Beware: Twitter scam could hijack your account
Courtesy Atlanta Journal Constitution AJC.com By Craig Johnson: Clark.com
10/11/17- A new Twitter scam is enticing users by appealing to their vanity in order to get them to hand over their personal info.
The scam is presented in an innocent-looking tweet that promises to show you the people who have been clicking on your profile. The tweet says “You have the possibility to know who visits your profile with this simple app.”
Because Twitter wants to encourage innovation among developers, its API is available for startups to tinker with. The potential bad side of this is that unsavory types can create all kinds of malware to entrap users.
While social media networks such as Linkedin and others offer the capability to see who’s viewed your profile, Twitter does not. And so the tease appeals to our nearly insatiable need for information — data digging — to get us to click on the link and sign up.
Twitter has flagged the account and now when you click on it, a message says: “Warning: This link may be unsafe. The link you are trying to access has been identified by Twitter or our partners as being potentially harmful or associated with a violation of Twitter’s Terms of Service.”
Social media scams have been around since Twitter and Facebook’s inception. Before that, you probably received email from a Nigerian prince who promised you a fortune if he could use your bank account number.
People asking for money, phishing tactics and even games that have hidden charges are all scams that have proliferated on the web for years now for one simple reason: They work.
How to protect your personal information online
Unfortunately, criminals oftentimes know how to stay one step ahead of the safeguards that many of us use, so we have to be extra-vigilant in protection our information. Crooks are employing sophisticated email scams that mimic real companies, including credit card companies and banks. So it’s important to do a Google search of the company or brand before you click on any link — and no matter what, don’t provide them with any personal information through email.
Booter and Stresser Services Increase the Scale and Frequency of Distributed Denial of Service Attacks
Criminal actors offer distributed denial of service (DDoS)-for-hire services in criminal forums and marketplaces. These DDoS-for-hire services, also known as booters or stressers, are leveraged by malicious cyber actors, pranksters, and/or hacktivists to conduct largescale cyber attacks designed to prevent access to U.S. company and government Web sites. The FBI investigates these services as a crime if they are used against a Web site without the owner’s permission (such as for a legitimate stress test).
DDoS attacks are costly to victims and render targeted Web sites slow or inaccessible. These attacks prevent people from accessing online accounts, disrupt business activities, and induce significant remediation costs on victim companies. They also can cause businesses impacted by DDoS attacks to lose customers.
For example, in October 2016, one of the largest DDoS attacks to date targeted a domain name service (DNS) provider and impacted more than 80 Web sites primarily in the United States and Europe, causing them to become inaccessible to the public. The attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack1. Open source reports estimate the DNS provider lost approximately eight percent of its customers following the attack.
WHAT ARE BOOTER AND STRESSER SERVICES?
Booter and stresser services are a form of DDoS-for-hire--- advertised in forum communications and available on Dark Web marketplaces--- offering malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic.
These services can be used legitimately to test the resilience of a network; however, criminal actors use this capability to take down Web sites. Established booter and stresser services offer a convenient means for malicious actors to conduct DDoS attacks by allowing such actors to pay for an existing network of infected devices, rather than creating their own. Booter and stresser services may also obscure attribution of DDoS activity.
Regardless of whether someone launches a DDoS attack using their own command-and-control infrastructure (e.g., a botnet) or hires a booter and stresser service to conduct an attack, their transmission of a program, information, code, or command to a protected computer2 may result in criminal charges.
CONSEQUENCES OF PARTICIPATING IN THESE SCHEMES
The use of booter and stresser services to conduct a DDoS attack is punishable under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in any one or a combination of the following consequences:
Seizure of computers and other electronic devices
Arrest and criminal prosecution
Significant prison sentence
Penalty or fine
HOW AND WHAT TO REPORT
The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified at www.fbi.gov/contact-us/field. IC3 complaints should be filed at www.ic3.gov with the following details (if applicable):
Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
Attempt to preserve netflow and/or packet capture of the attack
Any extortion/threats pertaining to the DDoS attack
Save any such correspondence in its original, unforwarded format
Overall losses associated with the DDoS attack
If a ransom associated with the attack was paid, provide transaction details, the subject’s email address, and/or crypto currency wallet address
Victim impact statement (e.g., impacted services/operations)
IP addresses used in the DDoS attack.
Common Internet of Things Devices May Expose Consumers to Cyber Exploitation
In conjunction with National Cyber Security Awareness Month, the FBI is re-iterating the growing concern of cyber criminals targeting unsecure Internet of Things (IoT) devices. The number of IoT devices in use is expected to increase from 5 billion in 2016 to an estimated 20 to 50 billion by 2020. Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks.
IoT refers to a network of physical devices, vehicles, buildings, and other items (often called “smart devices”) embedded with electronics, software, sensors, actuators, and network connectivity enabling these objects to collect and exchange data. Below are examples of IoT devices:
Home automation devices (e.g., devices which control lighting, heating and cooling, electricity, sprinklers, locks);
Security systems (e.g., alarm systems, surveillance cameras);
Medical devices (e.g., wireless heart monitors, insulin dispensers);
Wearables (e.g., fitness trackers, clothing, watches);
Smart appliances (e.g., refrigerators, vacuums, stoves);
Office equipment (e.g., wireless printers, computer mouse, outlets, interactive whiteboards);
Entertainment devices (e.g., DVRs, TVs, gaming systems, music players, toys); and
Hubs (devices that control other IoT devices through a single app).
As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit. In 2016 and 2017, cyber actors have demonstrated the ease in which IoT device vulnerabilities can be compromised and leveraged. Deficient security capabilities, difficulties in patching vulnerabilities, and a lack of consumer security awareness provide cyber actors with opportunities to exploit these devices.
In September 2016, cyber actors using the Mirai botnet infected IoT devices—including routers, cameras, and digital video recorders—for the purpose of conducting DDoS attacks. The actors exploited openly accessible devices via the Internet with common default usernames and passwords.
In February 2017, a hacker compromised more than 160,000 printers with open connections to the Internet by scanning for those with specific open ports. The hacker claimed the devices were part of a botnet and sent print jobs to the affected printers.
In August 2017, a cyber actor released a list of over 33,000 usernames and passwords for IoT devices, including cameras, DVRs, and routers. While the majority of these devices were located in Asia and China, many of the devices were also found in the United States. A researcher conducted a test against this list and discovered many of these devices were almost instantly exploited, often taking less than two minutes between discovery and infection.
Unsecured or poorly secured devices provide opportunities for cyber criminals to intrude on private networks and gain access to other devices and information attached to these networks. Cyber criminals often take advantage of default usernames and passwords to merge IoT devices with others into a large botnet. These botnets can facilitate DDoS attacks against popular Web sites or network resources. These attacks cause Web sites to run slow, prevent users from being able to connect, or potentially take down multiple Web sites associated with the network under attack.
Consumer Protection and Defense
It can be difficult to determine if an IoT device has been compromised. However, there are many reputable resources and tools available that search for vulnerable network devices. The following recommendations can be implemented to help secure IoT devices from cyber attacks.
Change default usernames and passwords. Many default passwords are collected and posted on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets.
If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and encryption.
Isolate IoT devices on their own protected networks.
Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.
Review and implement device manufacturer security recommendations, if available. Consider turning devices off when not in use.
Research your options when shopping for new IoT devices. When conducting research, use reputable Web sites that specialize in cyber security analysis, provide reviews on consumer products, and support consumer advocacy.
Look for products from manufacturers with a track record of providing security to their Internet-connected products. Look for companies that offer firmware and software updates, and identify how and when these updates are provided.
Identify what data is collected and stored by the devices, including whether you can opt out of this collection, how long the data is stored, whether it is encrypted in storage, and if the data is shared with a third party. Also identify what protections and policies are in place in case there is a data breach.
Ensure all IoT devices are up to date and security patches are incorporated when available.
Use current cyber security best practices when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
Invest in a secure router with robust security and authentication.
Most routers will allow users to whitelist, or specify which devices are authorized to connect to a local network. Whitelisting can be used to identify malicious network traffic from unauthorized devices and prevent them from making a connection.
To file a complaint concerning Booter and Stresser or exploit attacks, click HERE
G R A F F I T I
M.O.S.T. does not care about persons who paint graffiti on a sanctioned wall with the owner's permission. However, we detest cowards who paint property without consent. That changes the classification from art to vandalism. However, the vandals will still try to justify what they do by claiming it's free expression. They often try to vilify those who oppose them by labeling them oppressors of that free expression. Meanwhile, those same vandals cause hundreds of dollars in damage, drive a businesses customers away and lower property values.
We often ask if a graffiti goon would still call it "art" if it was their property being defaced without permission.
Graffiti can also have a more serious meaning due to being gang related. Gangs can use graffiti to mark territory, advertise drug sales, mourn deceased members, announce alliances and issue threats. All the more reason to report and remove it immediately.
If you see tagging in progress dial 9 1 1
For recent graffiti in Orlando report it to (407) 254-GRAF (4723) or click HERE