Fight Identity Theft Blog
Lately I've received several "smishing" text messages on my phone and I finally captured the audio of a full phone interaction with their voice response system.
Audio of Smishing Call
Here is the audio from a smishing phone call I recorded. Listen closely to see how they use fear to manipulate the victim into providing information.
What is Smishing?
Well, someone somewhere comes up with these cute names for things and "smishing" is no different. It's a play on the term "phishing", and the "Sm" part comes from SMS, which is the technical name for text messages on cell phones (Short Message Service). Did that make sense? If not, here's a description from the fount of all knowledge - Wikipedia:
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to an automated voice response system.
Scam Tactics 101
As you listened to the call, you should have noticed a few tactics scammers use to get your information:
- Sound Official - The call starts with "You have reached Credit Union's National Association online banking center." That doesn't even make sense, but it sounds good. Scammers will imitate real brands or sometimes use something pretty generic like this, but they're always going to try to look and sound official.
- Create Fear and a Sense of Urgency - It doesn't take long before they start to scare you with "Compromised accounts may ruin your credit, place you in debt with us or other financial institutions." They add "Failure to run this process will result in account suspension or financial penalties." My favorite attempt to scare you is when they threaten you with prosecution if you give inaccurate information - unbelievable.
What Do They Ask For?
In this call, they are trying to capture a credit card number, expiration date, PIN, and card security code. With this information they will attempt to make purchases online with your card, pull money from your account with an ATM, or possibly create a fake card containing your information.
How to Protect Yourself
It should be obvious to most people that these messages are scams. Unfortunately, the scammers just have to get a small percentage of people to fall for these messages to make it worth their time. Just like spam email, if a few people respond it will continue to be financially viable.
What complicates things a bit is some banks are now using text messages as a communication method for alerts or other information. In these alerts they'll often ask you to phone in to confirm a transaction or to alert you to a problem with your account.
If you're concerned at all about the origin of an alert, always call your bank directly using the phone number from a bank statement or official web site. Never call using the number provided in a text message.
Read more about smishing tactics in this recent Yahoo article.
The Better Business Bureau (BBB) has announced that April 18th is Secure Your ID Day and is offering free document shredding at various locations across the U.S.
You can bring up to three boxes/bags of paper documents and they will shred them on the spot. Even if you have your own shredder I imagine they'll have a bigger one that will be much faster, so it's worth checking out.
What Should You Shred?
If you're wondering what to bring, check out our shredding page and get a few tips. The short answer is you should shred any document that has a signature, account number, social security number, or medical or legal information (plus credit offers).
Enjoy!

When Barack Obama famously refused to relinquish his treasured BlackBerry, he became the first president in American history to use email while in office. He will also be the first to have to worry about personal internet security.
The president's new BlackBerry is a special modified variation with top-notch encryption features—further details are not being shared with the media. Vice President Joe Biden and other key officials have also been given this most limited of limited edition devices.
But is it Really Hacker-Proof?
But famed hacker Kevin Mitnick says that despite its special security features, no BlackBerry is impossible to compromise. In an interview with Fox News, Mitnick said "It's a long shot, but it's possible. You'd probably need to be pretty sophisticated, but there's people out there who are."
According to Mitnick, who is credited with hacking Motorola, Nokia, Sun Microsystems, FBI, and Pentagon networks (among many others), the best course of action for a hacker would probably be to infiltrate the personal computer of somebody close to Obama. Then, the hacker would have to use that person's identity to divert Obama to a compromised website that would upload malicious code onto the BlackBerry.
The Most Exclusive List in Washington
That's precisely why the president's security team is keeping his email address such a closely guarded secret. Obama will also have to frequently change his email address.
Who exactly has this address is unknown, but the number is believed to be considerably less than 50, with Biden, advisers David Axelrod and Valerie Jarrett, press secretary Robert Gibbs, and chief of staff Rahm Emanuel almost certainly at the top of the list. Beyond that, one can only guess: top supporter Oprah Winfrey, secretary of state Hillary Clinton, celebrity email buddy Scarlett Johansson, DNC chair Tim Kaine? One can only speculate.
If any of our readers are on the list, please let us know so we can send him our suggestions on the economy...

Remember when the McCain campaign had that garage sale a few months back and sold two BlackBerries with hundreds of GOP contacts still saved on them? It may have seemed like a silly blunder to those who heard about it at the time, but it turns out that most of us are just as careless with our mobile phones and handheld devices as the McCain staffers were with theirs.
99% of Cell Phone Recyclers Neglect to Erase Data
According to a study by Regenersis, one of the leading electronics recycling firms in the world, 99 percent of recycled cellular phones are handed over with their owners' personal information and contact lists completely intact. The company did a random sampling of 2000 devices in the month of December, and found that only a handful of consumers had bothered to delete information like emails, banking data, or addresses.
How to Remove Data Before Handing Over An Old Cell Phone
Very few recyclers offer the service of wiping devices before they pass them along, but even if they did, you'd still be handing over an extensive catalog of personal information to a perfect stranger and trusting them to do the right thing.
To take matters into your own hands:
- Remove the SIM card from your phone. It's a little plastic memory card usually located behind the back cover underneath the battery.
- Call your service provider and ask them to disconnect the phone from your account.
That's it! That wasn't hard, was it?
Unfortunately, if you own an iPhone or BlackBerry, it can be a little more complicated but these videos should help:
Erasing a BlackBerry
Erasing an iPhone
An Important Disclaimer
If you've got national security secrets on your phone or maybe mission briefings and data from U.S. soldiers in Iraq and Afghanistan, it's important to remember that there's no way to completely erase a handheld device. Sophisticated forensic recovery methods are capable of reversing pretty much any data-destroying trick that doesn't involve a hammer or a blowtorch, so for highly sensitive data, you should probably contact a specialist. For the rest of us though, the above methods should do the trick.
To read more about phone recycling, head on over to Earth911 blog.

It May Be "Salami Slicing." It May Be Petty Theft.
The latest identity theft scheme doesn't aim to empty your debit account or charge you to the credit limit—not yet anyway. According to The Boston Globe, at least 800 credit and debit cardholders have reported finding tiny fraudulent charges on their statements in recent weeks.
The charges range from 21 to 48 cents, and are billed under two phony business names: "Adele Services" and "GFDL."
The mysterious charges have led to a range of speculation over the nature of the scam. Some think that the small charges are meant to test the validity of a registry of stolen credit card numbers which may have been resold by the original thieves. If the theory is correct, those whose cards have already been charged can probably expect to be targeted for much larger amounts down the line.
A Slice of Salami
A less likely theory parallels the scam attempted by the main characters in the movie "Office Space," which featured three disgruntled computer programmers who attempt to slowly embezzle money from their company, pennies at a time. The scheme is sometimes referred to as "salami slicing", but usually targets businesses or customers rather than an unconnected group of individuals.
If this theory holds, those who fail to notice that their accounts have been compromised will continue to be targeted for small amounts of money indefinitely. Most likely, the thieves would have to create new false companies with each wave of thefts.
Plan of Action
Regardless of the intent of the perpetrators, the course of action for those who notice small, unexpected charges on their debit and credit card statements is the same:
- Report the charges to your bank or other financial institution.
- Report your card stolen so that you can be issued a new credit card and credit card number.
As always, it's important for everyone to pick carefully through their statements each month (if not more frequently), looking for charges they don't recognize. Whether a questionable charge is 1 cent, $1, or $100, it should always be treated as a potentially serious problem.
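Here is one way to automate the statement check described above. This is an added example, not part of the original post: it compares the current statement against merchants from an earlier, already-reviewed statement and reports every unfamiliar charge, listing sub-dollar ones first as possible card tests. The CSV column layout, the $1.00 threshold, and all sample rows other than the two merchant names reported above are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Charges below this amount from a never-seen merchant look like card testing.
# The threshold is an assumption; the reported charges were 21 to 48 cents.
MICRO_LIMIT = Decimal("1.00")

# Constructed sample exports (not real data); the date,merchant,amount
# column layout is an assumption about your bank's CSV format.
PREVIOUS_STATEMENT = """date,merchant,amount
2008-12-02,City Grocery,61.40
2008-12-09,Metro Transit,20.00
2008-12-15,Corner  Pharmacy,12.75
"""

CURRENT_STATEMENT = """date,merchant,amount
2009-01-03,CITY GROCERY,54.12
2009-01-05,Adele Services,0.21
2009-01-07,Metro Transit,20.00
2009-01-11,GFDL,0.48
2009-01-14,Harbor Books,18.99
2009-01-20,City Grocery,-5.00
"""


def normalize(merchant):
    """Upper-case and collapse whitespace so 'City  Grocery' == 'CITY GROCERY'."""
    return " ".join(merchant.upper().split())


def read_charges(csv_text):
    """Yield (date, merchant, amount) tuples from a statement export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["date"], normalize(row["merchant"]), Decimal(row["amount"])


def known_merchants(csv_text):
    """Merchants already charged on an earlier statement you have reviewed."""
    return {merchant for _, merchant, amount in read_charges(csv_text) if amount > 0}


def review(current_csv, baseline, micro_limit=MICRO_LIMIT):
    """Return charges from merchants that are absent from the baseline.

    Every unfamiliar charge is reported, whatever its size; those under
    micro_limit are labelled as possible card tests and listed first.
    """
    findings = []
    for date, merchant, amount in read_charges(current_csv):
        if amount <= 0 or merchant in baseline:
            continue  # refunds/credits and familiar merchants are skipped
        label = "possible card test" if amount < micro_limit else "unrecognized merchant"
        findings.append((date, merchant, amount, label))
    # Stable sort: micro-charges first, statement order kept within each group.
    findings.sort(key=lambda f: f[3] != "possible card test")
    return findings


if __name__ == "__main__":
    baseline = known_merchants(PREVIOUS_STATEMENT)
    for date, merchant, amount, label in review(CURRENT_STATEMENT, baseline):
        print(f"{date}  {merchant:<16} {amount:>7}  {label}")
```

A merchant that appears for the first time is reported even when the charge is legitimate, so treat the output as a list of lines to check by hand, not as a verdict.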

Did that get your attention? Scammers are hoping it will.
Breaking News Malware Emails
An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent nomination of Barack Obama is a perfect topic and Symantec has reported that emails are showing up that read something like this:
Sample Emails
Subject: Breaking news
Barack Obama refused to be the president of the United States of America
Yours Sincerely,
Cecily Lynn
Subject: What is going on with our country?
Yours faithfully,
Rodney Lynch
The link in the actual emails (we're not linking to anything in the examples above) points to the following site:

What is the Threat?
The site instantly attempts to bypass any browser security and install malware on your computer. If that fails, any link on the site will download and install the malware. The software is called W32.Waledac. Here's what it does, as described on the Symantec web site:
Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:
- harvesting sensitive information on your computer
- turning your machine into a spam zombie
- establishing a back door on your computer that will allow it to be remotely accessed
How Can I Protect Myself?
Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?
Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated. The same goes for browsers, email clients, or anti-virus software. If your software is up-to-date, you're more likely to avoid being hurt by scams like this.
By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.

The Worst Outbreak in Years
Using a flaw in the Windows Server service that was detected and patched months ago, a single worm has managed to infect nearly 9 million PCs in just over two weeks — and the rate of infection is increasing by the day. In just four days, the "Downadup" worm (which is also sometimes referred to as "Conficker") spread from an estimated 2.4 million computers to 8.9 million. It has been described by many security experts as the worst outbreak of malicious software in years.
In October, Microsoft sent out a rare emergency security update for all of its operating systems, including Vista, XP, and Windows 2000. Unfortunately, this update seems to have been ignored by a large portion of PC users, leaving millions vulnerable to Downadup.
Full Dangers Still Unknown
Right now the intentions of the developers responsible for the malicious software remain unclear. For the time being, the hackers have only bothered to send out a fake security program, which creates pop-ups designed to annoy users into paying for a worthless program. But Downadup could potentially hijack millions of computers and use them as bots capable of carrying out whatever commands the hackers send them.
That the whole problem could have been averted if users had just bothered to install a patch Microsoft issued long ago underscores the importance of setting your operating system to automatically download and install security updates. Those with infected computers undoubtedly let the patch languish for months in an update queue, alongside much less essential software updates.
How to Update Windows Automatically
Windows XP
To set your PC to update automatically in Windows XP, simply access the Control Panel in the start menu, click "Automatic Updates," and choose "Automatic."

Windows Vista
For Vista, open Windows Update in the start menu, select "Change Settings," and then select "Install updates automatically."

How to Remove the Worm
Your computer might not be showing any signs of infection or you may have seen some odd behavior.
From Microsoft:
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:
- Account lockout policies are being tripped.
- Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
- Domain controllers respond slowly to client requests.
- The network is congested.
- Various security-related Web sites cannot be accessed.
If your PC has already been infected by Downadup, first install the emergency update, then run the latest edition of Microsoft's Malicious Software Removal Tool to remove the worm from your computer.
More information about the worm is available from Microsoft. You can also read more on Computerworld.

The British newspaper Mail Online reports that a local postman was scammed out of his life savings by an attractive female "friend" he met on the popular online community site MySpace.
Saving the Damsel in Distress
The postman, Shane Symington, seems like a nice fellow who was simply trying to help a fellow human being. He befriended an American woman named 'Angela Gates' on MySpace in 2007. After a few weeks of friendly banter, the woman began asking for money to pay for her mother's funeral and for medical expenses.
What could Shane do but rush in and save her from her predicament? She needed him!
In order to hit every soft spot Shane had, 'Angela' also told him she needed more money to pay for legal fees that would allow her to inherit a $2 million piece of property. Anyone who's studied Advance Fee Fraud scams will recognize this kind of story.
Damsel Turns Out to Be a Dude
Unfortunately, it appears Shane hadn't studied much about scams. It turns out this attractive, bikini-clad and potentially rich American woman was really a Nigerian man. Surprised? I doubt it.
After emptying Shane's bank account the Nigerian man even contacted Shane and admitted his fraud, but the story doesn't end there.
From the Mail Online:
He was then contacted by another woman, again from America, claiming she had also been caught in the scam.
He said that he then helped pay her legal expenses and the cost of hiring two ex-FBI agents in an attempt to regain the lost money for both of them.
Mr. Symington said that he now believes that these people are also involved in the scam. He said that he had paid out more than £30,000 to them, bringing his total losses to more than £130,000.
Ouch!
The lesson to learn here is that when these scammers find a victim, they hit them with multiple scams from multiple people until they have milked their target completely dry.
What does Shane have to say about all of this?
I feel sick from it all, I feel disillusioned, they have just played on my good nature. I've lost my life-savings, I have two loans and credit card debts, I'm in huge debts because of all of this.
You just can't trust anyone on the internet. I want to warn people but I know I won't be the last to fall for something like this.
The police in Hampshire working the case said that there's little they can do to recover the money because of the current political situation in Nigeria.
What Can We Do?
These stories are hard to read. We can't believe someone can be so easily manipulated. So what can we do? I suggest you help your friends, relatives, and neighbors by educating them about these kinds of scams. Shane said it best - "I won't be the last to fall for something like this."
Don't let it happen to someone you know.
Read the whole story (w/ pics of the lovely 'Ms. Gates') on the Mail Online web site.

It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.
Here's How It Works
Researchers at Trusteer recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:
- A user opens a browser and logs into their banking web site
- Leaving that browser session open, they open another browser window to check on their Webkinz or some other web pursuit.
- After a time, a pop-up window opens — supposedly from their bank web site — asking for them to re-enter their username and password.
- Since the user has recently logged in to the targeted web site, they are more likely to enter their info.
That's it! Their login credentials are now in the hands of the scammers.
What Makes It Possible?
A few things have to be in place for this to work. First, the scammers need a compromised web server in order to install the malware. Fortunately, there are lots of those around. Second, the malware has to be able to determine which other sites the user has visited. This is possible based on a vulnerability in the JavaScript engine used by Internet Explorer, Firefox, Safari, and Chrome.
From Trusteer:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
How Can You Protect Yourself?
Well, the planets have to align a bit to pull this scam off and it's likely the JavaScript vulnerability will be patched in the near (hopefully) future.
Until then, Trusteer recommends the following preventative measures:
- Have an up-to-date anti-virus installed
- Be suspicious of any pop-ups asking you to login
- Log out of banking or other sensitive sites before heading over to Pogo.com for your bingo fix.
and most of all...
Learn more about this attack by downloading Trusteer's security advisory.

Of all the worries that parents of young children face, few would rank the prospect of their 7-year-old opening up six credit cards and running up $35,000 in debt as one of the most pressing. But increasingly, parents and young adults are struggling with a very similar reality these days — only the children themselves aren't to blame, identity thieves are.
Last week, two stories of childhood identity theft hit the headlines...
- In Florida, a woman was accused of opening up a Capital One credit card under her daughter's name, and then using the card until the girl's father began to notice collection notices being sent to their home.
- In California, a man was discovered to be using the identity of a 4-year old who died in 1984. He was caught after using the deceased child's name to buy a home, a car, and to obtain several credit cards.
A Growing Problem
According to the Federal Trade Commission, there were more than 34,000 incidents of childhood identity theft reported between 2005 and 2007. The figure makes up about 5 percent of all identity thefts.
Chiefly to blame is a credit check system that at no time makes an effort to verify the age of individuals. With nothing but a Social Security number, thieves are often able to gain a credit history by finding creditors who don't require a photo ID or birth certificate. The first age that goes into a system like TransUnion, Experian, or Equifax becomes permanently associated with the applicant's name and Social Security number.
Here's how John Moisa, the father of the girl who had her identity stolen by her mother, describes it:
"My heart dropped, I couldn't believe it," said John Moisa, who became suspicious when he received correspondence from the credit card company addressed to his daughter. "At first I didn't think about it until my mom said she was getting collection calls at her house."
Moisa called the credit card company, which wouldn't initially talk to him until he faxed proof of his daughter's age. Moisa said he's spent the past several months trying to repair the girl's credit.
"It was unpaid, past-due bills, so it didn't look good," Moisa said.
Parents Are the Best Protectors (and Most Likely Culprits)
Some experts estimate that around half of childhood identity theft is committed by parents and relatives with access to a full range of information and documentation associated with a child. Other reports point to teachers, administrators, coaches, babysitters, and others with easy access to documents and records. (Some teachers have even been known to have pupils write their social security numbers on all homework and tests, exposing students to anyone who bothers sifting through the school's wastepaper baskets.)
With a down economy, parents and family members might be more likely to turn to identity theft as a way of getting their hands on additional credit.
"The majority of cases involve parents who may be going through a tricky time, going through a divorce and looking for additional credit," said Purl, Chief Operating Officer for Grand ISS, a St. Petersburg-based investigative security firm.
Purl said with more people out of work, identity theft cases involving young children are likely to increase.
"I think we're going to see more crime in general, as money is more tight for people. We've seen that with credit card fraud and white-collar crime. It's an easy way to make money," Purl said.
How Can We Protect Our Kids?
It's becoming increasingly important for parents to help their kids get savvy about giving away personal information on the internet, or over the telephone. Beyond that, responsibility falls on parents to be vigilant about who they send copies of birth certificates to, and to notice things like debt consolidation notices coming in the mail addressed to their children.
For more on how to prevent childhood identity theft and what to do if you think your child has been targeted, check out this fact sheet from the Identity Theft Resource Center - www.idtheftcenter.org.


