CRC It Posts

Don’t become a victim of spear phishing

(USA Today)

We have all heard about the sophisticated malware responsible for the wave of data breaches that began last year with Target and recently included Home Depot and JPMorgan Chase, but the question that many people fail to ask is how did the malware necessary to perpetrate these major data breaches get downloaded into the seemingly secure computers of major companies and government agencies?

The answer in almost every instance is the same. It is done through a technique called phishing. Phishing occurs when someone receives an e-mail that lures them into downloading an attachment containing malware, or into clicking on a link within the e-mail that automatically downloads keystroke-logging malware, which enables the hacker to steal all of the information on the unwitting recipient’s computer. Generally among the information on the victim’s computer are the passwords and other keys required to open the company’s or agency’s data banks. Often in major data breaches, the phishing is aimed, as it was with Target, at a third-party vendor that works with and has computer access to the real intended victim.

At one time, phishing e-mails appealed to standard subjects that interest people at work with roaming minds, such as free video games, music or pornography. According to The Washington Post, the 2005 massive data breach of information broker LexisNexis was caused by a Florida police officer at work who clicked on a link in an e-mail promising pornography and ended up downloading malware that enabled the hackers to steal the police department’s password and login information to provide access to LexisNexis’ data banks.

Today, although those techniques are still used and still work, phishing has gotten more sophisticated. Often the e-mails are made to appear as if they come from upper-level management of the targeted company. LinkedIn, the popular social networking service site, is a source of information that can be manipulated to aid hackers in creating special phishing e-mails using the names of specific people within the company.

When phishing e-mails are crafted with this extra level of specificity, using the exact names of intended victims as well as the precise names of people the victims trust, it is called spear phishing. Hackers will look up a company on LinkedIn and find profiles for individual employees of the company. Many of these listings include the employee’s e-mail address.

After viewing a few employee profiles, a hacker can determine the protocol used for e-mail addresses within the company, such as the initial of the first name, then the last name and the company name. Using this information, the hacker can send a legitimate-appearing e-mail to a company employee that looks like it comes from within the company, luring the real employee to either click on a tainted link or enter a username and password. This can be used either to directly install malware onto the company’s computers through the tainted link or to gain access using the username and password of the victimized employee. From there it is an easy task to install malware to steal information from the company.

Phishing e-mails can easily be made to appear as if they are coming from legitimate sources, such as banks, government agencies, insurance companies or the myriad companies with which you do business. It takes little talent to put a counterfeit logo on an e-mail to make it look official. Identity thieves and hackers have a knowledge of psychology that would have made Freud envious, and they know how to lure us into clicking on malware-infected links and downloading malware-infected attachments. Although sometimes the target of these hackers is access to bigger fish, such as the company for which you work, sometimes the target is you personally.

One of the biggest fallouts from the recent hacking of JPMorgan Chase was the theft of the e-mail addresses and names of JPMorgan Chase customers, making those customers prime targets for spear phishing. JPMorgan Chase customers can well expect to receive e-mails that very much appear to come from JPMorgan Chase and are directed to them personally by name.

These e-mails may even appear to be sent in response to the recent hacking and warn the customer of new problems that require the customer to either click on a link for protection or provide information to receive personal assistance in protecting their account. Unfortunately, people clicking on these links or providing the requested information will end up becoming victims of identity theft.

The rule to follow is to never click on links in e-mails or download attachments unless you are absolutely sure that they are legitimate. The risk is too great. Also, never provide personal information in response to an e-mail that you receive. You cannot be sure that the e-mail is legitimate. Trust me, you can’t trust anyone. If you think that possibly the e-mail may be legitimate, call the company or agency at a telephone number that you know is correct to inquire about the e-mail. It may seem paranoid, but remember, even paranoids have enemies.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country’s leading experts in scams and identity theft. He writes the blog and his new book is Identity Theft Alert.

Your medical record is worth more to hackers than your credit card

By Caroline Humer and Jim Finkle

NEW YORK/BOSTON (Reuters) – Your medical information is worth 10 times more than your credit card number on the black market.

Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.

Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.

“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”

Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.

The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.

Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

The Wheedle on the Needle

As many of our clients know, our founder and CEO, James Cosgrove, is also the son of Stephen Cosgrove, author of “The Wheedle on The Needle” and many, many, many other children’s books. If you are looking for a copy, please feel free to contact Stephen Cosgrove at or through his personal web site. If you are one of our clients, let him know.

CryptoLocker Alert

Just last month, antivirus companies discovered a new ransomware known as CryptoLocker. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

Spread through e-mail attachments, this ransomware has been seen targeting companies through phishing attacks. CryptoLocker encrypts users’ files using asymmetric encryption, which requires both a public and a private key.

The public key is used to encrypt data and to verify signatures, while the private key is used for decryption; each key reverses what the other does. This is why only the attacker, who holds the private key, can decrypt the files.

For more information, please see the two sites listed (both Malwarebytes and Bleeping Computer are reputable sources).

What is a HIPAA HITECH Breach

Interim final breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
