Adobe Flash Flaw
This week everyone’s been talking about a new flaw in Flash that can be exploited to run malicious code on your computer. After a few days of media frenzy Adobe has released a fix for it.
If you use Windows then download the update (this includes users of Firefox, Opera and Internet Explorer). Link here.
The fixed version is 9.0.124.0. If you’re keen you can read more about the vulnerability here.
CSS Exploit
CSS is a web design technology that almost every web site today is using. It controls things like colour, fonts, and most of the design on every web page.
A flaw has been discovered that can allow web site creators to know if you’ve been to a particular site. An example has been presented that lets web site owners know if you visit Digg, Del.icio.us, Reddit, and Facebook without having to ask.
This is more of a privacy concern than a security risk. The following tips avoid it, but they’re a little impractical:
- Turn off JavaScript (a lot of web sites today require JavaScript)
- Clear your browser history after you finish reading any pages you don’t want others to know about
It’s a documented bug in the CSS standard that might not get fixed for a while.
Mac OS X Update
Apple has released a major update to Mac OS X. If you use a Mac you should first make a good backup of your computer then apply this update.
It patches over 40 security vulnerabilities (don’t let anyone tell you Macs are completely safe and invulnerable). The latest version is 10.5.3.
Job Scam
It’s now common to see spam advertising bogus jobs. Here is an example.
This job spam promises a lot of money for working very few hours. A few things give it away as spam. Firstly the email address given in the message doesn’t match the sender’s address (it’s not even close).
Secondly: I never asked for this email to be sent, I didn’t apply for any jobs recently and haven’t put myself on any work related mailing lists. This is spam (unsolicited emails).
Next, any job ad that doesn’t actually have a job description is suspicious. And when they promise large amounts of money for 1 to 2 hours work per day it’s too good to be true.
Here is the text of the email (complete with grammatical errors):
Subject: The best offers from our company!
Greetings!
You have a chance to start making 1200+ AUD a week spending 1-2 hours a day
Monday-Friday, working most of the time from home.This opportunity is brought to you by APL Sales Company and now is hiring!You received this offer via Worldwide net of advertisement brought to you via paid ads by Google.If you are looking for an additional job or just an extra income - this position is for you.Designed for an ease of use and the best position available nowadays, time wise and income wise.
Although some requirements need to be met:
You are 18+ years old*
You have 1-2 hours of free time a day Monday-Friday*
You are responsible and dependable*
You are located in Australia only*
—–
Some reference:“Best offer on The Net” - “Money” magazine, -John Keppke.
“Employment situation has gotten on a new level” - “The Economist” magazine, -Laura Star.
“Amazing solution for Extra Income” - “Newsweek” magazine, -Dennis Coleman.
—–
If you meet all requirements - don’t hesitate to get more information on this great
position called “Fund Operator”.Reply to: apple.swed404@gmail.com with subject “Interested” to receive full information on this great position. Limited time offer, don’t wait! And Good luck.
They don’t publish a link to a web site, only an email address, so I don’t really know what they hope to gain from this.
In the interest of research for FraudO I’ve replied to this spam email and will update this post when I receive a reply. I sent the reply to their gmail address (which is different to the spam’s From address) with the following line:
Please provide more information on this offer.
That’s all I’ve said. Let’s wait and see what happens.
…
That was fast, I’ve received a reply already. It must be an automated reply. This is what they sent:
Thank You for being interested!
You have a chance to join our team and start making money for your family or just for yourself, as an extra income.
This is a new generation opportunity and it is based on a taxation loop between two countries.
You will represent a role of a S.u.b. Distributor for our company, it means that you will help us handle payments from our customers within Australia,thus we will pay you 10% commission from every payment that you handle. Since you are an individual it gives us opportunity of paying 2% tax for every sale, that’s why we need help from you.Here is a live example:
1. You receive 3100 AUD from our customer to your b a n k account. We send you instructions by E-mail.
2. You go to the b a n k and withdraw 90%, and you leave 10% for yourself.
3. Then you go to a Western Union and send 90% to one of our agents. (will be given in instructions)
4. Then you send us e-mail with report form. (will be given in instructions)
5. As soon as report form received - you get your next transaction the very next day and so on.
Outcome >> You earned 10% from 3100 AUD which is 310 AUD just in your pocket. And it was only one transaction.It is not complicated at all, anybody can try this out and you always can get help from one of our representatives. Feel free to Get started.F.A.Q.
1. Do i pay any tax? This is not your income and bank will know that, we pay fee for this activity to every Australian Bank.
2. Is there a contract? No, for your convenience we made this a part-time position, you can stop anytime and continue anytime, let us know prior 2 days.
3. How many transaction a day, how often? 1 transaction a day, 4 times a week, Monday-Thursday.
4. What products do you sell and what is the average amount i will need to process? Mostly we are big on electronics and computer hardware, but we also can help any other company to make a sale, so it can invole auto parts as well ashousing equipment.
5. When is this offer valid until? Offer is valid until October the 20th 2010.
6. Is this legal in Australia? Yes, everything is above board and regulated by financial government institution. Feel Free to try yourself out in this opportunity, here is the application information required IN ORDER TO GET STARTED:___________
*FIRST NAME:
*LAST NAME:
*ADDRESS:
*CITY:
*ZIP CODE (optional):
*COUNTRY: Australia
*DATE OF BIRTH:
*MOBILE PHONE#:
*HOME PHONE#:
*NAME OF YOUR BANK::
*ACCOUNT# (contains numbers only):
*BSB# (6 digits):
*YOUR E-MAIL(to contact you best):
————
AFTER YOU SUBMIT YOUR INFO - ONE OF OUR REPRESENTATIVES WILL ASSIST YOU BACK SHORTLY! GOOD LUCK AND WELCOME TO OUR TEAM!!!
Notice that at the end of all this text they’re asking for my bank account details. It’s a scam.
Don’t ever provide your bank account details to strangers (unless, for example, you’re selling something online and need to accept payment, then it’s a compromise between security and doing business). Read here to see what happens if you give out your bank account details to everybody.
The rest of the email is just a story about some complicated money transfer scheme. Even if they really did want to do all this and pay me 10% it just doesn’t sound legal. Could it be a money laundering scheme? It’s not something you should get involved with.
St George Bank Phishing Emails
Phishing emails are very common these days. Below is a common phishing email from a local bank. Keep in mind that the same technique is used with most banks these days. Spelling and grammatical mistakes usually give them away (although this example is pretty good), and read the end of this article for the best ways to tell a phishing email from the real thing.
An email arrives with the subject “Verify Your Phone Number”. Emails asking people to verify something can be eye catching, and add a sense of urgency. Below are the contents of the email:
Dear customer!
St.George Bank Limited is constantly working to improve the account security of our customers. In order, to ensure the integrity and security of our online banking system, we periodically review accounts. We were unable to contact you by phone during the last check, so please verify the information at your account file and make sure it is right.
Please, verify your account information by following the link.
Click here for verification: https://ibank.stgeorge.com.au/verify/
The next verification will be done soon, invalid account information will result in your account being placed to restricted status.
Customer Service
St.George Bank Limited
http://stgeorge.com.au/
Some things you should keep in mind:
- Banks shouldn’t be trying to contact you by email (although sadly some still do)
- Banks rarely need to verify anything
- The links in the email are false
What would happen if you clicked on the links provided in the email? They look genuine enough.
In most email clients when you put the mouse pointer over the link and wait a second, you’ll see the real link. That’s right, the way email works is someone can display a link that looks like a bank site’s address but in fact it can go somewhere completely different. Maybe the technology behind emails should be changed to make this impossible.
In this case the links point to a site called stgeorgeverify dot com. Again this might fool some people because it has the bank’s name in the address, but it’s not the bank’s address. It’s a phishing site designed to let customers type in their bank details so that scammers can sell the information on the black market (and eventually so that money can be stolen from bank accounts).
There’s very little regulation in domain names (web addresses). It’s easy for someone to register a domain name that looks like a bank’s site. Even if it has one additional or different letter it’s enough for anyone to register. And when someone registers a new domain name they can make it do whatever they like. Technically it’s a new site (even though the name looks similar to a legitimate site).
So when you receive emails from important organisations, such as your bank, don’t ever click on the links, because the links in emails can be misleading. Go to the bank’s web site by typing its address into a web browser.
For further reading see our article on how domain names work, and another detailed example of phishing.
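As an added illustration (not part of the original post, and not code from St.George or any bank), here is a small Python script that does what the advice above describes by hand: it reads an email and flags links whose visible text names one address while the href points somewhere else, links to domains the bank doesn’t own, and a Reply-To that doesn’t match the sender (the same giveaway as in the job spam above, where the reply address didn’t match the From address). The message, the bank domain `stgeorge.example` and the look-alike `stgeorgeverify.example` are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the phishing email quoted above.
# The hostnames are placeholders: "stgeorge.example" stands in for the bank's
# real domain and "stgeorgeverify.example" for the look-alike phishing site.
SAMPLE_EMAIL = """\
From: "St.George Bank" <service@stgeorge.example>
Reply-To: verify@stgeorgeverify.example
Subject: Verify Your Phone Number
Content-Type: text/html; charset=utf-8

<html><body>
<p>Click here for verification:
<a href="http://stgeorgeverify.example/verify/">https://ibank.stgeorge.example/verify/</a></p>
<p>Customer Service<br>
<a href="http://stgeorge.example/">http://stgeorge.example/</a></p>
</body></html>
"""

# Domains the organisation legitimately uses (an assumption for the example).
TRUSTED_DOMAINS = {"stgeorge.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain guess: the last two labels of the host name.
    Enough for the example; production code should use the public suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg, name):
    """Domain of the first address in a From/Reply-To style header, or None."""
    header = msg.get(name)
    if header is None or not header.addresses:
        return None
    return header.addresses[0].domain.lower()


def analyse_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings about the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Reply-To that sends answers somewhere other than the claimed sender.
    sender, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")

    # 2. Links: visible text that names one host while the href goes to another,
    #    and any href outside the domains the bank actually owns.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        if registrable_domain(href_host) not in trusted:
            findings.append(f"link to untrusted domain {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run it as-is and it reports three warnings for the constructed message: the Reply-To mismatch, the link whose text says `ibank.stgeorge.example` but whose href goes to `stgeorgeverify.example`, and that same href being outside the trusted domain. This is the automated version of "hover over the link and read where it really goes".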
Ad-Aware 2008
Ad-Aware 2008 is now available. It’s a popular anti-spyware product for Windows that scans your computer for spyware and adware. It comes in three versions:
- Free
- US$26.95, includes features such as real time detection
- US$39.95, includes more advanced features such as network drive scanning
There’s a comparison chart here showing what’s different between the versions. If you’re new to this product and aren’t sure which version you need start with the free version.
Read more about Ad-Aware 2008 here including a download link.
Similar products available for Windows are:
Also note that the larger anti-virus packages such as Trend Internet Security also contain anti-spyware modules.
Email Subscriptions
Today I’ve activated email subscriptions to FraudO.com. Here’s how it works:
- Enter your email address in the form provided near the top of this page (on the right)
- You’ll be asked to verify your subscription
- When new articles are posted on FraudO.com you’ll receive them in your email
It’s that simple.

Nigerian 419 Scams
How much money do you think Australians send to Nigerians because of the old Nigerian 419 scam? (Keep in mind that Australia has a small population of 21 million)
The answer is millions of dollars.
This very interesting interview with the head of the Queensland Police Corporate Crime Investigation Group (what a long title) discusses these scams and provides some interesting details.
People who fall for these scams often don’t report it, and in many cases repeatedly fall for these scams. Watch the video, discuss it with your friends, family and colleagues, and help raise awareness of this particular kind of scam. You can also read this article on how Nigerian scams work.
Orphaned Accounts
An interesting study on orphaned accounts has found some serious security holes.
An orphaned account is when someone leaves an organisation and their network account remains active, instead of being disabled (locked). In a lot of cases those people who have left could still log onto their previous employer’s network and access files and services.
The study found that 27 percent of people reported that they had more than 20 orphaned accounts on their system. If everyone did their job well ideally it would be 0.
38 percent of people said they had no way of knowing if a terminated employee had logged into their system. Security auditing is very important and not very difficult, without it IT managers won’t know who’s doing what on their network.
In other words, in about 27% of companies if someone left they could still log in from home, copy files, send emails, and otherwise use the system the same as when they were officially employed. And in 38% of cases nobody would ever find out.
So how long should it take to terminate an account? Accounts should be disabled at the end of the employee’s last day and not a moment later. In some companies there’s so much bureaucratic admin that, according to the above article, it ends up taking 3 days to a month to do this. Shocking.
In an organisation it should be everybody’s responsibility to protect the network and all private data. If your organisation is slacking in this area say something about it.
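To make the point concrete, here is an added Python example (not from the study or from any product) of the check an IT department can run: reconcile HR’s list of people who have left against an export of network accounts, and report every account that is still enabled after its owner’s last day, including whether it has been used since. The names, dates and the audit date are all constructed sample data.

```python
from datetime import date

# Constructed sample data (names made up): the HR record of who has left and
# when, and an export of network accounts with their enabled flag and last logon.
HR_LEAVERS = {
    "jsmith": date(2008, 4, 30),
    "mlee": date(2008, 5, 2),
    "rkhan": date(2008, 3, 14),
}

ACCOUNTS = [
    # (username, enabled, last_logon or None)
    ("jsmith", True, date(2008, 5, 20)),   # left 30 April, still enabled, used since
    ("mlee", False, date(2008, 5, 1)),     # disabled on time
    ("rkhan", True, None),                 # left in March, enabled, no logon on record
    ("agreen", True, date(2008, 5, 27)),   # current employee, not in the leavers list
]

AUDIT_DATE = date(2008, 5, 28)  # the day the audit is run (constructed)


def find_orphaned_accounts(accounts, leavers, today):
    """Return accounts still enabled after their owner's last working day.
    Each entry records how many days overdue the disable is and whether the
    account was used after the person left (the case the article warns about)."""
    orphans = []
    for username, enabled, last_logon in accounts:
        last_day = leavers.get(username)
        if last_day is None or not enabled or today <= last_day:
            continue  # current staff, already disabled, or still their last day
        orphans.append({
            "username": username,
            "days_overdue": (today - last_day).days,
            "used_after_leaving": last_logon is not None and last_logon > last_day,
        })
    return sorted(orphans, key=lambda o: o["days_overdue"], reverse=True)


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return find_orphaned_accounts(ACCOUNTS, HR_LEAVERS, AUDIT_DATE)


if __name__ == "__main__":
    for o in run_audit():
        flag = "USED AFTER LEAVING" if o["used_after_leaving"] else ""
        print(f"{o['username']}: enabled {o['days_overdue']} days past last day {flag}")
```

On the sample data it lists two orphans: rkhan (75 days overdue, unused) and jsmith (28 days overdue, and logged on three weeks after leaving). Run against a real account export on a schedule, the "used after leaving" column is exactly the information the 38% in the study said they had no way of getting.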
FeedBurner and RSS
Last night I set this website up to use FeedBurner. This is a more advanced way to send RSS feeds and as far as I’ve tested it works well. If you find any problems please let me know.
For those who don’t know, RSS is the technology behind a faster way to read websites such as FraudO. You set yourself up with a news reader and point it at all your favourite web sites. Then whenever something new appears on that website it shows you only the new parts. So instead of checking all your favourite sites each morning you get a real time display of what’s new in your world. It’s great.
If you haven’t used a news reader before head on over to google.com/reader and set yourself up. Then add a subscription to fraudo.com.
There are hundreds of similar products, below are the more popular ones (they’re all FREE):
- If you use My Yahoo! then look at: my.yahoo.com/s/about/rss
- If you have a Google account then use: google.com/reader
- Bloglines: www.bloglines.com
Microsoft’s Outlook is not free; many people already have this installed so I thought I’d mention it since it has a news reader built in: office.microsoft.com/en-us/outlook
The following article explains a lot more about RSS and news readers: http://www.readwriteweb.com/archives/tips_for_making_the_most_of_rss.php . If you haven’t tried it yet I suggest you have a look today.
AusCERT Survey
An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.
| Survey Results | Comments |
| --- | --- |
| 84% of respondents use the internet for banking | 84% of internet users have something to lose if they’re not careful. |
| 5% have used a neighbour’s unsecured wireless internet | This is not only illegal but they’re using an untrusted network |
| 11% never update their operating system | Updates exist to patch known vulnerabilities, so these 11% of people have computers that can be hacked |
| 8% never update their anti-virus software | New viruses are discovered every day so these people are at greater risk |
| 23% have malware infections on their computer | Malware such as spyware and internet banking don’t go well together (i.e. this is how criminals steal money). Malware is always a bad thing to have on your computer. Do something about it. |
| 68% are confident or very confident with computer security | The other 32% should be reading FraudO.com |
The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.
SSH Brute Force Attacks
SSH is used to establish secure connections across the internet. For example a lot of people use SSH to connect to their servers because of the good security it provides. Lots of people trust it and rely on it.
In the past week there has been a large increase in the number of brute force attacks against SSH. What’s a brute force attack? It’s when someone writes a program that starts guessing passwords. It’ll keep trying to guess passwords all day and all night without rest until it finds something that works. The smarter brute force attacks do this slowly so that servers don’t lock the account in defense.
To increase a hacker’s chances of finding the right password these brute force programs use a dictionary and try to guess common words first. Then they try combinations such as replacing o’s with zeros, or putting a 1 at the end (have you ever done this with passwords?). So if your password is based on a word found in the dictionary it’ll be amongst the first ones tried.
The best defence against brute force attacks is to use a complicated password. Complicated passwords can take years to guess, simple passwords can take seconds to guess. Read here about how to evaluate the complexity of a password. And if remembering complicated passwords is a challenge then you might need a password safe.
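As an added example (not from the original post or from any password checker the post links to), the following Python shows one way to evaluate a password along the lines just described: first undo the common tweaks a dictionary attack tries (o for 0, a digit on the end) and see whether a common word is left, then estimate the search space from the character classes used and how long it would take to exhaust at an assumed guess rate. The word list is a tiny constructed stand-in for a real dictionary, and the rate of one million guesses per second is an assumption, not a measurement.

```python
import math

# Constructed mini word list; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sydney"}

# The substitutions the article mentions (o -> 0 and friends), mapped back to letters.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def looks_dictionary_based(password, words=COMMON_WORDS):
    """True if undoing the usual tweaks (digits or ! on the end, letter-for-digit
    swaps) leaves a common word: exactly what a dictionary attack tries first."""
    base = password.lower().rstrip("0123456789!").translate(LEET_MAP)
    return base in words


def keyspace_bits(password):
    """Size of the search space implied by the character classes used, in bits."""
    classes = [
        any(c.islower() for c in password) and 26,
        any(c.isupper() for c in password) and 26,
        any(c.isdigit() for c in password) and 10,
        any(not c.isalnum() for c in password) and 33,   # printable punctuation
    ]
    alphabet = sum(n for n in classes if n)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(password, guesses_per_second=1_000_000):
    """Worst-case time to try the whole space at an assumed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def assess(password, guesses_per_second=1_000_000):
    """Rate a password the way the article describes: dictionary-derived first,
    then by how long brute force would need at the assumed rate."""
    if looks_dictionary_based(password):
        return "weak: dictionary word with common substitutions"
    seconds = seconds_to_exhaust(password, guesses_per_second)
    if seconds < 86_400:
        return "weak: search space exhausted within a day"
    if seconds < 86_400 * 365:
        return "moderate: search space exhausted within a year"
    return "strong: years to exhaust the search space"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "abc123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate)}")
```

Note that "P@ssw0rd!" uses all four character classes and would score well on length and mixture alone, yet it is rated weak because stripping the trailing "!" and undoing the substitutions leaves "password". That is the point of the paragraph above: a guesser tries those variations first, so they add almost nothing.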
So back to SSH. If you manage a server and use SSH to connect to it, have a look at the logs. Other people have reported a 5-10 times increase in the number of SSH attempts on their servers. Make sure your passwords are complicated enough to resist brute force attacks. Consider editing firewall rules to limit the entry points into your network. And make sure everything is patched including routers and firewalls. See this article for further information on these attacks.
And for everyone who’s still wondering what SSH is, don’t worry about the jargon. Just realise that people can and do try to guess passwords.
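"Have a look at the logs" is easier with a little automation. Here is an added Python example (written for this page, not taken from OpenSSH or from the article linked above) that reads the `Failed password` lines sshd writes to the auth log, counts failures per source address, and raises an alert on two windows: a short one for the noisy attacker, and a long one for the "slow" attacker the paragraph above mentions, who spaces attempts out to stay under a lockout threshold. The log lines and addresses are constructed sample data (RFC 5737 documentation ranges, so none of them is a real host); the thresholds are assumptions to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to auth.log.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_AUTH_LOG = """\
May 20 03:14:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
May 20 03:14:03 host sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51023 ssh2
May 20 03:14:04 host sshd[2205]: Failed password for root from 203.0.113.5 port 51024 ssh2
May 20 03:14:06 host sshd[2207]: Failed password for root from 203.0.113.5 port 51025 ssh2
May 20 03:14:08 host sshd[2209]: Failed password for root from 203.0.113.5 port 51026 ssh2
May 20 03:14:09 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51027 ssh2
May 20 03:20:00 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 20 03:20:05 host sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
May 20 04:00:00 host sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 20 05:00:00 host sshd[2401]: Failed password for root from 192.0.2.9 port 33002 ssh2
May 20 06:00:00 host sshd[2402]: Failed password for root from 192.0.2.9 port 33003 ssh2
May 20 07:00:00 host sshd[2403]: Failed password for root from 192.0.2.9 port 33004 ssh2
May 20 08:00:00 host sshd[2404]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2008):
    """Return (timestamp, result, user, ip) for an sshd password line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(lines, fast=(60, 5), slow=(6 * 3600, 4)):
    """Flag source IPs whose failed logins exceed a threshold inside a window.
    'fast' = (seconds, failures) catches the noisy attacker; 'slow' catches the
    low-and-slow one that stays under a per-minute lockout. Returns {ip: reason}."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            failures[parsed[3]].append(parsed[0])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for label, (window, threshold) in (("fast", fast), ("slow", slow)):
            start = 0  # sliding window over the sorted failure times
            for end in range(len(times)):
                while (times[end] - times[start]).total_seconds() > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts[ip] = f"{label}: {end - start + 1} failures within {window}s"
                    break
            if ip in alerts:
                break
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_brute_force(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ALERT {ip}: {reason}")
```

On the sample log this flags 203.0.113.5 on the fast window (five failures in eight seconds) and 192.0.2.9 on the slow window (one failure an hour, which would never trip a five-per-minute lockout). The single typo by alice is left alone. Feed it `/var/log/auth.log` (or wherever your distribution puts sshd's messages) and adjust the thresholds to what is normal on your server.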
Phishing Audits
Some companies have started testing their employees on how they respond to phishing attacks.
A company called Intrepidus Group has a system whereby they basically send your company’s staff spam, testing them on how they respond to it. The system can even concentrate spam on people who are more susceptible to clicking on links.
The system sends results back to the tester on who clicked on the emails, what data they entered in (e.g., their name, credit card numbers, etc).
So the next time you see an email that doesn’t look quite right, and has links to external sites, think hard whether it’s real, spam, or this new kind of "ethical" spam.
The company’s web site explains it better, http://phishme.com/
Domain Slamming
Nick, a regular reader, offered this advice on a scam known as domain slamming. If you have any domain names registered then take note of the following.
A company known as "Domain Registry of America" has been sending letters (the paper kind) telling people that their domain will expire soon and that they need to pay to renew it.
Normally you would renew your domain name with the company you’ve already used to register. But this company sends out letters that look like invoices hoping that some people will just pay it without questioning where it came from.
When you register a domain name you’re required to provide your name, mailing address, and email address. This information is made publicly available (use any of these free Whois services to view this information about any domain name). This is where they get your details from.
There’s plenty of information about domain slamming on these pages here, here and here.
If you own a domain name, especially a .com name, make sure that it’s locked. This is just an option you select when you setup the domain name. Then ignore any letters (or emails) you receive from other companies about your domain name.
Note that this happens in most countries, not just USA.
Yahoo! Malicious Page Alerts
Yahoo! now lets you know if a web site contains malicious content. It works very similarly to how Google does it. From a technical perspective Yahoo’s implementation seems better - it scans files that automatically download.
McAfee have provided the malware detection technology, called SearchScan, so it has a company with a good reputation behind it. Below is an example of how it looks when it finds something dangerous:
Yahoo! operates search engines in several countries, and it will be enabled by default for the following countries: Australia, Canada, France, Germany, Italy, New Zealand, UK, USA.
Password Safes
Password safes are programs that store your passwords. In general they’re a good idea because:
- You have less reason to reuse passwords (having a unique password for every site is much safer)
- You can use more complicated passwords without risk of forgetting them
- If you forget a password you rarely use you can easily retrieve it
- In a business it’s easier to share passwords and control who has access to what (especially in IT departments)
Below are some examples of good password safes:
And this is an example of something that looks good but still isn’t a good idea:
If you use a hosted service like this you’d be giving your passwords away to another organisation. They promise not to look at them. How comfortable would you be trusting someone you haven’t met to hold the password to your online banking?
This comes from their own web site and it should give you an idea (it’s in their FAQ page):
While we take every security precaution, we do not recommend storing sensitive information such as bank account passwords.
In summary:
- It’s ok to store your passwords on your own PC
- It’s not ok to let some other person or company store them for you
- Ideally if you store the passwords on your PC you should:
  - Use a good password safe that encrypts them, like the ones above
  - Use a good anti-virus package to ensure you don’t have spyware on your PC
  - Keep your PC in a safe place, like in your home or in a locked office
  - Keep backups (in case your PC dies) and store the backups in a safe place
  - Don’t do this on a shared computer, including some office computers
Side Note: The 3rd of May was the 30th anniversary of spam.