Chrome Browser Vulnerability Allows Hackers to Take Remote Control of Your Device and Network

In order to be infected by most malware, you have to download a malicious file and open it. Downloading the bad file is simply not enough to cause you problems. But what if there was a file that downloaded and opened itself automatically? That would truly be your worst nightmare. Sadly, if you use Google’s Chrome browser, your nightmare has now arrived.

Browsers make our lives easier by automating a lot of processes. For example, if you don’t specify where you want a download to go, it goes into a folder usually called ‘Downloads’. When Chrome judges a file safe, the user gets no prompt at all: the file is simply downloaded. Normally, this presents no problem. However, a new vulnerability in Chrome turns this automated process into the springboard for a serious malware attack.

Most files will not open automatically when downloaded, but a few will. Among these are files that create an icon which is really a shortcut to some other location. These files come with the extensions .lnk or .scf. Automatic opening of .lnk files has been stopped, but not of .scf files. An .scf file is processed as soon as the folder it is stored in, such as ‘Downloads’, is opened; in other words, Windows Explorer automatically activates the icon. The problem occurs when the SCF ‘icon’ is actually a link to a remote server. At that point, the remote server receives the hashed password for the user’s PC and, if the user is on a corporate or institutional network, the hashed network password as well. So if the attacker can lead the victim to a website with a malicious SCF file, Chrome will help the attacker do the rest.

Maybe it’s a good idea to look at hashing at this point. If you already know about hashing, you can skip this paragraph. Hashing is basically a one-way transformation. When you first register your login information on a website, the website transforms your password into a scrambled string of numbers, letters, and symbols of a fixed length called a ‘hash’. It’s the hash, not the actual password, that the website stores. Unlike regular encryption, hashing cannot be reversed. Thus, when a hacker steals your hashed password they cannot apply some formula or key to decrypt it. They have to use another technique, which is basically guessing. They hash a guessed password and compare the result with the stolen hash. If they have guessed correctly, the two hashes match. Only then can they log into your account.


Your Windows password is automatically hashed, so the attacker operating the remote server that receives it has two options. They can use software to guess and match (crack) the hash in order to recover the actual password, or they can use the hashed password itself. This works because some Microsoft services only require the hashed password to operate. Such services include OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live, and more. In other words, either technique can give an attacker remote access to your computer and to any network you are connected to. Needless to say, skilled attackers can leverage network access to steal sensitive data from an enterprise or compromise other users on the network. It all depends on whether their goal is information-based or financially based.

Although the Chrome browser may allow downloads of SCF files to proceed without hindrance, you may suppose that antivirus software will detect these files and notify users of their presence. Unfortunately, this does not appear to be the case. The main investigator of this vulnerability stated that, “we tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous. All tested solutions failed to flag it as anything suspicious.” Moreover, Windows Explorer always hides the .scf extension, so it will not appear in the file name. In other words, if the attacker uses a file named photo.jpg.scf, the user only sees photo.jpg, which looks like a valid JPG file.

Since the file does not appear malicious to either Chrome or antivirus software, you will need to be the download filter yourself. To do this, enable the “Ask where to store each file before downloading” option in Chrome’s advanced settings. Then you will be able to intercept any automatic downloads that would otherwise occur.
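As an added example (not part of the original post), here is the same protection enforced by policy rather than by clicking through settings, followed by a listing of the Downloads folder that shows real file names. It assumes Windows 10 with Chrome, an elevated PowerShell session (the policy key lives under HKLM), and a Chrome version that recognises the PromptForDownloadLocation policy, which current releases do. Explorer hides the .scf extension no matter how its “hide extensions” option is set, which is why the listing reads names from the file system instead of relying on the Explorer view; the function name is chosen for this example.

```powershell
# Added example, not code from the original post. Assumes Windows 10 with Chrome and an
# elevated PowerShell session (the policy key lives under HKLM).

# 1. Chrome policy: PromptForDownloadLocation = 1 is the policy form of
#    "Ask where to save each file before downloading", and users cannot switch it off.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromePolicy -Force | Out-Null
Set-ItemProperty -Path $chromePolicy -Name 'PromptForDownloadLocation' -Type DWord -Value 1

# 2. List shortcut-type files already sitting in Downloads. Explorer never shows the
#    .scf extension, so photo.jpg.scf looks like photo.jpg there; Get-ChildItem does not hide it.
function Find-ShortcutDownloads {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.scf', '.lnk' } |
        ForEach-Object {
            [pscustomobject]@{
                RealName   = $_.Name
                # What Explorer would display: the name with the final extension removed.
                ShownAs    = $_.BaseName
                # A dot left in the base name means a disguised double extension.
                DoubleExt  = ($_.BaseName -match '\.')
                Downloaded = $_.CreationTime
                SizeBytes  = $_.Length
            }
        }
}

Find-ShortcutDownloads | Format-Table -AutoSize
```

Anything the function lists can be removed with Remove-Item from the same PowerShell window, which avoids opening the folder in Explorer, the step that triggers the icon lookup in the first place.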

You may also want to adjust your firewall to stop any SMB communications to devices outside of your network. Unless you have an older Windows operating system, such as Windows XP, you should probably disable SMB 1.0. I gave directions on how to do this in a recent post.

Although it might seem an easy flaw for Google to fix, so far, none has been reported. Thus, unless you want your computer remotely controlled by someone else or your business to be infiltrated, you need to browse with some caution. Of course, there is another option. You can change your browser. Sorry Google.

 


A Simple Guide for Protecting Yourself from Ransomware

If you think the last ransomware attack was the end of the story, you’re wrong. If you think only enterprises are targeted by ransomware, you’re wrong. And if you think you have an operating system that is safe from ransomware, you’re wrong. In other words all of us are vulnerable. In fact, most researchers think that the next targets could be bigger enterprises and more individuals via a vast botnet attack.

However, it remains true that all of these attacks can be subverted by a few simple steps because, when all is said and done, attackers only have a few vectors that they can exploit to get control of your device. Although there are many ransomware varieties that are prowling the internet for victims, the attacks always begin by attacking individuals. If these individuals are working for companies or institutions that depend on quick access to data, so much the better for the attackers. Enterprises have a role to play in all of this, but each person, each employee must know how attackers are trying to trick them into becoming victims. Here are the steps to take to stop that from happening.

1. System Updates and How to Get Them

Windows 10 really gives you no choice but to accept updates. In truth, that’s probably good, at least for critical updates. There are ways to work around the automatic updates but, for safety’s sake, it’s best to make your updates automatic. Go to your settings, then to Updates and Security, and there you can check for the latest updates.


The WannaCry Ransomware targeted older operating systems, especially Windows XP and enterprise networks that used these older systems. As the chart below shows, extended support for Windows 7 and above will continue for a few years yet so be sure to keep up with those updates.

(Chart: Windows support schedule)

Older, unsupported versions of Windows Vista and below, normally have no support. However, due to the seriousness of the latest ransomware attack, Microsoft has created some patches that you can download here.

Quick installation of updates is important because hackers study the updates themselves to find out which holes needed patching. They know that many people won’t update right away, so they search the internet for unpatched computers and networks that they can attack. Big enterprises with big networks take a long time to patch, and the hackers know it. These exploits are termed one-day exploits because that’s how long it takes the attackers to begin attacking networks that do not update fast enough.

There are other steps for advanced users to take and they can be found here. I wouldn’t recommend these to the average user because some of the suggestions deal with tweaking the registry and any mistakes could seriously affect the functionality of your device.

2. Disabling SMB1.0

This may sound daunting but it is not. What you will be doing is protecting your device from being remotely attacked. Basically, if this is not disabled, attackers can work around later updates of the SMB protocol to cause you problems. This is especially true for enterprises with large networks. SMB stands for Server Message Block and is used for sharing files on a network. If you run Windows XP or have an old printer you may still need SMB1.0, otherwise you probably do not. Even with all of its shortcomings, SMB1.0 comes enabled on Windows 10. I have disabled SMB1.0 on my device and will let you know in updates if any functionality problems arise.

So, to disable SMB1.0, go to ‘Search’ (lower left hand corner) and type in “Windows features”. You will be given a control panel for turning off or on various Windows features (see below). You will probably see the area that I highlighted with the box checked. Simply uncheck it and reboot your computer. If you think this is a small thing, think again. As one Microsoft expert on the topic wrote, “stop using SMB1. For your children. For your children’s children. Please. We’re begging you.”
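As an added example (not the post’s own directions), the same SMB1 switch and the outbound firewall block done from PowerShell, with a check at the end. It assumes Windows 8.1 or Windows 10 (the Smb and NetFirewall cmdlets are not available on Windows 7) and an elevated session; the rule display names and the function name are chosen for this example.

```powershell
# Added example, not the post's own directions. Assumes Windows 8.1/10 and an elevated
# PowerShell session; rule names below are chosen for this example.

# 1. Same switch as the "SMB 1.0/CIFS File Sharing Support" checkbox in Windows Features.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
# The server service can also be told directly not to accept SMB1 sessions.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Block SMB leaving this machine for addresses outside the local network. TCP 445 is
#    direct SMB, TCP 139 is SMB over NetBIOS. 'Internet' is the firewall's address keyword
#    for everything that is not on a local subnet, so file shares on the LAN keep working.
foreach ($port in 445, 139) {
    New-NetFirewallRule -DisplayName "Block outbound SMB $port to Internet" `
        -Direction Outbound -Protocol TCP -RemotePort $port `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 3. Report the state of all three controls; Hardened is $true only when every one is in place.
function Test-SmbHardening {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    $server  = Get-SmbServerConfiguration
    $rules   = @(Get-NetFirewallRule -DisplayName 'Block outbound SMB * to Internet' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Smb1FeatureState   = $feature.State
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        OutboundBlockRules = $rules.Count
        Hardened           = ($feature.State -ne 'Enabled') -and
                             (-not $server.EnableSMB1Protocol) -and
                             ($rules.Count -ge 2)
    }
}

Test-SmbHardening
```

The feature state may read DisablePending until the reboot the post mentions; the check treats anything other than Enabled as acceptable for that reason. If a printer or another old device stops working afterwards, the firewall rules can be removed by name with Remove-NetFirewallRule while SMB1 stays off.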

(Screenshot: the Windows Features panel, with the SMB 1.0 checkbox highlighted)

3. How to tell if an email attachment is malicious

There are some good phishing scams out there. They can fool anyone. Some phishing emails may come from your friends or even from people in management. The attachment may have a legitimate name. It could be photos from a party you went to or information your CEO wants you to read. You can’t simply refuse to open any attachment. You could lose friends and even your job. So what do you do?

The first thing to remember is that no attachment is dangerous until you download and open it, thus, releasing its payload. So, before you open it, you can scan it for viruses or malware with your antivirus software. If your file is smaller than 150MB, you can use a good online scanner like VirusTotal.

At the same time that WannaCry Ransomware was bringing down enterprises around the globe, Jaff Ransomware was using a botnet to spread its payload at the rate of 5 million an hour, mostly to individuals. Although researchers are not sure how WannaCry delivered its payload, Jaff was doing so with the help of a PDF attachment. Opening the attachment will give you this.

(Screenshot: the prompt shown by the Jaff PDF attachment)

The file mentioned is a Word document packaged within this PDF file. It will look like this.

(Screenshot: the embedded Word document asking the reader to enable editing)

If you follow the instructions and enable editing, you will install the ransomware which will begin encrypting all of your files. Eventually, you will be told to pay a ransom in Bitcoins of over $3,000 to get your files back.

This attack needs you to enable macros before it can operate. Until you do this, you are safe. Make sure your macros are disabled. First, you need to find your Word Macro Settings menu. This will either be in Trust Center Settings or Tools/Macros/Security. There, choose the High or Very High option.
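As an added example (not from the original post), the same macro lockdown applied through the registry, so it can be scripted for every machine rather than clicked through in the Trust Center. It assumes Office 2013, 2016 or 365, whose per-user settings live under version keys such as 15.0 and 16.0 in HKCU; the value names VBAWarnings and BlockContentExecutionFromInternet are the registry form of the Trust Center macro settings (value 3 corresponds to the post’s “High”, 4 to “Very High”), and the function names are chosen for this example. Group Policy, where present, overrides these per-user values.

```powershell
# Added example, not code from the original post. Assumes Office 2013/2016/365 with
# per-user settings under HKCU:\Software\Microsoft\Office\<version>\Word\Security.

function Set-WordMacroLockdown {
    $versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' }   # keys like 15.0, 16.0

    foreach ($v in $versions) {
        $security = Join-Path $v.PSPath 'Word\Security'
        New-Item -Path $security -Force | Out-Null
        # VBAWarnings: 1 = enable all, 2 = disable with notification (Office's default),
        # 3 = disable except digitally signed, 4 = disable all without notification.
        Set-ItemProperty -Path $security -Name 'VBAWarnings' -Type DWord -Value 4
        # Documents carrying the Mark-of-the-Web (e-mail attachments, downloads) get no
        # "Enable editing / Enable content" path to macros at all.
        Set-ItemProperty -Path $security -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1
    }
}

function Get-WordMacroSetting {
    # One row per installed Office version, so the result can be checked after a change.
    Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' } |
        ForEach-Object {
            $security = Join-Path $_.PSPath 'Word\Security'
            $p = Get-ItemProperty -Path $security -ErrorAction SilentlyContinue
            [pscustomobject]@{
                OfficeVersion      = $_.PSChildName
                VBAWarnings        = $p.VBAWarnings
                BlockInternetMacro = $p.BlockContentExecutionFromInternet
                MacrosDisabled     = ($p.VBAWarnings -in 3, 4)
            }
        }
}

Set-WordMacroLockdown
Get-WordMacroSetting | Format-Table -AutoSize
```

Word reads these values when it starts, so close and reopen it after running the script; a row showing MacrosDisabled as False afterwards usually means a Group Policy setting under HKLM is taking precedence.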

(Screenshot: Word macro security settings)

According to Kaspersky Labs, the spammed phishing emails come with a subject line similar to “Receipt to print” and will sometimes have a message like, “Print two copies”.

The senders will be generic “John” or “Joan” but with an unusual email address that should give them away. It doesn’t matter to the criminals as long as they can trick even a small percentage of people.

4. Check those links

Similar to attachments, links may also come from friends or management. They may have valid names. Hover over any link with your cursor to see if a valid address appears in the lower left hand corner of your screen. If you’re still not sure, or the URL doesn’t appear, you can push the ‘Reply’ button and you will see the true address of the sender in the “To” field. Don’t send the message. Simply look at that address and see if it looks valid. If you are still unsure of a link, test it by copying it and using VirusTotal to check it. If you are still unsure you can always contact the sender in person or by phone to see if they actually sent that email and link. Yes, it is possible that visiting an infected website alone will be enough to download and install ransomware. This is called a ‘drive-by’ attack and it often employs the Flash Player, Adobe Reader, or Java. Keeping these programs up to date is a good way to thwart such attacks.
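The hover check done in code, as an added example that is not from the original post: it pulls every link out of an HTML message body and compares the host the visible link text claims with the host the href actually points at, and also flags links to bare IP addresses. The message body and the domains in it are constructed for the example (the .example domains and 203.0.113.0/24 are reserved for documentation), and the function name is chosen here.

```powershell
# Added example, not code from the original post. Parses <a href="...">text</a> pairs out
# of an HTML body and reports links whose visible text disagrees with their real target.

function Test-EmailLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    $pattern = '<a\s+[^>]*href\s*=\s*"(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $pattern, 'IgnoreCase, Singleline')) {
        $href = $m.Groups['href'].Value
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()   # strip inner tags

        $uri = $null
        $validUri = [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)
        $targetHost = if ($validUri) { $uri.Host } else { '' }

        # If the visible text itself looks like a URL or domain, that is what the reader
        # believes they are clicking; pull the host out of it for comparison.
        $claimedHost = ''
        if ($text -match '(?i)^(?:https?://)?(?<h>[a-z0-9.-]+\.[a-z]{2,})') { $claimedHost = $Matches['h'] }

        $reasons = @()
        if (-not $validUri)                               { $reasons += 'unparseable href' }
        elseif ($uri.Scheme -notin 'http', 'https')       { $reasons += "scheme $($uri.Scheme)" }
        if ($claimedHost -and $targetHost -and $claimedHost -ne $targetHost) {
            $reasons += "text says $claimedHost, link goes to $targetHost"
        }
        if ($targetHost -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += 'raw IP address' }

        [pscustomobject]@{
            Text       = $text
            Target     = $href
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample message body (placeholder domains and a documentation-range IP).
$sample = @'
<p>Please review <a href="https://login.example-bank.com.evil.example/reset">https://login.example-bank.com</a> today.</p>
<p>Read the policy at <a href="https://example.com/policy">our website</a>.</p>
<p>Or click <a href="http://203.0.113.5/invoice">here</a>.</p>
'@

Test-EmailLinks -HtmlBody $sample | Format-Table -AutoSize
```

On the sample, the first link is flagged because the text names login.example-bank.com while the href goes to a host under evil.example, the second passes, and the third is flagged for pointing at a bare IP address. A link whose text is just “here” carries no claim to compare, which is exactly why the post tells you to hover and read the real address.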

5. Enterprise Security

Enterprises need to isolate data on their networks so that it is not easily accessed and then encrypted. Many will use sandboxing to do this. However, the Jaff Ransomware knows this and has been designed to detect and avoid sandboxes. Hardware separation employed on all network endpoints may be the best solution. In this case, even if the normal-use half of an endpoint is breached and encrypted, important data on the hardware-separated network half of the device cannot be accessed by the attacker. All important data is kept safe.

Conclusion

If you’ve taken the steps mentioned above, you should be protected from most ransomware and other malware attacks. That said, back up your files. Malware is always evolving and no malware is evolving faster than ransomware. Researchers are already warning users not to be complacent just because the most recent attack was accidentally thwarted. The attackers will quickly find a new workaround. I personally believe that the attack was bigger than the attackers really wanted it to be. Just as what happened in the San Francisco metro attack, they may have drawn too much attention to themselves. Those hackers had to back off on their ransom demands.

Attackers really just want the money paid and the victims to remain silent. Many enterprises pay the ransom and say nothing so as not to ruin their reputations. That’s why most ransom demands are kept relatively low. The criminals know it is easier for the company to pay than to risk tarnishing their image. Besides, they often need the encrypted data too much to risk losing it.  At the beginning of this year, almost every security firm predicted that ransomware would be the big story of 2017. I concurred and I will stand by that prediction.


Android Banking Trojans Now Found in Trusted Apps on Google Play

 

If you use a banking app on an Android device, you need to be especially careful of a new type of attack that is causing concern in the cybersecurity community. The concern comes from the fact that this banking malware hides inside harmless apps and, what’s worse, these apps have been turning up on Google Play. In other words, downloading something as simple as a flashlight can download a banking trojan.

This banking malware will steal your login information by presenting a page that looks identical to your normal banking login page. It can do this in two ways. When the app is downloaded, you will get the usual permissions interface. If you simply allow all permissions you may give administrative rights to the app. This means that whoever controls the app also controls your device. The malware will scan your device for any banking apps loaded on it and prepare a fake login page for you to see when you try to log into your account. Of course, logging in will give your information to the criminals who will then use it to do whatever it is they want to do.

The other method allows you to log into your account first and, then, out of nowhere, gives you a screen asking you to log in again. It’s the same login screen because the criminals have captured it. However, logging in this time takes you to an unrelated page. You may think something was wrong with your browser and you then go back and login as usual and nothing is wrong. All your funds are there as they should be. Right, but maybe not for long. The criminal has all your data and can use it when they need it. Of course, this attack doesn’t necessarily have to attack banks, it’s just that that’s where the money is. They could just as easily use the same technique to get into your Gmail or  Facebook accounts.

I know what you’re thinking. This can’t happen if you have Two Factor Authentication (2FA). Wrong. All forms of  2FA have been circumvented. Let me give you an example. You log into your banking site and are supposed to receive a SMS message with a code that you can use to authenticate your login. However, the criminal who has control of your device mutes the SMS arrival signal and intercepts the SMS message. Now, they have the code. They can even have the device request a new code which you, the victim, will interpret as the original code. Unfortunately, you will be unable to use this code.

The name of the newest trojan behind these attacks is called, BankBot; however, there are a number of new variations on this idea appearing with a number of different names. As the name implies, the BankBot trojan targets banks, as of this writing, almost 500 of them. To find out if your bank is being targeted, go to this page and use your browser’s “Find on Page” function with your bank’s name or abbreviation (i.e. db = Deutsche Bank) to see if it is being targeted through Android apps on Google Play. A word of caution here. As of this writing, most of the targeted banks are in Europe or Asia. However, since this malware is spreading so rapidly in many variations, it is only a matter of time before it is found in the U.S. Your bank may not be listed now, but be vigilant because it will be.

The big problem is that the malware is using a trusted site, Google Play, with trusted apps. It is able to bypass, or at least delay, Google Play algorithms from detecting any problem with the app by using a variety of obfuscation techniques. The malware designers figure their malware will eventually be detected and the app removed from Google Play, but if they can get the app downloaded by enough people, they can consider the attack a success. Remember that if they are able to gain administrative rights over a device, they can spread the malware in more traditional ways, such as by sending fake files/links to your contacts through phishing emails or social media messages. To put it bluntly, this attack vector is positioning itself to be one of the biggest malware events of 2017.

As if to underline this point, it has just been reported by Check Point that at least two million Google Play-based downloads of malware-infected apps have been detected since November of last year. “The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads.” This happened despite the fact that Google, once alerted to the problem, removed the infected apps. The researchers were focusing only on one type of malware that infects guides to games such as FIFA, Pokemon GO, Shadow Fight, and Hungry Shark World. The malware appears to be using Google Play as a way to set up a botnet. This particular malware has been mostly used to distribute adware, however, it could be tweaked to do far more.

For the past week or so, I’ve been following the continuing discovery of BankBot offspring and other banker malware showing up on Google Play apps. Recently, the target has been Flash Player updates and even Google Play updates.

(Screenshots: fake Flash Player update and Google Play update apps carrying banking malware, from Koodous)

It is not just a whack-a-mole approach that Google must use in combatting this malware, it is more a Hydra-like whack-a-mole; when one app is removed two more, often with slightly different code, appear. The reason for this proliferation is due to the fact that the malware is available at a low cost (or even free) on deep web and other sites and that it is relatively easy to implement. So rapid is this proliferation that some of the malware has not even been named yet.

BankBot malware may appear in many variations and may even be given different names, but they all use similar attack vectors. Although most use the overlay trick of presenting victims with fake login screens, these screens are used in different ways. Some will lock the screen while criminals wipe out the victims account. Some will present various error messages to delay the victim. Others come with no hard-coded login pages but will search the victim’s device for various apps and prepare for the attack by downloading the login page associated with the app. They will present a fake login page at the appropriate time. One form of banking malware, Trojan.Android/Charger.B, will even take a picture of the victim through the infected device’s camera and send it to the attackers. All of this functionality will be hidden in normal apps that maintain their functionality.

Is there any way to tell in advance if an app on Google Play is infected? That’s difficult. If, however, the reviews seem to point to something suspicious, it is better not to download the app. Look at this review for one banking app.

“Ever since latest update I been having issues with even getting logged in. It comes up saying sorry temporarily delays try again later! It never did this before the last update? Please fix so it can be a great app again! Thanks”.

Sure, this is one person’s bad experience, but if there are more of these, it would make me nervous.

The main advice I would give is to be very careful about giving any app administrative privileges. Once you do this, the criminals have complete control of your device and will stop you from uninstalling the malware. If you try to deactivate the administrative rights given to the app, you will only get a popup screen that won’t go away unless you activate administrative rights again. It may, in some cases, be possible to deactivate the rights in safe mode. If you don’t know how to do this, see this post.

Some banking trojans install keyloggers so if your bank offers mouse-controlled numeric keypads for entering credentials, use them. Of course, this won’t work with malware that can ‘see’ your screen. Look for any changes in login screen design, any unusual messages, or unrequested login or logout screens. Yes, you will be, and should be, somewhat paranoid but better safe than bankrupt. Antivirus software is always being updated to look for such malware so make sure it is updated on your device and use it to scan frequently, especially after something unusual seems to happen.

Also keep in mind that these Android banking trojans can steal login credentials from other sites as well. I have seen Skype, PayPal, and even antivirus updates targeted. If you are really worried, you can go analog. That is, you can take the radical action of actually walking into your local bank, as crazy as that sounds.

 


Beware of the Rise of Scam Sellers on Amazon

If you’re like most people, when you heard, back in August, 2016, that 200 million Yahoo users had been hacked, you probably shrugged it off. Maybe you had no Yahoo account, or you had one, but never used it. Maybe you had changed your password recently so you felt it didn’t affect you. Well, if you thought any of these things, you were wrong. You could still be affected by this Yahoo hack. If you bought or buy anything on Amazon, you may not ever receive it. That may be because you have just bought something from a fake seller. Nothing will happen to you except for the inconvenience as Amazon will refund you for your purchase. However, if you are a seller associated with Amazon, you could be in big trouble.

Handmade jewelry seller, Amy Jennings, was understandably surprised when Amazon told her to ship the gun holster that someone had bought from her firm. She had not made any jeweled gun holsters recently. She suspected something was wrong and decided to check her Amazon account. This, she could not do. The account had been taken over by someone else who was pretending to be her and her firm. This meant that any money made from sales of her product had gone into the hacker’s account which had replaced her own. If you think that Amazon will refund the losses that these businesses incurred, think again. Amazon is a business. They don’t simply shell out money for customer refunds from their own bank account. They charge the account of the seller who failed to deliver the goods. Yes, the seller may eventually get this money back if Amazon accepts responsibility for the hack, but that is not guaranteed. A number of sellers are suing  Amazon for their mismanagement and their loss of much more money than Amazon is offering them in compensation. Some have even had their accounts completely drained by the hackers.

Beginning in late August, 2016, the number of scam sellers on Amazon grew at such a pace that, by December, Marketplace Pulse, the e-commerce market analyst site that assists Amazon, opened a new site called Scam Sellers, because “the more we looked at it, the more aware we became that this is not a one-off issue but instead a continuing effort to exploit the marketplace.” It’s no coincidence that fake seller sites ramped up during the holiday buying season, most scams do. However, the number of fake sites continued to rise thereafter. If you visit the Scam Seller site, you will see the latest fake sellers on Amazon. In the past month alone, the company has identified 2,541 scam sellers. However, this story has only recently been attracting the attention of the mainstream media.


The situation is rapidly worsening and Marketplace Pulse reports that “during the past few days we detect roughly 75 new scam sellers every day, out of which 20 or so are previously dormant, and now hijacked accounts. It’s unclear how this is achieved, but it is happening at scale, not as here-and-there events.”

So how did we get to this point and how is this scam perpetrated? Well, first of all, we have to get back to the original Yahoo hack of 2012. Over time, the personal data from this and other hacks appeared for sale on the deep web, like it did in August, 2016. The data, in itself, does not include Amazon account information. The problem is that many people tend to use the same password, or variations on it, for multiple sites. Someone, for example, might use the password, ‘Williams’, on one site and ‘wi11iams’ on another of their sites. Criminals may first identify individuals who run sites affiliated with Amazon and then hope that they use the same password there that they use on other sites that the scammers already have the password for, such as Yahoo.

Once the scammers are on the victim’s Amazon site, Amazon assumes they are the real owner. They can, then, change their login information and change the bank account to which money from sales is sent. Of course, if they want, they can just try to steal money from the owner’s account and leave. Using this seller’s site, they can then offer phantom products on Amazon at more than competitive prices. Recently, they’ve been selling the popular gaming console, Nintendo Switch, at well-below normal prices. Customers must think they have found a great bargain, when, in reality, they have found a great scam. Once again, if it seems too good to be true, it probably is.

The scam seller will most likely keep the site until it looks like they might be found out. That may be no more than a few weeks or a month. They may claim that delivery will take up to a month so that Amazon is not concerned about any customer complaints until after that time. My own investigations have shown that these scam sites are using a number of other tactics as well. The criminals will sometimes use the trusted identity of the original owner to set up a fake site with another storefront name. They will often seed the bogus site with positive reviews upon taking it over to give it credibility. Some will send fake tracking information to buyers to keep them from reporting the site to Amazon and allow them more time to continue fooling buyers. The customer may even get a notice that the order was delivered but to a different address, which gives the seller some extra time while the buyer tries to, ineffectively, negotiate the source of the problem. Here are some typical reviews of scam sites.

“My order summary stated that these items were delivered 3/19/2017. Did not receive them. Tried to contact seller, and was informed that they no longer did business with Amazon, so they were unable to be of assistance.”

 “I have placed this order after research and waiting to receive. Unfortunately order got cancelled by giving explanation someone hacked the account. Such a full waste of time and efforts. Very poor service and customer support. I wish if I could zero star.”

Notice in the last example that it appears the seller got their site back and blamed hackers for the problems the buyers faced. But is this true? Could this be just another ruse used by the hackers? I can only confirm that the site is no longer listed on Amazon. If, however, the original owner did get their site back, they would have to deal with the tremendous blow to their reputation caused by the bad reviews posted during the time the site was controlled by hackers. In such a case, I would recommend starting over with a new name.

It is relatively easy to spot a scam seller if all the recent reviews are negative. It’s a different case if positive reviews are thrown into the mix as you can see from the following hacked seller.

(Screenshot: mixed customer reviews for a hijacked seller account)

So how can you keep from getting scammed by fake sellers? What are the warning signs?

Well, first of all, if you are suspicious about a seller, you can always go to scamsellers.com and use the search function to see if the suspicious site is listed as fraudulent. If it is not, you’ll have to use other warning signs.

1. They are a new site offering many products at prices too good to be true.

2. Shipping by Amazon (FBA; Fulfillment by Amazon) is not offered and seller gives long shipping times (2-4 weeks).

3. Weird names for a business. Here are some names of actual fake sites.

filez69

lnland49

rcimaritza

Keith Backhaus

012525428

4. Company is listed as existing outside of the U.S. but ships from somewhere within the U.S.

Companies listed outside of the U.S. are not necessarily evil. Check the most recent reviews as well as shipping times. Any company listing a 4 week shipping time may be worth avoiding if you want to play it safe.

The growing threat from fake sellers has led Amazon to take more drastic actions. Since many scam sellers use quick hit-and-run attacks, it is important for Amazon to identify them as soon as possible. To this end, they have implemented an automated seller suspension algorithm which can identify and block scam sellers within hours after they appear. Unfortunately, it can also block good sellers for a number of reasons and freeze their funds for 90 days. Make sure you follow Amazon guidelines before you set up your site or be prepared to be as frustrated as one disgruntled seller who wrote that, “Amazon just destroyed my business”.

In my opinion, Amazon is still the world’s best store. When I have had problems with orders, Amazon has always refunded me without hesitation. But what is good for customers is not always good for sellers. The opinion of sellers about Amazon is mixed as can be seen in the following from the Amazon Seller Forum site.

“I’m split 50/50 with amazon, sometimes I really dislike it here, I suppose I’m a little bitter with how things have changed here. I also don’t like the way they treat sellers, suspended because a misguided or lying buyer can put your account in jeopardy, that’s crazy, feel ebay are a bit more seller friendly.”

When the buyer comes first, the burden must be shifted to the backs of the sellers. In the case of scam sellers, it seems that this burden shift is justified. Using the same password on multiple sites or using easily guessed passwords is as bad as forgetting to lock the door of your shop when you go home at night. On the other hand, some seller complaints seem justified, such as the complaints about the lack of or inadequacy of support.

As long as Amazon continues to be the highest profile market on the internet, it and its sellers will be the target of attacks. It is difficult for Amazon and, by extension, sellers to keep up with all the attack vectors that arise. The latest, for example, uses Amazon’s Buyer-Seller Messaging service and two-factor authentication to trick sellers into handing over personal information. It’s clear that Amazon must work more closely with its sellers to mitigate such threats. Rapid communication and comprehensive support are vital. Buyers can play a role by letting Amazon know of questionable seller behavior and using better judgement when purchasing. None of this will completely stop hackers, but it will make their lives more difficult.


China May Be Behind North Korean Missile Failures

At first glance, this may seem to be a counter-intuitive viewpoint. After all, China is one of North Korea’s only two friends in the world. The other, Iran, is too geographically separated to give more than psychological support. But things have changed. Last year China agreed to strong U.N. sanctions against North Korea after North Korea conducted its fourth nuclear test. At that time, it was thought that the Chinese were worried that their own economy might be targeted with sanctions by the U.S. if they continued in their reticence to put pressure on North Korea. China also agreed to the sanctions under the condition that the U.S. not install missile defense systems in South Korea.

 Experts agree that China did not seriously enforce these sanctions. China needs North Korea and North Korea knows it. In fact, North Korea feels that China needs them more than they need China. Why else would Kim Jong-un assassinate the main contact between North Korea and China, his uncle, Jang Song-thaek? It was a message not lost on the Chinese leadership.

 North Korea knows that China needs them to serve as a buffer between it and South Korea and, by extension, the U.S. China also doesn’t want a North Korean collapse because of the economic strain Korean refugees would place on their economy. If China could choose its dream scenario, it would be for some sort of regime change to one that would be far less confrontational.

The U.S. has ramped up pressure on China to control North Korea and has gone so far as to install a THAAD missile defense system in South Korea, knowing all along that this would irk China and, perhaps, motivate them to do more to control Pyongyang. Interestingly, this occurred just before the Chinese president was due to meet with President Trump. We do not know what was agreed upon in the meeting President Trump had with Chinese president Xi, but, from all indications, something positive seemed to come of it as Trump has repeatedly claimed he was happy with the meeting. China has apparently agreed to ramp up economic pressure on North Korea, probably with the promise of not being designated as a currency manipulator. According to some sources, Trump may have threatened China with sanctions on both its banking sector and companies supporting North Korea’s missile and nuclear technology.

It has been known for some time that China has shipped missile technology to North Korea in violation of sanctions. Some of this technology originated in Europe but was sold on to North Korea through Chinese companies which were often fronts for North Korean owners. A U.N. Security Council report from February, 2017, details the degree to which Chinese companies are complicit in violating sanctions. It’s an impressive list. Last year, the Security Council imposed sanctions on the North Korea-Ryonha Machinery Joint Venture Corporation, based in China, which produces parts used in North Korea’s missiles and uranium enrichment centrifuges.

 Also last year, while the North Korean government was celebrating the launch of its Kwangmyongsong-4 satellite, South Korea was celebrating the collection of parts from the rocket that launched it. The U.N. report, mentioned above, said the find demonstrated “the continuing critical importance of high-end, foreign-sourced components” in North Korean missile construction. Though the missile itself was found to have been built in North Korea, many of its components were from a variety of countries around the world.

 One of North Korea’s greatest acquisitions in this regard was that of Computer Numerical Control (CNC) machinery which could be used in the construction of both missile and nuclear components. These computer controlled machines are used for the high precision work so necessary in this field.

[Image: CNC machine]

 According to the U.N. report, Kim got these machines from China.

 “The Panel noted that a Chinese company had exported several computer numerically controlled machine tools to the country, and investigated the possible involvement of Ryonha Machinery Corporation. According to the company’s website, a Democratic People’s Republic of Korea company ordered computer numerically controlled machines and visited its workshop to inspect computer numerically controlled machine tools before purchasing them.”

 So excited was Kim to get these machines that he had a song composed to glorify them. If you didn’t think North Korea was strange before, what can you say about a regime that has songs written to glorify a machine? For your listening pleasure, here is that song.


As far as I know, it received no Grammy nominations. But if they ever have a category of ‘Best Song about a Machine’…

The media is currently filled with stories about the U.S. being behind North Korea’s rather high rate of missile failures (52% in 2016). They point to the possibility of a Stuxnet-like attack or an attack that corrupts technical components via the supply chain. The problem of a Stuxnet attack is that it would require the use of an insider, and not just one insider, but insiders at every missile launch site. The problem with infecting the supply chain is the lack of technical components that originate in the U.S. This would mean that other countries and companies would either have to agree to letting the U.S. mess with its products or the U.S. would have to ‘arrange’ for sensitive components to be ‘stolen’ or shipped to cooperating middlemen countries and then marketed to North Korea. Both vectors are problematic.

The following chart shows the specifics on North Korea’s missile launches for last year.

[Image: chart of North Korean missile launches in 2016]

Note that failures occurred at five separate sites. Except for Kusong, all of the sites also had successful launches. In addition, failures occurred in a variety of ways. If something cyber was behind the failures, it was doing a hit or miss job.

China is not upset by the number of failures, but they are upset about North Korea destabilizing the region in its pursuit of deployable nuclear weapons. They would, in fact, be happy to see North Korea’s missile program fail. To that end, China is in the unique position to contribute to this failure. If China was selling CNC technology to North Korea with its accompanying software, they could also throw in some malware that could mess with these machines. They could design them to malfunction and damage the product. Since such components must be designed within extremely precise parameters, it would be no problem, with effective malware, to alter these parameters just enough to make the final product undependable under real world conditions. What’s more, the malware could mask these changes in the parameters to make it appear to the human controllers monitoring these machines that nothing at all was wrong. The problem would be in the unpredictability of the outcome. That is, the parts may be made outside of specification guidelines but may or may not malfunction, and, if they did, the type of malfunction may not be predictable.

 It is well known that the Chinese government can force any company to build backdoors into its products. But doing so with companies which serve as fronts for North Korean owners or who even deal with North Korea is not so easy. In such a case, the North Koreans would know that this was happening and would be able to neutralize the attempt. It would be far better to insert malware after the product left the factory, either through supply chain intervention or remotely, after the device had been installed in North Korea. As far as the remote insertion of malware is concerned, it should be noted that all internet traffic going to North Korea goes through China.

 The problem with most malware is that it will eventually be discovered and this would certainly not improve relations between China and North Korea. There is, however, a type of malware that can remain hidden, survive updates, and can persist even if the hard drive is reformatted. This is a rare type of malware that can flash or rewrite the firmware. Think of firmware as a program on a chip that tells the hard drive it’s a hard drive. Otherwise, how would it know how to act when someone tries to install an operating system? The problem is that almost no one has the capability to do such a hack. Kaspersky has, however, found one group capable of this so-called god-like power. This group has found a way to rewrite the firmware to make it deliver malware to the computer/device it operates. Kaspersky has termed this malware, “indestructible”. As Kaspersky notes, “this is very high profile engineering which requires months of development and millions in investment.” And what is the group that has such power? Kaspersky has identified it as the Equation Group. It is, apparently, a group that works with the United States National Security Agency or NSA.

I doubt whether the Chinese have developed such sophisticated malware. If they had, they most likely would have used it, instead of traditional malware, in their attempts to subvert the THAAD missile defense system in South Korea. But would they agree to work with U.S. intelligence on a cyberattack that would attain the mutual goal of undermining North Korea’s missile program? It’s not that far-fetched of an idea and one that would certainly be more effective than many of the so-called ‘left-of-launch’ techniques currently being discussed. Since all internet traffic is routed through China, remotely triggering a firmware overwrite is not out of the question. To be frank, if the U.S. and China haven’t considered this option, they should.

 Of course, such an agreement would have to be kept under wraps with the appropriate diversionary tactics: China will bristle at any semblance of U.S. aggression in an attempt to appear friendly towards North Korea. After all, they can’t tip their hand and have the already paranoid Kim looking at them with suspicion. North Korea has already castigated China on its improving relations with the U.S. Hu Xingdou, a political analyst at Beijing Institute of Technology, claimed that “there are already cracks” in the relationship but it was better for both parties “to maintain peace on the surface.”

 It’s really a win-win situation for both the U.S. and China. China gets stability in Asia, better trade deals, and not being condemned for hurting the North Korean people which is what is more likely to happen if they stop buying North Korean coal. The U.S. gets a neutralized North Korea. The only person to be hurt by such an arrangement is…

[Image: Kim Jong-un crying]



The Growth of Parallel Universes in the Trump Russian-Connection Debate: A Cybersecurity Perspective

If you watch your news on CNN, the headline story will inevitably swirl around the purported connection between the Trump administration and the Russian government. It doesn’t matter what the story is, eventually, it will spin in this direction. If, on the other hand, you watch the same story on Fox, you will be told there is no connection and the story does not deserve any appreciable coverage. The gap separating the pro and anti-Trump camps, as reflected in the media, has become an abyss. In fact, it is as if each side is existing in its own, non-intersecting, parallel universe. One side simply cannot see, or cannot accept, the viewpoint of the other. This widening gap has been found in a recent Gallup Poll. (Note: The same poll found that most Americans (64%) believe the media favors Democrats.)

[Image: Gallup poll on perceived media bias]

Oddly, this bias in the media has not negatively impacted viewership. In fact, just the opposite seems to be happening as all main media outlets have shown a sharp increase in ratings.

[Image: chart of media ratings]

It may, in fact, be the case that viewers on both sides of the political spectrum prefer biased news over objective, truth-based news. In other words, media seems to be playing a divisive role in the American social fabric because that’s what people are seeking. It is an enabling relationship which pushes both camps to be more and more extreme. The media know what their viewers want and will, in some cases, go to unethical lengths to give it to them. The fear is that if they don’t enable their viewers in their addiction to news that supports their views, they may lose them. In no case is this seen more clearly than in coverage of Trump’s possible connections to Russia.

In an attempt to moderate this increasing divergence, I would like to look at this issue from a cybersecurity perspective, which I hope may be somewhat more objective. Of course, I’m realistic enough to know that whatever I write will change few opinions and probably antagonize everyone in the process.

The reason a cybersecurity perspective is justified is simply because this is, at root, a cybersecurity issue. Remember that the current media parallelism has its roots in the DNC hack announced back in June, 2016. The actual attack occurred much earlier as the FBI had contacted the DNC back in September of 2015 to inform them that they thought that their network may have been infiltrated, possibly by Russian hackers. The DNC only confirmed the truth of this in late April, 2016. In May, 2016, the DNC contacted cybersecurity firm, Crowdstrike, and they soon discovered that the network had, indeed, been compromised. It was at that time that Crowdstrike claimed that the DNC had been penetrated by two separate Russian hacking groups known as Fancy Bear and Cozy Bear. Crowdstrike reached this conclusion based on the digital fingerprints the attackers left during the hack. Crowdstrike had seen these actors before and, therefore, the company was familiar with their modus operandi. The bad news was that these attackers appeared to have been on the DNC network for almost a year, as Motherboard reported the Crowdstrike claim that the DNC was likely penetrated in the summer of 2015.

But let’s step back for a moment. If this hack began in mid 2015, it was at a time when few people took candidate Trump seriously. In fact, right-leaning Breitbart news posted an article by Ben Shapiro in October titled, “Is Trump a Serious Candidate”. Shapiro reached no clear conclusion but pointed to a Gallup poll released in July which showed that most people didn’t take him seriously. Here is that poll.

[Image: Gallup poll on whether Trump was a serious candidate]

True, by September, Trump had gained more traction, but not much. New York Times columnist, Joe Nocera, wrote, “I wonder, in fact, whether even now Trump is a serious candidate, or whether this is all a giant publicity ploy…I don’t think he’ll ever put himself at the mercy of actual voters in a primary. To do so is to risk losing. And everyone will know it. He’ll be out before Iowa. You read it here first.”

Oops.

So the big question is: Why would the Russians be interested in promoting Trump when he had no apparent road to victory at the time they first hacked the DNC? Clearly, promoting Trump was not their initial motive. More likely, assuming the hackers were really connected to the Russian government, is that they wanted to disrupt the Clinton campaign or the U.S. election in general. They may have changed their focus as Trump rose to the top of the candidate heap, but they clearly did not have Trump in mind when they started their hack.

It should be noted here that the FBI never had access to the DNC servers so they basically took Crowdstrike’s word on the specific groups involved in the hack. The reason why the FBI was so quick to take Crowdstrike’s word for this was because of what Russia had done in previous elections. This is why they initially jumped to the Russian conclusion when they warned the DNC in September, 2015. Crowdstrike only claimed a medium confidence level in ascribing the attack to Russia, but there was little doubt in the FBI’s mind.

In June, 2016, Guccifer 2 appeared online with the announcement that he had given the hacked DNC documents to Wikileaks. Remember that the initial winner in this release was Bernie Sanders, as it appeared he was correct in assuming that the DNC was trying to back-burner him. Also keep in mind that Russian TV, RT, was, if anything, championing the Sanders and not the Trump campaign when this occurred. Later, when Trump praised Putin’s leadership ability and questioned NATO, RT and the Kremlin showed him more interest.

Guccifer 2 claimed to be working independently and ridiculed Crowdstrike for trying to pin the hack on Russia. Although I believe Guccifer 2 is Russian, based on metadata, release times, and linguistic analysis, neither I nor anyone else can link him directly to the Russian government. He may even be trying to pretend to be Russian by giving out false clues. That’s the way things are in cyberland. Others claim that Guccifer 2 was a disgruntled DNC employee. The reason for these diverse conclusions stems from the fact that any hack is difficult to conclusively pin to a particular perpetrator. As cybersecurity expert Brian Krebs notes, “I can’t say for certain if the Russian government was involved in directing or at least supporting attacks on U.S. political parties.” Only those who perpetrated the hack can confirm it. Along these lines, a member of the hacktivist group, Anonymous, who goes by the name, Commander X, claimed, in March, that Guccifer 2 was actually a group of hackers not connected to the Russian government. According to him, the Guccifer 2 group teamed with other hacker groups to undermine the U.S. election for the sole purpose of causing confusion. He wrote that “this band included the Guccifer Crew, Anonymous Russia, WikiLeaks, and a handful of western Information Activists who chose to fly no flag for this action.” He claimed that the only election disruption that the Russian government sponsored was that based on using trolls and false news.

Crowdstrike and other cybersecurity firms claim they found evidence in the malware code and other places that led them to suspect Russian operatives behind the hack. Other experts believe that Russian hackers are too good to leave any evidence of their origins. They claim that good hackers always try to leave indicators that point to other attackers in other countries. Krebs disagrees with this assessment, claiming that the arrogance of the Russian hackers may have led them to be unconcerned as to whether they were uncovered or not. Why? Because the Russian government will protect hackers from extradition if push comes to shove. However, this arrogance may only be true for unaffiliated hackers. The individual Russian hacker may not care if they get caught, but it is unlikely that the Russian government would want to be caught meddling in the U.S. election. In other words, if careless mistakes were made which led investigators to a Russian source, it is unlikely that these hackers worked for the Russian government. Of course, this is not conclusive evidence. Russian government hackers could still make mistakes, but they would not be obvious, easily spotted mistakes.

Julian Assange has always claimed that the hacker who gave him the DNC emails was not connected to the Russian government but did not and could not rule out the possibility that the emails were ‘laundered’ through a third party. A Reuters article, posted in January, cites an anonymous source within the intelligence community who stated that this was, in fact, what occurred.

For argument’s sake, let’s just assume that Russia did participate in the hack on the DNC and that they released these documents to Wikileaks. It’s still a big leap from here to saying that Trump colluded with the Russian government to win the election. In fact, in recent weeks, the evidence has been piling up against this line of reasoning. Here is some of it.

March 6- Former Director of National Intelligence James Clapper told ABC : “There was no evidence whatsoever, at the time, of collusion between the Trump campaign and the Russians.”

March 16- Former Acting CIA chief Michael Morell told NBC News: “On the question of the Trump campaign conspiring with the Russians here, there is smoke but there is no fire, at all…There’s no little campfire, there’s no little candle, there’s no spark. And there’s a lot of people looking for it.”

March 23- Crowdstrike’s attempt to increase its confidence rating in Russian participation in the DNC hack from medium to high fails. (note: I contacted Crowdstrike to see if they would like to comment on their current position concerning the DNC hack but, as of this writing, I have received no reply.)

April – BuzzFeed News, after interviewing 6 members of the Senate Intelligence Committee who are investigating Russian interference in the election, concluded, “there’s a tangible frustration over what one official called ‘wildly inflated’ expectations surrounding the panel’s fledgling investigation… I don’t think the conclusions are going to meet people’s expectations.”

Let me make it perfectly clear. If undisputed proof was found linking President Trump to colluding with the Russian government in order to either gain an advantage in the 2016 election or to receive some financial benefits, I would be the first to call for impeachment. The facts, however, at least for the moment, are clearly heading in the opposite direction. But here is the problem. It is not only the majority of Democrats that have gotten on the Russian connection bus but most of the mainstream media as well. They have ignored all the signs warning them of danger in order to achieve their goal of delegitimizing and ending the Trump presidency. It is the same Quixotic hope they displayed when they used celebrities to try to get electoral college delegates to change their votes. Driven by what is, no doubt for them, higher ideals, they have reached the point where they are balanced on the edge of an ideological cliff. They have simply failed to ask the question: What happens if we are wrong? If the truth comes down on the opposite side, how much credibility will they be able to salvage? In short, they have put it all on the line for this quest.

[Image: cartoon of the mainstream media bus]

Fox News, the only right-leaning mainstream media outlet, can often be accused of spinning any confusing tweet from President Trump to make it look more rational than it actually is. If Donald Trump tweeted that an alien spacecraft with little green men had landed in his garden, Fox would tell you not to take the tweet literally. They would claim he was speaking metaphorically about the ever-present danger of illegal aliens. CNN, on the other hand, would warn viewers not to take the tweet seriously because it was only made to distract people from the true issue; the Trump connection to Russia. If you don’t believe this line of reasoning, watch how MSNBC’s Lawrence O’Donnell suggests that Putin orchestrated the Syrian gas attack to distract from the investigation into Trump’s connections with Russia. In short, that Trump approved of gassing babies as a way to escape scrutiny. I’m not the only one who sees this as going over the edge. Many left-leaning, MSNBC-watching Americans felt the same. But take a look to see what you think.

This is what happens when you look at events through the tinted lens of an assumption. If you accept a conspiracy theory as fact, you will pick and choose only those aspects of a story that support this ‘fact’. I have followed some of the discussions that members of the left have been having on this topic in various forums and I have to congratulate them on the depth to which they’ve investigated this issue. However, their conclusions can be summed up by posts like the following.

“You don’t just assemble the “greatest minds” and find out literally the ten people closest to you, with the closest ties to your organization, have deep-rooted Russian contacts. The balance of probability of that happening by accident are astronomical. You add in Trump’s own ties (Russian money launderers operating out of his pent house, buying his real estate for more than double its value, his refusal to speak badly of Putin, his request for Russia to hack Clinton’s emails on live TV), and you have a scenario where it is, quite literally probabilistically impossible for him to not have been in illegal collusion with the Russian government.”

Actually, in today’s business or political world, it is not unusual for people in administrative positions to have ties with Russia. The odds of this happening are within the parameters of normal probability and are by no means ‘astronomical’. I would have to ask the poster of the above comment to explain what they meant by ‘deep-rooted’ and to name the ten people with these ties. To support their position, the poster notes other conspiracy theories. The Russians-funneling-money-to-Trump theory has been debunked by the rumor checking site, Snopes, as “mostly false”.

[Image: Snopes rating of the claim]

I realize that those who believe in collusion will focus on the word, “mostly”. That determination was arrived at because Trump said he probably sold some condos to Russians at sometime or other, thus, he would have received some money from Russians. I should note here that many on the right consider Snopes as having a liberal bias.

It is not only the left that is guilty of twisting facts. There are just as many, if not more, bizarre conspiracy theories on the right. Fox News has recently suspended commentator Andrew Napolitano for propagating a false story about then-President Obama asking British intelligence to investigate Donald Trump.

As both universes continue to fly away from each other at an ever-increasing rate of speed, we can expect more false news to be treated as news and more real news to be spun into biased news, and this might be precisely what viewers want. To stop the situation from spinning out of control, to bridge the gap, truth must triumph over opinion. There’s a word for that. It’s called, journalism.



Watch Out for Last Minute IRS Scams that will Target You Even After You’ve Filed

Every once in a while, you should look in your spam folder. For whatever reason, I sometimes find valid, non-spam emails there. Most of the spam is obvious. Amazon keeps wanting to give me free gift certificates, Russian women are dying to meet me, and I can become wealthy working from home. However, if I see a message that reads, “Important Information from the IRS”, I have trouble just ignoring it. What if it really is important information? So the criminals have gotten me to step 1 of their attack. Take the email seriously and open it. A good subject line is the key to the attack. If the email manages to bypass the spam filter and get into my inbox, so much the better.

Upon opening the email, I may get something that looks like this.

[Image: sample fake IRS refund email]

This is where part 2 of the scam kicks in: getting you to believe the message is real. Well, it has the right logo. It may, in fact, be a copy of a real IRS message. There is even a warning that looks real. Then there’s the appeal to the reader’s greed. Don’t we all hope that one day the IRS will find that they owe us money for a change? Maybe this is that moment!

Everything is good except for the link. Depending on what the attacker wants, clicking on the link could do just about anything. At best, you could be led to a site with a form that collects your personal data. At worst, it could install ransomware on your device and make you pay to get your files back. Some of the fake emails don’t have links. They will have a document for you to open and fill out so that you can get your refund. Opening the document will install the malware. Just a note of caution here. If you go so far as being fooled into opening a Word document file, you are not compromised unless you allow macros. The fake document may even give you instructions on doing this because the document will appear as gibberish. In order to read it, you are told to allow macros. At this point, it depends on how much you want the fake refund. By default, Word disables macros. If you are not sure of your settings, you can check them in your tools/options/security menus or trust center/macro settings.

Remember also that attachments can be given valid looking names and links can be called anything that seems to match the contents of the message. Don’t believe them at face value. Check the link in the email by hovering the cursor over it and looking at the real link in the lower left hand corner of the screen.

Another attack vector has been through tax preparers, such as TurboTax. TurboTax has been hacked in the past and attackers may know who uses it. They can, therefore, send you an email like the following.

[Image: fake TurboTax email]

Again, it looks good. Don’t believe the ‘From’ address because that may be hidden. Hold your cursor over that to see if the sender is who they say they are. Check the link in the same way. If you are a TurboTax customer, you could easily be fooled into clicking on the link and either filling out a fake form or having malware installed on your device.
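The two hover checks just described, the visible sender against the address the mail really came from and a link’s visible text against its real target, can also be done mechanically on incoming mail. What follows is an added example, not code from this post or from any mail product; it uses only the Python standard library, and both sample messages, with their example.edu and example-relay.net domains, are constructed for the demonstration.

```python
"""Automate the two hover checks: does the visible sender name match the
address the mail really came from, and does a link's visible text name the
host the link actually goes to? Added example, standard library only; the
two messages below are constructed, not real mail."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phish: the display name imitates an internal address, the real
# sender is elsewhere, and the anchor text shows one host while href goes to another.
PHISH_RAW = """\
From: "payroll@example.edu" <huser@example-relay.net>
To: staff@example.edu
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your W2 is ready. Logon at
<a href="http://example-ess-logon.net/w2">https://ess.example.edu/w2</a></p>
<p><a href="https://ess.example.edu/help">Contact Payroll</a></p>
</body></html>
"""

# Constructed legitimate notice for comparison: name and address agree, links match.
CLEAN_RAW = """\
From: "Payroll Office" <payroll@example.edu>
To: staff@example.edu
Subject: Your W2 is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in to <a href="https://ess.example.edu/w2">ess.example.edu/w2</a> to view it.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = True

    def handle_data(self, data):
        if self._open and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False


def host_of(text):
    """Hostname if the text is a URL (with or without a scheme), else ''."""
    s = text.strip()
    if not s or " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def domain_of(address):
    """Domain part of an e-mail address, lower-cased, or ''."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze_message(raw):
    """Return a list of mismatch findings; an empty list means none were seen."""
    msg = email.message_from_string(raw)
    findings = []

    # Sender check: a display name that is itself an address at a different domain.
    name, addr = parseaddr(msg.get("From", ""))
    if domain_of(name) and domain_of(name) != domain_of(addr):
        findings.append(f"from-mismatch: shown={domain_of(name)} actual={domain_of(addr)}")

    # Link check: visible text names one host, href resolves to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and shown != real:
                findings.append(f"link-mismatch: shown={shown} actual={real}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(label, analyze_message(raw) or ["no mismatches"])
```

The sender check is deliberately narrow: it only fires when the display name is itself an e-mail address at a domain other than the one the mail came from. A plain-name spoof such as a display name of “Internal Revenue Service” on an unrelated address is exactly the case that still needs the human hover, or a separate allow-list of which domains may use which names.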

The latest scam that the IRS is warning about is the Form W-2 scam, which is, apparently, spinning out of control. According to IRS Commissioner, John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’

So how does it work? A legitimate looking email is sent to someone in a firm or organization’s payroll or human resource department. The email appears to come from top management. It may look like this. It will often look informal.

[Image: sample W-2 phishing email]

Here is another variation on the same idea. I would normally mask the sender but Sjouwerman actually gave this scam email to cyber security expert, Brian Krebs, so that he could get the word out.

[Image: W-2 scam email sent to Sjouwerman]

You can understand why the person receiving this would probably comply with the request. The only thing that stopped the scam from working was that the receiver of the request asked Sjouwerman, in person, if he had sent the request. How many of your employees would have done something similar? Had the person sent the information to the return address, the attackers would have had the personal information on all the company’s employees that is included on a W-2 form, which includes their Social Security Numbers.

According to the IRS, these are the common phrases used in these W-2 phishing emails.

“Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).

I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

There are a number of variations on this scam. The IRS has reported that some of these requests are coupled with a request for a wire transfer of money. Apparently, the hackers feel that if they’ve made it this far, they might as well try to get some money thrown into the deal.
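A payroll or HR mailbox can be screened for these phrasings before a person acts on them. The following is an added example, not IRS guidance or vendor code: a small scoring rule whose patterns are built from the three phrases quoted above, plus a Reply-To check for the common case where the From line imitates the boss but replies go to an outside mailbox. The weights, the threshold of 6, and the two sample messages (with example.com and example-webmail.net domains) are this example’s own constructions.

```python
"""Score an inbound request to payroll/HR for the W-2 phishing pattern.
Added example, not IRS or vendor code. Indicator patterns follow the phrases
the IRS quotes; weights, threshold and sample messages are constructed here."""
import re

# (pattern, weight, reason). Patterns are matched case-insensitively on the body.
INDICATORS = [
    (r"\bw-?2s?\b|\bwage and tax statements?\b", 3, "refers to W-2 forms"),
    (r"\bsocial security numbers?\b|\bssns?\b", 3, "asks for Social Security Numbers"),
    (r"\b(date of birth|home address|salary|earnings summary)\b", 2, "asks for other payroll PII"),
    (r"\b(list of|all) (the )?(employees|staff|company staff)\b", 2, "asks for the whole workforce"),
    (r"\b(employees?|staff)\b", 1, "refers to employees or staff"),
    (r"\bpdf\b", 1, "asks for PDF copies"),
    (r"\b(kindly|asap|quick review|as soon as possible)\b", 1, "urgency or stock politeness"),
    (r"\bwire (transfer|the funds)\b|\bwire\b[^.]*\$", 2, "adds a wire-transfer request"),
]


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def score_w2_request(headers, body, threshold=6):
    """Return {'score', 'suspicious', 'reasons'} for one message.

    headers: dict of header name -> value (at least 'From', optionally 'Reply-To').
    """
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, body, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    # BEC staple: From looks like the boss, but replies are routed to an outside mailbox.
    from_dom, reply_dom = _domain(headers.get("From")), _domain(headers.get("Reply-To"))
    if from_dom and reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"score": score, "suspicious": score >= threshold, "reasons": reasons}


# The three phrasings the IRS quotes, used here as input.
IRS_PHRASES = [
    "Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 "
    "of our company staff for a quick review.",
    "Can you send me the updated list of employees with full details (Name, Social "
    "Security Number, Date of Birth, Home Address, Salary).",
    "I want you to send me the list of W-2 copy of employees wage and tax statement "
    "for 2016, I need them in PDF file type, you can send it as an attachment. "
    "Kindly prepare the lists and email them to me asap.",
]

# Constructed messages: one BEC-style request with the wire-transfer add-on,
# one ordinary HR note that mentions employees but asks for nothing sensitive.
BEC_HEADERS = {"From": "CEO <ceo@example.com>", "Reply-To": "ceo.office@example-webmail.net"}
BEC_BODY = IRS_PHRASES[2] + " Also wire $25,000 to the vendor account today."
BENIGN_HEADERS = {"From": "HR <hr@example.com>"}
BENIGN_BODY = "Reminder: open enrollment for employee benefits closes Friday."

if __name__ == "__main__":
    for phrase in IRS_PHRASES:
        print(score_w2_request({"From": "x@example.com"}, phrase))
    print(score_w2_request(BEC_HEADERS, BEC_BODY))
    print(score_w2_request(BENIGN_HEADERS, BENIGN_BODY))
```

Such a rule belongs in front of the mailbox, not in place of the in-person check that stopped the Sjouwerman attempt: a high score should route the message to a second approver rather than silently drop it, since a real executive may occasionally phrase a request the same way.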

One major, and quite effective, variation targets organizations that rely on paperless W-2 forms. The scam targets major U.S. universities at this time, but there is certainly no reason why companies or organizations using paperless W-2 forms could not be targeted in the same way. Here is the actual email which fooled staff at the University of California at Berkeley. Notice that the “From” field shows an email address rather than a name to give it some look of legitimacy, while the real sending address, in angle brackets, is that of a school teacher in Georgia. These names don’t matter. The criminals want the reader to click on the link. The “Click Here” link is revealed by the cursor hover and leads to a site that will compromise the individual fooled into going there.

Original Message:

From: ESSW2@berkeley.edu <huatom@clarke.k12.ga.us>
Date: January 6, 2016 at 5:53:32 AM PST
To: undisclosed-recipients:;

Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE

Dear: Account Owner,

Our records indicate that you are enrolled in the University of California paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.

Your W2 is ready for viewing under Employee Self Service. Logon at the following link:

Click Here to Logon

If you have trouble logging in to Employee Self Service at the link above, please contact your Payroll Department for support.

If you would like to un-enroll in the Paperless W2 Program, please logon to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.
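Two of the indicators described above can be checked mechanically: a “From” header whose display text is itself an email address at a different domain than the real sending address (the trick in the Berkeley email), and the IRS’s list of phrases that W-2 request emails reuse. The following Python is an added example, not code from the original post or from the IRS; the sample messages are constructed with reserved example domains, and the two-phrase threshold is an assumed tuning value.

```python
"""Flag W-2 phishing indicators in a raw email (added example, not from the post).

Checks two things the post describes:
  1. The From header's display text contains an e-mail address whose domain
     differs from the real sender address inside <...>.
  2. The subject/body reuses wording from the IRS's W-2 phishing phrase list.
"""
import re
from email import message_from_string

# Wording the IRS lists as typical of W-2 phishing requests.
W2_PHRASES = (
    "w-2",
    "earnings summary",
    "wage and tax statement",
    "social security number",
    "full details",
    "quick review",
    "asap",
)

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(from_header: str):
    """Return (display_part, real_address) for a From header.

    The address inside the final <...> is what replies actually go to;
    everything before it is free text chosen by the sender.
    """
    value = from_header.strip()
    m = re.search(r"<([^<>]+)>\s*$", value)
    if m:
        return value[: m.start()].strip(), m.group(1).strip()
    return "", value


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def display_name_mismatch(from_header: str):
    """If the display text contains an address whose domain differs from the
    real sender's domain, return (shown_domain, real_domain); else None."""
    display, real = split_from(from_header)
    shown = ADDRESS_RE.search(display)
    if not shown or "@" not in real:
        return None
    shown_domain, real_domain = domain_of(shown.group(0)), domain_of(real)
    if shown_domain != real_domain:
        return shown_domain, real_domain
    return None


def w2_phrase_hits(text: str):
    low = text.lower()
    return [p for p in W2_PHRASES if p in low]


def assess(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report the two indicators."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    mismatch = display_name_mismatch(msg.get("From", ""))
    hits = w2_phrase_hits(msg.get("Subject", "") + "\n" + body)
    # Assumed tuning: a From mismatch alone, or two or more W-2 phrases, is enough to flag.
    return {
        "from_mismatch": mismatch,
        "w2_phrases": hits,
        "suspicious": mismatch is not None or len(hits) >= 2,
    }


# Constructed samples (reserved example domains, not real senders).
SAMPLE_SPOOFED = """From: payroll@example.edu <someone@unrelated.example>
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE

Your W2 is ready for viewing under Employee Self Service.
"""

SAMPLE_W2_REQUEST = """From: CEO Name <ceo@example.com>
Subject: Quick request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""

SAMPLE_BENIGN = """From: Alice <alice@example.com>
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("w2 request", SAMPLE_W2_REQUEST), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

Note that the spoofed sample trips only the header check and the CEO-style sample only the phrase check; a display name that merely looks like a colleague’s name (as in the earlier examples) passes the header test, so the phrase list is what catches that variant. The real defence the post recommends remains the out-of-band confirmation that stopped the Sjouwerman attempt.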

And it doesn’t end there. Recently, the IRS warned that tax preparers may be targeted by clients asking that their refund address be changed. The phishing email may include personal details of a real, but compromised, client. The criminal usually wants the refund sent to a prepaid debit card account.

This is the time of year when most taxpayers are preparing their forms and sending them off to the IRS. They may not be surprised by communications seeming to come from the IRS. They are, therefore, more susceptible to scams. Last year, there was a 400% increase in scams at the end of the tax season and that is expected to occur again this year. It’s good to keep in mind the warning from the IRS.

“REMEMBER: The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

You’ve been warned. But if you fall for the following scam, you deserve no pity.

[Image: irs simple]
