A new report on the say “Yes” telephone call scam we talked about back on February 6th.
Anyone who still has a traditional home phone (myself included) dreads those irritating robocalls. As part of the latest scam, the caller, instead of mentioning who they are, simply asks “Can you hear me?” That seemingly innocent question could be a sign that a scammer is on the other end of the line.
The Federal Communications Commission issued a consumer alert against just such scammers yesterday, Monday, March 27, 2017. When you reply and say, “Yes,” that you can hear the scammer, your reply is recorded and used to authorize fraudulent charges via telephone on the victim’s utility or credit card account, the FCC says.
The scam appears to be much more prevalent, based on complaints the agency has received and on news reports across the U.S. The fraudulent callers may even try to impersonate familiar organizations to get you to answer and talk.
“Robocalls are the number one consumer complaint to the FCC from the public. And it’s no wonder: Every month, U.S. consumers are bombarded by an estimated 2.4 billion robocalls,” said FCC Chairman Ajit Pai last week at the agency’s March meeting, during which the commission voted to begin a rulemaking process to eliminate robocalls. “Not only are unwanted robocalls intrusive and irritating, but they are also frequently employed to scam our most vulnerable populations, like elderly Americans, out of their hard-earned dollars.”
What should you do?
According to the FCC, if you receive this type of call, immediately hang up. If you have already responded to this type of call, review all of your statements such as those from your bank, credit card lender, or telephone company for unauthorized charges. If you notice unauthorized charges on these and other types of statements, you have likely been a victim of “cramming”.
Anyone who believes they have been targeted by this scam should immediately report the incident to the Better Business Bureau’s Scam Tracker and to the FCC Consumer Help Center.
Now back to my thoughts on this “Scam”…
At first glance, this warning sounded reasonably valid: major news outlets covered it as recently as last night on the 6:00 ABC news hour. But just because the media is running around reporting that the sky is falling doesn’t mean you have to duck for cover. A closer examination of the purported scam reveals some questionable elements.
First, we’ve yet to identify any scenario under which a scammer could authorize charges in another person’s name simply by possessing a voice recording of that person saying “yes,” without also already possessing a good deal of personal and account information for that individual, and without being able to reproduce any other form of verbal response from that person.
Moreover, even if such a scenario existed, it’s hard to imagine why scammers would need to utilize an actual audio recording of the victim’s repeating the word “yes” rather than simply providing that response themselves. As far as we know, phone companies, utilities, and credit card issuers don’t maintain databases of voice recordings of their customers and use them to perform real-time audio matching to verify identities during customer service calls.
So – once again, I believe the media is simply reporting on something they found on the wire without doing any due diligence as to the authenticity of the scam. Even though the FCC has issued an alert – it’s not backed up by any concrete, documented evidence of people actually getting scammed. It’s simply the result of people reporting that they got the “Can You Hear Me” phone call and are worried about what to do next. To answer that question, the FCC has provided the following information.
Directly from the FCC website (web link below)
Consumers should always be on alert for telephone scams. The following tips can help ward off unwanted calls and scams:
• Don’t answer calls from unknown numbers. Let them go to voicemail.
• If you answer and the caller (often a recording) asks you to hit a button to stop receiving calls, just hang up. Scammers often use these tricks to identify, and then target, live respondents.
• If you receive a scam call, write down the number and file a complaint with the FCC so we can help identify and take appropriate action to help consumers targeted by illegal callers.
• Ask your phone service provider if it offers a robocall blocking service. If not, encourage your provider to offer one. You can also visit the FCC’s website for information and resources on available robocall blocking tools to help reduce unwanted calls.
• Consider registering all of your telephone numbers in the National Do Not Call Registry.
Better Business Bureau Scam Tracker:
FCC Consumer Help Center
Just when you thought the internet couldn’t get any creepier. There is apparently a disturbing trend going on called “digital kidnapping.” And if that phrase is new to you, allow me to fully weird you out. “Digital kidnapping” is when someone steals a stranger’s baby photos and reposts them on the Internet. Sometimes, these virtual photo thieves will pass the snapshots off as their own. But other times, it goes a step further. Just last week, a couple took the photos of a child suffering with cancer from a Go Fund Me page and went door to door trying to collect money for funeral costs. They weren’t the sharpest knives in the drawer because they got caught after going to the child’s grandparents’ workplace…
In another example, found on Instagram, accounts were being set up specifically to encourage others to join in on “adoption role playing,” inventing new identities for each child and inviting users to chime in.
So, in the wake of recent news reports about digital kidnapping, it’s important that parents know what can be done to see if anyone is using your child’s photo.
Once you post a picture online, it’s hard to know where it’s going to end up. Most likely, it will be one of the millions that people scroll past on their Facebook feed every day. Considerably less likely, it could go viral and become a meme. But somewhere in between those possibilities, is the potential for that image to be used by strangers for all the wrong reasons. Pictures of your children could end up in the hands of people with intentions that would make you cringe.
Here’s a quick, simple tutorial on how to do a reverse image search on Google so you can find out where your personal pictures might have gotten to beyond where they were originally posted.
1: Go to google.com and click “Images.”
2: In the search bar, click the camera icon.
3: Either upload a picture from your computer or enter the URL of a picture to search for it.
4: Google will return every instance of that image they can find.
Ultimately, the most important thing for anyone to do is to be careful of what you post online and to always enable the privacy settings on your accounts. When you do a reverse Google image search, hopefully you will find that your photos, or your child’s, aren’t anywhere they’re not supposed to be. Google isn’t the only company to offer this service. You can also search for specific images using TinEye, BING and Copyscape.
- Google Reverse Image Search. This is my default go-to for looking up sources of images. You click on the camera icon in the search bar and upload the image. Google then brings up the sources for the image that you searched for.
- TinEye. This works in a similar way to Google Reverse Image Search and the results are usually the same, but not always.
- Copyscape. This works in the same way as the above but for written words instead of pictures.
(Unfortunately, you cannot do this on your phone. So if you want to check any images shared on a social media app, you’ll have to log into their website.)
More information on how to find out if your images have been stolen: http://stopstealingphotos.com/find-images-stolen/
If you find your intellectual products or images are being used, here’s some info on what you can do. https://ongoingpro.com/copyright-find-stolen-photos-online-reverse-image-search/
Here we go again. Right on the heels of the latest revelations from the Yahoo hack, another popular web company has been seriously compromised.
Cloudflare, a popular web performance and security company, is the newest addition. Over 5.5 million websites that use Cloudflare, including Fitbit, Uber, OkCupid, Medium, and Yelp, may have been compromised.
If you have or had accounts on Fitbit, Uber, OkCupid, Medium, or Yelp, you should probably change your passwords. In a blog post, the web performance and security company Cloudflare said it had fixed a critical bug discovered over the weekend that had been leaking sensitive information such as website passwords in plain text from September 2016 to February 2017.
What should you do?
1: Change your passwords and make them very strong. Consider using a password manager like LastPass to create a long, random string of characters for every online account.
2: Where possible – enable two-factor authentication. Two-factor authentication requires a code sent to your mobile phone, in addition to your password.
3: While you’re at it, add a PIN to your phone number account.
A dedicated hacker can bypass two-factor authentication by providing your name and the last four digits of your social security number to your mobile carrier. Simply call the customer care number at your mobile provider/carrier to add the PIN.
There’s a list available of all the websites identified so far if you want to see if you might be at risk. See the link at the end of this article. There’s also a list of many potentially affected iOS apps.
Thanks to BuzzFeedNews for this very relevant information.
List of Websites available here: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md
iOS apps potentially affected: https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/
If you use a Mac, beware. The Russian cyberspies blamed for the US election hacks are now targeting Macs. Security researchers have discovered malware targeting Macs that is very likely a variant of the malware used to hack the Democratic National Committee during last year’s election. What’s worse is that this particular piece of malware is believed to be tied to a group affiliated with the Russian military intelligence service.
Yes, the Russian hackers. The same hackers that are being talked about by the news media each and every day for their reported efforts to sway the US Presidential election and their potential undue influence over the present Administration. The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent.
Politics aside, this group is purported to be the most sophisticated hacking organization in the world. Why they are now targeting Mac computers is not yet known. Nor is it known how they are distributing the malware, but it’s out there. If you are using MacKeeper for anti-virus, replace it; a vulnerability in that program appears to be the most plausible point of penetration.
Don’t buy into the popular misconception that Macs are not vulnerable to virus and malware attacks. They are, and this certainly proves it. Be sure you have strong anti-virus and anti-malware protection, keep it updated and perform regular deep scans on your Mac to be sure it’s clean.
Additional Mac malware information from Bitdefender Labs: https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/
The “Can You Hear Me?” phone scam has generated a lot of interest and concern in recent weeks but do you really have to be worried about it?
This scam has been reported recently by USA Today, NBC News, CBS News, Boston television stations and newspapers across the country including last Sunday’s Globe.
People around the country have reported receiving a phone call from someone who claims to be from a home security agency, cruise line, Social Security Administration, or another agency or business. The scam caller starts the conversation with: “can you hear me?”
If you reply “Yes,” which most of us would say automatically, the scammer supposedly records your answer and uses it to sign you up for a product or service. When an invoice arrives in the mail demanding payment and you call the listed number to protest the charge, the scammers say they have your recorded “yes” confirming the purchase. Some folks are worried that by simply saying “yes” they might be out hundreds or even thousands of dollars.
Should you be worried? I don’t think so!!! Snopes.com – one of my favorite sites to dispel rumors, scams and even urban legends posted that there is no evidence of individuals losing money or having their identities stolen due to this scam, only that some people have received phone calls. http://www.snopes.com/can-you-hear-me-scam/
This type of scam has previously been targeted at businesses. The business ends up receiving invoices or bills in the mail for products or services they didn’t order. Even though they are not legally required to pay a bill for any product or service they did not order, sometimes the business owners are so scared of the thought of debt collectors, they pay the bill.
To take money from you, the scammers would need other personal information to successfully charge items on your credit card or take money from your bank account. In those cases and with that information, a recorded “yes” wouldn’t be needed anyway. Even if such a scenario existed, it’s hard to imagine why scammers would need to utilize an actual audio recording of the victim repeating the word “yes” rather than simply providing that verbal response themselves.
As far as I know, phone companies, utility companies, and credit card issuers don’t maintain databases of voice recordings of their customers and use them to perform real-time audio matching to verify identities during customer service calls.
If you or a family member gets this type of phone call, your best bet is to simply hang up. Make it a habit to just hang up every time you get an unsolicited phone call from any organization or business. Don’t let these scammers waste your time.
Foreign and domestic media outlets as well as Facebook posts are reporting that photos of one’s fingers flashing either a “peace sign” or “victory sign” are so high resolution today that hackers are capturing them and using the images for identity theft.
This all started on January 9th when researchers at Japan’s National Institute of Informatics raised alarm bells over the popular two-fingered pose.
Fingerprint recognition technology is becoming widely available to verify identities, such as when logging on to smartphones, tablets, laptop computers and electronic door locks.
The proliferation of mobile devices with high-quality cameras and social media sites where photographs can be easily posted is raising the risk of personal information being leaked, reports said.
The NII researchers were able to copy fingerprints based on photos taken by a digital camera three metres (nine feet) away from the subject.
“Just by casually making a peace sign in front of a camera, fingerprints can become widely available,” NII researcher Isao Echizen told the Sankei Shimbun newspaper.
Fingerprint data can be recreated if fingerprints are in focus with strong lighting in a picture. Advanced technology was not necessary and anyone could easily copy fingerprints.
Then came the “whisper around the world” as media outlets caught this story and embellished it as they reported it, with headlines such as the following:
How YOUR selfies are allowing crooks to steal your identity… by zooming in on your FINGERS
HD lenses mean thieves can replicate your fingerprints
Celebrities most at risk, but fraudsters could hack smartphones and workplaces.
Although the articles routinely referenced “identity theft” (commonly interpreted to mean unauthorized use of financial accounts and personal identification documents), they also described hypothetical situations in which fingerprint passcodes could potentially be replicated. In those instances, the “hackers” would require both a rendering of the fingerprints and personal devices belonging to their targets (such as a smartphone or point of sale access) to do any damage.
No evidence has been presented to demonstrate that hackers are currently using photographs to duplicate fingerprints in order to commit crimes or steal identities. The professor quoted on the possibility works with a laboratory that is developing a technology to secure fingerprints, and noted that technology of any sort was not necessary to copy them, as people leave them on surfaces throughout the day.
While the possibility exists that devices could potentially be compromised in this manner, the exaggerated headlines made the threat sound more plausible and immediate than it really is.
Needless to say, there are plenty of scams on Facebook. Whether it’s fake giveaways, like-farming pages, phishing attacks and spamming links, you only need to scroll through your newsfeed for a few moments before you come across something suspicious.
A portion of these scams are initiated via a simple friend request. You login, and that red number appears over your Contacts icon at the top of your newsfeed.
Of course it could be a legitimate request from someone you know wanting to be a Facebook friend. Or it could be the beginning of any of the following five scams….
Number 5 happened to me this past weekend thus the motivation to prepare this article. I’ve also included some info at the end of this article to help YOU fix this type of problem referring to an easy to follow graphic.
- Facebook Profile Cloning Scam – If the Facebook request comes from someone you know, and in fact are already friends with on Facebook, then alarm bells should already be ringing, because this could be a cloning scam.
Facebook profile cloning scams (a.k.a. Friend Imposter scams) are surprisingly effective yet simple to execute. A scammer searches for a Facebook profile with a friends list that is public to anyone. Most people do not make their friends list private, so the scammer has plenty of profiles to choose from.
The scammer then copies both the profile name and profile picture of the account they pick – both of which are also public – and creates a brand new account with that information, thus creating a clone account. If the Facebook account targeted by the scammer has any other public photos, the scammer may well upload those photos to the new cloned account as well.
From there the scammer sends friend requests to the friends of the account they cloned, in the hope that a number of them will accept the request, thinking that the friend has either created a new account or that they were accidentally deleted and are being duly re-added.
Once an invitation has been accepted the scammer can now see information on that account only intended for friends. Any number of scams can be carried out on the person who accepted the friend request, such as the “Friend in Crisis” scam, or any of the following three scams on this list.
Always verify friend requests before accepting, and make your friends list private so scammers don’t pick your account and impersonate you to your friends.
- Malware linker – Most typically these friend requests will appear to come from an attractive member of the opposite sex. The scam itself is rather rudimentary (unless combined with the above Facebook cloning scam for a more personal touch): it essentially involves the scammer sending you an unsolicited friend request and, if accepted, following that up by sending you links to malicious websites that will attempt to install malware onto your computer when visited.
Either that or you’ll be sent to a survey scam, which harvests personal information by luring you into completing intrusive questionnaires. If you’re fooled into downloading a suspicious file to your computer, run an antivirus scan right away.
- Phishing linker – Very much like the above malware linker, the stranger you just accepted (again often posing as a member of the opposite sex – or again it may be combined with the Facebook cloning scam) will send you links to spoof phishing websites.
Typically these sites will be designed to look like the Facebook login page, asking for your Facebook username and password, which are then duly sent to the scammer, compromising your Facebook account.
- The “Looking for Love” Romancer – Finding love on the Internet is increasingly common, and this fact is exploited by scammers who target the lonely and vulnerable. This scam can be initiated on dating websites, through email, or on social media websites like Facebook. Scammers locate profiles to target and send a friend request. Upon the victim accepting the friend request, they are sent messages from the scammer who is attempting to strike a romantic relationship online with the ultimate goal of gaining the trust of the victim.
Once that trust has been established, the scammer will use one of a number of techniques to attempt to extort money from the victim. For example, the scammer will tell the victim they want to visit but cannot afford transportation costs, or that they need money for emergency medical bills, or money for equipment that will allow them to keep in contact with the victim.
- The Identity Thief – Many of us share plenty of information with our friends. Photos, birthdays, home towns and a plethora of statuses containing a variety of personal information about us. And while this information can look innocuous and harmless, if it falls into the wrong hands it can be an identity thief’s treasure chest.
If you accept the friend request of a stranger, or a stranger posing as a friend, then they can accumulate a lot of information about you based on what you continually upload onto the site. This information can be used to compromise other online accounts, create new accounts in your name and just generally impersonate you on the Internet or even in real life.
Identity theft is serious and can take victims years to recover from. So always make sure that your Facebook friends are who they say they are and never share too much information on your accounts just in case someone does compromise your account.
Dispelling a myth
There are plenty of genuine scams on Facebook, but there are also plenty of myths as well. One such myth is the fallacy of friend requests that can “hack” your computer, “erase your hard drive” as well as other types of pseudo-jargon drivel that sounds more akin to Hollywood’s take on computer security.
As you can see from the list above, there are plenty of scams that can be initiated by a simple friend request. But don’t be confused. There is no such thing as magical hackers that can do anything they please by merely being accepted as a friend on Facebook. Friend requests can initiate a scam but they still require the victim to take further actions, such as giving away too much information, or by visiting a dangerous website.
A new virus, specifically a form of ransomware, might be targeting your computer through shared pictures on social media websites like Facebook and LinkedIn. The new attack vector called ImageGate is the culprit. Researchers from Check Point say that this new type of ransomware has been making the rounds, and is better known as Locky. The Locky ransomware is one of the most notorious malware attacks to arrive on the scene in recent months.
Malware attacks like this do not necessarily attack your PC through browsers and operating systems only. Hackers understand the flaws in the treatment of images by both Facebook and LinkedIn and use them to their advantage by forcing users to download malicious code through the pictures, which eventually hijacks the computer when you open them. The ransomware quickly encrypts your files, and the attackers don’t give them back to the user until the requested amount of ransom is paid.
Check Point representatives stated that they informed both LinkedIn and Facebook but it’s difficult to gauge what actions have been taken. Roman Ziakin and Dikla Barda, members of Check Point’s research team, wrote, “The attackers have built a new attack to embed malicious code into an image file and successfully upload it to the social media websites. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” It has also been reported that hackers are using Facebook Messenger to spread the ransomware using .SVG files.
This is another reminder that we should not take Facebook-like sites for granted. It’s always easier to prevent threats than react to them after the damage has been done. After all, there’s no guarantee that you will get your data back even if you pay the ‘ransom’.
As more and more people are joining social networks, cyber criminals are focusing on using new techniques like ransomware. The new and inexperienced users easily fall into their traps.
If you have clicked on an image and your browser starts downloading a file, do not open it. Social media websites show a preview of the picture without downloading any files. The researchers have also asked users of Facebook and LinkedIn not to open files with weird extensions like JS, HVG, HTA, SVG.
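The advice above can be turned into a quick check of a downloaded file before anyone opens it. This Python sketch is an added example, not code from Check Point or from this post; the function name, warning codes and sample files are constructed for illustration. Beyond the extension list in the text, it also flags double extensions, files named like pictures whose contents are not pictures, and SVG files that contain script.

```python
import os

# Extensions the article says not to open when an "image" arrives as a download.
RISKY_EXTENSIONS = {".js", ".hvg", ".hta", ".svg"}

# Leading bytes (file signatures) of the raster formats a photo normally uses.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def triage_download(filename, content):
    """Return warning codes for one downloaded file (empty list = nothing found)."""
    warnings = []
    stem, ext = os.path.splitext(os.path.basename(filename).lower())
    inner_ext = os.path.splitext(stem)[1]

    if ext in RISKY_EXTENSIONS:
        warnings.append("risky-extension")
    # "photo.jpg.hta" looks like a picture at a glance but is not one.
    if inner_ext in IMAGE_SIGNATURES and ext not in IMAGE_SIGNATURES:
        warnings.append("double-extension")
    # A file named like a raster image must start with that format's signature.
    if ext in IMAGE_SIGNATURES and not content.startswith(IMAGE_SIGNATURES[ext]):
        warnings.append("signature-mismatch")
    # SVG is XML and can carry script; a shared photo has no need for it.
    if ext == ".svg" and b"<script" in content.lower():
        warnings.append("svg-script")
    return warnings


# Constructed sample downloads (file name -> first bytes of the file).
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg.hta": b"<html><body>constructed sample</body></html>",
    "card.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* sample */</script></svg>',
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "selfie.jpg": b"MZ\x90\x00 not a JPEG header",
}


def triage_all(samples):
    """Run the triage over a mapping of file name -> content."""
    return {name: triage_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, found in triage_all(SAMPLES).items():
        verdict = "do not open: " + ", ".join(found) if found else "no warning"
        print(f"{name:15} {verdict}")
```

An empty result only means none of these four checks fired; it is not proof that a file is safe.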
Cujo is a Smart Home firewall that protects everything on your network including all those IoT (Internet of Things) devices. Think of it as an immunity system for your home network.
The Cujo is surprisingly unassuming, a small plastic stump-like device with light-up eyes that stands in adorable contrast to its mad dog name (from the Stephen King book) and home security mission statement.
The product is designed to bring enterprise-level security to the home network, helping protect against attacks to the increasingly vulnerable world of networked devices, from laptops to smart light bulbs.
Cujo is, for all intents and purposes, a smart firewall. It’s made for an average user to easily understand. You see every single thing on your network through your app. If you go to bad places or bad things come to you, we will block bad behavior and we will send you a friendly notification that someone tried to access your camera.
The company demoed the product at the Disrupt 2016 conference by hacking a baby camera. On a page displaying all of the devices connected to the network, a warning popped up: We blocked an unauthorized attempt to access device ‘IP camera’ from [IP number]. From there, access to the feed can be cut off — or not, if there is no actual threat.
Cujo serves as a peer to a home router, monitoring all network connected devices for malicious activity and sending notifications when something happens, like suspicious file transfers or communications with faraway IP addresses. It’s a bit like the Nest app, only for networked security, rather than fire alarms.
Today’s exploits are less about individual devices than they are about opening up the entire network through a small and seemingly harmless smart gadget. You may think, so what, my lightbulb is going to get hacked. The real challenge is what happens next. Once the bad guys are in the network, they can get to the other devices. They can get to your camera, they can get to your PC and extract files, they can even film you. The FBI director is on record as taping over his webcam when he goes home. That tells you that we’re very exposed.
Part of the company’s current mission is highlighting those exploits for consumers who are likely versed in the threat of PC malware but may be unaware of the growing threat posed by the vulnerability of the Internet of Things.
The biggest advantage has been that it’s the average user who no longer feels private at home, may even put the duct tape over his webcam and just wants something that works — doesn’t want to spend days and months changing and configuring things.
Cujo is available now through Amazon. It’ll be rolling out to “all major retailers” by year’s end. The company anticipates breaking even with the device, eventually monetizing the product with the ongoing security subscription.
I like CUJO’s innovation and focus on home network security. It appears they’ve met their goal of making a friendly and simple to use firewall and the smart phone app is very easy to use.
CUJO is not going to be for everyone, particularly those folks uncomfortable with any cloud service looking at any part of their internet traffic. But for home users who want to protect all the devices on their network, whether they run anti-virus/malware apps or not, CUJO would be worth a try.
CUJO currently sells for $76.85 at Amazon & Walmart, $99.00 at Staples, with BestBuy and Target offering the device soon. It includes a 180 day trial license. After that, you’ll need to subscribe for $8.99 / month, $26 for three months, $49 for six months or $80 for a year of service. If you’re a true CUJO believer, you can opt for a lifetime subscription for $800.
Additional information can be found here:
Here’s a WIN for the little guys! Federal regulators have approved new broadband privacy rules that require internet service providers like Comcast and Verizon to ask for customers’ permission before using or sharing much of their data, potentially making it more difficult for them to grow their advertising businesses.
Under the new measure, for example, a broadband provider has to ask a customer’s permission before it can tell an advertiser exactly where that customer is by tracking her phone and what interests she has gleaned from the websites she’s visited on it and the apps she’s used.
For some information that’s not considered as private, like names and addresses, there’s a more lenient approach. Customers should assume that broadband providers can use that information, but they can still “opt-out” of letting them do so.
The final Federal Communications Commission’s measure was scaled back from an earlier proposal, but was still criticized by the advertising, telecommunications and cable industries.
Cable and phone companies want to increase revenue from ad businesses of their own — AT&T has said increasing advertising tailored to customers’ preferences is one of its goals with its $85.4 billion purchase of HBO, CNN and TBS owner Time Warner; Verizon has bought AOL and agreed to buy Yahoo in order to build up its digital-ad business.
But the new rules could make doing that more difficult. Companies and industry groups say it’s confusing and unfair that the regulations are stricter than the Federal Trade Commission standards that digital-advertising behemoths such as Google and Facebook operate under. The FCC does not regulate such web companies.
FCC officials approved the rules on a narrow 3-2 vote Thursday, its latest contentious measure to pass on party lines.
“It is the consumer’s information. How it is to be used should be the consumers’ choice, not the choice of some corporate algorithm,” said Tom Wheeler, the Democratic chairman of the FCC who has pushed for the privacy measure and other efforts that have angered phone and cable companies. AT&T and other players have fought the “net neutrality” rules, which went into effect last year, that say ISPs can’t favor their internet traffic. Another measure that could make the cable-box market more competitive is still waiting for an FCC vote.
Industry groups representing the cable, phone and advertising industries criticized the outcome of Thursday’s vote, while several consumer-advocacy and civil liberties groups hailed it.
Today’s vote is a historic win for privacy and free expression and for the vitality of the internet, said a spokesperson from the American Civil Liberties Union (ACLU). Just as telephone companies are not allowed to listen in to our calls or sell information about who we talk to, our internet providers shouldn’t be allowed to monitor our internet usage for profit.
The FCC order is not airtight so we can expect the industry to try and exploit every crack in these protections – time will tell. In the future, I fully expect that their “opt out” process will be buried deep within their 6,000 page “terms of service” document hoping we don’t take the time to find the instructions and make the request.