208 posts categorized "Scams & Threats" Feed

New Technologies Will Soon Make It More Difficult For Consumers To Spot Fake News

We've all heard the old saying: seeing is believing. Right? Not necessarily anymore.

New technologies  will soon make it very easy for bad actors to manipulate videos of people -- politicians, law enforcement officials, celebrities, or anyone -- to say things they never said. This will cause many problems, one of which will be the increasing difficulty, or impossibility, for consumers to spoke fake news. CBS News explained:

"It starts with a selfie. Using that simple image, Hao Li, CEO of Los Angeles-based Pinscreen, can manipulate someone's face. You can literally put words in someone else's mouth. Li said it's all part of building a new virtual chat room world, but this type of advanced artificial intelligence technology is raising real eyebrows... For example, someone could take an image of President Trump and make him say something he didn't really say. Li said these kind of things are already possible in some ways. Comedian Jordan Peele used lip sync technology in a public service announcement (PSA) out Tuesday, warning against the dangers of fake news..."

Below is the PSA by Peele, which has already gotten more than 2.3 million views:

This is more confirmation that artificial intelligence is ripe for misuse by bad actors. The CBS News report also described some of the efforts by software developers to quickly create tools to spot manipulated images and video. Here's why:

"... at Pinscreen, Li said it won't take long before the line between what's real or not is erased. "It might be a year actually." "

Watch the entire CBS News report. These new image/video detection tools can't come soon enough. Consumers will need them. Journalists, military, intelligence, government watch-dog agencies, and corporate executives will need them, too. One can easily imagine bad actors using A.I. and other new technologies to create fake endorsements by celebrities of products, services, and/or politicians they really didn't endorse. What are your opinions?


2017 FTC Complaints Report: Debt Collection Tops The List. Older Consumers Better At Spotting Scams

Earlier this month,, the U.S. Federal Trade Commission (FTC) released its annual report of complaints submitted by consumers in the United States. The report is helpful is understand the most frequent types of scams and reports consumers experienced.

The latest report, titled 2017 Consumer Sentinel Network Data Book, includes complaints from 2.68 million consumers, a decrease from 2.98 million in 2016. However, consumers reported losing a total of $905 million to fraud in 2017, which is $63 million more than in 2016. The most frequent complaints were about debt collection (23 percent), identity theft (14 percent), and imposter scams (13 percent). The top 20 complaint categories:

Rank Category # Of
Reports
% Of
Reports
1 Debt Collection 608,535 22.74%
2 Identity Theft 371,061 13.87%
3 Imposter Scams 347,829 13.00%
4 Telephone & Mobile Services 149,578 5.59%
5 Banks & Lenders 149,316 5.58%
6 Prizes, Sweepstakes & Lotteries 142,870 5.34%
7 Shop-at-Home & Catalog Sales 126,387 4.72%
8 Credit Bureaus, Information
Furnishers & Report Users
107,473 4.02%
9 Auto Related 86,289 3.23%
10 Television and Electronic Media 47,456 1.77%
11 Credit Cards 45,428 1.70%
12 Internet Services 45,093 1.69%
13 Foreign Money Offers &
Counterfeit Check Scams
31,980 1.20%
14 Health Care 27,660 1.03%
15 Travel, Vacations &
Timeshare Plans
22,264 0.83%
16 Business & Job Opportunities 19,082 0.71%
17 Advance Payments for
Credit Services
17,762 0.66%
18 Investment Related 15,079 0.56%
19 Computer Equipment
& Software
9,762 0.36%
20 Mortgage Foreclosure Relief
& Debt Management
8,973 0.34%

While the median loss for all fraud reports in 2017 was $429, consumers reported larger losses in certain types of scams: travel, vacations and timeshare plans ($1,710); mortgage foreclosure relief and debt management ($1,200); and business/job opportunities ($1,063).

The telephone was the most frequently-reported method (70 percent) scammers used to contact consumers, and  wire transfers was the most frequently-reported payment method for fraud ($333 million in losses reported). Also:

"The states with the highest per capita rates of fraud reports in 2017 were Florida, Georgia, Nevada, Delaware, and Michigan. For identity theft, the top states in 2017 were Michigan, Florida, California, Maryland, and Nevada."

What's new in this report is that it details financial losses by age group. The FTC report concluded:

"Consumers in their twenties reported losing money to fraud more often than those over age 70. For example, among people aged 20-29 who reported fraud, 40 percent indicated they lost money. In comparison, just 18 percent of those 70 and older who reported fraud indicated they lost any money. However, when these older adults did report losing money to a scammer, the median amount lost was greater. The median reported loss for people age 80 and older was $1,092 compared to $400 for those aged 20-29."

Detailed information supporting this conclusion:

2017 FTC Consumer Sentinel complaints report. Reports and losses by age group. Click to view larger image

2017 FTC Consumer Sentinel complaints report. Median losses by age group. Click to view larger image

The second chart is key. Twice as many younger consumers (40 percent, ages 20 - 29) reported fraud losses compared to 18 percent of consumers ages 70 and older. At the same time, those older consumers lost more money. So, older consumers were more skilled at spotting scams and few fell victim to scams. It seems both groups could learn from each other.

CBS News interviewed a millennial who fell victim to a mystery-shopper scam, which seemed to be a slick version of the old check scam. It seems wise for all consumers, regardless of age, to maintain awareness about the types of scams. Pick a news source or blog you trust. Hopefully, this blog.

Below is a graphic summarizing the 2017 FTC report:

Ftc-complaints-report-2017


Security Experts: Artificial Intelligence Is Ripe For Misuse By Bad Actors

Over the years, bad actors (e.g., criminals, terrorists, rogue states, ethically-challenged business executives) have used a variety of online technologies to remotely hack computers, track users online without consent nor notice, and circumvent privacy settings by consumers on their internet-connected devices. During the past year or two, reports surfaced about bad actors using advertising and social networking technologies to sway public opinion.

Security researchers and experts have warned in a new report that two of the newest technologies can be also be used maliciously:

"Artificial intelligence and machine learning capabilities are growing at an unprecedented rate. These technologies have many widely beneficial applications, ranging from machine translation to medical image analysis... Less attention has historically been paid to the ways in which artificial intelligence can be used maliciously. This report surveys the landscape of potential security threats from malicious uses of artificial intelligence technologies, and proposes ways to better forecast, prevent, and mitigate these threats. We analyze, but do not conclusively resolve, the question of what the long-term equilibrium between attackers and defenders will be. We focus instead on what sorts of attacks we are likely to see soon if adequate defenses are not developed."

Companies currently use or test artificial intelligence (A.I.) to automate mundane tasks, upgrade and improve existing automated processes, and/or personalize employee (and customer) experiences in a variety of applications and business functions, including sales, customer service, and human resources. "Machine learning" refers to the development of digital systems to improve the performance of a task using experience. Both are part of a business trend often referred to as "digital transformation" or the "intelligent workplace." The CXO Talk site, featuring interviews with business leaders and innovators, is a good resource to learn more about A.I. and digital transformation.

A survey last year of employees in the USA, France, Germany, and the United Kingdom found that they, "see A.I. as the technology that will cause the most disruption to the workplace." The survey also found: 70 percent of employees surveyed expect A.I. to impact their jobs during the next ten years, half expect impacts within the next three years, and about a third percent see A.I. as a job creator.

This new report was authored by 26 security experts from a variety of educational institutions including American University, Stanford University, Yale University, the University of Cambridge, the University of Oxford, and others. The report cited three general ways bad actors could misuse A.I.:

"1. Expansion of existing threats. The costs of attacks may be lowered by the scalable use of AI systems to complete tasks that would ordinarily require human labor, intelligence and expertise. A natural effect would be to expand the set of actors who can carry out particular attacks, the rate at which they can carry out these attacks, and the set of potential targets.

2. Introduction of new threats. New attacks may arise through the use of AI systems to complete tasks that would be otherwise impractical for humans. In addition, malicious actors may exploit the vulnerabilities of AI systems deployed by defenders.

3. Change to the typical character of threats. We believe there is reason to expect attacks enabled by the growing use of AI to be especially effective, finely targeted, difficult to attribute, and likely to exploit vulnerabilities in AI systems."

So, A.I. could make it easier for the bad guys to automated labor-intensive cyber-attacks such as spear-fishing. The bad guys could also create new cyber-attacks by combining A.I. with speech synthesis. The authors of the report cited examples of more threats:

"The use of AI to automate tasks involved in carrying out attacks with drones and other physical systems (e.g. through the deployment of autonomous weapons systems) may expand the threats associated with these attacks. We also expect novel attacks that subvert cyber-physical systems (e.g. causing autonomous vehicles to crash) or involve physical systems that it would be infeasible to direct remotely (e.g. a swarm of thousands of micro-drones)... The use of AI to automate tasks involved in surveillance (e.g. analyzing mass-collected data), persuasion (e.g. creating targeted propaganda), and deception (e.g. manipulating videos) may expand threats associated with privacy invasion and social manipulation..."

BBC News reported even more possible threats:

"Technologies such as AlphaGo - an AI developed by Google's DeepMind and able to outwit human Go players - could be used by hackers to find patterns in data and new exploits in code. A malicious individual could buy a drone and train it with facial recognition software to target a certain individual. Bots could be automated or "fake" lifelike videos for political manipulation. Hackers could use speech synthesis to impersonate targets."

From all of this, one can conclude that the 2016 elections interference cited by intelligence officials is probably mild compared to what will come: more serious, sophisticated, and numerous attacks. The report included four high-level recommendations:

"1. Policymakers should collaborate closely with technical researchers to investigate, prevent, and mitigate potential malicious uses of AI.

2. Researchers and engineers in artificial intelligence should take the dual-use nature of their work seriously, allowing misuse-related considerations to influence research priorities and norms, and proactively reaching out to relevant actors when harmful applications are foreseeable.

3. Best practices should be identified in research areas with more mature methods for addressing dual-use concerns, such as computer security, and imported where applicable to the case of AI.

4. Actively seek to expand the range of stakeholders and domain experts involved in discussions of these challenges."

Download the 101-page report titled, "The Malicious Use Of Artificial Intelligence: Forecasting, Prevention, And Mitigation" A copy of the report is also available here (Adobe PDF; 1,400 k bytes)here.

To prepare, both corporate and government executives would be wise to both harden their computer networks and (re)train their employees to recognize and guard against cyber attacks. What do you think?


Do Social Media Pose Threats To Democracies?

November 4th cover of The Economist magazine The November 4th issue of The Economist magazine discussed whether social networking sites threaten democracy in the United States and elsewhere. Social media were supposed to better connect us with accurate and reliable information. What we know so far (links added):

"... Facebook acknowledged that before and after last year’s American election, between January 2015 and August this year, 146m users may have seen Russian misinformation on its platform. Google’s YouTube admitted to 1,108 Russian-linked videos and Twitter to 36,746 accounts. Far from bringing enlightenment, social media have been spreading poison. Russia’s trouble-making is only the start. From South Africa to Spain, politics is getting uglier... by spreading untruth and outrage, corroding voters’ judgment and aggravating partisanship, social media erode the conditions..."

You can browse some of the ads Russia bought on Facebook during 2016. (Hopefully, you weren't tricked by any of them.) We also know from this United Press International (UPI) report about social media companies' testimony before Congress:

"Senator Patrick Leahy (D-Vt) said Facebook still has many pages that appear to have been created by the Internet Research Agency, a pro-Kremlin group that bought advertising during the campaign. Senator Al Franken (D-Minn.) said some Russian-backed advertisers even paid for the ads in Russian currency.

"How could you not connect those two dots?" he asked Facebook general council Colin Stretch. "It's a signal we should have been alert to and, in hindsight, one we missed," Stretch answered."

Google logo And during the Congressional testimony:

"Google attorney Richard Salgado said his company's platform is not a newspaper, which has legal responsibilities different from technology platforms. "We are not a newspaper. We are a platform that shares information," he said. "This is a platform from which news can be read from many sources."

Separate from the Congressional testimony, Kent Walker, a Senior Vice President and General Counsel at Google, released a statement which read in part:

"... like other internet platforms, we have found some evidence of efforts to misuse our platforms during the 2016 U.S. election by actors linked to the Internet Research Agency in Russia... We have been conducting a thorough investigation related to the U.S. election across our products drawing on the work of our information security team, research into misinformation campaigns from our teams, and leads provided by other companies. Today, we are sharing results from that investigation... We will be launching several new initiatives to provide more transparency and enhance security, which we also detail in these information sheets: what we found, steps against phishing and hacking, and our work going forward..."

This matters greatly. Why? by The Economist explained that the disinformation distributed via social media and other websites:

"... aggravates the politics of contempt that took hold, in the United States at least, in the 1990s. Because different sides see different facts, they share no empirical basis for reaching a compromise. Because each side hears time and again that the other lot are good for nothing but lying, bad faith and slander, the system has even less room for empathy. Because people are sucked into a maelstrom of pettiness, scandal and outrage, they lose sight of what matters for the society they share. This tends to discredit the compromises and subtleties of liberal democracy, and to boost the politicians who feed off conspiracy and nativism..."

When citizens (via their elected representatives) can't agree nor compromise, then government gridlock results. Nothing gets done. Frustration builds among voters.

What solutions to fix these problems? The Economist article discussed several remedies: better critical-thinking skills by social media users, holding social-media companies accountable, more transparency around ads, better fact checking, anti-trust actions, and/or disallow bots (automated accounts). It will take time for social media users to improve their critical-thinking skills. Considerations about fact checking:

"When Facebook farms out items to independent outfits for fact-checking, the evidence that it moderates behavior is mixed. Moreover, politics is not like other kinds of speech; it is dangerous to ask a handful of big firms to deem what is healthy for society.

Considerations about anti-trust actions:

"Breaking up social-media giants might make sense in antitrust terms, but it would not help with political speech—indeed, by multiplying the number of platforms, it could make the industry harder to manage."

All of the solutions have advantages and disadvantages. It seems the problems will be with us for a long while. Social media has been abused... and will continue to be abused. Comments? What solutions do you think would be best?


Security Experts: Massive Botnet Forming. A 'Botnet Storm' Coming

Online security experts have detected a massive botnet -- a network of zombie robots -- forming. Its operator and purpose are both unknown. Check Point Software Technologies, a cyber security firm, warned in a blog post that its researchers:

"... had discovered of a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016... Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.

With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others..."

Reportedly, the botnet has been named either "Reaper" or "IoTroop." The McClatchy news wire reported:

"A Chinese cybersecurity firm, Qihoo 360, says the botnet is swelling by 10,000 devices a day..."

Criminals use malware or computer viruses to add to the botnet weakly protected or insecure Internet-connect devices (commonly referred to as the internet of things, or IoT) in homes and businesses. Then, criminals use botnets to overwhelm a targeted website with page requests. This type of attack, called a Distributed Denial of Service (DDoS), prevents valid users from accessing the targeted site; knocking the site offline. If the attack is large enough, it can disable large portions of the Internet.

A version of the attack could also include a ransom demand, where the criminals will stop the attack only after a large cash payment by the targeted company or website. With multiple sites targeted, either version of cyber attack could have huge, negative impacts upon businesses and users.

How bad was the Mirai botnet? According to the US-CERT unit within the U.S. Department of Homeland Security:

"On September 20, 2016, Brian Krebs’ security blog was targeted by a massive DDoS attack, one of the largest on record... The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices... The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack..."

Wired reported last year that after the attack on Krebs' blog, the Mirai botnet:

"... managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone... Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover..."

The Wired report also explained the difficulty with identifying and cleaning infected devices:

"One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam—or more likely, a small business's—is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product."

It this seems scary, it is. The coming botnet storm has the potential to do lots of damage.

So, a word to the wise. Experts advise consumers to, a) disconnect the device from your network and reboot it before re-connecting it to the internet, b) buy internet-connected devices that support security software updates, c) change the passwords on your devices from the defaults to strong passwords, d) update the operating system (OS) software on your devices with security patches as soon as they are available, e) keep the anti-virus software on your devices current, and f) regularly backup the data on your devices.

US-CERT also advised consumers to:

"Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. Purchase IoT devices from companies with a reputation for providing secure devices... Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected."


Experts Find Security Flaw In Wireless Encryption Software. Most Mobile Devices At Risk

Researchers have found a new security vulnerability which places most computers, smartphones, and wireless routers at risk. The vulnerability allows hackers to decrypt and eavesdrop on victims' wireless network traffic; plus inject content (e.g., malware) into users' wireless data streams. ZDNet reported yesterday:

"The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network... The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk."

Reportedly, the vulnerability was confirmed on Monday by U.S. Homeland Security's cyber-emergency unit US-CERT, which had warned vendors about two months ago.

What should consumers do? Experts advise consumers to update the software in all mobile devices connected to their home wireless router. Obviously, that means first contacting the maker of your home wireless router, or your Internet Service Provider (ISP), for software patches to fix the security vulnerability.

ZDNet also reported that the security flaw:

"... could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched Internet-of-things (IoT) devices being exposed for use by botnets."

So, plenty of home devices must also be updated. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). One "price" of wireless convenience is the responsibility for consumers and device makers to continually update the security software in internet-connected devices. Nobody wants their home router and devices participating in scammers' and fraudsters' botnets with malicious software.

ZDNet also listed software patches by vendor. And:

"In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android 6.0 Marshmallow and newer... At the time of writing, neither Toshiba and Samsung responded to our requests for comment..."

Hopefully, all of the Internet-connected devices in your home provide for software updates. If not, then you probably have some choices ahead: whether to keep that device or upgrade to better device for security. Comments?


Report: Patched Macs Still Vulnerable To Firmware Hacks

Apple Inc. logo I've heard numerous times the erroneous assumption by consumers: "Apple-branded devices don't get computer viruses." Well, they do. Ars Technica reported about a particular nasty hack of vulnerabilities in devices' Extensible Firmware Interface (EFI). Never heard of EFI? Well:

"An analysis by security firm Duo Security of more than 73,000 Macs shows that a surprising number remained vulnerable to such attacks even though they received OS updates that were supposed to patch the EFI firmware. On average, 4.2 percent of the Macs analyzed ran EFI versions that were different from what was prescribed by the hardware model and OS version. 47 Mac models remained vulnerable to the original Thunderstrike, and 31 remained vulnerable to Thunderstrike 2. At least 16 models received no EFI updates at all. EFI updates for other models were inconsistently successful, with the 21.5-inch iMac released in late 2015 topping the list, with 43 percent of those sampled running the wrong version."

This is very bad. EFI hacks are particularly effective and nasty because:

"... they give attackers control that starts with the very first instruction a Mac receives... the level of control attackers get far exceeds what they gain by exploiting vulnerabilities in the OS... That means an attacker who compromises a computer's EFI can bypass higher-level security controls, such as those built into the OS or, assuming one is running for extra protection, a virtual machine hypervisor. An EFI infection is also extremely hard to detect and even harder to remedy, as it can survive even after a hard drive is wiped or replaced and a clean version of the OS is installed."

At-risk EFI versions mean that devices running Windows and Linux operating systems are also vulnerable. Reportedly, the exploit requires plenty of computing and technical expertise, so hackers would probably pursue high-value targets (e.g., journalists, attorneys, government officials, contractors with government clearances) first.

The Duo Labs Report (63 pages, Adobe PDF) lists the specific MacBook, MacBookAir, and MacBookPro models at risk. The researchers shared a draft of the report with Apple before publication. The report's "Mitigation" section provides solutions, including but not limited to:

"Always deploy the full update package as released by Apple, do not remove separate packages from the bundle updater... When possible, deploy Combo OS updates instead of Delta updates... As a general rule of thumb, always run the latest version of macOS..."

Scary, huh? The nature of the attack means that hackers probably can disable the anti-virus software on your device(s), and you probably wouldn't know you've been hacked.


Here Comes The Post-Equifax-Breach Spam From Scammers

If you haven't received them yet, you probably will soon. Here comes the spam - unwanted e-mail messages - from scammers, supposedly related to the massive Equifax data breach. The spam will likely include phishing attacks: attempts to trick consumers into disclosing sensitive bank account and payment data.

What might this spam look like? The spam filter by my e-mail provider recently trapped the message below in my spam folder:

Suspected spam email. Click to view larger version

The sender's intent is to clearly leverage consumers' anxieties and fears about the massive, horrific Equifax breach. The e-mail message also states:

Suspected spam email. Click to view larger version

The message offers both three free credit scores and free credit reports. The problems I see with this e-mail:

  1. The message doesn't list a price for its offer. The company name -- FreeCreditClick -- implies the offer is free.
  2. Key items in the e-mail don't match. The company name in the "From" field doesn't match the e-mail address. Nor does the company name in the "From" field match the company name in the body of the message.
  3. The sender's e-mail address in the "From" field includes a version of an e-mail address I've seen before in other spam.
  4. The Equifax site already directs consumers affected by the data breach to an Equifax site to learn how to get protection (e.g., credit monitoring and fraud resolution services) for free.
  5.  The e-mail offers credit reports from the three major credit reporting agencies: Experian, Equifax, and TransUnion. Informed consumers know that the official website for free credit reports is annualcreditreport.com.
  6. Informed consumers know that while there are several brands of credit scores, they probably need a single good one.
  7. The e-mail contains order and unsubscribe links with destinations that doesn't match either the company's name in "1" nor "2."

To understand #7, I reviewed the underlying HTML markup language used to create this e-mail message:

HTML markup of the suspected spam email. Click to view larger version

The destinations for both the order link (A) and the unsubscribe link (B) contain the "proffbuilder.com" site and embedded redirect commands. The redirect commands could take your web browser anywhere. Too risky, so I did not click on them.

As best I can tell, this definitely is spam. I don't trust it. What do you think?


A Greater Volume Of Bogus Email Messages

Have you checked your e-mail spam folder? Your e-mail provider's spam filter is a highly valuable tool which identifies and collects bogus, unwanted messages; which often either contain malware or link to sites which do. I happily use my e-mail provider's spam tool. It saves me plenty of time and aggravation.

You don't have to read the messages collected in your spam folder by your e-mail service. I do occasionally because I've taken my online security a step further. I configured the spam filter to trap all inbound messages not in my e-mail address book, and not only the messages it identified as spam. For me, nothing gets through unless I already know you. I don't want any of this garbage downloaded to my laptop's hard drive.

Call me extra careful.

Recently, when I scanned my spam folder I found a flood of messages up from three or five daily to 30 or 40. The subject lines of the bogus messages included a wide variety of offers: timeshare rentals, hair removal products, credit scores, credit cards, dating services, pet products, wrinkle removal products, home refinance loans, ink for computer printers, and much more. Often, the bogus messages pretended to be valid businesses, such as Amazon and Walmart. A partial list of the messages in my spam folder:

Partial list of messages in a spam folder. Click to view a larger version

Clearly, the spammers hope to trick users into opening these messages. Don't. Experts advise consumers not to reply to these bogus e-mails. If you do, you'll only get more.

If you know where to look, it's fairly easy to spot the spam. All of the messages include the same e-mail reply address. In this instance it is contact@cron-job.org. Unfortunately, Cron-Job is a valid business which did not send out this spam. According to the Denver Post:

"Cron-jobs is a non-profit organization supporting Cron, a Unix-software utility. The site was spoofed! Cron-jobs documents what happened here: cron-job.org/en/spam- statement... The messages are not from them, thus they cannot stop them. They don’t even use the “contact@cron-job.org” email... The messages are likely being sent on a bot-network. These are computers that have malware on them and their owners don’t know the machines were hijacked..."

So, a word to the wise. Regularly scan you computer (e.g., laptop, desktop, tablet, phone) to identify and remove malware. You don't want to contribute to the e-mail spam problem.

I noticed another sender's e-mail address generating lots of spam: XXXXXXXXXXXXaolea.us. The spammers vary the numbers and letters in the XXX portion of the e-mail address, but my e-mail service provider is skilled at identifying bogus messages.

Last, if you haven't activated the spam filter offered by your e-mail provider, now is a good time to do so.


Neighbor Spoofing: What It Is And The Best Way To Stop It

A friend recently posted on social media:

"I get five to seven phone calls daily from a 617-388-(random) number. I keep blocking them but new ones keep calling. My number is a 617-388- number. I've called a few back and they're actually people's personal mobile numbers. What is going on?! Anyone know how to stop it?"

This is neighbor spoofing... where robocallers pretend to be neighbors with familiar looking phone numbers. NPR explained neighbor spoofing is:

"... when callers disguise their real phone numbers with a fake phone number that has the same area code and prefix as yours. The idea is you might be more likely to pick up because maybe you're thinking, this call could be my neighbor or my kid's school, someone I know... Even the chairman of the Federal Communications Commission, Ajit Pai, cannot escape... The calls have gotten so aggravating to Pai, he is doubling down and making the fight against spoofers a top priority for the FCC. Robocalls and telemarketers are the No. 1 complaint the agency gets from the public. New technology has made spoofing easier to do and harder to detect. Last year, people received about 2.5 billion robocalls every month...this spring, the FCC started investigating ways to let phone carriers block calls from spoofers..."

The best solution is a system where phone companies authenticate callers. That would stop or block neighbor spoofing. Until then, the FCC is using deterrence. Back in June, the FCC proposed a $120 million fine against a habitual robocall scammer, Adrian Abramovich, based in Florida:

"Over the course of several years, Abramovich's companies disrupted emergency services, bilked vulnerable consumers out of thousands of dollars and hurt legitimate businesses, the FCC contends... TripAdvisor was deluged by consumer complaints about robocalls that the company had not initiated or authorized. After conducting an internal investigation, TripAdvisor determined that the offending calls were linked to a Mexican hotel and resort chain that had contracted with Abramovich for advertising services."

Consumers interested in something they could do might consider Nomorobo, which works (landline or mobile) with many service providers. Users of Apple and Andorid OS phones might investigate Hiya. Windows and BlackBerry phone users can check the CTIA Wireless Association's guide for free (or low-cost) mobile apps to block robocalls.

Robocalls from schools, physicians, airlines, and law enforcement are helpful, while robocalls from scammers aren't. The best solution -- true authentication -- can't come fast enough. Consumers and businesses are suffering.

While I don't wish anything bad on anyone, I am happy that FCC Chairmann Pai is also directly feeling the pain. Perhaps, now he knows how consumers feel. The loss of broadband privacy and Pai's push to kill net neutrality annoy consumers almost as much as neighbor spoofing.


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the WiFi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organization payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?


Microsoft Fights Foreign Cyber Criminals And Spies

The Daily Beast explained how Microsoft fights cyber criminals and spies, some of whom with alleged ties to the Kremlin:

"Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft’s trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls “the most vulnerable point” in Fancy Bear’s espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents.

Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers from their victims, and giving Microsoft a omniscient view of that servers’ network of automated spies."

Kudos to Microsoft and its attorneys.


Real Scams, Real Cons and Fake Law Enforcement

[Editor's Note: Today's guest post is by Arkady Bukh of Bukh & Associates, PLLC which specializes in criminal law, family law, and several areas of civil law. Aware consumers know how to recognize scams.]

By Arkady Bukh, Esq.

A man in Nigeria died recently. When the coroner went to the home for the body, he found $25 BILLION dollars. Apparently, the decedent had been trying to give away his money for years, but no one answered his email.

If you've been on the Internet for over, say, one-hour, you recognize the source for that joke. The Nigerian email scam is so infamous it's been given its own, easily recognizable, name: The Nigerian Email Scam.

Despite scams and cons being popular online, they're not confined to the virtual world. They crop up in the real world, too. Often, in unexpected ways.

Pennsylvania Teen Tries to Scam and It Doesn’t Go Well at Home
Police in Westtown Township nabbed a teenage boy in March after linking the kid to a scam involving fake traffic tickets. The fraudulent fines were placed in mailboxes at four homes. Each fake ticket claimed the homeowners' vehicle was captured on camera speeding in nearby West Chester. An accompanying note asked for $96 to be left in the mailbox.

"It does look real," said Jackie McGlone, a West Chester resident.

Detectives have found the photographs of the vehicle's' plates were taken while the car was parked in their owner's' driveway and unoccupied.

Police tracked the 16-year old boy, who lives in the area, by a tip phoned in by the teenager's dad.

The teen's father found some notifications waiting to be mailed and called the police. Charges are pending.

Truckers Lose Big Money in Oregon
In 2013, an Oregon-based scam dug into the pockets of truck drivers with automated calls telling them to pay their unpaid traffic tickets using re-loadable debit cards — or face a penalty.

The caller identified himself as, "Alex James Murphy of the Oregon State Police," and informed drivers of a bench warrant for an outstanding speeding ticket. To pay, the drivers were told to buy re-loadable prepaid cards through Green Dot MoneyPak, put $154 on the card, and then call a second phone number to provide the card information.

If the driver does all that, they'll find out there was never an unpaid speeding ticket and their $154 has hit the road. The scam, which occasionally crops up in difference places, first appeared on the radar in November 2012 and had gone through a few variations since.

An offshoot which also relies on confusing the lines between a con artist and legitimate law enforcement agencies is the “Support Your Sheriff” sticker scam. The Federal Trade Commission's website has a page warning consumers about cons which play on citizens' desire to help support local law enforcement.

Fake Police
A vehicle which appears to be an unmarked police car pulls you over. The ‘officer' says you are about to be handed a large fine and see points added to your driver's license. "However," says the supposed-cop, "you can avoid this by paying a smaller fee, up front, in cash."

That's not a tactic used by legitimate law enforcement agencies anywhere. Real cops want to make sure the law is obeyed and not about a discount if a speeder pays on the front end. Legitimate cops will issue a real ticket that must be paid in person, or mail, at the department.

If in doubt, request another officer to come to the scene. It's your right.

Phishing Scam
Someone receives an e-mail message claiming them they are guilty of a traffic violation. A wise person will delete the email immediately. Any email saying you owe money for traffic tickets is a phishing scam.

Usually, the email says the person needs to pay for the traffic citation right now. The e-mail includes a link where the individual to find details. The link often contains a computer virus, and can redirect the user to a phishing page meant to request personal information from the user.

Buy a Sticker and Get Out of Jail Free
Scammers have called individuals at work and home at claiming the local Department of Public Safety (DPS) offers decals for autos with the DPS logo to waive their next traffic ticket.

The caller instructs the person to place the sticker next to the car's license plate. To get the sticker, the vehicle owner must pay $10. Many persons fall for the scam as $10 is smaller than any traffic ticket issued after 1946.

If you get a traffic citation, you broke the law. You will pay for that. There is no such thing as a law enforcement sticker which gets you one free traffic ticket.


Russian Cyber Attacks Against US Voting Systems Wider Than First Thought

Cyber attacks upon electoral systems in the United States are wider than originally thought. The attacks occurred in at least 39 states. The Bloomberg report described online attacks in Illinois as an example:

"... investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016... In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised..."

Politicians have emphasized that the point of the disclosures isn't to embarrass any specific state, but to alert the public to past activities and to the ongoing threat. The Intercept reported:

"Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light."

Spear-fishing is the tactic criminals use by sending malware-laden e-mail messages to targeted individuals, whose names and demographic details may have been collected from social networking sites and other sources. The spam e-mail uses those details to pretend to be valid e-mail from a coworker, business associate, or friend. When the target opens the e-mail attachment, their computer and network are often infected with malware to collect and transmit log-in credentials to the criminals; or to remotely take over the targets' computers (e.g., ransomware) and demand ransom payments. Stolen log-in credentials are how criminals steal consumers' money by breaking into online bank accounts.

The Intercept report explained how the elections systems hackers adopted this tactic:

"... the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers. But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company... The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded..."

Experts believe the voting equipment company targeted was VR Systems, based in Florida. Reportedly, it's electronic voting services and equipment are used in eight states. VR Systems posted online a Frequently Asked Questions document (adobe PDF) about the cyber attacks against elections systems:

"Recent reports indicate that cyber actors impersonated VR Systems and other elections companies. Cyber actors sent an email from a fake account to election officials in an unknown number of districts just days before the 2016 general election. The fraudulent email asked recipients to open an attachment, which would then infect their computer, providing a gateway for more mischief... Because the spear-phishing email did not originate from VR Systems, we do not know how many jurisdictions were potentially impacted. Many election offices report that they never received the email or it was caught by their spam filters before it could reach recipients. It is our understanding that all jurisdictions, including VR Systems customers, have been notified by law enforcement agencies if they were a target of this spear-phishing attack... In August, a small number of phishing emails were sent to VR Systems. These emails were captured by our security protocols and the threat was neutralized. No VR Systems employee’s email was compromised. This prevented the cyber actors from accessing a genuine VR Systems email account. As such, the cyber actors, as part of their late October spear-phishing attack, resorted to creating a fake account to use in that spear-phishing campaign."

It is good news that VR Systems protected its employees' e-mail accounts. Let's hope that those employees were equally diligent about protecting their personal e-mail accounts and home computers, networks, and phones. We all know employees that often work from home.

The Intercept report highlighted a fact about life on the internet, which all internet users should know: stolen log-in credentials are highly valued by criminals:

"Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials."

So, a word to the wise for all internet users: don't use the same log-in credentials at multiple site. Don't open e-mail attachments from strangers. If you weren't expecting an e-mail attachment from a coworker/friend/business associate, call them on the phone first and verify that they indeed sent an attachment to you. The internet has become a dangerous place.


FCC Says Denial-Of-Service Attacks Caused Its Site To Crash Sunday Morning

Federal communications Commission logo Last weekend, the U.S. Federal Communications Commission (FCC) website crashed during a key period when the public relied upon it to submit feedback about proposed changes to net neutrality rules. Dr. David Bray, the FCC Chief Information Officer, released a statement on Monday that the crash was due to a distributed denial-of-service (DDoS) attack:

"Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. We have worked with our commercial partners to address this situation and will continue to monitor developments going forward."

The FCC’s , Electronic Comment Filing System (ECFS) is the site the public users to submit and review feedback about proposed changes. Bray's statement did not identify the "bad actors" responsible for the DDoS attack, did not state the countries or locations of the illegitimate site traffic, nor offer much in the way of any substantial details.

A DDoS attack is when hundreds or thousands of internet-connected devices, often coordinated by malware and/or criminals, overwhelm a targeted website by trying to access it simultaneously. This type of attack prevents legitimate users from accessing the targeted site to perform desired tasks (view/buy products, register for services, view videos, get help, contact representatives, etc.). This can easily disable the targeted website for hours, days, or weeks. It can also disrupt businesses, and cause financial losses.

This blog and its hosting service experienced a DDoS attack in 2014 when offshore advertisers retaliated after the hosting service implemented stronger measures to block illegitimate traffic. An October, 2016 DDoS attack against Dyn, a major DNS provider, interrupted many popular websites and services including Spotify, Reddit, and Twitter. Some DDoS attacks are about politics or censorship. A September, 2016 DDoS attack disabled the Krebs On Security blog.

Generally, security experts are concerned about botnets, collections of internet-connected devices used to perform DDoS attacks. These devices can include home WiFi routers, security cameras, and unprotected computers infected with malware. Often, home devices are used without consumers' knowledge nor consent.

Others were skeptical of the FCC's explanation. Some people attributed the crash to John Oliver, the host of the "This Week Tonight" show on HBO. In 2014, the show's viewers crashed the FCC site trying to submit feedback about net neutrality. Oliver published a similar video this past weekend in support of net neutrality.

Broadcasting & Cable reported:

"Fight for the Future is calling on the FCC to release logs on the attack to an independent third party—a security researcher or media outlet—to independently verify the attack. "The agency has a responsibility to maintain a functioning website to receive large numbers of comments and feedback from the public," said Evan Greer campaign director for Fight for the Future. "They can't blame DDoS attacks without proof, they need to fix this problem and ensure that comments on this important issue are not lost."

MediaPost reported that at least two U.S. Senators have demanded answers:

"Senators Ron Wyden (D-Oregon) and Brain Schatz (D-Hawaii) are also seeking answers from the FCC. "As you know, it is critical to the rulemaking and regulatory process that the public be able to take part without unnecessary technical or administrative burdens," the lawmakers write. "Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue."

They are asking the FCC to provide details about any malicious traffic, including how many devices sent malicious traffic to the agency. The lawmakers also have asked the FCC whether it requested investigatory assistance from other federal agencies, and whether it uses any commercial protection services."

A reasonable demand for the FCC to provide proof. If the DDoS attack was a new form of 21st-centry censorship to stop concerned citizens (e.g., voters) from submitting feedback in support of net neutrality, then we all need to know. And, we need to know what the FCC is doing to protect its systems.


Researchers: Thousands of Android Apps Collude To Spy on Users

Got an Android phone or tablet? Considering an Android phone? Then, pay close attention. Researchers have found that more than 20,000 pairs of Android apps work together to spy on users: collect, track, and share information without notice nor consent. The Atlantic magazine explained:

"Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone... A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data... Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information. When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data..."

Researchers at Southern Illinois University and at Virginia Tech collaborated on the highly technical report titled, "Collusive Data Leak And More: Large-Scale Threat Analysis of Inter-App Communications" (Adobe PDF). The report compared DIALDroid to other inter-app analysis tools, and analyzed whether the data leaks were intentional or unintentional (e.g., due to poor design).

The vulnerabilities the researchers found seem three-fold. First, there is the stealth collusion described above. Second, how the data collected and where it is sent are problematic. The Atlantic article explained:

"When they analyzed the the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS."

Third, the vulnerabilities apply to apps operating on corporate networks. The researchers warned in their technical report:

"User Applications. Although DIALDroid is for marketplace owners, Android users can also benefit from this tool. For example, enterprise users can check possible inter-app collusions using DI-ALDroid before allowing certain apps to be installed on the devices of their employees. Moreover, a large-scale public database similar to ours, when regularly updated, can be queried by users to find out possible inter-app communications to or from a particular app."

"Marketplace owners" refers to organizations running online app stores. "Enterprise users" refers to information technology (I.T.) professionals managing (and securing) internal organization networks containing highly sensitive, confidential, and/or proprietary information. Corporate, government, health care organizations, and law firms immediately come to mind.

Prior blog posts and firmware reports have identified numerous vulnerabilities with Android devices. Now, we know a little more about how some apps work together secretly. Add this new item to the list of vulnerabilities.

Android phones may be cheaper than other brands, but that comes at a very steep cost. What are your opinions?


Espionage Groups Target Apple Devices With New Malware

ZDNet reported about a group performing multiple online espionage campaigns which targeted:

"... Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data. This malware, discovered by cybersecurity researchers at Bitdefender, is thought to be linked to the APT28 group, which was accused of interferring in the United States presidential election. Bitdefender notes a number of similarities between the malware attacks against Macs -- which have been taking place since September 2016 -- and previous campaigns by the group, believed to be closely linked to Russia military intelligence and also dubbed Fancy Bear. Known as Xagent, the new form of malware targets victims running Mac OS X and installs a modular backdoor onto the system which enables the perpetrators to carry out cyberespionage activities... Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files..."


Survey: Internet of Evil Things Report

Pwnie 2017 Internet of Evil Things report A recent survey of information technology (IT) professionals by Pwnie Express, an information security vendor, found that connected devices bring risks into corporate networks and IT professionals are not keeping up. 90 percent of IT professionals surveyed view connected devices as a security threat to their corporate systems and networks. 66 percent aren't sure how many connected devices are in their organizations.

These findings have huge implications as the installed base of connected devices (a/k/a the "Internet of things" or ioT) takes off. Experts forecast 8.4 billion connected devices in use worldwide in 2017, up 31 percent from 2016. Total spending for those devices will reach almost $2 trillion in 2017, and $20.4 billion by 2020. The regions that will drive this growth include North America, Western Europe, and China; which already comprise 67 percent of the installed base.

Key results from the latest survey by Pwnie Express:

"One in five of the survey respondents (20%) said their IoT devices were hit with ransomware attacks last year. 16 percent of respondents say they experienced Man-in-the-middle attacks through IoT devices. Devices continue to lend themselves to problematic configurations. The default network from common routers “linksys” and “Netgear” were two of the top 10 most common “open default” wireless SSID’s (named networks), and the hotspot network built-in for the configuration and setup of HP printers - “hpsetup”- is #2."

An SSID, or Service Set Identifier, is the name a wireless network broadcasts. Manufacturers ship them with default names, which the bad guys often look for to find open, unprotected networks. While businesses purchase and deploy a variety of connected devices (e.g., smart meters, manufacturing field devices, process sensors for electrical generating plants, real-time location devices for healthcare) and some for "smart buildings" (e.g., LED lighting, HVAC sensors, security systems), other devices are brought into the workplace by workers.

Most companies have Bring Your Own Device (BYOD) policies allowing employees to bring and use in the workplace personal devices (e.g., phones, tablets, smart watches, fitness bands). The risk for corporate IT professionals is that when employees, contractors, and consultants bring their personal devices into the workplace, and connect to corporate networks. A mobile device infected with malware from a wireless home network, or from a public hot-spot (e.g., airport, restaurant) can easily introduce that malware into office networks.

Consumers connect a wide variety of items to their wireless home networks: laptops, tablets, smartphones, printers, lighting and temperature controls, televisions, home security systems, fitness bands, smart watches, toys, smart wine bottles, and home appliances (e.g., refrigerators, hot water heaters, coffee makers, crock pots, etc.). Devices with poor security features don't allow operating system and security software updates, don't encrypt key information such as PIN numbers and passwords, and build the software into the firmware where it cannot be upgraded. Last month, the U.S. Federal Trade Commission (FTC) filed a lawsuit against a modem/router maker alleging poor security in its products.

Security experts advise consumers to perform several steps to protect their wireless home networks: change the SSID name, change all default passwords, enable encryption (e.g., WEP, WPA, WPA2, etc.), create a special password for guests, and enable a firewall. While security experts have warned consumers for years, too many still don't heed the advice.

The survey respondents identified the top connected device threats:

"1. Misconfigured healthcare, security, and IoT devices will provide another route for ransomware and malware to cause harm and affect organizations.

2. Unresolved vulnerabilities or the misconfiguration of popular connected devices, spurred by the vulnerabilities being publicized by botnets, including Mirai and newer, “improved” versions, in the hands of rogue actors will compromise the security of organizations purchasing these devices.

3. Mobile phones will be the attack vector of the future, becoming an extra attack surface and another mode of rogue access points taking advantage of unencrypted Netgear, AT&T, and hpsetup wireless networks to set up man-in-the-middle attacks."

The survey included more than 800 IT security professionals in several industries: financial services, hospitality, retail, manufacturing, professional services, technology, healthcare, energy and more. Download the "2017 Internet of Evil Things Report" by Pwnie.


Millions Of Android Smartphones And Apps Infected With New Malware, And Accounts Breached

Security researchers at Check Point Software Technologies have identified malware infecting an average of 13,000 Android phones daily. More than 1 million Android phones have already been infected. Researchers named the new malware "Gooligan." Check Point explained in a blog post:

"Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year... Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe... We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified... Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began..."

Check Point chart about Gooligan malware. Click to view larger version This Telegraph UK news story listed 24 device manufacturers affected: Archos, Broadcom, Bullitt, CloudProject, Gigaset, HTC, Huaqin, Huawei, Intel, Lenovo, Pantech, Positivio, Samsung, Unitech, and others.The Check Point announcement listed more than 80 fake mobile apps infected with the Gooligan malware: Billiards, Daily Racing, Fingerprint unlock, Hip Good, Hot Photo, Memory Booster, Multifunction Flashlight, Music Cloud, Perfect Cleaner, PornClub, Puzzle Bubble-Pet Paradise, Sex Photo, Slots Mania, StopWatch, Touch Beauty, WiFi Enhancer, WiFi Master, and many more.

Check Point is working closely with the security team at Google. Adrian Ludwig, Google’s director of Android security, issued a statement:

"Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware... Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point... to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps... Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected... We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push... We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future."

How the gooligan malware works by Check Point. Click to view larger version Android device users can also have their devices infected by phishing scams where criminals send text and email messages containing links to infected mobile apps. News about this latest malware comes at a time when some consumers are already worried about the security of Android devices.

Recently, there were reports of surveillance malware installed the firmware of some Android devices, and and the Quadrooter security flaw affecting 900 million Android phones and tablets. Last month, Google quietly dropped its ban on personally identifiable web tracking.

News about this latest malware also highlights the problems with Google's security model. We know from prior reports that manufacturers and wireless carriers don't provide OS updates for all Android phones. Hopefully, the introduction last month of the Pixel phone will address those problems. A better announcement would have also highlighted security improvements.

For the Gooligan malware, Check Point has develop a web site for consumers to determine if their Google account has already been compromised:  https://gooligan.checkpoint.com/. Check Point advised consumers with compromised accounts:

"1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”

2. Change your Google account passwords immediately after this process."

A word to the wise: a) shop for apps only at trustworthy, reputable sites; b) download and install all operating-system security patches to protect your devices and your information; and c) avoid buying cheap phones that lack operating system software updates and security patches.