IC3 Annual Report – 2018 Internet Crime Report

Dear Reader,

The FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists, and the FBI’s IC3 provides the public with a trustworthy and convenient reporting mechanism to submit information concerning suspected Internet facilitated criminal activity.

The 2018 Internet Crime Report emphasizes the IC3’s efforts in monitoring trending scams such as Business Email Compromise (BEC), Extortion, Tech Support Fraud, and Payroll Diversion. In 2018, IC3 received a total of 351,937 complaints with losses exceeding $2.7 Billion.

This past year, the most prevalent crime types reported by victims were Non-Payment/NonDelivery, Extortion, and Personal Data Breach. The top three crime types with the highest reported loss were BEC, Confidence/Romance fraud, and Non-Payment/Non-Delivery.

In February 2018, the IC3 established the Recovery Asset Team (RAT) to assist in the recovery of funds for victims involved in BEC schemes by streamlining communications to financial Institutions. The RAT works within the Domestic Financial Fraud Kill Chain (DFFKC) to recover fraudulent funds wired by victims. The DFFKC is a partnership between law enforcement and financial entities. In 2018, the IC3 RAT notified 56 field offices and 12 Legal Attachés of 1,061 DFFKC’s totaling $257,096,992, a recovery rate of 75%.

Another new asset of the IC3 was the creation of the Victim Specialists-Internet Crimes (VSIC) position. The VSIC contact victims of internet crimes, provide crisis intervention, conduct needs assessments, and refer victims to resources and referrals when appropriate. This new position is designed to ensure timely support and services are provided to victims to prevent further victimization and to engage the recovery process as quickly as possible. These positions also lead to a greater coordination of services with the victim’s local field office Victim Specialist.

We hope this report provides additional information of value as we work together to protect our nation against cyber threats.

Matt Gorham
Assistant Director
Cyber Division
Federal Bureau of Investigation

Read the full report here: https://www.ic3.gov/Media/PDF/AnnualReport/2018_IC3Report.pdf

Security Update – 2019

Article (PSA-0011)
Submitted by: Billy Joe Long
Company: PSA Computer Services
Titled: Security Update
Original release date: February 16, 2019

Security Update

“From the sudden spread of WannCry and Petya/NotPetya ransomware, to the swift growth in coinminers, 2017 provided us with another reminder that digital security threats can come from new and unexpected sources. With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.” – Excerpt from Symantec 2018 Internet Security Threat Report (ISTR), volume 23, clarifications by Billy Long.

The Internet can be a dangerous and costly place. Network and computer security threats are a very real concern for businesses and home users alike. Symantec, the world’s leading cyber security company, reported an astounding 8,500% (yes, that’s correct eight thousand five hundred) increase in detections of coinminers on endpoint computers, a 92% increase in new downloader variants and an 80% increase in new malware on Macs.

Data and identity theft are a profitable sector, but that is not the only thing at risk in today’s Internet connected world. Your network connected device has processing power and that processing power has become a commodity to many “bad actors” who are diligently punching in to work each day.

These “attack teams” or “attack groups” are constantly developing methods for infecting devices and computers with malware for their own nefarious purposes. Malware can spread through, what appear to be, legitimate files, links or websites. What’s even worse is “attack toolkits,” can be downloaded for free or purchased from the Internet making cybercrime accessible and inexpensive to commit and allowing these crimes to be perpetrated by relatively unsophisticated attackers.

It’s important for all Internet users to have a basic understanding of these threats and to learn how to protect themselves. This article is the first in a series of articles which will provide an overview of malware threats, suggestions for infection prevention and steps to take if you suspect your computer is infected.

What Is Malware?

The word “malware” is a portmanteau, blended from the words “malicious” and “software.” It is most often used as a catchall term for computer related threats such as viruses, spyware, adware, and other software installed without a user’s consent or knowledge.

Malware can get into your system in a variety of ways. Here is short, non-exhaustive list:

  • Infected email attachments
  • Infected removable storage devices such as portable “thumb-drives”
  • Downloaded software
  • Links in email, social media websites, or instant messages

For more information on methods of attack and attack terminology, check out the “Threat Glossary” being compiled at the PSA Computer Services support website: https://psa-2.com/threat-glossary/

Do You Need to Worry About Malware?

So, you may be thinking this all sounds scary, but does it really affect me at home or at my small business? Yes! It is not just large companies or government organizations that need to protect themselves. Anybody can be a victim of cyber-crime if not properly protected.

If you are a business, your customers trust you with their information. If you’re a home-based user, you may have family pictures, important documents or business data stored on your computer. If you’re not taking appropriate steps to secure your network and data, your computer and information are not safe. Preliminary statistics indicate 1 in 3 people were hacked in 2018. Information security breaches can have major financial and legal consequences.

In the next article we will look at what network and computer protection is available to you and how to exercise common sense Internet usage to help reduce the probability of you or your business being compromised.

Directory Structure and File Name Conventions

Article (PSA-0010)
Submitted by: Billy Joe Long
Company: PSA Computer Services
Titled: Directory Structure and File Name Conventions
Original release date: October 19, 2018

Directory Structure and File Name Conventions

When storing data we, as responsible digital citizens, need to ensure our directory structures and file names are human readable and well organized. This ensures the digital information stored within your company (or home) can be retrieved efficiently and accurately. We start this discussion by looking at a few directory structure conventions and a usage example.

As with most things in life, consistency is critical. Organize directories in a way that makes sense within the context of your home or company, and then stick to it. It should make sense to anyone who happens to be working within the directory structure. For example, I work from a home based office, so my computer contains not only personal data (pictures, documents, ect), but also business data. The root of my storage directory structure clearly describes that distinction by providing two directories: ‘Personal’ and ‘Business’. Within the ‘Personal’ directory I have organized my personal digital life, and within the ‘Business’ directory I have organized my business digital life.

Once the initial directories were in place, I began to make more distinctions about the type of data the directory contained by using descriptive names and nesting related directories, where appropriate, in a hierarchical fashion.

Here is a simple example; let’s say you have hundreds (or more) pictures collected over many years. To efficiently organize these pictures, we first, create a ‘Pictures’ directory (one probably already exists on your computer). Then organize the pictures further by creating a year directory within the ‘Pictures’ directory, eg. 2018, 2019, ect. Then within each year directory you could include month directories, eg. JAN, FEB, ect. This directory structure can be as simple or complex as necessary. Personally, I adhere to the ‘keep it simple and consistent’ policy. Next, let’s take a look at ‘File Naming Conventions’.

A file name should be distinguishable among other files. Groups of files should be easily sorted for efficient reviewing and searching. File names should also be unique. Over time files can be moved and without the existing folder structure, important descriptive information about the contents of the file could be lost. Carefully consider whether your filename would be meaningful outside of your directory structure.

Here are guidelines I use consistently for file names within my company as well as at home:

  1. If the date the file was created is important, include it in the filename. If you are going to use the date, be sure to pick a date format and stick to it consistently. I like to use the MMDDYY format (two digit month, two digit day, two digit year.)
  2. If the file is related to a project, consider using an abbreviation of the project name as part of the file name.
  3. If the file is part of a multi-organizational effort, consider using your organizations initials in the name. Be sure your initials are unique among the other involved organizations.
  4. If there will be multiple versions of the file, consider using a ‘zero padded’ numbering system as part of the name. You will need to make an educated guess as to how many versions there may be, and pad the version number appropriately. At a minimum, I pad file versions with two zeros, eg. 001, 002, ect.

Finally, here is a list of the “Do’s and Don’ts” of file naming.

  1. Don’t use spaces and punctuation, except for the hyphen and underscore.
  2. Do use underscore or “camelCase” between file name elements, eg. my_data_file.txt or myDataFile.txt . Neither approach is better – but whichever one you pick, stick to it!
  3. Don’t use spaces, tabs, semicolons or periods in your filename.
  4. Do try to keep the file name to a maximum of 25 characters in length if possible.

A well thought out directory structure coupled with an equally well thought out file naming convention makes searching and sorting information a very straightforward task. If you work at a company, be sure to check and see if they have employee guidelines to directory and file naming conventions … they really should! One day we will retire, will the guy or gal replacing us be able to find anything efficiently? It’s really up to us.