Equifax Crisis Worsens

The Equifax security breach just keeps getting worse. At the end of the day this sad situation proves a point I have been pressing for years now. You can not trust others with your digital security. You must take security very seriously. The first thing everyone should do is – take passwords seriously, very seriously.

Think about this, would you leave your wallet or your purse on a table – all alone – in a public place? Of course you would not. Your passwords are even more important then this.

Image result for password managers

My reccomendation is to find a password manager, like LastPass and take some time setting up unique, encrypted passwords for each of your accounts. This is not as difficult or as expensive as it sounds. You can learn more about LastPass here.

OK – lets get back to the lastest disaster that is Equifax.

One month after news came out about a massive breach at Equifax, the credit bureau is still struggling with the fallout. The latest blow arrived yesterday when an independent security researcher reported discovering that links on the Equifax Web site were attempting to redirect him to a malicious URL.

In a blog post last week, analyst Randy Abrams said that he visited the Equifax site to check and see whether false information from another credit bureau had made its way into his credit report on Equifax. When he tried to access his personal information, he said he was redirected to a site with a fake Flash Player update screen. In a tweet yesterday, Abrams said it appeared that the issue might indicate Equifax’ Web site had been breached again.

Image result for equifax breach

Equifax revealed in early September that its systems had been compromised sometime between May and July, causing sensitive personal data for around 143 million Americans, as well as a number of Canadian and British citizens, to be exposed. Early this month, the company increased its estimate of the number of U.S. victims by 2.5 million. The U.K.’s National Cyber Security Centre reported earlier this week that nearly 700,000 Britons might have been affected by the breach.

Abrams noted on his blog that he “just sort of tripped over” the latest problem at Equifax’ Web site while trying to view his credit information. The appearance of a Flash update site was an immediate red flag, according to Abrams.

“Seriously folks, Equifax has enough on their plate trying to update Apache,” he said. “They are not going to help you update Flash. I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines ‘deplaning’ a passenger . . . It hurts.”

The fake Flash download links appeared during at least four separate visits Abrams made to the Equifax site, according to a report today in Ars Technica. An analysis by the German IT firm Payload Security gave the malicious file that attempted to load a threat score of 96 out of a possible 100.

Meanwhile, U.S.-based security writer Brian Krebs has pointed out that the Equifax breach could expose not only people’s names, Social Security numbers, and birth dates, but also details about their salary and employment histories. Krebs also criticized the Web site that Equifax created to keep people informed about the issue.

Share This:

Beware Fake AdPlus Block Extension

I get it: you don’t like websites (and neither do I) that push countless ads you, so you’ve just decided that enough is enough and the use of an ad blocker is in order. But make sure you don’t fall for the fake AdPlus Block extension that Google allowed into the official Chrome store.

Some 37,000 people already installed the fake app. If you’ve just added AdBlock Plus to your Chrome browsing experience, better make sure you’ve got the legit one.

It’s unclear how the fake app made it through Google’s verification process, which should be the first layer of protection against malicious web apps. Once approved to the Chrome Web Store, the fake app was available for download right alongside the right one. I wouldn’t blame you if you got confused. After all, if the apps are in the store, then they must be legit, right?

First spotted by SwiftOnSecurity, the fake app is now removed from the store.

Google allows 37,000 Chrome users to be tricked with a fake extension by fraudulent developer who clones popular name and spams keywords.

It’s also unclear what the fraudulent app did on the machines it infected. Yes, infected is the right word, as this is a malicious app created by a “fraudulent developer who clones popular name and spams keywords.” But one user who installed it revealed in a review that the fake AdPlus Block app pushed invasive ads and opened up additional tabs.

Safe to say that you should pay extra attention to your computer if you’re one of the 37,000 users affected by the issue.

Share This:

Yahoo’s Security Breach Grows Worse

In December 2016, Yahoo revealed it had been hacked back in 2013. It was reported at the time that this security breach by an “unauthorized third party” saw the user data associated with 1 billion accounts stolen. However, it turns out that this epic hack was even worse than Yahoo thought.

This hack didn’t just affect 1 billion random Yahoo users. Instead, it hit every single Yahoo account that existed in August 2013. And there were 3 billion of them at the time. Let that sink in for just a minute: 3. billion. accounts. Making it the largest data breach in history. That we know of…

The Most Epic Security Breach Ever Recorded

Since Yahoo first disclosed the hack Verizon has acquired the company. During that acquisition new intelligence was uncovered that clued Yahoo into the fact it had underestimated just how epic this hack was. Rather than “just” 1 billion users being affected, all 3 billion users were caught up in it.

Image result for yahoo hack

Yahoo has subsequently sent out a notice revealing the truth. The company states it now believes that “all Yahoo user accounts were affected by the August 2013 theft”. And Yahoo, now called Oath, has drawn this conclusion “following an investigation with the assistance of outside forensic experts”.

Thankfully, although the size of the security breach has been scaled up significantly, the information stolen has remained the same. Which means that “names, email addresses, telephone numbers, dates of birth, hashed passwords […] and, in some cases, encrypted or unencrypted security questions and answers” were stolen.

However, Oath (formerly Yahoo) is ultra keen to stress that no “passwords in clear text, payment card data, or bank account information” was stolen from its servers. This should be of some comfort to anyone who had a Yahoo account in 2013. Which is probably most people reading this right now.

Please Follow Yahoo’s Common Sense Advice

Oath has created a full page of FAQs related to this data breach. And this provides the common sense advice the company suggests you follow in order to safeguard your information. Which basically amounts to changing your passwords and security questions and answers for any and all Yahoo accounts, and, crucially, all other accounts that share the same or similar information.

Share This:

Watch Out for SuperB

A new ransomware threat has been discovered making the rounds and once again the idea here is to separate victims from their cash.

Image result for superb ransomware

Introducing SuperB

SuperB is a computer virus that encrypts files and appends .enc extension to all encrypted files. Attacker warned victims that paying the ransom is the only key to restore their data.

SuperB is a file-encrypting virus. This malware forbid users to open their files like images, videos, databases, and other personal and sensitive data. It adds .enc extension to all encrypted files. Then SuperB virus shows a ransom note stating that your important files are encrypted.

The Malware creator claims that the only way to get back access to your data is through decryptor software or the private key. But, to be able to get the correct key, you have to first pay the ransom. The amount being demanded is $300 that must paid in Bitcoin currency. The attacker then instructs the victims to download TOR browser and visit SuperB’s web site for more information.

It is highly advised not to contact cyber criminals and not even think about paying the ransom. The creator of SuperB virus will not really decrypt your files even after payment is made. Dealing with them is surely a waste of time and your money.

SuperB virus is merely created to extort money from its victims. Giving their demand is like letting them or tolerating these people to profit from this scheme. So you better not to deal with them. The only thing you can do to bring back your files now is through your backups.

SuperB and most ransom virus use a number of tricky methods to spread it widely. This virus commonly hit its target machine by serving as a malicious email attachment. Some ransom virus may comes bundle with malicious downloadable programs. And some can sneak into the computer by finding the system vulnerability.

What To Do If SuperB Invades Your PC

The ransomware infection has been mainly designed with the purpose to scare users and trick their money. It take your files on hostage and demand ransom to return your important data. But now the question is what you can do when your system got infected by SuperB ransomware virus? Here are some option that you can use to get rid of this nasty infection.

Don’t Panic – Well the first thing is Don’t panic and then completely check out your system for any working files. If you got any working files then copy it to USB drive.

Pay Ransom – Other option is you can pay the ransom and wait to get your files back. (this is really a very bad option)

Use Backup – Clean you entire system files, remove the infection completely from your PC and restore your files with any backup.

Remove Infection – You can also delete SuperB ransomware virus using malware removal tool and remove all the infected files. You can later recover all your data by using any data recovery tool. (In case you don’t have backup of your files.) – Recommended Method.

Reinstall Windows – The last option is reinstall your Windows OS. It will completely remove all your data as well as infection. You will get a completely new infection free PC.

Share This:

Viewing Your Credit Report for Free

With the recent Exuifax security breach now is a great time to start monitoring your credit. What is often considered to be an expensive and confusing task is actually quiet easy. In addition to many credit card company’s offering free credit monitoring services there are also straight up credit monitoring services like Credit Karma that do a great job that are free and can help you even improve your credit score.

Image result for credit security

With all of these regular security breaches your best bet is to keep an eye on your own credit reports and scores and make sure nothing is going on there that you don’t already know about. In this article, I’m going to show you how to get your credit report for free, which you can do once a year. Secondly, I’m going to show you how to get your free credit score, which you can get pretty much on a daily basis.

While there are many ways to get a free credit report my favorite option today is Credit Karma.

Credit Karma uses the VantageScore which seems to be becoming more popular than FICO.

Credit Karma gives you the score from both TransUnion and Equifax. If you click on View score details, you get all kinds of details on the credit factors that are helping and hurting you. These include credit card usage, payment history, derogatory remarks, credit age, total accounts and hard inquiries. You also get two full credit reports, so it’s a really nice service that is completely free.

Credit Karma also has a great mobile app for both iOS & Android so you can have access to your credit history, two of your credit reports, access to credit alerts and more from wherever you are – on whatever device you are using.

I have been exclusively using Credit Karma to monitor my credit reports, help me improve my credit score and even apply for and receive very reasonable loans.

You can learn more about Credit Karma here.

Note: I am not affiliated with Credit Karma in any way. I am just a big fan of their service and with security breaches all around us I wanted to share this with all of you, my dedicated readers.

Share This:

Equifax Breach Update

If you were one of the estimated 143 million Americans whose sensitive personal data was exposed in the recently revealed hack of the credit bureau Equifax, one of the first things you should do is put a freeze on your credit files.

Image result for Equifax breach

In an analysis earlier this week of the Equifax breach, IT security writer Brian Krebs recommended that people who believe their data is at risk should file a security freeze with the major credit bureaus. In the U.S., those reporting agencies include Experian, Equifax, Innovis, and TransUnion.

A freeze on an individual’s credit files ensures that identity thieves will not be able to use that person’s personal information to obtain loans or lines of credit. Anyone with a credit freeze can still seek loans or lines of credit by personally agreeing to unfreeze the information for those purposes.

Last week Equifax revealed that a security breach that occurred between the middle of May and July could have exposed the names, Social Security numbers, birth dates, and other information of as many as 143 million U.S. consumers.

Filing a Credit Freeze

People can usually file a credit freeze online, although some reporting agencies might require a request by phone or in writing. Filing can also sometimes require paying a fee, although that payment can be waived in most states with proof of a legitimate identity theft threat.

With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you by viewing your credit report.

In addition to seeking a credit freeze, potential victims of the Equifax hack should regularly request a copy of their credit reports and sign up for free credit monitoring with a verified provider. In order to avoid difficulties that could be caused by a freeze people should first obtain credit reports and sign up for monitoring before requesting to freeze their files.

Questionable Response by Equifax

Equifax is under serious fire not only for the breach, but for its responses since then. Security experts and officials alike slammed the company for a poorly designed response Web site, and for initially requiring potential victims to give up their rights to sue before they could obtain free credit monitoring. Equifax has since dropped its credit-freeze fees and requirement for binding arbitration in consumer disputes.

Members of the U.S. Senate Finance Committee yesterday sent a letter to Equifax chairman and CEO Richard F. “Rick” Smith asking for a detailed timeline of the breach and more information about what the company is doing to “identify and limit potential consumer harm.”

Earlier this week Equifax posted a progress update for consumers on its security site to summarize its latest actions in response to the breach. Among the steps Equinox said it has taken are changes to ensure random PIN generation for users requesting security freezes, ramped-up call center support to reduce call wait time, improved security links from its Web site, and reversal of a policy that would have automatically charged customers seeking free credit monitoring for renewal of its TrustedID Premier service after one year.

As of today, at least 23 class-action lawsuits have already been filed against Equifax in federal courts across the U.S.

Share This:

Was Your Data Stolen in the Equifax Breach?

Yesterday we first reported about the massive Equifax security breach. Today more details have emerged as well as additional details regarding how you can see if your data is at risk. Sadly I checked mine this morning – and indeed my data was possibly “exposed”. Also, surprisingly I was advised to wait until September 13 for more details.

Image result for equifax

This data breach could affect up to 80 percent of all U.S. credit card users, and – as I reported above – the credit reporting giant Equifax is doing a terrible job of reassuring customers. As of this writing, getting through to the company on the phone is nearly impossible and online access is not much better.

What Data Was Stolen in the Breach?

Equifax revealed what is potentially one of the biggest data breaches in U.S. history, and the company could be facing a $1 billion lawsuit as a result. Though the hack was discovered on July 29, it was only just revealed by the company. This delay is reporting the hack to the public is almost always the case – which is why password management is so critically important. I have written about this many times.

Hackers were able to access sensitive data including names, social security numbers, addresses, dates of birth, phone numbers, and driver’s license details for 143 million consumers between May through July 2017. Approximately 209,000 users also had their credit card details stolen, and about 182,000 users had details from their Equifax dispute documents stolen.

The breach mostly affects U.S. residents, along with some U.K. and Canada citizens.

How to Find Out If Your Data Was Stolen

There’s been plenty of confusion on how to find out if you were affected.

Equifax has set up an online tool that lets customers check if they were part of the data breach, but it requires entering more personal information (last six numbers of your social security number) and the results are vague & inconclusive (as I experienced). You may be understandably skeptical about handing over more information to a company who’d find itself on the receiving end of such a large breach.

If you prefer to call the company, you can reach them at 866-447-7559. Good luck getting through1

For immediate results, go to the web tool provided by Equifax and click “Begin Enrollment.” Do NOT click Continue Enrollment! (According to the terms of service, enrolling in TrustedID will waive your rights to legal representation, including participation in any class-action lawsuits.)

You’ll see a screen where you can enter the last six digits of your social security number and your last name.

If your data was stolen, you will see the message below. Again, do NOT click the Enroll button!

Up until last night, customers may have seen one of three messages. The one listed above, another saying they were not affected, and a third providing a date on which they could enroll in the company’s TrustedID Premier service.

What Should You Do?

Consumer Reports offers some suggestions for those who find that their information may have been compromised.

Credit Monitoring: You can sign up for Equifax’s free TrustedID Premier service which is a credit monitoring service that is currently free. As mentioned above, enrolling does preclude you from participating in a class-action lawsuit against the company.

Credit Security Freeze: One of the most common suggestions from security experts in the wake of the breach is to place a credit security freeze. This will not affect your credit score and will not impact prescreened credit offers.

In order to place a freeze, you must request a security freeze with all three credit bureaus:

There is a BIG problem with this move however!

First, this is not free. The fee varies from state to state, but it shouldn’t cost you more than $10 per credit bureau.

Secondly, the freeze will prevent new lines of credit being opened in your name, which of course means that if you were planning on purchasing or renting a home, financing a car, applying for a job, or getting a new credit card, you will have to lift the freeze first.

Finally, Lifting the freeze may also cost up to $10 per credit bureau.

Stay Vigilant: Keep a vigilant eye on your bank accounts for any suspicious activity. Consumer Reports recommends setting up alerts on your bank accounts for unusual activity: suggested parameters include your balance and the size of transactions. While Consumer Reports does not suggest it, you should also be vigilant when it comes to your online accounts. Set up two-factor authentication, create secure passwords, and don’t click on links in emails claiming to be from Equifax.

Equifax has said that it will mail out notices to consumers who credit card numbers or dispute documents with personal identifying information were impacted.

Share This:

Equifax Hacked – 148 Millions Accounts Exposed

Another security hack has just been announced – and it is a big one.

Hackers have stolen the personal details of 143 million people, including their names, social security numbers, birth dates, and home addresses, according to credit monitoring firm Equifax, which disclosed the breach on Thursday. For perspective, that’s nearly half of all Americans.

Image result for equifax hacked

Ironically, Equifax is a company that is regularly hired by major companies to protect the credit of consumers after major data breaches. “You’ll feel safer with Equifax. We’re the leading provider of data breach services, serving more than 500 organizations with security breach events everyday,” its website advertises.

The company revealed that hackers broke into its servers in mid May and went undetected until July. The cybercriminals also stole some driver’s license numbers, and around 209,000 credit card numbers, according to the company’s release, which was posted on a custom website called “equifaxsecurity2017.com”.

Equifax is one of the three major American firms that offers credit monitoring services, along with TransUnion and Experian, which also lost 15 million Social Security Numbers of T-Mobile customers in the fall of 2015.

Equifax is offering free identity theft protection and insurance, credit monitoring protection, and a service that scans the internet for the stolen SSNs to all US consumers, the company said. The company also launched a site that allows consumers to check if they’ve been impacted by the breach, which asks for a person’s last name and the last six digits of their SSN.

If you have used Equifax be sure to change your account password immediately. Also this is yet another reminder why password managers are becoming more and more important. You can learn more about passwords by checking out some of our recent articles here.

Share This:

Avoiding Phishing Through Knowledge

Phishing is no doubt a security term you have heard many times. You probably also know that “phishing” is something you want to avoid. But what exactly is “phishing”? Lets take a deep dive into what exactly this is – and why you don’t want to be tricked by one of these attacks.

Image result for phishing

Pronounced like fishingphishing is a term used to describe a malicious individual or group of individuals who scam users. They do so by sending e-mails or creating web pages that are designed to collect an individual’s online bank, credit card, or other login information. Because these e-mails and web pages look like legitimate companies users trust them and enter their personal information.

Example of phishing e-mail

How to identify a phishing e-mail.

  1. Company – These e-mails are sent out to thousands of different e-mail addresses and often the person sending these e-mails has no idea who you are. If you have no affiliation with the company the e-mail address is supposedly coming from, it is fake. For example, if the e-mail is coming from Wells Fargo bank but you bank at a different bank.
  2. Spelling and grammar – Improper spelling and grammar are almost always a dead giveaway. Look for obvious errors.
  3. No mention of account information – If the company were sending you information regarding errors to your account, they would mention your account or username in the e-mail. In the above example, the e-mail just says “eBay customer”, if this was eBay they would mention your username.
  4. Deadlines – E-mail requests an immediate response or a specific deadline. For example, in the above example, the requirement to log in and change your account information within 24 hours.
  5. Links – Although many phishing e-mails are getting better at hiding the true URL you are visiting, often these e-mails will list a URL that is not related to the company’s URL. For example, in our above eBay example, “http://fakeaddress.com/ebay” is not an eBay URL, just a URL with an “ebay” directory. If you are unfamiliar with how a URL is structured, see the URL definition for additional information.
What to do if you are not sure if an e-mail is official.
  • Never follow any links in an e-mail. Instead of following the link in the e-mail, visit the page by manually typing the address of the company. For example, in the above example, instead of visiting the fake eBay URL, you would type: http://www.ebay.com in your web browser and log in to the official website.
  • Never send any personal information through e-mail. If a company is requesting personal information about your account or are saying your account is invalid, visit the web page and log into the account as you normally would.
  • Finally, if you are still concerned about your account or are concerned about your personal information, contact the company directly, either through their e-mail address or over the phone.
Issues phishing e-mails commonly address

Below are some of the issues a phishing e-mail may inquire about to trick users.

  • Account issues, such as account or password expiring, account being hacked, account out-of-date, or account information needing to be changed.
  • Credit card or other personal information, such as credit card expiring or being stolen, incorrect social security number or other personal information, or duplicate credit card or other personal information.
  • Confirming orders, such as a request that you log in to confirm recent orders or transactions.
Common companies affected by phishing

Below is a listing of companies phishers most often try to attack.

  • Any major bank
  • Popular websites such as Amazon, Facebook, MySpace, PayPal, eBay, Microsoft, Apple, Hotmail, YouTube, etc.
  • Government: FBI, CIA, IRS, etc.
  • Internet service providers such as AOL, Comcast, Cox, MSN, etc.
  • Casinos and lottery.
  • Online dating or community websites.
I’ve fallen for a phishing attack, what should I do?

If you’ve read this page too late and have already fallen for a phishing attack log into your account from the companies page and change your password immediately. Also, it is a good idea to scan your computer for malware in case the site has infected your computer. Finally, if the company supports two-factor authentication, it is also a good idea to enable this feature on your account.

If you believe your personal information such as your social security number, credit card number, phone number, address, or full name has been stolen it is also a good idea to watch all of your accounts for suspicious activity.

Share This:

Malware Hidden in Hacked Episodes

A report from cybersecurity company Proofpoint reports that it has observed a “targeted email campaign” that is using details of leaked Game of Thrones episodes to try and spread malware to unsuspecting users.

Image result for game of thrones

The company first came across an e-mail on August 10th with the subject line “Wanna see the Game of Thrones in advance?” The emails contained some general details of upcoming episodes, as well as a Microsoft Word attachment with malware hidden in it. Once downloaded, it would attempt to install a “9002” remote access Trojan (RAT). Proofpoint says that similar attacks in the past have been attributed to groups associated with the Chinese government, and that it’s possible that this attack could be coming from the same actors.

Image: Proofpoint

At the end of July, hackers stole 1.5 terabytes of data from HBO, including contact information for the show’s stars, unaired episodes and scripts, while an unrelated accident allowed a pair of episodes to leak to the internet earlier this month.

Proofpoint isn’t saying that HBO’s breaches and these attacks are connected. The hackers behind these phishing attempts are using the leaks as a way to get people to click on and accidentally install their software, relying on natural human curiosity to carry out their attack.

Share This:

1 2 3 39