Printer-friendly

The FBI Says You've Won the Lottery [1]

A Fight Identity Theft visitor forwarded this email to us today and it was so creative I just had to post it here.

The email supposedly comes from Robert Mueller - the current head of the U.S. Federal Bureau of Investigations. Not only was it sent by the FBI, the scammers try to get you to believe it's been vetted by the Anti-Terrorist and International Fraud Division. Unbelievable.

Why Do They Send These Emails?

What they're really after is the fee they want you to pay in order to collect your $850,000 - that's why they call this an "advanced-fee fraud." The fee is sent by money order which makes it very difficult to trace and impossible to recover. Here's the money paragraph:

This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $239.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).

The $239.99 will likely only be the start of the fraud. They'll continue to ask for more money in order to deliver the $850,000. No matter how much you pay, the money will never end up in your bank account.

From: robertmul@fbi.gov.us
Subject: E-mail From The FBI..
Date: Wed, 2 Dec 2009 13:53:50 -0500

Anti-Terrorist and International Fraud Division
Federal Bureau Of Investigation.
Seattle, Washington 98101-2904
Telephone/Fax Number: +1(206) 426-2866

Attn: Beneficiary

This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $850,000.00 US Dollars from a Lottery Company in the United Kingdom. During our investigation we discovered that your e-mail won the money from an Online Balloting System and we have authorized this winning to be authentic and paid to you via a Certified Cashier's Check.

Normally, it will take up to 10 business days for an International Check to be cashed by your local bank. We have successfully come to an agreement with this company on your behalf that funds are to be drawn from a registered bank within the United States Of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $850,000.00 US Dollars has been deposited with Bank Of America.
We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Legitimate, Safe and 100% risk free of scams and frauds of any nature, due to the fact that the funds have been deposited at Bank Of America you will be required to settle the following bills directly to the lottery claims agent in-charge of this transaction whom is located at the liaison office of the Lottery Company in Seattle-Washington. According to our discoveries, you are required to pay for the following:

(1) Deposit Fee's (Fee's paid by the lottery company for the deposit into an American Bank which is - Bank of America)
(2) Cashier's Check Conversion Fee (Fee for converting the Wire Transfer payment into a Certified Cashier's Check)
(3) Shipping Fee's (This is the charge for shipping the Cashier's Check to your nominated destination)

The total amount for everything is $239.99 (Two Hundred & Thirty Nine United States Dollars & Ninety Nine Cents). We have tried our possible best to indicate that this $239.99 should be deducted from your winning prize but the funds have already been deposited at The Bank of America and cannot be accessed by anyone apart from you the winner. Therefore you will be required to pay the needed funds to your lotto claims Agent in-charge of this transaction via Western Union Money Transfer Or Money Gram. The payment will NOT reflect at the Bank of America with the given transaction code(EA2948-910) until you have covered the processing fees needed.

In order to proceed with this transaction, Click Here to contact your claims agent Mrs. Louise Major. You will be required to call her for verbal verification and e-mail her with the following informations:

FULL NAME:
FULL MAILING ADDRESS(INCLUDING CITY/STATE/ZIPCODE):
AGE/SEX/OCCUPATION:
CONTACT PHONE NUMBERS(CELL & HOME):

You will also be required to request Western Union details on how to send the required $239.99 in order to immediately ship your prize of $850,000.00 US Dollars via Certified Cashier's Check drawn from The Bank of America, Also include the following transaction code in order for her to immediately identify this transaction : EA2948-910.

This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $239.99 ONLY to your claims agent via the information in which she shall send to you upon your request, if you do not receive your winning prize of $850,000.00 US Dollars we shall be held responsible for the loss and this shall invite a penalty of $3,000 which will be made PAYABLE ONLY by you (The Winner).

Signed:
Robert Mueller
Federal Bureau Of Investigation

NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mrs. Louise Major via contact information provided above and make the required payment of $239.99 to information in which she will provide you.
__________________________________________________________________________________________________________
The information contained in this email message is legally privileged and confidential information intended solely for the use of the intended recipient(s). If you are not the intended recipient(s), any distribution, dissemination, or reproduction of this email message is strictly prohibited.

December 3, 2009

3 comments [2]

Avoid the Grinch When Shopping Online [3]

We know everyone is looking for that best deal online, especially during the Black Friday shopping blitz. Here are some quality online shopping tips from Intersections, Inc. (provider of the Identity Guard [4] identity theft protection service).

We also recommend a post from the always excellent Privacy Rights Clearinghouse - "Holiday Shopping? Ten Timely Tips [5]"

Don’t Let Would-Be “Grinches” Steal Your Financial Health and Identity During the Busiest Shopping Season of the Year!

As the biggest holiday shopping days of the year quickly approach, consumers everywhere will be lining up at stores on "Black Friday" for pre-dawn sales that will hopefully net great bargains and savings on holiday gifts. For those that don't want to fight the massive crowds at the malls and local shopping centers, they'll surf the Web on "Cyber Monday" - the Monday right after Thanksgiving - to catch even better sales, conveniently ordering their gifts online to have them shipped all over the world.

Finding the right deal on the perfect gift is going to be a priority this holiday shopping season as consumers everywhere are penny pinching during tougher economic times. The National Retail Federation expects average holiday spending this year will be around $682.74, down 3 percent from $705.01 last year, so getting the best value for your money is key, whether the gift is found on the Internet or at a retail store. With major online price breaks offered on Cyber Monday, online shopping sales are expected to increase 18 percent over last year, according to Information Resources, Inc.

To kick off the 2009 holiday shopping season, Intersections Inc. (Nasdaq: INTX [6]), a leading global provider of consumer and corporate identity risk management services, and provider of IDENTITY GUARD® Total Protection, the award winning identity theft protection service, advises holiday shoppers to take extra caution to avoid damaging their credit or becoming a victim of identity theft. Identity theft peaks this time of year -- wallets are stolen, credit cards are accidentally left behind and scammers everywhere are looking to prey on their next victims -- but there are simple steps consumers can take to avoid making careless decisions that can have a long-term effect on their financial well-being.

Intersections recommends the following safety tips for holiday shoppers:

Protect your computer from online threats including money-stealing Trojans. Fraudsters are eagerly waiting to take advantage of the millions of credit card transactions that will be made online this holiday season. They are lurking to find any weak links in your network to gain access to your personal and credit information. More recently, they are using sophisticated Trojans to grab your bank account and credit card login information, disable your security software, and sneak into your bank account by pretending to be you. Trojans are even smart enough to quietly drain your bank account over the holiday period based on the assumption that you'll be too busy to check exactly how much you're spending until the New Year. The best way to avoid Trojans is to (a) not open attachments or click on email links; (b) be careful where you surf and stick to online "neighborhoods" where you really feel safe; and (c) regularly patch your computer and update your anti-virus, anti-spyware and firewall software.
Take a tip from online merchants and "trust but verify." Whether it's online shopping searches, incredible gift offers, or holiday wishes from your Twitter "Tweeps" or Facebook friends, the best way to avoid gift-wrapping yourself for scammers this year is to turn your cynicism on to the highest level. If you think before you click, you might just play Grinch to an identity thief.
Be careful buying gift cards. Make sure that you purchase gift cards that are legitimate and secure, and avoid buying gift cards secondhand from an unverified source. UK-based security firm Corsaire recently found that the vulnerable magnetic-stripe technology used for gift cards and customer loyalty cards make these attractive targets for hackers. Additionally, the research revealed that gift cards can easily be "sniffed" off the shelf in the checkout line with a scanner and cloned, card numbers can be stolen, and retailers' gift card Web sites can be hacked.
Avoid Tweet Traps! Scammers fully understand the power and reach of social networks, and gathering places like Facebook and Twitter are a feeding ground for all kinds of thieves this holiday season. According to the eHoliday Study by Shop.org (a division of the National Retail Federation), 47.1 percent of retailers said they will be increasing their use of social media during the holidays. The biggest threat to be wary of this year is the "Tweet Trap" - a message that appears to be from a trusted friend or follower passing on some great news, a real bargain, or a worthy cause, but instead hides spam, phishing fraud, or a malicious download. Consumers should be cautious about Tweets or Facebook messages about great holiday deals, must-have gifts, or hard luck stories, even if they are coming from "friends." If they sound interesting, do your own research to see if they're genuine. But don't click or download.
If a deal sounds too good to be true, it probably is. This scam has focused on promising shoppers the hard-to-find gift at an irresistible price and in most cases, the gift doesn't exist, doesn't arrive, the seller demands far more for it, or simply steals the shopper's credit card information. But this year, hackers are upping the stakes by hacking into the search ranking systems of the major search engines like Yahoo! and Google so that their fraudulent or malware-infected web sites appear at the top of shopper searches. And most shoppers still believe that if a Web site is at the top of a search engine's list, it has to be legitimate.
Do NOT give out your financial information over the phone or email. If your bank or credit card company sends you an email or even calls you warning you of insufficient funds or other problems with your account, contact them directly using the customer service numbers posted on their web sites. Don't respond to their emails or to any number they provide in an email or phone message.
Keep travel plans private. Don't give a gift to digital burglars by Tweeting or posting updates to Facebook about your holiday plans like when you're going to be away from home or all the cool stuff you bought. Otherwise your new purchases may end up under someone else's tree.
Do a post-holiday credit health check-up. After the holidays are over, be sure to check your credit reports, credit card statements and bank statements to verify all transactions. Each transaction you made, either in retail stores or online, could have been compromised, adversely affecting your credit and your credit score. Notify your bank or credit card company immediately if you see anything suspicious.

"With a soft economy and higher unemployment rates, consumers are under increased pressure to cut holiday spending, and this may lead to an increased willingness to take on greater risks," said Steven Schwartz, Intersections' Executive Vice President of Consumer Solutions. "While retailers will respond with timely offers and special discounts, it's important for customers to protect themselves from scammers and cyber scrooges who may try to prey on their emotions with targeted offline and online schemes."

One way to protect yourself is to be vigilant about where you shop (online or at the mall), what information you provide and to whom, and to protect your computer from spyware, malicious code and Trojans. Intersections' IDENTITY GUARD® Total Protection [4] is the most comprehensive offering on the market today covering personal information, credit reports, public records, computer, Internet and mobile transactions. The service also provides sophisticated software that protects consumers against keylogging attacks, secures their passwords and user IDs as they navigate online, identifies legitimate websites, and protects their computers from advanced malware software. IDENTITY GUARD® Total Protection [4] also provides identity theft recovery services and financial reimbursement insurance in the event identity theft occurs. Find out more at www.identityguard.com [4].

November 24, 2009

4 comments [7]

Google Gives You Free Airport Wi-Fi for the Holidays [8]

Free Google Airport Wifi

The spirit of giving has hit Google. They are generously providing free Wi-Fi at 47 airports from November 10, 2009 to January 15, 2010. That's great, but there are a few precautions you should take to keep yourself safe.

Google's Free Wi-Fi

Using the free service is simple. You simply select the free Wi-Fi and accept the terms of service and there's no need to give any form of payment. However, Google wants you to catch the giving spirit and give a donation to any of the three non-profit organizations [9] they've partnered with. But, donate [9]once you're using a secure Internet connection at home - not on the Wi-Fi network. In addition to providing free Wi-Fi, Google's having a photo contest. You could win a prize just for submitting a photo [10] of you using the free Wi-Fi.

Participating Airports

You can take advantage of Google's generosity at one of the following 47 airports:

Austin (AUS [12])	Indianapolis (IND [13])	Panama City, FL (PFN [14])
Baltimore (BWI [15])	Jacksonville, FL (JAX [16])	Pittsburgh, PA (PIT [17])
Billings (BIL [18])	Kalamazoo (AZO [19])	Portland, ME (PWM [20])
Boston (BOS [21])	Las Vegas (LAS [22])	Sacramento (SMF [23])
Bozeman (BZN [24])	Louisville (SDF [25])	San Antonio (SAT [26])
Buffalo, NY (BUF [27])	Madison (MSN [28])	San Diego (SAN [29])
Burbank (BUR [30])	Memphis (MEM [31])	San Jose (SJC [32])
Central Wisconsin (CWA [33])	Miami (MIA [34])	Seattle (SEA [35])*
Charlotte, NC (CLT [36])	Milwaukee (MKE [37])	South Bend (SBN [38])
Des Moines (DSM [39])	Monterey (MRY [40])	Spokane (GEG [41])
El Paso (ELP [42])	Nashville (BNA [43])	St. Louis (STL [44])
Fort Lauderdale (FLL [45])	Newport News (PHF [46])	State College (SCE [47])
Fort Myers (RSW [48])	Norfolk (ORF [49])	Toledo (TOL [50])
Greensboro (GSO [51])	Oklahoma City (OKC [52])	Travers City (TVC [53])
Houston Hobby (HOU [54])	Omaha (OMA [55])	West Palm Beach (PBI [56])
Houston Bush (IAH [57])	Orlando (MCO [58])

*Seattle launches late November

Reasons to be Cautious

Airport Wi-Fi - like other public hotspots - is not secure and you should avoid logging into your bank account or other sites with sensitive info. Wireless network security can be compromised and put your passwords and other data out in the air and available to a fellow traveler with the right hacking tools.

We don't mean to scare you out of using the Google's Wi-Fi gift but to educate you about the potential risks

How to Protect Yourself

Here are some tips on how to protect yourself when using any Wi-Fi connection:

Google has said that their free Wi-Fi network names will vary at each airport. We'll try to provide a list of those names as soon as we can.
Make sure that you're connected to a legit network. I'm guessing there will be many Google copycats this holiday season.
Turn off your Wi-Fi auto login feature. This way you'll log in when you're ready and to the network of your choosing.
Disable sharing, especially if your laptop is networked to storage devices or computers at home.
Use a firewall.
Avoid entering sensitive data like credit card numbers or critical passwords while connected to a wireless network.
Disconnect from the network when you're done.

This video from Forbes provides more details on what you should watch out for:

Check out Google's Free Wi-Fi for the Holidays [59] site and their FAQ page [60] for more details.

November 12, 2009

0 comments [61]

New Microsoft Update Patches Big Hole [62]

Microsoft launched an update Tuesday to patch about fifteen holes in Windows 2000, Windows XP, Windows Server and Office. While most of the patches are related to various Word and Excel, or Windows Server issues, a critical vulnerability was found within the Windows OS kernel - a fairly rare occurrence.

The Big Hole

The Windows kernel is the core of the operating system and the flaw is related to how embedded font files are processed. We're not going to get into the technical mumbo-jumbo here, so we'll just tell you that the problem - if exploited - would allow malicious code to be passed directly to the system, bypassing any browser defenses that have been created to stop this sort of attack. The code could be downloaded just by visiting a web page prepared by hackers. With the increase of URL shorteners being used [63] as well as advertising attacks [64], it's easier than ever to be accidently exposed to some nasty code.

Microsoft rated the kernel flaw as critical and gave it an exploitability ranking of 1. This means that Microsoft expects there to be a working exploit within 30 days and is similar to "SEVERE - Severe risk of terrorist attacks" on the Homeland Security advisory system (if anyone is actually paying any attention to that any more).

Researchers agree that the bad guys are going to move quickly:

"An exploit will appear sooner rather than later," said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "The target is Internet Explorer, and browsing is the number one attack vector in the world right now. Users can be infected simply by browsing on a [malicious] site.

So this is a big hole that can do some nasty things on unpatched computers.

The Solution

Take the following steps to protect your computer:

Set your computer to automatically download Microsoft updates [65].
Run updates immediately or just set the system to install them automatically.
Reconsider using Internet Explorer as your browser of choice. The same problem will not occur using Firefox or other non-IE browsers.

How to Update Windows Automatically

Windows XP

To set your PC to update automatically in Windows XP, simply access the Control Panel in the start menu, click "Automatic Updates," and choose "Automatic."

Windows Vista

For Vista, open Windows Update in the start menu, select "Change Settings," and then select "Install updates automatically."

More information can be found at Computer World [66] and The Washington Post's Security Fix blog [67].

November 11, 2009

0 comments [68]

Report Phishing Email: What to Do When You Catch a Phish [69]

We've been educating you about phishing emails [70] for years and in trolling around your inbox, it’s not uncommon to come across one of those pesky emails just about every day. The easiest approach is to ignore it or mark it as spam and go on with your day. However, by taking just a minute or two to report it, you can help make the Internet a safer place for you and the rest of the world.

Out of the Net and into the Tank

OpenDNS, the world’s largest, fastest-growing DNS service provider, launched PhishTank [71] in an effort to make the Internet a better place for all us.

Phishtank serves as a clearing house for data and information about phishing on the Internet and provides the information to developers and researchers to integrate anti-phishing data into their applications. Best of all, the Phishtank services are free!

Some Statistics

Here are some statistics from October, 2009 to give you an idea of what kind of impact PhishTank has on scam emails:

Total number of votes by the PhishTank community: 68,575
Total number of unique, suspected phishing scams reported: 23,159
Country hosting the most phishing sites: United States
Percentage of phishing sites hosted in United States: 26
Median time it took for the PhishTank community to verify phishes: 8 hours, 19 minutes

So how does this all work?

Exercising a little philanthropy has never been easier:

Complete the free registration (http://www.phishtank.com/register.php [72]). It literally takes 30 seconds.
The next time you get a phishing email, simply use your registered email address to report it. This can be done by logging directly onto the site or sending a quick email to phish@phishtank.com [73].
It is important to include as much information as possible, including mail headers if possible. For that reason, it’s best to redirect any suspected phishes to PhishTank. To submit suspected phishes from other email addresses, use your individual phish reporting address, which is available from My Account page once you are signed in. Phishtank recommends adding your individual phish reporting address to your address book in every mail application you use, for all accounts.
Also, it’s best to avoid forwarding the phishing email, as some information in the original phish is usually lost, whether mail headers, tell-tale images or even URLs.
Please note that Phishtank is just one example of sites out there trying to make the Internet better—it’s really not important which one you use. However, the next time you catch a phish, remember your Boy Scout days and “do a good turn daily”…report it.

But Wait, There's More!

As a side note, OpenDNS offers other services through innovative uses of the DNS. Some of these include free parental controls (porn filtering), phishing protection, and other advanced services for consumers and network administrators alike. Check out their free and deluxe plans here: http://www.opendns.com/start [74].

November 7, 2009

3 comments [75]

Senior Citizens Fight Medicare Fraud [76]

Medicare receives 4.4 million claims a day and approximately 1 out of 10 of those are fraudulent. All of the fraudulent claims add up to a large sum of wasted time and money and the government is trying to put a stop to it. The Department of Justice (DOJ) and the Health and Human Services (HHS) Office of the Inspector General have been working together to reduce fraudulent activity.

In 2008, the DOJ and HHS and the Centers for Medicare and Medicaid Services worked together through the criminal and civil systems to secure 588 criminal convictions, obtain 337 civil administrative actions against individuals and organizations who were committing Medicare Fraud, and recovered more than a billion dollars in health care fraud monies . . . To date in fiscal year 2009, the Department of Justice has already recovered nearly a billion dollars in health care fraud monies and recorded 300 convictions.

In addition to catching Medicare thieves the DOJ and HHS want to enable seniors to participate in the fight. They want to raise awareness about the kinds of fraud that are happening and give seniors the tools they need to deter, detect and defend!

Medicare Fraud Examples

Here are a few examples of how Medicare is scammed out of billions of dollars a year.

Medicare is billed for services or equipment not received
An unathorized person uses a Medicare card to receive treatment, supplies or equipment
Medicare is billed for equipment after it has been returned
A company offers an unapproved Medicare drug plan
A company leads you to join a Medicare plan using false information

Deter

Medicare recipients need to keep themselves safe.

Treat your Medicare number and Social Security number like gold. Avoid carrying them in your wallet or purse.
Your Medicare number is not needed to get free equipment. If someone offers you free equipment and then asks for your Medicare number, run away or hang up the phone.
Your number is for your use only. It is illegal for others to file claims with your Medicare number.

Detect

Learn to recognize common schemes. A few common fraud schemes are:

Being approached in grocery stores, parking lots, on the street, etc. and being offered goods, services or help in exchange for your Medicare number. Just run away!
Receiving a call from a phone solicitor doing a health survey and asking for your Medicare number. Just hang up! They don't need your number to conduct a survey.
Receiving a call from a telemarketer claiming to be with Medicare or Social Security asking for you to pay for equipment over the phone or the internet. Again, hang up!

Defend

It's critical that Medicare recipients check their statement summary sheets and look for:

Were you charged for the same thing more than once?
Are there doctor visit dates look unfamiliar?
Were you over charged for a service?
Were you charged for equipment or services that you didn't receive?

If you see any of these problems make a phone call to your provider or Medicare to get it resolved. It could just be a clerical error or it could be a fraudulent act that needs to be reported.

Help is Available

To some the task above may seem very overwhelming. The DOJ and HHS understand that seniors want to protect themselves but may not have the knowledge to do so. For this reason Senior Medicare Patrols (SMP's) were created. SMP's are groups or seniors, formed in communities, that help other senior citizens learn how to combat Medicare Fraud. They bring awareness to seniors in the community, teach seniors how to read and understand their Medicare summary statements and offer support.

Use the www.smpresource.org [77] web site to find a group in your area.

Medical identity theft and Medicare fraud are a huge problem that the government cannot tackle on its own. While they do their part it's important for senior citizens to do their part to protect themselves from medical identity theft and be on the watch for Medicare fraud.

Fight Back! Brochure

More detailed information is available in the Fight Back! Medical Identity Theft and Medicare Fraud brochure [78] put out by the HHS.

HHS Even Webcast on Preventing Medial Identity Theft and Medicare Fraud

Video Points of Interest

Time 7:11 Assistant Attorney General of Civil Division of DOJ, Tony West, discusses the consequences of Medicare fraud and the work of the DOJ and HHS partnership.
Time 14:38 Inspector General, Dan Levinson, discusses new fraud education materials.
Time 23:08 SMP volunteer, Joanne, discusses her experiences with Medicare fraud and her roll as part of the SMP in her community.

More information is available at Stop Medicare Fraud's website [79].

November 3, 2009

0 comments [80]

Why Twitter Links Should Scare You [63]

26% of Twitter messages contain links, half of which are from spammers and lead to malicious websites.

With only 140 characters per Twitter message, it makes sense to shorten URLs and leave characters to say what you have to say. But with shortened URLs you have no idea what your final web destination will be. A spreader of malware and malicious websites couldn't be happier!

Malicious Links in Abundance

Researchers at Kaspersky Labs have found that as many as one in every 500 links on Twitter lead to sites hosting malware. They have also discovered that about 26% of Twitter messages - tweets - contain links and about half of those are created by spammers and people with bad intentions.

The two most popular URLs that the Krawler found posted to Twitter so far passed through the system in September. Both directed users to online dating sites. One of the sites, getion.com, is known to have hosted malware in the past, Raiu said.

What Twitter is Doing

So why isn't Twitter doing something to keep its users safe? Well, it is to an extent. In August Twitter started using a filtering system by Google to detect malicious URLs. The system checks the URLs against a blacklist and then either blocks the malicious URL from being posted or warns users to think before clicking on the link. However, the system only scans URLs that are shortened using the Bit.ly shortening service - the most commonly used on Twitter. Any links shortened using any of the over 200 other formats are not picked up by Twitter's filter.

Malicious URLs were discovered over a year ago before Twitter gained it's current level of popularity. Now, malware links regularly appear in "trending topics" where people are often checking to see what is the latest and greatest.

What You Can Do

There are several companies that have developed more inclusive filters to sift through the shortened URLs on Twitter. Kaspersky [81] has developed the Krab Krawler that currently examines 500,000 unique URLs a day. Of the URLs examined, 100 to 1,000 a day are sites hosting malware.
AVG Technologies offers LinkScanner [82], a tool that scans and strips URLs of any malware that they may contain. Finjan Inc. has a tool, SecureTwitter [83], that sends out a warning message when a malicious URL is detected.
You also have the option of expanding the shortened link before you click on it. The bit.ly blog [84] has instructions on how to get the plug-in tool to expand bit.ly (and other) shortened URLs.
Consider using stand-alone Twitter software such as TweetDeck [85]. They will often provide filtering of their own and/or a preference item to expand shortened URLs before you click them.

Video Interview with Kaspersky Lab Malware Researcher Costin Raiu

Read more at the Threat Level blog [86]. Graph courtesy of Kaspersky Labs [81]

October 29, 2009

4 comments [87]

Data Breach Danger: Study Shows It’s Real [88]

Data Breach

So you received a data breach notification in the mail… no big deal, right? Not according to Javelin Strategy & Research’s latest report [89]. In fact, Javelin’s latest research reveals you are four times more likely to suffer identity fraud if you’ve received a data breach notification within the past year.

The average fraud victim will spend 30 hours and $496 out-of-pocket costs to restore their affairs, merchants and financial providers will spend billions to protect systems and brands, and law enforcement will work hard to chase the bad guys.

Many states around the country are enacting laws requiring entities that have experienced data security breaches to notify affected individuals whose personal information may be at risk. However, there seems to be a disconnect between breach notifications and consumer awareness of the risk they bring.

Why You Should Take Notice

During each of the past three years, an average of 11% of consumers received a breach notification.
Of these consumer breach victims, more than 33% experienced exposure of their Social Security numbers and 15% had their ATM PINs compromised.
Despite 19.5% of breach victims suffering some kind of fraud in the past year, only 2% attribute their fraud to the breach.

Come On, Do I Really Need To Worry About This?

It might be a good idea considering the Identity Theft Resource Center [90] has already tracked 356 data breaches so far this year. Forty-six of those breaches have involved financial institutions, and when they or their third-party service providers are breached, it’s nasty.

Take for example the Heartland Payment Systems [91] breach earlier this year. The result of this breach was a staggering compromise of 130 million credit and debit cards. Now that’s a lot of Visa cards…yikes!

What You Can Do?

There is very little we can do to avoid data breaches, however there are steps that we can take to better prepare ourselves for the next time that breach notification shows up in the mailbox:

If you get a data breach notification, don’t dismiss it. "Data breach notifications are intended to help consumers take protective action," said Mary Monahan, Javelin Managing Partner & Research Director.
Obtain credit monitoring services. Most companies will provide this free of charge in the event of a security breach, so take them up on it. You may also consider employing a more complete credit monitoring service [92] or even initiating a credit freeze [93].
Limit the amount of sensitive data you give out online or over the telephone. If the requested information has nothing to do with the transaction you’re making, don’t provide it. For more on this, read our article about becoming a "privacy grouch [94]."
Avoid or be cautious using wireless devices, “convenience cards”, credit cards or unfamiliar online transaction sites.

Lastly, remember the words of the orator, Robert Green Ingersoll when he said:

“It is a thousand times better to have common sense without education than to have education without common sense.”

October 28, 2009

0 comments [95]

For Scareware, Every Day is Halloween [64]

Halloween is all about tricks, treats and pretending to be something your not. Scareware must think every day is Halloween.

Computer experts are reporting that scareware is on the rise. Scareware - a sneaky hacker technique used to steal personal information and spread viruses - is being found in more and more places online and even on trusted sites, like the New York Times.

"The recent scareware attacks are cropping up everywhere and can be found on even the most trusted Web sites online," said Alison Southwick, BBB spokesperson. "The threat of scareware undermines consumer trust in compromised Web sites, and on the Internet in general, but there are steps computer users can take to protect themselves."

How Scareware Tricks and Treats

Scareware usually presents itself as a pop up window on your computer that looks like it is from your computer. It gives some message that your computer has been infected with a virus that needs to be removed. Often the message tells you to go to the link provided to purchase and download anti-virus software. Once the software is purchased the download begins. Unfortunately, it is not anti-virus software that is being downloaded, but more viruses and malware.

If that weren't bad enough, now the hackers have your credit card information too.

This senario is playing out all over the internet. It was in mid-September that visitors to the New York Times web site started getting the infected pop up window. The New York Times traced the infected window back to an unauthorized ad. They later found out that the ad space was sold to hackers posing as Vonage.

But The New York Times is not the only site being affected and pop up windows are only half the story with scareware. According to Computer World Magazine, hackers are also "poisoning Google search results." Hackers monitor popular search topics and then create infected web pages with related content. They work to get those to the top of Google search results and when someone clicks a link in the search results - the infamous pop up window appears.

How to Protect Your Computer

Fortunately there are steps that you can take to protect your computer from scareware:

Never let your guard down. It is a fact that scareware can show up on even the most trusted sites, Google, Twitter, The New York Times, etc.
Protect your computer. Keep your operating system updated and install a good quality anti-virus program. We recommend the following packages: Norton 360 [96] (includes backup and other features), Norton Internet Security 2010 [97] (good all around option), or avast! [98] (free and good), and keep it up to date. Also make sure that all security patches and updates are installed for your webrowser and programs like Adobe Flash Player.
Take immediate action during an attack. If a scareware window opens up, force close it using the task manager and then run your trusted anti-virus software.

If you clicked on the link and have downloaded the software all is not lost, but things aren't good. The Washington Post offers advice on their Security Fix blog [99] of how to rid your computer of the viruses and malware. But if you aren't computer savvy, you may think about calling a professional to clean up the mess.

UPDATE: An article from Wired magazine's Threat Level blog [100] sheds more light on how web sites are being targeted for malware distribution:

Web ads have become much more advanced over the years and many now include scripts that provide data tracking and other functions. Because of this, crooks are working to have their "ads" run on popular websites. Their ads also contain scripts, but the code displays scareware instead of tracking clicks or views.

In the article, Gawker Media - a major blog network of sites like Gizmodo, LifeHacker, Jalopnik and others - was targeted for ad placement, but fortunately Gawker has a team of geeks that digs into the code of any ad and confirms that it contains no malicious code. I'm guessing the NY Times now is enforcing a similar policy (yep, it is now [101]).

Heaven help us when we visit sites that have no such team of geeks to protect us from malicious ads...

October 27, 2009

2 comments [102]

Clampi Trojan Virus Attacks the World of Online Banking [103]

July 2009 not only brought the hopes of fun summer activities, but it also brought the new vicious Trojan virus called Clampi. Clampi is a newly sophisticated virus designed to attack online banking systems. And unlike most Trojan viruses this virus can be picked up from trusted sites like blogs, online magazines, search engines and mainstream news websites, not just gambling and pornography sites. It also is only designed to attack computers running the Microsoft Windows operating system. So Mac users are safe from Clampi, for now.

Currently, Clampi is tracking over 4,500 financial websites. Most Trojan viruses usually track 30-40 sites at a time. Clampi is designed to watch: banks, credit card companies, e-mails, retail sites, utilities, online casinos, wire transfer services, share brokerages, government sites and mortgage lenders. Clampi is also not just limited to the United States. It has been found attacking in the United States, Britain and other English speaking countries.

How Clampi Operates

Once Clampi has been picked up it settles into your computer and waits. What does it wait for? It waits for the user to log on to a bank account, credit card or some other financial website. Once the login information is entered, Clampi grabs it and shoots it to the cyber criminal's computer. From there the criminal uses the information to fulfill their desires. Whether it is taking money from a bank account, using a credit card to make purchases or reek whatever havoc they may.

What Clampi Can Do

Maybe you're thinking that this can't happen to you and maybe it won't. But it has been reported that through the use of Clampi criminals have stolen $75k from a car parts company in Georgia, $30k from a non-profit childcare organization [104] in Seattle, $480k from an online city bank account [105], $150k from a public school district in Oklahoma, $350k from a Chicago-are school district [106] and $700k from the Western Beaver School District [107] in Pennsylvania. There have also been reports of companies losing anywhere from $10k to $500k because of this one virus. There is really no telling how many people have been victims of the Clampi virus.

What You Can Do

The most important thing you can do is to be proactive about protecting yourself from getting Clampi. Here are some ways to be proactive:

Protect your computer with security software. It should be a natural part of being online. Make sure that you have the most current version of your anitvirus software and download any necessary patches to keep it current.
Avoid clicking on suspicious links on blogs, e-mails and social networking sites. If you are not sure that it can be trusted, then don't go there.
Don't use e-commerce sites that you are not familiar with and use a credit card instead of a debit card when making online purchases.
Use caution when using a wi-fi network - especially one outside your home, like at an airport [108] or coffe shop. Don't access financial web sites when using wifi in these kinds of locations. Make sure that your connection is password protected so that others cannot hack into your connection. Use WPA2 [109] (or stronger) encryption and strong passwords when setting up your wireless network at home.

October 22, 2009

0 comments [110]