February Cyber Bytes

Romance Scams

Source: National Cybersecurity Alliance - February 2022

It’s well known that people online aren’t always as they appear. However, tens of thousands of internet users fall victim to online romance scams each year, and it can happen to anyone. These scams can be incredibly convincing and are increasingly found across dating sites and social media platforms. Bad actors are very good at appealing to victims’ emotions and feigning personal connections, with the intention of stealing large sums of money and personal information. Luckily, there are ways to identify a scam and protect yourself and your family online.

Look for the red flags. Scammers can be very convincing; however, there are ways to identify a scammer, including, but not limited to, the following red flags:

  • There’s a request for money for urgent matters, such as medical expenses or a plane ticket. Never send money to someone you haven’t met in person.
  • Common forms of money requested by scammers are wire transfers or pre-loaded gift cards.
  • The person claims to live far away, overseas or be in the military.
  • The relationship is moving very fast.
  • They break promises to see you in person.
  • There’s pressure to move the conversation off the platform to a different site or text app.

Know what action to take. If you believe you or a loved one are the victim of a scam, it is important to take the following steps:

  • Cease communications with the scammer immediately.
  • Take note of any identifiable information you may have on them, such as their email address.
  • Contact your bank or credit card company if you think you’ve given money to a scammer.
  • File a police report.
  • Report the scammer to the FTC at ftc.gov and the FBI at ic3.gov.
  • Notify the website or app where you met the scammer.

Basic safety tips include:

  • Share with care: Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit how much of your own personal information you share.
  • Check your account settings: Consider setting your social media profiles to “private”. This will make it harder for scammers to target and communicate with you. A public profile will make it easy for scammers to find your profile and learn about you through old posts and photos.
  • Think before you act: Be wary of communications that push you for immediate action or ask for personal information. Never share personal information through email, especially if you do not know the sender.
  • Use reverse image search: If you are unsure if you are being scammed, do a reverse image search of the potential scammer’s profile picture. You may see that the image belongs to a completely different person or has been affiliated with different online identities.

Additional Resources include:

  • FBI: Romance Scams
  • FTC: What You Need to Know About Romance Scams
  • Norton LifeLock: Romance Scams Guide
  • Talk to your friends, family, and coworkers.
  • The National Cybersecurity Alliance created a Romance Scam Kit to raise awareness and spread the word about these types of scams.

UnitedHealthcare tied to RIPTA data theft incident as breach tally rises to 22K

Source: SCMedia – February 7, 2022, Jessica Davis

New information has come to light in the ongoing investigation into the Rhode Island Public Transportation Authority (RIPTA), after it was revealed that the data of 5,015 health plan beneficiaries was stolen during an August hack. The breach notice soon caught the attention of the state’s attorney general and American Civil Liberties Union over privacy and security concerns.

A state hearing into the incident last week showed UnitedHealthcare has been named as part of the state’s investigation, as it was the former health plan administrator for Rhode Island. Local news outlets revealed the health plan leadership did not show for the hearing, the absence explained by the ongoing state investigations. However, the meeting did reveal some key details, including that the initial estimated breach tally was incomplete: the exfiltration actually impacted 22,000 individuals, according to local news outlet WPRI. The discrepancy is due to the relationship the individual had with RIPTA.

The 5,000 individuals initially notified were employed by RIPTA; the remaining 17,000 were state citizens who received healthcare from the state but were not employed by RIPTA. The tally was determined by a manual review of over 40,000 impacted files following the discovery of the hack. The investigation and hearing stem from a recent notice detailing the theft of personal and health data from RIPTA over the summer. A hacker gained access to multiple computer systems two days before the intrusion was discovered, using the access to steal troves of sensitive information.

The trouble is that some of the informed individuals had no direct connection to the public transport authority, among other privacy and security concerns. As noted by the ACLU letter: “But worst — and most inexplicable — of all, the people who have contacted us are even more deeply distressed by the fact that RIPTA somehow had any of their personal information — much less their personal health care information — in the first place, as they have no connection at all with your agency.” The hearing also shed light on how RIPTA came to have the health data in the first place.

RIPTA tasked a number of employees with healthcare billing and health plan enrollment for transit employees, accessing a UnitedHealthcare portal through a secure link sent via email. The access enabled reconciliation for healthcare bills. Any downloaded files were automatically saved to a server and backed up every night, an official told WPRI. While state policy requires many departments to encrypt data, the rule does not apply to RIPTA. At the hearing, an official stressed the incident likely would not have occurred if data had been encrypted. The oversight committee also noted RIPTA should have done a better job communicating these issues to the public. Further, the hearing revealed that the Department of Justice and Department of Health and Human Services are currently working to decide which agency will investigate the incident. For now, the state is continuing to investigate and address underlying privacy concerns.

Finland warns of Facebook accounts hijacked via Messenger phishing

Source: Sergiu Gatlan - January 28, 2022

Finland's National Cyber Security Centre (NCSC-FI) warns of an ongoing phishing campaign attempting to hijack Facebook accounts by impersonating victims' friends in Facebook Messenger chats. In the alert, the NCSC-FI says that all Facebook users who received messages from online acquaintances asking for their phone numbers and a verification number delivered via SMS are the targets of this ongoing scam.

If they provide the information they're asked for, the attackers will take control of their accounts by changing the password and associated email address. Once hijacked, the Facebook accounts will target other potential victims from their friend list in similar scams. "In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency explained.

To successfully hijack their targets' Facebook accounts, the scammers will go through the following steps:

  • They first send a message from the previously compromised friend's account via Facebook Messenger.
  • They ask for the target's phone number, saying they want to help with registering for an online contest promising prizes of thousands of euros.
  • The next stage involves asking for a code delivered via SMS, allegedly sent by the contest's organizers to confirm the entry.
  • If the SMS confirmation code is shared with the scammers, they will use it together with the phone number to access and hijack the victim's Facebook account.
  • Next, they will change the account password and email address and start forwarding similar scams to the victims' friends.

"The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know," the NCSC-FI advised. "If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers."

Meta (formerly known as Facebook) has recently filed a federal lawsuit in a California court to disrupt other ongoing phishing attacks targeting Facebook, Messenger, Instagram, and WhatsApp users. The threat actors behind these phishing campaigns have used roughly 40,000 phishing pages designed to impersonate the four platforms' login pages. These actions are part of a long series of lawsuits Facebook filed against attackers targeting its users and abusing its platform for malicious purposes.

What is ATM skimming and how do you protect yourself?

Source: Libby Wells – Bankrate.com Oct. 19, 2020

ATM skimming is a type of payment card fraud. It is a way of stealing PINs and other information off credit cards and debit cards by rigging machines with hidden recording devices. Bank ATMs and payment terminals at gas pumps and other merchants are the targets of this scam. Thieves then use the stolen information to produce fake cards and spend victims’ money or take cash straight from their bank accounts.

“If they are able to retrieve the card number itself, it’s common to use those in online marketplaces or to sell the card numbers in batches to other criminal groups who may attempt to use them for fraudulent purchases,” says Nathan Wenzler, chief cybersecurity strategist at Tenable, a cybersecurity firm in Columbia, Maryland. Here is what you need to know about ATM skimming and how to protect yourself.

Methods of ATM skimming - Thieves employ several techniques to steal data that’s embedded in the magnetic stripe on credit and debit cards:

  • A plastic overlay placed over the ATM keypad captures PINs as they are entered.
  • An overlay placed over the card insertion slot records the data on the magnetic stripe.
  • Tiny cameras placed on an ATM record keypad entries and your fingers as you type.
  • An overlay that covers the whole ATM faceplate is embedded with cameras and card-slot and keypad overlays.

“Skimmers are getting harder and harder to detect, especially with the advent of 3-D printers and other inexpensive fabrication devices,” warns Wenzler.

Even chip-enabled payment cards, which are more secure than magnetic stripe cards, are vulnerable to theft. By placing a super-thin shim between the chip and the chip reader inside the ATM, thieves can capture your PIN and other card information. These devices are called “shimmers,” and as chip technology becomes more prevalent, they are starting to supplant skimmers as thieves’ choice tool.

How prevalent is ATM skimming? - You hear quite a lot about ATM skimming these days, especially at gas pumps. It’s a scam that costs consumers and U.S. financial institutions more than $1 billion each year. “ATMs and gas pumps are certainly the most common targets,” Wenzler says, “but customers should be aware and vigilant of any card reader anywhere, whether that’s restaurants, retail stores, coffee shops or wherever else you may swipe your card.” Wenzler notes that advancements in 3-D printers that can replicate an ATM’s card reader are making skimming cheaper, easier and more accessible to less sophisticated criminals. “Plus, they can sell or share these (skimming) blueprints with others, making it easier to scale up attacks wherever that particular model of ATM is used … This makes it even harder for law enforcement to track and trace who is performing these kinds of attacks,” he says. Also, wireless technology enables cyber-thieves to retrieve stolen PINs and other card data “without approaching the ATM ever again, making it very difficult to catch them in the act,” Wenzler says.

Ways to avoid ATM skimming - To avoid becoming a victim of ATM skimming and possibly having your bank account cleaned out, follow these tips:

  • Go with cardless ATM transactions. Using your smartphone and your bank’s mobile app, you can conduct ATM transactions from anywhere, without a physical debit card.
  • Use debit and credit cards with chip technology, which is more secure.
  • Run your debit card as a credit card transaction and don’t enter your PIN.
  • Avoid using a debit card if you have linked accounts. Use a credit card instead.
  • Use a mobile payment system such as Google Pay, Apple Pay, Samsung Pay or PayPal.
  • Check your bank statements regularly for suspicious transactions; get account alerts and notifications.

Besides using safer payment methods, there are some physical, common-sense ways to avoid being an ATM skimming victim:

  • Don’t use ATMs located in dark, out-of-the-way places, in bars and restaurants or in areas with lots of tourists. Go to your bank or inside a store to use an ATM.
  • If the ATM doesn’t immediately return your card after the transaction, waste no time in reporting it to the card issuer.
  • Look over the ATM for signs of skimmers or ask the store manager to do it for you.
  • Don’t use ATMs that have damaged or loose parts or look as if they have been tampered with. “Try wiggling the card reader area to see if it feels loose or if there is a ‘cover’ over it,” advises Wenzler. “That could be a sign of a skimmer having been placed on top of the actual card reader itself.”
  • Use a gas pump that is within view of the gas station attendant or pay inside.
  • Cover the PIN pad when you enter your PIN.

Beware of e-skimming - While some criminals skulk around banks and stores to attach skimmers to physical payment terminals, other criminals steal your credit and debit card data without getting out of their pajamas. “Cyber-criminals now practice the concept of digital skimming or e-skimming,” says Ameet Naik, security evangelist and director of product marketing at PerimeterX, a California-based cybersecurity company. “Instead of placing a physical device on the ATM, they inject a piece of malicious code into a website script that skims credit card numbers from checkout pages on e-commerce sites.”

When there is an online payment transaction, the business collects personal data from the buyer, explains Naik. This usually includes name, email address, phone number, password, payment card data and verification code. “This data is most vulnerable at the point of entry,” Naik says. The store, payment processor or bank is often not aware that skimming has occurred, Naik says, because the information was taken from the consumer’s device, not a company server. “The lack of visibility means that the attacks often go undetected for weeks or months, while hackers yield a rich bounty of credit card numbers to sell on the dark web,” he says.

Ways to avoid e-skimming:

  • Don’t enter your card number repeatedly on a website. “If your trusted merchant has an option to save the card number for future purchases, choose it so as to minimize the times you have to type in your information,” advises Naik.
  • Use alternative payment methods such as Apple Pay, Google Pay or PayPal so that you don’t have to type in payment card information. “However, consumers must ensure they use strong passwords to secure these services and avoid account compromise,” Naik says.
  • Be on the lookout for fake checkout pages that impersonate an online merchant. “Be especially wary of payment transactions that appear to fail,” warns Naik. “If that happens, immediately contact the card issuer who can place a fraud alert on your account.”
  • Monitor your credit reports and bank and credit card statements routinely for suspicious activity, and report it right away.

Bottom line:

Whether you are using a physical bank ATM, a point-of-sale terminal at a merchant or doing cardless ATM transactions, there is always a risk of fraud. Chip-enabled credit and debit cards are safer than magnetic stripe cards, but even those can be hacked. “Frankly, until we can move away from using magnetic stripes for transactions, the technology that creates skimmers will continue to advance and improve, resulting in more attacks against more devices against the globe,” Wenzler says. To minimize your risk exposure, follow the tips and advice outlined here and stay vigilant.

Here is how hackers are targeting Uber users

Source: WPLG Local10.com January 18, 2022

The victim of a scam shares how fraudsters fished for his code and accessed his wallet to give a $200 tip to a driver who never arrived.

MIAMI – James Carvalho said he was in a rush on Monday to get to the Miami International Airport to catch a flight for a business trip. He was waiting for an Uber driver when he received a text message that appeared to come from the sharing service.

Carvalho said he assumed it was a new Uber security feature and entered his code. It was a trick and the hackers took over his account. The Uber driver never arrived and they stole $200. “I always said I would never fall for it, and you know, of course, I’m running last minute to the airport, I’m trying to get there, I just want the car to get there,” Carvalho said. At first, the driver who accepted his trip sent him a message asking for his phone number. He didn’t think much of it and disclosed it because finding his high-rise building on Biscayne Boulevard can be challenging. He received a text message with a 4-digit security code that appeared to be from Uber and another message from the driver through the app.

“There’s a message saying, ‘I need your security code, your 4-digit code.’ Thinking Uber installed a new security feature, I sent them the 4-digit code,” Carvalho said. He also received another code via e-mail and he passed that along as well, but that was when he knew something fishy was happening. “I couldn’t believe I fell for it, I knew something was up. Went to try to open the Uber app, couldn’t get anything,” Carvalho said. The scammer had already changed his password and the e-mail address on the account and used two-factor authentication, so Carvalho was totally locked out of his account.

The scammer used Carvalho’s American Express to give the driver a $200 tip on what was supposed to be a $6 ride — that Carvalho didn’t even get. By Tuesday, Uber had refunded his money, but Carvalho wanted Uber to do more. He also wants all Uber users to be aware of the risks and take precautions to protect themselves. “You see the ride, it says it’s 5 minutes away, but you know it’s 10 and I just wanted the ride to get there, so I just didn’t think it through.” It remains unclear if the driver was the scammer or if the driver’s account was also compromised and the scammer was a third person. Uber said the incident is still under investigation.

Tips to avoid becoming a victim:

  • Use the app’s two-factor authentication
  • Don’t share your passwords or verification codes
  • Uber will never call or text users asking them to provide personal information
  • Only speak to drivers through the app; don’t give your phone number or email