Posts Tagged ‘phishing’
Phishers Not Getting Rich
Written by Mike Rede on March 30, 2009 – 2:41 pm
Most of us have received emails asking us to click on a link and confirm our account information by typing in our personal financial information such as a credit card account number. Later we find out that we’ve been scammed and that our information was used so that someone else could rack up hundreds of dollars in purchases, maybe even thousands of dollars.
Our immediate thoughts are that we hope they catch the criminals who have now enjoyed a spending spree at our expense. We picture the police breaking down the doors of the living domains of these criminals, catching them while they enjoy their falsely purchased electronic gear or perhaps while they are out enjoying some fine dining at an upscale restaurant that we would never spend money on for ourselves.
The truth of the matter is that most phishers are not living lifestyles of the rich and famous, are not dining on lobster tails nor are they watching March Madness from arena box office seats and spending hundreds of dollars in pricey meals each day.
ViddyHo Phishing Scam
Written by Mike Rede on March 23, 2009 – 5:25 pm
Last month, many users of Google’s GoogleChat service found themselves preyed upon as potential victims to the ViddyHo worm phishing scam. The phishing scam was using a come-on approach and sent messages to some users of the online chat service from someone appearing to be one of their contacts. Although the latest phishing scam was using a chat service there is always the potential for such phishing scams to resurface through email.
In this case the scammers used the traditional bait of prompting a user to click on a link from tinyurl.com, a service that shrinks URLs for easy sharing on sites like Twitter. Victims were then directed to the ViddyHo Web site where they were asked for their Google login information. Once the user had “logged in” they unwittingly opened up their contact list for the worm to spread.
This is old advice but is worth repeating: verify and confirm links sent to you from people you know before you click on the links. The names listed in the “To” field, although familiar to you, may not have really sent the email messages. I’ve discussed in previous posts the importance of authenticating the users who have sent you email and the use of certificates of authenticity – are they really who they say they are?
Up to 8000 Comcast E-Mail Accounts Compromised
Written by Sue Walsh on March 18, 2009 – 5:39 pm
Neoseeker is reporting that as many as 8000 Comcast email accounts have been compromised. The breach was discovered by a professor at Wilkes University. While doing a search on his email address he found a document hosted on Scribd that contained the usernames and passwords of thousands of Comcast customers. What’s more, the list had been there for at least 2 months and had been accessed thousands of times. Comcast is denying responsibility:
Jennifer Khoury, a Comcast spokeswoman, responded stating that they did not believe this information was provided by anyone inside the company citing lack of structure on account numbers and duplicity on some of the information. Instead, the information appeared to have been gathered through a phishing type scheme.
Comcast says they are freezing the accounts that were compromised and will notify their owners. If you have a Comcast account you’d be doing yourself a favor if you changed your password. Can’t be too careful! It’s not yet known who owns the document or how the data was obtained but experts believe it could be the result of a phishing scheme.
Telltale Signs of a Phishing Email
Written by Mike Rede on March 11, 2009 – 5:44 pm
Phishing is an email technique used by people who try to obtain your personal and financial information so that they can then purchase products or open up credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source.
Over the years, I have received dozens of emails that look like they came from departments in real companies such as eBay, Paypal, Amazon, etc. Sometimes the emails look like they came from the security department or sometimes they look like they came from the “Account Team”.
There are obvious components of fraudulent email that all phishers will use to obtain your trust and personal information.
1. The From line. Oftentimes the “From” line will include an official-looking email address that is different by one or two characters from a real department in a legitimate company that you may or may not be doing business with.
2. The Email Greeting. If your email starts off with a “Dear Sir” or “Dear User” then you know that the sender of the email does not know you by name. A legitimate source will contact you with the proper salutation which includes at the very least your last name.
IRS Stimulus Package Phishing Scam
Written by Mike Rede on February 9, 2009 – 11:55 am
The United States Computer Emergency Readiness Team (US-CERT) Current Activity web page (http://www.us-cert.gov/index.html) includes a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
As of February 6, the US-CERT Current Activity web page is warning that they are aware of public reports indicating that phishing scams are circulating which involve fraudulent United States Internal Revenue Service emails. The fraudulent emails offer recipients stimulus package payments and ask for personal information by including text that attempts to convince users to follow a link to a website or to complete an attached document.
One such recipient reported that he had received a similar email last year that included information about the stimulus check sent out at that time. The user went on to say that the senders of this phishing email scam had approximated how much money the recipient received in his stimulus check and were off by $23. Because the amount was so close to what the recipient had received, the recipient almost fell for the scam. Luckily the recipient noticed that the sender’s email address was suspicious. The user followed up by sending warnings about that scam to about seven different agencies, including the IRS.
Popular Video Game Falls Prey to Email Phishing Scam
Written by Sue Walsh on January 15, 2009 – 2:51 pm
The Escapist is reporting that the popular video game Call of Duty is being used in a new email phishing scam. The emails claim to be offering keys to a new beta of the game called Call of Duty: Modern Warfare 2. They also direct the recipient to click on a link to download the alleged beta, which Call of Duty’s creator, Infinity Ward, was quick to announce does not actually exist:
Robert Bowling, better known as Infinity Ward’s community manager “fourzerotwo”, would like you to know that there is no such thing as a Call of Duty: Modern Warfare 2 multiplayer beta. In fact, there may not even be Modern Warfare 2 and that Infinity Ward, creator of the war-time series, has yet to even announce what their next project is, despite reports to the contrary. Secrets, these be. Of course, that never stops the internet as a widespread email scam has been sent around the tubes, inviting one and all to a multiplayer beta for Call of Duty: Modern Combat 2. The reason as to why this particular scam is so believable is that the content of the email is exactly the same as the one Infinity Ward sent out themselves in 2007 for the Call of Duty 4 beta. It also doesn’t hurt that the creator of the phishing scam has gone the extra mile and hoaxed its origin, as the emails appear to come from COD5BETA@infinityward.com.
Bowling advises anyone who receives the fake announcement to delete it immediately. He said it simply copies an email sent out last year announcing the current Call of Duty version, but with certain parts updated to make it look like it’s announcing a brand new beta.
A solution to email-based bank phishing attacks
Written by Dan Blacharski on November 10, 2008 – 5:40 pm
A research note from TowerGroup, sponsored by IBM, addresses the issue of security in online banking, and the techniques that cybercriminals are using to gain access to online bank accounts. Although the report, published in 2005, is a bit outdated, its message still hits home.
Generally speaking, so long as you follow standard security protocols (complex passwords, change password regularly, don’t share passwords, and beware of emails claiming to be from your bank asking for login details), online banking is just as safe as driving to your local bank branch. In fact, locally there has been a rash of bank robberies, so online banking may be even safer!
One of the threats highlighted by the report is email phishing, which has become a very common way for attackers to try to steal account information, and sometimes, it works. The report recommends stronger authentication methods to combat this type of fraud.
Spear phishing attacks can target social networking sites
Written by Dan Blacharski on October 17, 2008 – 11:59 am
Social networking sites have changed the game of the Internet, ushering in a new layer of functionality and connectivity. People have new ways to connect, both for fun and business. Unfortunately, attackers also have new ways to connect as a result.
A recent report showed that ten thousand users of LinkedIn, a networking site for business professionals, were targeted in a spear phishing attack which attempted to trick users into downloading a malicious attachment. Spear phishing is particularly dangerous because of the level of trickery involved. By now most of us know to raise the red flag when we receive an email from a web site we use addressed to “Dear Member,” or some other generic greeting, which then proceeds to ask us for personal information. But spear phishing addresses us by name–thereby lulling us into a false sense of security and trust. In this attack, the email appeared to be from LinkedIn and addressed the recipient by name, and asked them to download a file, implying that the member had requested it.
Phishing Email Trends Reported by the APWG
Written by Carl E. Reid on September 29, 2008 – 4:44 pm
The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.
In the first quarter of 2008 the APWG published an excellent “Phishing Activity Trends Report”. It provides detailed statistics that cover various aspects of how phishing activities are exponentially on the upswing. The report starts out by giving a very concrete definition of phishing as a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social-engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as user names and passwords.
Some overview topics covered in the APWG report include:
Countries Hosting Phishing Sites
The United States remains the top country hosting phishing sites due to a large majority of attacks being targeted toward United States-based companies. Russia remained in the top four of all countries throughout the period. There was an interesting drop for China in the last month, when they only rendered 3% of top countries hosting websites.
Most Targeted Industry Sectors
Financial Services continues to be the most targeted industry sector during the first quarter of 2008. This is consistent with results since the APWG began tracking targeted industry sectors. The uptick of Government as a target in March reflects a rise in IRS-related phishing attacks or similar scams – by phishing and other media – related to the IRS-administered 2008 Economic Stimulus Refund program.
Phishing is Whaling with Executives
Written by Carl E. Reid on September 4, 2008 – 3:09 pm
John Markoff’s article in the New York Times “Larger Prey Are Targets of Phishing” emphasizes that people must always be vigilant in not opening emails from unknown entities. It’s important for email administrators to continue educating their email community. Quite a few email administrators were definitely in the hot seat with this high profile phishing attack.


