USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online

In October 2017, KrebsOnSecurity warned that ne'er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn't at that point set up to use its own unique communication system -- the U.S. mail -- to alert residents when someone had signed up to receive these scanned images.

The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed "Informed Delivery," includes a scan of the front and back of each envelope or package destined for a specific address.

The post USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online appeared first on Security Boulevard.

from USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online

Chase ‘Glitch’ Exposed Customer Accounts

Multiple Chase.com customers have reported logging in to their bank accounts, only to be presented with another customer's bank account details. Chase has acknowledged the incident, saying it was caused by a two an internal "glitch" Wednesday evening that did not involve any kind of hacking attempt or cyber attack.

The post Chase ‘Glitch’ Exposed Customer Accounts appeared first on Security Boulevard.

from Chase ‘Glitch’ Exposed Customer Accounts

Money Laundering Via Author Impersonation on Amazon?

Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he'd made almost $24,000 selling books via Createspace, the company's on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that's full of nothing but gibberish.

The post Money Laundering Via Author Impersonation on Amazon? appeared first on Security Boulevard.

from Money Laundering Via Author Impersonation on Amazon?

New EU Privacy Law May Weaken Security

Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats.

On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires technology companies to get affirmative consent for any information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

The post New EU Privacy Law May Weaken Security appeared first on Security Boulevard.

from New EU Privacy Law May Weaken Security

Attackers Exploiting Unpatched Flaw in Flash

Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses.

Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

The post Attackers Exploiting Unpatched Flaw in Flash appeared first on Security Boulevard.

from Attackers Exploiting Unpatched Flaw in Flash

File Your Taxes Before Scammers Do It For You

Today, Jan. 29, is officially the first day of the 2018 tax-filing season, also known as the day that fraudsters start requesting phony tax refunds in the names of identity theft victims. Want to minimize the chances of getting hit by tax refund fraud this year? File your taxes before the bad guys can!

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The post File Your Taxes Before Scammers Do It For You appeared first on Security Boulevard.

from File Your Taxes Before Scammers Do It For You

First ‘Jackpotting’ Attacks Hit U.S. ATMs

ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

The post First ‘Jackpotting’ Attacks Hit U.S. ATMs appeared first on Security Boulevard.

from First ‘Jackpotting’ Attacks Hit U.S. ATMs

Registered at SSA.GOV? Good for You, But Keep Your Guard Up

KrebsOnSecurity has long warned readers to plant your own flag at the my Social Security online portal of the U.S. Social Security Administration (SSA) -- even if you are not yet drawing benefits from the agency -- because identity thieves have been registering accounts in peoples' names and siphoning retirement and/or disability funds. This is the story of a Midwest couple that took all the right precautions and still got hit by ID thieves who impersonated them to the SSA directly over the phone.
In mid-December 2017 this author heard from Ed Eckenstein, a longtime reader in Oklahoma whose wife Ruth had just received a snail mail letter from the SSA about successfully applying to withdraw benefits. The letter confirmed she'd requested a one-time transfer of more than $11,000 from her SSA account. The couple said they were perplexed because both previously had taken my advice and registered accounts with MySocialSecurity, even though Ruth had not yet chosen to start receiving SSA benefits.

The post Registered at SSA.GOV? Good for You, But Keep Your Guard Up appeared first on Security Boulevard.

from Registered at SSA.GOV? Good for You, But Keep Your Guard Up

Chronicle: A Meteor Aimed At Planet Threat Intel?

Alphabet Inc., the parent company of Google, said today it is in the process of rolling out a new service designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools.

Countless organizations rely on a hodgepodge of security software, hardware and services to find and detect cybersecurity intrusions before an incursion by malicious software or hackers has the chance to metastasize into a full-blown data breach.

The post Chronicle: A Meteor Aimed At Planet Threat Intel? appeared first on Security Boulevard.

from Chronicle: A Meteor Aimed At Planet Threat Intel?

Expert: IoT Botnets the Work of a ‘Vast Minority’

In December 2017, the U.S. Department of Justice announced indictments and guilty pleas by three men in the United States responsible for creating and using Mirai, a malware strain that enslaves poorly-secured "Internet of Things" or IoT devices like security cameras and digital video recorders for use in large-scale cyberattacks.

The FBI and the DOJ had help in their investigation from many security experts, but this post focuses on one expert whose research into the Dark Web and its various malefactors was especially useful in that case. Allison Nixon is director of security research at Flashpoint, a cyber intelligence firm based in New York City. Nixon spoke with KrebsOnSecurity at length about her perspectives on IoT security and the vital role of law enforcement in this fight.

The post Expert: IoT Botnets the Work of a ‘Vast Minority’ appeared first on Security Boulevard.

from Expert: IoT Botnets the Work of a ‘Vast Minority’

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured "Internet of Things" or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn't begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn't have to be so bleak. Here's a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

The post Some Basic Rules for Securing Your IoT Stuff appeared first on Security Boulevard.

from Some Basic Rules for Securing Your IoT Stuff

Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter

Tyler Raj Barriss, a 25-year-old serial "swatter" whose phony emergency call to Kansas police last month triggered a fatal shooting, has been charged with involuntary manslaughter and faces up to eleven years in prison.

The post Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter appeared first on Security Boulevard.

from Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter

Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience

KrebsOnSecurity heard from a reader whose friend recently received a remarkably customized extortion letter via snail mail that threatened to tell the recipient's wife about his supposed extramarital affairs unless he paid $3,600 in bitcoin. The friend said he had nothing to hide and suspects this is part of a random but well-crafted campaign to prey on men who may have a guilty conscience.

The post Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience appeared first on Security Boulevard.

from Bitcoin Blackmail by Snail Mail Preys on Those with Guilty Conscience

Microsoft’s Jan. 2018 Patch Tuesday Lowdown

Microsoft on Tuesday released 14 security updates, including fixes for the Spectre and Meltdown flaws detailed last week, as well as a zero-day vulnerability in Microsoft Office that is being exploited in the wild. Separately, Adobe pushed a security update to its Flash Player software.

The post Microsoft’s Jan. 2018 Patch Tuesday Lowdown appeared first on Security Boulevard.

from Microsoft’s Jan. 2018 Patch Tuesday Lowdown

Kansas Man Killed In ‘SWATting’ Attack

A 28-year-old Kansas man was shot and killed by police officers on the evening of Dec. 28 after someone fraudulently reported a hostage situation ongoing at his home. The false report was the latest in a dangerous hoax known as "swatting," wherein the perpetrator falsely reports a dangerous situation at an address with the goal of prompting authorities to respond to that address with deadly force. This particular swatting reportedly originated over a $1.50 wagered match in the online game Call of Duty. Compounding the tragedy is that the man killed was an innocent party who had no part in the dispute.

The following is an analysis of what is known so far about the incident, as well as a brief interview with the alleged and self-professed perpetrator of this crime.

The post Kansas Man Killed In ‘SWATting’ Attack appeared first on Security Boulevard.

from Kansas Man Killed In ‘SWATting’ Attack

Happy 8th Birthday, KrebsOnSecurity!

Eight years ago today I set aside my Washington Post press badge and became an independent here at KrebsOnSecurity.com. What a wild ride it has been. Thank you all, Dear Readers, for sticking with me and for helping to build a terrific community.

The post Happy 8th Birthday, KrebsOnSecurity! appeared first on Security Boulevard.

from Happy 8th Birthday, KrebsOnSecurity!

Skyrocketing Bitcoin Fees Hit Carders in Wallet

Critics of unregulated virtual currencies like Bitcoin have long argued that the core utility of these payment systems lies in facilitating illicit commerce, such as buying drugs or stolen credit cards and identities. But recent spikes in the price of Bitcoin -- and the fees associated with moving funds into and out of it -- have conspired to make Bitcoin a less useful and desirable payment method for many crooks engaged in these activities.

The post Skyrocketing Bitcoin Fees Hit Carders in Wallet appeared first on Security Boulevard.

from Skyrocketing Bitcoin Fees Hit Carders in Wallet

Buyers Beware of Tampered Gift Cards

Prepaid gift cards make popular presents and no-brainer stocking stuffers, but before you purchase one be on the lookout for signs that someone may have tampered with it. A perennial scam that picks up around the holidays involves thieves who pull back and then replace the decals that obscure the card's redemption code, allowing them to redeem or transfer the card's balance online after the card is purchased by an unwitting customer.

The post Buyers Beware of Tampered Gift Cards appeared first on Security Boulevard.

from Buyers Beware of Tampered Gift Cards

The Equifax Breach: What You Should Know

It remains unclear whether those responsible for stealing Social Security numbers and other data on as many as 143 million Americans from big-three credit bureau Equifax intend to sell this data to identity thieves. But if ever there was a reminder that you -- the consumer -- are ultimately responsible for protecting your financial future, this is it. Here's what you need to know and what you should do in response to this unprecedented breach.

from The Equifax Breach: What You Should Know

Who Is Marcus Hutchins?

In early August 2017, FBI agents in Las Vegas arrested 23-year-old U.K. resident Marcus Hutchins on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins was virtually unknown to most in the security community until May 2017, when a British newspaper revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. Relatively few knew it before his arrest, but Hutchins for many years authored the popular cybersecurity blog MalwareTech. When this fact became more widely known — combined with his hero status for halting Wannacry — a great many MalwareTech readers quickly leapt to his defense to denounce his arrest. They reasoned that the government was overstepping on flimsy evidence, noting that Hutchins has worked tirelessly to expose cybercriminals and their malicious tools. To date, some 226 supporters have donated more than $14,000 to his defense fund. At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge. In this post, I will attempt to describe and illustrate more than three weeks’ worth of connecting the dots from what appear to be Hutchins’ earliest hacker forum accounts to his real-life identity. The clues suggest that Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.

from Who Is Marcus Hutchins?