The spring break season is finally here, which means vacation time for millions of college students and families. But they aren't the only ones looking forward to their trips, scammers are also excited about the potential opportunities to glean personal information from unsuspecting travelers.
This trend has become a growing threat as cyber criminals actively target travelers. This includes both online scams and traditional crimes like robbery and break-ins that are now being aided by “off-the-shelf” hacking tools which can be easily purchased online. According to a 2013 Department of Justice report, 15 million people become victims of credit card or bank fraud each year as a result of cyber scams.
Whether you’re a 19-year old college student or a 40-something soccer mom, here are nine scams that every spring break traveler should watch out for:
Hacked Hotel Rooms. Hackers discovered a couple of years ago that most hotel room electronic locks were insecure and could be easily hacked by attaching a small electronic device to the data port underneath the lock. A string of hotel robberies resulted, and thieves are still using this door lock hacking trick to get into older or unpatched systems.
While you can’t prevent it from happening, you can protect yourself. Don’t leave money or valuables in your room, use the physical door lock and/or the deadbolt at night when sleeping and also take photos of anything valuable you leave in the room in case a break-in occurs, that way you have proof of what was lost.
Electronic Car Theft. Car thieves no longer have to break into your car to steal it - all they have to do is hack it. Police have recently discovered criminal car theft gangs are using “mysterious black boxes” that force the car doors open electronically. What are they? They’re basically just key fob spoofers - and criminals can buy them online for as little as $5. Since there’s no way to prevent this type of attack, unless you’re willing to have your keyless entry system disabled, the best advice is to try to park your car in a well-lighted visible place and don’t leave valuables in the car.
Card Skimmers. Following the massive Target (TGT) breach, credit card “skimming” should be on every consumer’s mind. Cyber criminals are increasingly targeting retailers with credit/debit card-stealing malware that infects the card readers.
There are also criminal gangs throughout the country that insert Bluetooth-enabled monitoring devices into the individual card readers of local stores and gas stations. The best way to protect yourself is to use a credit card instead of a debit card and closely monitor your bank account.
Juicejacking. Think twice before plugging your dying phone into a charging kiosk: it could be infected with malware. Researchers have found that it’s relatively easy to install spyware or other types of malware into public charging kiosks that will infect any smartphone or tablet that’s plugged into it. To keep your devices safe, stick with wall outlets and use your own plug.
Infected Thumbdrives. This is an older scam, but it still works - especially at a time like spring break. Scammers may leave thumbdrives or CD-ROMs in a parking lot, lobby or entertainment venue, often labeled with something enticing (like “Bathing Suit Photos” or “Spring Break Photos”), hoping that someone will pick it up and plug it into their laptop.
If you fall for it, you’re sure to install one or more types of malware on your laptop or computer - most likely a remote access Trojan that will enable the criminal to remotely control and spy on your PC.
Message Bait. A popular scam that often picks up over spring and summer break is the, “Did you see yourself in this video?” message with a tiny URL link sent via email, text or social media.
Other popular subject lines include, “You were so drunk!” or “I can’t believe this is you.” The whole point of this scam (known as a phishing attack) is to tap into your personal fears to get you to click on the hidden link or play the video or open the attachment. Once you do, your computer or mobile device will be infected with spyware. Don’t fall for this trick - or any others like it.
Shared WiFi. By now, everyone should know about the dangers of using an open public WiFi hotspot - but did you know you also have to watch out for ‘protected’ networks at hotels and other venues that require a password? If you use a shared WiFi network at any public venue, it’s easy for someone to intercept your data and monitor what you’re doing: what sites you’re visiting, your account passwords, emails, etc.
Hackers can also “force browse” your laptop, forcing it to visit malicious sites that will download malware or steal your password. If you can, avoid public WiFi altogether on your spring break, and use your phone’s 3G/4G signal instead. If you can’t, use a Virtual Private Network (VPN) which will encrypt your online activity.
Geotagged Photos. If you don’t have geotagging disabled on your phone’s camera, every picture you take and post will give the World Wide Web the exact coordinates of where you were when you took it. This can be dangerous, particularly for women or children. There are a number of online tools that enable people to read the EXIF data contained in this photo to get your exact location.
Social Media Attacks. Be careful about clicking on that viral video or photo that’s making the rounds with your friends. It’s difficult for social media networks to defend against two types of cyber attacks that use these viral posts to circulate: clickjacking and XSS.
With clickjacking, scammers put a fake screen over a hidden malicious link - for instance, a ‘Like’ button or a video ‘play’ button. Once you click on it, the hidden link executes which could do anything from give the scammer access to your contacts, redirect you to an infected site or more. XSS loads a malicious script in your browser to install malware or steal your account credentials. In addition to thinking before you click, you should also consider downloading a browser plugin like NoScript or NotScripts that will help block these types of attacks.
Jason Glassberg is co-founder of Casaba, a white hat hacking firm that performs hacking tests and security consulting for banks, retailers, government agencies and Fortune 500s. www.casaba.com