You’ve probably read about the threat of “ransomware”. It’s usually distributed via a phishing email and doesn’t just download a virus or malware on your computer, but holds your entire computer and/or network for ransom – often payable in bitcoins. Could you pay in bitcoins if you needed to?
Here’s an overview of the kinds of ransomware extortion schemes that are on the rise:
The FBI’s Internet Crime Complaint Center (IC3) reports that individuals whose data was stolen in high profile breaches have received emails threatening to publicly disclose their personal information. The cybercriminals threaten to release not only phone numbers, home addresses and credit card information, but also warn they have accessed the individuals’ social media accounts and will message friends and family members with personally damaging information unless they pay up. Ransom demands range from 2 to 5 bitcoins, or the equivalent of $250-$1,200.
IBM Security has identified an active campaign it calls “bug poaching”, in which cybercriminals find and exploit vulnerabilities on an organization’s website. They download as much sensitive data or personally identifiable information (PII) as they can and save it on a cloud storage service. Then they email the organization a link to the stolen data to prove they were able to access it. If the victim organization pays the ransom, the criminals say they will disclose the vulnerabilities they found. Maybe they will, maybe they won’t. Maybe they’ll release the sensitive information anyway. Who knows?
According to an article on the IT security website www.csoonline.com, the anti-phishing vendor PhishMe reports that as of the end of March 2016, 93% of all phishing emails contained encryption ransomware. That is a 789% increase over the last quarter of 2015, so ransomware is definitely reaching epidemic proportions.
The same article reports that a popular ransomware attack is the “soft targeted” phish, which targets people in a particular job category. For example, a human resources department may receive an email with an attached resume, or the billing department might receive a message with an attached invoice. These emails look legitimate in that they are addressed to the appropriate recipient, but if the attachment is opened, the company’s network is hijacked.
Here are some tips to protect yourself and your computer network:
- Do not open e-mail or attachments from unknown individuals.
- Even if you know the sender, ask whether the email makes sense in the context of your relationship with that person.
- Look at the language in the email – does it make sense? Is it overly formal? Does it have bad grammar or spelling errors? Does it ask you to click on a link or open an attachment to avoid a negative consequence or to gain something of value?
- Monitor your bank account statements regularly, as well as your credit report at least once a year for any fraudulent activity.
- Do not communicate with the person making the threat.
- Do not store sensitive or embarrassing photos of yourself online or on your mobile devices.
- Use strong passwords and do not use the same password for multiple websites.
- Never provide personal information of any sort via e-mail. Be aware, many e-mails requesting your personal information appear to be legitimate.
- Ensure security settings for social media accounts are turned on and set at the highest level of protection.
- When providing personally identifiable information, credit card information, or other sensitive information to a website, ensure the transmission is secure by verifying that the URL prefix includes https, or that the status bar displays a “lock” icon. Keep in mind that https only means the connection is encrypted; it does not prove the site itself is legitimate, so still check that the address is the one you expect.
- Install software updates promptly. These updates often include critical fixes for vulnerabilities in software applications or devices.
- Use two-factor authentication whenever it’s available. This involves having a code sent to you independently (for example, by text message) that you enter in addition to your normal sign-in credentials. HOWEVER – be aware of a scam that has recently surfaced: you receive a fake text that looks like it’s from a company you have an account with, claiming that your account may be hacked or that they have identified suspicious activity. In the same text, they say they will send your verification code and that you must send it right back to them or have your account closed. If you text that verification code back, you have given the hacker exactly what they needed to get into your account. If your accounts are protected by 2-factor authentication, the only time you will be sent a code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code by text message on your smartphone, it is because a scammer who already has your user name and password is trying to get into your account. So – never provide your verification code to anyone. Only enter it yourself, on your smartphone or computer, when you are logging into a 2-factor authentication protected account. And as a reminder, never give out personal information such as your Social Security number or credit card numbers in response to a text message (or email), because you simply cannot know for sure who is really on the other end of that communication.