The Epilepsy Foundation and law enforcement are on the hunt for hackers responsible for a recent Epilepsy Foundation Cyberattack. Data breaches and account takeovers tend to be fairly straightforward. Hackers break into a network, steal useful information and then use or sell that data to someone else. Sometimes, though, cybercrimes have a far more malicious goal in mind. It might be revenge, intentional damage to a reputation or brand or some other similar focus.

In one particularly brutal cyberattack, experts initially worried that hackers broke into the Twitter account for the Epilepsy Foundation and used that access to send out dangerous tweets. Further investigations showed that they did not actually violate any accounts or even terms of use. Instead, they tweeted at those who were following the Foundation’s account and any hashtags they deployed. The tweets contained flashing, strobe-like images that were specifically intended to induce seizures in people who have photosensitivity issues. Users who rely on information from the Foundation’s Twitter feed were put at risk of a seizure due to the Epilepsy Foundation cyberattack, and the organization is taking the account hack very seriously.

The timing of the Epilepsy Foundation cyberattack appears to be no coincidence, as it occurred during National Epilepsy Awareness Month. That is a time with higher traffic because more people are looking for information and shared posts from the organization. For its part, the Epilepsy Foundation has now filed criminal complaints against the hackers and intends to assist law enforcement in discovering the culprit of the Epilepsy Foundation cyberattack and bringing charges against them.

Social media has long had to deal with disinformation campaigns where public health is concerned, but coordinated, planned attacks of this kind are not very common. Unfortunately, as revenge-style attacks and stunts increase, hackers may attempt even more boundary-pushing tactics. This kind of weaponization is particularly alarming for a few reasons. First, it may be hard to show that the attackers actually violated any laws or even rules for using Twitter. Second, and more importantly, it demonstrates how easy it is to entice large numbers of followers to click a malicious link or download and spread harmful software.


A business ransomware attack continues to be one of the most damaging, costly forms of cyberattacks against both businesses and consumers alike. Simply put, it is easy to pull off and it often works, all with little risk of discovery to the perpetrator.

Most ransomware attacks involve a little bit of malicious software—either designed by the criminal or purchased from another source—and some social engineering. Typically, phishing attacks work as an avenue for infecting a computer or network with harmful software. By getting even one low-level employee to click a link or open an attachment, criminals can infect the network, lock up the system and demand a ransom payment in exchange for the key to open it.

Unfortunately, the only responses to a business ransomware attack are to pay the ransom or ignore it and buy a new computer. Experts do not recommend paying the attackers because there is no guarantee they will release your network or your files. Unfortunately, getting your system back online can prove to be difficult.

One telemarketing firm, The Heritage Company, suffered a crippling business ransomware attack before Christmas. Employees were not made aware of the attack and only learned of it when all 300-plus were laid off. The company was unable to recover from the attack, despite paying the attackers for the decryption key to regain access. In a letter to employees and a subsequent outgoing voice mail message, the company urged employees to look for other jobs.

This kind of incident is not rare, and small businesses are just as likely to be victimized as larger ones. Certain industries, like healthcare and education, are also more likely to be targeted due to the higher risks associated with being breached.

When it comes to ransomware, the best offense is a good defense. Prevention is the most important step, and it comes down to things like employee training on avoiding phishing attacks, ensuring the network has strong, up-to-date anti-malware protection and backing up all data on external storage devices every day. That way, should the other steps fail, the worst outcome is having to purchase new hardware and load the backed-up data into it.


The U.S. Army is the latest branch of the armed services to issue an order against using TikTok.

Who Is It Targeting: Video app users

What Is It: Data theft, “leaky” app

What Are They After: The U.S. Army just became the second branch of the military to warn its members that they are not to download, install or use the app TikTok on their government-issued phones. The Chinese app, popular with young users, lets you create brief video clips that you then share on your social media channels. A number of security worries have cropped up concerning stolen information through the TikTok app, and the Army is not taking any chances.

How Can You Avoid It:

  • Make sure you understand all the privacy permissions you are granting when you open a new account
  • Do not be in a hurry to download the latest app
  • If you cannot tell what data the app uses or shares with others, then it is best to avoid it

If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. Find more information about current scams and alerts here. For full details of this scam check out this article from Fox 5 San Diego.

As this year winds down, it is important to spend a little time reflecting on the 2019 identity crimes, some of the things that went right in 2019 and the things that did not go as well. This is true for so many subjects, especially identity crime – which includes scams, fraud, data breaches, cybercrime and all of the other types of crimes that go with it.

Fallout from 2018

As in previous years, this past year has been a big one for these kinds of crimes. Tech users are still feeling the aftermath of things like the Facebook/Cambridge Analytica privacy debacle that was uncovered last year; Congress is still at work on what to do about consumer privacy in the social media age. Also, the news that phishing attacks more than doubled last year over the year before had researchers, businesses, lawmakers and consumers alike paying closer attention to the messages they receive.

What Went Right in 2019

Fortunately, new legislation has come along to make our privacy lives a little safer. The General Data Protection Regulation (GDPR) regulations went into effect in Europe last year, for example, and they inflict strict penalties on businesses that gather and store data but let it fall into the wrong hands. New laws in California and Colorado will be taking effect soon, intent on strengthening privacy and consumer choice. Best of all, the awareness of what constitutes these kinds of crimes and how to recognize them is increasing.

Top Security Incidents of 2019

However, this welcome news does not mean that consumers are safe or that hackers are finally giving up. With every new platform, tool or technology, there is even greater potential for new avenues of attack. Healthcare providers and insurance companies continued to be one of the hardest-hit targets this year, thanks to the overwhelming amount of personally identifiable information (PII) they gather. “Accidental exposure” breaches were a common 2019 identity crime for major-name companies; these happen when, for example, a business stores a huge database of private information on an online server and then fails to password-protect it. Even our entertainment was not safe, as many apps and online gaming portals suffered data breaches that were traced back to reusing passwords on multiple sites.

2019 did not just see a lot of large data breaches, but settlements as well.

Equifax Settlement

In July, Equifax reached a $700 million settlement for harms caused by their data breach. Equifax agreed to spend $425 million to help victims of the breach, leading to lots of discussion on how to file a claim.

Facebook Settlement

While the Equifax settlement was the largest in data breach history to date, Facebook blew it out of the water just two days later, as they were ordered to pay $5 billion. After the settlement, Facebook said it required a “fundamental shift” in Facebook’s approach at every level of the company in terms of their privacy.

Yahoo Settlement

A month and a half later a Yahoo data breach settlement was proposed for $117.5 million after over three billion Yahoo accounts were exposed. Identity Theft Resource Center CEO, Eva Velasquez, stated in a media alert that the settlement trend is moving the needle in the right direction for both consumers and victims. However, that was not without its challenges, including putting the onus on the consumer to tell the settlement administrators how they were harmed and provide proof of it.

10,000 Breaches Reported

This past year the Identity Theft Resource Center also recorded 10,000 publicly notified data breaches since 2005. As part of the milestone, the ITRC took a look back at some of the top breaches of the last 15 years as part of our 10,000 Breaches Later blog series.

Minimizing Future Risks

While data breach fatigue is a recognized phenomenon, one that can occur when consumers are bombarded with constant news about their data being compromised, the flip side is the kind of paranoia that makes you want to unplug and go live off the grid. However, neither of those is the solution. What does work is an awareness of the threat and some good privacy habits to prevent crimes like the 2019 identity crimes:

We’re Here to Help

Remember, you are not responsible for the criminal behaviors of a hacker. However, you can take steps that reduce your risk of becoming a victim and help minimize the damage if the worst does occur. The Identity Theft Resource Center is always here to help. Call us toll-free at 888.400.5530 or live-chat with one of our advisors.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


New Google Chrome features have privacy experts excited. Software developers spend a lot of time and money creating the programs and apps we use on a daily basis. Sometimes, that software could use a little facelift, especially as new features and innovations come along. Other times, the software desperately needs an upgrade due to security issues.

In the new Chrome web browser update, password security is even stronger. If you attempt to log in on a website or account and that username and password combination has been compromised anywhere else online, Google will alert you immediately and encourage you to change your password. This new Google Chrome feature is really helpful if you are one of the many tech users who still reuse their passwords on multiple accounts, something the Identity Theft Resource Center does not recommend.

Another great Google Chrome feature is the updated anti-phishing tool. In the past, Google would compare website URLs you visited against a list of known phishing sites. While the turnaround time for updating its list was about 30 minutes, meaning Google’s team updated the list continuously, that was still enough time for scammers to slip through or redirect their web traffic to avoid being caught. The new phishing detection happens in real-time, so if you attempt to visit a phishing website, you will be alerted immediately.

While Google’s team was making upgrades for the new Google Chrome features, they included a bunch of other new features that are not really security tools. However, they are still really handy, so Chrome users will want to take a look.

With that said, there is a catch when it comes to all these great new Google Chrome features. You cannot have them if you do not update your browser. The same is true of any app or software you use. If the developer creates a new feature, launches a new tool or discovers a massive security problem, your version will not have any of the benefits or fixes unless you update it. When you receive an alert or a notification about an available update, it is important to install it right away.

Think of it this way: if a developer discovered a dangerous security flaw that allowed hackers to break in and steal identities, the last thing they would want to do is broadcast that information. Hackers around the world could swoop in and attack computers that have not installed the update. Therefore, the news of these Google Chrome features and fixes does not tend to be very widespread. Just know that it is important to update the tools you use in order to stay protected and enjoy all the great benefits they have to offer.


One week after its launch, hacked Disney+ accounts are what is being discussed rather than the new video streaming service. A week ago, Disney launched a highly anticipated video streaming service, and hackers have already found a way to make a buck while ruining your fun. The service, called Disney+, contains not only Disney film favorites but also original content and new shows in the Star Wars universe. Social media sites have been flooded with overjoyed responses from happy customers, as well as complaints from unhappy customers who have lost control over their accounts.

Hackers have been able to infiltrate accounts, change the passwords to lock out the account owners and then post the credentials online for others to use or buy. Rather than the $7-per-month subscription fee, some forums have listed accounts for sale for as little as three dollars from the hacked Disney+ accounts.

There are a couple of ways hackers may have pulled this off, most of which customers can avoid if they are careful.

First, anyone who ever reuses an old username and password combination from another site is playing with fire. If you reuse the login credentials from your MySpace, Yahoo, Adobe, Bank of America or Capital One account, a hacker with the right information can break in. Again, any previous data breach in which usernames and passwords were stolen means that information may be available on the Dark Web. If you open any new accounts with old information, a hacker may already have access to it, which may be the case for some of the hacked Disney+ accounts.

Next, if you receive an email or text message that someone has changed your account login for any account, do not ignore it or treat it as spam. It can mean that someone is in your account at that very moment, and they are locking you out.

Also, there is some speculation that hackers may have used keylogging software to steal credentials. This can happen when you visit a harmful website and log in, when you click a link or download a file in an email that installs harmful software on your computer, or when you connect over public Wi-Fi and log into an account. By electronically gathering up your keyboard strokes as you type, hackers can grab your login credentials, go into your account and take control.

Once they change your password, you are not only locked out of your account, you are also powerless to delete the account or block the payment method. You must contact customer support immediately if you are ever locked out of an account you own since a hacker may be involved.

Remember, the Disney+ website was not breached. It is the individual users themselves whose accounts have been compromised. Another handy tip to avoid hacks like the hacked Disney+ accounts is to stop announcing on social media whenever you download a new game, try out a new service or some other hot commodity. No one needs to know that you have paid for a subscription, and hackers are standing by (through basic keyword searches online) to see who has got an account they can grab. It is important to avoid oversharing your personal business in this way.

Finally, all of this serves as a great reminder about password hygiene. Apart from never reusing a password on another account, it is a good idea to change up your passwords frequently. The same is true of your security questions, as those are often targeted in a data breach as well. That database of old information the hackers have will not work if you are updating your passwords from time to time.


If you have never heard of e-skimming before, you probably want to educate yourself, especially with the holidays right around the corner. You may have heard warnings over the years about criminals tampering with credit card swipe systems at stores, gas pumps and other point-of-sale consumer stations. This tampering, known as “skimming,” happens when someone inserts a thin film into the card reader that steals your information and allows the thief to use your account. It is rare that the process is instantaneous, though, as typically the thief has to come retrieve the skimmer in order to download all of the stolen data.

Cybersecurity experts have now uncovered a new threat that works the same way, e-skimming, although it gives the criminal instant access to your account. Even worse, the criminal does not have to tamper with any physical systems and can pull it off from anywhere in the world.

E-skimming happens when a hacker inserts malicious credential-stealing software into a retailer’s website. You think you are checking out with your credit card or debit card—because you are, and your items even arrive as intended—but the hacker is stealing your payment information from the shopping cart in real-time. They may even be using your card or selling the information on the Dark Web before you are done with the transaction.

Unlike physical card skimming, you cannot simply look at a website and tell that a hacker has tampered with the system with e-skimming. The website owner themselves may not even know unless there is an investigation. However, there are some things you can do to protect yourself.

Enable alerts on your cards

“Card Not Present” transaction alerts are a good idea anyway, and they are one of your best defenses against e-skimming. This alert, usually sent by text or email, comes from your card issuer and lets you know anytime your card is used to make a number-only purchase. As soon as the transaction is processed, the alert is issued. You can contact your bank immediately and stop the payment from going through, as well as close that card and order a new one.

Monitor your account

It is important that all consumers take a routine peek at their bank and card accounts in order to make sure there is nothing suspicious going on. Your card may be used or sold by a hacker, and there can be a limited window of time for you to dispute any charges in order to avoid accepting responsibility for them.

Use trusted websites and look for HTTPS

Hackers have a fun game of seeing who can earn the most credibility by taking down bigger and bigger targets. However, the more trusted and secure the retailer, the more likely they are to have strong security protocols in place. Avoid sites you are not familiar with, no matter how great the advertised deals are.

Consider a low-limit card for online purchases

Especially with holiday shopping coming up, you might consider a low-limit credit card for use on the internet. It can help reduce the amount of damage a hacker can do if your card information is stolen online.

Pre-plan your holiday shopping

If you are doing a lot of online shopping in the next few weeks, it is a good idea to plan what you will be buying and from which retailers. First, it will help you stick to your holiday budget, but more importantly, you will not be lured into opening dozens of online accounts and spreading your spending around. Limiting where you shop can help reduce your risk of encountering an e-skimmer.
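The site owner's side of the e-skimming problem described above, as an added example that is not part of the original article: because injected checkout code cannot be seen by looking at the page, a retailer can inventory every script the checkout page loads and flag anything outside a reviewed baseline. The hostnames, the sample page and the allowlist below are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not taken from any real site).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3/pay.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="https://static-cdn.invalid/jq.min.js"></script>
</head><body>
<form id="checkout"><input name="card-number"></form>
<script>document.getElementById("checkout").addEventListener("submit", validateCart);</script>
</body></html>
"""

PAGE_HOST = "shop.example"  # assumed first-party host
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example", "cdn.analytics.example"}


class ScriptCollector(HTMLParser):
    """Collects external script URLs (with any integrity attribute) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []  # list of (src, integrity or None)
        self.inline = []    # list of inline script bodies
        self._buf = None    # accumulates text of the inline script being parsed

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def inline_digest(body):
    """SHA-256 of an inline script body, used to compare against a reviewed baseline."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def audit_checkout_page(html, page_host, allowed_hosts, reviewed_inline=frozenset()):
    """Return (kind, detail) findings for scripts that fall outside the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()

    findings = []
    for src, integrity in collector.external:
        # Relative URLs have no hostname and are served by the page's own host.
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif host != page_host and not integrity:
            # Third-party script with no Subresource Integrity hash: the browser
            # will run whatever that host serves, including a modified file.
            findings.append(("missing-sri", src))
    for body in collector.inline:
        digest = inline_digest(body)
        if digest not in reviewed_inline:
            findings.append(("unreviewed-inline", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_page(
        SAMPLE_CHECKOUT_HTML, PAGE_HOST, ALLOWED_SCRIPT_HOSTS
    ):
        print(f"{kind:18} {detail}")
```

Run on a schedule against the live checkout page, a new finding is a prompt to investigate before customers' card data is at risk.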


Halloween is just around the corner, so what better time to talk about the scariest of all monsters? Zombies! And zombie apps.

Zombie apps are far more dangerous than the undead threat.

Worse, they move slowly, they can work in packs and if they get their teeth in you, you are done for. A zombie app or account is one that you do not use and may not even remember opening, but it is still lagging along out there in cyberspace with your identifying information. It might be a free trial you signed up for, a subscription service you cancelled but did not delete, a social media platform that is now defunct, a throwaway email you created that one time in order to bid on concert tickets or any other similar scenario. It can also be one of those multiple apps that take up space on your phone but you never use.

Unfortunately, just because you forgot all about it does not mean the zombie is not still sitting there. It is waiting to strike, or more accurately, waiting for the right hacker to bring it back to life and unleash it on humanity.

That is the real problem with zombies. You might have forgotten all about your old MySpace account, but the hackers who broke into MySpace’s servers and stole 360 million logins did not forget. If any of those 360 million account holders reused their username and password on another account—and, statistically, a lot of them did—the hackers now have access to that account, too. The MySpace zombie you forgot about came back, stalked around the internet slowly, then gave up access to your email, Facebook, Amazon or any other account where you reused your credentials.

There is another frightening thing about zombies on zombie apps: they may be slow, but they definitely move. The developer may have sold the zombie app to a company with different security protocols. Maybe the owner discovered a security flaw and issued an update, but since you have not opened it since 2009, you never installed the patch. Perhaps the company suffered a data breach and you never learned about it because you used a throwaway email when you created an account. Any of these scenarios can mean a zombie attack is coming for you.

How are you supposed to save yourself from the countless hordes of zombies out there?

If this was a horror movie, we would have to recommend taking them down and making sure you do not get bitten. Fortunately, the real answer is a lot easier and a lot less messy:

1. If you have apps on your device that you do not use, delete them. First, it will clean up some of your device’s memory and make it run better. Second, there will also be less of a chance that someone can work their way into your device via the zombie app. Don’t worry, you still own the zombie app and the account; it is just not accessible on your device until you reinstall it.

2. If it is an account that you created, either online or when you installed an app, that is a little trickier. You will need to go online to the company’s website and delete or deactivate your account. At the very least, make sure you change the password to something you will never accidentally reuse on another platform. If there is a profile section of your account, change any information that you can, like your email address, home address and phone number. Also, unlink your social media accounts from that account so that a data breach will not give the hackers access to your social media accounts as well.

3. Finally, develop good zombie defense practices to keep these creatures from coming for you in the future. If you are signing up for a new account or downloading an app, make sure it is one you need and plan to use, do not link your social media accounts to it, then make sure the password is completely unguessable and don’t reuse that password anywhere else.

Remember to just protect yourself and any tech users around you from these dangerous attacks.


Be careful about what you are searching for online regarding your favorite celebrity because it could lead to malware attacks. Social media and the internet have given us unprecedented access to our favorite actors, singers, artists and other famous people. Celebrity searches, everything from fashions and the latest gossip to viral videos and streaming shows, let us follow our favorite stars everywhere they go.

Unfortunately, there is a hidden cost for the fans if you click the wrong link. Hackers have learned that our obsession with famous people is a good way to spread viruses and other malware to a lot of people with very little effort, leading to malware attacks.

All they have to do is embed the harmful software in the code, then release that tidbit of information, a stolen article, a pirated episode of their show or any other similar content online. The very thing we are craving, information or entertainment involving these stars, is the mechanism for infecting our networks and devices, increasing the risk of malware attacks.

Security software developer McAfee tracked which celebrities were most likely to be used in this way. Each year, they compile a list that ranks celebrity search results by the number of infected hits there are. This year’s top spot, for example, goes to “Handmaid’s Tale” actress Alexis Bledel. That is followed by talk show host James Corden, actresses Sophie Turner, Anna Kendrick and Lupita Nyong’o, comedian and talk show host Jimmy Fallon, actor and martial artist Jackie Chan, performers Lil Wayne and Nicki Minaj and finally actress Tessa Thompson.

The celebrities in this list are in no way responsible for the malware attacks and the harmful software that is being linked to their names. The film studios or recording labels for actors or singers are not responsible either. This is solely the work of hackers who follow what is trending online, nab an article or video, embed the virus and post it online. As people use search engines to learn more about their favorite stars, they click on the hackers’ links and infect their own networks.

This is especially dangerous if you accidentally download a harmful virus or malware at work, as every computer on your network may be infected and suffer a malware attack. The same is true of downloading this content using a school campus’ network. Even worse, if you are simply using a shared Wi-Fi network at a coffee shop, hotel or airport when someone else downloads celebrity-linked malware, you could be at risk of a malware attack.

To avoid this danger, be careful where you search and avoid clicking on spoofed accounts or links. Only click trusted sources for information, and make sure that your security software is installed and updated regularly. Also make sure that your security software has a malware blocker, not just a scanner. A malware blocker will actively stop harmful software from downloading rather than just locating it after it is installed.


Two-factor authentication is a security protocol that requires users to take an extra step whenever they log in. For example, you open your online banking app and enter your username and password, and then wait a few seconds for a text message or email that contains a six-digit code. You enter that one-time code into your banking app, and you are in.

Two-factor authentication provides an extra layer of security for your accounts, especially ones that contain sensitive data or financial access. It is a great way to keep criminals out of your accounts, especially if your personal information has been stolen in previous data breaches. With two-factor authentication in place, a hacker who managed to steal your login credentials cannot sit at their computer half a world away and get into your bank account because they do not have your phone in order to receive that code.

Unfortunately, hackers work very hard to stay one step ahead. There are a variety of ways that two-factor authentication has been cracked, sometimes with disastrous results. Hackers might steal access to the entire inner workings of your smartphone by going through your cellular provider, and therefore getting the login codes as well. Other hackers have created fake websites that look like the real thing, tricking you into entering both your login credentials and your code, although this one is a little more difficult. Hardest of all, though, are the criminal operations where hackers are actually waiting at the time of login; you type your username, password and unique code, and hackers were “watching” the site while you typed.

Fortunately for most consumers, the effort it takes to breach two-factor authentication is so involved that it is usually reserved for things like cryptocurrency trading websites and online marketing. That does not mean you are completely safe if you do not trade in Bitcoin or make money from YouTube advertising, but it means that you are less likely to draw that kind of effort.

The important takeaway is that even with the potential for being breached, you are still far more protected from everyday cybercriminals if you use two-factor authentication than if you do not. Think of it like the safety restraints in your car; yes, in extremely rare and unpredictable circumstances, there have been vehicular deaths associated with the use of a seat belt or an airbag. However, seatbelts and airbags save lives literally every day, so you would never disengage them on the off chance that they could cause harm.

The same is true of two-factor authentication. Enabling two-factor authentication on your accounts will not hurt you more than not having it, as hackers were trying to get into the account for some reason. Not having it in place, though, could invite lower-level hackers who do not need special tools and know-how to steal from you.
