False Adwords Emails
Some people have been receiving emails that appear to come from Google AdWords. The email has a long story about your account being suspended and gives you a link to reactivate it.
At first glance the link to Google Adwords seems genuine, but instead it takes you to a fake web site that looks exactly like Google Adwords. It lets you type in your username and password, sends them to the person who set up this fake site, then takes you to the login page of the real Google Adwords site.
This is a common phishing email targeting Google Adwords customers.
To tell a genuine link from a fake, malicious one, put the mouse pointer over the link (without clicking) and wait a second. Most email clients will show you the true destination, either in a yellow tool-tip or at the bottom of the window.
I checked my spam folder and found one of these emails, let’s have a close look at it:
The sender looks legitimate. Look at the part in the angled brackets, adwords-noreply@google.com. The sender’s name and email address are trivial to forge, and this email didn’t really originate from Google.
Now at the end of the email is a link to http://adwords.google.com/select/login. At first glance this looks innocent. What everyone should get into the habit of doing is putting the mouse pointer over the link (without clicking) and looking at the bottom of the screen to see where it really points.
Let’s have a look at where this link would really take you:
It says: http://adwrods.google.select.ncjd43.cn (NOTE: don’t try visiting this site).
This is not Google’s site. It’s hosted on ncjd32.cn (always look at the last 2 parts of the host name, as explained in our earlier article). CN stands for China, so this fake site was registered in China – something that should make you suspicious of this link. Also note they spelt adwords wrong (adwrods). The word Google in this link doesn’t have anything to do with the real Google; it’s only there to trick casual readers.
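The check described above (hover to reveal the true destination, then compare the last two parts of the host name against the domain you expect) can be written as a small script. This is an added example, not part of the original post; it assumes the expected domain is google.com and uses the displayed and real links from the email above as constructed input.

```python
# Added example: the article's "last two parts of the host name" check in Python.
from typing import List
from urllib.parse import urlparse


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host name (the article's rule of thumb).

    Caveat: this heuristic reports example.co.uk as 'co.uk'; a production checker
    would consult the Public Suffix List instead.
    """
    host = urlparse(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(displayed_text: str, href: str, expected_domain: str) -> List[str]:
    """Return warnings for one link as it appears in an email.

    displayed_text is what the reader sees; href is where the link really points
    (what the tool-tip or status bar shows when you hover over it).
    """
    warnings = []
    real = registrable_domain(href)
    if real != expected_domain.lower():
        warnings.append(f"link points to {real}, not {expected_domain}")
    # A visible URL whose domain differs from the true target is the classic phishing tell.
    if "://" in displayed_text or displayed_text.startswith("www."):
        shown_url = displayed_text if "://" in displayed_text else "http://" + displayed_text
        shown = registrable_domain(shown_url)
        if shown != real:
            warnings.append(f"displayed URL shows {shown} but link goes to {real}")
    return warnings


# Constructed samples: the link text and true destination from the email discussed above,
# and a genuine link for comparison.
PHISHING_LINK = ("http://adwords.google.com/select/login",
                 "http://adwrods.google.select.ncjd43.cn")
GENUINE_LINK = ("http://adwords.google.com/select/login",
                "http://adwords.google.com/select/login")

if __name__ == "__main__":
    for shown, target in (PHISHING_LINK, GENUINE_LINK):
        print(target, "->", check_link(shown, target, "google.com") or ["ok"])
```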
So there you have it, an example of how to spot a phishing email.
A good virus & spam filtering system will filter out most of these phishing emails.
Note: Google Adwords is an advertising service run by Google. Go to Google’s site and type in adwords to find the real site.
Malware Targeted Against Pro-Tibet Groups
A new malware-infected email is being sent to people on Pro-Tibet mailing lists. This is an example of a targeted attack, where a particular group of people are the intended recipients of the malware; in this case the attack is politically motivated.
F-Secure have investigated the malware and have concluded that it originates from China. It carries a PDF file that installs a key-logger on a recipient’s computer. The key-logger sends all of the user’s key strokes to a server located in China.
To recognise the malicious email look for the following:
- The email is forged to appear to originate from Unrepresented Nations and Peoples Organization (UNPO)
- From: unpo@unpo.org
- Subject: UNPO Statement of Solidarity
- First few lines of the email:
The Hague, 17 March 2008 – The Presidency of the Unrepresented Nations and Peoples Organization (UNPO), led by President Mr Ledum Mitee, expresses its solidarity on behalf of all UNPO Members with the people of Tibet in this period of extreme tension and reiterates its support for their decades-long nonviolent campaign against Chinese suppression.
- Has an attachment called “UNPO Statement of Solidarity.pdf”
If you receive this email or others like it, delete it.
According to F-Secure there are other similar emails that are also part of the targeted attack and may contain any of the following attachments:
- UNPO Statement of Solidarity.pdf
- Daul-Tibet intergroup meeting.doc
- tibet_protests_map_no_icons__mar_20.ppt
- reports_of_violence_in_tibet.ppt
- genocide.xls
- memberlist.xls
- Tibet_Research.exe
- tibet-landscape.ppt
- Updates Route of Tibetan Olympics Torch Relay.doc
- THE GOVERNMENT OF TIBET.ppt
- Talk points.chm
- China’s new move on Tibetans.doc
- Support Team Tibet.doc
- Photos of Tibet.chm
- News ReleaseMassArrest.pdf
- Whole Schedule and Routing for Torch Relay.xls
For more information see here.
Brazilian Tax Return Site
Another fraudulent tax return site has appeared, this time targeting people in Brazil. It begins with a forged email claiming to be from Brazil’s Ministry of Finance, Ministerio da Fazenda.
The email has a link to a virus file called formulario.exe.
If you receive this email, just delete it. Don’t click on the links and don’t download (or, even worse, run) the .exe file it offers you.
And of course invest in a good anti virus package that will filter these sites and block them.
Other recent tax scams:
KeePass
KeePass Password Safe is a Windows application that can store all your logins and passwords. It has a long list of useful features and can even generate random passwords for you.
Some features that make this a good tool:
- Passwords are encrypted, making them impossible to read without the master password
- You can use a new password for every site without forgetting which is which
- You can use complicated (strong) passwords more easily
- You can backup your password list to a file (e.g., onto a USB flash drive that you store safely)
- It’s open source. Everyone’s free to inspect the source code and convince themselves this program is safe and doesn’t do anything malicious with your passwords. This is very important.
Of course you need to have a computer you trust and use often for this program to be of any use to you. Use a good anti virus package and regularly back up the machine.
KeePass’s website is here.
Password Meter
Recently we mentioned Microsoft’s Password Checker. Today we’ve come across a much more sophisticated password testing program, Password Meter.
Password Meter measures a wide range of password metrics and gives them weighted values. It’s quite thorough.
Apart from strong passwords the following tips are useful:
- Ensure nobody watches you type in your password
- Keep your computer safe from key-logging programs. Use a good anti-spyware tool for this
- Change your password often (every 1-2 months)
- Don’t log into important sites on a public computer, such as at an internet cafe. Important sites include online banking sites, eBay, or any sites where money transactions can occur
Password Meter’s site is here.
Identity Theft Using LimeWire
Here’s an interesting story that hopefully raises your awareness of identity theft.
Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.
Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they had nothing to lose, or that documents should be free and shared. Whatever the reason, documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.
Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.
In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.
BBB Infected Website
The Better Business Bureau website has been infected with malware. Visitors to the site are asked to download and install an ActiveX control (that has malicious code). Their web site is www.national-bbb.com.
If you ever receive an alert you weren’t expecting, especially one asking you to download and install anything, cancel everything it asks you to do. There is no reason to install anything to view a web page.
We’ve written earlier about websites that ask visitors to install things, and on how to take more extreme measures to completely block ActiveX code.
Fake Anti Spyware
Brave Sentry is a fake anti spyware product that’s been going around a lot lately. It’s also known by these names:
- Brave Sentry
- Spy Sheriff
- Spyware Quake
- SpyFalcon
Once it gets onto your computer it tells you it found a large number of threats. For example, it could say “BraveSentry Scan found 138 threats”. This is false; following its instructions takes you to a site asking for money to remove the spyware.
Here’s a procedure on how to remove Brave Sentry, if you happen to become infected.
And to avoid infection follow these tips:
- Install a good (and well known) anti virus/anti spyware product.
- Avoid using Internet Explorer. Use one of the current alternative browsers such as:
4.2 Million Credit Cards Stolen
It’s no surprise there are so many stolen credit card numbers being bought and sold on the internet. Earlier this week there was a data intrusion into Hannaford Bros.’s network and 4.2 million credit card numbers were stolen, together with their expiry dates. Hannaford is a popular supermarket chain in the USA.
If you shopped at Hannaford with a credit card recently then check your credit card statements for misuse.
The official notice from Hannaford’s CEO is here.