Banking and finance sites have the greatest risk of getting hacked, a new report says. The worst vulnerabilities were found in banking and finance web applications tested by Positive Technologies, a firm that provides Internet security products for businesses. “Greater complexity results in more opportunities” for hackers, according to the Positive Technologies report, which said banking applications are some of the most complex. The hackers’ primary target is the average user. “The number-one threat is attacks that target web application users,” the report said. A whopping 87 percent of banking web applications tested by Positive Technologies were susceptible to these attacks. Government app users are also big targets because they tend to be less security-savvy, making them easy victims, the report said. “We gained access to personal data of 20 percent of the applications that process user information, including bank and government websites,” the report added. The most common vulnerability was Cross-Site Scripting, which attackers can use to mount phishing attacks, and those in turn can lead to malware infection. In a phishing attack, the hacker sends, for instance, an email pretending to be from a trusted entity like a bank or major shopping site, hoping to dupe you into clicking on a malicious link. Denial of service (DoS) attacks – which block access to a web site or service – are common. In 75 percent of e-commerce web applications, there are vulnerabilities enabling DoS attacks, Positive Technologies said. “Denial of service is especially threatening…High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users,” the report said. In a separate report released earlier this month, Positive Technologies said employees are often the gateway for attacks.
An alarmingly high percentage of employees download malicious files, click phishing links, and even correspond with hackers, the report said. Positive Technologies testers posed as hackers by sending employees emails with links to websites or forms that required password entry, the report said. Of the 3,332 messages sent, 17 percent would have led to a compromise of the employee’s computer and, possibly, the entire company. The most effective method was to send an email with a phishing link; in that case, 27 percent of recipients clicked on the link. “Users often glance over or ignore the address, leaving them unaware that they are visiting a fake website,” the report said.
The Internal Revenue Service (IRS) has awarded Equifax a $7.25 million fraud-prevention contract following the company’s massive security breach, which affected over 140 million consumers. According to Politico, “The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week.” “The credit agency will ‘verify taxpayer identity’ and ‘assist in ongoing identity verification and validations’ at the IRS, according to the award,” Politico reported. “The notice describes the contract as a ‘sole source order,’ meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.” In September, it was reported that Equifax had been the victim of a large cyberattack, which potentially left over 140 million consumers’ personal information exposed. Following the attack, Equifax blamed a single employee who failed to apply a patch. However, according to Tech Crunch, “a patch for that vulnerability had been available for months before the breach occurred.” The company faced further controversy when it was discovered that the Terms of Service on Equifax’s security assistance website included a clause barring consumers from suing the company; Equifax removed the clause after consumer backlash. It was also revealed that the company had been directing consumers to the wrong security website, a fake, which could easily have been used as a phishing site to collect even more information.
Wow.. Be afraid..
An illegal alien living in the sanctuary city of Philadelphia, Pennsylvania, was sentenced for stealing Americans’ identities to collect more than $800,000 in tax refunds. Abdou Koudos Adissa, an illegal alien from the Republic of Benin, was sentenced to four years in federal prison for his part in a tax fraud scheme, the Department of Justice (DOJ) announced. According to court records, Adissa was convicted in March of conspiring to commit access device fraud for his involvement in the tax scheme, which ran from February to June 2014. During that time, Adissa was part of a group that stole Americans’ identities to file tax returns with the Internal Revenue Service. Adissa’s co-conspirators filed the fraudulent tax returns, stealing more than $800,000 in refunds, which were then deposited onto Green Dot pre-paid debit accounts. That money was eventually sent to Nigeria through Western Union. When federal officials raided Adissa’s apartment in Philadelphia, they found 106 of the Green Dot cards. The illegal alien had registered all the debit cards using stolen American IDs before giving co-conspirators the cards’ direct deposit information so they could route the fraudulent tax refunds to the cards. Adissa called Western Union some 63 times to transfer the stolen $800,000 to Nigeria. Following Adissa’s release from federal prison, he will be handed over to the Immigration and Customs Enforcement (ICE) agency for deportation.
Identity theft is a HUGE problem in our country. And, we find that Nigeria seems to be associated with a lot of these stories. Just glad this illegal alien piece of garbage was caught. He’ll do some time in prison, as well he should, before being deported.
Another day, another phishing scam. LinkedIn, which hasn’t always had the best security to begin with, may be the delivery method for a curious email message that’s been going around. Like most phishing attempts, it claims to represent a popular social media site and asks for login information. Unlike other scams, though, the link it provides doesn’t actually go anywhere (it may have been removed by LinkedIn). It’s not clear whether the scam’s goal is to steal your login credentials, infect your system with malware or lure you into paying for useless tech support, making the threat pretty mild — for now. A staffer at Tom’s Guide received an email message entitled “Important User Alert” from “linkedIn.email@example.com”. Even casual users will notice right away that this is not a legitimate LinkedIn email address. Rather, FSR is a Moscow, Idaho-based Internet provider, not really notable for anything other than the fact that it’s decidedly not LinkedIn. The “LinkedIn” username is pure fabrication. “Dear Valid LinkedIn User,” the e-mail begins, and this should be your second tip-off that the message is a scam. The real LinkedIn knows your real name and can address messages to you personally. The email continues with errant capitalization on “Important Message” and questionable grammar: “Our system indicates your account signed-on from different IP recently, do not panic, this happens mostly when your ISP provider changes the IP without your knowledge, but we advise you kindly follow up by Updating to the system to enable auto unflag,” and so on, and so forth, in an incredibly grating run-on sentence. One need not be very internet-savvy to presume that LinkedIn employs better copywriters than this. The email warns that users could lose their LinkedIn privileges unless they click on a suspicious link, but that’s where two unusual things happen. First off, the URL appears to lead to an actual LinkedIn address, complete with the site’s HTTPS.
Second, there’s nothing there. The site is completely blank and thus, for the moment, apparently harmless. Generally speaking, links like this lead to shady copies of legitimate websites that ask for, then catalog, usernames and passwords. There are a few possibilities for why there’s nothing at the URL. The site could simply be unfinished, but it’s possible that the scammers sent out an incorrect link (they would hardly be the first cybercriminals dumb enough to do so). The fact that the page appears to be hosted on the real LinkedIn website is also interesting, but not necessarily shocking; users can create their own blog posts and pages, so it would not take a very daring criminal to make a malicious LinkedIn page. It’s eminently possible that LinkedIn, now owned by Microsoft, already discovered the page and shut it down. The lesson here is the same as always: Don’t click on links in strange emails, and make sure to verify sender addresses in incoming messages to ensure you don’t wind up giving away your login information to scammers. The page doesn’t work this time, but there are much smarter tricksters out there.
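The tip-offs the Tom’s Guide piece walks through (a sender domain that is not the brand’s, a generic “Dear Valid … User” greeting, threatening language about losing account privileges, and a link whose destination should be checked against the brand it claims to be) can be turned into a mail-triage check. The code below is an added example, not code from Tom’s Guide or LinkedIn; the `BRAND_DOMAINS` table, the regex keyword lists, the two-label “registrable domain” shortcut and the three sample messages are all assumptions or constructed data modeled on the message described in the article. It does no SPF/DKIM verification, so a forged From header that uses the real domain passes the sender check, which is why the link checks are kept separate.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: which registrable domains a brand legitimately
# sends from and links to. A real deployment would maintain this list centrally.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}

# Heuristics taken from the indicators the article describes (constructed lists).
GENERIC_GREETING = re.compile(
    r"\bDear\s+(Valid|Valued|Customer|User|Member|Account Holder)\b", re.I)
URGENCY = re.compile(
    r"\b(lose|suspend|suspended|unflag|immediately|within 24 hours|verify now)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brand(display_name, local_part, subject):
    """Which known brand, if any, the message presents itself as coming from."""
    text = f"{display_name} {local_part} {subject}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def body_text(msg):
    """Concatenate every text/* part so both plain and HTML bodies are inspected."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return the ordered, de-duplicated list of indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.rpartition("@")
    body = body_text(msg)
    brand = claimed_brand(display, local, msg.get("Subject", ""))
    found = []

    def add(name):
        if name not in found:
            found.append(name)

    # 1. The From address claims a brand but is not on that brand's domain.
    if brand and registrable(sender_domain) not in BRAND_DOMAINS[brand]:
        add("sender_domain_mismatch")
    # 2. Impersonal greeting; the real service knows the recipient's name.
    if GENERIC_GREETING.search(body):
        add("generic_greeting")
    # 3. Threats of losing access or demands to act right away.
    if URGENCY.search(body):
        add("urgency_language")
    # 4. Links: destination not on the brand's domain, or visible URL text that
    #    points somewhere other than the real href.
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        if brand and registrable(host) not in BRAND_DOMAINS[brand]:
            add("link_domain_mismatch")
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            add("link_text_mismatch")
    return found


def verdict(indicators):
    if len(indicators) >= 2:
        return "likely phishing"
    return "review" if indicators else "no indicators"


# Constructed sample 1: modeled on the message in the article. Note the link
# really does point at the brand's domain, so only the other checks fire.
SAMPLE_LINKEDIN_STYLE = """\
From: LinkedIn <linkedIn.email@example.com>
To: staffer@example.org
Subject: Important User Alert
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valid LinkedIn User,</p>
<p>Our system indicates your account signed-on from different IP recently, do not
panic, but we advise you kindly follow up by Updating to the system to enable auto unflag.
You will lose your LinkedIn privileges unless you
<a href="https://www.linkedin.com/pulse/user-alert-page">Update now</a>.</p>
</body></html>
"""

# Constructed sample 2: forged From on the real domain, but a look-alike link.
SAMPLE_LOOKALIKE_LINK = """\
From: LinkedIn <no-reply@linkedin.com>
To: staffer@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Dear Valued Member,</p>
<p>Your account will be suspended within 24 hours unless you verify it:
<a href="https://linkedin-secure-login.example.net/verify">https://www.linkedin.com/login</a></p>
"""

# Constructed sample 3: a benign notification with none of the indicators.
SAMPLE_LEGITIMATE = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: jane@example.org
Subject: Bob wants to connect
Content-Type: text/html; charset=utf-8

<p>Hi Jane,</p>
<p>Bob Smith wants to connect with you on LinkedIn.
<a href="https://www.linkedin.com/mynetwork/">View invitation</a></p>
"""

if __name__ == "__main__":
    for name, sample in [("article-style", SAMPLE_LINKEDIN_STYLE),
                         ("look-alike link", SAMPLE_LOOKALIKE_LINK),
                         ("legitimate", SAMPLE_LEGITIMATE)]:
        hits = phishing_indicators(sample)
        print(f"{name}: {verdict(hits)} {hits}")
```

The first sample reproduces the article’s situation: three indicators fire even though the link itself is on linkedin.com, which is exactly why sender and body checks are kept independent of the URL check. The second sample shows the reverse case, where a spoofed From header passes but the link domain and the mismatched visible URL give it away.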