<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; scams</title>
	<atom:link href="http://www.theemailadmin.com/tag/scams/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Never too early to plan for Xmas scams</title>
		<link>http://www.theemailadmin.com/2009/09/never-too-early-to-plan-for-xmas-scams/</link>
		<comments>http://www.theemailadmin.com/2009/09/never-too-early-to-plan-for-xmas-scams/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 15:16:57 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[christmas]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[spam emails]]></category>
		<category><![CDATA[xmas]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1458</guid>
		<description><![CDATA[The leaves have barely begun to change their hues, but that doesn&#8217;t mean it&#8217;s too early to start thinking about email attacks launched by Internet fraudsters during their favorite time of year&#8211;Christmas. Holidays, special occasions and high visibility disasters always prime malicious spam campaigns and keep corporate email filtering systems busy, but Christmas is considered [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-full wp-image-1459  alignright" style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2009/09/bad-santa.png" alt="Online scammers can give Santa a bad name." width="200" height="174" /></p>
<p>The leaves have barely begun to change their hues, but that doesn&#8217;t mean it&#8217;s too early to start thinking about email attacks launched by Internet fraudsters during their favorite time of year&#8211;Christmas.</p>
<p>Holidays, special occasions and high visibility disasters always prime malicious spam campaigns and keep corporate email filtering systems busy, but Christmas is considered prime time for Web miscreants intent on bringing joy to their underworld and misery to the holiday season of others.</p>
<p>Because exchanging greeting cards is a common practice during the holidays, electronic greeting card scams remain popular. The typical card con will alert a target via email that he or she has been sent a holiday greeting from a mystery sender. The combination of the season&#8211;Christmas is the only time many people have an opportunity to catch up on the year&#8217;s happenings with some acquaintances&#8211;and the lure of &#8220;who could be sending me an electronic card&#8221; are powerful inducements for someone to break protocol. The email instructs a recipient to click a link in the message to see the card, a link that leads to a site where a recipient&#8217;s sensitive personal information can be stolen or malware downloaded to his or her machine.</p>
<p><span id="more-1458"></span>Valid Web site addresses are frequently used in the e-card messages, but they often have phony domain names. A typical malicious link might lead to a site that&#8217;s a direct ripoff of a genuine electronic greeting card site. On arriving at the site, a visitor is told that the cyber-outlet is testing a new Web feature and instructs the visitor to click on a button to test it. Clicking the link results in malware being downloaded to the target&#8217;s computer.</p>
<p>One way that legitimate greeting card companies have countered attacks on their business is requiring that both the name of the sender and recipient be included in any correspondence notifying someone that they&#8217;ve received a card. The requirement takes the pleasant surprise out of receiving an e-card, but it blunts the unpleasant surprises that arise without it.</p>
<p>As awareness of greeting card scams has grown, fraudsters have honed their message. It&#8217;s quite common, for instance, for the bait message to contain warnings about email cons in an attempt to make it appear as if the message is coming from a legitimate e-card retailer.</p>
<p>Hot gift items are another popular target of spam scum. Every year, there are hot gifts in great demand but in short supply. Scammers will take advantage of that situation by crafting emails announcing great deals on the hot gift. To take advantage of the deal, all a recipient needs to do is click a link. Once clicked, the email mark is taken to a bandit web site and electronically mugged.</p>
<p>Because of a surfeit of jolliness during the Christmas season, malicious spammers are unabashed about recycling transparent scams that would yield very little success at any other time of the year. One such con is the lottery scam. Targets receive a message saying that they&#8217;ve won a Christmas Lottery sponsored by a large, recognizable organization. They&#8217;re told that winners were chosen by picking random email addresses. A link is provided to collect their winnings. Click the link and&#8230;you get the picture.</p>
<p>Since Xmas is the time for giving, scammers like to solicit donations for charitable organizations. Those solicitation letters, though, usually lead to a bogus website and some form of theft and mischief perpetrated on a good soul intent on helping his or her fellow man.</p>
<p>In preparation for the Xmas uptick in nefarious spam activity, email administrators should start dusting off their caution messages for users. While the warnings may seem repetitive to some, it doesn&#8217;t hurt to remind users about good security practices before dubious messages begin to appear in their inboxes. Such warnings should contain tried and true advice such as:</p>
<ul>
<li>Never open attachments from strangers, or from friends, colleagues or family who don&#8217;t ordinarily send you messages with attachments.</li>
<li>Never click on Web links in email from strangers, or from institutions like banks, especially banks with which you don&#8217;t do business.</li>
<li>Never forward a message to a large number of recipients at the request of an email sender, whether the sender be known or unknown. Oftentimes friends forward emails without forethought and after it&#8217;s too late to avert the adverse consequences of a malicious message.</li>
<li>Always be suspicious of emails with bad spelling and syntax or which contain technical language intended to obfuscate, or emotional subjects tugging the heartstrings while tapping the wallet.</li>
</ul>
<p>No doubt scammers will come up with a few new twists to their cons during this holiday season, but the basics of their schemes remain the same. With a little education and some good spam filters, an email administrator should be able to assure a safe and secure holiday season for his or her system&#8217;s users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/never-too-early-to-plan-for-xmas-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ViddyHo Phishing Scam</title>
		<link>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/</link>
		<comments>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 15:25:11 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=592</guid>
		<description><![CDATA[Last month, many users of Google&#8217;s GoogleChat service found themselves preyed upon as potential victims to the ViddyHo worm phishing scam. The phishing scam was using a come-on approach and sent messages to some users of the online chat service from someone appearing to be one of their contacts. Although the latest phishing scam was [...]
]]></description>
			<content:encoded><![CDATA[
<p>Last month, many users of Google&#8217;s GoogleChat service found themselves targeted as potential victims of the ViddyHo worm phishing scam. The scam used a come-on approach, sending messages to some users of the online chat service from someone appearing to be one of their contacts. Although this latest phishing scam used a chat service, there is always the potential for such scams to resurface through email.</p>
<p>In this case the scammers used the traditional bait of prompting a user to click on a link from tinyurl.com, a service that shrinks URLs for easy sharing on sites like Twitter. Victims were then directed to the ViddyHo Web site where they were asked for their Google login information. Once the user had “logged in” they unwittingly opened up their contact list for the worm to spread.</p>
<p>This is old advice but is worth repeating: verify and confirm links sent to you from people you know before you click on the links. The names listed in the “To” field, although familiar to you, may not have really sent the email messages. I’ve discussed in previous posts the importance of authenticating the users who have sent you email and the use of certificates of authenticity – are they really who they say they are?</p>
<p><span id="more-592"></span>In 2008, many people received emails from foreigners overseas who claimed to know someone who recently had died but had left a large sum of money. The foreigner would offer to split some of the proceeds with the email recipient in exchange for cooperation and some help with wiring the money to the states. Most variations of these email phishing scams were offshoots of the Nigerian money wires. Now that people are fully aware of these scams the scammers have to invent new methods and new false scenarios to suck in the innocent email recipients. As a result, tricking people into viewing video links is becoming more and more prevalent as the perpetrators are able to infect the computer by uploading malware in the background while the videos run.</p>
<p>So to protect your company’s user community, it would be wise to post an internal message warning your users not to click on links sent to them, or to log on to any sites related to the ViddyHo.com site, from emails received from friends or acquaintances.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/viddyho-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Telltale Signs of a Phishing Email</title>
		<link>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/</link>
		<comments>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 15:44:16 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=501</guid>
		<description><![CDATA[Phishing is an email technique used by people who try to obtain your personal and financial information so that they can then purchase products or open up credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source. Over the years, [...]
]]></description>
			<content:encoded><![CDATA[
<p>Phishing is an email technique used by people who try to obtain your personal and financial information so that they can then purchase products or open up credit lines in your name. The emails they send are designed to deceive you and often look as if they came from a credible source.</p>
<p>Over the years, I have received dozens of emails that look like they came from departments in real companies such as eBay, Paypal, Amazon, etc. Sometimes the emails look like they came from the security department or sometimes they look like they came from the “Account Team”.</p>
<p>There are obvious components of fraudulent email that all phishers will use to obtain your trust and personal information.</p>
<p>1. The From line. Oftentimes the “From” line will include an official-looking email address that is different by one or two characters from a real department in a legitimate company that you may or may not be doing business with.</p>
<p>2. The Email Greeting. If your email starts off with a “Dear Sir” or “Dear User” then you know that the sender of the email does not know you by name. A legitimate source will contact you with the proper salutation which includes at the very least your last name.<span id="more-501"></span></p>
<p>3. A Warning Message. Phishing emailers will try to create fear or panic by stating that the message is urgent and that if you don’t act soon you will lose account privileges or you will soon be unable to access your account altogether. To keep your account open and accessible you are requested to please login and verify your account by providing private information.</p>
<p>4. Fraudulent Links. You may be asked to click on a reasonable looking link that takes you to a website that also looks legitimate. Clicking on the link will take you to a site that asks for your personal information or, worse, launches a virus. Never click on links if you suspect a false email source.</p>
<p>5. Attachments. Never click on an attachment if you do not trust the source. As with fraudulent links, attachments can also be used to download spyware or viruses.</p>
<p>If you suspect you have received a phishing email send or forward the email to <a target="_blank" href="mailto:spam@uce.gov">spam@uce.gov</a> – and to the company or organization impersonated in the phishing email. You can also report phishing email to <a target="_blank" href="mailto:reportphishing@antiphishing.org">reportphishing@antiphishing.org</a>. The Anti-Phishing Working Group is a consortium of ISPs, security vendors, financial institutions and law enforcement agencies that use these reports to fight phishing.</p>
<p>If you think someone has used your information to steal your identity then please go to the Federal Trade Commission&#8217;s Identity Theft website, ftc.gov/idtheft, to learn more about how to respond to and recover from identity theft.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/03/telltale-signs-of-a-phishing-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Justice Department scams its own staff</title>
		<link>http://www.theemailadmin.com/2009/02/justice-department-scams-its-own-staff/</link>
		<comments>http://www.theemailadmin.com/2009/02/justice-department-scams-its-own-staff/#comments</comments>
		<pubDate>Tue, 03 Feb 2009 15:15:05 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=303</guid>
		<description><![CDATA[The Huffington Post carried a story about how the Justice Department hoaxed its own staff with a bogus email designed, as is reported in the headline, to &#8220;test employee loyalty.&#8221; In reality, it was more of an awareness test than a loyalty test, but the idea still bears some consideration. The bogus email was sent [...]
]]></description>
			<content:encoded><![CDATA[
<p>The <a target="_blank" href="http://www.huffingtonpost.com/2009/01/30/doj-sent-hoax-email-to-te_n_162489.html">Huffington Post</a> carried a story about how the Justice Department hoaxed its own staff with a bogus email designed, as is reported in the headline, to &#8220;test employee loyalty.&#8221; In reality, it was more of an awareness test than a loyalty test, but the idea still bears some consideration.</p>
<p>The bogus email was sent in January and asked employees to click through to a Web site and enter account information. The email promised a &#8220;bailout&#8221; to employees whose retirement accounts had lost value because of stock market declines. It was signed by &#8220;Thrift Savings Plan Account Coordinator,&#8221; and any savvy staffer would suspect something right off the bat. Any email, from anybody, that asks you to click through to a website and enter account information is always suspect. Because this was a test and not a real phish, the website wasn&#8217;t malicious. The test&#8211;or hoax, if you will&#8211;has caused alarm throughout the department and a lot of buzz about whether such things are legitimate security measures or a waste of taxpayers&#8217; dollars.</p>
<p>So is it okay to hoax your staff to test security? This may well be a legitimate best practice. It seems that no matter how many warnings are sent out, or how much education IT tries to disseminate, somebody always falls for it. There will always be those people on staff who just don&#8217;t think straight, who don&#8217;t read the memos, who don&#8217;t consider security issues, or who just plain don&#8217;t care. How better to drive the point home and test your awareness programs than to conduct a phishing hoax of your own, and then after people respond, say, &#8220;Hey, you&#8217;ve been punk&#8217;d! Wise up next time!&#8221;</p>
<p>Think of the test as a type of fire drill to keep people on their toes, and make them aware of the possible risks. According to a <a target="_blank" href="http://news.cnet.com/8301-1009_3-10153795-83.html">Cnet report</a> on the issue, Justice has been doing this for about three years, &#8220;as a tool to train and educate employees.&#8221; So just how gullible are Justice employees? Justice isn&#8217;t saying, and there&#8217;s no word on the results of the test.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/02/justice-department-scams-its-own-staff/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

