Phishing primary cause of bogus iTunes charges

Written by John P Mello Jr on August 27, 2010

Apple’s walled garden, also known as the iTunes store, showed a crack this week when reports began flooding the Internet of compromised accounts being used to siphon money from PayPal for unauthorized purchases at the online music outlet.

Sums charged to PayPal varied, but one iTunes customer claimed $4700 had been debited to his account through the Apple store by parties unknown. Other users reported more modest thefts–$500, $650 or $1000.

Although the bandits were exploiting connections between iTunes and PayPal, they exhibited behaviors associated with credit-card scammers. For instance, they always spent less than $100 on an item. That’s a tactic used to stay off the radar screen of fraud trackers. It’s also a significant cut-off point for merchants: at $100 or above, the merchant has to foot the bill for a fraudulently purchased item.

PayPal has denied its systems had been breached. “We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account,” the company’s chief information security officer Michael Barrett wrote in a blog.

While PayPal was advising its customers to report their problems to the company so they could be reimbursed for any money they may have lost to scammers, Apple passed the buck to others. “We’re always working to enhance account security for iTunes users,” it said. “If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about chargebacks for any unauthorized purchases.”


The curious case of the Facebook Dislike button

Written by John P Mello Jr on August 24, 2010

In newspaper circles, when a correction to a story has to be written, a rule of thumb used by many organizations is to omit the original mistake from the correction. That’s not to eschew embarrassment, although it often works out that way, but to avoid printing the incorrect information twice. Bad information, you see, has a way of sticking to little gray cells when it’s the first to arrive in the information marketplace. Repeating it, even in a correction debunking it, tends to add to its stickiness.

That seems to be the case with the recent hullabaloo over the “dislike” button in Facebook.

Members of the vast Facebook social network have the ability to click a button when they “like” a posting they see in their news feeds, but unlike other websites that solicit mob opinion on their content, Facebookers can’t show their displeasure with what they see on the network. That omission has vexed more than a few of the Facebook faithful, including columnist Dan Tynan.

“Like many people of an inherently cynical nature, the fact Facebook only allows you to express your ‘Like’ on various topics, posts, and advertisements irks me,” he wrote. “I know I’m not alone, and so do Facebook scammers, which is why the latest viral ‘Dislike button’ scam has spread so quickly.”

As with many popular scams on Facebook, it begins when a member sees a message with an enticing pitch. In this instance, it was “I just got the Dislike button, so now I can dislike all of your dumb posts lol!!” or “Get the official DISLIKE button NOW!” Included with the message is a shortened URL, so victims don’t know where they’re going when they click on it.

Clicking on the short URL in the Dislike message displays a screen for installing the Dislike Button. When members attempt to install the feature, they’re asked to give their permission to allow the app to access their basic information, post to their “walls” and access their data at any time, which pretty much opens the door to the chicken coop for the foxy spammers.

Once they have access to your Facebook information, the spammers use the member’s information to promote–under the member’s name–the Dislike Button to all the member’s friends.

Meanwhile, the member still doesn’t have a Dislike Button. Before he or she gets the button, they must fill out a survey, which makes the scammers some cash. After finishing the survey, the member is sent to a website where they can install a browser add-on called Dislike Button. The app began as a Firefox add-on, but now it can be downloaded as an executable file that will work with Chrome, Internet Explorer and Opera. Support for Apple’s Safari browser is in the works.

What got lost in all the hubbub about the scam, though, was the fact that the Dislike Button is a legitimate add-on. Its makers, FaceMod, were being victimized by the scammers as much, if not more, as Facebookers clicking on the URL in the fraudster’s pitch message. Unfortunately, the maker’s message was lost in the digital din that erupted when the scam was revealed by a malware fighting firm.

“Recently, the Dislike Button has been mentioned in several articles, blogs and tweets, in conjunction with a scam, which silently sends the link to users’ Facebook friends, and requires the user to then take an online survey, which makes money for the scammers,” FaceMod wrote on its website. “Due to the high demand for the Dislike Button,” it continued, “unaffiliated people and/or groups are attempting to monetize FaceMod’s products by re-directing to online surveys. FaceMod does not require a user to fill out a survey, is not affiliated with this Scam and urges users to avoid unofficial posts.”

For the sake of clarity, FaceMod’s add-on only works with other Facebook members who have installed the app in their browsers. In other words, if you click “dislike” and the person who posted the item you disapprove of doesn’t have FaceMod’s software installed in their browser, they won’t see your thumbs down.

Initially, FaceMod sent a message to a person when a user of its app gave the thumbs-down to an item, but it removed that feature–although the company’s website still says it’s there–after receiving complaints from people who received what could be interpreted as spam messages announcing they’d been “disliked.”

Top 10 Most Spammed States

Written by Sue Walsh on August 10, 2010

A new spam statistics report is out that names the top 10 most spammed states. Let’s take a look:

  1. North Carolina - 91.3%
  2. New Hampshire - 91.3%
  3. Washington - 91.3%
  4. Utah - 91.5%
  5. Illinois - 91.8%
  6. Tennessee - 92.1%
  7. Indiana - 92.7%
  8. South Carolina - 93.6%
  9. Alabama - 94.4%
  10. Idaho - 95.2%

North Carolina, New Hampshire, and Washington were all tied for the 10th spot while Idaho came in first for the second year in a row. All 10 states had spam levels well above the national average of 89.3%. On the other end of the spectrum, Puerto Rico came in as the least spammed U.S. state or territory for the second year in a row. It’s not known exactly why some states get more spam than others, but it may have to do with state spam laws and advertising regulations.

Some other facts the study revealed:

Most Spammed Industries: Engineering, Construction and Automotive.

Least Spammed: Admin, Public Sector, and Finance.

Most Spammed Countries: Luxembourg, China, Hong Kong, Germany, and The Netherlands.

As far as phishing goes, New Zealand takes the top spot while Japan was the least phished country. A new phishing scam was discovered – this one came in the form of emails offering a brand new PDF reader. Overall phishing levels increased, with 1 in every 557.5 emails being a phishing attempt, an increase of 0.02% over June.

The report also found that the Storm botnet has come raging back and is pumping out pharmaceutical spam using URL shortening services. The masked URLs are easier to get past spam filters and blacklists. Storm was once the largest botnet in the world.

Virus levels decreased slightly, with only 1 in every 306 emails containing malware. That’s a drop of 0.04% from June.

New Phishing Scam Targets Oil Spill Victims

Written by Sue Walsh on July 30, 2010

It’s really not surprising, but it’s disgusting anyway. A new phishing attack is aimed squarely at the victims of the disaster in the Gulf. Emails claiming to be from BP CEO Tony Hayward are circulating on the net. The emails offer a $500,000 “grant” from the company in exchange for some personal info, such as the recipient’s bank account number and social security number, so that, as the email claims, the company can deposit the grant funding right away.

Authorities say the emails actually originate in Nigeria. The Florida Attorney General’s office is so concerned they issued a statewide alert about the scam. It’s not the first time scammers have exploited a tragedy and it won’t be the last. After pop legend Michael Jackson’s sudden and tragic death last year, spam campaigns exploiting the event exploded across the net, offering links to “exclusive” videos and autopsy photos. Similar spam campaigns have exploited the financial crisis, the death of actress Brittany Murphy, Swine Flu, the World Cup and other big news events. Holidays are also exploited and we can expect to see Halloween and Christmas themed spam start rising in a few months. Those types of spam campaigns often hawk fake pharmaceuticals and designer goods.

Authorities say while the person or group responsible for the fake BP emails hasn’t been tracked down yet, the United States Postal Inspection Service is investigating. The scammers may have to rethink their scam though as Tony Hayward is no longer CEO of BP.

Phishers favor TinyURL.com to hide Web destinations

Written by John P Mello Jr on July 23, 2010

We all know the value of short URLs. Certain forms of social media, most notably Twitter, have strict character limits on their content and when every character counts, you don’t want to be wasting them on Web addresses. So if you can reduce a 64-character URL to 16 characters, chances are you’re going to do it. In addition, long URLs can be truncated in email messages, which can be annoying to both a sender and a recipient.

As is often the case with online convenience, though, it invites abuse. That’s the case with short URLs. Internet miscreants have found that the unintelligible combinations of letters and numbers are a good way to disguise their intentions. You might be able to scan a full URL and detect irregularities that tip a scammer’s hand, but that’s not the case with a short URL.

Black Hats “abuse these services to hide their phishing sites, malware or affiliate links,” one security firm observed recently in its company blog.
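Both this post and the Storm botnet note above turn on the same point: a shortened URL hides where a click will land. The following is an added example, not code from the original posts or from TinyURL, showing the defender's counter-move of expanding the redirect chain without visiting the final page and comparing the destination host against the site the message claims to be from. The `fetchHead` function, the `SAMPLE_REDIRECTS` table and all `.example` hosts are constructed for the example; a real implementation would issue an HTTP HEAD request with automatic redirects disabled.

```javascript
// Follow a short URL's redirect chain hop by hop. `fetchHead(url)` is an
// injectable stand-in for a HEAD request that returns {status, location}
// and never follows redirects itself, so nothing is rendered or executed.
function expandShortUrl(startUrl, fetchHead, maxHops = 10) {
  const chain = [startUrl];
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = fetchHead(current);
    // Anything other than a 3xx with a Location header is the final stop.
    if (!resp || resp.status < 300 || resp.status >= 400 || !resp.location) {
      return { final: current, chain, complete: true };
    }
    // Location may be relative; resolve it against the current URL.
    const next = new URL(resp.location, current).href;
    if (chain.includes(next)) {
      return { final: next, chain: [...chain, next], complete: false, reason: 'loop' };
    }
    chain.push(next);
    current = next;
  }
  return { final: current, chain, complete: false, reason: 'too many hops' };
}

// Does the final host belong to one of the domains the sender claims?
// Exact match or a subdomain; "login-bank.example" does NOT match "bank.example".
function hostMatchesExpected(finalUrl, expectedDomains) {
  const host = new URL(finalUrl).hostname.toLowerCase();
  return expectedDomains.some(d => host === d || host.endsWith('.' + d));
}

// Constructed sample redirect table standing in for the network (hypothetical hosts).
const SAMPLE_REDIRECTS = {
  'http://short.example/abc':        { status: 301, location: 'http://other-short.example/xyz' },
  'http://other-short.example/xyz':  { status: 302, location: '//login-bank.example/verify' },
  'http://login-bank.example/verify': { status: 200 },
  'http://short.example/loop1':      { status: 301, location: 'http://short.example/loop2' },
  'http://short.example/loop2':      { status: 301, location: 'http://short.example/loop1' },
};
const sampleFetchHead = (url) => SAMPLE_REDIRECTS[url];

const result = expandShortUrl('http://short.example/abc', sampleFetchHead);
console.log(result.chain.join(' -> '));
console.log('lands on the claimed site:', hostMatchesExpected(result.final, ['bank.example']));
```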


State Senator’s Email Hacked

Written by Sue Walsh on July 22, 2010

Hackers hit the Yahoo! email account of Iowa State Senator Bob Dvorsky earlier this month and used it to send phishing emails to everyone on his contact list. The emails were titled “Emergency Please” and claimed the Senator was stranded in Scotland because he had been mugged and needed money to pay his hotel bill and get home. Presumably in an effort to cover all bases, the hackers made sure the emails also mentioned that he had contacted the U.S. Embassy and had gotten no help.

Anyone who believed the message and replied would have received instructions to wire 10,000 pounds (roughly $15,000 US) overseas. In reality, however, Dvorsky was safe at home and in no need of any financial assistance. He found out about the scam emails from his friends. He admits that the hackers probably had his password because he gave it to them. Dvorsky said that earlier this year he got an email claiming to be from Yahoo! and asking for his password. He complied with the request.

This scam is nothing new. Last year a member of Britain’s parliament was hacked and just last week I got a scam mail from a friend which was nearly identical to the one described here. The hackers use this trick figuring that a person’s friends will trust that the sob story is true and send the money.

Unfortunately, if people don’t check sources when they get an email asking for their password, phishing scams will remain alive and well.

Avalanche phishing attacks slow to trickle

Written by John P Mello Jr on July 15, 2010

Internet Identity reported that the United States remained the leader in hosting phishing sites during Q1 of this year.

Phishing attacks by the notorious Avalanche gang slowed to a drip during this year’s first quarter, according to a report recently released by Internet Identity, a company based in Tacoma, Wash. that’s focused on fighting online crime against the enterprise.

The report revealed that a coordinated assault on the Avalanche gang in November of 2009 has had devastating effects on the crew. “This factor, among others, was a primary reason why the attack volume in Q1 was a mere shadow of the numbers seen in 2009,” it said. “To wit, only 133 attacks were recorded in March 2010–down 95.5 percent from December 2009.”

According to the Anti-Phishing Working Group, “by mid-2009, phishing was dominated by one player as never before–the ‘Avalanche’ phishing operation.”

“This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and ‘crimeware’ malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts,” the group disclosed in its report on phishing activity during the second half of 2009.

It reported that Avalanche was responsible for two-thirds (66 percent) of all phishing attacks launched in the second half of 2009, and was responsible for the overall increase in phishing attacks recorded across the Internet.

Although Avalanche attacks were severely curtailed during the period, the Internet Identity report noted that non-Avalanche attacks increased 14 percent quarter-to-quarter.


Top 10 Phishing Targets

Written by Sue Walsh on June 28, 2010

The spam reports are out for May and here’s the latest list of the top 10 phishing targets:

10. NatWest - This bank is a newcomer to the list. Like many other financial institutions, it’s likely the target of the Zeus banking Trojan, which pumps out massive amounts of spam to distribute itself. The emails pretend to be notices from the bank asking recipients to log into their accounts to verify info or download a security update. Those that do find their login credentials captured by a keylogger and their bank accounts compromised.

9. Bank of America – A favorite phishing target, BOA briefly fell out of the top 10 but is back again. Zeus has hit them especially hard.

8. MSN - Users of MSN have begun receiving spam messages that look like they came from friends inviting them to try a service that claims to tell you who, if anyone, has blocked you recently. Those that fall for the phish have their MSN logins stolen and are brought to a page advertising a variety of free offers, all of which lead to adult chat rooms and try to push adware. Victims will also discover that their entire address book was sent the same spam.

7. Halifax – This bank, located in the UK, is yet another victim of Zeus.

6. Bradesco - Yet another bank that’s fallen victim, this time it’s one of Brazil’s biggest.

5. Google - This phishing attack targets Gmail users, who have been receiving spam messages warning them that their account will be deleted unless they “verify it” by providing their name, Gmail ID, password, and country. It’s one of the oldest phishes around.

4. Facebook - Like the Google attack, Facebook users are receiving fake emails that claim to be from Facebook announcing that Facebook has rolled out a new login system and they need to update their account.

3. HSBC - HSBC, a bank with customers around the world, is yet another victim of Zeus and other phishers. Interestingly enough, I’m an HSBC customer and have never received a phishing email pretending to be them!

2. eBay – One of the favorite targets of phishers. Their goal is to steal people’s eBay accounts and either use them to post scam auctions or attempt to hijack the PayPal account attached to it. Speaking of PayPal…

1. PayPal - It’s no surprise they are at number one. Phishers have been exploiting them for years and there’s no end in sight. Hijacked PayPal accounts can be both very lucrative and very useful!

Government Site Found Hosting Phishing Data

Written by Sue Walsh on June 27, 2010

The folks over at Sunbelt have an interesting blog post. It seems a huge database of stolen data gathered from people who fell for phishing emails was found in the unlikeliest of places – a government website. Paraguay’s to be exact. The website for their “Gobernacion Departmento Central”, which is roughly equivalent to the U.S. State Department, was found to be hosting login credentials from over 14 different UK banks including Barclays, Abbey, Northern Rock, Halifax, Lloyds TSB, Royal Bank of Scotland and FirstDirect. According to the dates on the directory page the data had been sitting there for nearly 4 months, completely undetected. The company contacted the site and the directory has since been yanked offline.

Just goes to show you how sneaky spammers, phishers and other cybercriminals can be. It’s easier and safer for them to “borrow” space from a legit site to host their stolen treasure. They don’t have to worry about being caught red-handed or losing anything if they get knocked offline.

Not long ago both Twitter and Amazon were found to be hosting the C&C servers for a botnet, and it’s very likely there are more legit websites out there hosting stolen data or C&C servers. This is at least partly because site owners don’t secure their FTP portals, making it easy for the bad guys to slip in. If you don’t use FTP, block it altogether. If you do, change your password regularly and make it hard to guess. Checking all your directories with a fine-tooth comb is a good idea too. The sooner you catch an intrusion, the better!

Phishers push mischief with tabnapping

Written by John P Mello Jr on May 27, 2010

Raskin: airs method to hijack browser tabs.

Since their introduction, tabs have grown in importance in browsers, and now they’re an absolute necessity. That’s why the news that they may be exploited for mischief by phishers is a shocker.

The exploit was exposed by Aza Raskin, a Firefox developer, design and interface expert, cardboard furniture maker and son of Jef Raskin, the father of the Mac. It takes advantage of Web users who tend to have inactive tabs open in their browsers. When the outlaw code, written in JavaScript, senses a tab has been inactive for a period of time, it stealthily redirects the tab to a phishing site. The code can reach a victim’s browser in a number of ways, such as surreptitious execution at a legitimate site that’s been compromised by phishers.

“Most phishing attacks depend on an original deception,” Raskin explained at his website. “If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.”

“What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking,” he added. “That’ll catch us by surprise.”

Tabnapping is most effective on targets who like to keep a lot of tabs open at one time in their browser, and who have volatile short-term memories. Here’s a scenario cited by Raskin.

You navigate to a legitimate website that contains tabnapping code. You continue jumping to sites and opening new tabs. The code at the tabnapping site recognizes its tab has been inactive for several seconds. In the blink of an eye, the code changes the tab’s label and icon, or favicon, to, let’s say, Gmail, and creates an underlying URL to a phony Gmail login page. After a while, you notice the Gmail tab. You don’t remember opening Gmail, but you assume you must have forgotten opening it. You click the tab, are taken to the bogus login page and enter your login information, which is promptly stored on the phisher’s server, and you are then redirected to the real Gmail site.
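The tell-tale signal in the scenario above is that a tab's title and favicon change while nobody is looking at it. The following is an added example, not Raskin's code and not from the original post, written from the defender's side: a pure function that flags title or favicon changes recorded while the tab was hidden, plus a small hook that a user could load as a userscript or extension content script to keep that log on real pages. The event names, the `SAMPLE_EVENTS` timeline and the `attacker.example` host are constructed for the example.

```javascript
// Events are {type: 'hidden'|'visible'|'title'|'favicon', value?: string}.
// Returns the list of title/favicon changes that happened while the tab was
// hidden; a change made while the user is looking at the page is normal.
function detectTabnapping(events) {
  let hidden = false;
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'hidden') { hidden = true; continue; }
    if (ev.type === 'visible') { hidden = false; continue; }
    if (hidden) findings.push({ type: ev.type, value: ev.value });
  }
  return findings;
}

function tabnappingSuspected(events) {
  return detectTabnapping(events).length > 0;
}

// Constructed sample timeline mirroring the Gmail scenario (hypothetical values).
const SAMPLE_EVENTS = [
  { type: 'title', value: 'Some Article' },
  { type: 'hidden' },
  { type: 'title', value: 'Gmail: Email from Google' },
  { type: 'favicon', value: 'http://attacker.example/gmail.ico' },
  { type: 'visible' },
];
console.log('suspicious changes while hidden:', detectTabnapping(SAMPLE_EVENTS));

// Browser hook: only runs inside a page. Records visibility changes, watches
// <head> for title/icon mutations, and warns when the user comes back to a
// tab whose identity changed behind their back.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const log = [];
  const iconHref = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  let lastTitle = document.title;
  let lastIcon = iconHref();
  new MutationObserver(() => {
    if (document.title !== lastTitle) {
      lastTitle = document.title;
      log.push({ type: 'title', value: lastTitle });
    }
    const icon = iconHref();
    if (icon !== lastIcon) {
      lastIcon = icon;
      log.push({ type: 'favicon', value: icon });
    }
  }).observe(document.head, { subtree: true, childList: true, characterData: true, attributes: true });
  document.addEventListener('visibilitychange', () => {
    log.push({ type: document.hidden ? 'hidden' : 'visible' });
    if (!document.hidden && tabnappingSuspected(log)) {
      console.warn('This tab changed its title/icon while hidden:', detectTabnapping(log));
      log.length = 0; // reset so the next hidden period is judged on its own
    }
  });
}
```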
