paid”. Instead, you will experience some, or all, of the following: identity theft, money stolen from your account, or you may receive fake checks or money orders for payments which you deposit into your account but must send 85–95 percent of to your “employer”.

7. Disaster Relief Scams – What do 9/11, the tsunami and Katrina have in common? These are all disasters, tragic events where people lose their lives, their loved ones, or everything they have. Scammers set up fake charity websites and steal the money donated to the victims of these disasters.

8. Travel Scams – You will receive an email with the offer to get amazingly low fares to some exotic destination but you must book it today or the offer expires that evening. If you call, you’ll find out the travel is free but the hotel rates are highly overpriced.

9. “Make Money Fast” Chain Emails – A classic pyramid scheme: you get an email with a list of names, you are asked to send 5 dollars (or so) by mail to the person whose name is at the top of the list, add your own name to the bottom, and forward the updated list to a number of other people. Should you participate, you risk being charged with fraud.

10. Turn Your Computer Into a Money-Making Machine! – You send someone money for instructions on where to go and what to download and install on your computer to turn it into a money-making machine… for spammers.

Read the full article on The Top 10 Internet/Email Scams from About.com.

How to protect yourself and your company

The best way to protect yourself and your company is to stay aware of these types of email and Internet threats and stay educated on how to mitigate them. The following tips are for handling suspicious emails:

  • Pay attention to sender and message subject
  • If an email is from an unrecognized sender or domain, consult someone from your IT or Security department, who can verify what kind of email it is and whether it should be deleted
  • NEVER open or forward a suspicious email
  • Pay attention to filenames attached to emails
  • Do not open email attachments from people that you do not know or trust and/or that look suspicious
  • Be aware that files can come as email attachments in the format of zip files in order to trick your anti-virus
  • Do not download executable (.exe) files that are sent to you

– Kristin Badgett, CSID Information Security Officer

Be sure to check out our other blog posts on security. Share your tips for protecting your business with us on Facebook and Twitter.

Tis the Season: Security Tips for Online Holiday Shopping

December 5th, 2012 | Uncategorized

It’s that time of year again! As you finish your holiday décor and put your gifts under the tree, make sure you stay safe while shopping for your loved ones online this season with these quick tips.

  • Make sure your devices are up-to-date. Any device you use for shopping, including smartphones, tablets and computers, should have the latest security software, operating systems, programs and applications. In addition, be cautious about shopping on these devices when connected through public Wi-Fi or unsecured networks.
  • Know your merchant. When making online transactions, make sure you’re dealing with a reputable site and take a careful look at the website’s URL. A good indicator that the retailer is legitimate is if your web browser’s address bar includes a closed padlock or the URL address begins with https.
  • Be aware of phishing scams. This time of year, email phishing scams are in full effect and could lead you to a merchant that may look legitimate but is not. Be aware of any misspellings in communications and ‘too good to be true’ deals from the retailer. If in doubt, just go to the site directly by typing the URL into your browser, and/or make sure to delete any suspicious emails and mark them as ‘spam.’
  • Protect your personal and financial information. Be aware of the information that is being collected to complete your purchase. Only fill out what is required and understand the merchant’s privacy policy – know how your information will be stored and used for current and future purchases.
  • Keep track of payments. Save records of your online transactions and follow up with your bank and/or credit card accounts to make sure there are no fraudulent purchases. Credit cards are often best for online purchases because if there is suspicion of fraud and you have a complaint, your creditor will investigate and remove the charge until it determines if it is indeed fraudulent.

Have some smart and safe online holiday shopping tips? Share your advice with us on Facebook and Twitter. Happy holidays to you and yours from CSID!

Securing Your Digital Life: Lessons from the Mat Honan Hack

August 9th, 2012 | Uncategorized

With just a few easy details in hand, a hacker can drastically change your life. Wired technology reporter Mat Honan’s digital life was recently wiped out by a couple of hackers who ultimately sought access to his three-letter Twitter handle, @Mat. Within a matter of minutes, they deleted his Google account, erasing years of communication with technology influencers. They wiped each of his Apple devices, including all existing photos of his baby daughter. And finally, they took over his Twitter.

Mat has written a full account (a worthwhile read) on how these hackers destroyed his digital life with such ease. Access to Mat’s Gmail led them to his billing information stored in his Amazon account, which provided them with the credentials to access his Apple ID and iCloud, and eventually his Twitter handle.

Mat’s story has had a strong impact on the security and technology industries. As professionals and consumers, what can we learn?

  • Use two-factor authentication—Mat believes that had he set up two-factor authentication on his Gmail account, the hack would have been foiled from the start.
  • Avoid linking accounts when possible—Mat’s various accounts were all linked, providing access to one another.
  • Vary your email addresses—Mat’s email addresses each had the same basic format, so the hackers could guess any that were unknown.
  • Back up your data in a hard location—Mat lost private photos and documents that were only saved on his computer and iCloud.
  • Be wary of using the Find My Mac tool—Hackers can use this tool to remotely wipe your computer.

One of the hackers has been in touch with Mat since the incident, saying, “He likes to publicize security exploits, so companies will fix them. He says it’s the same reason he told me how it was done.” It’s true—this story has highlighted a number of security holes in the companies we trust most with our personal data. Apple, for instance, has put a lockdown on over-the-phone Apple ID resets, and Amazon will no longer allow customers to change account settings via phone.

What is your biggest takeaway from Mat’s story? What would you do as a consumer or company to prevent this from being possible? Share your thoughts via comments, Twitter or Facebook.

Password Complexity: Why It Makes a Difference in a Breach

May 15th, 2012 | Uncategorized

By: Joel Carleton, CSID Director of Cyber Engineering

We’ve all heard that it’s important to pick long, complicated passwords. What you may not realize is why this becomes crucial in the context of a breach. While ensuring you don’t pick from some of the most common passwords is important, it’s still not enough. 

Some background on how passwords work: while we still see websites storing passwords in plaintext (in that case, if you are part of a breach, the complexity of your password makes no difference), it is most common for websites to store your password as a one-way hash, often loosely called encryption. Put simply, this is a method that takes your password and transforms it into a long string of characters that is then stored in the website’s database. The website does not know your original password. When you log in, the website applies the same transformation and compares the resulting string to what it has stored in the database. If they match, it knows you have entered the correct password.

When a company is breached, a common result is the selling and/or sharing of that company’s user accounts. They could be publicly disclosed, shared in criminal forums and chat rooms, or sold to the highest bidder. The breached company may have taken steps to secure your account credentials, but the strength of your password can be your best friend or worst enemy. When a breach happens on a website where the passwords have been hashed, the criminal steals a list of user ids/emails and associated hashed passwords. They do not yet have your original password. The criminal has to reverse the hash to recover the original password. While there are many sophisticated techniques at the criminals’ disposal, one of the most popular is referred to as the “brute force” method: every possible password is tried until one hashes to the stored value. Given the short and simple passwords that are routinely used, the criminal can quickly recover the majority of the hashed passwords.

To find out just how simple it is to decrypt a password, try to Google the encrypted hash of a common password, “d8578edf8458ce06fbc5bb76a58c5ca4”. It’s pretty easy to see what the original password is even without using brute force guessing software.

Let’s assume you’ve chosen something more complicated. For passwords with 6 characters, how many brute force guesses are necessary? Assuming your password at least has mixed upper and lower case letters, there are 19 billion possible passwords. There are two things that make cracking this type of password trivial for the criminal:

  1. They do not have to attempt to log in to the website for each of their guesses. It would be impossible to make that many login attempts against the live site. Because they hold the hashed password, they can make as many guesses as they want offline without anyone knowing what they are doing.
  2. Computers are very good at making very fast guesses. An average computer with an upgraded graphics card can make 500 million guesses a second. Your 6-character password can be guessed in 38 seconds or less. Adding numbers and the full set of non-alphanumeric characters, the password can now be guessed in 26 minutes or less.

Parting advice: the easiest way to make your passwords better is to make them longer (at least 9 characters).  If you still use only alphanumeric characters but your password is 10 characters, a criminal would need over 18,000 days to crack it. Hopefully he won’t have this much time on his hands and will move on to an easier target!
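The arithmetic behind the post’s figures, as an added example (not code from the original post): the keyspace and worst-case offline guessing time for each case at the post’s 500 million guesses per second, using the ASCII character classes as assumed alphabets (the post does not state its exact alphabet sizes, so the times differ slightly from its 38 seconds, 26 minutes and 18,000 days), plus the hash-and-compare check a website performs at login, run against the digest the post asks readers to search for.

```python
import hashlib
import string

# Guess rate quoted in the post for a desktop with an upgraded graphics card.
GUESSES_PER_SECOND = 500_000_000

# Assumed alphabets for the cases the post walks through (ASCII character classes).
ALPHABETS = {
    "mixed-case letters": len(string.ascii_letters),                                       # 52
    "letters and digits": len(string.ascii_letters + string.digits),                       # 62
    "letters, digits, punctuation": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate offline against a stolen hash (no login lockout applies)."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < 120:
        return f"{seconds:.0f} seconds"
    if seconds < 7200:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / 86400:,.0f} days"


def md5_hex(password: str) -> str:
    """Unsalted, fast MD5: the kind of one-way transform the post's example digest came from."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def login_check(candidate: str, stored_hex: str) -> bool:
    """What the site does at login: hash the submitted password and compare it with the stored digest."""
    return md5_hex(candidate) == stored_hex


if __name__ == "__main__":
    for length in (6, 9, 10):
        for name, size in ALPHABETS.items():
            secs = seconds_to_exhaust(size, length)
            print(f"{length}-char, {name:28s}: {keyspace(size, length):>24,d} candidates -> {human_time(secs)}")
    # The post's example digest is unsalted MD5 of the common password "qwerty".
    print(login_check("qwerty", "d8578edf8458ce06fbc5bb76a58c5ca4"))  # prints True
```

Because the digest is unsalted and the hash function is fast, the same stored value appears for every user who chose that password, which is why a web search alone recovers it.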

The Changing Landscape of Spam

October 19th, 2011 | Uncategorized

PC Mag recently published an infographic that visualizes a study by Commtouch about “The State of Hacked Accounts.” Commtouch collected data from email users who have had their email accounts hacked to draw conclusions about email security and the motives of email hackers.

Findings:

The study found that two-thirds of hacked email accounts are used to send spam or scams to email addresses listed in the account’s address book, full of family and friends. Many of these messages are focused on obtaining money from the recipients. They utilize angles such as “stuck in a foreign country, please send money,” and recipients see that someone close to them is asking for financial help.

Traditionally, email spam has been focused on marketing (generally unwanted) products through huge email blasts. Email and security providers quickly caught on, however, and now automatic spam folders work their magic on a regular basis and botnets can now be taken down instantly.  What does this mean for spam?

A Changing Landscape:

The spam landscape has changed. Hackers have realized that, with the onset of spam filters and the decline of botnets, they have to switch tactics. They have been finding success in compromising existing email accounts for spam and scams because (1) these accounts exist within whitelisted IP address ranges like Hotmail, Yahoo and Gmail, thus bypassing spam filters, and (2) recipients are more likely to open emails from a familiar address than from unknown senders, and are therefore more likely to follow through in providing personal information.

eWeek’s Fahmida Rashid wrote an article describing the modern inner workings of the hacker community: “Hackers are often perceived as isolated, alienated individuals, working alone or in small groups. In reality, hackers are quite social, frequenting online forums and chat rooms to brag about their exploits, exchange tips and share knowledge, according to a recent analysis of hacker activity.”

The Future:

So what does this mean? We can likely expect an increase of such personalized scams, in email as well as social media outlets. To combat these intelligent, organized and widespread hacker communities, we have to do our best to predict next moves and be a step ahead. Then again, that’s why the U.S. government is hiring hackers left and right, but that’s for another blog post.

In the meantime, be smart. See the prevention tips at the bottom of the infographic, and check out identity protection tips from our consumer identity theft expert, John Sileo, in earlier blog posts.
