Weekly SEA

Don’t Give Away Historic Details about Yourself
Comment: Across various social media platforms, users are commonly enticed by quizzes and surveys that ask seemingly harmless personal questions; however, answering these questions truthfully could put online accounts at risk of compromise. Bank accounts, social media platforms, and many other online services use knowledge-based authentication (KBA) questions such as “What was the make and model of your first car?” or “What was the name of your first grade teacher?” as a security measure to verify account holders. When users reveal the answers to these questions on quizzes or public social media posts, they are providing unknown entities with answers that could be used to bypass and reset passwords for online accounts. For this reason, when you encounter these types of quizzes and posts, refrain from providing truthful answers and warn others about the risks of revealing such information.

Scams Plague Glen Rock Residents: Police Blotter
Comment: Officials in Glen Rock, New Jersey are warning residents of a number of social engineering schemes impacting the area. Profit-motivated criminals are attempting to take advantage of unsuspecting victims through lottery scams, “secret shopper” scams, and wire transfer fraud. No matter if the request is received through snail mail, email, or over the phone, we encourage our members to never provide personal information or payment in any form to unknown or unverified solicitors. Be sure to spread awareness of these types of scams to friends and loved ones, especially members of the senior citizen community who can be particularly trusting of others and, therefore, vulnerable to social engineering schemes.

Weekly SEA

New Play Store Scam Uses Google’s Own Pop-Ups to Steal Money
Comment: A new scam has surfaced targeting Android users who have payment card information registered with the Google Play store. This particular scam relies on the complacency of users who click “Confirm” on pop-ups without reading the developer’s terms of use to trick unsuspecting users into agreeing to a weekly subscription charge on their associated payment card. This incident emphasizes the importance of thoroughly researching new products – especially software, apps, and online services – and carefully scrutinizing their Terms and Conditions prior to use to help protect personal information and avoid unexpected charges.

Craigslist Scam Aimed at Wanaque Cops Failed, Becomes Teachable Moment
Comment: Although Craigslist and other online marketplaces provide an easy way for people to sell their unwanted or unneeded items quickly, they also provide scammers with an easy way to exploit unsuspecting sellers and trick them into accepting stolen funds and fraudulent checks. In this article, an officer of the Wanaque Police Department posed as a seller on Craigslist and engaged a scam artist in conversation to demonstrate the techniques they use when posing as would-be buyers. We recommend all potential and current online sellers review this article and the Wanaque Police Department’s Facebook page for a helpful list of “red flags” to prevent becoming a victim of this and similar scams.
The Latest Hard-to-Believe Scam? Roving Thieves Stealing your Medical Identity
Comment: Every day, crafty social engineers find new ways to try to gain access to people’s sensitive, personal information. This latest ruse involves perpetrators who masquerade as government employees and ask victims to take pictures of their driver’s licenses and health insurance cards. Once they snap the picture, these criminals can use this information to commit identity theft and insurance fraud, using victims’ medical plans to submit phony or inflated claims. Remember to never share personal information with any individual who requests or demands it, unless proper identification is presented. Also, monitor your health insurance claims for any suspicious activity and report any discrepancies to your health insurance provider as soon as possible.

Weekly SEA

The 5 Latest Scam Emails You Should Avoid
Comment: The most effective phishing campaigns typically exploit well-known company names and logos in their email messages and are repeatedly used by scammers to deliver malware or steal personal information from victims. Maintaining awareness of the latest and most common email-based threats can help reduce the risk that you will take an action leading to the compromise of your accounts, systems, or networks. Approach all unsolicited email messages with a healthy dose of skepticism and be sure to log into personal accounts directly by entering their URLs into your web browser rather than clicking on a link in an email, text, or social media message.
Popular Tax Software May Expose Users to Phishing Attacks
Comment: With the 2018 US tax deadline approaching, some of the most popular tax software providers may not be doing enough to protect their customers from phishing attacks. According to Philip Reitinger, president and CEO of Global Cyber Alliance, “One of the best ways to stop phishing is to deploy DMARC.” All email administrators are encouraged to implement DMARC to help reduce the threat of phishing and protect their users, clients, and customers from email fraud. More information about DMARC is available at DMARC.org.

Weekly SEA

Cybercriminals Spotted Hiding Cryptocurrency-Mining Malware in Forked Projects on Github
Comment: With cryptocurrency-mining malware on the rise, attackers are finding new ways to hijack the computing resources of unsuspecting victims. This method uses phishing techniques to trick users into clicking on ads which prompt the installation of a fraudulent Adobe Flash Player update. Users should refrain from clicking on pop-up advertisements and only install software from a trusted source, such as the vendor’s official website.

Yet Again, Google Tricked into Serving Scam Amazon Ads
Comment: This is not the first time that a search engine has displayed a malicious advertisement within the top search results. In this instance, a top Google search result for “Amazon” directed users to a scam site that mimicked authentic Apple and Windows support pages. Always be wary of unsolicited phone calls or computer pop-up messages prompting the installation of remote access software as these are common tactics designed to give scammers full control over your device. 

Weekly SEA

Phantom Debt Phone Scams Increasing in Bergen County: Prosecutor
Comment: Bergen County officials are warning residents about an increase in phone scams that threaten victims with fines over non-existent debts. These callers are pretending to be representatives for law firms, judges, court officials, and debt collectors. Never share personal and sensitive information over the phone during an unsolicited call and remain suspicious of any caller that requests immediate payment, especially if they request the payment in the form of a gift card or prepaid debit card. 

Don't Fall for Fortnite Invite Scams!
Comment: Popular products and services can be attractive lures for malicious actors to use to trick victims into performing an action such as clicking a link, visiting a website, or opening an attachment. Always investigate promotional offers before acting on them, especially if they are shared via email or social media. Verify email addresses and social media profiles to make sure that they are not spoofed accounts.

Weekly SEA

IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies
Comment: IBM X-Force Incident Response and Intelligence Services (IRIS) recently identified malicious groups actively targeting Fortune 500 companies using business email compromise (BEC) scams to steal financial assets. These threat groups, believed to be based in Nigeria, employ these tactics to trick their victims into transferring millions of dollars into fraudulent bank accounts. The phishing emails are typically sent from spoofed accounts and designed to mimic legitimate correspondence from the company’s vendors or clients. However, the groups use them to request changes in payment procedures, such as asking that new payments be sent to an “updated” account number. As BEC scams can employ sophisticated tactics to fool victims, businesses are strongly encouraged to implement account security features such as multi-factor authentication, observe strict wire transfer policies, and verify vendors and clients prior to conducting any financial transactions.

Oscar Scams Ran Wild Thanks to Twitter Bots
Comment: On Sunday night during the Academy Awards, an extensive social media spam campaign ran rampant on Twitter lasting until Monday morning. Celebrities who used the platform during the ceremony to post messages were impersonated by bots that would respond to both the targeted celebrities and their fans in an effort to spread malicious URLs. Social media platforms are used by a range of malicious actors to trick unsuspecting victims into clicking malicious links. Social media users are urged to use caution when clicking on any links shared through the platform, even if they are posted by someone the user knows personally, as they could lead to phishing sites or result in the installation of malware on the user’s system.

Weekly SEA

‘Secret Shopper’ Fake Job Scam Hits LinkedIn
Comment: Popular social media platforms are commonly abused by scam artists who post fraudulent “wanted ads” in an effort to exploit job-seekers. Some scammers even use hacked accounts of legitimate users to fool their contacts into thinking the offers are coming from someone they know. They hook victims with the lure of fast, easy money for little or no effort. To avoid becoming a victim of these types of scams, always remain skeptical of any offer that seems too good to be true and never participate in the transfer of funds to and from your personal accounts at the request of people you do not know or via any unexpected online request.

New Online Scams Target Soldiers, Army Warns
Comment: The Army Criminal Investigation Command is warning soldiers and the public of a scam in which soldiers’ identities are being used to conduct fraudulent sales. In these schemes, the perpetrator typically tries to sell high-priced goods to victims at unreasonably cheap prices and includes a poignant story designed to manipulate victims into acting quickly on the offer. The criminals behind this scheme are using data from official websites and social media profiles to appear legitimate and impersonate real soldiers. Officials recommend monitoring personal online identities and promptly reporting any fraudulent accounts to the associated website. Limit personal details shared online and tighten privacy settings on all accounts. Only purchase goods from reputable sites or individuals whose identities can be easily verified and carefully scrutinize any product being sold at a steep discount.

Weekly SEA

Phishing Attack Swipes Credentials from More than 50,000 Snapchat Users 
Comment: Over 50,000 Snapchat user credentials were stolen in a phishing attack after targeted victims clicked on a malicious link sent to them from a compromised Snapchat account and entered their login credentials. To protect yourself from falling victim to this and similar scams, never click on links in unexpected and unsolicited messages and never use these links to log into personal accounts. Additionally, enable multi-factor authentication on any account that offers it to protect those accounts from unauthorized access resulting from compromised credentials.

Hoboken Police Warn of Check Scam after Woman Loses $2K 
Comment: Hoboken police have issued a warning after a female resident was scammed into depositing a bogus check and using the fraudulent funds to purchase $2000 worth of eBay gift cards. After completing a survey she received from a LinkedIn contact, the woman reportedly received a $2900 check and was instructed to immediately use a majority of the funds to purchase the gift cards and send them to the scammer behind the scheme. The fraudulent check bounced, leaving the woman on the hook for the $2000 she spent. To avoid becoming a victim of this or similar scams, avoid depositing large and suspicious checks from unknown sources, especially if there is a request for a withdrawal or purchase using the check’s funds immediately following the deposit.

Weekly SEA

It Begins with: ‘I Know You Cheated on Your Wife’
Comment: Some phishing campaigns include emails with salacious and sensational subject lines designed to elicit emotional reactions from recipients and convince them to click on an embedded link, open an attachment, or pay an extortion fee. In this particular scheme, hackers claim to have evidence that the recipient has had a marital affair and threaten to release the information to the recipient’s spouse, family, and friends if specific financial demands are not met. However, there is no evidence to suggest that there is any validity to their claims and recipients of these types of emails are encouraged to delete them without taking any further action.

Study Shows which Phishing Attacks Most Successful 
Comment: A study conducted by KnowBe4 found that some of the most successful phishing campaigns included subject lines referencing delivery attempts, UPS tracking numbers, required password updates, and notifications related to unusual sign-in activity. Users must be especially wary of messages that include any of these topics in the subject line and should refrain from using links provided in unsolicited emails to visit websites requiring the input of personal information or account credentials. 

Weekly SEA

Four Common Email Scams and How to Stay Safe Online
Comment: Email-based phishing attacks are one of the most prevalent cyber threats today because they can be an effective way for hackers to manipulate victims into divulging sensitive information. Anyone can be duped by a phishing scheme which is why education and awareness are key to reducing one’s risk. This article highlights four common phishing scams and provides information on how to spot them and avoid falling victim. When handling email, a good rule of thumb is to remain skeptical of any links or attachments contained within unexpected or unsolicited emails.

IRS Scams Ramping Up in Morris County, Police Say
Comment: Morris County officials are warning residents of an increase in IRS scam calls in which the callers accuse victims of owing back taxes and then threaten them with jail time if they don’t pay immediately. Although these phone calls may initially seem legitimate, especially if the caller uses spoofing techniques to make the caller ID display the real number of the IRS, it is important to remember that this type of call will always be a scam. Recipients of these types of calls are urged to immediately hang up and file a report with their local police department. Never divulge any personal or financial information during unsolicited calls and remember that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers. 

Weekly SEA

Scotch Plains Family Loses Thousands to Phone Scammers
Comment: Before acting on any request for money or personal information, whether the request was made over the phone or via email, do your due diligence and research the person or organization making the request, especially if the requestor tries to create a sense of urgency or the requested payment method is unusual. Search phone numbers and organization names online to see if there are any posted complaints from other victims and avoid sending money to people you don’t know via gift cards, prepaid debit cards, or wire transfers. If you are a victim of a phone scam, contact your local police department immediately.

Hackers Are Con Artists: The Perils of Social Engineering
Comment: Hackers often rely on the trusting nature of their victims combined with the element of surprise in order to circumvent security controls and gain access to valuable and sensitive data. This is why phishing schemes remain so prevalent and phone scams such as the Windows Tech Support scam have worked so well against so many people. Sophisticated social engineering schemes can fool anybody – even security professionals – so we always advise using available security tools such as multi-factor authentication to prevent unauthorized access to accounts and reputable antivirus software on all systems and devices.

Weekly SEA

Phishing Remains Top Cyberattack Method
Comment: No organization can fully protect itself against the threat of phishing; however, organizations can reduce their risk by educating their employees about the different tactics social engineers use to obtain sensitive information and gain unauthorized access to networks. In addition to education, organizations should also have an incident response plan in place, as well as a comprehensive data backup and recovery plan, to fully guard against this and other cyber threats.

Old Phone Scam Takes New Twist In Essex County: Sheriff
Comment: Essex County officials are warning residents of a phone scam in which the perpetrators claim they are from the Sheriff’s Office and accuse victims of failing to appear for jury duty, threatening them with an arrest warrant if they do not pay a fine. If victims agree to pay, they are instructed to purchase a prepaid debit card with an amount specified by the perpetrators and then provide them with the card information. Please remember that no government or law enforcement agency will ever demand payment over the phone in the form of a prepaid debit card or gift card, and official communications of a serious nature will always arrive via the US Postal Service. Victims of this or other phone scams are encouraged to report them to their local police department, the NJCCIC, and the FBI Internet Crime Complaint Center.

Watch Out for Phishing Emails Linking to Fake Meltdown and Spectre Patches
Comment: Social engineers know that using well-publicized events and topical news items can lure even the most educated and tech-savvy individuals to dangerous, malware-laden websites. This is why it is very important to run reputable and up-to-date antivirus software at all times and scan every executable you download for malware, even if it initially appears to be a legitimate file. For a vetted list of vendors providing patches for Meltdown and Spectre, please see the NJCCIC Meltdown and Spectre Product Vulnerability and Update List.

Weekly SEA

Fake Meltdown/Spectre Patch Installs Malware 
Comment: Social engineers are using recent news regarding Meltdown and Spectre to trick unsuspecting victims into downloading malware. A recent email campaign was observed attempting to lure victims to a malicious website masquerading as a resource for Meltdown and Spectre information and patches. The website hosts a ZIP file claiming to contain a security patch but, in reality, it contains Smoke Loader, a trojan that creates backdoors in systems. To protect yourself from falling victim to this and similar scams, never click on links included in the body of unsolicited emails. For the latest information on Meltdown and Spectre, visit the NJCCIC’s product vulnerability and update list.

Real Life Examples of Phishing at Its “Phinest”
Comment: Phishing continues to be so prevalent because of its effectiveness, and sophisticated social engineering campaigns put all of us at risk of account and credential compromise. The best way to protect against this threat is to enable multi-factor authentication on every account that offers it and refrain from using the same password across multiple accounts. 

Ridgewood Residents Are Victims of Credit Card Fraud, PSE&G Scam 
Comment: One Ridgewood, New Jersey resident lost approximately $1,500 to a caller who claimed to be a PSE&G employee and threatened to cut her power service unless she submitted payment via MoneyPak prepaid debit cards. Unfortunately, the only way to prevent victimization is through education and awareness. Please inform friends and neighbors – especially senior citizens – about these types of scams and remind them that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers. Recipients of these scam calls are urged to hang up immediately and report them to their local police department.

Weekly SEA

Bamboozled: Netflix and Fraud? How Scammers Are Targeting Users 
Comment: Social engineers use popular online services such as Netflix to indiscriminately target a large number of users in phishing campaigns with the assumption that many of them have associated accounts. Well-crafted spam emails and landing pages that are nearly identical to the legitimate websites can easily trick users into entering their credentials and other sensitive information into phishing sites. Targets of these types of phishing campaigns are highly encouraged to visit associated sites by typing the legitimate URL into their web browsers rather than clicking on links included in the body of these emails. 

Electric Company Phone Scam Reported in Ocean City: Police
Comment: Social engineers are attempting to take advantage of the recent bout of extremely cold weather by calling Ocean City residents and identifying themselves as Atlantic City Electric representatives. During the call, they try to scare victims into believing that they have an unpaid or overdue bill and threaten to cut their power if they do not immediately submit payment using a prepaid Green Dot MoneyPak card. Anyone who receives a phone call associated with this or any other scam is urged to immediately hang up and file a report with their local police department. Never divulge any personal or financial information during unsolicited calls and remember that no legitimate company or agency will ever require payment in the form of gift cards, prepaid debit cards, or money transfers.

Somerset County Residents Targeted in Phone Scam
Comment: Somerset County authorities are warning residents of a phone scam in which the perpetrator fraudulently identifies himself as either Lt. Dan O'Brien or Sgt. Dan O'Brien and attempts to convince victims that there is an active warrant out for their arrest. The caller then asks the victims to meet with him and purchase vouchers at a CVS store to pay off the warrant. The calls reportedly originate from phone number (908) 505-8872. Anyone who receives this type of phone call is urged to report it to their local police department.

Weekly SEA

Please Do Not Feed the Phish
Comment: Because advanced persistent threat (APT) groups know that humans are the weakest link in cybersecurity, they often choose phishing as the initial attack vector. Just one well-crafted email could be all it takes to trick a target into clicking on a malicious link or opening a malware-laden attachment, thus allowing an APT to bypass filters and security appliances and access the victim’s network undetected. As no organizations or individuals are immune to this type of threat, providing social engineering awareness training and limiting user account privileges are essential components of a comprehensive security strategy.

Bamboozled: Top Scams to Watch for in 2018
Comment: If the scamming activity that occurred throughout 2017 was any indication, we will likely see as much, if not more, in 2018, especially as we approach tax season. As we begin this new year, stay ahead of the scammers by remembering to never share sensitive personal information over the phone or through unsecured email. Also, keep in mind that no legitimate company, organization, or government agency will ever initiate a phone call to demand immediate payment and they will certainly not require payment in the form of gift cards.