Technology

For the second year in a row, malware has been discovered in major-brand digital photo frames, carried by some of the nation's biggest retailers.

Software that came pre-installed in frames manufactured by Samsung, Element, and Mercury, was found to enable the "Autorun" function in Windows, allowing it automatically install malicious code to a PC whenever it is connected. The nature of the malware varied with the device, and it isn't even yet clear in some cases whether the malicious code was put there intentionally, or if it simply replicated itself from an infected computer used in the manufacturing process.

This problem isn't just contained to digital frames though. In past years, a variety of electronic gizmos—from flash memory sticks to satellite navigation devices—have all been found to pose security threats.

Peripheral Devices And You

What do most of the popular electronic holiday gifts such as digital cameras, music players, photo printers or even cell phones have in common? They're all "peripheral devices"—meaning that they have to be connected to a personal computer in order to become fully functional. Without these devices, our home computers remain just that—stationary libraries of songs, photos, and other data, inaccessible to us when we're outside of the house.

What many consumers don't know is that anything capable of downloading data given to it by a computer, is also capable of replicating its data onto that PC in the process. So before you plug a new device into your USB port, there are a few steps you should take to keep your computer safe.

What You Can Do

As always, the best way to protect your computer is to have a good, up-to-date anti-virus program installed and running at all times. These programs can identify almost any potential threat and neutralize it immediately upon connection of a device to your computer.

Staying away from cheap brands you've never heard of before (like those $15 drug-store digital cameras or MP3 players,) is also something many experts recommend. But top-notch anti-virus software should be enough to protect you—even from those yPod and Suny products you might find at the flea market.

Myspacers have been dealing with identity theft scams for years, but now there's mounting evidence that hackers are targeting Myspace's more mature brother, Facebook. According to a Reuters wire story, a virus known as "Koobface" has been making the rounds using the Facebook messaging system.

How Does it Work?

Users are typically told that they "look awesome in this new movie" that the sender has uploaded, and are redirected to a site that in turn asks them to install a bogus Adobe Flash player update. If the user decides to take the bait, the Koobface virus is instantly installed on their computer, at which time it goes about its business gathering credit card numbers and other sensitive information.

How Do I Get Rid of It?

According to Guy Bunker of Symantec, Koobface is fairly easy to get rid of. Users can either install some anti-virus software (which will automatically find and destroy it,) or locate two files in their Windows directory. The files are named "tmark2.dat" and "mstre6.exe", and should be deleted immediately if found.

Find more details on detection, files affected, removal, etc. on the McAfee web site.

Even if Koobface itself isn't all that scary, the Reuters piece cites a security researcher with McAfee as saying that such viruses are on the rise on social networking sites. Presumably surfers are more trusting with these sites because they typically use them to connect with friends, and aren't expecting to be targeted the way they would in a random email from an unknown spammer.

In 2005 and 2006, Myspace suffered from a rash of security problems, the most widespread being a JavaScript virus named "Samy." Samy was relatively harmless since it targeted internet profiles rather than PCs. Nevertheless, more than 1 million users ended up displaying the message "Samy is my hero" on their Myspace profiles in 2005.

How Do I Protect Myself in the Future?

Social networking sites like Facebook turn us into fools when it comes to installing software.

• Want to throw a virtual snowball at someone? Install this application.
• Want to find out what kind of sandwich you are? Install this application.
• Want to know how you're going to die? Install this application.

That's why these sites are the newest playground for virus creators - people are connected, they click on stuff, they install stuff, rinse and repeat.

One good rule of thumb is to avoid redirect links in Facebook or Myspace messages unless you can absolutely verify that the URL is legit. Never download a file from a page you've been redirected to. Report the incident to the support staff at social networking site, and await further instruction.

You may know who your friends are in real life, but it's important to remember that an internet persona can always be hijacked---even if you do look really awesome in that movie.

Screenshots

Here's how the Koobface virus, and other related viruses appear within Facebook:

What Appears in Facebook

Notification in Your Email

Website Download

Updated to add:

Variants of this virus appear to be pointing to data collection or revenue generating web sites. Here are a few titles I've had reported recently:

"hey is this u on thebestphotosonline.com"

and...

"whats the deal with u bein on imdownwitu.com"

According to investigative reporters for WirtschaftsWoche, 21 million Germans have had their personal information stolen along with their bank account and bank code numbers. The thieves are offering to sell the data for 12 million euros (about 15.3 million dollars). It is believed the scammers gathered the data by using employees at financial institution call centers.

Could this happen in the U.S.?

It certainly could. Privacy laws throughout Europe are generally tighter than U.S. laws and Germany is among the tightest. Low employee morale, caused by a deteriorating job market and chaos within the financial sector makes crimes like this more likely. I'm sure it's tempting for employees to grab whatever data they can as they're shown the door or maybe they're just looking to add to a mediocre salary. Whatever the reason, it may be time to buckle up and prepare for a bumpy ride.

What could criminals do with this data? Make bank withdrawals.

Criminals can use the bank account info to make withdrawals - either big or small. A .57 cent bank withdrawal from 21 million accounts still ads up to... ummm... let me get my calculator out... $11.97 million dollars. And that's this month, and next month, and the next month, etc. until they're caught or they decide to make a big withdrawal and run.

Here's their strategy, detailed in an IT World article:

Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim's account, said Thierry Zoller, an independent security consultant based in Luxembourg.

Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said.

This is why carefully checking your bank records is important. If you see a unexplained entry - even if it's small - you should track it down until you understand where it came from. Otherwise you might unexpectedly see a much bigger withdrawal from the same source somewhere down the line.

More about this story at the WirtschaftsWoche in English and German.

You can also find coverage at The Register, and IT World.

Every one loves a "Top 10" this time of year, so here is a great one from our friends at Kroll Fraud Solutions. It was put together by Brian Lapidus - Kroll Fraud Solution chief operating officer and identity theft expert.

Enjoy!

1. Beware the Word "Prevent"

No person and no product can prevent identity theft. As long as criminals can benefit from stealing, there will be theft. Sensitive personal information (SPI) is everywhere, housed and archived in a mind-boggling variety of ways. Individuals and companies can reduce access to SPI and improve safeguards around it by working to change how we share, collect, store and dispose of information.

2. There Are No Guarantees

This mantra holds true for a lot of things in life and dealing with identity theft is no exception. While a number of instances of fraud can be restored to pre-theft status, some identity dilemmas simply can’t be fixed. If you’re on the ‘no fly list’ thanks to an imposter or an error, you’ll stay there. A third-party solution cannot deliver a remedy.

3. Watch for "Shoulder Surfers" and "Skimmers"

Shield the entry of personal identification numbers (PINs), and be aware of people standing entirely too close by when using your credit or debit card in public. Especially with the advent of cell phone cameras, a sneaky, shoulder surfing thief can get your private information pretty easily, if you’re not careful. It’s also advisable to use teller machines that are familiar to you, so you are in a better position to identify when the equipment looks different or doesn’t “feel right.” Your increased awareness may reveal a skimmer’s attempt to steal PINs and banking details at that site.

4. Keep Your Social Security Card Safe at Home

Unless you’re on your way to fill out a job application, there are very few reasons to carry around the crown jewel of SPI. At lunch a few weeks ago, the woman beside me opened her wallet for a credit card and there was her Social Security card, too. Remember, ID theft and fraud are not exclusively credit-related – thieves can use a clean Social Security number to construct a whole new life.

Additional note from Dave: I regularly receive emails from Fight Identity Theft visitors explaining how they just had their purse or wallet stolen with their Social Security card inside. Remove that card today!

5. Destroy Before You Dump That Old Computer

Erasing data just enables the computer to write over that space again; it doesn’t actually eliminate the original bits and bytes. Physically remove the hard-drive to ensure you’re not tossing out or passing along your personal details. Our company is often called upon to recover data from an erased or damaged drive; we’re very good at it – and so are some professional thieves.

Additional note from Dave: You could also consider using a software tool like Eraser to do a complete wipe of your drive. If you physically remove your drive, smash the drive with a hammer (find someone strong) before throwing it in the trash.

6. Choose "Forget Me’ Instead of  "Remember Me"

  How many Web sites do you frequent that invite you to enable an automatic log on the next time you visit? Don’t check that box! When convenience trumps confidentiality, you’re asking for trouble. The harder you make it for hackers to follow your trail into an online store or bank account, the better.

Additional note from Dave: This is absolutely necessary when using public computers. In fact, you should avoid accessing any secure sites from a public computer (like a library, internet cafe) or when using a public wireless network or wifi hotspot.

7. Don’t Rely On Fraud Alerts Or Credit Freezes Alone

Fraud alerts are meant to stop an identity thief from opening new accounts in your name. Credit freezes let you restrict access to your credit report, which would also make it hard for someone else to open new accounts. But, neither one will stop a thief from trading your SPI for cash, or using it for tax fraud or in any of the countless other ways fraudsters exploit stolen identities.

8. Practice Prudent Posting

Social networking sites on the internet enable individuals around the world to chat, share photos, recruit employees, date, post resumes, auction property, and more. Because the Web makes it possible for any posted document to link with another, any data you put out online have the potential to stay there for what amounts to electronic eternity.

Additional note from Dave: I suggest creating usernames or an email address that don't contain your name or anything traceable to you, whenever possible. You also might consider using different usernames on different sites. This makes sense because if someone is able to determine that you use "CatLuvr55" on one site, it's an easy search to track down  "CatLuvr55" on any other sites where you have a profile.

9. Keep That Key

When you check out of a hotel where you were issued a card-key to unlock the door to your room, don’t leave the card-key behind. Hold on to it until you’re safely home and can shred or otherwise discard it safely. Some say it’s an urban myth that the card-keys hold vital details like credit card numbers, while others report having tested and confirmed the presence of private data coded into the magnetic strip. Even if there’s no definitive answer, why risk it?

Additional note from Dave: Not sure I'm convinced on this one. I'd need to see more data showing that it is a problem. Snopes.com debunks this pretty thoroughly.

10. What’s In Your Wallet?

Make photocopies of the personal material in your wallet: Driver’s license, credit cards, insurance cards, all of it – front and back. Should your wallet be lost or stolen, you won’t be left wondering what was actually taken, and you’ll be able to quickly notify the appropriate agencies about what has taken place.