
Cybersecurity shorts: May 2016




Listen to a recorded IRS scam phone call. NPR recently shared a recording collected by Pindrop Security of a real IRS scam phone call. Pindrop Security shares dummy phone numbers in online raffles and other scams to get their numbers on scammers’ lists. The call begins with the scammer telling the Pindrop researcher that she miscalculated her taxes and she owes money. He threatens to seize her property and send her to prison. You can listen to the phone call in its entirety here.

Malicious software steals $4 million from bank customers in U.S. and Canada. The malware, GozNym, is planted in phishing emails sent out to bank customers. If clicked, the links install malware on the computer that records keystrokes and even takes screenshots when the victim signs on to their online banking account. The malware has targeted over 20 banks and has resulted in millions being lost in April alone.

Fifty-four percent of people trust their data with tech companies more than the federal government, according to a survey by The App Association. Only 21% trusted federal agencies more. The poll also found that seven in ten people believe hacking is increasing. The majority of those polled are concerned about their personal data.

Chinese nationalist pleads guilty to hacking U.S. defense contractors. Su Bin worked in China in the aviation industry and stole data on U.S. military fighter jets. He emailed hackers telling them which companies to target. Once the companies were hacked, Su Bin would tell them what files to steal. His sentencing is scheduled for July.

Iranian group hacks New York dam. According to reports, a group associated with the Iranian government targeted almost 50 U.S. financial institutions and a dam outside of New York City from 2011 to 2013. Targeted institutions included The New York Stock Exchange, JPMorgan Chase & Co, AT&T, Bank of America and others. The affected dam was the Bowman Avenue Dam in Rye, New York. The dam was shut down at the time, which prevented any serious consequences from the hack. The U.S. has officially indicted seven Iranians for the hack.

Affordable Care Act website was targeted by cybercriminals over 300 times in 18 months. None of the attempted attacks resulted in any sensitive information being released, according to a government report. However, the report did find that the Center for Medicare and Medicaid did not regularly patch security holes affecting the network.

FBI paid third-party hackers to crack San Bernardino shooter’s iPhone. It was previously reported that the FBI worked with Israeli security firm Cellebrite to hack the phone, but it appears now that they contracted professional hackers for the job. One of the hackers considers himself “a gray hat,” which means he sells software flaws to government agencies or private firms to create surveillance tools. The security industry is pushing the government to reveal the flaws to Apple.

Verizon Enterprise Solutions hit with data breach. The B2B unit of Verizon is known for the comprehensive data breach report it produces each year. Now, however, the unit is dealing with a breach of its own affecting over 1 million customers. According to security expert Brian Krebs, the information is being sold online for $100,000. Verizon Enterprise customers should be on the lookout for phishing attacks.

Database holding information on 191 million voters found on the Internet by computer security researcher Chris Vickery. He said the database contained names, addresses, party affiliations, birthdates, emails, and more on voters in all U.S. states. Vickery is working with federal authorities to find the database owner so it can be removed from the Internet.

Hackers may have had access to U.S. government computer systems for years. The FBI released an alert warning that a hacking group, APT6, has been spying on and stealing documents from various government networks since 2011. It is unknown what information has been compromised at this time.

President Obama forms the Commission on Enhancing National Cybersecurity. This new group is part of the $19 million cybersecurity plan Obama put forth earlier this month. Commission members include the CEOs of MasterCard and IBM, a Microsoft Research VP, Uber’s Chief Security Officer, and others. The goal of the commission is to improve the cybersecurity in government agencies as well as the private sector.

Apple plans to lock down iCloud. Currently, Apple holds the encryption key for all users with an iCloud account. Now, Apple wants to shift the encryption key to each individual user to manage. This move comes after the request from the FBI for Apple to unlock the iPhone of one of the San Bernardino shooters. If Apple does not hold the encryption key for iCloud accounts, it will not be able to supply federal authorities with any data stored in the cloud. If users forget their passwords, however, Apple would not be able to give them access to their accounts.

Record number of zero-day flaws used in 2015, according to a report by Symantec. Last year, hackers exploited 54 zero-day vulnerabilities, 30 more than in 2014. Zero-day vulnerabilities are software flaws that have not yet been patched by manufacturers. Exploiting these vulnerabilities allows hackers to potentially access your network, install malware, and much more.

Look out, Mac users: More fake Adobe Flash updates are being released. Security experts warn of an influx of fake Adobe Flash update notifications targeting Mac computers. If you get a notification to update Adobe Flash, don’t click. Visit Adobe’s website and download the update from there instead.

U.S. government agencies rank last in cybersecurity. SecurityScorecard, a security risk startup, analyzed the cybersecurity practices of 17 private industries and 600 U.S. government agencies. U.S. federal, state, and local agencies came in last place. Federal agencies performed the worst in network security, including installing patches for outdated software. NASA performed the worst among the government agencies.

EMV cards lessen counterfeit fraud by 18%, according to Visa. The survey found that major merchants who have fully adopted EMV technology have seen a decrease in counterfeit card fraud, while those who are not accepting chip-enabled cards have seen an 11% increase in fraudulent transactions. The credit card company is releasing a software upgrade which will make chip transactions faster and hopefully encourage more people to use the technology.

Trump Hotels face second data breach in one year. Multiple banks have noticed a pattern of fraud stemming from Trump Hotel properties. The company is investigating the claims. If Trump Hotels was indeed breached again, it would be the second breach since July.

Payroll firm sees spike in employee tax fraud due to login practices. Greenshades, a software company that helps other companies with their payroll, allowed payroll administrators to access employee data using only the employee’s date of birth and Social Security number. Hackers caught on and began using stolen DOBs and SSNs to access employees’ W-2 information to file fake tax returns. Greenshades has posted a fraud alert on its website but claims it was not a data breach since the hackers used “valid login credentials.”

New ransomware scheme uses your address to get you to click. The scam claims the email recipient owes money to UK businesses and uses the recipient’s personal address. The email includes an invoice attachment which downloads the ransomware. It is currently unknown how the scammers collected the mailing addresses. While this scam has not spread outside of the UK yet, it’s a good reminder to think before you click and always back up your data.

Facebook gets one step closer to no passwords. Facebook held its major developer conference, F8, this month and announced new technology, including its Account Kit. This new app would essentially eliminate the need for passwords on third-party apps connected to Facebook. For example, if a developer wants to allow users to sign up via Facebook, the user would no longer need to enter their username and password. Rather, the user will get a text message code or email to verify and log in.