Phone Scam Adds Computers to Botnet

Written by Sue Walsh on July 26, 2010

Security experts are warning about a new phone scam that trades on Microsoft’s name. The scammers call claiming to be from the company’s tech support department and explain that critical errors have been detected in the recipient’s operating system, which they want to help correct. To do so they walk the victim through several “diagnostic” steps, one of which is to download a program from a website the scammer points them to. A recipient who goes along has just handed the scammers remote access to the computer. The scammers then turn the system into a zombie, add it to a botnet and start pumping out spam. Some variations use the remote access to scan the system for any personal information. A few bold scammers have even demanded payment for their “help”! So far the calls have been reported in Australia, the UK and the United States. It is not yet known which botnet is behind the attacks.

If you or any of your employees get such a call, hang up immediately. Should someone in your company fall for it, take the affected computer off your network and off the internet completely until it has been cleaned. Better still, keep computers holding sensitive data such as financials and employee records isolated from the network and the internet in the first place: a machine that isn’t connected is much harder to infect.

Microsoft says they are aware of the calls and are investigating.

World Cup Spam On the Rise

Written by Sue Walsh on June 25, 2010

It shouldn’t come as much of a surprise that World Cup spam is on the rise. Spammers wasted no time taking advantage of the much-anticipated soccer championship. Spam messages offering free or heavily discounted tickets, “exclusive” video coverage, free gift cards in exchange for predicting which country will win, and even a fake Visa promotion have all been spotted and are being pumped out at an increasing rate. The spammers are counting on fans being so eager to be part of anything World Cup related that they’ll happily click through. Those who do are sent to a phishing site, a shady online pharmacy, or a fake news site that tries to install malware using the old fake video codec trick, in which the “codec” the visitor is told to install to watch the clip is the malware itself.

Security experts say the flood of spam will keep rising sharply as the tournament continues and advise all fans to be extremely careful about what they click on.

The World Cup isn’t the only event being exploited by spammers. Malicious spam related to actor Gary Coleman’s tragic death, the disaster in the Gulf, and the World Expo in Shanghai has also been spotted. Exploiting headlines and scandals is one of the oldest and most popular tricks in the spammers’ playbook, for one simple reason: it works. Enough people still fall for the fake emails to make it profitable, and profit is the key word. As long as a scam technique stays profitable, it will be used over and over again.

Malware Mailing May Have Been a Test

Written by Sue Walsh on September 7, 2009

The malware-infected CDs mailed to several credit unions late last month may have been part of an authorized penetration test. The SANS Internet Storm Center said it was notified by Microsolved that the firm was responsible for the mailing.

Starting a few weeks ago, credit unions around the country began receiving a set of CDs in the mail along with a letter that claimed to be from the National Credit Union Administration (NCUA). It was a fake fraud alert that urged the recipient to review the documents on the CDs, which it described as training materials, and it was riddled with poor spelling and grammar:

“The NCUA has warned numerous times about “phishing” scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies or government agencies asking consumers to “re-submit” or “verify” confidential information such as bank accounts, Social Security Numbers, passwords, and personal identification numbers…

Please read the included document, as it contains important training and informational material regarding the risks of fraud…”

The NCUA immediately issued an alert warning credit unions not to run the CDs, as doing so might cause a security breach. It is not yet known exactly what was on the CDs, but according to Microsolved the mailing was simply a test to gauge how many employees would fall for the scam and run them. So far there have been no reports of any breaches or harm caused by the mailing.

Twitter hit by spam wave

Written by Dan Blacharski on August 10, 2009

Twitter has been in the news the past few days, and it hasn’t been pretty. On Wednesday, the Mashable blog reported that scads of Twitter accounts were seen sending out spam tweets with URL links all at once. The spam was not coming from run-of-the-mill spam accounts created just for the purpose of disseminating spam, but from regular accounts that had obviously been hijacked. Spammy tweets had been going out by the hundreds, making it appear to many people that their friends were recommending a get-rich-quick scheme, which of course they were not.


Phishing Down Under

Written by Dan Blacharski on June 30, 2009

The Sydney Morning Herald reported yesterday that a new scam is making the rounds in the land down under. A phishing email claiming to come from the Australian Tax Office (ATO) promises Aussie taxpayers a $250 bonus with their tax return and sends them to an online form that asks for their tax information along with their bank account details.

The web site containing the form then asks the victim to mail a printed copy of the form to a postal address. The print-and-send is just a ruse, though: the form data is actually sent to the scammer when the victim presses the “print” button. Like many such scams, the email tries to create a false sense of security by claiming the print-and-send routine is being done for the victim’s safety.

Officials still have not been able to trace the source of the fraudulent emails, whose sender is using a bot network to send them. The ATO recommends that people delete emails like this immediately, and notes that it does not ask people to provide personal information by email. The same holds true for most, if not all, tax collecting agencies in other countries.

Grand Jury Indicts 4 In Huge College Spam Ring

Written by Sue Walsh on May 11, 2009

A Missouri grand jury has indicted four men, including a pair of brothers, for their roles in a huge spam operation that targeted over 2,000 colleges. Authorities say Amir Ahmad Shah and his brother Osmaan created a program that harvested over 8 million student addresses from those colleges. Those addresses were then sent thousands of spam messages hawking such things as digital cameras and spring break specials. To gain the students’ trust, the brothers claimed to be campus representatives and that the businesses were alumni-owned, both of which were untrue.

          “Nearly every college and university in the United States was impacted by this scheme,” Matt Whitworth, acting U.S. attorney for the Western District of Missouri, said in a statement. “Illegal hacking and e-mail spamming wreaks havoc on computer networks. These schools spent significant funds to repair the damage and to implement costly preventive measures to defend themselves against future intrusions.”

The operation allegedly netted over $4.1 million. The Shahs and their company face 26 charges of aiding and abetting each other to access a protected computer without authorization and to transmit commercial emails with the intent to deceive or mislead recipients about the origin of the messages, as well as conspiracy to engage in an unlawful spam operation and multiple charges of fraud using computers and email. They face a minimum of 10 years in jail as well as stiff fines.

Spammers gaming Google, beware of strange Polish domains in search results

Written by Dan Blacharski on April 17, 2009

Next time you search the web for a part for your old classic Ford, be careful which links you click on. Recent reports describe a technique for pushing spam by gaming the Google search engine. The operators target people using Google to search for Ford and Nissan parts. Once the search runs, the results are full of spammy sites that won’t sell you a carburetor but will download malware onto your computer and try to sell you a bogus anti-virus program.

Many of the URLs are unusual, often containing several numbers and registered under Polish domains. When the searcher clicks on the link, they land on a page that performs a drive-by download; the payload makes the victim’s computer generate pop-up ads and a security warning telling the victim they have a virus and must purchase a security program.

The combination of Polish domains and automotive results is what caught my eye on this issue. Curious Polish domains concerning automotive care are no stranger to me. A Google search on my name will serve up hundreds of articles and links to my books, as well as links to Polish web sites that talk about automotive repair. But, in my case, it’s not scareware, it’s just because my last name is strikingly similar to the Polish word used for an auto body repair shop. 

But aside from that curiosity, the bogus URLs are a real threat, and one of the only web site spam attacks out there that actually targets a specific brand. So if you’re looking for a part for an old Ford Galaxie, and you see a link from a Polish domain, it can be one of two things. It may really be someone in Poland that has a legitimate web site to sell car parts. You may even be directed to a “blacharstwo,” or an auto body repair shop. Maybe one of my relatives. But more than likely, it’s part of a scareware scam.
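To triage a page of search results for the pattern described above, here is an added example written for this page (it is not code from the original post, from Google, or from any vendor). The heuristics are assumptions chosen to match the description: digit-heavy hostnames or paths, a .pl registration, and an automotive brand keyword next to generated-looking numbers. A .pl domain on its own never crosses the flag threshold, because, as the post says, plenty of Polish parts and body-shop sites are legitimate. The sample results use example domains and are constructed.

```python
"""Triage search-result URLs for digit-heavy, brand-baited Polish domains.

Added example, not the original post's code. Weights, the watched TLD set,
the brand keyword set and the threshold are all assumptions.
"""
import re
from urllib.parse import urlsplit

WATCHED_TLDS = {"pl"}                # assumption: TLD seen in the campaign
BRAND_KEYWORDS = {"ford", "nissan"}  # brands the post says were targeted
FLAG_THRESHOLD = 3                   # assumption: score at which a URL is flagged


def url_features(url: str) -> dict:
    """Extract the handful of features the heuristic scores."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    text = host + parts.path.lower()
    return {
        "host": host,
        "tld": labels[-1] if labels else "",
        "host_digits": sum(ch.isdigit() for ch in host),
        "long_digit_run": bool(re.search(r"\d{4,}", text)),
        "brand_hit": any(brand in text for brand in BRAND_KEYWORDS),
    }


def suspicion_score(url: str) -> int:
    """Higher means more like the scareware result pattern."""
    f = url_features(url)
    score = 0
    if f["tld"] in WATCHED_TLDS:
        score += 1          # registered under a Polish domain
    if f["host_digits"] >= 3:
        score += 2          # "several numbers" in the hostname itself
    if f["long_digit_run"]:
        score += 1          # generated-looking page names such as ford-parts-9821.html
    if f["brand_hit"] and (f["host_digits"] >= 3 or f["long_digit_run"]):
        score += 1          # brand keyword combined with generated-looking digits
    return score


def flag_results(urls):
    """Return (score, url) pairs at or above the threshold, worst first."""
    scored = [(suspicion_score(u), u) for u in urls]
    return sorted(((s, u) for s, u in scored if s >= FLAG_THRESHOLD), reverse=True)


# Constructed sample of search results (example domains, not real sites).
SAMPLE_RESULTS = [
    "http://www.fordparts.example.com/galaxie/carburetor",
    "http://parts23847.example.pl/ford-parts-9821.html",
    "http://blacharstwo.example.pl/naprawa-karoserii",
    "http://auto-czesci.example.pl/nissan/filtr-oleju",
    "http://nissan.example.pl/8812039/index.php",
]

if __name__ == "__main__":
    for score, url in flag_results(SAMPLE_RESULTS):
        print(f"{score}  {url}")
```

Run on the sample, only the two digit-stuffed brand-baited .pl results are flagged; the legitimate-looking body shop and parts store score 1 each and pass through.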

Citibank Falls for Nigerian Scam

Written by Sue Walsh on March 3, 2009

Yes, that’s right. Citibank, one of the largest financial institutions in the country, fell for the old 419 scam. Federal authorities have indicted a Nigerian man for attempting to scam the bank out of over $27 million! Here’s how the scheme worked, according to the New York Times:

          To carry out the elaborate scheme, prosecutors in New York said on Friday, the man, identified as Paul Gabriel Amos, 37, a Nigerian citizen who lived in Singapore, worked with others to create official-looking documents that instructed Citibank to wire the money in two dozen transactions to accounts that Mr. Amos and the others controlled around the world.

The money came from a Citibank account in New York held by the National Bank of Ethiopia, that country’s central bank. Prosecutors said the conspirators, contacted by Citibank to verify the transactions, posed as Ethiopian bank officials and approved the transfers.


Fake Greeting Card Emails Resurface

Written by Carl E. Reid on November 5, 2008

Over the last few months I’ve noticed a resurgence of e-card spam scams from our unfriendly neighborhood spammers.

According to security expert Bill Mullins, in the last year email inboxes have been swamped with similar scam emails from fraudulent sites like Greetings.com and 2000Greetings.com, among others.

This time around, the domain name being used by the scammers is Greetingcard.org, which is the legitimate site of The Greeting Card Association, a greeting card industry trade association. The organization makes no bones about it, saying on its website: “We do not publish cards, nor do we have an e-card pick up. If you receive an e-card notification from our association, it is fraudulent and should be deleted”.


Trojan Compromises Over 300,000 Accounts

Written by Sue Walsh on November 4, 2008

Over the past three years a powerful Trojan maintained by a cybercrime organization has stolen the usernames and passwords of nearly half a million bank accounts and nearly as many credit card numbers. Researchers captured some of the code of the Trojan (known as Sinowal, Mebroot or Torpig) and used it to track down its drop server full of the stolen information. Further research showed it has been active since early 2006.

The Trojan waits for the user to enter the URL of a banking or credit card site. Once it recognizes one, it substitutes a fake page that captures the user’s details. So far it is known to recognize nearly 3,000 different URLs, and most anti-virus programs do not detect it: it hides behind a rootkit that infects the PC’s master boot record, so it loads before the operating system and the anti-virus software and is practically invisible to them.
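One check a practitioner can run against an MBR rootkit of this kind is to compare the boot sector with a known-good copy. The following is an added example written for this page; it is not code from the original post or from any published analysis of Sinowal, Mebroot or Torpig. It relies on the MBR layout itself (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, and the 0x55AA boot signature), and on the assumption that a rootkit which rewrites the boot code must leave the partition table and signature intact so the machine still boots. The two sectors below are constructed; on a real machine you would read the first 512 bytes of the raw boot-disk device (PhysicalDrive0 on Windows) with administrator rights and keep the baseline hash off the machine.

```python
"""Compare a disk's master boot record (MBR) against a known-good baseline.

Added example, not the original post's code. The sample sectors are
constructed; the layout constants follow the classic MBR format.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: boot loader code
DISK_SIG_OFFSET = 440          # bytes 440-443: disk signature, 444-445 reserved
PART_TABLE_OFFSET = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR with one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # status 0x80 (bootable), CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    sector = code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into the fields an integrity check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                    # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition in table")
    return findings


# Constructed clean boot code: a short JMP over padding, as real loaders start.
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 57 + b"\xfa\x33\xc0\x8e\xd0")
# Constructed tampered copy: same partition table, different boot code.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x60\x90" + b"\x00" * 93 + b"\xb8\x00\x7c")

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
    print("clean:   ", check_mbr(CLEAN_MBR, baseline))
    print("tampered:", check_mbr(TAMPERED_MBR, baseline))
```

The point of hashing only the first 440 bytes is that legitimate tools (partitioning software, a new disk signature) change the tail of the sector without touching the loader, so a partition-table change and a boot-code change are reported separately rather than as one opaque mismatch.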
