IT Security Professional

The FBI Issues Alert on Tech Support Fraud


Based on new reporting, the FBI's Internet Crime Complaint Center (IC3) provided on March 28th updated guidance regarding technical support fraud. Tech support fraud involves a criminal claiming to provide customer, security, or technical support in an effort to defraud unsuspecting people.

Because the alert is so substantive and contains so much valuable information, I have reprinted it almost in its entirety below. Yes, it is long. But it is highly instructive reading.

In 2017, the IC3 received approximately 11,000 complaints related to tech support fraud. The claimed losses amounted to nearly $15 million, which represented an 86% increase in losses from 2016. While a majority of tech support fraud involved victims in the United States, IC3 has received complaints from victims in 85 different countries.

Criminals may pose as a security, customer, or technical support representative offering to resolve such issues as a compromised e-mail or bank account, a virus on a computer, or to assist with a software license renewal. Some recent complaints involve criminals posing as technical support representatives for GPS, printer, or cable companies, or support for virtual currency exchangers.

As this type of fraud has become more commonplace, criminals have started to pose as government agents, even offering to recover supposed losses related to tech support fraud schemes or to request financial assistance with "apprehending" criminals.

HOW THE FRAUD OCCURS

Initial contact with the victim typically occurs through the following methods:

Telephone: A victim receives an unsolicited telephone call from an individual claiming the victim's device or computer is infected with a virus or is sending error messages to the caller. Callers are generally reported to have strong, foreign accents.

Search Engine Advertising: Individuals in need of tech support may use online search engines to find technical support companies. Criminals pay to have their fraudulent tech support company's link show higher in search results hoping victims will choose one of the top links in search results.

Pop-up message: The victim receives an on-screen pop-up message claiming a virus has been found on their computer. In order to receive assistance, the message requests the victim call a phone number associated with the fraudulent tech support company.

Locked screen on a device: The victim's device displays a frozen, locked screen with a phone number and instructions to contact a fraudulent tech support company. Some victims have reported being redirected to alternate Web sites before the locked screen occurs.

Pop-ups and Locked Screens

  • Often accompanied by a recorded, verbal message to contact a phone number for assistance.
  • Frequently programmed into links for advertisements or popular topics on social media.
  • Web addresses of popular Web sites (such as social media or financial Web sites) can be typo-squatted to result in a pop-up or locked screen if the victim incorrectly types the intended Web site address.

Phishing e-mail warning: The victim receives a phishing e-mail warning of a possible intrusion to their computer or an e-mail warning of a fraudulent account charge to their bank accounts or credit cards. The e-mail provides a phone number for the recipient to contact the fraudulent tech support.
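The typo-squatting bullet above describes the one contact method a defender can check mechanically: a hostname that is a small edit away from a site the user trusts. The following Python is an added example, not part of the FBI alert or of any vendor product; it shows the near-miss check a browser extension or an internal DNS filter could apply before a request leaves the machine. The protected-domain list and the sample hostnames are constructed for illustration, and the registrable-domain helper is a deliberate simplification (a production version would consult the Public Suffix List).

```python
"""Flag a typed hostname that is a small edit away from a site the user trusts.

Added example, not part of the FBI alert: a defensive near-miss check of the
kind a browser extension or a corporate DNS filter could apply. The protected
list and the sample hostnames below are constructed for illustration.
"""
from typing import Optional

# Constructed list of sites the user actually visits (assumption, not from the alert).
PROTECTED_DOMAINS = ["facebook.com", "paypal.com", "chase.com", "google.com"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1. Swaps matter because 'gogole'
    and 'faecbook' are the typos people actually make."""
    prev2: Optional[list] = None          # row i-2 of the distance table
    prev = list(range(len(b) + 1))        # row i-1: distance from "" to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]                         # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,            # delete ca
                       cur[j - 1] + 1,         # insert cb
                       prev[j - 1] + cost)     # substitute (or match)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transpose adjacent pair
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels ("www.paypa1.com" -> "paypa1.com").
    Simplification: real code should consult the Public Suffix List so that
    names under suffixes such as co.uk are handled correctly."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def nearest_protected(host: str, protected=PROTECTED_DOMAINS,
                      max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this hostname most resembles, or None when it
    is an exact match (legitimate) or not close enough to be a typo."""
    domain = registrable_domain(host)
    if domain in protected:
        return None
    best_name, best_dist = None, max_distance + 1
    for good in protected:
        d = edit_distance(domain, good)
        if d < best_dist:
            best_name, best_dist = good, d
    return best_name if best_dist <= max_distance else None


if __name__ == "__main__":
    # Constructed sample hostnames: two typos, one exact match, one unrelated site.
    for host in ["www.paypa1.com", "faceboook.com", "chase.com", "example.org"]:
        hit = nearest_protected(host)
        print(f"{host:20s} -> {'looks like ' + hit if hit else 'no near-miss'}")
```

A hit is a reason to interrupt navigation with a warning, not proof of fraud: some near-miss domains are legitimately registered by the brand itself, which is why the check should be paired with the exact-match allow-list rather than replace it.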

Once the fraudulent tech support company representative makes verbal contact with the victim, the criminal tries to convince the victim to provide remote access to the victim's device. If the device is a tablet or smart phone, the criminal often instructs the victim to connect the device to a computer. Once remotely connected, the criminal claims to find expired licenses, viruses, malware, or scareware. The criminal will inform the victim the issue can be removed for a fee. Criminals usually request payment through personal/electronic check, bank/wire transfer, debit/credit card, prepaid card, or virtual currency.

Another widespread issue is "the fake refund." In this scheme, the criminal contacts the victim offering a refund for tech support services previously rendered. The criminal requests access to the victim's device and instructs the victim to log in to their online bank account to process a refund. As a result, the criminal gains control of the victim's device and bank account. With this access, the criminal makes it appear as if too much money was refunded to the victim's account and requests the victim return the difference back to the criminal's company via a wire transfer or prepaid cards. In reality, there was no refund at all. Instead, the criminal transferred funds among the victim's own accounts (checking, savings, retirement, etc.) to make it appear as though funds were deposited. The victim "returns" their own money to the criminal. The "refund and return" process can occur multiple times, resulting in the victim potentially losing thousands of dollars.

VARIATIONS AND TRENDS

Tech support fraud was originally an attempt by criminals to gain access to devices to extort payment for fraudulent services. However, criminals are creating new techniques and versions of the scheme to advance and perpetuate the fraud.

Re-targeting previous victims and contacts

  • Criminals pose as government officials or law enforcement. The criminal offers assistance in recovering losses from a previous tech support fraud incident. The criminal either requests funds from the victim to assist with the investigation or to cover fees associated with returning the lost funds.
  • Criminals pose as collection services claiming the victim did not pay for prior tech support services. The victim is often threatened with legal action if the victim does not pay a settlement fee.

Virtual Currency

Virtual currency is increasingly targeted by tech support criminals, with individual victim losses often in the thousands of dollars.

  • Criminals pose as virtual currency support. Victims contact fraudulent virtual currency support numbers usually located via open source searches. The fraudulent support asks for access to the victim's virtual currency wallet and transfers the victim's virtual currency to another wallet for temporary holding during maintenance. The virtual currency is never returned to the victim, and the criminal ceases all communication.
  • Criminals who have access to a victim's electronic device use the victim's personal information and credit card to purchase and transfer virtual currency to an account controlled by the criminal.

Increasing use of victim's personal information and accounts to conduct additional fraud

  • Criminals use the victim's personal information to request bank transfers or open new accounts to accept and process unauthorized payments.
  • Criminals send phishing e-mails to the victim's personal contacts from the victim's computer.
  • Criminals download personal files containing financial accounts, passwords, and personal data (health records, social security numbers, tax information, etc.).

Additionally, IC3 complaints report:

  • Criminals who took control of victims' devices and/or accounts and did not release control unless a ransom was paid.
  • Viruses, key logging software, and malware were installed on victims' devices.
  • Criminals have become more belligerent, hostile, and abusive if challenged by victims.

SUGGESTIONS FOR PROTECTION

  • Remember that legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.
  • Install ad-blocking software that eliminates or reduces pop-ups and malvertising (online advertising to spread malware).
  • Be cautious of customer support numbers obtained via open source searching. Phone numbers listed in a "sponsored" results section are likely boosted as a result of Search Engine Advertising.
  • Recognize fraudulent attempts and cease all communication with the criminal.
  • Resist the pressure to act quickly. Criminals will urge the victim to act fast to protect their device. The criminals create a sense of urgency to produce fear and lure the victim into immediate action.
  • Do not give unknown, unverified persons remote access to devices or accounts.
  • Ensure all computer anti-virus, security, and malware protection is up to date. Some victims report their anti-virus software provided warnings prior to the attempt.

IF YOU ARE A VICTIM

  • Individuals who receive a pop-up or locked screen should shut down the device immediately. Ignore any pop-ups instructing them not to power off or restart the computer. Victims who reported shutting down the device and waiting a short time before restarting usually found the pop-up or screen lock had disappeared.
  • Do not re-contact fraudulent tech scam companies. Expect additional fraudulent calls as these companies often share their customer database information.
  • Should a criminal gain access to a device or an account, individuals should take precautions to protect their identity. Immediately contact financial institutions to place protection on accounts as well as change passwords and actively monitor accounts and personal information for suspicious activity.

FILE A COMPLAINT

Individuals who believe they may be a victim of an online scam (regardless of dollar amount) should file a complaint with the IC3 at www.ic3.gov. The more often fraud and scams are reported, the better equipped law enforcement can be to address the issues.

To report tech support fraud, please be as descriptive as possible in the complaint including:

  1. Identifying information of the criminal and company. Include Web sites, phone numbers, and e-mail addresses used by the criminal and company or any numbers you may have called.
  2. Account names and numbers and financial institutions receiving any funds (e.g., bank accounts, wire transfers, prepaid card payments, virtual currency wallets) even if the funds were not actually lost.
  3. Description of interaction with the criminal.
  4. The e-mail, Web site, or link that caused a pop-up or locked screen.

Complainants are also encouraged to keep all original documentation, e-mails, faxes, and logs of all communications.

As you can see, the criminals are getting craftier and more innovative all the time. All of the above needs to be included in mandatory employee cybersecurity training.

E-mail: snelson@senseient.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Shared by josephwebster (Denver, CO, USA), 53 days ago

Op-Ed Contributor: How to Prevent Smart People From Spreading Dumb Ideas

Think first before you retweet that bit of fake news.

Shared by josephwebster (Denver, CO, USA), 63 days ago, and christophersw (Baltimore, MD), 64 days ago

Marvel Comics Stands at a Fork in the Road


Marvel is rebooting their comics yet again, a move that will surprise absolutely no human, Kree, or Skrull in the 616. At this point, Marvel is like that dumb kid who–try as he might–just can’t stop himself from sticking his tongue to cold objects.

So, we’re unsurprisingly getting new Marvel #1s in 2018. But what other trend might be coalescing in the comic book industry just beneath the surface? Let’s discuss a trend that can be summed up in one word: divergence.

There are two very different comic book audiences, and those two audiences continue to diverge. Marvel Comics finds itself standing at a fork in the road, staring at a difficult choice created by current comic market realities.

The trail that forks right leads straight to comic shops (the Direct Market), or our FLCS (Friendly Local Comic Shops) for us old school comic readers. And there is nothing about the comic shop business that makes sense. Let me explain.

First, don’t conflate Marvel movie money with comic shop money. Comic shops are small businesses with very thin profit margins. Comic shops specialize in little 25-page $4 floppy pamphlets filled with colorful characters that have been around for decades. Small shops need tons of rack space for the hundreds of titles, yet they only sell 1 or 2 copies of 90% of the titles. As a business model, it’s nuts.

Worse, these comic shops are completely inaccessible to the vast, vast majority of the population who are confused as to why half the inventory is wrapped in mylar. The hurdles one has to clear in order to make their first comic shop visit are immense. Listen, they have a reputation. Comic shops are no one’s idea of cool and are notorious boys clubs, often downright hostile to any potential female audience. We all know this.

This creates a very insular clientele for comic shops. I should know, I’m one of them, as are the majority of the writers for Nerds on Earth. We’re downright wistful in our Nerds on Earth Slack channel when we talk about Marvel comics. Shoot, when someone mentions Chris Claremont X-Men there is a flurry of GIFs that hit the feed, all emoting the nostalgic happy tears of grown men who have grown up reading comics in a certain way in a certain era.

And we have opinions. Boy, do we have opinions. Marvel is smart to chase our money but in doing so, they also have to cater to our nostalgia in very particular ways. Comic Shop owners are old school comic fans also, so they share our nostalgia. But they carry the immense pressure of also having to pay their electric bill.

One more quick thing about the comic business. The distributor is Diamond Distributors, who delivers comics like clockwork every Wednesday to the hundreds of itty bitty comic shops across America. But unlike books–which can be returned by bookstores for credit if unsold–comics are non-refundable. Comics shops owners have to pay up front for product that they might not sell and they are on the hook if they don’t. So if they order too many copies of Marvel’s latest relaunch title, they’ll simply end up in back issue bins at a loss. Again, as a business model, it’s nuts.

But don’t count comic shops out yet. They replaced the drug store spinner racks in the late 70s and have been going strong ever since. They’ve lived through the rise and fall of video rental shops. Comic shops have also seen CD music shops tumble, yet they persist. Comic shop owners are heroic small business owners fighting a battle against galactic foes, so don’t count them out.

If Comic Shops (the Direct Market) is the right fork in the road, the Trade Book Channel is the left fork. In thinking about trade books, imagine graphic novels and manga titles. Remember, all those floppy books are collected into trades, meaning the same stories that are sold in comic shops are also sold in bookstores, digitally, and cheaply via Amazon. And quite frankly, collected trades are easier to digest and collect. No hustling up missing issues.

Meanwhile, these trade book channel sales show no signs of slowing. Indeed, a new generation of readers are discovering colorful stories for elementary and young adult audiences in interesting places. Publishers and distributors have learned how to create and market content for this young audience, and it doesn’t involve comic stores.

Small publishers are getting this. BOOM! Studios president Ross Ritchie was asked directly about the sales drop: “Are you seeing that equally in the comic store and book channels?” He replied, “No. We’ve had a lot of growth in the book channel.”

My oldest daughter is in 4th grade and loves superheroes, just like her dad. I’ve attended numerous Scholastic Book Fairs with her at her elementary school. The hot ticket items? Stuff like the Squirrel Girl books and Moon Girl and Devil Dinosaur graphic novels, plus tween and YA graphic novels like Sisters and Smile. And DC is killing it with their DC Superheroes books for young girls. Needless to say, us crusty old nerds aren’t talking about Moon Girl and Devil Dinosaur in the Nerds on Earth Slack channel.

These are two roads divided in a snowy wood. Can the comic book market survive segmentation between two increasingly distinct and divergent audiences, particularly when the economics, publishing strategies, and distribution systems are distinct for both? It’s a trend to watch.

Marvel needed to sell their characters to pull out of bankruptcy in the 90s and somehow comic shops survived. Never count them out. But when the numbers say that any sensible decision lies along the left fork of the road, is there any reason for comic shops not to finally succumb to the economic realities?

The post Marvel Comics Stands at a Fork in the Road appeared first on Nerds on Earth.

Shared by josephwebster (Denver, CO, USA), 69 days ago, and JayM (Atlanta, GA), 69 days ago

Cellebrite Unlocks iPhones for the US Government


Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models:

Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

[...]

It also appears the feds have already tried out Cellebrite tech on the most recent Apple handset, the iPhone X. That's according to a warrant unearthed by Forbes in Michigan, marking the first known government inspection of the bleeding edge smartphone in a criminal investigation. The warrant detailed a probe into Abdulmajid Saidi, a suspect in an arms trafficking case, whose iPhone X was taken from him as he was about to leave America for Beirut, Lebanon, on November 20. The device was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5.

This story is based on some excellent reporting, but leaves a lot of questions unanswered. We don't know exactly what was extracted from any of the phones. Was it metadata or data, and what kind of metadata or data was it?

The story I hear is that Cellebrite hires ex-Apple engineers and moves them to countries where Apple can't prosecute them under the DMCA or its equivalents. There's also a credible rumor that Cellebrite's mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.
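The reasoning in the paragraph above (a retry-limit bypass alone does not break a strong passcode) is easy to put numbers on. The Python below is an added example, not from this post, from Cellebrite or from Apple; it compares the attacker's chance with the wipe-after-ten-attempts limit intact against the time a full on-device search takes once that limit is gone. The one assumption is the per-guess cost: each attempt still has to go through the device's hardware-bound key derivation, which Apple has described as taking roughly 80 milliseconds, so SECONDS_PER_GUESS is set to 0.08 and can be adjusted.

```python
"""How much a retry-limit bypass buys an attacker, by passcode class.

Added example, not from the post or from Cellebrite/Apple. Assumption: every
guess runs through the device's hardware-bound key derivation at about 80 ms
per attempt (a figure Apple has published for iOS); change SECONDS_PER_GUESS
if your threat model differs.
"""
from dataclasses import dataclass

SECONDS_PER_GUESS = 0.08   # assumption: ~80 ms per on-device derivation
WIPE_AFTER_ATTEMPTS = 10   # the retry limit the post says may be defeated


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int   # 10 for digits, 62 for [a-zA-Z0-9]
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


def seconds_to_exhaust(policy: PasscodePolicy,
                       seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Worst case for the attacker: every code tried on-device, one at a time.
    On average the right code turns up after half this time."""
    return policy.keyspace * seconds_per_guess


def success_probability_with_limit(policy: PasscodePolicy,
                                   attempts: int = WIPE_AFTER_ATTEMPTS) -> float:
    """With the wipe-after-N limit intact the attacker gets N guesses in total."""
    return min(1.0, attempts / policy.keyspace)


def human_duration(seconds: float) -> str:
    """Render seconds using the largest unit that fits, one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


POLICIES = [
    PasscodePolicy("4-digit PIN", 10, 4),
    PasscodePolicy("6-digit PIN", 10, 6),
    PasscodePolicy("6-char alphanumeric", 62, 6),
    PasscodePolicy("10-char alphanumeric", 62, 10),
]


def summarize(policies=POLICIES) -> list:
    """One row per policy: chance with the limit on, search time with it off."""
    rows = []
    for p in policies:
        rows.append({
            "policy": p.name,
            "keyspace": p.keyspace,
            "p_success_with_limit": success_probability_with_limit(p),
            "exhaust_without_limit": human_duration(seconds_to_exhaust(p)),
        })
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['policy']:22s} keyspace={row['keyspace']:<22,d} "
              f"P(10 guesses)={row['p_success_with_limit']:.1e} "
              f"full search={row['exhaust_without_limit']}")
```

Under these assumptions a 4-digit PIN falls in minutes and a 6-digit PIN in about a day once the limit is gone, while a 6-character alphanumeric passcode already takes on the order of a century to exhaust on-device, which is the practical content of "strong passwords are still secure." The table also shows what the limit itself is worth: with it intact, even a 4-digit PIN gives the attacker only a 0.1% chance.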

EDITED TO ADD (3/1): Another article, with more information. It looks like there's an arms race going on between Apple and Cellebrite. At least, if Cellebrite is telling the truth -- which they may or may not be.

Shared by josephwebster (Denver, CO, USA), 82 days ago

Firmware Upload Contest

I'm working on a new security research project. We need to collect firmware files from IoT devices. To crowdsource the collection, I am running a contest through my company with great prizes, including an iPad mini 4, Nintendo Switch, Apple HomePod, Apple Watch, Chromebook, PS4, and more.

See https://harborlabs.com/contest for details.

Finding and entering proper firmware is a great project for high schoolers in the STEM field. The prizes are potentially life changing for a 16 year old!

Please spread the word. The contest runs until April 15.
josephwebster (Denver, CO, USA), 82 days ago:
This sounds like a great idea. And fun to boot. Avi definitely has the credentials - and the chops - to really do important work in IoT security.

Also shared by christophersw (Baltimore, MD), 79 days ago

SamSam ransomware virus keeps CDOT employees offline for fourth day


Nasty ransomware kept Colorado Department of Transportation workers offline for a fourth full work day as investigators scrambled to search every single employee computer for damage done by the SamSam ransomware variant demanding bitcoin.

“Everything is still under investigation,” said Brandi Simmons, a Colorado Office of Information Technology spokeswoman.

The state hasn’t paid any ransom nor does it intend to. But Simmons said she was unable to share how the ransomware got into the state system or what files were infected. There were backups of all files, so nothing was lost.

The malicious software began its attack Wednesday morning, causing state IT officials to isolate infected machines and cut off the network to 2,000 CDOT employee computers. Employees still worked on personal laptops or smart devices and were able to access the agency’s Google documents account online.

No critical transportation systems were impacted, said Amy Ford, a CDOT spokeswoman.

“Our critical systems, our road operations, traffic operation systems are still online. We still have people on the road plowing and doing construction,” Ford said. “The things we have changed a little bit is we’ve had some business bids in the process of being done and we’ve extended times and dates. And we’re working with our contractors.”

SamSam ransomware first showed up in 2016 and hit healthcare systems. In one case, the attack was linked to hackers using a vendor’s name and password, and resulted in Indiana hospital system Hancock Health paying $55,000 in ransom to get files back. In another case, officials believed hackers exploited a misconfigured hospital web server to gain entrance into the network of New York’s Erie County Medical Center.

josephwebster (Denver, CO, USA), 88 days ago:
"There were backups of all files, so nothing was lost." -- except for 4 days of work and the need to re-image all PC's...