Six tips to help prevent identity theft online

Private data such as addresses and other personal details can be just as valuable to cybercriminals intent on identity theft as valid credit card details can be to thieves – if not more so.

Knowing the name, address history and ID numbers of someone with good credit allows a thief to steal not just once – but many times.

What is shocking is how freely many people hand out data which forms the building blocks of identity theft.

A Microsoft survey of 10,000 consumers in 2014 found that the worldwide annual cost of identity theft and phishing could be as high as $5 billion – and the cost of repairing damage to people’s reputation online could be even higher: up to $6 billion, with the 10,000 consumers polled by Microsoft losing an average of $632.

The survey found that out of more than 10,000 consumers surveyed, 15% said that they had been a victim of phishing, losing an average of $158; a further 13% said their professional reputation had been compromised, costing on average $535 to repair; and 9% said they had suffered identity theft at an average cost of $218.

Thankfully, there are steps you can take both to check that your data is not already available in ‘the wild’ and to lock it down so that cybercriminals will (hopefully) ignore you in favour of easier targets.

1. Identity theft: know the warning signs

Signs that your identity details are being used for fraud include letters from your bank appearing to drop in frequency (identity thieves frequently change your banking address so that letters don’t reach you), and letters from financial institutions you don’t recognise.

Keep track of the dates that you normally receive bills and call your institution if you don’t. And always read anything from financial institutions you DON’T recognise.

It’s very easy to dismiss such letters as junk mail – but if you receive a letter from a loan company or credit card company, it’s worth reading to check that someone is not taking loans in your name.

2. If you are posting sensitive information, post it

If you are applying for a credit card, or sending a tax return, you’re sending enough information for a cybercriminal to make money from identity theft.

Don’t send it via a mailbox where it could be stolen (e.g. via an employer’s internal mail system). Go directly to a post office, and put it into the box yourself.

3. Even if you have been banking online for years, change the password

Your bank and credit card company passwords are among the most important ones you have when it comes to protecting yourself against identity theft – but if you’ve been using the same service for years, it’s easy to keep using the same old, weak password.

Change it. For an ESET guide to making passwords as strong as possible, click here.

If your site forces you to change your password periodically, do so using strong passwords.

Users often respond to such requests by adding the required special characters to the end of passwords, or adding numbers there instead. If your password leaks, this is among the first things a password cracker will try.

ESET Senior Research Fellow David Harley says, “This also applies where the site requires you to change your password periodically but allows you to do so by appending a number. Password cracking 101.”
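As an added illustration (not code from ESET or from the original article), the Python sketch below shows a check a site could run at password-change time to refuse the "same password plus a number" pattern described above. It assumes the change form supplies the current password in plaintext alongside the new one; the function names, the MIN_CORE threshold and the sample passwords are all constructed for this example.

```python
import string

# Characters users typically bolt onto either end of a password to satisfy
# a rotation or complexity rule (assumption made for this example).
AFFIX_CHARS = string.digits + string.punctuation + string.whitespace

# Shortest core worth searching for inside the new password. Shorter cores
# produce too many false positives (assumed threshold, tune per site).
MIN_CORE = 5

UNCHANGED = "new password is identical to the old one"
SAME_STEM = "only case or leading/trailing digits and symbols changed"
EMBEDDED = "old password (or its core) is embedded in the new one"


def stem(password: str) -> str:
    """Fold case and strip digits/symbols from both ends of the password."""
    return password.strip(AFFIX_CHARS).casefold()


def rotation_weakness(old: str, new: str):
    """Return a reason if `new` is a predictable rework of `old`, else None.

    Both values are plaintext as submitted on the change-password form;
    nothing here requires the site to store old passwords in the clear.
    """
    if new == old:
        return UNCHANGED

    old_stem, new_stem = stem(old), stem(new)

    # "Summer2014!" -> "Summer2015!" or "summer2014!!": same word, new suffix.
    if old_stem and old_stem == new_stem:
        return SAME_STEM

    # Old password wrapped in extra characters. When the old password has no
    # usable alphabetic core (e.g. all digits), fall back to the whole string.
    core = old_stem if len(old_stem) >= MIN_CORE else old.casefold()
    if len(core) >= MIN_CORE and core in new.casefold():
        return EMBEDDED

    return None


if __name__ == "__main__":
    # Constructed sample pairs: (current password, proposed new password).
    samples = [
        ("Summer2014!", "Summer2015!"),
        ("Summer2014!", "MySummer2014!x"),
        ("12345678", "123456789"),
        ("Summer2014!", "violet-otter-lamp-92"),
    ]
    for old, new in samples:
        verdict = rotation_weakness(old, new) or "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A check like this only catches reuse of the immediately preceding password; it complements, rather than replaces, a minimum-strength rule and a breached-password blocklist.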

4. If someone calls you, it’s THEIR job to prove who they are

Common identity theft scams often rely on you handing over the information willingly – in response to a call or email from your bank or another institution.

In these situations, remember that banks do not usually operate this way. It’s your right to hang up if you are suspicious that a call is an identity theft scam.

Most importantly of all, it is THEIR job to prove that they are calling from a bank, not your job to prove who you are. Emergency fraud alerts from a bank will not require you to hand over personally identifying information – that’s a clear sign that the fraud has yet to happen, and you are facilitating it.

5. Safeguard personal information in your home

Many of us will invite tradesmen and cleaners into our homes without a second thought, and check only for outright thefts of cash or jewellery – despite the fact that personally identifying information can be just as valuable if not more so.

If you invite people you do not know into your home, make sure that documents such as tax returns, credit card details and government identity certificates are kept under lock and key.

If your home has been burgled, be alert for identity theft frauds following steps one and two above.

6. Be wary of Facebook quizzes

It pays to be wary of oversharing on social networks generally – but anyone security conscious should also pay attention to the sort of content they click on.

Some people thought that Facebook quizzes might have peaked when Slate made the spoof, ‘What kind of Buzzfeed quiz are you?’ But some of these quizzes are not just boring – they’re risky.

As ESET Senior Research Fellow David Harley notes here, some of these quizzes appear to harvest data which might be extremely useful for criminals – and some quiz companies have previously been caught selling data to advertisers such as drug companies from health-related quizzes.

The same applies double to any raffle, money-off offer or freebie offered through Facebook – if you find yourself handing out the same data you’d enter when applying for a credit card, do not hit Enter.

Leave the page, close your browser, and walk away.

Even IT Pros guilty of risky selfies on their mobiles

ESET study reveals many IT professionals are guilty of storing indecent material on their mobile phones, which would leave them embarrassed if lost

It appears that Jennifer Lawrence is not the only one with problematic photos on her mobile device. According to a new survey from ESET, 39 percent of the UK’s leading IT professionals have also confessed that if they were to lose their phone, some of the photos and information they have stored on the device could compromise them.

The survey, which was carried out at IPEXPO in October and studied the attitudes of 500 IT professionals, also revealed that 46 percent of respondents admitted that if they were to lose their phone with work information on it, and it was subsequently hacked, it could jeopardise or compromise their company. But that’s not all. A worrying 15 percent of respondents said they are not confident that the photos they take on their phone are not being streamed to other members of their family. Let’s just hope that they are not taking pictures of anything too sinister, or they could find themselves in the same position as Cameron Diaz was in her latest movie ‘Sex Tape’.

The recent news around celebrity phones being hacked and their images being stolen and posted online should act as a warning. Mobile phones are a very attractive target for cybercriminals as they hold so much information. Phone users should be very cautious with what content they have stored on their device.

Other concerning findings from the study revealed that despite most respondents admitting to storing compromising data on their mobile, 22 percent do not have a facility to remote wipe their device.

ESET’s security experts recommend: “A remote wipe facility is really your only piece of insurance against a lost phone. It essentially means that if you lose your mobile phone, you could log into a PC and remotely delete all the data stored on the device. This means that anyone who finds the phone will not be able to access any of your personal information. If you choose to store data on your phone which has the potential to compromise you, if it ended up in the wrong hands, you should deploy a security solution which offers a remote wipe facility.”

In order to help protect data on mobile devices, ESET recommends the following steps:

  • Use a password on your phone at all times
  • Restrict how long you keep emails for on your phone – don’t store things unnecessarily for more than a couple of days
  • Restrict the amount of information you keep on your phone
  • Delete any photos you don’t need and download them frequently to your own computer, where you can store them safely
  • Be mindful of where you are streaming your photos
  • Make sure you do back-ups frequently and check that they are actually being backed up and working
  • Try wherever possible to have remote lock and remote wipe available for your mobile phone. Lock the device if it’s lost, then wipe it if needed. Always bear in mind it’s unlikely you will get your phone back after it’s lost

Interview: Windigo victim speaks out on the ‘stealth’ malware that attacked his global company

Operation Windigo was one of the biggest operations against a criminal gang of this year – led by ESET with help from law enforcement and scientists from around the world, including Europe’s CERN (the organization behind the Large Hadron Collider). It highlighted a new, dangerous threat, where criminals target UNIX servers to redirect victims – and successfully took over thousands of servers and sites around the world.

Pierre-Marc Bureau, Security Intelligence Program Manager, says, “The malicious gang is using these servers to send spam, redirect web traffic to malicious content, and steal more server credentials to widen their operation.” At its height, Windigo sent 35 million spam messages a day and redirected 500,000 web users to malicious sites. A detailed analysis of the malware and techniques used, and the ongoing battle against Windigo, can be found here, written by Bureau. ESET researcher Olivier Bilodeau chronicles the ongoing battle against Windigo here.

The victims often never knew they were infected. Even today ESET blocks thousands of redirects from infected servers – and this arduous research has thrown light on a new, sinister face of cybercrime.

ESET researchers have helped many companies identify and neutralize the infection, and this effort goes on today. Francois Gagnon, whose company was targeted, reveals what happened when this novel, emerging threat took hold of his large company.

Bureau says, “ESET has invested months of efforts to analyze, understand, and document Operation Windigo. At the peak of analysis activity, six researchers worked on the investigation. We are very proud of the current results and we continue to monitor the situation. All servers have not been cleaned and the malicious gang behind the operation is still in control of significant resources. There is still a lot of work to do!” Veteran security researcher, writer and We Live Security contributor Graham Cluley says that at one point half a million PCs were attacked a day. Most victims remained unaware.

Francois Gagnon, owner of a business whose servers in France and Canada fell victim for weeks, explains how a large business can fall prey – and not notice.

Were you aware that this sort of attack was possible?

Like most businesses of our size, we knew criminals ‘sniffed around’, but had never been the subject of a serious attack. To begin with, we didn’t realize what it was. But this did not feel like something really offensive. It was running in the background pretty silently. No crash or anything happened. I think that’s why it had infected so many servers before people started to react.

Did the nature of the attack surprise you?

One of the first things you learn in any form of hi-tech business is that anything is possible. But we knew from the start that Windigo was something different. It was subtle. No one stole our database – the first we heard was that suspicious behavior like random redirections in some websites were mentioned by some customers.

When did you realize that something very bad was happening?

We discovered that some of our servers were on Email Blacklists – used to pick out spammers. We knew that our system had sent spam. Our customers also mentioned that some of our sites – we have 2,000 – were randomly redirecting customers. It was customer complaints that helped us realize something was badly wrong. Some suspicious behaviors like random redirections in some websites were mentioned by some customers as well.

Just how ‘stealthy’ is this infection – how long did it take you to realize you were a victim?

I suppose we have been infected a few weeks before we realized what was going on. We pushed our investigation further and realized that most servers had been infected after we had opened tickets with cPanel. Their servers were infected and they infected our servers using SSH connections to us.

How did you react? Did you fear your business was under threat?

We rapidly went from not worrying to the worst worry of all – that it was an advanced threat, targeted specifically at us. We run a dozen servers and 2,000 sites. At the beginning we thought that it could be a targeted attack, but we quickly understood that many other businesses were running through the same issues. Plenty of people were talking about those strange behaviors on many forums.

Did you work closely with researchers on this – when did you realize that there were so many other victims?

We were quickly contacted by ESET and were told about how big this infection was and quickly started to work very closely with the research team. We cleaned infected servers but kept some intact for ESET’s investigation. Marc-Etienne of ESET offered advice – clean the server and reinstall. It’s a harsh cure, but we did it. We have now cleaned almost all of our infected servers and re-installed. We worked closely with ESET’s team, and some servers were used to help the researchers understand the infection. We have now reinstalled most of them.

Why were you targeted?

That is easy. We have a lot of servers, and many customers in France and Canada.

Why do you think your business was targeted?

Simply because we have many servers, and many customers in France and Canada. Thanks to the quick action of ESET, our company’s reputation was not damaged – we listened to our customers and acted. We did not suffer severe financial loss, either.

What are your feelings towards the gang behind this – and the companies still suffering?

This attack is big. Many web hosting companies were infected and didn’t even know what it was. They were told by cPanel to reinstall – and that was it. That was all the help we got. We were lucky. We worked closely with ESET, who helped put it right, and I hope we helped in turn with the Windigo project.

What is the status of your company now?

We are fully operational. We have always been cautious and took seriously any strange or suspicious behavior. If the government took these kinds of attacks more seriously and invested more money to help companies such as ESET it may prevent some attacks.

At his request, We Live Security used a fake name for our interviewee. The gang behind Windigo is still at large and reprisals are a possibility.

ESET will not end Windows XP products support

After 8th April 2014, Microsoft will no longer provide system updates for Windows XP.
ESET will support the Microsoft Windows XP versions of ESET products at least until the end of April 2017.

Q: What exactly happens on April 8, 2014? Will Windows XP stop working?
A: On April 8, 2014, Microsoft will release its final security updates for Windows XP, and stop providing support and fixes for it. The operating system will still function the same way it has, and all old updates and fixes will still be available. Regular system updates are used to repair exploits and patch existing security vulnerabilities.

Q: Will ESET products and virus definitions on Windows XP still be updated?

A: Yes. At least until the end of April, 2017 ESET will maintain support for customers with ESET products installed on the Windows XP operating system and will continue to offer the following services during that period:

  • Regular virus signature updates for the latest threats
  • Consistent updates to other parts of the antivirus engine
  • ESET Customer Care support requests

Currently, ESET still supports and provides updates for endpoint products that work with Windows NT 4.0 and Windows 2000, which reached end of life (EOL) status in 2004 and 2010, respectively.

Q: Will all versions of Windows XP cease being supported by Microsoft after April 8, 2014?
A: No, not all. Windows XP Professional for Embedded Systems, a special version of Windows XP used in devices such as cash registers, ATMs and ticket machines, etc., will be supported until December 31, 2016. However, that date is fast approaching and if you have devices running XP Embedded you will eventually need to replace or update them.

Q: Are other Microsoft programs going to cease being supported?
A: Microsoft Office 2003 will no longer be supported after April 8, 2014. The next major end of life date is July 14, 2015, which is for Windows Server 2003. If your office has any servers left running Windows Server 2003, you should be planning on updating or replacing them as well.

Q: I have to run Windows XP and cannot upgrade or replace my PC. Is there anything I can do to protect myself?
A: Make sure that your copy of Windows XP is fully patched and all your applications are on the latest versions with the latest patches as well. Please note that while your service from ESET will not change, your system could become more vulnerable to threats because it will no longer receive regular system updates from Microsoft.

We recommend that you use the latest version of your ESET product to maintain the highest degree of protection possible with the non-updated Windows XP operating system.

To maintain the highest level of security, we recommend that you upgrade your operating system or move your important data onto a computer with a more current operating system.

by Urban Schrott and Aryeh Goretsky

ESET’s Threat Trends Predictions 2014: The next battle for internet privacy, a new assault on Androids, and a new wave of hi-tech malware

Each year, ESET releases its Threat Trends Predictions report for the coming twelve months, written by our global network of security experts, and based on wide-ranging analysis of trends in cybercrime and malware. This year’s report centres on three key trends, the first and foremost being privacy – the others being threats to mobile devices, and new, hi-tech malware targeting PCs and other devices in the home. You can download the full 35 page report Trends for 2014: The Challenge of Internet Privacy (.PDF).

The reaction to Edward Snowden’s revelations concerning the activities of the US National Security Agency (NSA) demonstrates that Internet users really do care about digital privacy and security. Our report analyses how users can protect their information – but ESET experts warn that ensuring data is locked down (by the use of encryption, for instance) is merely the first step towards real security.

“The challenge to internet privacy has not meant a decrease in cases of people affected by any malicious code or other kind of computer threat,” the researchers write. “Concern about privacy is a good starting point, but it is essential for people to be aware of all aspects of Information Security. Otherwise, it is not possible to mitigate the impact of computer threats.”

Next year will also see an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013. This trend is predicted to continue in 2014. ESET Research Laboratory points out that malware afflicting Android now uses classic PC attack methods – the discovery of vulnerabilities, then their exploitation through malicious code.

Filecoders such as the ransomware Cryptolocker have been one of this year’s most notorious attacks, one that is still spreading worldwide. More such malware is expected in 2014. Likewise, Bitcoin and other e-currencies will remain a target for cybercriminals – but gangs may cast their nets wider, and threats against devices such as smart cars, games consoles and smart TVs may loom on the horizon.

The use of DDoS as a means of protest will continue to grow, particularly by people unhappy with the surveillance activities of governments and events in the Middle East. Indeed a lot of hacking as well as DDoS for activist purposes is predicted in 2014; so, expect a lot of attacks against high profile, controversial targets, especially national and local governments and their infrastructure.

Detailed info available in ESET Ireland’s Blog post 2014 security and privacy predictions

2014 security and privacy predictions

Have you been wondering what trends in security and privacy ESET researchers are predicting for 2014? The following is a sampling, a year-end snack plate if you will. (Later in the month we will also be serving a main course of 2014 predictions in the form of a whitepaper from our colleagues in Latin America.)

Perennial readers of the ESET blog will know researchers do not relish making predictions, and yet each year we make them. Why? Because some people ask nicely, and because there is some practical value in looking ahead at where future attacks on information systems might come from, and in what form. Sometimes we name trends that are already in motion, like Bring Your Own Device, which has been a trend for several years. But we only draw attention to an ongoing trend if we think its persistence has implications for security and privacy (for example, one of our researchers sees the increasing diversity of cheap smartphones adding to the BYOD challenge).

2014 predictions

First up is ESET Distinguished Researcher Aryeh Goretsky who predicts that, as locked-down computing environments such as iOS and Windows RT come to the fore, we will see criminals increase their focus on identity theft. In other words: “Why 0wn the computer when you can 0wn the p3rs0n?”

Aryeh also observes that, while biometric authentication–such as a fingerprint reader–has largely been a feature of corporate computers, we now have the first widespread consumer computing device to incorporate this technology–the Apple iPhone 5s–and we will begin to see fingerprint sensors become increasingly common in other consumer computing devices. Aryeh suggests we will see this first at the higher “prosumer” end of the market, and then increasingly in less expensive devices, as the cost of sensors decreases. Low end devices will still probably not have these in 2014, partially because of cost and partially because of market segmentation reasons.

A third Goretsky prediction is that research into UEFI rootkits will continue, and we will probably see a handful of proof-of-concept demos, largely device or manufacturer-specific and due to flawed implementations of the standard or from improper key management by manufacturers. Or both.

Weighing in from the Netherlands, ESET Senior Research Fellow Righard Zwienenberg predicts the trend for Bitcoin to become more and more popular and valuable will continue. However, illicit Bitcoin-miners as well as Bitcoin-stealers will also increase. Righard suggests that, as Bitcoins become more valuable, and because they are untraceable, operators of ransomware scams will increasingly demand payment in Bitcoin.

Righard also thinks 2014 will see a gradual increase in IPv6 installations along with the associated implementation faults that will allow some taking over of networks and systems.

A third Zwienenberg prediction is that the BYOD trend will get even larger due to more and cheaper (non)branded devices, making CYOD more needed than ever (see ‘From BYOD to CYOD: Security issues with personal devices in the workplace‘). Consequently, there will still be a big need to convince the people about the right device policies and security measures.

Weighing in from the redwood forests, ESET security researcher Cameron Camp predicts that the convergence of payment systems on smartphones and other mobile devices will increase the value of them as a target, and scammers will spend more effort aimed at financial fraud on these platforms.

Cameron also sees nation states moving closer to drafting digital truces between trading partners in response to escalating tensions and the underlying need to continue strong trade in a semi-protected fashion. This is analogous to naval trade routes, where protecting cargo vessels carrying goods was deemed critical for semi-open worldwide trade, and therefore subject to various safe harbors, rules of engagement, etc.

Mr. Camp also predicts a year-long escalating cat-and-mouse game between anonymizing technologies (and related crypto products) and those who try to break into them in various fashions and with various motives. This will result in a bevy of new and novel technologies hitting the streets in an attempt to reclaim some modicum of the expectation of private communication, for better or worse (depending on one’s point of view).

ESET security researcher Lysa Myers sees the use of DDoS as a means of protest continuing to grow, particularly by people unhappy with the surveillance activities of governments and events in the Middle East. Indeed Lysa predicts a lot of hacking as well as DDoS for activist purposes in 2014; so, expect a lot of attacks against high profile, controversial targets, especially national and local governments and their infrastructure.

David Harley, ESET Senior Research Fellow, thinks cyber criminals will pay more attention to finding vulnerabilities and potential exploits in mobile operating systems. This will be driven, in part, by the convergence of payment systems on smartphones and other mobile devices that Cameron mentions.

Mr. Harley also thinks that, as the use of mobile devices–especially smartphones–as a means of strengthening privacy by two-factor authentication becomes more common, it will become more important to consider the use of other kinds of security software (where available) to reduce the risk of other attacks, including the interception of financial and other sensitive transactions.

Another Harley prediction is that post-Snowden concerns about whether providers are sharing cloud-stored data with government agencies–voluntarily or through enforcement of legal processes–will revive questions about the geographical location of data and cloud storage and processing. Older concerns about differing approaches to data privacy will flare up due to fresh mistrust and tensions between nations, not only between European and other nations, but even between European nations with differing views on how to counter terrorism without infringing on the privacy of their citizens. The General Data Protection Regulation, which among other things will aim to extend European Community data protection principles (see European Union Directive 95/46/EC) to countries outside the Community, is expected to be adopted in 2014. But it may not be compatible with sending data to be processed in countries where government rights to carry out surveillance are seen as excessive.

Finally, a few predictions of my own, starting with an educated guess about basic phishing attacks against consumers in developed countries. These will continue to be conducted from less developed countries where such activity is tolerated because it provides revenue to an under-employed citizenry.

A popular computer magazine asked ESET for one big and bold prediction for 2014 and my money is on: Cryptowar! An unprecedented level of interest in encryption products due to continuing revelations about state-sponsored surveillance of companies and consumers.

I will end this buffet of 2014 predictions with the first Internet fumble! I predict a small but not insignificant percentage of current Internet users in developed countries will scale back their online activities in light of continuing revelations about state-sponsored surveillance of companies and consumers. This and other aspects of the “Snowden effect” will not do the economy any good. I leave you with an illustration of what happened to Cisco’s stock price after it publicly referenced the “NSA effect” on future sales.

Author Stephen Cobb, We Live Security

Nearly one in four Irish lost money online!

ESET Ireland’s latest survey reveals 22 per cent of Irish have already lost money to cybercrime, which could mean they have suffered up to €300 Million of financial loss because of it.

Everyone knows virus infections occur, cards get abused, scams happen. But the prevailing sentiment is still that it’s something that happens rarely and it’s primarily just a nuisance. ESET Ireland’s latest survey reveals it has likely happened to someone you know and it actually cost them money.

Cyber-threats can incur financial damage in many ways. From the costs of having an infected computer repaired, or having your credit card abused online, to the recent wave of ransomware infections, which lock your files and demand a ransom to unlock them.

ESET Ireland commissioned a survey in October, carried out by Amárach Research on a thousand Irish adults, which asked whether they ever suffered financial loss and how much, because of cyber-threats, consisting of repairing an infected computer, having their credit/debit card abused, being victim of an online/phone/text scam or a target of hacking, etc.

While 78% said they suffered no loss (or didn’t use a computer), the 22% who did, which is nearly one in four people, represent a very significant percentage. With 9% having lost up to €50 and the Irish population currently being at about 3,5 Million adults (the survey only covered the adult population), this translates into 315000 people having lost up to a total of over €15 Million just for the first group! And if we add up all the numbers and losses of all others, from the top 9% to the bottom 1% who lost over €3000 (if 10 out of 1000 told us they lost over €3000, in the whole of Ireland that could mean 35000 people with a total of over €105 Million in costs?), the final statistical estimate of Irish direct and indirect cyber-crime damages could be beyond €300 Million.

The demographic breakdown is also interesting. Dublin and the rest of Leinster seem to be the safest, with 19% having suffered losses, while Connaught and Ulster seem hardest hit, with 30% having lost money already. Females and the older generation seem to be more cautious, with 20% females versus 24% of males and the older age group of 45-54 with 19% versus the younger group of 25-34 with 27% having suffered financial consequences of their online activities. In one of our previous surveys we have found out that 54% of Irish computer users have already suffered a malware infection, 15% had their credit/debit card abused, and 14% were victims of online or phone scams.

All these numbers should really convince people to start taking computer security a bit more seriously, as a survey we did on online behaviour actually revealed the situation has got worse in the last 2 years!

What to do?

  1. Keep your system and your antivirus software patched and up to date.
  2. Don’t open suspicious files, go to suspicious websites or download suspicious pirated materials, and particularly if your antivirus warns you you’re about to open something dangerous, do take its warning seriously. Think before you click!
  3. Be very careful with your online banking and credit card information, if you’re unsure of anything you’ve received online, just ring your bank and ask!
  4. Stay informed about latest threats (on blogs like ours), so you know what to avoid. Bad guys that are after YOUR money are always thinking up new ways to scam you.