New Phishing Scam Targets Apple Users

Apple’s popular MobileMe service, which offers Mac and iPhone users webhosting, a personal email address, file sharing, and online data synchronization between their devices, has been hit with a phishing scam. Users received an email that looked like it came from Apple with the following message:

         “We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?”

The email then prompts the user to click a link to update their information. The link does not go to Apple; it leads to a site registered to a Gmail user in Romania, and the phony Apple page captures the personal information of anyone who falls for the ruse and enters it.

This is the second time this year that phishers have targeted Apple. In May a similar email was sent to users of the immensely popular iTunes service. Security experts believe that phishers are aiming these attacks at Apple services to take advantage of Apple’s reputation for being more secure than Windows. They are banking on Apple users thinking such attacks could never happen to them and, as a result, not being wary of such emails. It appears that Apple users are now getting a rather rude wake-up call. To scammers, no OS is off limits.

Consumer Reports Recommends Mac Users Dump Safari

Consumer Reports is recommending that Mac users dump Safari because it offers no protection against phishing. The publication’s annual Internet security survey recommends Firefox or Opera instead. Safari includes no anti-phishing tools, while those browsers, and IE7, warn users when they try to open a known phishing or malware-infected site and block it. Microsoft says the upcoming IE8 will include an anti-malware tool as well.

GMail Partners With Ebay and Paypal to Fight Phishing

Phishing is a very big problem on the net, and Ebay and Paypal are the two biggest targets. Every day scammers send hundreds of thousands of phishing emails claiming to be from these net giants. The goal is to fool people into giving up their personal information so that the phisher can drain their bank accounts, hijack their Ebay accounts, and more. Yesterday Gmail announced it has partnered with Ebay and Paypal in the fight against these scammers. The weapon of choice is email authentication: DomainKeys and its successor, DomainKeys Identified Mail (DKIM). From now on Ebay and Paypal will sign all email sent from their domains, and Gmail will automatically reject any message claiming to come from those domains that fails authentication; the recipients will never even know it was sent.
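The signing-and-rejection arrangement described above, as an added example written for this page (it is not Gmail’s, Ebay’s or Paypal’s code). Real DKIM (RFC 6376) signs with an RSA key whose public half is published in DNS under the selector and domain named in the signature; to run offline on the standard library this example substitutes HMAC-SHA256 over the same canonicalized data, and a dictionary stands in for the DNS lookup. The body hash, relaxed header canonicalization, tag parsing and the alignment check follow the RFC’s structure. The domains, keys and sample messages are constructed on reserved .example names.

```python
import base64, hashlib, hmac, re

# Constructed stand-in for the DNS record <selector>._domainkey.<domain>;
# real DKIM publishes an RSA public key there, here it is an HMAC secret.
KEY_STORE = {
    "s1._domainkey.paypal.example": b"paypal-example-signing-key",
    "s1._domainkey.ebay.example": b"ebay-example-signing-key",
}
# Domains known to sign everything they send: mail claiming to come from
# them without a valid, aligned signature is rejected instead of delivered.
ALWAYS_SIGNED = {"paypal.example", "ebay.example"}
SIGNED_HEADERS = ["from", "to", "subject"]

def parse_message(raw):
    """Split a CRLF message (no folded headers) into (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    return [line.partition(":")[::2] for line in head.split("\r\n")], body

def header_value(headers, name):
    """First header with the given name (case-insensitive), stripped, or None."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v.strip()
    return None

def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold,
    collapse whitespace runs to one space, strip, terminate with CRLF."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"

def body_hash(body):
    """bh= tag: SHA-256 of the 'simple' canonical body (trailing empty lines
    dropped, exactly one CRLF at the end), base64 encoded."""
    canonical = (body.rstrip("\r\n") + "\r\n").encode()
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def parse_tags(value):
    """Parse a 'k=v; k=v' DKIM tag list; whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def signing_input(headers, sig_with_empty_b):
    """Bytes the signature covers: the canonical signed headers, then the
    DKIM-Signature header itself with an empty b= tag and no final CRLF."""
    data = "".join(relaxed_header(h, header_value(headers, h) or "")
                   for h in SIGNED_HEADERS)
    data += relaxed_header("DKIM-Signature", sig_with_empty_b)
    return data.rstrip("\r\n").encode()

def sign(raw, domain, selector="s1"):
    """Prepend a DKIM-Signature header. 'a=hmac-sha256' is not a real DKIM
    algorithm; it replaces rsa-sha256 so the example runs offline."""
    headers, body = parse_message(raw)
    key = KEY_STORE[selector + "._domainkey." + domain]
    tags = ("v=1; a=hmac-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(SIGNED_HEADERS), body_hash(body)))
    mac = hmac.new(key, signing_input(headers, tags), hashlib.sha256).digest()
    return "DKIM-Signature: " + tags + base64.b64encode(mac).decode() + "\r\n" + raw

def verify(raw):
    """Return 'pass', 'fail' or 'none' for the message's DKIM-Signature."""
    headers, body = parse_message(raw)
    sig = header_value(headers, "DKIM-Signature")
    if sig is None:
        return "none"
    tags = parse_tags(sig)
    key = KEY_STORE.get("%s._domainkey.%s" % (tags.get("s"), tags.get("d")))
    if key is None or tags.get("a") != "hmac-sha256":
        return "fail"                    # unknown signer or algorithm
    if tags.get("bh") != body_hash(body):
        return "fail"                    # body changed after signing
    empty_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", sig)
    expected = hmac.new(key, signing_input(headers, empty_b), hashlib.sha256).digest()
    got = base64.b64decode(tags.get("b", ""))
    return "pass" if hmac.compare_digest(expected, got) else "fail"

def inbound_policy(raw):
    """Receiver disposition; a passing signature counts only if d= matches From."""
    headers, _ = parse_message(raw)
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value(headers, "From") or "")
    from_domain = m.group(1).lower() if m else ""
    signer = parse_tags(header_value(headers, "DKIM-Signature") or "").get("d", "")
    if verify(raw) == "pass" and signer.lower() == from_domain:
        return "deliver"
    if from_domain in ALWAYS_SIGNED:
        return "reject"                  # the Gmail/Ebay/Paypal arrangement
    return "deliver-unverified"          # no signing policy known for this domain

# Constructed sample messages on reserved .example names.
LEGIT = ("From: PayPal <service@paypal.example>\r\nTo: user@mail.example\r\n"
         "Subject: Your receipt\r\n\r\nThanks for your payment.\r\n")
PHISH = ("From: PayPal <service@paypal.example>\r\nTo: user@mail.example\r\n"
         "Subject: Account problem\r\n\r\nPlease confirm your card details.\r\n")
```

The alignment check in `inbound_policy` is the part that matters for the arrangement in the post: a phisher can sign mail with a key for a domain they control, so a valid signature only helps when its d= domain is the one the From header claims. Unsigned or tampered mail from a domain on the always-signed list is rejected; mail from other domains is delivered as before, just without any assurance.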


New Phishing Scam Targets iTunes Users

A new phishing scheme is targeting iTunes users. The emails look like they are from Apple and tell the recipient there is a problem with their account and to log into the iTunes site via the link provided. The link leads to a malicious site set up to look like the iTunes Store that asks for the recipient’s credit card number, Social Security number, and mother’s maiden name.

Security experts speculate that Apple has become a target for phishers as a result of its increasing share of the computer market via its iPhone, iTunes service, and multi-platform QuickTime and Safari software. This larger user base gives phishers a big pool of potential victims for Apple-themed attacks.

          “The bad guys have moved on from trying to take advantage of eBay or Citibank,” said Andrew Lochart, VP of product marketing at security vendor Proofpoint. “I guess this means that Apple is now a top-tier Internet retailer. The bad guys are trying to use Apple’s brand to commit identity theft.”

Fortunately, the scammers behind this new attack are not the brightest. They didn’t even try to mask the domain their malicious site is parked on, so anyone paying the slightest attention should catch on before being victimized. As of now, Apple has had no comment on the matter.

Authorities Charge 40 in Internet Phishing Scheme

U.S. and Romanian authorities worked together to bust an international phishing scheme responsible for the theft of thousands of credit and debit card numbers. Forty people were indicted, 33 in California and 7 in Connecticut. Among the 65 charges the group faces are aggravated identity theft, bank fraud, conspiracy to violate the RICO (Racketeer Influenced and Corrupt Organizations) Act, and unauthorized access to a protected computer. The RICO and bank fraud charges alone carry a combined prison sentence of up to 50 years.

The group sent out phishing emails that looked like legitimate communication from a variety of banks, including Capital One, Citibank, and People’s Bank in Connecticut. Paypal was also a target. Over a million phishing emails were sent out per attack.

The Romanians collected the stolen bank information and sent it to U.S.-based “cashiers” via Internet chat. The cashiers then used encoders to write the stolen data onto the magnetic stripes of credit and debit cards and directed others involved in the scheme to test the cards by checking balances. The ones that worked were used to clean out the accounts they accessed.

         “Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore our efforts to prevent their attacks cannot end at our borders either,” Deputy Attorney General Mark Filip said in a statement. “Through cooperation with our international partners, we can disrupt and dismantle these enterprises, just as we have done today with these indictments and arrests.”

U.S. authorities are currently acting on nine arrest warrants issued in the Los Angeles area while Romanian authorities carried out search warrants related to the indictments.

New Phishing Scam Targets CEOs

Researchers at Verisign are warning businesses about a targeted form of phishing known as spear phishing. While a traditional phishing attack casts a wide net, trying to get any unsuspecting user to give up personal information such as passwords and account numbers, a spear phishing attack aims to get specifically chosen users to visit a malicious website that installs spyware or other malware, giving the phisher control of the victim’s computer.

This latest attack has targeted senior managers and CEOs at Fortune 500 companies around the country. The email claims that the recipient is being sued in federal court and must visit the included link to download important court documents. Once the link is clicked the victim is told they must download a plug-in to view them, but the plug-in is actually a Trojan that gives the attacker control of the computer, together with a keystroke logger. The emails are very believable and contain the recipient’s full name, company name and phone number. Verisign says there are over 1,800 victims so far.

          “This is probably one of the largest spear-phishing attacks we’ve seen to date in terms of number of victims,” said Matt Richard, director of iDefense’s Rapid Response Team.

All it takes is one employee falling for the scam to put your entire company at risk. Successful spear phishers wind up with total control of the computers they infect, allowing them to access sensitive documents and valuable data. This scam has become so prevalent that the federal court system has placed alerts on the websites of its courthouses.

By the way, court documents are never sent out by email. If someone sues you, the documents are presented to you by a process server or sent via registered postal mail. Educate your employees and protect your business!

Paypal Announces New Anti Phishing Plans

Paypal, the net’s most popular payment service and a favorite target of scammers who send phishing emails, has announced that it plans to block older browsers, and any newer ones that lack anti-phishing features, from accessing its site. This includes older versions of Internet Explorer and Firefox and, perhaps most surprisingly, Apple’s Safari browser, which would be banned entirely.

          “It’s critical to not only warn users about unsafe browsers, but also to disallow older and insecure browsers,” said Michael Barrett, PayPal’s chief information security officer, in a paper released at last week’s RSA Conference. “Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.”

The features a browser must have to access Paypal are the ability to block known and suspected phishing sites and support for Extended Validation (EV) certificates. EV certificates are SSL certificates issued only after the certificate authority has verified the requesting organization’s legal identity through stringent background checks, so they are harder to obtain than the ordinary SSL certificates that are relatively commonplace. Browsers with EV support show a green address bar on sites that present one.

Current versions of both IE and Firefox support these features, but Safari, the default browser for Mac computers, the iPhone, and the iPod Touch, has neither.

         “Apple, unfortunately, is lagging behind what they need to do to protect their customers,” Barrett said. “Safari has got nothing in terms of security support, only SSL, that’s it.”

For now, users of browsers such as IE 6, Firefox 1.5, and Opera 8, which lack anti-phishing features, will simply be warned and allowed to log in, while obsolete browsers such as IE 3, 4 and 5, Netscape 4.x, and Firefox 1.0.x will be blocked outright. A specific timetable for the new plan hasn’t been announced.
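The tiered block/warn/allow gate the post describes, as an added example written for this page (it is not Paypal’s code): a User-Agent classifier that applies the tiers above at login time. Cut-offs the post does not name are assumptions: Opera 9 and later is treated as allowed (the post only says “Opera”), and unrecognized browsers are warned rather than blocked. The sample strings are constructed in the style of the browsers of the period.

```python
import re

ALLOW, WARN, BLOCK = "allow", "warn", "block"

# Tiers from the post: IE 7+ and Firefox 2+ allowed; IE 6, Firefox 1.5 and
# Opera 8 warned; IE 3-5, Netscape 4.x, Firefox 1.0.x and Safari blocked.
# Assumed for illustration: Opera 9+ allowed (the post only says "Opera").
# Lists are scanned top-down; the first (minimum version, action) met wins.
POLICY = {
    "ie":       [((7, 0), ALLOW), ((6, 0), WARN), ((0, 0), BLOCK)],
    "firefox":  [((2, 0), ALLOW), ((1, 5), WARN), ((0, 0), BLOCK)],
    "opera":    [((9, 0), ALLOW), ((8, 0), WARN), ((0, 0), BLOCK)],
    "safari":   [((0, 0), BLOCK)],   # no phishing filter, no EV support
    "netscape": [((0, 0), BLOCK)],
}

# Family patterns in the order they must be tried: Opera can masquerade as
# IE ("... MSIE 6.0 ...) Opera 8.54"), and Safari 3 carries "Version/x.y".
FAMILY_PATTERNS = (
    ("opera", r"Opera[/ ](\d+)\.(\d+)"),
    ("ie", r"MSIE (\d+)\.(\d+)"),
    ("firefox", r"Firefox/(\d+)\.(\d+)"),
    ("safari", r"Version/(\d+)\.(\d+)\S* Safari/"),
)

def parse_user_agent(ua):
    """Return (family, (major, minor)), or (None, None) if unrecognized."""
    ua = ua or ""
    for family, pattern in FAMILY_PATTERNS:
        m = re.search(pattern, ua)
        if m:
            return family, (int(m.group(1)), int(m.group(2)))
    if "Safari/" in ua:                      # Safari 2 and older: no Version/ tag
        return "safari", (0, 0)
    m = re.match(r"Mozilla/4\.(\d+)", ua)    # genuine Netscape 4.x, as opposed
    if m and "compatible" not in ua:         # to IE's "Mozilla/4.0 (compatible;"
        return "netscape", (4, int(m.group(1)))
    return None, None

def disposition(ua):
    """Map a User-Agent header value to allow, warn or block under POLICY.
    Unrecognized browsers are warned, not blocked (assumption)."""
    family, version = parse_user_agent(ua)
    if family is None:
        return WARN
    for minimum, action in POLICY[family]:
        if version >= minimum:
            return action
    return BLOCK

# Constructed User-Agent strings in the style of the browsers named above.
SAMPLE_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 8.54",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3) AppleWebKit/525.18 Version/3.1.1 Safari/525.20",
    "Mozilla/4.79 [en] (Windows NT 5.0; U)",
]

if __name__ == "__main__":
    for agent in SAMPLE_AGENTS:
        print(disposition(agent).ljust(6), agent)
```

The User-Agent header is whatever the client chooses to send, so a gate like this steers customers toward browsers with phishing filters and EV support and warns the rest; it cannot keep an attacker out and belongs with the warning banner, not with authentication.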

          “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera,” Barrett said. Opera, IE, and Firefox are “safer, precisely because we think they are safer for the average consumer,” he added. “I’d love to say that Safari was a safer browser, but at this point it isn’t.”

So far Apple has had no comment.