Here’s What Hackers will Pay for Your Personal Information on the Deep Web

Hackers are common thieves. They will either steal your money or your personal data, and, most of the time, if they get your personal data, they will monetize it in one way or another.

Some hackers will try to trick you into installing malware onto your device so that they can remotely prowl around your files looking for key information or wait until you log into a prime site, like a banking site, and steal your login credentials. Then, they can either steal your money themselves or sell your login details on the deep web.

However, it is much easier for hackers if you fall for a phishing scam. In this case, they can just get you to send them your personal information directly by having you visit some fake but realistic looking website and filling out a form.

Should the average person be worried? Maybe, but most are not. I’ve spoken with many people who don’t much care if their personal information is stolen. “So what? How does that really affect me?” they often remark. They don’t lose sleep over their bank accounts getting wiped out because they figure the bank will reimburse them. In addition, many of these carefree users claim to lead dull, uninteresting lives which no one would have any interest in. “Let them read my emails. Let them look at my Facebook page. I have nothing to hide.”

Strangely, hackers think otherwise. You might not care if your bank account is emptied, but would you be upset if someone stole your tax refund or your social security payments? Would you like to get a bill from Amazon for goods you never purchased? Would you like to be blackmailed? Would you like all of the files on your computer encrypted so that you have to pay money to get them back? Or, on the more personal level, would you like to lose all of your friends or have your reputation ruined? Would you like to lose your job? Sure, you might not worry about some things, but my guess is there are some good reasons why everyone should do their utmost to protect their personal information.

Hackers know precisely how to monetize stolen personal information. Here is a list of the prices hackers will pay for specific personal information on the deep web. The list is modified from a Top10VPN post.

[Image: deep web price list]

The article claims that full information (fullz) on a person would sell for about $1,200, but they arrive at that figure by adding up all of the items on their list, some of which are not shown here. However, no one has all of the services listed.

Let’s look at some of these prices in more detail. It’s rare to see credit card details for sale for over $400. Information on a “first hand Account with American Express Full information Account Simple Login Information User ID Password Billing Information Name Surname Address City Zip Code State Phone Number Birth Day Birth Month Birth Year Place of Birth Social Security Number Mother s Maiden Name Mother s Date of Birth Credit Card Information Credit Card Number Exp Date Name On Card CVV2 ATM Pin CSC Pin E mail Information E mail Address Password” was offered for about $250. The card had a $10,000 limit. The price of credit card information varies in direct proportion to how recently that information was hacked. However, the average price for full credit card information comes in at around $20.

Often, hackers will hack a company or organization’s database to get large amounts of personal information and sell this at a bulk rate. Those who know how to monetize such data can make quite a profit. Why doesn’t the person selling the information just use it for themselves? They may simply not want to take the risk or take the time to monetize it. It takes time and effort to buy gift cards or to buy merchandise and resell it. But don’t feel too sorry for the information sellers. When Hieu Minh Ngo was arrested for identity theft, authorities found that he had made $2 million selling all of the information he stole.

Criminals buy personal information for a number of uses. They can, for example, use it to make fake driver licenses and passports. Fake, but realistic-looking, U.S. driver licenses, from whatever state you choose, sell for around $13 and will come with a matching Social Security Number. British passports with valid numbers sell for around $15.

Obviously, criminals with your PayPal or bank login credentials can simply transfer funds into their own accounts. As soon as the money enters those accounts, they can withdraw it and close the account. Interestingly, those temporary accounts may have been opened with false credentials so that the real owners of them can’t be traced.

Shopping or entertainment login credentials can allow the criminals to buy whatever they want and send you the bill. They will have, of course, changed your delivery address to that of a drop site where they can safely pick up their goods. They often prefer to buy gift cards in your name.

Logins to social media sites are cheap, but, in some ways, they can create the most problems for victims. As soon as a criminal gets these credentials, they will log into the site and then change the password and whatever other information they want. They are now you. As you, they can manipulate your friends. They can ask them for financial help or other information that can allow them to be hacked as well. If they want, they can post pictures on your site that could destroy your reputation. Often, they will use your social media sites to send spam.

Few information sellers on the deep web are ever prosecuted. After all, there’s a reason for calling it, ‘the deep web’. The identity of most sellers is virtually untraceable. Yes, perpetrators have been caught, but it takes law enforcement agencies a lot of effort, which is why they only go after the major sellers. Most of the time, however, it is easier for them to go after the marketplace operators themselves. If the feds do catch the operators, they will take control of the marketplace themselves. Then, pretending that all is normal, they watch the interactions between buyers and sellers until they are ready to make a move. For this reason, there is always a degree of paranoia on deep web markets, but the same paranoia also leads to surprisingly good security measures.

But not all information sellers succumb to paranoia. Some even put up helpful YouTube videos to help buyers use their data. Here is a screen capture from one such video. (I removed identifying data, but you can see the information they have on this and many other potential victims.)

[Image: youtube hack details]

You must accept the fact that you may have already been hacked and your information may be for sale. This is especially true if you have a Yahoo email account or a LinkedIn account. How can you know if your personal information has been hacked? A good place to begin is the ‘have I been pwned’ website. Put in your email address and see if it shows up in any hacks. If your address does show up and you haven’t changed your password for a while, go ahead and do that.

For those who visit the deep web, there is a website on which you can enter your username or email address and find if there is a password connected to it. When I did this for myself, I did find a valid password connected to an account I have, but the password was one that I used many years ago. Yes, I realize this site could be used by hackers to find passwords to email addresses the hackers may possess. It’s another reason you should be careful about giving out your email address and yet another reason why you should change your email password frequently. I considered not giving a link to this deep web site; however, it is important to be able to check what personal information on you may already be in the possession of cyber criminals. So for those so interested, install the Tor browser and go here. (Onion addresses change frequently, but this site was still valid as of this writing.)

[Image: deep web passwords]

The bottom line here is to protect your personal information in the same way you would protect your car keys. You wouldn’t give them to someone you wouldn’t trust. In the end, you are worth more than you think you are.



Many Apple/iOS Users Falling Victim to Dangerous Phishing Scams

I remember when my Apple-fanatic friends would laugh every time I fought off some new malware trying to invade my Windows operating system. Those were the days when Apple devices were relatively malware free and relatively unknown. But how things have changed. Apple’s attempt at making its products status symbols has come with a price, which is that hackers now see them as prime targets. The graphic below, from Symantec, shows the increased interest in hacking iOS-enabled devices. While the number of Android attacks has stayed relatively flat since 2016, attacks on iOS have more than tripled.

[Image: ios hacks]

Hackers are after two things: information and money. If iPhone users have more money to buy their phones, they probably have more money to steal. If status is a key factor in owning an iPhone, then these are people more likely to be in positions of power and more likely to be connected to corporate and governmental networks. Thus, hacking iPhone users is more likely to give hackers access to such networks and the information they may be looking for.

So, it was but a matter of time before a sophisticated phishing scam was specifically developed to target Apple product users. And it’s not only one scam. There are multiple scams now circulating, and they are all quite convincingly engineered to fool their potential victims. In fact, so many Apple-product users have fallen victim to these scams that Apple had to issue a special warning.

Although somewhat different on the surface, all of these scams follow a similar pattern.

The Fake Apple Store Receipt Scam

You’d presumably have to be an Apple Store customer to fall for this scam because it relies on the victim getting a receipt for something they never purchased. Here is a copy of that fake receipt.

[Image: apple fake receipt]

Naturally, the victim would be upset to find that they would have to pay for something they never ordered. If they suspect the receipt is actually from Apple, they will click one of the links provided to remedy the situation such as the link entitled, “Apple Store Cancelation Form”.

Hovering the cursor over the link would reveal that it was not valid, but, for those not paying much attention, the bad link would include the word, Apple, which may fool some into clicking on it.

Assuming you do get fooled into clicking on one of those links, you will be sent to a fake Apple Store login page, such as the one below. (I added the information in red.)

[Image: apple fake login]

Interestingly, no matter what you put in the ID and Password fields, the site will ‘log you in’. This means you will be sent to an information page so that you can enter your personal information. Here is a copy of that fake page.

[Image: apple account info]

If you’ve been fooled thus far, it is here that you will enter the information that could ruin your life. Again, the scammers have made an effort to make this look like a legitimate information page.

The Subscription Confirmation Scam

A couple of the variations on this technique should be noted. One that is fooling many is the ‘YouTube Red’ subscription confirmation scam. In this scam, the victim gets the following email supposedly confirming a subscription the victim has recently made.

[Image: youtube red]

Again, the scammers are hoping you will want to cancel this subscription and will click the provided link. The results will be the same as the receipt scam outlined above.

This scam will work best with App Store customers who’ve already received such emails because it looks legitimate. A legitimate email is shown below. Notice, however, that there are subtle differences, such as the fake email not giving the 4 digits of your credit card.

[Image: youtube tv]

Update Billing Scam

Here is yet another scam that has met with more success than it should. This comes in the form of an email from Apple Customer Support, but others have noted a similar scam coming from iCloud or iTunes. Here is the basic email.

[Image: apple customer support scam]

Although the link appears real on the surface, hovering over it will show you otherwise. You will be sent to a fake sign-in page like all the other scams.
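The hover check described for the fake receipt and the billing email, automated over an HTML email body so a mail filter or analyst can apply it to every link at once. This is an added example, not part of the original post; the trusted-domain list, the brand words and the sample email (which uses reserved .example hosts) are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("apple.com", "icloud.com")  # assumption: domains accepted as genuine
BRAND_WORDS = ("apple", "icloud", "itunes")    # assumption: words the lure leans on
URL_TEXT = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

# Constructed sample body, modelled on the receipt and billing lures described above.
SAMPLE_EMAIL = """
<p>Your receipt from Apple.</p>
<a href="http://apple.com.store-cancel.example/form?id=1">Apple Store Cancelation Form</a>
<a href="https://billing-update.example/apple/signin">https://appleid.apple.com/billing</a>
<a href="https://support.apple.com/">Report a problem</a>
<a href="mailto:help@billing-update.example">Contact us</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def split_host(url):
    """Return (scheme, hostname, path), all empty if the URL cannot be parsed."""
    try:
        parts = urlsplit(url)
        return parts.scheme.lower(), (parts.hostname or "").rstrip(".").lower(), parts.path
    except ValueError:
        return "", "", ""


def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def displayed_host(text):
    """If the visible link text is itself a URL, return the host it claims."""
    if not URL_TEXT.match(text):
        return ""
    return split_host(text if "://" in text else "//" + text)[1]


def audit_links(html):
    """Return one finding per web link whose real destination looks deceptive."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        scheme, host, path = split_host(href)
        if scheme not in ("http", "https") or not host:
            continue  # mailto:, in-page anchors and similar are out of scope here
        reasons = []
        if not is_trusted(host):
            reasons.append("untrusted-host")
            # "Apple" somewhere in the URL is what fools a quick glance.
            if any(word in (host + path).lower() for word in BRAND_WORDS):
                reasons.append("brand-word-in-untrusted-url")
        shown = displayed_host(text)
        if shown and shown != host:
            reasons.append("text-shows-different-host")
        if reasons:
            findings.append({"href": href, "host": host, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["host"], "<-", repr(finding["text"]), finding["reasons"])
```

The suffix match in `is_trusted` is the important part: a host such as `apple.com.store-cancel.example` starts with the brand's domain but does not end with it, so it is treated as untrusted.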

Final Observations

The success of these recent scams will encourage criminals to develop more of them. Each scam will be more convincing than the last. Many Apple users will become victims, not only through phishing emails but through text messaging. At this stage, it appears as if the criminals are only after money. Some may be selling the information they get on deep web sites. Others may be buying merchandise and reselling it. At some point, these scams may be deployed to enter enterprise networks, so IT departments need to be aware of this. The days of feeling safe as a user of Apple products have now passed.


Governments and Law Enforcement Agencies Can Now Hack Every iOS or Android Device…Really

[Image: cellebrite announcement]

In a report to potential customers (part of which is shown above), the mobile forensics firm, Cellebrite, claims that it can now unlock virtually any smartphone. Of course, it claims that it will only sell its unlocking technology to governments and law enforcement firms, but the key underlying point here is that the unlocking ability exists in the first place. The rest is academic. At some point, others will figure this out, either by back-engineering Cellebrite’s technology or by figuring it out on their own. And guess what? Some of these ‘others’ will not be nice guys. They could be governments, but oppressive governments. They could be law enforcement, but corrupt law enforcement. Or they could just simply be cyber criminals looking for a way to make money by hacking smartphones.

Among Cellebrite’s tens of thousands of customers is the U.S. government. Cellebrite has been under contract to the U.S. government since 2007. As can be seen in the following chart from, Cellebrite has received $40.7 million for 1,308 government contracts. It is currently under contract with the Department of Homeland Security (DHS).

[Image: celebrite us gov]

On the surface, many may see this as a positive development; after all, don’t we want to find out all we can about criminals who endanger the U.S.? Sure, that’s a loaded question. But Cellebrite claims to have 60,000 contracts in 150 countries. There is little doubt that some of these countries have governments whose reputations may be less than sterling. Some may even have interests that are counter to those of the U.S. As the company notes, “by enabling access, sharing and analysis of digital data from mobile devices, social media, cloud, computer and other sources, Cellebrite products, solutions, services and training help customers build the strongest cases quickly, even in the most complex situations.” That’s fine, if these cases are against dangerous operatives, but, in some countries, dangerous operatives may include anyone who opposes the government.

So how does Cellebrite control who gets access to its technology? If you want to extract information from a locked device, you must fill out a form on their website. Although I assume there must be restrictions on who can use their technology, I could find no information on this on their site. The form on their site gives no clues.

[Image: cellebrite form]

I could, for example, find no countries that were excluded from such requests, including North Korea, Iran, and China. The contract (EULA) for use of the software only notes that necessary laws must be followed and that those in the U.S. cannot export the software to countries under sanctions. However, there is no mention of which countries should not bother to contact Cellebrite directly. There is no mention of ethical considerations that should be kept in mind when using their technology. Besides a phone conversation with an interested buyer, I could find no information on how validation of a user’s credentials is conducted. I’m not alone in this observation on a lack of openly stated restrictions. A Motherboard investigation reached the same conclusions.

“Cellebrite’s End User License Agreement (EULA) makes no mention of respecting human rights. It also does not state that Cellebrite’s tools shouldn’t be used against certain populations, such as journalists. Cellebrite declined a request for comment, and did not answer an emailed set of questions about the company’s vetting of customers, nor the absence of any human rights clauses from the EULA.”

The same investigation found that Cellebrite did, in fact, work with repressive regimes in Turkey, Russia, and the United Arab Emirates. How did Motherboard learn all this? Apparently, they were given 900GB of data hacked from a Cellebrite server. But that’s another story.

If the potential customer passes whatever validation exists, they will be told to send in the phone they want unlocked or they will be given the option to buy the company’s software. According to a Forbes article, the cost for a one-time phone unlock is as low as $1500. Cellebrite was reportedly behind the unlocking of the infamous iPhone found in possession of the San Bernardino terrorists, but my guess is that the FBI paid a little more for them to unlock this phone.

What stops Apple or other smartphone manufacturers from back-engineering the technology and then circumventing it with a system update? Nothing really, except for a clause in the user license saying that you shouldn’t do that. In an odd way, such update patches would be welcomed by Cellebrite. This is because they would then enter into a lucrative patch, subvert-patch death spiral. True, companies, like Apple, could pay Cellebrite bug bounties for any bugs it found in their operating systems and, thereby, avoid having their phones exposed and their reputations damaged, but this idea would not contribute much to Cellebrite’s own reputation and growth, as they would more or less get paid to keep quiet.

But we shouldn’t feel too sorry for Apple. Apple has long ago abandoned any pretense of being concerned about their clients’ privacy. The noble fight they engaged in over the unlocking of the San Bernardino terrorist phone has since been tarnished when they readily agreed to give up any information on any Chinese-based customer to the Chinese government. The final nail in the privacy coffin took place recently when Apple agreed to store all Chinese customer information on a government controlled server. After all, you can’t afford to lose access to so many customers, right?

[Image: china apple worm]

Not everyone worries about security. The truth is that most people have only minimal protection enabled on their smartphones and simply hope they won’t get hacked. It’s a different matter, however, for people who have smartphones that are allowed to connect to a company’s or organization’s network. These phones are sought out by high level hackers to gain access to sensitive data in the enterprises they are connected to. Such phones must be secure and should not be phones that can be unlocked because this would expose the entire enterprise to serious risk.

Before the latest Cellebrite report, the iPhone X and Samsung 8 were considered to be among the most secure smartphones available. Now, if security is your main factor for buying a smartphone, the two best are considered to be the Blackphone 2 and the DTEK 60 by Blackberry (yes, Blackberry is still around.) Although at one time Cellebrite claimed to be able to unlock a Blackberry, nothing in their recent reports indicates that they can still do so.


But it may not be so much a security issue as an availability issue. There are just not enough of these secure phones being used by criminals for Cellebrite to worry about. In other words, the demand for unlocking them simply does not exist. Both makers are, in fact, on the verge of financial collapse. Cybersecurity experts at InZero Systems believe the Blackphone 2 can be compromised due to the fact that its security depends on software architecture. The BlackBerry DTEK60 must be only considered as ‘hack resistant’ as it is, after all, based on Android architecture.

No one considers phone security a priority until they get hacked. But if all phones can be unlocked, as Cellebrite claims, then, anything on your phone can and will be used against you in a court of law, if the law deems this necessary. And remember that access to your phone extends to access beyond your phone. Cellebrite, or others using their techniques, would have access to whatever websites your phone is connected to, such as your email, social media, cloud storage, and bank accounts. They can also control your contacts and your friends. It has come to the point where anyone who controls your smartphone can control your life.

Most people in a big city will not leave their keys in their car’s ignition. Most will lock their doors when they leave for the day. Yet, for some reason, these same people are mostly careless in the way they protect access to their phones, even though losing access to them could be far more devastating. It may be that people have become numb to cybersecurity threats. It may be that they feel manufacturers bear the brunt of responsibility for cyber protection. Maybe it’s just that the technological know-how necessary for good cybersecurity is beyond most people’s grasp. Now, it seems this may not matter. If Cellebrite is correct, no amount of cybersecurity will stand in the way of those who really want to get to the information stored on your phone. It will be interesting to see how smartphone manufacturers respond to this challenge.





The Forgotten Story That Could Uncover the Truth about Russian Connections

As the major media outlets chase after the latest shiny object cast in front of them (the indictment of 13 Russian trolls who can’t be prosecuted), another major story is slipping by relatively unnoticed. It is a story that has the potential to answer many questions about the full extent of Russian meddling in the 2016 US elections. It might even substantiate speculations that have only existed on fringe media sites. The problem with this news story is that it hides under a rather bland banner: BuzzFeed Sues the DNC.

On the surface, this seems like a ‘so what’ story. I mean, everyone sues everyone these days. Maybe it has a mildly interesting cannibalistic angle in that a left wing media outlet is suing the Democratic National Committee. But the true story is in why this is happening at all.

The story begins with BuzzFeed’s decision to publish the now largely debunked Steele dossier on Donald Trump. It was a poor decision by a media outlet which was seeking the limelight at the expense of good journalism. However, in their defense, they must have been convinced, at least to a minimal degree, that there were reliable sources behind the document. The document, when published, referred to one Alexsej Gubarev and his company, Webzilla, as being behind the Russian hacking of the DNC. Gubarev was understandably upset with seeing himself openly and unjustly shamed and, seeing what this could do to the reputation of his company, sued BuzzFeed for libel.

The amount of money mentioned in the suit must have been substantial and may be enough to effectively close down BuzzFeed. I say this because BuzzFeed spared no expense in hiring former FBI and White House cybersecurity official, Anthony Ferrante, to seek information that may, in fact, implicate Gubarev in the DNC hacking or substantiate other sections of the dossier. The hope is that this would show that they were not negligent in their publication of the document. This and other suits filed against BuzzFeed over their publication of the dossier have forced BuzzFeed to fight for its journalistic life.

But what if Gubarev really was behind the hack of the DNC? What if he was not as innocent as he claims? In this case, not only would the lawsuit be dropped, but BuzzFeed could countersue. But there is only one organization that would know for sure who was behind the hack of the DNC, and that is the DNC itself. If clues to the hacking exist, that information may still be somewhere on their servers. At least, this is what BuzzFeed hopes, and this is why they sued the DNC. They want access to those servers to see if they can find out who really hacked the DNC.

But wait a minute. Don’t we already know that the Russian government, or at least someone connected to the Russian government, hacked the DNC? After all, didn’t 17 government intelligence agencies find this to be the case? Well, that’s a bit of an exaggeration. The fact is that the only people who ever saw the DNC servers were not part of the government at all. They were a private cybersecurity firm called Crowdstrike. The DNC refused to let the FBI look at their servers, if you believe the FBI version of the story; according to the DNC, the FBI never asked for access to their servers. Neither of these scenarios looks good for the FBI.

The DNC claimed they randomly chose Crowdstrike to help them when they suspected they may have been hacked. They continually worried about Sanders’ supporters trying to hack them. Their claim was that they hired an independent firm because they didn’t want to involve the FBI. At the time, the FBI was investigating Clinton’s use of a private server, and they felt that involving the FBI in this problem would make things worse for Hillary and the DNC. To put it bluntly, they were afraid that such an open investigation could hurt donations to the party. This is substantiated by the fact that, after they announced the hack in June, 2016, they immediately announced that no donor information was involved. This story later proved to be false when Guccifer 2.0 released pages of information on donors.

But did the DNC randomly choose Crowdstrike as they claimed? Crowdstrike, in fact, had already been contracted by the FBI back in July, 2015, as can be seen in the image from seen below.

[Image: crowdstrike contract]

They were still under contract when they investigated the DNC hacking. This begs the question: Did the FBI suggest that Crowdstrike investigate the hack and, thus, simply trust their conclusions? The FBI had already known the DNC was being hacked. They had warned them to be careful months before. Crowdstrike, having previously dealt with Russian hacking, quickly concluded that Russian hacking groups were behind the attacks. There were certain Russian references in the malware code, and the servers used to operate the attack were ones Crowdstrike had seen before. The government intelligence agencies that claimed the hack was organized by Russian operatives based their conclusions on the forensics performed by Crowdstrike. They did not, and could not, verify this claim on their own. Now, keep in mind that this was one of the key cyber events in years and, perhaps, in history. Wouldn’t you think that the highest level law enforcement agency in the US government would want to double check the conclusions of a private cybersecurity firm?

So BuzzFeed appears to have a case. In fact, many in the cybersecurity community had their doubts about Russia being the source of this cyber attack. First of all, attribution for an attack is very difficult. The best hackers will hide all traces of where the attack came from. In fact, they will insert code or use servers that appear to point to other countries entirely. If they believe they have been discovered, they have a ‘kill switch’ that will wipe all evidence of the infiltration from the compromised network. What if someone just wanted to make it look like the Russians were the culprits? You could not absolutely exclude this possibility from the evidence given.

As soon as the hack was announced, the DNC put forth the story that Russia hacked them to help then candidate Donald Trump. But were these hackers allied with the Russian government or were the hacks performed by one of the numerous, independent Russian hacking groups? One would expect an attack by the Russian government to be sophisticated. In fact, this one was not. According to the Crowdstrike employee who worked on the hack, Robert Johnston, this was not an example of a sophisticated hack. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” He observed that it was unusual for “an intel service to be so noisy.” To be blunt, this looks more like an attack performed by an amateurish hacking group that just happened to get lucky with one of its mass phishing campaigns. Whether the bounty gained from this attack was subsequently used by the Russian government is impossible to say. (For details on how this attack occurred, see this post.)

What is somewhat unsettling is that Crowdstrike has since lost some of its credibility. Crowdstrike falsely attributed attacks on a Ukrainian artillery app to Russia in December, 2016. At that time, Dmitri Alperovitch, the anti-Russian founder of Crowdstrike, claimed that this buttressed Crowdstrike’s conclusions for Russia’s involvement in the DNC hack. When this claim proved to be false, Crowdstrike’s reputation as experts on Russian hacking was tarnished. In addition, when asked to testify before an intelligence committee investigating the DNC hack, they refused, making some wonder if they were trying to hide something.

It was such behavior that has spawned a number of alternative theories. Although some of these may be classified as true conspiracy theories, others have a certain amount of support and could, indeed, be credible. Among the latter are those presenting evidence that the DNC documents were leaked and not stolen. Other theories have suggested that Crowdstrike or the FBI may have inserted malware into the DNC servers to intentionally make it look like the Russians were involved in the hacking. Why would they do this? Most such theories suggest that the DNC was trying to hide something and needed the Russian story to distract the public.

Crowdstrike used its Falcon platform to detect the unusual movements of large numbers of files within the DNC network. At the same time they were doing this, the Awan family was illegally moving thousands of files belonging to over 40 Congressional Democrats (including those of DNC Chairperson, Debbie Wasserman-Schultz) to Dropbox accounts and a server for the House Democratic Caucus. (The server was subsequently stolen.) Did Crowdstrike detect any of this unusual activity? (For more information on the Awan family scam, read this post.)

In the end we are left with more questions than answers. If judges allow BuzzFeed access to the DNC servers, and assuming there is still evidence of the hacking on them, it might just be possible to answer some of these questions on Russia’s involvement in the election. It is possible that what is found could squelch some of the conspiracy theories surrounding Russian collusion and support others. Then again, information may surface that could change the course of the Mueller investigation completely. Some decision should be made next month. However, the DNC lawyers are pushing back saying that, “if these documents were disclosed, the DNC’s internal operations, as well as its ability to effectively achieve its political goals, would be harmed.”

I don’t mean to be sarcastic, but I think their internal operations and political goals were already harmed. It’s time to stop sandbagging and let everyone get to the bottom of this matter once and for all.



Video Game Addiction and Death

When Mr. Hsieh died in a crowded room, nobody took any notice. For hours, he sat there slumped over and face-down on a table. Even when his dead body was carried out of the room, few paid much attention. Why? Because he died in an internet café in Taiwan. The other gamers were simply too involved in their gaming to pay attention to what was going on around them. Death was caused by cardiac arrest probably brought on by sleep deprivation.

But was the ultimate cause of Hsieh’s death video game addiction? It certainly must be considered a major contributing factor. If an alcoholic passes out on a cold night and freezes to death, the cause of death may be listed as hypothermia. However, few would deny that the underlying cause may be the alcoholism that caused him to pass out in the first place.

Hsieh was known to disappear for days to play games at his local internet café. He had all the symptoms associated with video game addiction. The World Health Organization (WHO) has recently classified gaming addiction as a mental health disorder. The condition becomes a mental disorder when a persistent pattern of gaming behavior develops that “takes precedence over other life interests.” The organization points out that “for gaming disorder to be diagnosed, the behavior pattern must be of sufficient severity to result in significant impairment in personal, family, social, educational, occupational or other important areas of functioning and would normally have been evident for at least 12 months.” In short, gaming addicts put gaming above all other aspects of life, even when they know that relationships and health are being harmed as a consequence.


Gaming addiction often leads to a lack of sleep which, in turn, leads to heart failure. Dr. Daniel Kuetting and his colleagues at the Department of Diagnostic and Interventional Radiology at the University of Bonn studied the effects of sleep deprivation on people who worked 24-hour shifts. They found that, “short-term sleep deprivation in the context of 24-hour shifts can lead to a significant increase in cardiac contractility, blood pressure and heart rate.” It is safe to assume that the condition worsens if one stretches the time of being awake even further. Many of the gamers who have died of their addiction had, like Mr. Hsieh, been playing for up to three days straight. Most died of heart failure. Though most such gamers would survive a three-day gaming marathon, those in poor physical condition or with pre-existing heart problems would be at a much greater risk.

Just as not all those who drink alcohol become alcoholics, not all game players become gaming addicts. Studies vary in the number of gamers who become addicts, but it’s generally agreed that around 8-10% are either addicted or have problems related to gaming. According to the most recent statistics, 6.2% of adults have Alcohol Use Disorder (what we used to call alcoholism), and we can assume that the percent of adults with some kind of drinking problem is much higher. A big difference between the two addictions is that around 88,000 people a year die alcohol-related deaths. These include driving accidents, fires, suicides, homicides, health problems, and falls. Even including deaths like that of Daniel Petric’s shooting of his parents for taking away his Halo 3 game, video gaming deaths are nowhere near as many as those related to alcohol addiction or even gambling, but that doesn’t mean that gaming addiction doesn’t ruin lives. For example, 15% of women filing for divorce listed excessive gaming as a contributing factor. To put this in perspective, here is a reminiscence of self-described gaming addict, Mike Fahey.

“The woman I had once told was the love of my life was sitting undressed in my bed not a foot away from my computer desk, begging me to join her, and I kept putting it off. I was so close to level 40 I could taste it. I was in the Dreadlands, kiting large enemies back and forth, killing them slowly with my Bard songs. I still remember the urgency I felt, along with the annoyance that this woman was trying to keep me from reaching my goal. Couldn’t she understand how important this was to me?”

So what games are most addicting and, potentially, most life-threatening or life-destroying? There are a number of lists that claim certain games are more addictive than others. Of course, games are made for different platforms but the following names come up a lot. They are in no particular order. It should be noted that men are 7.5 times more likely to become addicts than women so games that appeal to men are, in all probability, the ones that will cause the most problems.

World of Warcraft

Call of Duty

Candy Crush Saga

The Sims

League of Legends

Dota 2

If you expanded this to the most addictive games ever, you’d have to include games like Tetris, Super Mario, Pac Man, and Age of Empires. Remember that everyone has their own poison. I’ve known Tetris addicts, Asteroids addicts, Wolfenstein, and Duke Nukem addicts.

But, according to experts, the most dangerously addicting games are multiplayer online games, a.k.a. massively multiplayer online role-playing games (MMORPGs). These are the ones parents should pay most attention to if they feel their child is losing contact with the real world or is having social, behavioral, or academic problems.

Among these potentially problematic games are the following. (The asterisks indicate free online games.)

Grand Theft Auto

Call of Duty

League of Legends/Dota 2*

Star Wars Battlefront

Resident Evil

Diablo 3

Fortnite* (also the fastest growing online game)

Eve Online*

According to psychologists who treat gaming addiction, the games that are mentioned most are,

World of Warcraft

Call of Duty

Second Life


Eve Online,

although my gamer son claims this list is out of date.

But what precisely is it that makes these games the most addicting among the thousands on the market? Experts on gaming addiction give the following reasons why some games are more addictive than others.

Addictive games will be,

1. Online Multiplayer Games: MMORPGs.

2. Games that allow players to create their own characters, teams, and worlds. This social element creates an alternative world and an escape from reality.

3. Games that have no predefined end or goal, which means they can continue to be played forever.

4. Games that have levels or rewards for playing more or for acquiring more skills. Games that are difficult to advance in tend to create a ‘give up factor’ which would kill potential addiction. Rewards stimulate addiction.

5. Games that have frequent upgrades to keep the game fresh and interesting.

6. Games that generate emotions. These are not always positive emotions, such as a feeling of accomplishment. Negative emotions, such as anger or a need for revenge, can also lead to more gaming.

Taking all of the above into consideration, I would suggest that the crystal meth of online games would have all of these elements and, in addition, be free and available on multiple platforms. With all of the above factors in mind, I sorted through a list of the best multiplayer games and came up with the following which should be considered among the current games with the most potential to cause addiction.

Warhammer 40,000, Fortnite, Heroes of the Storm, Dota 2, Smite, League of Legends, and Paladins.

Others that need to be watched are Terraria, Trackmania Turbo, PlanetSide 2, and Pixel Worlds.

Video game addiction is a physical addiction. Robert Lustig, a professor of pediatrics and endocrinology, recently reported his research on how gaming “can overrelease dopamine, overexcite and kill neurons, leading to addiction.” He further states that “when the brain gets used to a higher level of dopamine, it wants us to keep seeking out the addictive substance or habit.” Teens and young adults are particularly susceptible to dopamine addiction. Add to this the fact that video game developers actually try to make gaming as addicting as possible and you have the dopamine trap known as gaming addiction.

The free online game model works because addicted gamers will pay real money for in-game content. Thus, the more gaming addicts companies can create, the more money they can extract from gamers. And the sad truth is that gamers seek games that are addicting. In the end, it’s a perfect example of a codependent relationship. Mental health experts say that “people with codependency often form or maintain relationships that are one-sided, emotionally destructive and/or abusive.” That about sums it up.


Social Security Scams on the Rise, and It’s Not Just the Elderly Who Have to Worry

It was just a matter of time. With Boomers retiring in droves, more and more criminals have been targeting them to cash in on their retirement benefits. And if you think you’re safe because you’re not retiring yet, think again. One of the most recent scams will actually register you for retirement long before you’ve ever considered doing so. This means that when you do retire, your money may end up going to someone else. In fact, in some cases, these criminals may have preemptively withdrawn all of your retirement benefits before you even registered for retirement. This attack vector was increasingly used in 2017 and led cybersecurity expert, Brian Krebs, to encourage people to register on the Social Security Administration website as soon as possible.

In order to register on the SSA website, you will need to give them some basic information. This will include a name, address, telephone number, email, and, of course, your Social Security Number. If someone has these, they can register as you. But wait, the SSA uses something called an “Identity Services Provider” to “help us verify the identity of our online customers and to prevent fraudulent access to our customers’ sensitive personal information.” And who is this trusted authenticator? Equifax, a company that was hacked last year and lost its database of 145 million Americans; a database which included all of the above personal information and more. So, yes, your Social Security future may be impacted. To find out if your information was lost in this breach, go here. If you are outside of the US, you’ll have to use a VPN that can redirect you through a US server.

Update: On February 9th, the Wall Street Journal reported that Equifax lost more information than they previously disclosed. This included “tax identification numbers, which are used when someone doesn’t have a social security number, as well as e-mail addresses, credit card information, and some additional drivers license information.”

It has been reported that the data from the Equifax hack was dumped and put up for sale. Whether this is true or not doesn’t really matter. Social Security information is readily available for sale on the deep web. For example, I found this information on one deep web site. I removed sensitive information but it would otherwise be there for all to see.

[Image: ssn deep web]

Some of the information seems to check out.

[Image: ssn valid]

So, if you have not registered at the SSA website, someone else could certainly do it for you. They could change your address, email, and bank account number to their own and you would be none the wiser.

Then there are the scams. Even if you are registered, criminals can use this information against you. Take a look at a common phishing letter that is making the rounds.

[Image: ssa email]

Okay, so the bad grammar may be a giveaway, but would you otherwise recognize it as fake? If you clicked on the link, you might even land on a sign-in page that looks like a legitimate SSA site. Yes, you should hover the cursor over the link to see where it goes (check the lower left-hand corner of your screen), but sometimes these links are made to look real. The SSA gives this real example of one such link (don’t worry, it goes nowhere):

Notice that it has legitimate-looking elements and even has an ‘https’ header which seems to give it a secure look. But beware of these so-called secure sites. If you must trust any of them, the ‘https’ should be green. Here are two examples. The first is from the legitimate SSA website. Notice that it is not green, and that includes its sign-in page.

[Image: ssa https]

The second, from Bank of America, shows the highest level of security.


The problem is that any website can get the gray certificate. It can even be acquired for free. Check my post on this for more information.

SSA email scams, like the one mentioned above, are a relatively new phenomenon. Most scams targeting seniors use scam phone callers pretending to be from the SSA. They have the same goal, however, to get your personal information. Why do they use phone scams? Because, sadly enough, older people tend to be more trusting, especially when they hear a friendly voice on the other end of the line. But as seniors become more tech savvy and depend more on email and social media, these are more and more likely to become the main attack vectors. Look for such scams to increase and become more sophisticated in the future.



The Cryptocurrency Scam Epidemic

When a businessman friend of mine told me he and his brother were investing in cryptocurrencies, I was, quite frankly, dumbfounded. Here were two technologically challenged businessmen planning to invest considerable money in one of the most technologically challenging concepts in existence. However, I understood the motivation behind their optimism. It was, in short, the belief that this was the road to instant wealth. It was not only the triumph of greed over fear, but the triumph of ignorance over reason. As someone who writes on cybersecurity, my first question to them was whether they had bought a hardware wallet. Their blank stares said more than any words could have.

This interaction made me wonder how many others were like these two businessmen. How many people, hoping for instant wealth, invested large sums in bitcoins or other cryptocurrencies without knowing the first thing about how they operate? I suspected the numbers were high, and, if this were true, there must be hundreds of hungry scammers waiting to feed on them.

Yes, I expected to see a lot of scams, but what I found exceeded all my expectations. There is a rampant feeding frenzy going on among scammers who are glutting themselves on the overabundance of naïve bitcoin and other cryptocurrency buyers. They are taking advantage of these people in a number of ways. Some of the scams are simplistic while others are more complex. Here are some that are currently making the rounds.

The ICO (Initial Coin Offering) Scam

Initial coin offerings (ICOs) are supposed opportunities to be among the first to invest in a new type of cryptocurrency. As one writer recently put it, “the sheer number of ICO’s that have come across my desk makes my head spin.” The writer estimates that 90% of these offers are scams. If you check a site like Bitcoin Jerk, you will find a list of nearly every possible cryptocurrency available. As of this writing, there are almost 1500 of them with some selling for less than one cent. Although bitcoin itself is based on complex code and encryption, some of the currencies listed are based on absolutely nothing. Then how can they even exist? The answer is: by pure speculation.

If I have enough people believing that a green piece of paper with some esoteric markings on it has value, then it has value, at least among the believers. This paper can, then, be exchanged for goods and services. Remember that bitcoin really got its footing in the deep web where people needed to buy illegal merchandise, often drugs, in an untraceable fashion. As more people believed in its value, its value increased.

New cryptocurrencies need some way to make themselves known. The best way to do this is to pair themselves with a spamming network or botnet. This is what the largely unheard of cryptocurrency, Swisscoin, is doing.


Swisscoin has paired itself with the infamous Necurs botnet to spread spam offers for the coin. Swisscoin spokespeople deny this and ask those who get such emails to report it to them. That said, Swisscoin has been termed a Ponzi scheme by a number of researchers as it relies mainly on persuading investors to interest other people in the coin in order to increase interest (speculation) in it, thus, raising its price in what is termed a pump-and-dump scam. It could be that only one investor used the botnet to encourage more people to invest in the coin. The increased interest would, then, increase the price of the coin and, by extension, the spammer’s own income. The current price of a Swisscoin stands at $0.004. It is no surprise, then, that Swisscoin wants people to buy packages that start at 25 euros. That said, according to those who’ve traced the bitcoin address for the company, Swisscoin has received over $2.5 million in bitcoins alone. Not a bad return for a little known and almost useless cryptocurrency.

For this and other cryptocurrency spam emails, look for subject lines like the following.

Subject:    Forget about bitcoin, there’s a way better coin you can buy.

Subject:    Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

Subject:    This crypto coin could go up fifty thousand percent this year

Subject:    Could this digital currency actually make you a millionaire?

Cryptocurrency Wallet Hacks

When you buy your bitcoins, you are really buying a private key that enables you, and only you, to use the coins. This key needs to be protected because, if it falls into someone else’s hands, the coins are as good as theirs. What’s worse is that bitcoin’s built-in privacy will allow the thief to escape all detection. So, to protect the key and your bitcoins, you need what is called a wallet. Basically, there are three kinds of wallets. One that is often used comes with the coins you buy through some website, like Coinbase. The website protects your private key with its own security. In order for you to access your private key, you need a username and password. However, these ‘cloud’ wallets are vulnerable if someone gets your password. They can get this through normal hacking methods, such as phishing scams, or by infiltrating your email and contacting the bitcoin site to reset the password, thereby taking control of your account.

Cloud services themselves have been hacked and customers’ bitcoins were stolen. This happened to NiceHash when hackers compromised an employee’s computer to steal $64 million. The Mt. Gox hack (billions of dollars in bitcoins stolen) and the recent Coincheck hack ($450 million stolen) are examples of online storage sites that were hacked. Some of these could have been inside jobs.

Software wallets store your bitcoin information on your device or computer and, in so doing, are connected to the internet. Such wallets allow for easy use of your bitcoins but are more accessible to hackers. No serious bitcoin owner will use software to protect their private key. Serious users use hardware wallets, which are independent devices, not connected to the internet. They can be hacked, but not easily. For more information on these hardware wallets, see my recent post.

Fake Recipient Hacks

“All of my money was just sent from MyEtherWallet to this address. It looks like that person has stolen more than 44 million dollars worth of crypto. What now?” So began one post on Reddit. It appears the user signed into a spoofed (look-alike) website and gave them the information they needed to steal his bitcoins from the real website. Always check the URL carefully as even a one-letter difference can be important. is not the same as (They look the same because of the font used on this website. The capital ‘I’ is indistinguishable from the letter ‘l’, but that’s my point. A spoofed link can be difficult to spot.)
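The URL check described above can be automated. The following is an added example, not code from the original post: it compares a link, exactly as displayed, against a short allowlist of sites the user really intends to visit. The allowlist, the confusable-character table and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the hosts the user really intends to visit.
TRUSTED_HOSTS = {"www.myetherwallet.com", "www.ssa.gov"}

def skeleton(displayed_host):
    """Collapse characters that render alike in common fonts to one form."""
    s = displayed_host.replace("I", "l").lower()   # capital I looks like lowercase l
    for seen, meant in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        s = s.replace(seen, meant)
    return s

def within_one_edit(a, b):
    """True if a and b differ by at most one substituted, added or dropped character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    skip = 1 if len(a) == len(b) else 0            # substitution vs. insertion
    return a[i + skip:] == b[i + 1:]

def classify(url):
    """Return (verdict, related_trusted_host_or_None) for a link as displayed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ("invalid", None)
    host = parts.hostname      # what DNS sees: lowercased, no userinfo or port
    if not host:
        return ("invalid", None)
    if host in TRUSTED_HOSTS:
        return ("trusted", host)
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return ("non-ascii", None)   # internationalized name: inspect before trusting
    # Host exactly as written in the link, case preserved, for the look-alike test.
    displayed = parts.netloc.rpartition("@")[2].rsplit(":", 1)[0]
    for trusted in sorted(TRUSTED_HOSTS):
        # Trusted name used as decoration: userinfo before '@', or leading labels.
        if (parts.username or "").lower() == trusted or host.startswith(trusted + "."):
            return ("embedded", trusted)
        if skeleton(displayed) == skeleton(trusted) or within_one_edit(host, trusted):
            return ("lookalike", trusted)
    return ("unknown", None)

# Constructed sample links; the second uses a capital I in place of a lowercase l.
SAMPLES = [
    "https://www.myetherwallet.com/",
    "https://www.myetherwaIlet.com/",
    "https://www.ssa.gov.account-review.example/login",
    "https://www.ssa.gov@198.51.100.7/signin",
    "https://www.ss\u0430.gov/",     # Cyrillic 'а' instead of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link), link)
```

Host names are case-insensitive, so the capital ‘I’ in the second sample is really the letter ‘i’ in a different domain name; the check catches it both as displayed and after lowercasing. The one-edit rule is deliberately broad and will also flag legitimate hosts that sit one letter from an allowlisted name (www.usa.gov against www.ssa.gov), so a "lookalike" verdict means "check before signing in", not "malicious".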

It is also possible for a hacker to divert bitcoin payments through a man-in-the-middle attack. Without going into details, the scammer initiates a transaction with both a buyer and a seller and watches it progress. When the time is right, the scammer, pretending to be the seller, gives the buyer his own bitcoin address for the buyer to send the coins to. For more details on this scam, go here.

So, my final observation after studying many of these scams is that those who speculate on cryptocurrencies without knowing how they work are destined to find out how they work after they lose their coins. When greed is the underlying motive for buying cryptocurrency, reason is co-opted and people are more willing to take risks they would not normally take. As for my businessman friend mentioned at the beginning of this post, he ended up losing about 30% of his original investment. For the moment, his greatest fear is not of being hacked, but of having his wife learn about his costly investment.



