Category Archives: Viruses

A costly low-cost trial offer

by Rosario Méndez

You’ve probably seen online ads with offers to let you try a product – or a service – for a very low cost, or even for free. Sometimes they’re tempting: I mean, who doesn’t want whiter teeth for a dollar plus shipping? Until the great deal turns into a rip-off. That’s what the FTC says happened in a case it announced today.

The defendants sold tooth-whitening products under various names, and hired other companies to help them market the products. These affiliate marketers created online surveys, as well as ads for free or low-cost trials – all to drive people to the product’s website. What happens next is so complicated that we created an infographic to explain it.

In short, once people ended up on the product’s website, they filled in their info, put in their credit card number, and clicked “Complete Checkout.” When people clicked this button they not only got the free trial of the one product, but were actually agreeing to monthly shipments of the product at a cost of $94.31 each month.

Next, another screen came up and people were asked to click “Complete Checkout” again. But the second screen wasn’t a confirmation screen for the trial of the product. Instead, by clicking this button people were actually agreeing to monthly shipments of a second product. So, what started as a $1.03 (plus shipping) trial of one product wound up being an unexpected two products at a very unexpected $94.31 each – for a total monthly charge of $188.96 plus shipping.

Trial offers can be tricky – and there is often a catch. If you’re tempted, do some research first, and read the terms and conditions of the offer very closely. Sometimes, however, marketers might simply try to trick you – and it can be hard to spot. Look again at the infographic…would you have known what charges were about to hit your credit card? If you use your credit card for a low-cost trial offer, be sure to check your credit card statement closely. If you see charges you didn’t authorize, contact the company and your bank immediately. And then tell us about it.

How scammers get rich through click fraud

Scammers always try to trick us to click on ads or visit websites that we don’t want to.
That’s called “click fraud” and it costs marketers all over the world billions of dollars every year.
It consists in generating clicks that don’t come from genuinely interested users or by hijacking clicks that were intended for a legit advertiser.
You may argue that it’s harmless, only wasted time, right?
Well, take those few cents that a scammer will earn from your click and add to the other millions of clicks that they managed to gather.
And that’s not all. You can end up with data-stealing malware or ransomware just by clicking on an infected banner.
So pay close attention to how you spend your clicks.

This is how clone phishing works

Clone phishing is less known, but just as dangerous as your “common” phishing attacks. That’s because it uses legitimate, previously delivered emails.

Here’s how it works:

The cyber attackers will use original emails and create a cloned (or almost identical) version.

Clone phishing emails may claim to be a resend of the original ones or an updated version of it.

What will be different: the attachment or links are replaced with a malicious version of the legit ones.

Clone phishing appear to come from the original sender and use a fake reply-to address.

It’s a strategy that works because it exploits the trust created from the original email.

What your hacked account is worth on the Dark Web

Next time you sign up for a new website and it asks for a password, or your favourite social media site nags you for a phone number, or a site you use every day pesters you to set up two-factor authentication, take a pause.

What’s going through your mind?

Are you getting ready to jump at the chance to tighten up your security? Itching to drum up another impenetrable 14 character password? Reaching for your password manager? Pulling out your phone ready to read the soon-to-arrive verification code?

Hey, you’re a Naked Security reader so perhaps you are.

But what about the next person? Many of them won’t be doing any of those things. They’ll pass up 2FA and stick with their go-to password of 123456 or qwerty, even though they know what a strong password looks like.

They’ll do it and stay safe, in their own mind at least, because Elliot Alderson and his ilk aren’t interested in their Netflix account.

Hackers in popular culture are ideological, FBI-dodging cyber-swordsmen who penetrate the armour of sophisticated adversaries using precise rapier thrusts.

The problem (of course) is that real life is messy, dull and rarely telegenic. In the real world we have to worry about real criminals who aren’t carrying rapiers and aren’t interested in kudos or ideology.

The adversaries we have to worry about when we’re choosing our Twitter or eBay passwords are in it for the money and their approach isn’t so much cyber-fencing as carpet bombing – it’s untargeted and it doesn’t matter who gets hit because it’s “how many?” that matters.

Our accounts aren’t compromised one by one, they’re cracked en masse or exfiltrated in the millions and then bought and sold online.

According to account monitoring company LogDog, who recently took a fresh look at this burgeoning part of the underground economy, it’s such a lucrative trade that there are Dark Web sites selling nothing but logins, not even credit cards.

There are now stores completely dedicated to selling only online accounts, without even offering credit cards for sale. Fraudsters, it appears, have discovered the financial potential in targeting various online services instead of just banks and credit card issuers.

As you’d expect in any marketplace, prices fluctuate based on supply and demand, and the value that criminals can extract from the accounts they buy. But everything has a price:

While Paypal has, and still dominates … it is now possible to find Amazon, Uber, eBay, Netflix, Twitter, Dell and many more … Any account that can generate fraudsters money, or even help them receive a service for free, has a demand in the cyber underground.

…Uber, for example, are sought after by fraudsters simply because they provide “free taxi rides”. Demand for adult entertainment accounts is high due to interest for self ­consumption.

…eBay and Amazon are sought after … to steal money or credits from these accounts … Compromised dating site accounts are also often exploited for romance scams.

And here, according to LogDog’s research, is what your account is currently worth on the Dark Web:

Service Min. Price Max. Price
Brazzers $1
Yahoo 70c $1.20
Gmail 70c $1.20
Dell 80c $2
Uber $1 $2
Netflix $1 $2
Walmart $2.50
Twitter 10c $3
Mate1 Premium $4
Amazon 70c $6
Ebay $2 $10
eHarmony $10
PayPal $1 $80

How to get through college with your data unscathed

College is a challenging, but rewarding time of our lives. But it’s also a time when youngsters can be reckless more frequently.

To make sure that your digital life doesn’t take a hit, here’s a useful checklist of what you should have in place:

  • Data backups (yes, that’s more than one)
  • Strong passwords (never reused)
  • Avoiding online piracy (not an impossible feat)
  • Strong cyber security awareness (phishers be phishing’)
  • Never sharing your credentials
  • Installing software updates as soon as they’re available (or automating them)
  • Using robust security software to protect your data from ransomware and other threats.

Information Sharing

Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the Department of Homeland Security (DHS) has developed and implemented numerous information sharing programs. Through these programs, DHS develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. DHS also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.


Combating Cyber Crime

Today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse. As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks such as corporate security breaches, spear phishing, and social media fraud. Complementary cybersecurity and law enforcement capabilities are critical to safeguarding and securing cyberspace. Law enforcement performs an essential role in achieving our nation’s cybersecurity objectives by investigating a wide range of cyber crimes, from theft and fraud to child exploitation, and apprehending and prosecuting those responsible. The Department of Homeland Security (DHS) works with other federal agencies to conduct high-impact criminal investigations to disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts, develop standardized methods, and broadly share cyber response best practices and tools. Criminal investigators and network security experts with deep understanding of the technologies malicious actors are using and the specific vulnerabilities they are targeting work to effectively respond to and investigate cyber incidents.

What To Do with That Found USB Stick

I found a USB stick in the street the other day. This is not the first thumb drive I have found, and apparently this is not an unusual event, as some reports indicate that dry cleaners find thousands of them (along with some more unsavory items) each year.

The ability to write malware code onto USB sticks is not a new phenomenon, and the “USB drop” technique is used by some security assessment companies to test staff awareness. There is even a smartly priced commercially available version of a USB onto which one can load customized code.

Curiosity killed the cat, the famous saying goes.
Curiosity may also get your computer infected with malware if you can’t resist it.

It turns out that most people would plug a USB stick they found on the street into their computers and will look at what’s on it.

Needless to say, this is WRONG.


Fake Publishers Clearinghouse scams | Consumer Information

by Lisa Lake

Most of us have seen those ads with Publishers Clearing House knocking on someone’s door with balloons and a big check for millions. It’s a life-changing moment marked by joyous tears. Dreams are about to come true.

But the FTC wants to be sure your tears are not sad ones and the dream doesn’t wind up being a nightmare, because scammers are pretending to be Publishers Clearing House and tricking people into sending them money.

Publishers Clearing House and the FTC have both gotten many reports about scammers using the Publishers Clearing House name to deceive people. Scammers call, claiming you’ve won the sweepstakes – but, to collect your prize, you need to send money to pay for so-called fees and taxes.

Paying to collect a prize is a scam. Every time. And scammers like to ask you to send money by Western Union or MoneyGram, or by getting a prepaid card or gift card. Why? Because it’s nearly impossible to trace that money – and you’ll almost never get your money back.

If you think you’ve won a prize, here are a few things to know:

  • Publishers Clearing House will never ask you to pay a fee to collect a prize. In fact, no legit prize promoter will ever charge you to win.
  • If anyone calls asking you to pay for a prize, hang up and report it to the FTC.
  • Never send money to collect a prize. It’s a scam.

And here’s another insider tip: Publisher’s Clearing House doesn’t call ahead to say you’ve won.

Did you send money to a prize scammer, or know someone who has? Report the loss immediately to the company you paid through (Western Union, MoneyGram, the prepaid or gift card company). And then tell the FTC.

The difference between malware, viruses and ransomware explained

It’s easy to get caught up in cyber security lingo, so we wanted to explain 3 key terms you often hear, so you’ll always know what they mean. Here goes:

Virus = a type of malicious software capable of self-replication. A virus needs human intervention to be ran and it can copy itself into other computer programs, data files, or in certain sections of your computer, such as the boot sector of the hard drive. Once this happens, these elements will become infected. Computer viruses are designed to harm computers and information systems and can spread through the Internet, through malicious downloads, infected email attachments, malicious programs, files or documents. Viruses can steal data, destroy information, log keystrokes and more.

Malware = (short for “malicious software”) is an umbrella term that refers to software that is defined by malicious intent. This type of ill-intentioned software can disrupt normal computer operations, harvest confidential information, obtain unauthorized access to computer systems, display unwanted advertising and more.

Ransomware = a type of malware which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Usually, there is also a time-limit for the ransom to be paid. There is no guarantee that the, if the victim pays the ransom, he/she will get the decryption key. The most reliable solution is to back up your data in at least 3 different places (for redundancy) and keep those backups up to date, so you don’t lose important progress.