From “IBM Report Details 2017 Tax Scams as IRS Filing Deadline Nears”
eWeek (04/05/17) Kerner, Sean Michael. Printed by ASIS International.
IBM Security is warning of an increase in tax-related spam email and related fraud scams that aim to exploit tax filers as the April 18 tax filing deadline nears. IBM’s “Cybercrime Riding Tax Season Tides: Trending Spam and Dark Web Findings” report, released on April 5, details how attackers are increasing their efforts ahead of the deadline. IBM X-Force security researchers have tracked a 6,000 percent increase in tax-related spam emails from December 2016 to February 2017. Limor Kessem, executive security advisor at IBM Security, says that this is the first year that IBM is seeing campaigns targeting businesses. “Last year, consumer tax fraud was the most common illicit activity linked with compromised taxpayer information,” she says. “This year, things are getting bigger and bolder.” She went on to say that attackers have several different ways to get taxpayer information, depending on their technical skill levels. “The more technically inclined may breach a company’s infrastructure to steal data directly from their internal servers,” she explains.
Reports have surfaced about a new scam using a familiar line. Scammers call, identify themselves by name and company, and during the momentary pause that follows, the scammer says, “Can you hear me?” Of course we all respond, “yes,” and then we hang up, say we’re not interested, or let loose a string of expletives. You get my point. But no matter how you respond, the damage is done.
The scammer records your “yes” and splices it into a recording that makes it sound like you agreed to order various goods. When you later call to complain, you are met with the sound of your own voice confirming the purchase. As a matter of fact, these folks are bold enough to threaten to sue you if you don’t pay for your “order.”
There are so many creative scams out there it is important to remember a few simple rules that might eliminate a great deal of inconvenience (or money loss) later:
DO NOT answer calls from numbers you don’t recognize.
DO NOT verify your phone number with anyone you didn’t call.
DO NOT give out personal information on any call you did not initiate.
It is not likely we can avoid all scammers, but let’s not make it easy for them!
From “Yahoo Says Information on at Least 500 Million User Accounts Was Stolen”
Wall Street Journal (09/23/16) McMillan, Robert. Posted by ASIS.
Yahoo Inc. reported Thursday that hackers backed by an unnamed foreign government penetrated its network in late 2014 and stole personal information from more than 500 million of its users’ accounts. The stolen data included names, email addresses, dates of birth, telephone numbers, and hashed passwords, Yahoo said. Yahoo said it believes the hackers are no longer in its corporate network, and that it did not believe unprotected passwords, payment-card data, or bank-account information had been affected. In July, Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo concluded the information for sale was not legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.” Yahoo did not say how the hackers broke into its network or which country sponsored the attacks. The 2014 intrusion came during a period when many computer attacks were believed to be the work of China; more recent hacks, including of the Democratic National Committee earlier this year, have been blamed on Russia. Both countries have denied involvement. The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse.
From “Crooks Are Selling a Skimmer That Works on All Chip Card Readers”
CSO Online (08/31/16) Korolov, Maria. Posted by ASIS.
Researchers have found a website that claims to sell “the most advanced EMV chip data collector in the world.” The seller says the device is powered by the point-of-sale terminal itself and can hold data on up to 5,000 credit cards in its memory. It is said to work on terminals made by Ingenico and Verifone, as well as on gas-station pumps, ticket kiosks, and small ATMs, specifically those manufactured by Triton. Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, says the device is primarily aimed at Latin America. Much of that region still relies on static data authentication (SDA) chips: an SDA card carries only a fixed issuer signature over its data and never signs a terminal-supplied challenge, so data captured from one card can be written to a new chip that passes the same check. That makes the region an easier target than markets where cards use dynamic authentication. Barysevich also says that the “technology can be used in any point of sale device. It literally takes less than 10 seconds to install, and once installed, it stays there forever.” He said that terminal manufacturers have been notified about the issue.
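As an added example (not code from the article, from Flashpoint, or from any EMV implementation), the following toy model shows the distinction the report turns on: a terminal that performs only SDA accepts a chip loaded with skimmed data, while a DDA terminal's fresh challenge defeats the same clone even if the skimmer also recorded one earlier challenge/response. The textbook RSA keys with small hard-coded primes, the raw SHA-256 digest standing in for EMV padding and certificates, and the card data are all assumptions constructed for the demonstration.

```python
"""
Toy model of why a skimmed Static Data Authentication (SDA) card can be cloned
while a Dynamic Data Authentication (DDA) card cannot.

Added example, not code from the article or from any EMV implementation.
Assumptions: textbook RSA with hard-coded 20-bit primes and a raw SHA-256 digest
stand in for the EMV certificate chain and padding; the issuer key is assumed to
be trusted by the terminal; all card data below is constructed, not real.
Requires Python 3.8+ for pow(e, -1, m).
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def keypair(p: int, q: int, e: int = 65537) -> Tuple[int, int, int]:
    """Textbook RSA (n, e, d) from two primes; toy sizes, assumption only."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    return pow(_digest(data, n), d, n)


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == _digest(data, n)


# Constructed keys: one for the issuer (trusted by the terminal), one for the card chip.
ISSUER_N, ISSUER_E, ISSUER_D = keypair(1000003, 1000033)
ICC_N, ICC_E, ICC_D = keypair(1000037, 1000039)
STATIC_DATA = b"PAN=4111111111111111;EXP=2712;NAME=J DOE"  # constructed test-card data


def pub_bytes(pub: Tuple[int, int]) -> bytes:
    return f"{pub[0]}:{pub[1]}".encode()


@dataclass
class Card:
    static_data: bytes
    ssad: int                                  # issuer signature over static data (SDA)
    icc_pub: Optional[Tuple[int, int]] = None  # card public key, if DDA capable
    icc_cert: Optional[int] = None             # issuer signature over icc_pub
    icc_priv: Optional[int] = None             # private exponent; never readable
    captured_sig: Optional[int] = None         # a clone's only "dynamic" answer

    def sign_challenge(self, nonce: bytes) -> Optional[int]:
        """DDA: sign static data plus the terminal's unpredictable number."""
        if self.icc_priv is not None and self.icc_pub is not None:
            return sign(self.static_data + nonce, self.icc_pub[0], self.icc_priv)
        return self.captured_sig  # a clone can only replay what it saw


def make_sda_card() -> Card:
    return Card(STATIC_DATA, sign(STATIC_DATA, ISSUER_N, ISSUER_D))


def make_dda_card() -> Card:
    pub = (ICC_N, ICC_E)
    return Card(STATIC_DATA, sign(STATIC_DATA, ISSUER_N, ISSUER_D),
                icc_pub=pub, icc_cert=sign(pub_bytes(pub), ISSUER_N, ISSUER_D),
                icc_priv=ICC_D)


def skim(card: Card, observed_nonce: Optional[bytes] = None) -> Card:
    """What a reader-side skimmer can capture: everything the terminal reads,
    plus one observed challenge/response, but never the private key."""
    clone = Card(card.static_data, card.ssad, card.icc_pub, card.icc_cert)
    if observed_nonce is not None:
        clone.captured_sig = card.sign_challenge(observed_nonce)
    return clone


def terminal_sda(card: Card) -> bool:
    """SDA terminal: checks only the static issuer signature."""
    return verify(card.static_data, card.ssad, ISSUER_N, ISSUER_E)


def terminal_dda(card: Card) -> bool:
    """DDA terminal: static check, then a fresh challenge the card must sign."""
    if not terminal_sda(card) or card.icc_pub is None or card.icc_cert is None:
        return False
    if not verify(pub_bytes(card.icc_pub), card.icc_cert, ISSUER_N, ISSUER_E):
        return False
    nonce = os.urandom(8)
    sig = card.sign_challenge(nonce)
    return sig is not None and verify(card.static_data + nonce, sig, *card.icc_pub)


def demo() -> dict:
    genuine_sda, genuine_dda = make_sda_card(), make_dda_card()
    return {
        "genuine_sda": terminal_sda(genuine_sda),
        "cloned_sda": terminal_sda(skim(genuine_sda)),                # clone passes
        "genuine_dda": terminal_dda(genuine_dda),
        "cloned_dda": terminal_dda(skim(genuine_dda, os.urandom(8))),  # clone fails
    }


if __name__ == "__main__":
    print(demo())
```

The SDA clone succeeds because the terminal only re-checks a signature the skimmer copied verbatim; the DDA clone fails because the terminal's nonce differs from the one whose response was captured and the clone holds no private key to sign a new one. Real EMV adds certificate chains, padding and (in CDA) binding of the signature to the transaction cryptogram, none of which this model attempts.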
LinkedIn is invalidating passwords for all accounts created before 2012 following the disclosure that 100 million members’ passwords may have been compromised.
In a post on the social network’s blog, LinkedIn confirmed that in 2012 it was the victim of unauthorized access that led to the disclosure of 6.5 million of its users’ passwords.
“At the time, our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure,” the blog post said. “Additionally, we advised all members of LinkedIn to change their passwords as a matter of best practice.”
On Tuesday, however, LinkedIn became aware of an additional data set, released and claimed to contain e-mail address and hashed password combinations for more than 100 million LinkedIn members, from the same 2012 theft.
The data is reportedly for sale on a dark web market called The Real Deal by the dealer Peace, who is selling the data for 5 Bitcoin (approximately $2,200), according to Forbes.
Due to this new development, LinkedIn began invalidating passwords on Wednesday for all accounts created before the 2012 breach that have not updated their password since.
“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” the blog post explained. “We have no indication that this is as a result of a new security breach.”
LinkedIn said it will be notifying individual users if they need to reset their password. “However, regularly changing your password is always a good idea and you don’t have to wait for the notification,” it explained.
To change your password on LinkedIn, follow the below instructions:
- Log in to your LinkedIn account
- Move your cursor over your photo in the top right of your homepage and select Privacy & Settings
- Select the Account tab at the top of the page
- Under the Basics section, click Change next to Change Password
- Enter your old password, type your new password, and then type it again to confirm it. (Passwords are case sensitive and must contain at least six characters.)
- Select the checkbox if you’d like to automatically be signed out of all sessions once you change your password
- Click Save
From “Report: Security and Privacy Fears Can Affect Internet Use”
PC Magazine (05/14/16) Murphy, David. Posted by ASIS.
About one-fifth of 41,000 respondents said they were victims of some sort of negative personal experience online in the last year, according to a new report from the National Telecommunications and Information Administration. The report’s conclusion noted that it appears many Americans have completely changed their online behavior in the wake of privacy concerns. In fact, 45 percent of respondents indicated their concerns stopped them from conducting online financial transactions, buying goods and services, posting on social networks, or expressing opinions. Around 30 percent refrained from at least two of those activities. Most respondents cited identity theft as their main concern, followed by credit card and banking fraud, data collection by online services, loss of control over personal data, and the government collecting user data. The most concerned users were those who had experienced a breach of data in the past. NTIA will conduct additional studies to learn more about the public’s Internet practices related to online security and privacy.
From “Cyberthieves’ Latest Target: Your Tax Forms”
Wall Street Journal (04/04/16) Sidel, Robin. Posted by ASIS.
A new email scam is putting vast amounts of individuals’ tax information in the wrong hands. The perpetrator, impersonating a high-ranking company executive from a phony email address that appears legitimate, fools staffers in the payroll or human resources department into forwarding W-2 forms or other tax information. Thousands of workers have already fallen victim to the scam, which has hit companies ranging from small firms to ones as large as Weight Watchers. According to experts, the data is sold in underground markets to criminals who use it to file fraudulent tax returns and collect the refunds. The stolen records often include Social Security numbers, which cannot easily be replaced once compromised, so the attack can wreak havoc on a victim for years. Tax officials say thieves are targeting companies of all sizes; at least 50 have already reported being victims. The scam is effective because it is simple and low-tech: against the right victim, a single convincing request is enough to extract the desired information. It also shows that attackers are choosing their targets carefully. According to experts, the scam has demonstrated that attackers focus on specific employees who hold valuable information rather than breaking into a network in a blind search for data.
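As an added example (not from the article), here is a small Python detector for the kind of message the scam relies on, run over constructed sample e-mails: it flags a mail that asks for W-2 or payroll data when the sender's display name matches an executive but the address is outside the corporate domain, when the domain is a lookalike of the corporate one, or when the Reply-To points somewhere other than the From. The corporate domain, executive roster, keyword list and the five sample messages are all assumptions made for the demonstration.

```python
"""
Detector for the executive-impersonation ("W-2") e-mail scam described above.

Added example, not code from the article. Assumptions: the corporate domain,
the executive roster, the keyword list and the sample messages are all
constructed here; a real deployment would read messages from the mail gateway
and keep the roster in a directory, not in source.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

CORP_DOMAIN = "example-corp.com"                 # assumption: the protected company
EXECUTIVES = {"jane ceo", "tom cfo"}             # assumption: display names worth impersonating
TAX_TERMS = ("w-2", "w2", "payroll", "tax", "ssn", "social security")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """Close misspelling of, or a domain embedding, the corporate domain."""
    if not domain or domain == CORP_DOMAIN:
        return False
    return levenshtein(domain, CORP_DOMAIN) <= 2 or CORP_DOMAIN.split(".")[0] in domain


def analyze(raw: str) -> Dict[str, object]:
    """Return the indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply_addr)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    reasons: List[str] = []
    if name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        reasons.append("exec_name_external_domain")   # display-name impersonation
    if is_lookalike(from_dom):
        reasons.append("lookalike_domain")
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply_to_mismatch")           # replies go to the attacker
    asks_for_tax_data = any(t in text for t in TAX_TERMS)
    if asks_for_tax_data:
        reasons.append("requests_tax_data")
    # Flag only when a sender indicator coincides with a request for tax data.
    return {"from": addr, "reasons": reasons,
            "flagged": asks_for_tax_data and len(reasons) > 1}


# Constructed sample messages (assumption: none of these addresses are real).
SAMPLES = {
    "impersonation": """From: "Jane CEO" <jane.ceo.office@gmail.com>
To: payroll@example-corp.com
Subject: Urgent - W-2s for all staff

I need PDFs of every employee's W-2 today. I'm in a meeting, just reply here.
""",
    "lookalike": """From: "Tom CFO" <tom@example-c0rp.com>
To: hr@example-corp.com
Subject: Payroll export needed

Please send the full payroll export for the auditors by noon.
""",
    "spoofed_from": """From: "Jane CEO" <jane@example-corp.com>
Reply-To: jane.ceo.private@outlook.example
To: hr@example-corp.com
Subject: Tax forms needed

Send me the tax forms for all staff as soon as possible.
""",
    "legit_internal": """From: "Jane CEO" <jane@example-corp.com>
To: hr@example-corp.com
Subject: W-2 mailing schedule

HR, please confirm the W-2 mailing date with the payroll vendor.
""",
    "unrelated_vendor": """From: "Bob Vendor" <bob@vendor.example>
To: accounts@example-corp.com
Subject: Invoice 1042 for March

Please see the attached invoice; terms are net 30.
""",
}


def run_samples() -> Dict[str, bool]:
    return {label: bool(analyze(raw)["flagged"]) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw))
```

The third sample is the case a pure domain check misses: the From header names the real corporate domain, so only the Reply-To mismatch gives it away, which is why a gateway rule should look at both headers and why SPF/DKIM/DMARC enforcement on the corporate domain matters alongside content rules like this one.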