Author Archives: axlemacuvex

Online Security – Friend Request from Yourself? Watch out for Facebook Fakes


A few weeks ago, I got a Facebook request from “myself.” I recognized it right away as a common Facebook cloning scam.

The way it works is simple. Cyber-crooks snag a photo of you, usually right from your own profile page, poach any information you’ve made public, then reach out to all your real friends and family. Once anyone you actually know accepts the fake Facebook friend request or engages with them on Messenger, the scammers typically make a play for money, personal info, or even try to infect your computer or phone with malware.

When the same thing happened to my mom last year, the scammer (pretending to be my mother) hit up my cousin with a sob story asking for money. He texted me instead and I told my cousin how to report it to Facebook.

A few hours later, another one of her friends received a message from the crook to “click this link to see a great YouTube video you’re in.” She, too, smelled a skunk. Had she actually clicked the link, though, it could have infected her computer with malware or a virus, logged her passwords and given hackers the fast track to her bank account, email or store accounts.

Spotting the fakes

So how do you know that a friend request is real vs. fake? Here are a few questions to help you figure that out.

Are they a duplicate? This is the most obvious test for any fake friend, and all you have to do is see if someone with the same name is already friends with you on Facebook. Nobody has any reason to make more than one account, so if your best friend from college is still on your friends list but just sent you another friend request, send it straight into the trash. Then report it.

Check their photos. Okay, so a hacker will probably find a few freebie photos for their profile, but if you dig into their albums their plan totally falls apart. Before you accept a shady friend request, click on their name and go to their profile page. Browse through their photos and albums and see what’s there. If it’s bare, aside from the profile picture, or has just a couple random photos with no comments or likes, you’ve just nabbed a faker.

Don’t become a victim to a Facebook impostor

Frisk their friends list. If someone is targeting you, their fake account is likely just a shell with very little going on. Click on their friends list and see how many they have. If it’s blank, run for the hills, but even if it’s well populated, those could all be fake or spam profiles too, so be sure to check what mutual friends you have in common. If the person isn’t friends with any of your friends, it’s almost certainly a scammer.

If you do spot a fake, block, report, and warn your friends. (Facebook also cracks down pretty hard on these kinds of shenanigans these days.) From the scammer’s main Facebook profile page, you can click the little “more” icon (three little dots in a row) next to their profile picture and then select “Report.” A little menu pops up asking you what you want to report, so select “Report this Profile.” Once you do this, Facebook will know to look at the account and take any actions needed. After you’ve reported, click that little “more” icon again and select “Block” to remove the account from your life forever.

Leave the links behind

Even if you’re good about ditching fake friends and ignoring anonymous requests, anyone on Facebook can still send a message to your “Other” inbox. In Facebook Messenger, these pop up as “Message Requests,” and even if someone isn’t your friend, he or she can still send you nasty links and malware without much consequence.

Never ever click on any links you get in these unverified messages, and do your best to avoid interaction with anyone who sends you a chat request out of the blue, even if he or she looks like someone you know. Follow the rules above and verify before you even reply, and if you determine it’s a fake, head to the scammer’s profile page and block them.

Eastern Alliance Insurance Group: Ebola in the Workplace

As the threat posed by the Ebola virus continues to spread globally, EAIG knows our policyholders and their employees are looking for guidance on preparing their workplace to counter the threat of virus transmission from colleagues and customers.

OSHA, NIOSH and the CDC have resources dedicated to information regarding the disease and how to protect workers, including medical information, hazard recognition, prevention and control, standards for protecting workers, and additional topics. This information is pertinent to many industries, particularly those in healthcare; airline and travel; mortuary and death care workers; laboratory workers; border, customs and quarantine workers; emergency responders; and workers in other critical sectors. – Eastern Alliance Insurance Group

OSHA Fact Sheet on protecting workers (not in healthcare or laboratories) involved in cleaning and decontamination of surfaces that may be contaminated with the Ebola virus:

https://www.osha.gov/Publications/OSHA_FS-3756.pdf

OSHA Ebola Microsite; includes links to CDC and NIOSH Ebola information:

https://www.osha.gov/SLTC/ebola/index.html

CDC Ebola Microsite:

http://www.cdc.gov/vhf/ebola/

Additional resources can be found through this safety blog, which features links to many of the documents distributed by the CDC and OSHA:

Ebola – Free – Additional Materials, Banners, Fact Sheets, Posters

Japan Asia Group Limited Review: Towards Sustainability

Kokusai Kogyo actively contributes toward the realization of our Group Mission: “Save the Earth, Make Communities Green.” 2015 was a landmark year, where the United Nations renewed three international frameworks that relate closely to our Mission and our work. The concepts of disaster risk reduction and resilience building in the Sendai Framework, adopted in March, were mainstreamed into the Sustainable Development Goals, adopted in September, as necessary foundations towards sustainable development. The Paris Agreement at COP21 in December saw more than 190 countries agree to cooperate towards reducing global warming.

Working with international organizations

Kokusai Kogyo has been active in delivering private sector views and expertise into the international dialogue, even joining, in the case of the Sendai Framework, discussions at its formative stages. In return, we bring back a deeper understanding of global issues and trends, which we apply to our business activities. Sandra Wu Wen-Hsiu, our Chairperson and CEO, has taken a leading role in our work with the international community, and especially the following three organizations:

UN Global Compact

The UN Global Compact is the main United Nations initiative for engagement with the private sector and business

UN Office for Disaster Risk Reduction (UNISDR)

UNISDR strongly promotes disaster risk reduction and resilience through public private collaboration and private sector engagement

World Economic Forum

The World Economic Forum is committed to improving the state of the world and is an international organization for public-private cooperation

Additionally, Kokusai Kogyo assists developing countries in implementing these international frameworks through our international development consulting operations.

Our Activities

With UN Global Compact (UNGC)

The Global Compact was launched at UN Headquarters in New York on 26 July 2000, and aims to bring about sustainable growth through the responsible, innovative leadership of businesses and other organizations acting as good corporate citizens and voluntarily committing to a universal set of principles.

Kokusai Kogyo joined the Global Compact in 2013, agreeing to meet fundamental responsibilities in its Four Areas and to adhere to its Ten Principles, and reports on progress through our Creating Shared Value (CSV) report.

In 2015, Kokusai Kogyo became a signatory to the Caring for Climate initiative, which is jointly convened by the UNGC, the secretariat of the United Nations Framework Convention on Climate Change (UNFCCC) and the United Nations Environment Programme (UNEP).

The massive Russian cybercrime operation stealing millions from advertisers – Inside ‘Methbot’

Security experts have uncovered what appears to be the biggest and most profitable advertising fraud scheme known to date.

In a report released Tuesday, cybersecurity firm White Ops mapped out a massive operation through which Russian cybercriminals are stealing millions of dollars from publishers and advertisers in the form of fake video views.

Nicknamed “Methbot” for the frequent references to the drug in its code, the ongoing scheme involves an army of bots whose sole purpose is to watch as many as 300 million video ads per day, thus tricking brand advertisers into paying millions of dollars for fake views.

The company believes it to be the work of a ring of Russian hackers, who researchers say have netted upwards of $180 million in profits since launching the operation in September.

While employing automated users to scam ads is nothing new — it’s the foundation of the multibillion-dollar ad fraud industry — the company says the staggering scale and technical intricacy at play here are unprecedented.

“This is an attack perpetrated against the entire industry,” says White Ops CEO Michael Tiffany. “It was robbing both advertisers and publishers, and it was operating at a level of sophistication that’s just unheard of.”

How it works

The whole operation takes place within a sort of Potemkin Village version of the internet located entirely within the bounds of Methbot’s servers.

To populate it, the hackers took over more than half a billion IP addresses — unique strings of characters designed to identify web users — from two major registries and broke them into chunks, which were then assigned to various internet service providers like Comcast and Verizon.

Doing so created the illusion that each of these millions of bots was a real web surfer somewhere in America rather than a program operating out of one of two centralized data centers in Amsterdam and Dallas.

The perpetrators also built custom software designed to make the bots appear convincingly human — they mimicked clicks and cursor movements; installed fake cookies that indicated demographics, online browsing histories and other targetable traits; and even gave them fraudulent social network credentials that made it appear as if they were logged into Facebook or other social media accounts (though no such accounts actually existed).

This elaborate operation goes far and beyond that of your average ad fraudster, Tiffany says. In a typical operation of this kind, bots latch onto the addresses of actual people through malware so that hackers don’t have to go through the trouble of creating identities out of whole cloth.

“We’ve never seen anything like that before,” Tiffany says. “It’s just astonishing.”

But spawning this army of robo-users was just one piece of the puzzle; the cybercriminals also generated more than 6,000 imitation sites designed to resemble major outlets across the web.

These include fake versions of publishers like CNN, the New York Times, BuzzFeed and Mashable; platforms like Facebook, Yahoo and Quora; and even some brand websites like those of Air France and Pokémon.

The fake sites allowed the thieves to take advantage of a common form of arbitrage in the ad tech industry in which unsold ad space is bought from an outlet then resold at a higher price. The criminals would pretend to be reselling space on, say, CNN’s website through an automated ad exchange but then instead direct the ad to their shell version of the site that nobody could actually see.

There, the brand would unwittingly pay to have its video ad viewed solely by the millions of bots assigned to visit each of these sites.

As a whole, the operation racked up between 200 and 300 million views per day and bilked advertisers and media companies out of $3 million to $5 million in revenue.

Such intricate attention to detail might seem excessive for a scam that’s already considered to have the lowest risk and highest reward of any form of cyber crime.

But the whole plan was put in place in service of making the machine as profitable as possible at every level. Bots imbued with a targetable profile and brand-name outlets are worth much more to advertisers than unknown visitors to a no-name webpage, and video is the most expensive form of online advertising.

“By using these very sophisticated mechanisms to hack some of the architectural systems of the internet, they were then able to unlock much greater profit potential than other operations usually have,” Tiffany said.

What’s next

White Ops, which specializes in ad fraud detection, first took notice of the operation in October, when its system picked up on some of the bots. The rest of the scheme unraveled from there.

“We had this one thread to pull on, and then as we pulled on it, we uncovered layer upon layer upon layer of complex forgeries,” Tiffany said.

Now that the report is out, White Ops is releasing a full list of fake addresses and domains so that ad networks and other fraud detection firms can block accordingly. It is also working with U.S. law enforcement authorities to try to track down the parties responsible.

While the massive scale of Methbot might make other ad fraudsters seem like small-timers in comparison, ad fraud as a whole remains a huge headache for the advertising industry. A research report from an advertiser trade group last year predicted that it could cost digital advertisers around $7.2 billion this year alone.

Tiffany says it’s entirely possible that ad fraud rings of comparable scope are currently operating undetected. The murky nature of the crime makes it uniquely hard to suss out.

“It hardly ever leaves traces of the crime behind,” he says. “It’s such an extraordinarily successful form of theft because nothing goes missing.”

Security and Risk Online: Get ahead of online fraud this holiday season


Holiday shopping has changed a lot in the last few years with major online shopping events from around the world gaining popularity in Australia. This year’s Black Friday and Cyber Monday sales were among the biggest online shopping days in Australia, kicking off the pre-Christmas rush. Cyber Monday broke records in the US hitting US$3.45 billion in online sales, up 12 per cent from last year with Australia and the rest of the world following suit.

But with the increase in online holiday shopping comes a commensurate increase in the instances of fraud. Australian internet businesses suffer dramatically more card fraud than the global average, with online fraud rising by 38% between 2014 and 2015, compared to the global average of 13%.

It’s a lesser-known quirk of the financial industry that, unlike their brick-and-mortar counterparts, online businesses are responsible for not only detecting fraud, but also paying the associated costs. On average, every $1 of fraudulent orders costs an online business an additional $2.69. A couple of weeks ago a foreign syndicate was busted by the Australian Federal Police for the theft of more than 30,000 Australian credit cards, spending more than $30 million. A hefty sum, for sure, but nothing close to the US$32 billion that online retailers spent preventing and remediating hacks in 2015. Online businesses are also susceptible to a wider range of fraud schemes, including credit card fraud, payout scams and faux refunds.

So as the holiday sales kick off, what can online businesses do about it?

The basics: getting started with fraud prevention

To begin, businesses should examine the address verification code (a postcode that matches what’s on file with the cardholder’s bank), require a card verification code (the 3- or 4-digit code on their card), and delay shipping. The latter step is especially helpful for expensive items, as it provides a safety window when the actual cardholder might flag a large fraudulent purchase.

However, these checks aren’t foolproof: Legitimate customers can easily enter a typo in their street address or move and forget to update their billing zip code, resulting in false positives, and fraudsters are often able to buy stolen credit card numbers together with their card verification codes.

The next step is manual reviews: Many businesses rely on employees to audit transactions and create complex, custom rules (such as, “temporarily block all orders over $500 until reviewed and approved”). All of this sounds pretty complicated and manual. The answer? Machine learning.

Let machines do the heavy-lifting

Thanks to recent advances in machine learning and AI, businesses today can analyse millions of online transactions and identify buying patterns across large numbers of retailers, spotting outliers in real-time and flagging odd charges long before a human analyst would spot a problem.

Sift Science offers machine-learning-based fraud detection trained on a business’s data; other tools like Riskified and Signifyd offer chargeback insurance, screening every charge for a fee, blocking suspicious purchases, and compensating their customers when they fail to block fraud.

Stripe’s fraud tool, Radar, constantly learns from the hundreds of thousands of businesses taking payments through Stripe around the world. This new approach enabled Watsi, a global funding platform for medical treatments, to block more than $40 million in attempted fraud over a two-month span, all with limited to no human involvement.

Don’t leave money on the table

Of course, the difficulty with fraud is that pre-emptively blocking too many transactions means foregoing legitimate purchases too. In theory, you could prevent fraud from Southeast Asia by blocking all transactions from Southeast Asia; but that approach means you’d also be foregoing legitimate transactions from one of the world’s most populous regions.

So even once you’ve implemented tools for preventing fraud, it’s important to remember that your ultimate goal isn’t blocking fraud — it’s maximizing revenue. This means you should:

  1. Consider multiple metrics: Don’t just focus on one metric like false positive rate (legitimate transactions that you’re blocking) or dispute rate. After all, you can easily make the former zero by not trying to catch any fraud (and the latter zero by not accepting any payments). Your overall fraud protection approach will offer a trade-off between false positives and false negatives, and you should understand what that trade-off is and what is optimal for your business. This break-even calculator can give you an example of the kind of calculations it can be helpful to do.
  2. Find your “healthy” dispute rate: Unsurprisingly, fraud varies by sector. For example, the median fraud rate for retail is 0.02 per cent, while for nonprofits it’s 0.1%. Once you know your industry’s rate, compare it to your business’ unique situation and data to identify a “healthy” fraud benchmark. Trying to drive your dispute rate far below what is natural for your sector can be more effort than it’s worth.
  3. Always be measuring: No matter what solution you choose, be rigorous in assessing efficacy. For example, if you’re manually customising rules, you can evaluate their performance by backtesting them or by running A/B tests in real-time. Don’t rely on intuition that tells you all payments from a certain region, or at a certain time of day, are fraudulent. Formulate your hypothesis and validate it with data!
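The following is an added example, not part of the original article: a small backtest that scores the "block all orders over $500" rule mentioned earlier against a signal-based alternative, reporting false positive rate, dispute rate and net outcome side by side. The transactions, the 30% margin, the `country_match` signal and the rule names are constructed assumptions; fraud loss is modelled simply as order value times the article's $2.69 figure.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# From the article: every $1 of fraudulent orders costs an additional $2.69.
# Assumption: loss on an accepted fraudulent order = amount * 2.69.
FRAUD_COST_PER_DOLLAR = 2.69


@dataclass(frozen=True)
class Txn:
    amount: float        # order value in dollars
    country_match: bool  # hypothetical signal: billing country matches IP country
    cvc_ok: bool         # card verification code check passed
    is_fraud: bool       # ground truth, learned later from disputes


@dataclass(frozen=True)
class Report:
    blocked: int
    false_positive_rate: float  # legitimate orders blocked / all legitimate orders
    dispute_rate: float         # fraudulent orders accepted / all accepted orders
    net: float                  # margin earned on legit sales minus fraud losses


Rule = Callable[[Txn], bool]  # a rule returns True to block the order


def backtest(txns: List[Txn], rule: Rule, margin: float = 0.30) -> Report:
    """Replay historical, labelled transactions through one rule."""
    accepted = [t for t in txns if not rule(t)]
    legit_total = sum(1 for t in txns if not t.is_fraud)
    legit_blocked = sum(1 for t in txns if not t.is_fraud and rule(t))
    fraud_accepted = [t for t in accepted if t.is_fraud]
    earned = margin * sum(t.amount for t in accepted if not t.is_fraud)
    lost = FRAUD_COST_PER_DOLLAR * sum(t.amount for t in fraud_accepted)
    return Report(
        blocked=len(txns) - len(accepted),
        # Guard the degenerate cases the article warns about (nothing accepted, etc.).
        false_positive_rate=legit_blocked / legit_total if legit_total else 0.0,
        dispute_rate=len(fraud_accepted) / len(accepted) if accepted else 0.0,
        net=round(earned - lost, 2),
    )


RULES: Dict[str, Rule] = {
    "accept_all": lambda t: False,
    "block_over_500": lambda t: t.amount > 500,
    "cvc_or_large_mismatch": lambda t: (not t.cvc_ok)
    or (t.amount > 500 and not t.country_match),
}

# Constructed sample history: 7 legitimate orders, 3 fraudulent ones.
SAMPLE = [
    Txn(40, True, True, False), Txn(120, True, True, False),
    Txn(650, True, True, False), Txn(900, True, True, False),
    Txn(75, True, True, False), Txn(300, True, True, False),
    Txn(520, False, True, False),   # legitimate customer ordering while abroad
    Txn(700, False, True, True), Txn(1200, False, False, True),
    Txn(60, False, False, True),    # small fraud slips under any amount threshold
]


def compare(txns: List[Txn], rules: Dict[str, Rule] = RULES) -> Dict[str, Report]:
    return {name: backtest(txns, rule) for name, rule in rules.items()}


def best_rule(txns: List[Txn]) -> str:
    """Pick the rule with the highest net outcome, not the lowest fraud count."""
    reports = compare(txns)
    return max(reports, key=lambda name: reports[name].net)


if __name__ == "__main__":
    for name, rep in compare(SAMPLE).items():
        print(f"{name:24} {rep}")
    print("best by net:", best_rule(SAMPLE))
```

On this constructed data the blanket amount threshold cuts the dispute rate but blocks three of seven legitimate orders and still nets a loss, which is the trade-off the list above describes.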

On the internet, the only constant is change itself. As consumer behaviour and fraud schemes continue to evolve, businesses that want to maximise their revenue this holiday season — and year round — should be using modern fraud defences that can adapt and help them stay a step ahead of fraudsters.

Cyber-attacks by hacker group Anonymous on the rise in Japan

Distributed denial of service (DDoS) attacks launched to protest dolphin hunting.

A masked hacker, part of the Anonymous group, hacks the French presidential Elysee Palace website in this 2012 file photo. The group is said to be behind a growing number of attacks in Japan.  (JEAN-PHILIPPE KSIAZEK / AFP/GETTY IMAGES FILE PHOTO)

Cyber-attacks against targets in Japan, apparently carried out by international hacker group Anonymous, have been increasing since September.

Last autumn, a number of government websites and other sites came under attack.

However, the recent attacks are different from sophisticated cyber-attacks that aim to steal information.

Experts call for people to respond calmly by taking necessary steps in advance without fearing them too much.

Late at night on Sept. 3, the website of the Hiroshima National Peace Memorial Hall for the Atomic Bomb Victims became inaccessible.

Shortly after, a group saying it was Anonymous and opposed to dolphin hunting and other issues, posted a statement online claiming responsibility.

An official at the memorial hall said in bewilderment: “We have nothing to do with dolphin hunting.”

It is believed a series of Anonymous attacks, called Operation Killing Bay, started around 2013 in protest against Japan’s whale hunting and the annual dolphin hunts in Taiji, Wakayama Prefecture, in September.

Last year, to protest against the dolphin hunting in Taiji, distributed denial of service (DDoS) attacks were launched against government office websites and infrastructure operators such as airports. DDoS attacks are aimed at rendering websites and other online services unavailable by sending a huge amount of data to the server.

According to police, the number of cyber-attacks Anonymous is believed to be involved in has grown since September. There were no cyber-attack-related website problems from May to August, but 29 incidents were confirmed in September, followed by 26 in October. From Nov. 1 to Nov. 27, there were 53 cases, bringing the total from September to Nov. 27 to 108.

In comparison, incidents ranged between the 10s and 20s each month from September to November last year, but rose to 56 in December.

“Their aim is not to make websites unavailable, but to promote their presence,” said Nobuhiro Tsuji, senior security researcher at SoftBank Technology Corp.

This year, the targets of the attacks have conspicuously been small organizations and shops such as izakaya Japanese pubs, and groups totally unrelated to dolphin hunting.

“The hackers could be different from last year, and their resources could be smaller,” Tsuji said.

When Anonymous started around 2006, it advocated the establishment of the freedom of the Internet and made political appeals through legally permitted activities such as street demonstrations.

Now, Anonymous tends to carry out cyber-attacks with the aid of unknown individuals who respond to invitations on Twitter and other websites.

The website of the Kasumigaura river office of the Land, Infrastructure, Transport and Tourism Ministry came under attack in 2012. Anonymous is believed to have confused Kasumigaura with Tokyo’s bureaucratic district of Kasumigaseki.

Anonymous’ main attack method, DDoS, can be committed without significant expertise. There is almost no way to defend against such attacks. It is a matter of waiting for an attack to cease, although measures have recently been developed to mitigate damage.

“Compared to cyber-attacks aimed at stealing information, DDoS attacks are not so sophisticated. In most cases, the websites attacked went down and that was it,” said Masakatsu Morii, a professor at Kobe University specializing in information and telecommunications engineering.

Some observers point out that such cyber-attacks could increase ahead of the 2020 Tokyo Olympics and Paralympics. Morii said, “It is important that companies and organizations take necessary measures calmly. If they are attacked, they should respond coolly without overreacting.”

Celebs draw fentanyl addict headlines by Insurance Fraud Advocacy


Reminds that insurance fraud helps finance opioid epidemic

First came Prince, who died from an overdose of the painkiller fentanyl in his Minnesota home.

Next came singer Chaka Khan. She beat the reaper by entering into rehab this month, along with her sister.

The Grammy winner admitted fentanyl is her escape drug of choice. Chaka wisely gave up her summer concert appearances to focus on getting clean.

“The battle of addiction is a serious and long process, which is why I chose to address my use of prescription medications — which came about as a result of the knee surgery I had a few years ago,” she said.

Fentanyl is one of the latest prescription painkillers to grab headlines. It’s used for severe pain, and is approved for long term treatment. The stuff also is up to 100 times stronger than morphine, and 50 times stronger than heroin.

Fentanyl quickly shoots into the bloodstream. Dopamine then elevates, stoking the brain’s reward areas. The sweet euphoria grows into dependence, then addiction.

States like New Jersey and Mississippi are reporting spikes in fentanyl overdose deaths.

Insurance fraud is the largely untold story. It’s helping finance America’s epidemic of opioid addiction — billions of stolen insurance dollars worth.

Some fentanyl addicts reportedly are scamming health insurers to score prescriptions that feed the need. Same with other painkillers such as hydrocodone, or anti-anxiety meds and muscle relaxants.

Insurance scams may or may not have funded Prince’s or Chaka’s highs. Yet scams still are part of the bigger opioid picture, so we should be very concerned.

Insurers are stepping up investigations, plus education of doctors and patients to head off addiction. Law enforcement is going after shady pain clinics and pharmacies that dole out insurer-paid scripts.

Still, we risk getting exhausted by it all. We’re subject to steady parades of news stories about people dying from insurance-paid overdoses. Plus welcome busts of cold-blooded pain docs. They’re keeping addicts fed with pills — are we getting fed up?

Sadly, it may take a celeb’s drug death or rehab to keep headlines fresh and the public concerned. Let’s stay concerned, whether it’s a Grammy winner or small-town factory worker just trying to get clean.