By Mitzi Perdue

WeNews correspondent

Wednesday, May 16, 2012

Cybercriminals may be “spear phishing” your Facebook or Twitter account. A gorgeous PowerPoint attachment may harbor a malicious program. Women are more vulnerable to online security breaches, so here are a few words from the Web-wise.

(WOMENSENEWS) — “Celebrating my birthday tonight at Alfredo’s!”

If a woman posted that on her Facebook page it would worry MIT-trained cryptographer Mark Herschberg.

“Your Facebook/Twitter status and photos say a lot about you,” says the New York-based cybersecurity expert. “A determined person may already have found out that you’re a woman, learned where you live and whether you live alone. With that post, the bad guy now knows that you’re not home. That post could set you up for a robbery or even a physical attack.”

While the dangers of a physical attack are not large, Herschberg says it’s prudent to remain cautious and minimize the risk. Not only that, Herschberg adds that with such a Facebook status update, “the bad guy now knows it’s your birthday, and if he’s a determined cybercriminal, this could help him hack your identity.”

But do you really need to worry if you keep your Twitter and Facebook accounts private?

Herschberg’s answer: “Even if you have your privacy settings set to friends of friends, some of those friends might be easygoing and accept all friend requests, and now you have a hole in your security. Cybercriminals are out there, looking to exploit those kinds of holes.”

A big part of cybercrime is identity theft, which allows criminals to get information about your “secure” online accounts and either withdraw money from your bank or run up charges on your credit accounts.

Identity theft is a serious hazard for everyone, but it’s particularly costly for women. Seventeen percent of female identity theft victims have lost $1,000 or more due to the crime, versus 10 percent of males, according to the Affinion Security Center, based in Stamford, Conn.

Spear Phishing Pointers

Herschberg also warns about “spear phishing,” a new tactic used by cybercriminals to exploit your social media information against you.

Unlike traditional spam or phishing, which sends the same message to a large number of people, spear phishing is aimed specifically at you. A sender may impersonate a friend or colleague and craft a message from details gleaned from your social media accounts. The message may invite you to a conference on a topic that interests you, or ask you to check out a report on a subject they have learned is important to you.

The goal is to trick you into opening an infected attachment or visiting a malicious website so the cybercriminals can get sensitive information such as passwords. If this happens, Herschberg recommends contacting your friend or associate to ask if they really did send the e-mail.

Jody Westby heads Global Cyber Risk, a cybersecurity company in Washington, D.C. Since women are often the ones who discuss safety with their children, she says it is important to make online privacy part of that discussion.

“Today children need to know not to give out their full name, or where they go to school, or their phone number when online unless they know the person,” she says.

Brian Krebs, an Internet security journalist in Washington, D.C., says to also beware of financial risks lurking in sudden, strange messages. “A hallmark of a malicious program is they try to get you to act quickly,” he says. For example, “Your credit card has expired. Click this link immediately or we will cancel your account.”

Krebs recommends, “If you get an e-mail that purports to be from your bank and asks for information, or asks you to click a link and log in, it is very often a scam or a trap. If you have questions about whether one of these e-mails addresses a real problem, call your financial institution. Do not reply to the message or take any other action!”

Pause First

It’s never a good idea to respond to spam, but when a message appears to come from a friend or family member, it can be tricky: it might be real, or it might mean that person’s account was just hacked.

So pause when you get e-mails that seem to come from a friend or relative or co-worker with short messages like, “Hey, check out this movie I saw, it’s really funny,” or “OMG! There’s a video of you posted online that’s awful!” or “Check out the attached file!”

Like Herschberg, Krebs recommends writing back and asking, “Did you send this?”

Krebs predicts that in a disconcerting number of cases the answer will be no, and the intent of the message will turn out not to have been friendly at all.

He also cautions against forwarding chain letters of the sort that tell you something wonderful will happen if you send it to 10 of your friends. Chain letters are often generated by spammers as an exceptionally effective way for them to harvest current addresses. The chain letters are carefully worded to touch your heartstrings or religious beliefs, but don’t forward them unless you’re wishing more spam on yourself and your friends.

Chain letters that have PowerPoint presentations of, for example, irresistibly beautiful scenes from China or scantily clad women from Russia, may have malicious programs hidden behind them that can take control of your computer.

Almost everyone in cybersecurity says to exercise extreme caution when opening attachments or clicking links. As Krebs says, “It may be good for instant gratification, but it can also be good for an instant bad day.”

Additional Advice

1. Change your passwords every 90 to 180 days.

2. Don’t use the same password for different accounts. If someone is able to crack one password, you don’t want him or her to be able to attack all your accounts.

3. Choose passwords that have a combination of numbers and upper and lower case letters. (One lady at the Fifth Avenue Apple Store in Manhattan uses the address of her dog’s vet preceded by her first boyfriend’s initials, so it comes out something like this: BAF348W94th. Three months later, she’ll change it to her dentist’s address and still later, she’ll use the address of a local restaurant.)

4. Be careful about using passwords on public computers, which could have spyware or key loggers installed on them.

5. Keep all your software up to date, especially Java, which is a vector for malware.

6. If you have an iPhone or an iPad, activate their password protection. There are thieves in major cities who specialize in targeting people with iPhones or iPads in order to harvest information to sell to identity thieves.

Assuming you have virus protection software, you’re part way to cybersecurity, but a computer with software protection is like a castle surrounded by a moat. The software can protect you, but not if you lower the drawbridge and open the castle gate.