False Adwords Emails
Some people have been receiving emails that appear to come from Google AdWords. The email has a long story about your account being suspended and gives you a link to reactivate it.
At first glance the link to Google Adwords seems genuine but instead it takes you to a fake web site that looks exactly like Google Adwords. It lets you type in your username and password, sends them to the person who set up this fake site, then takes you to the login page of the real Google Adwords site.
This is a common phishing email targeting Google Adwords customers.
To tell real links from fake, malicious links, put the mouse pointer over the link and wait a second. Most email clients will show you the true destination either in a yellow tool-tip or at the bottom of the window.
I checked my spam folder and found one of these emails. Let’s have a close look at it:
The sender looks legitimate. Look at the part in the angled brackets, adwords-noreply@google.com. Technically the sender’s name & email is trivial to forge. This email didn’t really originate from Google.
Now at the end of the email is a link to http://adwords.google.com/select/login. At first glance this looks innocent. What everyone should get into the habit of doing is putting the mouse pointer over the link (without clicking) and looking at the bottom of the screen to see where it really points to.
Let’s have a look at where this link would really take you:
It says: http://adwrods.google.select.ncjd43.cn (NOTE: don’t try visiting this site).
This is not Google’s site. It’s hosted on ncjd32.cn (always look at the last 2 parts of the host name in the URL, as explained in our earlier article). CN stands for China, so this fake site was registered in China - something that should make you suspicious of this link. Also note they spelt adwords wrong (adwrods). The word Google in this link doesn’t have anything to do with the real Google, it’s only here to trick casual readers.
So there you have it, an example on how to spot a phishing email.
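The hover check described above can be automated for HTML mail. The following is an added example, not part of the original article: it compares each link's visible text with its real href using the last-two-parts rule. The function names and the sample body are made up for illustration, and nothing is fetched from the network.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(url):
    """Last two labels of the host name (the rule of thumb used above)."""
    # Suffixes such as .co.uk need a public-suffix list; not handled here.
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Return (shown, real, real_site) where shown text and href disagree."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        # Compare only when the visible text is itself written as a URL.
        if text.lower().startswith(("http://", "https://")):
            if site(text) != site(href):
                findings.append((text, href, site(href)))
    return findings

# Constructed sample body; the first link reuses the two URLs quoted above.
SAMPLE = (
    '<p>Reactivate: <a href="http://adwrods.google.select.ncjd43.cn">'
    'http://adwords.google.com/select/login</a></p>'
    '<p>Help: <a href="http://adwords.google.com/select/login">'
    'http://adwords.google.com/select/login</a> or <a href="#">click here</a></p>'
)

if __name__ == "__main__":
    for shown, real, real_site in mismatched_links(SAMPLE):
        print(f"shown: {shown}\nreal:  {real}\nsite:  {real_site}")
```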
A good virus & spam filtering system will filter out most of these phishing emails.
Note: Google Adwords is an advertising service run by Google. Go to Google’s site and type in adwords to find the real site.
Malware Targeted Against Pro-Tibet Groups
A new malware-infected email is being sent to people on Pro-Tibet mailing lists. This is an example of a targeted attack, whereby a particular group of people are the intended recipients of the malware, and in this case the attack is politically motivated.
F-Secure have investigated the malware and have concluded that it originates from China. It carries a PDF file that installs a key-logger on a recipient’s computer. The key-logger sends all of the user’s key strokes to a server located in China.
To recognise the malicious email look for the following:
- The email is forged to appear to originate from Unrepresented Nations and Peoples Organization (UNPO)
- From: unpo@unpo.org
- Subject: UNPO Statement of Solidarity
- First few lines of the email:
The Hague, 17 March 2008 - The Presidency of the Unrepresented Nations and Peoples Organization (UNPO), led by President Mr Ledum Mitee, expresses its solidarity on behalf of all UNPO Members with the people of Tibet in this period of extreme tensioni and reiterates its support for their decades-long nonviolent campaign against Chinese suppression.
- Has an attachment called “UNPO Statement of Solidarity.pdf”
If you receive this email or others like it, delete it.
According to F-Secure there are other similar emails that are also part of the targeted attack and may contain any of the following attachments:
- UNPO Statement of Solidarity.pdf
- Daul-Tibet intergroup meeting.doc
- tibet_protests_map_no_icons__mar_20.ppt
- reports_of_violence_in_tibet.ppt
- genocide.xls
- memberlist.xls
- Tibet_Research.exe
- tibet-landscape.ppt
- Updates Route of Tibetan Olympics Torch Relay.doc
- THE GOVERNMENT OF TIBET.ppt
- Talk points.chm
- China’s new move on Tibetans.doc
- Support Team Tibet.doc
- Photos of Tibet.chm
- News ReleaseMassArrest.pdf
- Whole Schedule and Routing for Torch Relay.xls
For more information see here.
Brazilian Tax Return Site
Another fraudulent tax return site has appeared, this time targeting people in Brazil. It begins with a forged email claiming to be from Brazil’s Ministry of Finance, Ministerio da Fazenda.
The email has a link to a virus file called formulario.exe.
If you receive this email just delete it. Don’t click on the links and don’t download (or even worse, Run) the .exe file it offers you.
And of course invest in a good anti virus package that will filter these sites and block them.
Other recent tax scams:
KeePass
KeePass Password Safe is a Windows application that can store all your logins and passwords. It has a long list of useful features and can even generate random passwords for you.
Some features that make this a good tool:
- Passwords are encrypted, making them impossible to read without the master password
- You can use a new password for every site without forgetting which is which
- You can use complicated (strong) passwords more easily
- You can back up your password list to a file (e.g., onto a USB flash drive that you store safely)
- It’s open source. Everyone’s free to inspect the source code and convince themselves this program is safe and doesn’t do anything malicious with your passwords. This is very important.
Of course you need to have a computer you trust and use often for this program to be of any use to you. Use a good anti virus package and regularly back up the machine.
KeePass’s website is here.
Password Meter
Recently we mentioned Microsoft’s Password Checker. Today we’ve come across a much more sophisticated password testing program, Password Meter.
Password Meter measures a wide range of password metrics and gives them weighted values. It’s quite thorough.
Apart from strong passwords the following tips are useful:
- Ensure nobody watches you type in your password
- Keep your computer safe from key-logging programs. Use a good anti-spyware tool for this
- Change your password often (every 1-2 months)
- Don’t log into important sites on a public computer, such as at an internet cafe. Important sites include online banking sites, eBay, or any sites where money transactions can occur
Password Meter’s site is here.
Identity Theft Using LimeWire
Here’s an interesting story that hopefully raises your awareness of identity theft.
Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud-related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.
Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they had nothing to lose, that documents should be free and shared. Whatever the reason, documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.
Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.
In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.
BBB Infected Website
The Better Business Bureau website has been infected with malware. Visitors to the site are asked to download and install an ActiveX control (that has malicious code). Their web site is www.national-bbb.com.
If you ever receive an alert you weren’t expecting, especially one asking you to download and install anything, cancel everything it asks you to do. There is no reason to install anything to view a web page.
We’ve written earlier about websites that ask visitors to install things, and on how to take more extreme measures to completely block ActiveX code.
Fake Anti Spyware
Brave Sentry is a fake anti spyware product that’s been going around a lot lately. It’s also known by these names:
- Brave Sentry
- Spy Sheriff
- Spyware Quake
- SpyFalcon
Once it gets onto your computer it tells you it found a large number of threats. For example, it could say “BraveSentry Scan found 138 threats”. This is false. Following its instructions takes you to a site asking for money to remove the spyware.
Here’s a procedure on how to remove Brave Sentry, if you happen to become infected.
And to avoid infection follow these tips:
- Install a good (and well known) anti virus/anti spyware product.
- Avoid using Internet Explorer. Use one of the current alternative browsers such as:
4.2 Million Credit Cards Stolen
It’s no surprise there are so many stolen credit card numbers being bought and sold on the internet. Earlier this week there was an intrusion into Hannaford Bros.’s network and 4.2 million credit card numbers were stolen, together with their expiry dates. Hannaford is a popular supermarket chain in the USA.
If you shopped at Hannaford with a credit card recently then check your credit card statements for misuse.
The official notice from Hannaford’s CEO is here.
Free Screen Savers Carry Viruses
If you receive an email offering a free screen saver, chances are the screen saver is infected with malware.
Screensavers are just like any other program and can carry malware. And as always you shouldn’t trust unsolicited emails offering something free.
3.6 Million People
Gartner is a well recognised research company. They’ve recently added up the numbers and come up with 3.6 million adults that lost money in 2007 due to phishing scams. In 2006 the figure was 2.3 million.
That’s a lot of people being conned and losing money online. According to this report it adds up to US$3.2 billion in the USA alone.
Some tips you might find useful to avoid being one of these 3.6 million people:
- Never hand over personal details to people or web sites, unless you’re 100% certain of who you’re handing the details to.
- Pay attention to web addresses you click on. Read our article on this here.
- If you didn’t ask your bank or other service provider to send you an email then treat it as suspicious.
- Scammers always take advantage of popular events to send phishing emails. E.g., it’s now Easter so expect lots of Easter related scam emails.
- Be skeptical of what you read online. Chances are you didn’t really win a lottery in Spain without even buying a ticket.
- Use a good antivirus package that includes a web site scanner. The newer packages filter out fraudulent pages.
eBay Fraud
eBay fraud is rampant in Romania, Russia and China. In fact, eBay says that the majority of all eBay phishing emails come from these countries.
Mark Lee is the trust and safety manager for eBay UK and he’s made the following comments:
- “[there's] no fear of real punishment [in these countries]”
- “These attacks are definitely organised”
- “There are towns in Romania where the entire focus is on sites like eBay as the main source of income”
There have been several hundred arrests in Romania after eBay initiated a campaign to stop fraud, in June 2007. But this hasn’t stopped them and it’s still rampant in these parts.
Techniques used by these criminals include asking eBay shoppers for personal details (when people bid or ask questions on the site) - this is known as phishing and the personal details are later used to commit other crimes.
If you use eBay to buy or sell goods have a read here [ http://pages.ebay.com/securitycenter/ ] for tips and tutorials on eBay security. And continue to read FraudO.com for online security tips.
FlashGet Malware
FlashGet is a popular free download manager. The latest version has a problem and someone exploited this problem causing anyone downloading this program to install a trojan on their computer.
Any version starting with the number 1.9 is susceptible to this problem. And if you downloaded it between the 29th of February 2008 and the 14th of March 2008 then it probably installed a trojan on your computer.
Some useful advice:
- Use a different download manager
- Purchase a good antivirus package and scan your computer
Bypassing Passwords Using FireWire
If someone has physical access to a computer they have a pretty good chance of bypassing its security. This new attack uses the FireWire port found on some computers and notebooks to access the computer’s memory and change the system’s password.
It’s been demonstrated to work on Windows XP and on Macs, and could possibly affect other systems.
It’s up to companies like Microsoft and other vendors to fix their software to disable this vulnerability. Some lessons to be learnt are:
- Restrict physical access to your computer
- Don’t let other people plug devices into your computer
- Apply software patches from vendors when they become available. Hopefully they’ll patch this problem
- And if you’re paranoid about this one you can disable FireWire on some computers (by disconnecting the cable inside the computer)
Here’s the article explaining how it works on Windows XP, and here is an article on how it affects Macs.
Microsoft Password Checker
Microsoft has a handy utility that rates your passwords. It doesn’t just look at the length of the password, it looks at how you mix upper case with lower case letters, numbers, punctuation marks etc.
When creating new passwords for your online services aim for Good or Best.
Try it here: http://www.microsoft.com/protect/yourself/password/checker.mspx
Note: there might be better password checkers in existence. I suggest this one because it’s hosted on Microsoft’s site. Whether you love them or hate them, I believe their intentions are good and they won’t try to steal passwords.
Another Symbian Virus
There’s a new virus affecting mobile phones (cell phones) that use Symbian series 60. It’s been detected in China and is called Kiazha-A Trojan.
It gets transmitted through Bluetooth or MMS messages so you can’t completely avoid receiving it but you can delete it if it arrives on your phone.
It first deletes all text messages in the phone then displays a message asking for RMB 50 yuan (US$7) to get them back.
We have a list here showing some of the more popular phones that are vulnerable. If your phone uses Symbian S60 then be aware of virus messages like this one and delete them if you receive it.
It’s also a good idea to back up your phone’s contents to a memory card every couple of months.
Windows powered phones are also susceptible to viruses, as we’ve mentioned here.