Posts by xmisupport

Scams: Vaccine Scams

With the rollout of COVID-19 vaccines, you know that scammers and their dirty tricks won’t be far behind. As with many scams, the bad guys are after both your money and your personal information. Along with claiming to sell early access to vaccines and saying that you are required to get a COVID test or antibodies test before getting a vaccine, scammers are offering unproven treatments and “cures” for the virus. All of this for a price, of course.

According to the Federal Bureau of Investigation (FBI), some indications that you may be dealing with a scam include:

- Advertisements or offers for early access to a vaccine upon payment of a deposit or fee
- Requests asking you to pay out of pocket to obtain the vaccine or to put your name on a COVID-19 vaccine waiting list
- Suggestions of additional medical testing or procedures (for a fee or in exchange for Medicare or insurance information) when obtaining a vaccine
- Marketers offering to sell and/or ship doses of a vaccine, domestically or internationally, in exchange for payment
- Unsolicited emails, telephone calls, or personal contact from someone claiming to be from a medical office, insurance company, or COVID-19 vaccine center requesting personal and/or medical information to determine eligibility to participate in clinical vaccine trials or obtain the vaccine
- Unverified claims of FDA approval for a vaccine
- Advertisements for vaccines through social media platforms, email, telephone calls, online, or from unsolicited/unknown sources
- Individuals contacting you in person, by phone, or by email telling you that the government requires you to receive a COVID-19 vaccine

The Department of Health and Human Services suggests you remember the following to keep yourself and your family safe from COVID-related scams:

- You will not be asked for money to enhance your ranking for vaccine eligibility.
- Government and State officials will not call you to obtain personal information in order to receive the vaccine, and you will not be solicited door to door to receive the vaccine.
- Medicare beneficiaries should be wary of unsolicited requests for their personal, medical, and financial information. Medicare will not call to offer COVID-19 related products, services, or benefits.
- Do not trust unexpected callers or visitors offering COVID-19 tests or supplies. If you receive a suspicious call, hang up immediately.
- Do not respond to, or click links in, emails or text messages about COVID-19 from unknown individuals.
- Ignore offers or advertisements for COVID-19 testing or treatments on social media sites. If you make an appointment for a COVID-19 test online, make sure you are dealing with an official testing site.
- Do not give your personal or financial information to anyone claiming to offer HHS grants related to COVID-19.
- Be aware of scammers pretending to be COVID-19 contact tracers. Know that legitimate contact tracers will never ask for your Medicare number or financial information. They will not attempt to set up a COVID-19 test for you and collect payment information for the test.

If you suspect COVID-19 health care fraud, report it immediately online or call 800-HHS-TIPS...


Privacy: Should Passwords Be Complicated? Or Just Long?

You know the routine: you set up a new account and you are asked for a password. The password you choose must be suitably complex, or you can let the site choose a password for you, full of numbers and special characters and impossible to remember. What if you were to use a series of unrelated words instead of a password such as “%wT65g17&”? The Federal Bureau of Investigation (FBI) thinks that could be a better choice. They recommend combining multiple words into a long string of at least 15 characters. For example, the site https://www.useapassphrase.com/ says that the passphrase “embassy praising expire owl” would take hackers 34,084,573 centuries to crack, as opposed to seconds or milliseconds for most commonly used types of passwords (e.g., 18 milliseconds to crack “december”). The site features a password generator that will generate a random four-, five- or twelve-word passphrase and tell you how long it would take to crack.

Why do they think this approach would work? You might picture a hacker as a guy in a hoodie, hunched over a keyboard entering password attempt after password attempt, but in reality the bad guys use scripts that quickly run through massive numbers of passwords. According to the site, the method for cracking passwords might look something like this:

- The hackers start with a bunch of wordlists. The top 10 million passwords is one. Also, lists of all English words, all names, dates, and so on. In less than one second, 30% of all passwords will be cracked.
- The next step is to try all of the words again with common substitutions: capitalizing the first letter (december → December), making common letter-for-number swaps (december → d3cemb3r), and other common variations.
- After that, they start combining the previous wordlists. Name + date (doug3251983). Name + [separator] + date (doug.3251983).
- If all else fails, the final step is a brute force attack, i.e., try every combination of characters. Try a, then b, then c … eventually aa, ab, ac … eventually 6j2b#hi8, 6j2b#hi9, 6j2b#hi0, et cetera.

As the online comic strip xkcd says, “Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.” Of course, some sites will not let you use a password that doesn’t include capital letters, numbers and/or special characters. In that case, your best bet is probably to use a password manager. Password managers will generate secure passwords as needed and store all of your passwords for you so that you can use them across devices. Many people find this to be the easiest solution. However, if you need to generate a password that, for whatever reason, you need to remember, you would be wise to follow the advice of the FBI and create passphrases of about four words and at least 15 characters. “mambo tango mister denim” would take 2,303,286 centuries to crack. That seems pretty secure to...
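To make the comparison above concrete, here is an added example (not code from the original post or from useapassphrase.com) that estimates the search space a guessing script faces for three kinds of secret: a single common word that sits in a “top 10 million” list, a 9-character random password like “%wT65g17&”, and a passphrase of words chosen at random from a list. The list sizes (10 million common passwords, a 7,776-word Diceware-style list, 95 printable characters) and the guess rate of 10 billion guesses per second are this example’s assumptions, so the resulting times differ from the site’s figures; the method is the same.

```python
import math

# All parameters below are this example's assumptions, not figures from the
# original post or from useapassphrase.com.
TOP_PASSWORD_LIST_SIZE = 10_000_000   # a "top 10 million passwords" wordlist
WORD_LIST_SIZE = 7776                 # Diceware-style word list (6**5 words)
PRINTABLE_ASCII = 95                  # upper, lower, digits, symbols, space
GUESSES_PER_SECOND = 1e10             # assumed offline rate against a fast hash

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space_chars(alphabet_size: int, length: int) -> int:
    """Candidates for a password of `length` symbols chosen uniformly at random."""
    return alphabet_size ** length


def search_space_words(word_list_size: int, n_words: int) -> int:
    """Candidates for a passphrase of `n_words` words chosen uniformly at random
    from one list (order matters, repeats allowed)."""
    return word_list_size ** n_words


def entropy_bits(search_space: int) -> float:
    """Strength in bits: the number of yes/no guesses the secret is worth."""
    return math.log2(search_space)


def expected_crack_seconds(search_space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average half the space is tried."""
    return search_space / 2 / rate


def seconds_to_centuries(seconds: float) -> float:
    """Express a duration the way the site does, in centuries."""
    return seconds / SECONDS_PER_CENTURY


def strength_table() -> dict:
    """Search space, bits and expected crack time for the styles the post compares."""
    cases = {
        # "december": one entry in the top-10M list, found by the first wordlist pass
        "dictionary word": TOP_PASSWORD_LIST_SIZE,
        # "%wT65g17&": 9 printable characters chosen at random
        "9 random chars": search_space_chars(PRINTABLE_ASCII, 9),
        # "embassy praising expire owl"-style phrases of 4, 5 and 12 random words
        "4 random words": search_space_words(WORD_LIST_SIZE, 4),
        "5 random words": search_space_words(WORD_LIST_SIZE, 5),
        "12 random words": search_space_words(WORD_LIST_SIZE, 12),
    }
    return {
        label: {
            "space": space,
            "bits": round(entropy_bits(space), 1),
            "seconds": expected_crack_seconds(space),
            "centuries": seconds_to_centuries(expected_crack_seconds(space)),
        }
        for label, space in cases.items()
    }


if __name__ == "__main__":
    for label, row in strength_table().items():
        print(f"{label:16} {row['bits']:6.1f} bits  "
              f"{row['seconds']:12.3e} s  {row['centuries']:12.3e} centuries")
```

Running it shows the point the post makes and one caveat it does not: a word in a common-password list falls in well under a millisecond at this rate, while four random words already push the expected time to days. But four words drawn from a 7,776-word list (about 52 bits) are still somewhat weaker than nine fully random printable characters (about 59 bits); the fifth word is what puts the passphrase ahead, and twelve words are out of reach entirely. The estimate only holds when the words are picked at random from the list, not when they form a sentence you would naturally write, which a wordlist-combination pass of the kind described above can reach.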


Crimeware: Phishing Scheme Gives Bad Guys Access to Your Cloud Data

As online users become more sophisticated, hackers are becoming more sophisticated as well. Early phishing attacks relied on users clicking links without paying attention to where the links took them. For example, a hacker would create a page that looked just like the PayPal login page, but it was actually a fake page used by the bad guys to capture login information from people who believed they were signing into their PayPal accounts.

Today, there are new twists to the old phishing scams. The usual tipoff in a phishing scam is that the user is sent to a domain impersonating the real one. It might be paypal.log-in.com instead of paypal.com, for example. In one recent scam, however, users who clicked on a malicious link to login.microsoftonline.com were taken to Microsoft’s actual login page. The catch is that there is code appended to the link that tells Microsoft to forward an authentication token to officesuited[.]com, a site controlled by the hackers. The user is then sent to a page that grants permissions to access the user’s email, contacts, files, mailboxes, and more. This same approach could be used with other cloud providers. In fact, Gmail was targeted by a similar tactic in 2017.

Why would users grant these permissions? If they do not know there is a malicious actor involved, users may not be concerned. We have been conditioned to click and agree when presented with options. According to Michael Tyler of Phishlabs.com, “We can look at the reason phishing is still around and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make. Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

Because the login happens at Microsoft’s website, two-factor authentication would not protect users. And once access has been given to this malicious app, even changing the password would not prohibit the hackers’ access. Microsoft provides instructions for rescinding illicit consent grants, but the best way for users to avoid this issue is to carefully review the entire URL when installing apps and granting permissions. Look for links to unfamiliar sites and odd URLs. System administrators can block users from installing any apps or limit them to apps from the official Microsoft...
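To show what “review the entire URL” means for a consent link, here is an added example (not code from the original post, PhishLabs or Microsoft) that pulls apart an OAuth 2.0 authorize link of the shape the Microsoft identity platform uses and reports where the resulting token would be delivered and what the app could do with it. The trusted redirect host portal.contoso.example, the redirect host officesuited.example (a constructed stand-in for the post’s officesuited[.]com), the all-zero client_id placeholder and the choice of which scopes count as high impact are this example’s assumptions; the scope names themselves are Microsoft Graph permission names.

```python
from urllib.parse import urlsplit, parse_qs

# Microsoft Graph permission scopes that give broad access to a mailbox and
# its data. Which ones to treat as "high impact" is this example's choice.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite",
}

# Hosts an organisation expects its own registered apps to redirect to.
# Constructed for this example.
TRUSTED_REDIRECT_HOSTS = {"portal.contoso.example"}

# Constructed sample links. The login host is genuine in both; only the
# query string differs. officesuited.example stands in for the post's
# attacker-controlled domain; the client_id is a placeholder.
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficesuited.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Contacts.Read%20Files.ReadWrite.All"
    "&state=abc"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fsignin"
    "&scope=openid%20profile%20User.Read"
    "&state=xyz"
)


def review_consent_url(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> list:
    """Return human-readable findings for an OAuth authorize link.

    Checking the login host proves nothing here, since it is real. What
    matters is where the token goes (redirect_uri) and what it can do (scope).
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/authorize"):
        return []  # not an authorization request; nothing to review

    params = parse_qs(parts.query)  # parse_qs percent-decodes the values
    findings = []

    redirect = params.get("redirect_uri", [None])[0]
    if redirect is None:
        findings.append("no redirect_uri: the app's registered default will be used")
    else:
        target = urlsplit(redirect)
        host = target.hostname or ""
        if host not in trusted_hosts:
            findings.append(f"token will be delivered to an unfamiliar host: {host}")
        if target.scheme != "https":
            findings.append(f"redirect_uri is not https: {redirect}")

    scopes = set(" ".join(params.get("scope", [])).split())
    risky = sorted(scopes & HIGH_IMPACT_SCOPES)
    if risky:
        findings.append("requests broad mailbox/file access: " + ", ".join(risky))
    if "offline_access" in scopes:
        # A refresh token keeps working after a password change; only revoking
        # the consent grant cuts the app off.
        findings.append("offline_access: access survives a password change until consent is revoked")

    return findings


if __name__ == "__main__":
    for name, link in (("suspicious", SUSPICIOUS_URL), ("benign", BENIGN_URL)):
        print(name)
        for finding in review_consent_url(link) or ["no findings"]:
            print("  -", finding)
```

The offline_access finding is the mechanism behind the post’s remark that changing the password does not shut the hackers out: the app holds a refresh token, so the consent grant itself has to be revoked, which is what Microsoft’s instructions for illicit consent grants cover. Users will rarely run a script on a link, which is why the post’s closing advice to administrators matters: restricting which apps users may consent to applies this check in policy rather than at the moment the “okay” button is on screen.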


Legal Matters: Fraud Reports from the FTC and the FBI

On June 15, 2021, the FBI’s Internet Crime Complaint Center (IC3) released its 2020 Elder Fraud Report. According to the report, IC3 received a total of 791,790 complaints in 2020, with reported losses exceeding $4.1 billion. About 28% of the total fraud losses were sustained by victims over the age of 60, and seniors suffered approximately $1 billion in losses. This represents an increase of about $300 million in losses in 2020 over what was reported by victims over 60 in 2019. The FBI Elder Fraud Report also said the “average victim over 60 lost nearly $9,200 and that nearly 2,000 senior victims lost more than $100,000 each.” The largest increase came in tech-support scams, which exceeded $116 million in 2020, up from less than $38.5 million in 2019.

According to the Federal Trade Commission, younger people reported losing money to fraud more often than older people (44% of victims were aged 20 – 29 vs. 20% aged 70 – 79); however, when people aged 70+ suffered a loss, the median loss was much higher ($635 for ages 70 – 79 and $1,300 for ages 80+, vs. $324 for ages 20 – 29).

The FBI reports that the most common types of identity theft and fraud scams encountered by individuals 60 years of age and over included:

- Tech support scam: Criminals access victims’ devices by posing as support representatives offering to repair issues.
- Romance scam: Bad guys approach victims on online dating sites and form relationships to extract money.
- Investment fraud: Promises of high returns on investments are offered online or at in-person events.
- Grandparent scam: Criminals pretend to be a family member in distress needing immediate funds.
- Government impersonation scam: Criminals pose as government employees and threaten to arrest or prosecute victims unless they agree to provide payments.
- Sweepstakes/charity/lottery scam: The bad guys claim to represent charities and solicit donations. Or they claim that the victim has won a prize and needs to pay a fee to collect their winnings.
- Home repair scam: Criminals charge homeowners in advance for home improvement services that they never provide.
- TV/radio scam: Hearing it on the radio or TV doesn’t make it legitimate. Crooks may advertise to find victims.
- Family/caregiver scam: The people closest to the victim may be the ones who steal from them, including relatives or caregivers.

Know how to protect yourself, and let family members know that they can protect themselves by: (1) learning to recognize common scams; (2) resisting pressure to act quickly, as scammers create a sense of urgency to avoid letting victims have time to think or get more information; (3) being wary of unsolicited phone calls, mailings, and door-to-door service offers; (4) protecting your identity by never sharing your personally identifiable information (PII); and (5) making sure your computer anti-virus, security software and malware protections are up to...


Privacy: Should You Unsubscribe From Spam Texts and Emails – Or Not?

How many emails do you receive in a typical day? If you are like most people, the answer is probably, “Too many!” Some are emails you want, others you no longer find useful and some are just plain spam. Obviously, the ones you want to receive are not a problem, but what can you do about the others?

First let’s define what “spam” is. Spamhaus defines it this way: “Spam is an issue about consent, not content. Whether the Unsolicited Bulk Email (“UBE”) message is an advert, a scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant – if the message was sent unsolicited and in bulk then the message is spam.” That means that if you subscribed to an email newsletter or agreed to receive sale notices from an online retailer, those messages are not spam, even if they are no longer of interest to you. If you are receiving such emails from reputable organizations and want them to stop, clicking the unsubscribe link is the way to go. You should not, however, mark these emails as spam. Depending on your email service, marking legitimate emails as spam may affect how the email service treats them, and people who want to receive them may find the messages directed to their spam box instead of their inbox.

So what about the stuff you didn’t ask for and do not want in your inbox? You can’t stop spam. Anyone who has your email address can send email to you. And blocking an email sender seldom works, as the spammers use lots of random email addresses to send their junk to you. Unsubscribing is not a good idea in these cases, as all this does is confirm to the spammers that they are sending to a valid address. They will send more spam or even sell your email address as a live address.

Although you can’t stop spam, you can manage it. Spam filters are an important tool in keeping spam out of your inbox and relegating it to the junk or spam folder, where it belongs. Most email platforms use some kind of spam filtering, but none of them are perfect. You will have the occasional spam message slip through or even some false positives, where messages that are not spam get sent to the spam folder. You can train your spam filters and improve the results by marking messages that are improperly filtered.

The best thing to do is take steps to keep your email address from falling into the hands of spammers in the first place:

- Do not post your email address publicly on websites, social media or other places.
- Do not respond to spam by unsubscribing or clicking on a link in the email.
- Disable images on email going to your spam folder. (When the image is accessed, it is like clicking on a link in an email and lets the spammers know they have a live one.)
- Do not give your email address to just anyone. When dealing with a new company, use a “throw-away” email address.

Of course, another source spammers use to harvest email addresses is those emails your Aunt Bea sends of cute kitten pictures that she cc’s to everyone on the planet. You can ask Aunt Bea not to do that, but chances are she is going to keep right on sending them anyway. So, have a throw-away email for Aunt Bea to use,...
