" />

Tech Geek and More

Technology Explained for All


Scam: Woo Hoo–I’ve just been offered a MILLION DOLLAR ATM Card (No seriously it must be true, I just got an email telling me so)

File this under the category of “REALLY!”. The following email, which was received by Tech Geek and More friends over at zombiepancake.com (http://www.zombiepancake.com/), claims to be from a “Funds Clearing” and looks fairly official (at least these guys had spell checker). The email below is exactly as sent except for 2 changes, specifically to omit links, as I’m not trying to help them in their ways. Here is the MILLION DOLLAR ATM email:

********************************************************************************************

From: Funds Clearing [mailto:fundsdp@(Omitted).org]

Sent: Thursday, December 08, 2011 12:43 PM

Subject: Your ATM MASTER CARD

Season Greetings,

We are very sorry for the delay. Your ATM MASTER CARD, Valued US$1.216Million has been activated and is ready for delivery, delivery fee of $125 is needed urgently for delivery of the MASTER CARD to your home address . Note that $5000-$10,000 is permitted daily only for each cash withdraw from any ATM MACHINE within your state.

Therefore do not delay to respond immediately and quickly send us your Receiving Address, Full Names and Telephone number. Get back to us for your Payment so that we can registration the CARD for delivery to your destination including the Parcel Tracking Number which will be provided to you after the registrations is done for easy tracking of your parcel on the arrival

God Bless

Mr. Tony Roland

ATM DEPARTMENT

SKY BANK PLC

Email: mytonyroland@yahoo(Remain removed to not give them that much credit)

********************************************************************************************

Of course, the majority of people have enough common sense to know this is actually a scam. Unfortunately these scams continue to happen simply because there is always someone out there who thinks “It came in an email, it must be true”. If no one fell for it, the scammers would stop doing it and move to something else.

The moral (and common sense tip) of this morning’s post is simple: “If it sounds too good to be true, then it’s probably a scam”. This goes for Emails, Tweets, Facebook, or anything else in life.

Oh, and lastly, to Mr. Tony from the Sky Bank, using a yahoo email address: REALLY! Come on, if you go through all this trouble to create a scam, couldn’t you do something better than yahoo!
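The tells in the email above (a “bank” that signs off with a free webmail address that does not match the sender, and a small fee demanded to release a large sum) can be checked mechanically. The following Python is an added example, not part of the original post; the sample message is constructed, and the webmail list, the addresses and the 1000x ratio are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed, non-exhaustive list of free webmail domains.
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
MONEY = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)\s*(million)?", re.I)

# Constructed sample that mirrors the structure of the email above.
SAMPLE = """\
From: Funds Clearing <funds@clearing.example>
Subject: Your ATM MASTER CARD

Your ATM MASTER CARD, valued US$1.216Million, is ready for delivery.
A delivery fee of $125 is needed urgently. Send your Receiving Address,
Full Names and Telephone number.

ATM DEPARTMENT
SKY BANK PLC
Email: atm.dept@yahoo.com
"""


def amounts(text):
    """Return every dollar amount in the text as a float."""
    found = []
    for number, unit in MONEY.findall(text):
        value = float(number.replace(",", ""))
        found.append(value * 1_000_000 if unit else value)
    return found


def advance_fee_signs(raw, ratio=1000):
    """List the advance-fee tells present in a raw plain-text message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    signs = []
    for domain in sorted({d.lower() for d in ADDRESS.findall(body)}):
        if domain in FREEMAIL:
            # A real bank department does not use consumer webmail.
            signs.append("contact-on-freemail:" + domain)
        if domain != sender_domain:
            # Replies are steered away from the address that sent the mail.
            signs.append("contact-differs-from-sender:" + domain)
    sums = amounts(body)
    if (re.search(r"\bfee\b", body, re.I) and len(sums) >= 2
            and max(sums) >= ratio * min(sums)):
        signs.append("small-fee-for-large-payout")
    return signs


if __name__ == "__main__":
    for sign in advance_fee_signs(SAMPLE):
        print(sign)
```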

Alert: Another version of the “See who is looking at your profile” scam on Facebook

In today’s edition of Facebook scams to watch out for is a new version of the “See who is looking at your profile” scam. In the past, you would find messages like the following on your friends’ profiles….

If you clicked on the link, you risked compromising your Facebook account. It seems the average user has heard of this enough that those who try to use this scam have now changed tactics…..

This one just came to my attention a short time ago, where someone on my list was tagged in pictures.

As you can see the 3 pictures appear to be completely random.  If you place your cursor over any of the pictures you see the “LOL!! Me cant believe that you can see who is viewing your profile!…………”

If you were to click on any of the pictures, they will open in the Facebook picture viewer and at the bottom of the picture you will again see the message.

So let’s go over this again. If you see a message in Facebook that talks about “See who checks your profile” or anything even remotely like that:

 

DO NOT CLICK IT!!!!!

 

It is a scam. At minimum it will add messages to your profile that you don’t authorize, and at worst it can compromise your Facebook account, allow for malicious use of your account and could even install other non-Facebook related malware/viruses on your pc.

Facebook does not allow in its terms of service for anyone to be able to give you the “see who checks your profile” information. If any person or company says they can help you see that, THEY ARE LYING / IT’S A SCAM.

Alert: Facebook – Tagged Picture used to spread “Fake” links and Malware. (Plus How to Untag yourself)

Since Facebook is the BIG FISH currently, and most users on Facebook seem to “trust” what they see, the bad guys are now targeting Facebook with more daily scams: from rogue apps, to fake links, to hacking accounts, to now fake picture tagging on profiles. The following was something I came across yesterday.

The tagged picture was on the profile of someone I know. I did confirm with that person that they don’t know “Julie” (either by name or picture), the person on the tag. Of course Julie has a link on her tag. If you happen to click on the link (even if just by mistake), you get sent to a website that will download malware on your pc.

So as always having a Facebook account means that you need to pay attention to what is happening on your account.  If you run into a situation where a picture is tagged to you that you don’t want showing on your profile, here are the steps to Un-Tag yourself from the picture.

How to Untag yourself –

  • From your Facebook home page, locate the blue bar at the top of the screen. It says Facebook, Home, Profile, Friends, and Inbox. Click on “Profile”. Now you will be sent to your profile page.

  • On your profile page, look underneath your profile picture that is located at the top left. Under it, you will see “Photos”. Click on Photos.

  • Now in the middle section of the page toward the bottom you will find the “Photos and Videos of you” section. Look at the pictures below this section. Any pictures tagged will appear in this area. Click on the picture you would like to remove.

  • Now look under the picture for the section that says “In this photo”. Next to that you will find “Remove tag”. Click remove tag. The photo will not show up on your profile anymore.

Alert: Facebook Scam to look out for – “See who viewed your profile”

I ran across another (of the many) Facebook scams this week. A friend had a post listing the iknow_extension this weekend. The app is one of many floating around Facebookland all claiming that they can help a user see who has been “looking at your page”.

At the core, all these scam apps are the same, they prey on the unsuspecting who are not technologically knowledgeable. Some of the variations of catch line that I’ve seen are

  • Awesome! you can finally find out who has looked at your page
  • OMG… I cant believe this actually works! Now you really can see who viewed your profile!
  • Check out who has blocked you on Facebook

Of course there are many more than these.

In all cases, it plays into the human curiosity factor, using social engineering to trick the user into infecting their machines. One thing that everyone should be aware of is that even if it was possible to create an app for the purposes of seeing who has looked at your page, such an app would be completely against the Facebook privacy policy.

In cases like the “iknow” app, it will lead you to a page with an “allow” function that will do 2 things, add itself into your Facebook profile, with the specific purpose of being able to then control your profile so that it can continue to spread itself (Like a bad disease), and also then tell you that you need to “download” a file to activate the app.  That download in fact being the master malware that will then infect and control your pc (I refer to it as the gatekeeper, as this malware you download in fact just handles what your pc does, so that it can continue to download more and more on your machine.  In the same way of what would happen if you gave a burglar the keys to your home, and he was just there to open the door so others can steal from your house).

If you do (or have fallen for these) scams, the 1st thing you need to do is go into the Applications and plugins area in Facebook to remove the rogue app from being allowed access to your account.  You do that by doing the following

Application and Plugins (http://www.facebook.com/help/?page=25)

General Application Support: Adding, displaying, and removing applications (http://www.facebook.com/help/?page=964)

How do I remove or delete an application from my account?

You can remove an application you have allowed from the Applications You Use (http://www.facebook.com/settings/?tab=applications) page. To get to that page, follow these steps:

  1. Go to the Privacy Settings (http://www.facebook.com/settings/?tab=privacy) page from the “Account” drop-down menu located at the top of any page on Facebook.
  2. Click the “Edit your settings” link under the Applications and Websites section towards the bottom of the page.
  3. Click on the application you’d like to remove. If you don’t see the application listed, you can find it by clicking the Edit Settings button towards the top right-hand side of the page.
  4. You’ll then see an expanded view of your settings for that application. From here, you can click the “Remove application” link. Once you confirm you’d like to remove the application, it will no longer have access to your data and be removed from your profile, bookmarks, and your Applications and Games Dashboards.

Once you have done that, the next step is reviewing your Facebook posts and removing any posts created by the “rogue” application.  That is as a courtesy, so that others don’t fall for it from your posts.

Lastly – I recommend downloading the following applications, and running a full scan with each application (one at a time) on your pc.

  • Superantispyware
  • Malwarebytes

My suggestion for the simplest way of downloading and installing these 2 apps is by visiting www.ninite.com (http://www.ninite.com) and selecting them (about 1/2 of the page down).  Ninite will not only download the apps on to your pc, but also handle the installation of the apps on your pc.

Remember that before running either of the apps, you should find the update tab on each and make sure that the app is updated to the latest definitions.  Once each app finishes its “full scan”, clean out whatever each finds, and then reboot and run both apps again.  (I know this sounds like a pain) You want to reboot and rerun both apps to make sure that nothing was left behind.

If your scans come up clean, then you should be ok.  Until the next adventure in technology (at least)

Alert: Be careful shopping this coming Cyber Monday (11/29) as the bad guys are looking for easy victims

As always the bad guys are online, out to try and steal from unknowing victims this holiday season. With the popularity of Online Shopping, it has never been easier for a bad guy to steal from you without ever having to leave his home. The following post comes from Panda Labs (LINK: http://pandalabs.pandasecurity.com/blackhat-friday-and-cybercrime-monday/), showing how crooks are manipulating search engines to trick users. As always, just because you are shopping online doesn’t mean that you don’t have to pay attention. Always make sure to keep your Cyber Guard up.

*******************************************************************************************************************************************

Black(hat) Friday and Cyber(crime) Monday

  • by Sean-Paul Correll (http://pandalabs.pandasecurity.com/author/sean-paul-correll/)

You may be in for more than you bargained for if you plan on looking for the latest Black Friday or Cyber Monday deals online.  Cyber criminals are quick to capitalize on new opportunities and have already done so by optimizing their Blackhat SEO campaigns to infect those looking for those hot ticket item deals.

The following image is a malicious search result aimed at innocent users looking for Black Friday deals at a popular U.S. based retail chain:

Best Buy/Black Friday Malicious Search Result (http://pandalabs.pandasecurity.com/wp-content/uploads/2010/11/bestbuy_malicious_search.png)

Clicking on the link in the Firefox browser will redirect you to a fake Firefox “update” website, which will then infect your computer with fake antivirus software:

Fake Firefox Update Website (http://pandalabs.pandasecurity.com/wp-content/uploads/2010/11/fakefirefoxupdate.png)

Clicking the link in Internet Explorer (or any other browser) will lead you directly to the fake antivirus scan page:

Rogueware “Fake Antivirus” Page (http://pandalabs.pandasecurity.com/wp-content/uploads/2010/11/Roguewarepage.png)

ALERT: Windows Live Messenger 2009 Users–“Active links in Messenger 2009 temporarily turned off to prevent a malicious worm”

Microsoft has announced via the Windows Team Blog (LINK: http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/12/security-alert-active-links-in-messenger-2009-temporarily-turned-off-to-prevent-a-malicious-worm.aspx) that they are now blocking active links in Windows Live Messenger 2009. What that means is that when you are in a chat with someone and a link appears, you will NOT be able to click on it directly to open it. If you wish to see the link, you will need to copy it from the chat window and then paste it into your browser.

Keep in mind that not only in WLM chat but in all chat programs there is always a possibility of receiving “Rogue” links that were not actually sent by the person you are talking to. If you ever receive a link via chat, make sure to check with the person you are talking to, so that you can confirm whether it’s legit or not.

Those who click on the malicious link will download a Worm (a form of virus), which will install on your pc and then use your pc to send itself to all your friends. As always you should make sure you have an up to date Antivirus.

A particularly malicious worm (a self-replicating computer virus) is currently trying to spread itself through many of the world’s largest instant messaging and social networks, including Windows Live Messenger 2009. We’re very serious about protecting our customers, and are pursuing multiple avenues to help stop its progress. The worm spreads by inserting a link into an IM conversation with a person whose computer is already infected. When someone clicks the link, it opens in a browser, downloads the worm on the recipient’s computer, and then repeats this process.

Normally, when Messenger sees a web address in a conversation it is turned into a hyperlink which, when clicked, automatically opens in a web browser. This feature makes it very easy for the malicious worm to be unknowingly installed on your computer by clicking on the link and being sent to a web site containing the malicious software. We’re pursuing a number of activities to help protect you, working actively with industry experts and law enforcement to help stop this criminal activity.

Most notably, we’ve temporarily turned off active hyperlinks for web addresses sent in IM conversations using Windows Live Messenger 2009. You will still be able to copy a web address and paste it into a browser window if you know it to be safe, but by removing active hyperlinks from Messenger 2009, we’re taking a significant step towards stopping the unintentional spreading of this worm.

Because we’ve now blocked active links in Messenger 2009, starting today, some customers may also see a notification in the main Messenger window warning them that some features might not be available.

Messenger warning message (http://windowsteamblog.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-53-82-metablogapi/6116.messenger_2D00_warning_5F00_3E135389.png)

Messenger 2011 is not impacted in the same way, thanks to its Link Safety feature. However, we are actively monitoring the situation and investigating different approaches to help protect customers using the latest version of Messenger, should the situation change.

As always, we encourage customers to exercise caution with links to web pages that you receive in IMs, especially if the links are to a web page that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a web page with harmful content.

If you think your computer may have already been infected by a malicious worm, check the , please visit the Security TechCenter on Microsoft TechNet (http://technet.microsoft.com/en-us/security/default.aspx), and then download and use the malicious software removal tool (http://www.microsoft.com/security/malwareremove/default.aspx). For additional help with Messenger, check out the Messenger Solution Center (http://windowslivehelp.com/product.aspx?productid=2).

ALERT: New Rogueware–This one can detect which browser your using and customize the fake alert to the browser you are using

In a never ending effort to inform the visitors to TGM, here is another ALERT concerning a new version of Rogueware (Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven)) that can actually figure out what web browser you are using and then customize the fake message to look like a standard message for that browser. As always, the reason these types of attacks work is the social engineering aspect: most people don’t know any better, and they assume that if the message pops up on their pc then “it must be true”. Unfortunately the messages that you will see as a result of the Rogueware are nothing more than a trick to get control of your pc.

The following article (written by Daniel Radu of the Microsoft Malware Protection Center) comes from the Microsoft TechNet Blog (LINK: http://blogs.technet.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piece-of-the-microsoft-security-essentials-pie.aspx). You should pay close attention to what the fake alert can look like in each of the browsers (at the bottom of the message you get “Upgrade to a reliable solution”).

**************************************************************************************************************************************

Rogue:MSIL/Zeven wants a piece of the Microsoft Security Essentials pie

A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven). We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation.

Let us say from the beginning that the guys behind this rogue like to copy big-time. They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox.  This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.

The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes.

In the Firefox page, for example, you can see it’s not the real warning page because they misspelled ‘out’ and wrote ‘Get me our of here’.

Chrome

Internet Explorer

But for all three browsers, a common indication that you are not looking at the actual browser warning is the offer of some sort of an “update” or “solution”. All the “updates” point to a copy of MSIL/Zeven that promises to provide “a new approach to windows detection”. Internet Explorer, Firefox, and Chrome do not offer such a solution when a website is blocked.

When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).

Of course once it scans your computer it’s bound to claim it found something scary (malicious), as shown below:

As usual with rogue scanners, although it “found” malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist in the user’s computer.

If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to “help” and ”protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details.

The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys. The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center -  pretty sneaky of them.

This is a screenshot of the rogue’s main webpage:

And, by way of contrast, this is a screenshot of the genuine Microsoft Security Essentials (http://www.microsoft.com/security_essentials/) page:

It seems that these guys want to profit on the good reputation and success of Microsoft Security Essentials in order to make money – but we remind our customers that Microsoft Security Essentials can be downloaded at no cost. And it really does protect your computer from malware!

We detect both the downloader of the rogue and the rogue itself as Rogue:MSIL/Zeven (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue:MSIL/Zeven).

Until our next encounter: browse safely!

Daniel Radu
MMPC Dublin

Facebook: ALERT – New Malware attack using Facebook. DONT CLICK ON “Most Hilarious Video Ever” wall posts.

It seems that recently Facebook has been at the center of many web issues. Unfortunately, this is a trend that seems to continue, as now we have a new Facebook attack that has the goal of stealing your credentials (therefore taking over your account) in addition to downloading malware on your pc. If you see any wall post about the “Most Hilarious Video Ever”, DO NOT CLICK on it. If it’s on your own wall, delete the post from your wall; if you have already clicked on the link (fallen for the post), you need to immediately go to your profile and change your password information.

The following information comes from the WEBSENSE blog (LINK: http://community.websense.com/blogs/securitylabs/) concerning this new FB attack; included below is a video from websense showing how the attack happens.

Most Hilarious Video attack on Facebook (http://community.websense.com/blogs/securitylabs/archive/2010/05/28/most-hilarious-video-attack-on-facebook.aspx)

Posted: 28 May 2010 09:11 PM

Attacks on Facebook during weekends are unfortunately becoming a trend. For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes (http://community.websense.com/blogs/securitylabs/archive/2010/05/22/warning-for-quot-distracting-beach-babes-quot-on-facebook.aspx), Sexiest Video Ever (http://community.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx) or this latest attack which supposedly is the “Most Hilarious Video ever” shown in the screen shot below.

We predicted that this attack would happen again and unfortunately we were right.

This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page look like the real thing except of course if you look at the address bar you can see that you’re not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to login.


Regardless of what you enter in the login form you are then taken to a page on the real Facebook site that asks you to allow the application to access your profile. If you allow that you’re taken to a page saying that you need to upload your FLV Player to view the video. Up until this point it’s similar to how the two previous attacks have worked, except that this new one also has the phishing component. However, what happens now depends on which country you are connecting from.

If you are coming from a US IP address you are prompted to download the FLV Player, which is detected by 35% of antivirus engines (http://www.virustotal.com/analisis/ba220931f0993b752cc9cc25d449904646528fee138ace928f027bb643f3b61e-1275104977), as can be seen in the screen shot:

However, if you’re coming from a UK IP address you’re taken to a quiz where they have to answer 10 questions.


Once completed the user then gets the chance to win an iPad! All they have to do is to fill in their address. So instead of tricking the user into installing a malicious file, this time they’re after your information in addition to your Facebook credentials from the fake login page.

It’s very likely that the behavior is different than the two examples we have described depending on which country you connect from. In our testing we only had the ability to test this attack from the US and UK but regardless of where you are connecting from you shouldn’t click on the fake video and never, ever give your Facebook username and password to a website that is not facebook.com. We also recommend you to install Defensio, our free security app for Facebook that will protect your wall from posts like this. You can get it from http://defensio.com

Alert: Fake IRS email scam. This is from the PandaLabs website

With April 15th and the tax deadline here in the US being just a few days away, here is an alert from the PandaLabs Website (LINK: http://pandalabs.pandasecurity.com/).  This alert especially goes to all those internet users out there that seem to believe everything they get in an email (You know who you are).

***************************************************************************************************************

From PandaLabs Website (LINK: http://pandalabs.pandasecurity.com/irs-1042-w-identity-theft-scam/)

IRS 1042-W Identity Theft Scam

  • Posted on 04/9/10 by Sean-Paul Correll (http://pandalabs.pandasecurity.com/author/sean-paul-correll/)

It’s tax season in the United States and the April 15th filing deadline is approaching quickly. Every year around this time U.S. citizens stress about getting their finances in order and reported to the Internal Revenue Service in time to avoid penalties. Careful though, because that nervousness might just help a cyber criminal steal your identity. A fake IRS Tax Form (1042-W, which apparently doesn’t even exist) has been spammed out and is currently circulating on the Internet.

The e-mail arrives disguised as an official correspondence (irs@irs.gov) from a rep named Cindy at the Internal Revenue Service.

Fake IRS E-mail

Two PDF attachments are included with the email, both of which were authored in Microsoft Word 2007.

Fake IRS PDF Documents (1042-S B.PDF and 1042-S A.PDF)

The first document introduces the 1042-W form and reads:

Dear Sir/Madam,

Our record indicates that you have not submitted your form 1042-W. As a result, you are exempted from United States of America Tax reporting and withholdings, on interest paid you on your account and other financial dealing to protect your exemption from tax on your account and other financial benefit in rectifying your exemption status.

Therefore, you are to authenticate the following by completing form 1042-W, and return to us as soon as possible through the fax number: +1-780-669-7364

Fake IRS Document

The second PDF document is the form itself.  It asks for the following:

  1. Name
  2. Date of Birth
  3. Nationality
  4. Place of Birth
  5. Address
  6. Passport Number
  7. Mothers Maiden Name
  8. Social Security Number
  9. Profession
  10. Bank Name/Account/Pin – Date bank account was opened and branch location
  11. Attached photocopy of passport

Fake IRS Tax Form (1042-W)

After completing the form, the instructions call for faxing it over to a phone number (+1-780-669-7364) located in Alberta, Canada.

Sending this form over to the criminals would most definitely result in a stolen identity.  The IRS has stressed year after year that it does not make unsolicited requests via e-mail.    Here are some tips on how to spot an IRS scam and what to do if you receive one in your inbox:

How to Spot a Scam

Many e-mail scams are fairly sophisticated and hard to detect. However, there are signs to watch for, such as an e-mail that:

  • Requests detailed or an unusual amount of personal and/or financial information, such as name, SSN, bank or credit card account numbers or security-related information, such as mother’s maiden name, either in the e-mail itself or on another site to which a link in the e-mail sends the recipient.
  • Dangles bait to get the recipient to respond to the e-mail, such as mentioning a tax refund or offering to pay the recipient to participate in an IRS survey.
  • Threatens a consequence for not responding to the e-mail, such as additional taxes or blocking access to the recipient’s funds.
  • Gets the Internal Revenue Service or other federal agency names wrong.
  • Uses incorrect grammar or odd phrasing (many of the e-mail scams originate overseas and are written by non-native English speakers).
  • Uses a really long address in any link contained in the e-mail message or one that does not start with the actual IRS Web site address (www.irs.gov). To see the actual link address, or url, move the mouse over the link included in the text of the e-mail.

What to Do

The IRS does not initiate taxpayer contact via unsolicited e-mail or ask for personal identifying or financial information via e-mail. If you receive a suspicious e-mail claiming to come from the IRS, take the following steps:

  • Do not open any attachments to the e-mail, in case they contain malicious code that will infect your computer.
  • Do not click on any links, for the same reason. Also, be aware that the links often connect to a phony IRS Web site that appears authentic and then prompts the victim for personal identifiers, bank or credit card account numbers or PINs. The phony Web sites appear legitimate because the appearance and much of the content are directly copied from an actual page on the IRS Web site and then modified by the scammers for their own purposes.
  • Contact the IRS at 1-800-829-1040 to determine whether the IRS is trying to contact you.
  • Forward the suspicious e-mail or url address to the IRS mailbox phishing@irs.gov, then delete the e-mail from your inbox.
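As an added example (not from PandaLabs, the IRS or Websense), the Python below scores a message against the warning signs listed above and applies the same host check that sits behind the Websense advice to enter Facebook credentials only on facebook.com. The sample message, the keyword patterns and all `.example` hosts are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative keyword patterns (assumptions, not an official IRS list).
PATTERNS = {
    "asks-for-sensitive-data": r"social security|\bssn\b|maiden name|\bpin\b|passport",
    "dangles-bait": r"\brefund\b|\bsurvey\b",
    "threatens-consequence": r"additional tax|penalt|will be blocked",
}


def host_belongs_to(url, domain):
    """True only if the URL's host is `domain` itself or one of its subdomains.

    Substring tests fail here: "www.irs.gov.forms-update.example" and
    "facebook.com.login.example" both contain the name they imitate.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class BodyScanner(HTMLParser):
    """Collect visible text and (href, label) pairs from a message body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def warning_signs(raw, claimed_domain):
    """Return the warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    scanner = BodyScanner()
    scanner.feed(body.get_content() if body is not None else "")
    visible = " ".join(scanner.text)
    signs = [name for name, rx in PATTERNS.items() if re.search(rx, visible, re.I)]
    for href, _label in scanner.links:
        # The label is what the reader sees; the href is where the click goes.
        if not host_belongs_to(href, claimed_domain):
            signs.append("off-site-link:" + (urlsplit(href).hostname or href))
    for part in msg.iter_attachments():
        signs.append("attachment:" + (part.get_filename() or "unnamed"))
    return signs


def build_sample():
    """Constructed message imitating the fake IRS mail described above."""
    msg = EmailMessage()
    msg["From"] = "Cindy <irs@irs.gov>"  # the From header is trivially forged
    msg["Subject"] = "Form 1042-W"
    msg.set_content("See the HTML part.")
    msg.add_alternative(
        "<p>Our records show you have not submitted form 1042-W.</p>"
        "<p>Send your Social Security Number and mother's maiden name "
        "or access to your funds will be blocked.</p>"
        '<p><a href="http://www.irs.gov.forms-update.example/1042w">'
        "www.irs.gov/forms</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="form.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for sign in warning_signs(build_sample(), "irs.gov"):
        print(sign)
```

The sender address plays no part in the score: the sample claims irs@irs.gov just as the fake mail did, so only the body, the link targets and the attachments are judged.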
