Technology Explained for All
Phishing Attacks
Facebook: ALERT – New Malware attack using Facebook. DON'T CLICK ON “Most Hilarious Video Ever” wall posts.
May 31st
It seems that recently Facebook has been at the center of many web issues. Unfortunately, this is a trend that seems set to continue: there is now a new Facebook attack whose goal is to steal your credentials (and therefore take over your account) in addition to downloading malware onto your PC. If you see any wall post about the “Most Hilarious Video Ever”, DO NOT CLICK on it. If it's on your own wall, delete the post from your wall. If you have already clicked on the link (fallen for the post), you need to immediately go to your profile and change your password.
The following information comes from the Websense Security Labs blog (http://community.websense.com/blogs/securitylabs/) concerning this new FB attack; included below is a video from Websense showing how the attack happens.
Posted: 28 May 2010 09:11 PM
We predicted that this attack would happen again and unfortunately we were right.
This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing except of course if you look at the address bar you can see that you’re not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to login.
Regardless of what you enter in the login form you are then taken to a page on the real Facebook site that asks you to allow the application to access your profile. If you allow that you’re taken to a page saying that you need to upload your FLV Player to view the video. Up until this point it’s similar to how the two previous attacks have worked, except that this new one also has the phishing component. However, what happens now depends on which country you are connecting from.
If you are coming from a US IP address you are prompted to download the FLV Player, which is detected by 35% of antivirus engines (http://www.virustotal.com/analisis/ba220931f0993b752cc9cc25d449904646528fee138ace928f027bb643f3b61e-1275104977), as can be seen in the screen shot:
However, if you’re coming from a UK IP address you’re taken to a quiz where you have to answer 10 questions.
Once completed the user then gets the chance to win an iPad! All they have to do is to fill in their address. So instead of tricking the user into installing a malicious file, this time they’re after your information in addition to your Facebook credentials from the fake login page.
It’s very likely that the behavior is different than the two examples we have described depending on which country you connect from. In our testing we only had the ability to test this attack from the US and UK, but regardless of where you are connecting from you shouldn’t click on the fake video and never, ever give your Facebook username and password to a website that is not facebook.com. We also recommend you install Defensio, our free security app for Facebook that will protect your wall from posts like this. You can get it from http://defensio.com
Alert: Fake IRS email scam. This is from the PandaLabs website
Apr 10th
With April 15th and the tax deadline here in the US being just a few days away, here is an alert from the PandaLabs website (http://pandalabs.pandasecurity.com/). This alert goes out especially to all those internet users who seem to believe everything they get in an email (you know who you are).
***************************************************************************************************************
From the PandaLabs website (http://pandalabs.pandasecurity.com/irs-1042-w-identity-theft-scam/)
IRS 1042-W Identity Theft Scam
- Posted on 04/9/10 by Sean-Paul Correll (http://pandalabs.pandasecurity.com/author/sean-paul-correll/)
It’s tax season in the United States and the April 15th filing deadline is approaching quickly. Every year around this time U.S. citizens stress about getting their finances in order and reported to the Internal Revenue Service in time to avoid penalties. Careful though, because that nervousness might just help a cyber criminal steal your identity. A fake IRS Tax Form (1042-W, which apparently doesn’t even exist) has been spammed out and is currently circulating on the Internet.
The e-mail arrives disguised as an official correspondence (irs@irs.gov) from a rep named Cindy at the Internal Revenue Service.
[Image: Fake IRS E-mail]
Two PDF attachments are included with the email, both of which were authored in Microsoft Word 2007.
[Image: Fake IRS PDF Documents (1042-S B.PDF and 1042-S A.PDF)]
The first document introduces the 1042-W form and reads:
Dear Sir/Madam,
Our record indicates that you have not submitted your form 1042-W. As a result, you are exempted from United States of America Tax reporting and withholdings, on interest paid you on your account and other financial dealing to protect your exemption from tax on your account and other financial benefit in rectifying your exemption status.
Therefore, you are to authenticate the following by completing form 1042-W, and return to us as soon as possible through the fax number: +1-780-669-7364
[Image: Fake IRS Document]
The second PDF document is the form itself. It asks for the following:
- Name
- Date of Birth
- Nationality
- Place of Birth
- Address
- Passport Number
- Mother’s Maiden Name
- Social Security Number
- Profession
- Bank Name/Account/Pin – Date bank account was opened and branch location
- Attached photocopy of passport
[Image: Fake IRS Tax Form (1042-W)]
After completing the form, the instructions call for faxing it over to a phone number (+1-780-669-7364) located in Alberta, Canada.
Sending this form over to the criminals would most definitely result in a stolen identity. The IRS has stressed year after year that it does not make unsolicited requests via e-mail. Here are some tips on how to spot an IRS scam and what to do if you receive one in your inbox:
How to Spot a Scam
Many e-mail scams are fairly sophisticated and hard to detect. However, there are signs to watch for, such as an e-mail that:
- Requests detailed or an unusual amount of personal and/or financial information, such as name, SSN, bank or credit card account numbers or security-related information, such as mother’s maiden name, either in the e-mail itself or on another site to which a link in the e-mail sends the recipient.
- Dangles bait to get the recipient to respond to the e-mail, such as mentioning a tax refund or offering to pay the recipient to participate in an IRS survey.
- Threatens a consequence for not responding to the e-mail, such as additional taxes or blocking access to the recipient’s funds.
- Gets the Internal Revenue Service or other federal agency names wrong.
- Uses incorrect grammar or odd phrasing (many of the e-mail scams originate overseas and are written by non-native English speakers).
- Uses a really long address in any link contained in the e-mail message or one that does not start with the actual IRS Web site address (www.irs.gov). To see the actual link address, or url, move the mouse over the link included in the text of the e-mail.
What to Do
The IRS does not initiate taxpayer contact via unsolicited e-mail or ask for personal identifying or financial information via e-mail. If you receive a suspicious e-mail claiming to come from the IRS, take the following steps:
- Do not open any attachments to the e-mail, in case they contain malicious code that will infect your computer.
- Do not click on any links, for the same reason. Also, be aware that the links often connect to a phony IRS Web site that appears authentic and then prompts the victim for personal identifiers, bank or credit card account numbers or PINs. The phony Web sites appear legitimate because the appearance and much of the content are directly copied from an actual page on the IRS Web site and then modified by the scammers for their own purposes.
- Contact the IRS at 1-800-829-1040 to determine whether the IRS is trying to contact you.
- Forward the suspicious e-mail or url address to the IRS mailbox phishing@irs.gov, then delete the e-mail from your inbox.
Alert: Fake Facebook Email – It’s another trick to get you to download a virus.
Mar 22nd
Another “old friend” seems to be making an email visit again. People have started getting the following email claiming that “The Facebook team” has reset your password and that you have to click on the download to get your information….
***********************************************************************************************************
Facebook Password Reset Confirmation NR.2033
From: The Facebook Team | Date:
17/03/2010 8:09 AM | Email
To: xxxxxxx@xxxxxx.com
Attachments: Facebook_password_2264.zip (62 KB)
Hey xxxxxx ,
Because of the measures taken to provide safety to our clients, your
password has been changed.
You can find your new password in attached <document.
Thanks,
The Facebook Team.
***********************************************************************************************************
Considering how many calls and messages I’ve gotten today about infected machines, I know people are falling for it. So let’s start with a simple lesson: FACEBOOK DOES NOT RANDOMLY CHANGE USERS’ PASSWORDS AND IT DOES NOT SEND YOU YOUR UPDATED INFORMATION VIA EMAIL IN AN ATTACHMENT. SO DON’T OPEN THIS EMAIL IF YOU GET IT. OK, with that being said, here are some tips for using Facebook (directly from the Facebook security page, http://www.facebook.com/security?ref=blog#!/security?v=app_7146470109&ref=mf):
When we talk about security, we’re talking about scams, viruses, and hacks that could infect your computer or take over your Facebook account and result in a lot of annoyance for you and your friends.
Security isn’t just an issue on Facebook, but all over the web, which is why it’s important to be aware online, and to learn how to protect your accounts and your computer.
Here are some ways to be smart and aware on Facebook and across the Internet:
- Use different passwords for your various online accounts. If you use the same password everywhere, and it’s stolen, you could lose access to all of your accounts at once.
- Be wary of where you enter your password. Just because a page on the Internet looks like Facebook or another site you use, it doesn’t mean that it is. Check the address bar in your browser, and learn to tell the difference between a good URL and a bad one. If you ever have doubts about the legitimacy of a link, simply type the website’s URL (for example, http://www.facebook.com) into the address bar.
- Don’t share your passwords with anyone. Don’t do it. Most reputable online services will never ask for your password through any form of communication.
- Don’t click on links or open attachments in suspicious emails. If the email looks weird, don’t trust it, and delete it from your inbox immediately.
- Use a complex password that can’t be easily guessed. Avoid common words, and make sure your password is at least eight characters long and includes capital and lower case letters, numbers, and symbols.
- Be suspicious of any email or message that contains an urgent request or asks you to update your information or provide new information.
- Be suspicious of emails or messages that contain misspellings or use bad grammar, especially if they’re from someone who is usually a good writer.
- Make sure you have an up-to-date web browser equipped with an anti-phishing blacklist. Some examples are Internet Explorer 8.0 and Firefox 3.0.10.
- Make sure you have up-to-date comprehensive security software on your computer that includes anti-virus, anti-spyware, anti-phishing, and a firewall.
- Make sure you’ve set your operating system to update automatically.
- Make sure you’ve listed a security question and answer for your online accounts. This will come in handy if you ever lose access and need to prove who you are. You can do this on Facebook from the Account Settings (https://register.facebook.com/editaccount.php) page. You should also add a mobile phone number from this page (http://www.facebook.com/mobile/?settings), which will help if we ever need to send you a text message to confirm your identity.
- Remember that you choose what you share and with whom you share it. Think before you post, especially if the information is sensitive or personal in nature. You can learn more about how to control your information on Facebook, including how to choose an audience for each and every post you make, in our Privacy Guide (http://www.facebook.com/privacy/explanation.php)
In addition, here are some known threats that you can run into while using Facebook (also directly from the Facebook security page, http://www.facebook.com/security?ref=blog#!/security?v=app_4949752878&ref=mf):
Spammy Wall Posts, Inbox Messages, and Chat Messages
When criminals gain access to a Facebook account, they usually post spammy comments on friends’ Walls, or send spammy messages through Inbox or Chat. These messages ask you to click on a link and often try to entice you by claiming there’s a new photo or video of you somewhere on the Internet that you need to check out. The link then takes you to a phishing (http://en.wikipedia.org/wiki/Phishing) site that asks you to enter your login information, or a malware (http://en.wikipedia.org/wiki/Malware) site that prompts you to download malicious software.
Don’t click on strange links in posts or messages, even if they’re from friends. If it seems weird for an old friend to write on your Wall or send you a message, it’s possible that the person’s account has been taken over by a spammer. Be particularly cautious of posts or messages that contain misspellings or use bad grammar.
Money Transfer Scams
Scammers sometimes post status updates, or send Inbox or Chat messages, from a friend’s account claiming that the friend is in some difficult situation and in need of money. These messages ask you to help by wiring funds through a money transfer service.
Never send money without first verifying the story through some other means, such as by talking to the person over the phone. If a friend’s account has been taken over, contact us (http://www.facebook.com/help/?faq=14257) so that we can block access. If you’ve sent money, report it to the money transfer service, and, if you’re in the United States, the Federal Trade Commission (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt034.shtm) or the Federal Bureau of Investigation (http://www.ic3.gov/default.aspx). You’ll find more tips and a complete transcript of a real conversation with a scammer here (http://www.facebook.com/note.php?note_id=96651525765).
Fake Notification Emails
Spammers and scammers sometimes send phony emails that have been made to look like they’re from Facebook or another reputable website. These emails can be very convincing, and the “From:” field can even be spoofed to include “Facebook” or “The Facebook Team.”
If an email looks strange, don’t click on any of the links in it, and delete it from your inbox immediately. Be especially wary of emails that ask you to update your account, tell you to open an attachment, or warn you to act quickly before something happens.
Chain Letters and Messages from Phony Facebook Employees
You might occasionally see a status update or message making some claim about Facebook and urging you to take an action. Examples include:
- Facebook is becoming overpopulated.
- Facebook is going to start charging money.
- Certain users have special access to profile information.
- Facebook is selling your data.
Sometimes, these come from people claiming to be Facebook employees who then ask you to provide your password or other personal information.
If a status update or message doesn’t look right, don’t believe it. Disregard it, and tell your friends that it’s phony. If someone pretending to be a Facebook employee asks you for your password, don’t give it out, and report the person immediately by clicking the report link either on the message or the person’s profile.
For more information about Facebook site governance and privacy, check out these documents:
Facebook Principles (http://www.facebook.com/principles.php)
Statement of Rights and Responsibilities (http://www.facebook.com/terms.php)
Privacy Policy (http://www.facebook.com/policy.php)
Suspicious Applications
Facebook has strict policies (http://developers.facebook.com/policy) for developers to help make sure that applications don’t misuse your data. While most applications play by the rules, you may occasionally come across one that doesn’t quite look right.
Use caution when interacting with applications. If you think an application is violating our policies, report it to us through the link on the application’s About page. You may also want to block the application by clicking the “Block” link on its About page.
Now that you have seen the information directly from Facebook, let me add one more thing. I will acknowledge that having to chase down and fix computers for people who fall into the traps above (as well as other known internet virus/malware/rogueware traps) is job security. Seriously, this is not the type of job security I had in mind.
Alert: Another Fake Email Installs Rogue Software (From Panda Labs Blog)
Mar 6th
One of the biggest reasons TechGeekandMore started was how many customers I had (and still have) to visit every week to either clean viruses off a PC or (even worse) recover as many files as possible and then reinstall Windows. I wanted a way to try to alert and educate my customers about how …..
- No African prince was going to give you millions
- Emails that say they are from a friend or family member, with that weird-looking attachment, could actually be fake
- Hot College Girl……well, this one just really doesn’t have much beyond “Don’t do it”.
ETC ETC ETC…….
Along those lines, a new email started this week that has only one goal: to trick you into downloading and installing some really nasty software (more of the fake antivirus software). This new email says that “You have received a postcard”……
The following information comes from the PandaLabs blog (http://pandalabs.pandasecurity.com/the-thousand-faced-rogue/)
******************************************************************************************************************
The Thousand-Faced Rogue
Mar 5
- Posted on 03/5/10 by Olaiz (http://pandalabs.pandasecurity.com/author/olaiz/)
We want to inform you of a new flood of email messages that seem to contain a postcard but are actually distributing malware. Concretely, we’ve seen several thousand in a few hours.
It’s not the first time we see emails like this in circulation, as subjects like “You’ve received a postcard” are very recurrent.
The message is like the following:

The message seems to have been sent by a member of your family through a legal website to download and send postcards, so that users don’t suspect. In order to view the postcard, you have to open the attached file. It’s a file compressed with zip and if you run it, a rogueware program will be installed in your computer, which is different depending on the message and the operating system you have.
The following are some of the names of the fake antivirus that can be installed in your computer if you run this file:
% Antispyware 2010
Antivirus % 2010
% Guardian 2010
% Guardian
% Defender 2010
% Antivirus
% Antivirus 2010
% Antivirus Pro
% Antivirus Pro 2010
% Internet Security
% Internet Security 2010
where % stands for the operating system of the computer in which it is going to be installed. Some examples: XPAntispyware2010, Vista Guardian, Win 7 Antivirus Pro.
Let’s take as an example Antivirus XP 2010 and see the actions it carries out once it has been installed in the computer.
As with every rogueware, it starts scanning the system to check if the computer is infected.
Once finished, it displays a list with the malware it has detected in your computer to make you believe that you’ve got a problem and that this program will offer you the solution:

However, all the malware it has detected makes reference to nonexistent files, so the only threat you have is the rogue itself.
Additionally, it prevents the execution of programs whose window title makes reference to the following programs:
Internet Explorer
Firefox
Several security suites.
When you try to run any of these, a message is displayed informing you that these programs are infected and recommending you to install the fake antivirus to solve the problem.
The following image belongs to the message that is displayed when Firefox is run:

It also contains code to uninstall different security solutions. This way, the computer would be unprotected and the real antivirus programs could not detect it.
Alert: BlackHat SEO attack targeting Google Nexus One (Updated) (From Panda Labs Blog)
Jan 17th
From the Panda Labs Blog: BlackHat SEO attack targeting Google Nexus One (Updated) (http://pandalabs.pandasecurity.com/blackhat-seo-attack-targeting-google-nexus-one/)
A few days ago Google presented their brand new phone, called Nexus One:
And some days later we find out that if a user searches for “buy Nexus One” he will obtain around 4,000 malicious links:
When clicking on any of these links, you will see some of the typical fake antivirus sites:
It will try to infect your computer with a rogueware called LivePcCare. Be careful while searching, and use at least some free web filtering tools (like Web of Trust, http://www.mywot.com/).
Update: 5 out of the 6 first results are malicious, including the 1st and the 2nd one.
Update 2: Now the same crew is using the Haiti earthquake

Software: Free add-on for Internet Explorer or Firefox can help prevent you from visiting a fake site that could infect your PC.
Nov 30th
There is an add-on for Internet Explorer, Opera and Firefox that may help keep you from visiting a fake site that could infect your PC with malware or worse. The program, called “Web of Trust” (from http://www.mywot.com/), monitors trends (using their own information as well as information from other security providers) from the bad guys who set up these types of sites, and either puts a marker next to a link or presents you with a message when a link you are opening is considered to be either a known “phishing” site (a fake site meant to steal your information) or a high-risk site that could be a “phishing” site. The add-on does not actually block the sites, which means that you as the user still need to use common sense while surfing the internet, as you could click on the message and tell it to continue to the site in question.
The add-on, which is easy to install, will show the following type of notice on searches (green for safe sites, red for sites you would be recommended to avoid):
In addition, when visiting sites that could put you at risk you will see the following message:
As already noted above, this is only an alert; with all of the browsers this add-on will still allow you to “Click here to continue to the page anyways”. That means that this program does not replace common sense. It is a tool to help you choose better, but ultimately it’s still up to the user to use their own common sense.
Since I like giving real-world examples to explain things, here is how I explain Web of Trust. Consider WOT like your house or car alarm. When you leave your house, you set your alarm, but just because you set the alarm doesn’t mean you don’t lock your doors (at least I hope it doesn’t). Consider your common sense the locking of your door: if you don’t do it, you’re still at risk.
Internet Explorer Add-On (http://www.mywot.com/en/download/ie)
Firefox Add-On (http://www.mywot.com/en/download/ff)
Opera Add-On (http://files.myopera.com/PH%60/UserJs/wot.js)