Nine Classic Scams To Watch For

by Bank of Ann Arbor May 9, 2013 2:54

This article from NetworkWorld.com highlights 9 classic but clever ways we should all be alert to.  We urge you to remind friends, family members and coworkers to not fall for these scams.

Note: links to third party sites are provided for your convenience only. Bank of Ann Arbor does not control their content.

Alerts | Security Notices

Phishing Attacks On Telecommunication Customers

by Bank of Ann Arbor May 8, 2013 2:58

Phishing Attacks On Telecommunication Customers Resulting In Account Takeovers

The Internet Crime Complaint Center has received numerous reports of phishing attacks targeting various telecommunication companies' customers. Individuals receive automated telephone calls that claim to be from the victim's telecommunication carrier. Victims are directed to a phishing site to receive a credit, discount, or prize ranging from $300 to $500.

The phishing site is a replica of one of the telecommunication carrier's sites and requests the victims' log-in credentials and the last four digits of their Social Security numbers. Once victims enter their information, they are redirected to the telecommunication carrier’s actual website. The subject then makes changes to the customer's account.

The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business.

Alerts | Security Notices

C-Suite Execs Vulnerable to Social Engineering

by Bank of Ann Arbor March 27, 2013 1:01

Your C-Level execs are your biggest social engineering threat. Why? 

1) They Expect You to Have Their Back 

These are the people that approve the security budget and they know how much the organization spends on IT security. So when they open an infected attachment that hoses their machine, they ask: "Why didn't you prevent this?" instead of asking themselves what they themselves did wrong. 

2) They Live On The Bleeding Edge 

C-level execs are the heavy hitters, with the busiest schedules and often a daunting workload. No wonder they are the first to insist on new technology that will save them time or make their lives a bit easier. So these are the people you see with iPads on the company network, and they expect that since this is new technology, it is of course more secure than the 'old stuff'. Unfortunately we know better: new stuff is buggy and barely out of beta, and it can usually be hacked more easily and faster.

3) They Think Security Policy Is Not For Them 

Your C-level people are the best targets for attackers, as they usually have the most access to the corporate crown jewels. Since their jobs really are very demanding, they naturally expect that 'restrictive' security rules do not apply to them. They expect to be able to visit websites that are otherwise blocked by rules in the proxy server, and so on, and on. The problem, of course, is that their security awareness is no higher than that of other employees, yet C-level folks should be the very best security trained!

4) Their Family Has A Target On Their Back Too 

Social engineers are 'business people'. Their time is money too, so they go after the low hanging fruit. In many cases that means using social media to infect the PC of the spouse of your C-level at their home, 'own' that low-security peer-to-peer network, which the Exec uses to log on with their company laptop and bingo! Your C-level exec's family needs some security awareness training too. 

Alerts | Security Notices

Scam of the Week Targets IT Administrators

by Bank of Ann Arbor February 27, 2013 9:38

This week, it's IT administrators that are specifically targeted with a phishing attack. The bad guys know very well that the most powerful weapons are administrator credentials, as those really are the keys to the kingdom. So, what they are using is the instantly famous report that Mandiant wrote about the Chinese military hacking into 141 mostly U.S. businesses. An infected PDF version of the original report, titled "APT1: Exposing One of China's Cyber Espionage Units," is now being used as spear-phishing bait to get IT people to open it, under two fake file names: Mandiant.pdf and Mandiant_APT2_Report.pdf. The infected document leverages a just-patched hole in Adobe Reader and was first spotted in Asia. Keep your eyes peeled for it hitting your own inbox. In the meantime, the actual report is fascinating reading, and you can find it here at the Mandiant website: http://intelreport.mandiant.com/.

Source: Cyberheist News,  www.knowbe4.com

Note: links to third party sites are provided for your convenience.  Bank of Ann Arbor does not control their content.

Alerts | Security Notices

Text Message Phishing Alert

by Bank of Ann Arbor February 9, 2013 1:08

Bank of Ann Arbor is aware of a text message phishing scam that may lead you to believe your Debit/ATM card has been deactivated. Please know that we do not send unsolicited text message alerts. The most recent phishing scam is tricky in that it requests you to call a phone number to activate your card and the phone number noted has a 734 exchange leading you to believe it is local. If you believe you are a victim of this scam, in that you have called the number and entered your card information please call 1-800-528-2273 and request that your card be cancelled.

Security Notices

New Twist to Online Tech Support Scam

by Bank of Ann Arbor January 30, 2013 9:33

The IC3 (Internet Crime Complaint Center) continues to receive complaints reporting telephone calls from individuals claiming to be with Tech Support from a well-known software company. The callers have very strong accents and use common names such as "Adam" or "Bill." Callers report the user's computer is sending error messages, and a virus has been detected. In order to gain access to the user's computer, the caller claims that only their company can resolve the issue.

The caller convinces the user to grant them the authority to run a program to scan their operating system. Users witness the caller going through their files as the caller claims they are showing how the virus has infected their computer.

Users are told the virus could be removed for a fee and are asked for their credit card details. Those who provide the caller remote access to their computers, whether they paid for the virus to be removed or not, report difficulties with their computer afterwards; either their computers would not turn on or certain programs/files were inaccessible.

Some report taking their computers to local technicians for repair and the technicians confirmed software had been installed. However, no other details were provided.

In a new twist to this scam, it was reported that a user's computer screen turned blue, and eventually black, prior to receiving the call from Tech Support offering to fix their computer. At this time, it has not been determined if this is related to the telephone call or if the user had been experiencing prior computer problems.

Security Notices

Most Popular Passwords of 2012 Revealed

by Bank of Ann Arbor January 8, 2013 10:10

SplashData.com recently published the following information regarding the most popular 2012 passwords on the web. The ranking was based on password information from compromised accounts posted by hackers online. The article was also featured on blogs.avg.com.

This year, the list is back! So it's time to see how, if at all, users have learned their lessons about what makes a strong password.

Here's the full list and how it compares to last year's:

Rank  Password    Change from 2011
1.    password    Unchanged
2.    123456      Unchanged
3.    12345678    Unchanged
4.    abc123      Up 1
5.    qwerty      Down 1
6.    monkey      Unchanged
7.    letmein     Up 1
8.    dragon      Up 2
9.    111111      Up 3
10.   baseball    Up 1
11.   iloveyou    Up 2
12.   trustno1    Down 3
13.   1234567     Down 6
14.   sunshine    Up 1
15.   master      Down 1
16.   123123      Up 4
17.   welcome     New
18.   shadow      Up 1
19.   ashley      Down 3
20.   football    Up 5
21.   jesus       New
22.   michael     Up 2
23.   ninja       New
24.   mustang     New
25.   password1   New

As you can see, people haven’t changed their password habits a whole lot in a year.

If your password is included on that list, or is a close variation of these passwords, it's really important to take action now!

Fixing your password problem can be very simple:

Long is strong: The longer the password, the more difficult it will be for someone to try and crack it using brute force. So, instead of a single word, with a jumble of symbols, numbers and characters, try a string of words. Use a line of your favorite poem, song or just something memorable. Feel free to add your lucky number at the end if you like.

Something like: "withnodirectionhome1085".

A famous Dylan lyric like this will always be easy to remember, and say you were born in October 1985. This means that you've suddenly got a 23 character password, which is much harder to crack than something much harder to remember such as "Phu!R7tRjX".

Variety is the spice of life: The trouble with short, complex passwords is that they can be a real hassle to remember, often forcing you to use the same password for multiple accounts, which is never a good idea. So another benefit of having long, easy-to-remember passwords is that you can keep a different one for each account.
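The two pieces of advice above (check whether your password is on the list or a close variation of it, and prefer a long passphrase because it is harder to brute-force) can be turned into a small self-check. The following is an added example, not code from the original post or from SplashData; the list of 25 passwords is taken from the table above, the "close variation" rules (ignoring case, trailing digits or symbols, and common letter-for-digit substitutions) are my own assumption of what a cracker's rule set would cover, and the brute-force estimate simply counts the character classes used, as the post's argument does.

```python
# Added example: flag passwords that match the 2012 top-25 list (or a close
# variation of one) and compare the naive brute-force search space of the
# two sample passwords discussed in the post. Not the original post's code.
import math
import re
import string

# The 25 entries from the SplashData 2012 table in the post.
TOP_25_2012 = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
]

# Assumed set of common letter-for-digit/symbol substitutions ("leet").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Collapse the common 'variations' of a weak password to its base form."""
    p = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", p)       # "Password1!" -> "password"
    if not stripped:                              # all-digit entries such as "123456"
        stripped = re.sub(r"[\W_]+$", "", p)      # "123456!" -> "123456"
    if any(c.isalpha() for c in stripped):
        stripped = stripped.translate(LEET)       # "p@ssw0rd" -> "password"
    return stripped


NORMALIZED_TOP_25 = {normalize(p) for p in TOP_25_2012}


def on_list_or_variant(pw):
    """True if pw is on the list, or normalizes to the same base as a list entry."""
    return pw.lower() in TOP_25_2012 or normalize(pw) in NORMALIZED_TOP_25


def brute_force_bits(pw):
    """Naive search-space estimate in bits: length * log2(alphabet size).

    The alphabet is the union of the character classes actually used, which is
    the assumption behind the post's "long is strong" comparison. It does not
    account for dictionary or phrase attacks, so a passphrase built from a
    well-known lyric is weaker than this number suggests.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)            # 32 ASCII symbols
    printable = string.ascii_letters + string.digits + string.punctuation
    if any(c not in printable for c in pw):
        size += 1                                  # e.g. a space character
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed sample candidates, including the two from the post.
    for candidate in ["password1", "P@ssw0rd", "Monkey!", "1234567!",
                      "withnodirectionhome1085", "Phu!R7tRjX"]:
        flag = "ON LIST / VARIANT" if on_list_or_variant(candidate) else "not on list"
        print(f"{candidate:25s} {flag:18s} ~{brute_force_bits(candidate):6.1f} bits")
```

Run it as a script to see that every variation of a listed password is flagged while the 23-character lyric-based password is not, and that the lyric scores far more brute-force bits than the 10-character random-looking one. The caveat in the docstring matters for defenders: the estimate only models an attacker who tries every combination, so the check against known-weak lists is the more important of the two.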

Source: Internet Crime Complaint Center's 01/07/2013 Scam Alerts. 

Note: third party links are provided for your convenience only. Bank of Ann Arbor does not control their content.

Security Notices

Protect Yourself from New Year's Scams

by Bank of Ann Arbor December 28, 2012 4:50

Kimberly Lankford of Kiplinger's Personal Finance has put together a very informative article, Protecting Yourself from New Year's Scams, warning of common scams that appear around the beginning of the new year.  

(Note: links to third party sites are provided for your convenience. Bank of Ann Arbor does not control their content.)

Alerts | Security Notices

Top 5 Spear-Phishing Attacks Targeting Executives

by Bank of Ann Arbor November 16, 2012 4:01

Here are the most recent spear-phishing attacks that are currently making the rounds nationwide, and which pose a significant threat to your data and financial security. Note that some of these attacks have been in use for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a 2-step attack. With minimal research cybercriminals can find the name and email addresses of a company’s CFO and social engineer them to click a link. That link infects the PC of the CFO with a keylogger. This way the hacker obtains bank account data and passwords. In case the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware giving them access to the phone. And with that, the cybercriminals have full access to the CFO’s bank account login credentials and at the same time control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers do their research on a targeted executive, and find out which websites the executive frequents, sometimes to discuss industry related topics with their peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website, and inject a zero-day exploit onto public pages of the website that they hope will be visited by their targeted executive. Once the exec does, their PC is infected with a keylogger and the network penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine what charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of that charity, asking the exec to download a Word Doc that supposedly contains details on an upcoming campaign or event, and promises free dinner at their favorite restaurant as an incentive for providing feedback. When the Word doc is downloaded the user's password is stolen – and gives hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes, it's worth seeing: http://www.knowbe4.com/video-mitnick/

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company’s executives and also their legal counsel (in-house or external). They will then spoof an email from the legal counsel to the executive team, and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.

Note: links to third party sites are provided for your convenience only. Bank of Ann Arbor does not control or endorse their content.

Alerts | Security Notices

Justice Dept Brings Attention to Disaster Fraud Hotline

by Bank of Ann Arbor November 6, 2012 9:16

The Department of Justice, the FBI and the National Center for Disaster Fraud (NCDF) remind the public there is a potential for disaster fraud in the aftermath of a natural disaster. Suspected fraudulent activity pertaining to relief efforts associated with the recent series of tornadoes in the Midwest and South should be reported to the NCDF hotline at 866-720-5721. The hotline is staffed by a live operator 24 hours a day, seven days a week, for the purpose of reporting suspected scams being perpetrated by criminals in the aftermath of disasters.

NCDF was originally established in 2005 by the Department of Justice to investigate, prosecute and deter fraud associated with federal disaster relief programs following Hurricanes Katrina, Rita and Wilma. Its mission has expanded to include suspected fraud related to any natural or man-made disaster. More than 20 federal agencies – including the Justice Department’s Criminal Division, U.S. Attorneys’ Offices, Department of Homeland Security, Office of Inspector General and the FBI – participate in the NCDF, allowing the center to act as a centralized clearinghouse of information related to disaster relief fraud.

In the wake of natural disasters, many individuals feel moved to contribute to victim assistance programs and organizations across the country. The Department of Justice and the FBI remind the public to apply a critical eye and do due diligence before giving to anyone soliciting donations on behalf of hurricane victims. Solicitations can originate as emails, websites, door-to-door collections, mailings, telephone calls and similar methods.

Before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

  • Do not respond to any unsolicited (spam) incoming emails, including by clicking links contained within those messages, because they may contain computer viruses.
  • Be cautious of individuals representing themselves as victims or officials asking for donations via email or social networking sites.
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
  • Rather than following a purported link to a website, verify the existence and legitimacy of non-profit organizations by using Internet-based resources.
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because those files may contain viruses. Only open attachments from known senders.
  • To ensure that contributions are received and used for intended purposes, make donations directly to known organizations rather than relying on others to make the donation on your behalf.
  • Do not be pressured into making contributions; reputable charities do not use coercive tactics.
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.
  • Legitimate charities do not normally solicit donations via money transfer services.
  • Most legitimate charities maintain websites ending in .org rather than .com.

In addition to raising public awareness, the NCDF is the intake center for all disaster relief fraud. Therefore, if you observe that someone has submitted a fraudulent claim for disaster relief, or observe any other suspected fraudulent activities pertaining to the receipt of government funds as part of disaster relief or clean up, please contact the NCDF.

If you believe that you have been a victim of fraud by a person or organization soliciting relief funds on behalf of hurricane victims, or if you discover fraudulent disaster relief claims submitted by a person or organization, contact the NCDF by phone at (866) 720-5721, fax at (225) 334-4707 or email at http://www.ic3.gov/egress.aspx?u=mailto%3adisaster%40leo.gov&h=4140F8F901080C7FDA8B1827AF951ECF5CBC7A242D8A1F59BF37755CB664DBB0.

You can also report suspicious e-mail solicitations or fraudulent websites to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/.

Links to third party sites are provided for your convenience. Bank of Ann Arbor does not endorse or control content on these sites.

Alerts | Security Notices

© 2010 Bank of Ann Arbor