Never too early to plan for Xmas scams

Written by John P Mello Jr on September 2, 2009 – 5:16 pm -

Online scammers can give Santa a bad name.

The leaves have barely begun to change their hues, but that doesn’t mean it’s too early to start thinking about email attacks launched by Internet fraudsters during their favorite time of year–Christmas.

Holidays, special occasions and high visibility disasters always prime malicious spam campaigns and keep corporate email filtering systems busy, but Christmas is considered prime time for Web miscreants intent on bringing joy to their underworld and misery to the holiday season of others.

Because exchanging greeting cards is a common practice during the holidays, electronic greeting card scams remain popular. The typical card con alerts a target via email that he or she has been sent a holiday greeting from an unnamed sender. The combination of the season (Christmas is the only time many people have an opportunity to catch up on the year’s happenings with some acquaintances) and the lure of “who could be sending me an electronic card” are powerful inducements for someone to break protocol. The email instructs the recipient to click a link in the message to see the card; that link leads to a site where the recipient’s sensitive personal information can be stolen or malware downloaded to his or her machine.



ViddyHo Phishing Scam

Written by Mike Rede on March 23, 2009 – 5:25 pm -

Last month, many users of Google’s GoogleChat service found themselves targeted as potential victims of the ViddyHo worm phishing scam. The scam used a come-on approach, sending messages to users of the online chat service that appeared to come from one of their contacts. Although this phishing scam used a chat service, there is always the potential for such scams to resurface through email.

In this case the scammers used the traditional bait of prompting a user to click a link from tinyurl.com, a service that shortens URLs for easy sharing on sites like Twitter, so that the real destination was hidden until the victim clicked. Victims were then directed to the ViddyHo Web site, where they were asked for their Google login information. Once the user had “logged in,” the captured credentials gave the worm access to the victim’s contact list, which it used to spread.

This is old advice, but it is worth repeating: verify and confirm links sent to you by people you know before you click on them. The name shown in the “From” field, although familiar to you, may not belong to the person who really sent the message. I’ve discussed in previous posts the importance of authenticating the users who have sent you email and the use of certificates of authenticity – are they really who they say they are?



Telltale Signs of a Phishing Email

Written by Mike Rede on March 11, 2009 – 5:44 pm -

Phishing is an email technique used by people who try to obtain your personal and financial information so that they can purchase products or open credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source.

Over the years, I have received dozens of emails that look like they came from departments in real companies such as eBay, PayPal, Amazon, etc. Sometimes the emails look like they came from the security department, and sometimes they look like they came from the “Account Team”.

There are obvious components of fraudulent email that all phishers will use to obtain your trust and personal information.

1. The From line. Often the “From” line includes an official-looking email address that differs by only one or two characters from a real department at a legitimate company that you may or may not be doing business with.

2. The Email Greeting. If your email starts off with “Dear Sir” or “Dear User,” then you know that the sender does not know you by name. A legitimate source will address you with a proper salutation that includes at the very least your last name. The converse does not hold, though: a correct name is no proof of legitimacy, because targeted phishers do their homework.
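As an added illustration (example code, not from the original post or from any product mentioned here), the following Python script applies the tells from this post and from the ViddyHo post above to a raw email message: a sender domain one or two characters off a known brand, a generic greeting, a link routed through a URL shortener such as tinyurl.com, and visible link text that differs from where the link actually goes. The allowlist of known domains, the shortener list, the greeting phrases and the two sample messages are all assumptions constructed for the example.

```python
"""Heuristic triage of a suspicious email: lookalike sender domain, generic
greeting, shortened links, and link text that does not match the link target.
Added example, not code from the original post."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: the brands this recipient actually does business with.
KNOWN_DOMAINS = {"paypal.com", "ebay.com", "amazon.com", "google.com"}
# Assumed shortener list; the ViddyHo scam used tinyurl.com.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "is.gd", "t.co"}
# Assumed generic salutations that show the sender does not know your name.
GENERIC_GREETINGS = ("dear sir", "dear user", "dear customer", "dear member")


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the known domain that `domain` imitates (1-2 edits away), else None."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if 0 < levenshtein(domain, known) <= 2:
            return known
    return None


def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)


def extract_links(html):
    """(anchor text, href) pairs; a regex is enough for triage, not for rendering."""
    pairs = re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S)
    return [(strip_tags(text).strip(), href) for href, text in pairs]


def triage(raw):
    """Return a list of (finding, detail) pairs for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. The From line: a domain a character or two away from a real one.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    imitated = lookalike(domain)
    if imitated:
        findings.append(("lookalike-sender", f"{domain} resembles {imitated}"))
    # 2. The greeting: does the sender know your name?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    opening = strip_tags(text).strip().lower()[:40]
    if any(opening.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", opening.split(",")[0]))
    # 3. The links: shorteners hide the destination, and visible URL text may lie.
    for anchor, href in extract_links(text):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortened-link", href))
        if re.match(r"https?://", anchor) and (urlparse(anchor).hostname or "").lower() != host:
            findings.append(("link-mismatch", f"text {anchor} goes to {host}"))
    return findings


# Constructed sample messages for the example (not real captured mail).
PHISH = """\
From: "PayPal Security Department" <security@paypa1.com>
To: you@example.org
Subject: Account verification required
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear User,</p>
<p>Please <a href="http://tinyurl.com/example-card">confirm your account</a>
or go to <a href="http://tinyurl.com/example-card">https://www.paypal.com/</a>.</p>
</body></html>
"""

CLEAN = """\
From: "PayPal" <service@paypal.com>
To: you@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Mr Rede,</p>
<p>Your statement: <a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(name, triage(raw))
```

Run as a script it reports five findings for the constructed phish (lookalike sender, generic greeting, two shortened links and one text/target mismatch) and none for the clean message. The edit-distance check catches “paypa1.com” but not a wholly unrelated domain, and an email that passes every heuristic is still not proven genuine; the script is a filter for the obvious cases, not a substitute for checking the link destination yourself.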


Justice Department scams its own staff

Written by Dan Blacharski on February 3, 2009 – 5:15 pm -

The Huffington Post carried a story about how the Justice Department hoaxed its own staff with a bogus email designed, as is reported in the headline, to “test employee loyalty.” In reality, it was more of an awareness test than a loyalty test, but the idea still bears some consideration.

The bogus email was sent in January and asked employees to click through to a Web site and enter account information. It promised a “bailout” to employees whose retirement accounts had lost value because of stock market declines, and it was signed “Thrift Savings Plan Account Coordinator”; any savvy staffer would have suspected something right off the bat. Any email, from anybody, that asks you to click through to a website and enter account information is always suspect. Because this was a test and not a real phish, the website wasn’t malicious. The test (or hoax, if you will) has caused alarm throughout the department and a lot of buzz about whether such things are legitimate security measures or a waste of taxpayers’ dollars.

So is it okay to hoax your staff to test security? This may well be a legitimate best practice. It seems that no matter how many warnings are sent out, or how much education IT tries to disseminate, somebody always falls for it. There will always be those people on staff who just don’t think straight, who don’t read the memos, who don’t consider security issues, or who just plain don’t care. How better to drive the point home and test your awareness programs than to conduct a phishing hoax of your own, and then after people respond, say, “Hey, you’ve been punk’d! Wise up next time!”

Think of the test as a type of fire drill to keep people on their toes and make them aware of the possible risks. According to a CNET report on the issue, Justice has been doing this for about three years, “as a tool to train and educate employees.” So just how gullible are Justice employees? Justice isn’t saying, and there’s no word on the results of the test.
