Tuesday, January 29, 2013

Connect With Friends and Family, Meet New People, and Possibly Get Scammed

https://www.facebook.com/facebook

I can’t even begin to tell you how many times I have been asked, “Are you on Facebook?”  My response every time is NO and to this day I still do not have a Facebook account.  There is no doubt in my mind that Facebook connects people with their friends and family and enables them to meet new people, however, there has always been something about Facebook that makes me uneasy.

As you can see in the picture above, at least 85 million people have visited Facebook's own Facebook page, and that counts only the people who gave the page a thumbs up.  That is a lot of people.  For a scammer, a site with that audience is a potential gold mine if they can find a way to run their scams on it.  They already have, and they have been doing it for some time now.

The goals of scams on Facebook are basically the same as those of other scams on the Internet: steal your personal information, trick you into subscribing to some service, or get you to download malicious code (Zorz, 2013, Facebook scams and why users fall for them).

To accomplish those goals, scammers have devised many ways of delivering their scams on Facebook.  These include, but are not limited to: messages disguised as coming from Facebook itself (Facebook preference changes, free Facebook items to give away, Facebook account scare alerts, and Facebook notification emails); free items offered by third parties (a free iPad or iPhone, a free Walmart gift card, etc.); attention-grabbing news, real or fake; and attention-grabbing videos, pictures, or statements (Zorz, 2013, Facebook scams and why users fall for them).

As always, there are measures you can practice to protect yourself on Facebook.

1. Educate yourself on the methods scammers are using.  Many websites track the scams currently circulating on Facebook.  Find one you like and read up on them (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).

2. Restrain yourself from clicking on interesting pictures, videos, or links.  I know it can be hard not to click on them; in the end, just refrain from it (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).

3. Click with caution.  Scammers post links on Facebook hoping you will click on them.  Examine links carefully by looking at the link's actual URL rather than the text displayed for it: hover the mouse over the link and read the address shown in the browser's status bar, or right-click it and copy the link address.  Signs of an illegitimate URL are: a shortened link that hides the real destination, a misspelling of Facebook, an unusually long address, or a string of many numbers or random letters (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).  Also check which domain the address really belongs to; the word "facebook" appearing somewhere in a subdomain or path does not mean the link goes to facebook.com.

4. Be cautious when approving apps.  Many Facebook users fail to read the permissions an app requests before approving it, or are pushed into approving an app in order to see some piece of content.  If a permissions dialog or fine print is present, read it thoroughly; it may reveal that you are authorizing the app to do something like access your address book and/or act under your user name.  If you find yourself being forced into allowing an app, it is probably safe to say the app has malicious intent.  Such an app can be stopped by closing the browser tab before you grant it anything (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).
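The link checks in measure 3 can be turned into a small script.  The following Python is an added example written for this post (it is not code from Zorz's articles or from Facebook): it flags known link shorteners, look-alike spellings of "facebook", the word "facebook" appearing in a URL whose registered domain is something else, unusually long addresses, and addresses stuffed with digits.  The shortener list and the sample links are constructed for the demonstration, and the "last two labels" rule used for the registered domain is a simplification that does not handle suffixes such as co.uk.

```python
from urllib.parse import urlparse

# A few well-known link shorteners (illustrative list, not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'www.facebook.com' -> 'facebook.com'.
    Simplification for the example: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; used to catch look-alikes such as faceb00k or facebok."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(url):
    """Return a list of reasons the link looks illegitimate (empty if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    warnings = []

    if domain in SHORTENERS:
        warnings.append("shortened link hides the real destination")

    if domain != "facebook.com":
        # 'facebook' in a subdomain or in the path does not make it Facebook's site.
        if "facebook" in host or "facebook" in parsed.path.lower():
            warnings.append("'facebook' appears in the URL but the domain is " + domain)
        # Misspellings one or two edits away from the real name.
        name = domain.split(".")[0]
        if name != "facebook" and edit_distance(name, "facebook") <= 2:
            warnings.append("look-alike spelling of facebook: " + name)

    if len(url) > 100:
        warnings.append("unusually long URL")

    if sum(c.isdigit() for c in host + parsed.path) >= 8:
        warnings.append("URL contains many digits")

    return warnings


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for sample in ("https://www.facebook.com/facebook",
                   "http://bit.ly/3xYz",
                   "http://faceb00k.com/free-ipad",
                   "http://facebook.com.account-verify.net/login"):
        print(sample, "->", link_warnings(sample) or "looks ok")
```

A shortened link is not malicious by itself; the point of flagging it is that you cannot tell where it goes until you expand it, so treat it as unknown rather than trusted.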

There is one last measure that I would like to add, but many may not think it is practical so I am not going to list it as measure number 5.  However, I will share it strictly as a personal recommendation.  If you are really worried about the scams on Facebook then don’t use it.  I personally don’t have a Facebook account because I like keeping my life as private as possible.  Additionally, if I want to connect with friends or family then I will call them, email them, or in some cases I will even send them a letter or card through the U.S. mail.

Resources:

Facebook is on Facebook. (n.d.). Retrieved January 29, 2013, from https://www.facebook.com/facebook

Zorz, Z. (2013, January 17). Facebook scams and why users fall for them. Retrieved January 29, 2013, from http://www.net-security.org/secworld.php?id=14252

Zorz, Z. (2013, January 25). How to avoid Facebook scams and limit the damage they make. Retrieved January 29, 2013, from http://www.net-security.org/secworld.php?id=14304

Tuesday, January 22, 2013

Do You Really Safeguard Your Information?

My job requires me to travel from time to time.  When I travel for work I normally have to fly to the location I am required to go to.  I am usually very careful when I make my airline reservations.  However, when I made my flight arrangements for a trip I took last week I made a mistake which resulted in a five hour layover.  Needless to say, I had a lot of time to waste in an airport that I really did not want to be at.

During that long stretch of time, I started to think about a video that I watched on YouTube a couple of months back.  The video is of a presentation called No-Tech Hacking, given by a computer security expert named Johnny Long.  I have inserted the video, which I obtained from YouTube, below for those that would like to watch it.

What is so interesting about the presentation is that Johnny Long informs the audience how easy it is to obtain information on people, organizations, and/or businesses by observing the actions of others and/or by paying attention to what is in plain view.  I used to think that attackers (scammers, hackers, and cyber terrorists) would obtain personal information by using technical methods until I watched Johnny Long's presentation.  What Johnny Long reveals is that people often give up their private information without even knowing it.

For example, when I was sitting in the airport waiting for my connecting flight I was able to learn a lot about the people around me.  I observed a man enter his password on his mobile device not once or twice, but three times.  By the way, I had it memorized after the second time.  Additionally, I was able to view the screens of many laptops, and many had what appeared to be work-related information on them.

So what can we all learn from this?  What I learned is that I have to be more careful about concealing my personal information when I am in public or private places.  Many may think I am being paranoid, but just remember that attackers will use a variety of methods to try and obtain your personal information so they can use it for malicious purposes, even if it means using a method as simple as observing your actions in an airport.

Resources:

Basic204. (2008, September 11). No-tech hacking [Video file]. Retrieved from http://www.youtube.com/watch?v=5CWrzVJYLWw

 

Tuesday, January 15, 2013

People Are the First Line of Defense

In last week's blog post I talked about the effectiveness of phishing attacks and habits that lessen your chances of becoming a victim.  This week I would like to go over an incident that was more than likely initiated with a phishing attack and identify a security measure that is often not utilized but, when implemented, can strengthen an organization's information security program.

In October 2012, South Carolina state officials disclosed that the South Carolina Department of Revenue had experienced a massive data breach.  The attacker apparently had access to the Department of Revenue's database for months and was able to obtain 1.9 million Social Security numbers and 3.3 million bank account numbers (Schwartz, 2012).

The most shocking aspect of the South Carolina Department of Revenue breach, for me, is that it may have been initiated with a phishing attack.  The security firm Mandiant offered a theory of how the attacker gained access to the Department of Revenue's database.  They found evidence suggesting that a phishing e-mail was sent to multiple Department of Revenue employees.  At least one employee clicked the link in the e-mail, which launched malicious code that captured that employee's user name and password.  With those credentials the attacker could log in as the employee, access the user's workstation, manipulate the user's access rights, and reach other Department of Revenue systems and databases (Heilman & Glyer, 2012, pp. 2-3).

This incident is a perfect example to illustrate that people are the first line of defense when it comes to security.  In order to strengthen that first line of defense, it would be very beneficial for any organization to implement a security education, training, and awareness (SETA) program.  According to Whitman and Mattord (2010), "SETA programs enhance general education and training programs by focusing on information security" (p. 189).  With that being said, it would be interesting to know if the South Carolina Department of Revenue has a SETA program and if they do whether or not the employee that clicked on the link in the malicious e-mail completed any mandated information security training.

Implementing a SETA program is not an easy task.  Many aspects have to be analyzed and considered when developing the program.  Before beginning that large task, however, one should first obtain support from management.  That, too, is not an easy sell, but it may be accomplished by informing management of the consequences of not having a SETA program and briefing them on its benefits so that they buy into the program.

With cyber threats increasing at a rapid rate, it is only logical to invest in the first line of defense.  An effective SETA program gives employees the education, training, and awareness they need to recognize attacks like the phishing e-mail that started the South Carolina Department of Revenue breach, and so reduces the chance of such incidents occurring.

Resources

Heilman, M., & Glyer, C. (2012, November 20). South Carolina Department of Revenue public incident response report. Retrieved January 15, 2013, from http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20%20Department%20of%20Revenue%20%2011%2020%202012.pdf

Schwartz, M. (2012, November 26). How South Carolina failed to spot hack attack. Retrieved January 15, 2013, from http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spot-hack-a/240142543

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.

Friday, January 11, 2013

Most Scammers Would Rather Be Phishing

I am one of those people that thinks, "Who would fall for that?" when it comes to phishing scams.  For example, I received this text message not too long ago.  Really, I just won a $1000 Best Buy Gift Card??  I don't even recollect filling anything out to submit my name into the drawing.  Plus, I have never won anything so this is definitely a scam.
My wife was looking over my shoulder as I was inserting the above picture for this post and she kind of chuckled. I asked her what was so funny and she said that she received a text like that a couple of months ago that stated she won something from Wal-Mart. I said, "You deleted it right?"  She said, "No I clicked on the link and it brought me to this weird website.  After that I closed out of it, but this weird $10.00 charge ended up on our cellphone bill after that.  I had to call them and they ended up removing the charge."  I couldn't believe what I was hearing.  Of all the people, my wife fell for the obvious phishing scam.  I just consider myself lucky this time.
 
The whole situation made me think about the effectiveness of phishing.  According to scambusters.org, phishing scams are on the rise.  This is probably because they are easy for scammers to deploy and they work, but just how effective are they?  Statistics are scarce, perhaps because it is difficult to collect data on a phishing scam after it has been uncovered.  However, Bortnik (2011), an Awareness & Research Coordinator at ESET Latinoamerica, reported in his blog that his organization studied a phishing attack that lasted just over five hours.  In that brief window 164 people visited the site and 35 of them entered their credit card information (Bortnik, 2011).  I consider that an effective phishing scam in my book.  Another statistic, from phishing.org, states that "the cost of phishing is nearly $500 million per year in the United States alone."  That is a lot of money, and it shows that phishing works.
 
So what is phishing and what can you do to avoid becoming a victim?  Phishing is a method attackers use to trick people into handing over sensitive information, usually by posing as an organization the victim trusts.  It is delivered by email, by phone, and increasingly by text message to mobile devices, which are growing rapidly in use and popularity; the gift card text above is an example of the last kind.
 
Surprisingly, phishing attacks are fairly easy to defend against even as they become more sophisticated.  If you practice the following techniques, provided by phishing.org, you will decrease your chances of becoming a victim of a phishing attack:
 
1. Check email carefully: look for errors and verify the information.  One way to verify it is to call the organization named in the email directly.  However, do not use a phone number given in the email; it could be another trick.  Look the number up on the organization's own website or on a statement you already have.
 
2. Never provide private information after clicking a link in an email: many phishing emails lead to a page that asks for your private information once you click the link.  If you need to check an account, type the organization's address into the browser yourself instead.
 
3. Identify fake phone numbers: phishing attacks over the phone may spoof the caller ID, so the number displayed proves nothing about who is really calling.  When in doubt, don't relinquish any private information.  I personally never provide any information unless I initiated the call to the organization.
 
4. Use firewalls and antivirus: when configured correctly and updated regularly they help block or flag malicious attachments and known phishing sites, although they will not catch every attempt.
 
5. Never send private information in an email: there is no telling who may end up with private information you send in an email.  The best practice is to just not do it.
 
6. Check your finances regularly:  this will allow you to identify and dispute any discrepancies shortly after they occur.
 
7. Never download files from unreliable sources: If you have any doubt at all as to the legitimacy of an email or website then don't download any files from the source.
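Part of the "check email carefully" advice in item 1 can be automated.  The following Python script is an added example written for this post (it is not code from phishing.org or scambusters.org): given a raw email message, it reports two classic indicators, a From address whose domain differs from the Return-Path domain where bounces are actually sent, and an HTML link whose visible text shows one site while its href goes to another.  The sample message, including the sender name, addresses and URLs, is constructed for the demonstration and is not a real message; on a real message the Return-Path header is added by your receiving mail server.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; sender, addresses and URLs are made up for this
# example and do not refer to any real campaign.
SAMPLE_EMAIL = """\
From: "Best Buy Rewards" <rewards@bestbuy.com>
Return-Path: <bounce@mail-promo-7731.net>
To: you@example.com
Subject: You have won a $1000 gift card
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! Claim your prize at
<a href="http://bestbuy-prize.claim-center-7731.net/win">https://www.bestbuy.com/rewards</a>
before it expires.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host name of a URL (scheme optional), lower-cased, or '' if none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def mail_domain(header_value):
    """Domain part of the address in a From or Return-Path header ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the visible sender domain match where bounces actually go?
    from_domain = mail_domain(msg["From"])
    bounce_domain = mail_domain(msg["Return-Path"])
    if (from_domain and bounce_domain and bounce_domain != from_domain
            and not bounce_domain.endswith("." + from_domain)):
        findings.append("From claims %s but bounces go to %s" % (from_domain, bounce_domain))

    # 2. Does each link's visible text point where the href really goes?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only compare when the anchor text itself looks like an address.
            shown = host_of(text) if ("." in text and " " not in text) else ""
            if shown and shown != host_of(href):
                findings.append("link text shows %s but points to %s" % (shown, host_of(href)))

    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL) or ["no indicators found"]:
        print(finding)
```

Legitimate bulk mailers do sometimes send from one domain and collect bounces at another, so the Return-Path mismatch is a prompt to investigate rather than proof by itself; a link whose text names one site while it leads to another is a much stronger sign and is exactly the trick the gift card texts above rely on.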
 
Phishing scams are effective, and therefore I think they will remain a method that attackers continue to employ.  Thankfully, there are ways to combat their ploys.  Practice the above suggestions and you will lessen your chances of becoming a victim.  Thanks for reading, and look for my next post sometime next week.
 
Resources
 
Bortnik, S. (2011, January 26). Inside a phishing attack: 35 credit cards in 5 hours [Blog post]. Retrieved from ESET Threat Blog: http://blog.eset.com/2011/01/26/inside-a-phishing-attack-35-credit-cards-in-5-hours
 
How to prevent phishing scams. (n.d.). Retrieved January 11, 2013, from http://www.phishing.org/
 
Phishing scams: How you can protect yourself. (n.d.). Retrieved January 11, 2013, from http://www.scambusters.org/phishing.html