After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you:
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written, this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot-powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised, and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and relies on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catch-up to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Last Friday, while I was in the middle of working with a client at their office, I received a voicemail that set off some alarm bells when I read the transcript. I had received a call from someone claiming to be from the local Sheriff’s department wanting to discuss an important matter. I’ve worked with law enforcement in the past as a consultant on various technical items, so I figured someone had provided my name to this Sergeant as a technology expert. Nope, that was not what he was calling about. This was regarding a “failure to appear” in court on a traffic ticket and a warrant for my arrest.
Talk about “record scratch” moments!
Prior to talking to this person, I had my office call back on the voicemail to verify the number rang through to an actual person. It did, so I called him back. He sounded legitimate, down to the faint southern accent, generous application of law enforcement terminology in our conversation, and the fact that I did have an old fixit ticket that I did resolve – I hadn’t updated my license with my new address after we moved – but was never able to close the loop on, as the ticket was never logged into the county’s online system. (It still isn’t, I just checked again, over a year after it was issued!) He had me sweating for a few minutes, until he brought up the matter of settling this over the phone by paying for a bail bond, which could be done using an app on my phone, as long as either were linked to my bank account. RED ALERT!!! I asked him to verify his identity and badge number, and he also offered to prove he was who he said he was by calling me from their “official” line. He did, and the caller ID displayed a number that, when searched up on Google, showed it was indeed the non-emergency number for the Sheriff’s department he claimed to be from. What he didn’t know was that I know scammers can spoof any number they like, including the Sheriff’s department. Perhaps sensing that he was losing me (a sign of an expert conman) he pulled out all the stops: wanting to know if I was ready to resolve this now or come on down to the Sheriff’s station to turn myself in. When I played dumb and said my GooglePay wasn’t set up with my bank account, he offered to walk me through it.
All throughout this, I was texting with my office to have them actually call the Sheriff’s office to verify this man was who he said he was. While I was verbally fencing with the “Sergeant”, they confirmed my suspicions that this was indeed a known scam, and the person on the phone was not in any way affiliated with the Sheriff’s department. I promptly hung up on the scammer and put in a call to one of our clients who also happens to be one of the top criminal defense attorneys in the county and a former DA. He also confirmed that local law enforcement would not be calling people to post bail via phone, and more importantly, there were no outstanding warrants for my arrest.
Here are the things that set off warning bells on this call, and may provide you with help in identifying similar scams when they inevitably call your cell:
- The scammer absolutely did not want me to hang up with him once he had me on the phone. He went so far as to throw around some official-sounding terminology – “Mandatory Contact Order” that required he stay on the phone with me to make sure this matter got resolved. Ostensibly this is so that I can’t call for help or advice (like I did anyways, via text), and to keep the intimidation factor active.
- Scammers will always want you to use your bank account, or to have you pay via a method that can’t be reversed, like gift cards or money orders. Credit cards are easily charged back, and often have blocks in place that make them non-starters for scams like this. No legitimate law enforcement agency is going to allow you to post bail on any matter via phone – how do they know the person they are talking to is actually the person named in the warrant?
- Don’t accept a call-back by the scammer from a different number as verification of their identity. Spoofing any number is trivial for them. They can pretend to call from any number that can be found on Google. Hang up and call the organization they are supposedly from on a new call, or have someone next to you do it for you.
- Don’t just assume because the person calling doesn’t have a foreign accent that it makes them more credible. I’ve heard from numerous clients about scam calls from people who were clearly native English speakers with a Western (or no) accent.
- Scammers will often use scare tactics to pressure you into a hasty decision – whether it’s being arrested, or that your name showed up on an FBI watch list for child pornography, or you have unpaid taxes and fines that will be levied against your paycheck. The claims will be hard to verify – more so because the scammer will be doing their best to keep you on the phone talking and not independently verifying whether what they are saying is true. They will often be counting on you wanting to avoid possible embarrassment or exposure so as to isolate you. Don’t be afraid to ask for help from someone you trust!
It’s one of the oldest cons in the book: convincing a mark that they’re sick and then selling them a handy cure for the low, low price of “You just got ripped off.” Despite this sort of scam being perpetrated on the internet for years now, it’s still bamboozling lots of people, according to a recent court case brought by the FTC against a US-based company that has tricked computer users into purchasing millions in fake technical support to “fix” their computers. The scammers find their “marks” via fake pop-ups warning users that their computers are infected or performing poorly and provide a prominent phone number to call to receive tech support from a “certified” Microsoft or Apple partner (of which they are most definitely not). Once the victim calls, they are essentially tricked into believing they actually need support through carefully crafted application of legitimate tools and deceitful interpretation of events and warnings that are commonplace and not necessarily indicative of an actual problem. Once the scammers get your credit card or bank account info and get paid, they will deliver the service in the form of tech support “theatrics” which is more than likely just a script that looks impressive, but doesn’t actually do anything or might even damage your computer further. It’s also highly likely your payment info gets sold on the black market for additional profit.
Spread the word:
Clients of C2 Technology are typically savvy enough to spot this con a mile away, or at a minimum, have developed a healthy sense of skepticism to pick up the phone and call for a second opinion from someone they know and trust. It may not occur to you that, as a tech-savvy professional, you might actually be that trusted advisor for your family, friends and colleagues. Even if you don’t feel like a tech expert, you know enough to warn the people around you about these sorts of scams, and you definitely know an expert who is always willing to take their call. At minimum, you should foster a healthy skepticism in the more naive or gullible loved ones, especially the ones that always seem to fall for the most obvious scams. This isn’t just for their benefit, it serves you as well. The more people around you who stay safe, the less likely you are to get infected. Thanksgiving dinners are a lot more enjoyable when you don’t have a family-spread malware infection on the table.
It’s taken many years, but it would seem that the US business world has finally agreed that throwing old technology straight into the trash is unsafe and bad for the environment. To capitalize on this, an entire cottage industry of electronic waste (e-waste) recycling companies has sprung up over the years as our rate of technology consumption increases. Unfortunately, though they may promise it in their marketing, an investigative study has found that as much as 40% of e-waste processed through these companies is actually illegally and improperly disposed of through shady overseas outfits that buy the e-waste for pennies on the pound, scavenge what precious metals they can, and then dump the rest in toxic landfills. Contrary to popular belief, e-waste recycling is costly to do properly, and not profitable at this current time.
What this means for you:
While you should still feel good for not just throwing your e-waste into the trash, you may want to scrutinize the vendors or organizers of any e-waste events that you use, especially if they promise “secure disposal” of items that may contain data, like old hard drives or mobile devices. If the vendor in question isn’t handling the actual recycling of the materials it collects, it’s possible they are reselling the e-waste to cover their costs (maybe even make a small profit) to another firm that is definitely not “green” in any sense other than profiteering.
There are two types of e-waste certifications recognized by the EPA – “R2” and “eStewards” – both of which are administered by nongovernmental organizations, and despite the certification and oversight, both seem to have bad apples, though eSteward companies are held to stricter standards and appear to cheat less than their R2 or non-certified counterparts. While you can’t be expected to control or direct the morality of these companies or the certification process, your scrutiny and attention to this issue will hopefully lead to less hazardous waste being improperly disposed of in overseas landfills.
A new scam to extort money out of Apple mobile device users has surfaced in Australia, with scattered reports in other countries as well. Affected devices are locked out via Apple’s own “Find my iPhone” platform with a message that demands a ransom payment of $100 USD to unlock the phone. Security analysts are unsure at this point as to how the perpetrators are gaining access to victims’ AppleID accounts, and so far Apple is refusing to comment on this issue. According to posts on Apple’s Support Forums, the only reliable way to unlock the device is to reset it back to factory settings and restore your data from a backup, if one was actually created and maintained for that device.
What this means for you:
So far, there is a tenuous link between some of the victims and the recent eBay hack that exposed user accounts and encrypted passwords, where the victims admitted to using the same password for both eBay and iCloud. However, several other victims of this new ransom scam did not use the same password as their eBay account, so eBay’s exposed data may not be the only source. Bottom line, you should use strong, unique passwords for online accounts, especially for the ones that are tied to important services like online banking, email and any account that has access to confidential data, either yours or your clients/customers.
One of my favorite bits of advice regarding suspicious emails is to encourage the recipient to pick up the phone and call the company that supposedly sent the email to see if it’s legitimate. Unfortunately that advice isn’t as valuable as it once was. Cybercriminals have broadened their repertoire to include fake customer support numbers for popular internet services, such as Netflix. This particular scam relies on a very common advertising vehicle wherein companies can buy ads that look very much like the top search result in both Google and Bing searches. Potential victims, using a search engine to find the customer support number for Netflix, are shown ads with fake customer support numbers, and many searchers mistake the ad for the legitimate search result. The phone call to the phoney help desk quickly escalates into the customer’s computer being “infected” with fake viruses, soon followed by demands for cash to clean up the compromised computer.
What this means for you:
The internet veterans among you know how to tell the advertisements from the actual search results on Google and Bing, but there are just as many who do not realize there is a difference. This particular scam counts on it, on top of victimizing people who are already in some form of technology distress. If you count yourself among the search-engine savvy, make sure you educate those close to you on how to separate the ads from the search results, as well as showing them how to find the right support phone numbers for important services they use. This may be particularly useful to aging family members who are targeted specifically because of their neophyte technology tendencies and trusting nature towards phone technicians who sound like they know what they are doing.
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if you don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probably the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that are being generated based upon information gathered on the internet from sites like Facebook and LinkedIn, making it harder and harder to spot the fakes in your email.
If you’ve taken to heart any of the security advice or practices that I or many other technology professionals have been dispensing for the past few years, you’ve probably developed a healthy skepticism for any emails that land in your box that are unexpected and contain unfamiliar links. Even more so if your email provider marks the email as spam or a possible phishing attempt.
For example, I recently received an email with the subject “iPhone iPod touch Class Action Settlement” that was immediately marked as spam by Gmail. This email purportedly offered me a part of a class action settlement with Apple. Seeing how many people own iPhones and iPods, it seemed like good phishing bait so I assumed this was yet another scam. It had all the trappings of a well-made con:
- broad target demographic
- based on a recent, actual event
- contained lots of official-sounding text that didn’t read like a 4th grader wrote it
- no overt clues that the sender was an obvious bad agent (non-US domains, inappropriate reply-to addresses, spoofed mail headers, etc.)
It would probably lure people into clicking a link that would either load up their machines with malware, or entice them into giving up some personal information that would later be used in an identity theft attempt. I opened it up with the intent of warning my audience and clients about the potentially well-crafted fraud.
As it turns out, this is a legitimate email that Gmail incorrectly identified as spam, probably because the sender was flagged as a spammer by justifiably suspicious readers like you and me. A little research online reveals this is part of the original case that made headlines back in May of this year. Emboldened by this information, I used Chrome (bolstered by a variety of anti-scripting extensions) to visit the included link, and, lo and behold, it’s a legitimate website. Because of the relative newness of this initiative, there isn’t a lot out on the web about this yet, so unless you are an experienced internet researcher, your searches might have come up with little evidence that this was a legitimate email.
What this means for you:
Most cautious internet citizens might have trusted their email provider’s guidance on this and just deleted this email, potentially missing out on as much as $200 as a settlement award. False positives are an unfortunate side-effect of a proper security protocol, and in this case, even Google didn’t provide enough information to immediately assuage my suspicions, and a few search results actually led to conversations where people immediately labeled it as a scam. Sometimes the internet does not provide instantaneous answers, nor is it always right, and as always, you should always take your search results with a grain of salt, especially if there is money at stake. If your search results turn up a dearth of information, your best course of action is to wait a few days for the internet to catch up (it always does!) and research again, or to contact a tech expert like C2 Technology to get a second opinion.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net
Hackers are now taking advantage of conscientious users who have been repeatedly warned by folks like myself to keep their software, specifically their browsers, up to date. If a user happens to surf to a website hosting this new style of attack, they will be presented with a realistic-looking warning that asserts their browser is out of date, but if they click the convenient link to update the browser, they will instead be infected with a trojan that will forcibly change the browser homepage to a site that will deliver a full payload of malware. If the user is unfortunate enough to have his or her anti-malware software overrun, they will quickly have a severely compromised computer.
What this means for you:
You should only ever download updates for your software from the manufacturer’s website, as it’s extremely unlikely for manufacturers to use third-party hosts for software updates. In the above example, users were directed to download an update from a domain “securebrowserupdate” which is something Microsoft, Google, Mozilla or Apple would never do for their browsers. If you happen across a pop-up warning that an update is available for your browser, and you aren’t sure it’s legitimate, close it, then check your update status through the browser’s built-in interface, usually under the “Help” menu. Still not sure? Why not call an expert like C2?