Search The Web's Nooks And Crannies To Find Connected Devices

Most people believe that when they use one of the popular search engines (e.g., Bing, Google, Yahoo, DuckDuckGo), that they have effectively searched the entire Internet. That belief is erroneous for a couple reasons.

CNN Money has a good report about the Shodan search engine, which was developed specifically to search what I call the nooks and crannies of the Internet. Shodan users can find devices connected to the Internet that other search engines don't necessarily focus upon:

"... servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet... traffic lights, security cameras, home automation devices and heating systems... control systems for a water park, a gas station, a hotel wine cooler and a crematorium... command and control systems for nuclear power plants and a particle-accelerating cyclotron..."

If it isn't obvious to you, these search results have huge privacy and identity theft implications for a variety of reasons. Many users connect devices to the Internet which they shouldn't connect. Or don't properly secure their Internet-connected devices with firewall software. You can bet that since the good guys already know about and use Shodan, then the bad guys will, too, and hack into unprotected devices, steal identity information, and/or cause havoc.

The second reason: many consumers are trapped in the search Filter Bubble, and don't know it.

Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

• Joseph Woods, 33 (the ringleader)
• William Washington, 31
• Alex Houston, 23
• Britain Woods, 34
• Jenette Farrar, 35
• Essence Houston, 29
• Kenyetta Davis, 33,

Congratulations to both local law enforcement and the judicial system.

Former Employee At Web Hosting Service Arrested And Charged With Felony Computer Breaches

Ars Technica reported that Eric Gunnar Gisse, a former Hostgator employee, has been arrested and charged with felony computer breaches. Gisse allegedly used his position to install secret code that allowed him unauthorized, "back door" access to more than 2,700 Internet-connected computer servers. Gisse, of San Antonio, Texas is being held on $20,000 bail in the Harris County jail.

This highlights one risk with cloud computing services. Many companies outsource the operation of their website to third-party vendors, such as Houston-based Hostgator, that offer what the industry calls "web hosting services." This is not new.

As a usability professional who has worked with several digital agencies, I have seen this outsourcing repeatedly work well and data maintain security. The issue is when employees abuse their positions and either steal or expose the sensitive information of people who use the compromised web servers.

The C/Net website lists companies that provide web hosting services.

CBC Interactive Map Of Foreign Travel Advisories

I like to travel to different countries. So do many people. If you plan to travel to other countries, then you might find this resource helpful to avoid getting mugged, your identity information stolen, or worse during foreign travel.

The Canadian Broadcasting Corporation (CBC), based upon data from the Canada's Department of Foreign Affairs, produced an interactive map of travel advisories for consumers. The map highlights places to avoid and places to take extra security precautions.

In the United States, the Bureau of Consular Affairs within the State Department provides similar information with alerts and warnings for foreign travel.

Fraudsters Target Police Chief With Check Scam

Wicked Local warned consumers about a check scam that targeted the Police Chief at Hingham, Massachusetts. Like many other check scams, the a package arrived snail mail -- in this case, UPS. The package included a letter and bogus $3,000.00 check which appeared to be from a legitimate business. The letter includes instructions to wire money, about $250, to cover supposed taxes and fees.

Police Chief Michael Peraino was suspicious and called the business first to verify the check. The receptionist at the business verified that the check was a fake, as the business had already received many phone calls from consumers.

Fraudsters attempt check scams like this because they receive real money wired to them from each victim long before the victim realizes that the bogus check they deposited in their bank account has bounced. Each victim is out the $250 they wired, the amount of the bogus check, and any bounced-check fees from their bank.

Check scams like this are a reminder for consumers to verify first any check you receive from an unknown organization or person.The Identity Theft Resource Center (ITRC) advises consumers to follow these steps to verify a suspected scam:

1. Contact the company involved directly, using a customer service number you find in the phone book or that you have used in the past.
2. If you were solicited online, contact the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Or, contact your local State Attorney General's office.
3. Contact the Federal Trade Commission via phone (877-FTC HELP) or e-mail
4. Avoid scams that appear to use expensive out-of-country telephone numbers. If you are unsure about a telephone number's location, look the number or Area Code using this free decoder.

If you are unsure who the attorney general is in the state where you live, then browse this list. Readers of this blog are familiar with a similar check scam that targeted Craig's List website users.

For Consumers Who Believe Their Apple Products Are Immune From Malware

Finally, somebody has said it loud and clear. As part of its 2013 predictions about identity theft and fraud, the ProtectMyID blog stated:

"As Apple products have become a growing part of the electronic market, cybercriminals have taken aim at the brand. They have developed malware specific to Apple Products and have taken advantage of the fact that everyone believes their Apple product is immune. In 2013, we suspect these attacks will continue to grow and soon the Apple App Store will be as seedy as that of its competitors."

Want to learn about more threats to your privacy? Read:

• Trouble In Smart Phone Land
• Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent
• Publishers Consider Ways To Further Use Data Collected By E-Readers

Study: 30 Percent Of Teen Girls Meet In Person Strangers They Met Online

This is a startling and terrifying statistic. Parents: what is your teenage daughter doing online? WFMJ reported the results of a recent pediatric study:

"... the study tracked online and offline activity among more than 250 girls aged 14 to 17 years and found that 30 percent followed online acquaintance with in-person contact..."

The study, funded by a grant from the National Institutes of Health (NIH), included a mix of girls with and without a history of risky behavior. The study's author is Jennie Noll, a professor of pediatrics at the University of Cincinnati. The NIH is part of the U.S. Department of Health and Human Services (DHHS).

I recommend that parents read the WFMJ article, since it includes additional information. Reportedly, the study appeared in the Journal of Pediatrics. I wished that the study had included younger girls, since many social networking sites allow youth aged 13 and older to register.

2 Teens Drug Parents' Milkshakes To Get More Internet Time

This is weird news.

According to the Sacramento Bee, two teenage girls were arrested on Wednesday after allegedly drugging one of the girl's parents, so the teens could use the Internet after a 10 pm curfew. The teens allegedly spiked milkshakes they'd bought for the parents with a prescription sleep aid. After waking up, the suspicious parents had the milkshakes tested and then notified local law enforcement.

It is unclear what the two teens were doing online.

The story has been picked up by many newspapers and news sources including the major television news networks.

Legit Email Or Scam? Legit Text Message Or Scam? What To Do Next

Recently, I received the following email message from a relative:

Sent: Thursday, November 01, 2012 11:30 AM
To: undisclosed recipients:
Subject: Manila, Philippines : (Sad News) : Shirley XXXXXXXXXX

Hello,
Just hoping this message reaches you... Well, I'm sorry for this emergency and for not informing you about my urgent trip to Manila, Philippines but I just have to let you know my present predicament... Everything was fine until I was attacked on my way back to the hotel, i wasn't hurt but I lost my money, bank cards, mobile phone and my bag in the course of this attack.. I immediately contacted my bank in order to block my cards and also made a report at the nearest police station. I've been to the embassy and they are helping me with my documentation so i can fly out but I'm urgently in need of some help from you to pay up my hotel bills and my flight ticket back home... My return flight back home is scheduled to leave in few hours from now... Please i need your help..."

The bottom of the email had the person's standard, valid signature with her office contact information. Legit email or scam?

To me, it read like a scam. My relative uses much better punctuation and grammar. Plus, I didn't think she was traveling abroad. So, the simple next step was to call her via a land-line phone or other separate method to confirm things.

I called her, left a voice mail message, and she replied via email a day later. She confirmed that she was not traveling abroad, and that heer email account had been hacked.

Identity thieves and scam artists are creative and persistent. There are a variety of "phishing" (e.g., email) scams and "smishing" (text message) scams. Learn to recognize them. Remember, you can always call the company directly and confirm whether or not they sent the suspect text message (or email).

So, a word to the wise. When you receive a suspect communication, confirm it with the person (or company) first via an alternate method. If you receive a suspect text message, call or email the person. If you receive a suspect email, call the person. Even better, talk with them in person.

While waiting for the person to reply, you can always check one of the hoax websites, like Snopes. Your telephone company's website probably lists the types of phone and text scams that have been reported. Your Internet service provider's website probably lists the types of email scams that have been reported.

If you use Facebook, then the Facecrooks site is a good source to verify suspect messages and apps that abuse your privacy.

You've Been 'Mugged' In An Auto Accident Insurance Scam. What To Do Next?

Recently, an I've Been Mugged reader wrote asking what to do. She had been the innocent victim in an auto insurance scam:

"Two days ago, I was surprised to find myself in a situation that I believe is a clever scam. It involves auto insurance and a trumped up claim. Although the situation is still unfolding, and my carrier may not pay once they investigate, I am shaken at being on the business end of such a scheme. I'm afraid to drive. I feel unsafe because this person has my address and who knows what else such a person might do."

While I had heard about these scams, I have never been involved in an auto accident insurance scam. And, I had not thought about an insurance claim scam as also being a potential identity theft risk, too. It stands to reason that if some criminals are willing to stage a bogus accident, intentionally cause a collision, and/or submit bogus medical claims after an accident, then they are also willing to abuse the other driver's personal data.

So, what should a consumer do to protect yourself? What can a consumer do to protect yourself after a staged accident?

First, I did some online research to learn about the types of auto insurance scams. My thinking is that by understanding them, it would be easier to recognize them and not get tricked. The Allstate Insurance page lists the types of auto insurance scams and fraud schemes:

• Swoop & Squat
• Sideswipe
• Shady Helpers

I am not going to repeat the scam descriptions here. You can visit the site and read them for yourself. Some are intentional collisions. Sadly, criminals will stage bogus accidents or cause intentional collisions. In 2010, Florida led the nation in the number of complaints about insurance fraud related to staged accidents.

Second, I found that auto insurance company websites often provide advice for their policyholders about how to protect yourself, and what to do if you suspect fraud. The State Farm site lists the types of auto insurance frauds and provides instructions for its policyholders:

"To report suspected insurance fraud, call State Farm or the National Insurance Crime Bureau (NICB) hotline: 1-800-TEL-NICB / 1-800-835-6422"

So, if you suspect fraud, you should inform both your auto insurance company and the NICB. I visited the NICB website to learn more.

The NICB, based in Des Plaines, Illinois, is a non-profit organization dedicated to preventing, detecting, and defeating insurance fraud and vehicle theft. The NICB works with more than 1,100 property and casualty insurance companies. The NICB offers an Apple iPhone app for consumers to report suspected insurance fraud.

According to the NICB, staged accidents occur in every state in the nation. In 2010, the top five cities with the most staged accidents and related auto insurance fraud schemes were:

1. New York, New York
2. Tampa, Florida
3. Miami, Florida
4. Orlando, Florida
5. Houston, Texas

And, the top five states were:

1. Florida
2. New York
3. California
4. Texas
5. Illinois

The NICB also describes the types auto insurance scams:

• Swoop & Squat
• Sideswipe
• Panic Stop
• Drive Down

While at the site, I downloaded the NICB Staged Automobile Accident Fraud brochure (Adobe PDF) to learn more. It sounded to me like the I've Been Mugged reader had experienced a "Drive Down" scam.

The NICB also offers a really good flyer for consumers about what to do after an auto accident. Download the Accident Checklist (Adobe PDF). The NICB advises consumers to:

• Tend to the injured. Call emergency and/or ambulance personnel if needed
• Keep a disposable camera in your auto. Take photos of the entire accident scene, and damage to your car, the other car(s), and any buildings affected. Take photos of all cars' license plates and Vehicle Identification Numbers.
• Notify the police immediately, and call them to the scene
• Get the information (e.g., name, address, phone, insurance certificates) of all other drivers involved, and of any witnesses. Either write down the informaton, or take photos of any documents, especially if the driver is not the registered owner of the other car
• Notify your insurance company immediately
• Don't disclose your Social Security Number or bank account information

If you suspect that others involved in the (staged) accident have abused your personal information or committed identity fraud, file a report with local police and get a copy of that police report. I have used the Identity Theft Resource Center (ITRC) website before, and highly recommend it. The site provides plenty of information and advice for a variety of identity theft and fraud situations. If you suspect other drivers in the (staged) accident are abusing your personal information, then Fact Sheet 110 seems to apply. It makes sens to file fraud complaints with your insurance company and with the U.S. Federal Trade Commission (FTC).

If you are feeling particularly vulnerable, you might arrange a consultation with an attorney to get advice about what to do next. Get an attorney referral from somebody you trust and know. I also visited the websites for several states' Attorney General offices, as these websites often contain advice and resources for consumers.  For example, the New York State Attorney General website provides advice for consumers about how to fight auto insurance fraud.

I am sure that some I've Been Mugged readers have opinions or experience with auto insurance claim scams. If you were a victim in a staged auto accident auto insurance scam, what did you do to protect yourself? What resources did you find most helpful?

Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

• Western Beaver County School District: $700,000
• The Catholic Diocese of Des Moines: $600,000
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
• Patco: $588,000
• Experi-Metal, Inc.: $560,000
• Village View Escrow: $465,000
• An unidentified construction company in California: $447,000
• Choice Escrow: $440,000
• An unidentified solid waste management company in New York: $150,000
• An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.

Mobile Marketing Company To Pay $500K Settlement Fine For Text Message Spam

This past weekend, the office of the New York State Attorney General announced a settlement with Game Theory LLC, a mobile content company. Game Theory agreed to pay a $500,000 settlement for allegedly sending deceptive text messages that tricked New York State residents into signing up for monthly text messages costing $9.99 per month:

"These charges appeared on the victim’s wireless telephone bill in a way that was difficult to detect. For months, consumers would pay for text messages they did not want before they realized they were being charged. For example, between May 23, 2011 and July 5, 2011, Game Theory sent text messages claiming that the recipients had a “secret crush,” and that the recipient needed to respond “yes” to find out who it was. However, in the process of finding out the identity of the “secret crush,” the recipient was also unknowingly signing-up for a text message service..."

Game Theory reportedly sent 150,000 such text messages to the mobile phones of New York State residents. Terms of the settlement require the company to exit the text messaging business.

Security experts advise consumers to never respond to unsolicited text messages, including those that claim a reply is necessary to stop any charges. Consumers should report text message spam and fraudulent mobile phone charges to their mobile service provider, and ask their provider to block those third-party charges. Consumers can also report this fraud to their state consumer protection agency, and to the U.S. Federal Trade Commission (FTC).

It is important for parents to remind and teach their children of good mobile device security habits, including how to recognize and delete smishing text messages.

Latest Email Scam: Promises Not To Kill You If You Pay

Spammer and fraudster are persistent and creative. The latest email scam involves a threat where the criminal will not kill you if you pay instead. Honest. I am not making this up.

Michael Finney described the scam in his blog. So, if you see an email message in your inbox with the following subject line:

"Somebody you call a friend, wants you dead"

You can assume that it's probably a scam. The scammers are trying to trick you into wiring money to them.

The Risks Of Buying Drugs Online

Everyone loves a good deal. And the Internet provides several sources of deals and discounts. If you seek deals on prescription drugs, there are several things you should know so you don't get "mugged" by a rogue online pharmacy website.

Earlier this year, the National Association of Boards of Pharmacy (NABP), which accredits online drugstores, released the results of a study where it reviewed more than 9,600 online pharmacies. Key results:

• Most are rogues sites: 96.6% (or 9.349 of 9,677 online pharmacies reviewed) operated out of compliance with existing laws and standards
• Only 2.7% (259 online pharmacies) to be legitimate websites, and 0.7% (69 sites) were accredited through an NABP verification program
• Of these 9,349 online pharmacies, 8,122 don't require a valid physician's prescription
• 4,648 offer foreign or drugs not approved the U.S. FDA
• 3,363 have internet servers outside the USA
• 1,523 don't have secure web sites

The problem is intensified by drugs that are in short supply. Fraudsters know this and try to take advantage of the situation:

"The most critical shortages involve cancer, antibiotic, nutrition, and electrolyte-imbalance medicines, according to the FDA. For many community pharmacies, health-system pharmacies, and patients the lack of availability of needed -- and often life-saving -- medications through official, authorized supply channels means resorting to unconventional and more dangerous means of obtaining the medications, sometimes turning to unknown sellers online. The unfulfilled demand for these medications has created a lucrative market for counterfeiters..."

The results: several risks to consumers. One risk is that you may not get what you paid for:

"... health care facilities and patients have no assurance that the substances they receive are what they are purported to be. Many of the replacement drugs purchased online are unregulated, meaning there are no safeguards in place to ensure their identity, safety, efficacy, where and under what conditions they were made, or how they were handled."

A second risk is to your health. Counterfeit drugs can fail to address your medical conditions, make you sicker, or kill you:

"... two-thirds of the online drug sellers discovered in this study are represented on the NABP list of Not Recommended sites. These illegal online drug sellers pose serious risks to patient health. The risk is especially high with vaccines..."

A third risk is identity theft or fraud at those online pharmacies that operate unsecured sites.

Earlier this year, the U.S. Congress House Committee on Oversight and Government Reform investigated "gray market" companies, that operate outside of authorized drug distribution networks to provide short-supply drugs at hugely inflated prices. In July 2012, the committee released its report (Adobe PDF), which found:

"... a growing number of prescription drugs sold in the United States have experienced supply shortages. Because these shortages have been most severe among a group of injectable drugs used to treat patients with cancer and other serious illnesses, they have had a particularly serious impact on hospitals... During drug shortages, hospitals are sometimes unable to buy drugs from their normal trading partners, usually one of the three large national “primary” distributors... some short-supply injectable drugs do not reach health care providers through the manufacturer-wholesaler distributor-dispenser chain that policymakers and industry stakeholders present as the typical model for drug distribution. Instead, these drugs “leak” into longer gray market distribution networks, in which a number of different companies – some doing business as pharmacies and some as distributors – buy and resell the drugs to each other before one of them finally sells the drugs to a hospital or other health care facility. In more than two-thirds (69%) of the 300 drug distribution chains reviewed in this investigation, prescription drugs leaked into the gray market through pharmacies. Instead of dispensing the drugs in accordance with their professional duties, state laws, and the expectations of their trading partners, these pharmacies re-sold the drugs to gray market wholesalers..."

The investigation also found:

"... a number of businesses holding pharmacy licenses that do not dispense drugs, but instead appear to operate for the sole purpose of acquiring short-supply drugs that can be sold into the gray market.... Some gray market wholesalers gain access to shortage drugs by recruiting pharmacies to act as their purchasing agents..."

The impact is far higher drug prices than otherwise for health care facilities, hospitals, and consumers.

The NABP operates several online pharmacy accreditation programs, including the Verified Internet Pharmacy Practice Sites (VIPPS), the Veterinary-Verified Internet Pharmacy Practices Sites (Vet-VIPPS), and the e-Advertiser Approval Program. The NABP has appllied to the Internet Corporation For Assigned Names and Numbers (ICANN) for a specific domain-name to help consumers recognize accredited online pharmacies.

To protect yourself online, experts advise consumers to:

1. Buy drugs online from reputable stores you already know
2. Look for NABP VIPPS and Vet-VIPPS symbols when shopping
3. Visit AwareRX.org, which maintains lists of both NABP-recommended and not-recommended online pharmacy websites
4. Visit SafeMedicines.org operated by the Center for Safe Internet Pharmacies (CSIP), which contains a tool for patients to check if doctors in their state purchased counterfeit cancer medications
5. Watch this public service announcement produced by the CISP:

Download the full NABP report: "Internet Drug Outlet Identification Program Progress Report for State and Federal Regulators: April 2012" (Adobe PDF).

Malware Snuck Into Both Apple and Google App Stores

InformationWeek reported that a bogus app designed to steal the address books of both Apple iPhone and Google Android smart phone users' made its way into both the Apple App store and the Google Play store, and stayed there for at least a week. The bogus app was titled, "Find and Call." Some app users complained that the app sent SMS spam to their address book contacts.

Apparently, malware targets all operating systems for all devices.

Photo of Cash Posted On Facebook Leads to Home Robbery

There are some things you should never post photographs online about. The BBC reported that two armed thieves robbed a home after an Australian teenager posted photographs on Facebook of a large amount of cash. The teenager had helped her grandmother count the cash, which was saved for retirement.

It was unclear how the thieves obtained the home address. The teenager no longer lives at the address.

What can consumers learn from this?

• Be careful about posting online messages or photos fwith cash, jewelry, or similar valuables
• Adjust the settings on your mobile device or smart phone to remove geo-tags from photographs and video you post online
• Avoid announcing online when you will be away from home
• Make sure that your profile and post/video/photo sharing settings are set to "friends only"
• Don't accept friend requests from people you don't know. Verify their identity via a separate method (e.g., phone, email)
• Delete from your list of friends nmes you don't know or recognize
• Don't assume all of your friends practice good data security and privacy habits. Too many don't.
• Be careful about the apps you install on your smart phone or the apps you accept on Facebook
• Parents should discuss experiences like this, and how to safely use social networking websites

Why Cyber Criminals Attack: For The Money

Last week, the Ponemon Institute and Check Point Software Technologies released the results of a joint survey, "The Impact of Cybercrime on Business" (Adobe PDF), conducted to better understand the nature of online attacks which businesses of all sizes face. The survey included executives from companies in several countries. Key survey findings:

• Companies experience an average of 66 cyber attacks per year
• Mobile devices (e.g., smart phones and tablets) present an increased breach risk
• Cyber crime is expensive, costing companies on average
• Criminals attack for the money

Almost all survey participants said:

"... the primary goal for cybercriminals is financial fraud and/or access to the company’s financial records. In the U.S. and UK, financial gain is followed by theft of customer data. Approximately five percent of security attacks are motivated by political or ideological agendas."

So, identity thieves and cyber criminals attack employers to steal money: the employer's and/or yours. And, the criminals will attempt to use your mobile devices to gain access to employer's networks:

"... Hong Kong and Brazil report on average the highest percentage of mobile devices infected an act of cyber crime... the lowest average of infected mobile devices and machines connected to the network at 11 percent in the U.S. and nine percent in Germany."

The Ponemon/Check Point survey included more than 2,600 experienced business leaders and IT security practitioners from commpanies located in the United States, United Kingdom, Germany, Hong Kong and Brazil.A similar study by Symantec found that 50% of cyber attacks focused on businesses with fewer than 2,500 employees, and targeted mobile device and social networking users.

The Ponemon Institute helps both public sector and privbate sectors by performing independent research on privacy, data security, and information protection. Check Point Software Technologies provides organizations with a veriety of solutions to secure online networks and data.

6 Threats That Target Consumers' Mobile Devices

If you think that identity thieves and scam aartists have not already targeted your favorite mobile devices, then think again. Dark Reading reported about siz specific threats that target popular mobile devices:

"1. Zitmo - One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers..."

"2. Mobile Botnets - Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012...:

"5. JiFake - Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware..."

To protect yourself and the sensitive data on your smart phone or tablet, experts advise consumers to:

• Download apps only from trusted websites,
• Donwload only apps with privacy policies and terms of conditions that you understand and agree with,
• Keep the anti-virus software on your mobile device updated, just like you do on your laptop or desktop computer, and
• Password protect your mobile device in case it is lost or stolen.

FTC Seeks Information From The Public About How Identity Theft Impacts Elders

The U.S. Federal Trade Commission (FTC) seeks information from the public about how identity theft and fraud impact senior citizens. According to the Bureau of Justice statistics, 11.7 million people, about 5 percent of the population ages 16 or older, were victims of identity theft between 2006 and 2008. The FTC is concerned that:

"... seniors may be particularly susceptible to identity theft. They are often targeted for phishing scams; some seniors have granted powers of attorney giving wide access to their personal information; and most seniors' Medicare cards list their Social Security numbers. In addition, the personal information of senior citizens may be vulnerable in hospitals, nursing homes, and other care facilities."

To learn about the problem, the FTC seeks:

• Original research about the scope of identity theft and elders,
• The types of scams (e.g., phishing, tax, power of attorney, door-to-door) targeting elders,
• Obstacles to fighting or preventing this identity theft,
• Solutions by both the public and private sectors, and
• Any related issues

The FTC focuses upon enforcing laws, sharing its identity-theft complaint data with local law enforcement, and educates both consumers and businesses about data security. The FTC has brought actions against 35 companies for failing to adequately safeguard the sensitvie consumer data stored. In the summer of 2011, the FTC held a forum on the impacts upon children of identity theft. In September 2011, the FTC testified before Congress (Adobe PDF) about the problem and the actions it was taking.

Comments and submissions must be received by July 15, 2012. Information can be submitted in electronic or paper formats. Submissions should be mailed or delivered to:

Federal Trade Commission
Office of the Secretary
Room H-112 (Annex L)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Submissions received will be made public on the FTC website.

The FTC helps consumers to prevent fraudulent, deceptive, and unfair business practices. It also provides information to help consumers spot, stop, and avoid them. If you have been a victim of identity theft and fraud, you can file a complaint in English or Spanish at the FTC Complaint Assistant website, or call 1-877-FTC-HELP (1-877-382-4357). The FTC compiles complaints it receives into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).