Avoiding scams, phishing and malicious emails (things to watch for, how to report them + more)

November 19, 2014

Scam artists use clever schemes to defraud millions of people around the world each year. People need to learn how to recognize common phishing tactics and malicious emails and what you can do to avoid them.

Scammers typically create emails and messages that look like they’re from real companies, agencies and organizations and even use their logos, fonts, layouts and color schemes.

According to OnGuardOnline.gov, some clues that an email or text message is suspicious include:

  • the message is requesting your personal information — do not respond or click links! Companies, agencies (like the IRS, etc.) and organizations will not request your password, user name, credit card data, account numbers, or other personal or financial data through e-mail or text.
  • the email appears in your junk folder;
  • the sender’s email address does not have that business or agency domain name in it;
  • when you hover over a link or coupon the web address is not that company’s / agency’s website;
  • if you receive a coupon for a free or discounted item, ask yourself if you signed up to get emails from this company. If not, it’s unlikely they’d send you a discount or freebie out of the blue;
  • the email or message has several typos, missing data or poor English.

If you’re not sure an email is legit, DON’T click any links or open any attachments. Instead, look for signs that the email isn’t the real thing or do a search or visit that company’s site to see if there are any complaints from others who received similar emails.

Shipping confirmations or delivery failed messages

Fedex, UPS, USPS and other carriers are often used in fraudulent emails asking users to click on links that more often than not will place malware on the user’s machine. The subject lines typically say things like there was a problem with delivery or they want you to verify information or some important information is missing, etc. The fraudulent email may have an attached file that contains a virus or other malware … or the link may take you to a website that might download a malicious file. Don’t fall for these scams and report it (if you want to) then delete it. Read more about delivery failure phishing scams on Denver’s ABC7 

ups phishing shipping receipt

Receipts

Be on the alert for fake emails posing as online retailers like PayPal, Amazon and others with a subject line similar to a receipt you would see for a purchase on that vendor’s online store, a PayPal payment to someone, etc. These fake receipt emails are sent by cyber criminals — not the retailers — and clicking links contained in a fake receipt email may install malware on your system, in particular spyware used in severe forms of cyber crime such as credit theft, extortion, and identity theft.

For example, just last week I placed a small order on Amazon and received my order confirmation as usual.

The next day I received another Amazon confirmation email for a $1,099 electronic device and the first thing I thought of is someone hacked our account..!

I immediately logged onto Amazon.com and checked our shipping history and it didn’t appear so I went back to the email in my Inbox and noticed several things…

#1 – The “To” line had an email id called “bobrph@…” (my name is Janet);

#2 – The “Hi %USERNAME%” didn’t auto-populate a name;

#3 – When you hover the mouse over a link (DON’T CLICK IT – just hover) it displays a website NOT called “amazon.com/…” but rather “imailsolution.com/…”. << We strongly suggest you not visit this site – just in case!

email phishing1

Note the email has Amazon’s logo and layout, fonts and color scheme are almost identical to a typical order confirmation email from them so you need to be on guard.

#4 – As I scrolled down and hovered the mouse over other links (again without clicking) the same domain / website name kept showing up.

email phishing2

#5 – Whoever designed this email even added a typical footer that Amazon uses on their confirmations. This was just an image (nothing popped up when I hovered over these links), but it sure gives the appearance it is a normal message from them.

email phishing3

If you click a phishing or malicious link…

According to Anti-abuse.org once a victim visits a malicious website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce any website and capture any log in details entered at the fake site.

Report Malicious / Phishing / Scam emails

It does help to report suspicious emails to the respective company but it is always best to find out how they want you to report it. Some may ask you to forward an email while others prefer you send it as an attachment.

Below are some examples of common brands we’ve seen in suspicious emails over the years, and it’s easy to do a search on a company name and the phrase “report phishing” to find their preferred method of sending them the data.

Once you report an email just delete it so you don’t accidentally click on any links in it later. Realize you probably won’t hear back from the company you reported the malicious email to, but you will get an auto-reply explaining they received it and will be investigating it.

As Amazon.com mentioned in the auto-reply to me, “please be assured that Amazon.com is not in the business of selling customer information. Many spammers and spoofers use programs that randomly generate e-mail addresses, in the hope that some percentage of these randomly-generated addresses will actually exist.”

You can also forward phishing emails to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you might have been tricked by a phishing email:

Additional resources:

OnGuardOnline.gov
StaySafeOnline
US-CERT
Anti-Phishing Working Group
Protecting your devices from cyber threats

Stay safe out there..! j & B


Veterans Day Thank You + 2014 discounts and deals for troops and their families

November 9, 2014

usfra support our troopsOn November 11th our nation will celebrate Veterans Day (originally called Armistice Day) to honor America’s veterans for their patriotism, love of country, and willingness to serve and sacrifice for the common good.

One way businesses and organizations show their appreciation to veterans and active duty military is by offering discounts and freebies at restaurants, recreational sites, and retail stores.

Some deals start this weekend and extend out for days or a few weeks, while most are valid on Veterans Day only.

Take a moment to review Veterans Day 2014 discounts and deals for troops post on the U.S. First Responders Association forum … and please share the information with veterans and active duty troops you know. (The list is also available in a 6-page PDF so easy to print and share.)

Words cannot express the appreciation we have for our military (2- and 4-legged troops and vets) and their families … and we thank you ALL from the bottom of our hearts! j & B

 


Change your batteries and clocks + rotate preparedness stocks this weekend

October 31, 2014

Most people will gain an hour this weekend when they “fall back” early Sunday morning. While you are changing your clocks, it’s also a great time to change the batteries in detectors … and check and rotate items in disaster supplies kits since cooler weather is coming.

Use the following tips to make this a family project and include the kids so they can help choose items for kits and learn where things are, and it’s a good opportunity to discuss your Family Plan.

  • Change the batteries in smoke alarms and carbon monoxide (CO) detectors around your home. Officials suggest you test them at least once a month and completely replace detectors every 10 years.
  • Pull out your home and vehicle kits and rotate stored water, food, medications and other items, and test and/or replace batteries if you stashed some in kits. Remember to pack items for all your pets … or better yet, make special kits for them so those are easy to grab & go during an emergency. Also include winter items in kits like warm clothes and other things described in our Winter driving tips post.
  • If you haven’t already, take some time to make an Escape Plan that includes two escape routes from every room in the house. Draw a floor plan of your home showing doors, windows and stairways. Mark locations of first aid and disaster kits, fire extinguishers, smoke detectors, ladders, and utility shut-off points. Next, use a colored pen to draw a broken line or arrow charting at least 2 escape routes from each room … and walk through the routes with your entire family. Then practice, practice, practice by running drills with the family either monthly or quarterly.
  • Update your Family Emergency Plan (this 6-pg PDF checklist can help you set up meeting places [esp with your children in case you are separated during an emergency], ensure all phone numbers are current, think about things for seniors, pets, etc.)
  • Go through Important Family Documents and keep below items in a waterproof, portable safe container and update as needed. Keep copies of papers off-site in safety deposit box or with a family member — or scan all to a flash drive or CD or save to a secure cloud backup service.
    – Extra set of car keys, cash, traveler’s checks and credit card
    – Will, insurance policies, contracts, deeds, stocks and bonds
    – Passports, social security #s/cards, immunization records
    – Bank account numbers
    – Credit card numbers, card companies + phone numbers
    – Inventory of valuable household goods
    – Family records (birth, marriage, death certificates, photo IDs)
    – Recent pictures of all family members and pets for i.d. needs

Download a free 56-page mini portion of our IT’S A DISASTER! book to help you with the above steps and learn more about our customizable products and funding ideas at www.itsadisaster.net/ppp.html.

Stay safe and have a great weekend, j & B


Get Ready to #ShakeOut October 16, 2014 (world’s largest earthquake drill)

October 9, 2014

ShakeOut_GetReady_2014-lgOn October 16, 2014 at 10:16 a.m. (your local time) people across North America and around the world will participate in the Great ShakeOut earthquake drill.

The main goal of #ShakeOut is to get people prepared for major earthquakes and use the event as an opportunity to learn what to do before, during, and after an earthquake.

You might think “I don’t have earthquakes where I live”, but did you know every continent on the planet experiences earthquakes? The U.S. Geological Service estimates there are several million earthquakes a year globally and, while a vast majority of these are very small or undetected, about 100,000 quakes per year are felt.

All 50 U.S. states and territories have earthquakes so the ShakeOut is an opportunity to practice how to protect ourselves during earthquakes. Anyone can participate and basically, wherever you are at that moment—at home, at work, at school, anywhere—you should Drop, Cover, and Hold On as if there were a major earthquake occurring at that very moment, and stay in this position for at least 60 seconds. ShakeOut also has been organized to encourage everyone to update emergency plans and supplies, and to secure your space in order to prevent damage and injuries.

Learn how to register and find games, resources and more at www.shakeout.org … and, if you’re on Twitter, join ShakeOut, America’s PrepareAthon!, and the American Red Cross at 3p (Eastern) on October 15 using #EQChat. Experts will provide safety tips and other information to get you prepared for earthquakes.

Also check out my recent interview on DestinySurvival Radio since John and I discuss the ShakeOut, earthquake preparedness, and some things to expect in the aftermath of a disaster. Let us know how you plan to ShakeOut and stay safe out there, j & B

 


Fire Prevention Week October 5 – 11, 2014

October 5, 2014

The National Fire Prevention Agency’s Fire Prevention Week runs from October 5 – 11, 2014 and this year’s official theme is “Working Smoke Alarms Save Lives: Test Yours Every Month!”

Did you know that many people don’t test their smoke alarms as often as they should? When there is a fire, smoke spreads fast. You need working smoke alarms to give you time to get out so test your alarms every month.

For example, did you know…

  • Almost three of five (60%) of reported home fire deaths in 2007 to 2011 resulted from fires in homes with no smoke alarms or no working smoke alarms.
  • Working smoke alarms cut the risk of dying in reported home fires in half.
  • In fires considered large enough to activate the smoke alarm, hardwired alarms operated 93% of the time, while battery powered alarms operated only 79% of the time.
  • When smoke alarms fail to operate, it is usually because batteries are missing, disconnected, or dead.
  • An ionization smoke alarm is generally more responsive to flaming fires and a photoelectric smoke alarm is generally more responsive to smoldering fires. For the best protection, or where extra time is needed, to awaken or assist others, both types of alarms, or combination ionization and photoelectric alarms are recommended.

It is best to install both smoke and carbon monoxide (CO) detectors in your home, apartment and/or RV. And remember to test alarms at least once a month, replace batteries once a year, and get new units every 10 years.

And, if you haven’t already, take some time to make an Escape Plan that includes two escape routes from every room in the house. Draw a floor plan of your home showing doors, windows and stairways. Mark locations of first aid and disaster kits, fire extinguishers, smoke detectors, ladders, and utility shut-off points. Next, use a colored pen to draw a broken line or arrow charting at least 2 escape routes from each room … and walk through the routes with your entire family.

Also…

  • Make sure your windows are not nailed or painted shut.
  • Make sure security bars on windows have a fire safety opening feature so they can be easily opened from the inside…and teach everyone how to open them!
  • Teach everyone how to stay LOW to floor (air is safer).
  • Pick a spot to meet after escaping fire (meeting place).
  • Practice, practice, practice! Set aside time each month or several times a year and do fire drills with your family.

Fire Prevention Week is the perfect time to reach out and share resources that empower people to have a hand in preventing home fires and protecting their families.

Learn more at www.fpw.org and please share the link and this post with others. And for the little ones, visit Sparky the Fire Dog® site at www.sparky.org to find free apps, games, videos and more.

Stay safe, j & B

 

 

 


Get involved with October 2014 National Cyber Security Awareness Month #NCSAM

October 2, 2014

ncsam-logo-2014Did you know October is cyber security month in several countries?

America’s National Cyber Security Awareness Month or NCSAM campaign – under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance – has grown exponentially, reaching consumers, small and medium-size businesses, corporations, educational institutions, and young people across the nation.

Cybersecurity begins with a simple message everyone using the Internet can adopt: STOP. THINK. CONNECT. Take security and safety precautions, understand the consequences of your actions and behaviors online, and enjoy the benefits of the Internet.

The National Cyber Security Alliance has #NCSAM tools, banners and materials to help home users, K-12 Educators, Higher Education, Small Businesses and more get involved at www.staysafeonline.org. You can also follow NCSA on Facebook or on Twitter @STOPTHNKCONNECT and @StaySafeOnline and search #NCSAM to find more cyber safety tips and resources.

Canada’s national public awareness campaign Get Cyber Safe was created to educate Canadians about Internet security and the simple steps individuals can take to protect themselves online. Learn more at www.getcybersafe.gc.ca and follow them on Twitter @GetCyberSafe

And the European Union advocacy campaign European Cyber Security Month (ECSM) aims to promote cyber security among citizens, to change their perception of cyber-threats and provide up to date security information, through education and sharing good practices. Visit http://cybersecuritymonth.eu/ to learn more and follow ‪#‎cybersecawarenessmonth‬ on social media to keep up on activities in Europe.

As NCSA explains… The Internet is a shared resource and securing it is Our Shared Responsibility. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society safer and more resistant from attacks and more resilient if an attack occurs.

Also read and share our Oct 2013 enews article called Protecting devices from cyber threats.

Stay safe out there, j & B

 

 


Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

September 25, 2014

shellshock bash bugA serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is a part of many Linux / Unix systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was just disclosed yesterday 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11 but that bug required more work to exploit holes, whereas Shellshock opens the way for hackers to add and manipulate code or data into “shell” commands.

Several exploits have already been identified in the wild (read herehere and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is system administrators and developers need to patch this Bash bug asap.

PATCH AVAILABLE

There are patches available through the links below and realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Labs’ Global Research & Analysis Team has great Q&A about the “Bash” vulnerability with an easy test on how to check if your system is vulnerable on Securelist.com. There is some geek-speak throughout the Q&A but it could be helpful to some techie users and programmers.

The patching process for Apple users is described over at StackExchange,  but be warned - according to Mashable, it requires a certain level of command line-level knowledge to be applied.

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kasperksy said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld


Follow

Get every new post delivered to your Inbox.

Join 2,165 other followers

%d bloggers like this: