Facebook Exposes Birth Dates
A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).
Facebook has already fixed the flaw. However, it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.
If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.
You can view a video of how this flaw works here.
Skype Phishing Emails
Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.
How can you tell a real Skype login page from a fake one?
According to Skype the only page that they will ask you for login details is:
https://secure.skype.com/…(anything else is ok here)…
If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?
The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.
Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.
Account blocked
Hello!
We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:Follow this link to re-activate: ACTIVATE
after that, your account will be automatically re-activated.
Thank You!
Skype Administration
The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Google Calendar Phishing
Here’s a new spin in phishing attacks. The idea is to trick people into providing confidential data. This new technique is aimed at Gmail users. Here’s how it works:
- An email arrives in your Gmail inbox. It’s a genuine email addressed to you so Gmail won’t filter it out.
- The email was sent by someone called "customer care". This is enough to get most people’s attention.
- The email is well laid out with a link to your Gmail calendar. This is pretty special as far as spam goes. How did they get a valid link to a calendar entry in there? (Spammers found a way to place calendar entries in other people’s Gmail calendar).
- The email says:
VERIFY YOUR ACCOUNT (…)
This Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email to so that you can verify and let us know if you still want to use this account. (…)
You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.
* Username:
* Password:
It’s an attempt to get you to provide your username and password. If you see anything like that simply delete it.
Vishing
Vishing is short for voice phishing. This involves tricking someone into calling a phone number, listening to a recorded message, then being tricked into providing personal information to the phone service.
Why would someone want to set this up? To collect your personal information, such as credit card number, its expiry date, your date of birth, PIN codes, etc. That information is then either sold on the black market or used by the scammers to steal or spend your money (this is also called identity theft).
Setting up an automated phone system like the ones described here is fairly easy these days, and fairly cheap.
Do people fall for it? Oddly enough, yes. Hopefully by now everyone’s getting the message not to trust strange web sites on the internet. But less obvious methods such as automated phone services are easily forgotten.
Anti virus software can’t stop you making a phone call. And people can be more trusting of “old fashioned” technology such as phones.
How does it work in practice? Here’s a summary of a recent vishing attempt.
- Emails are sent in bulk to as many people as possible.
- The emails have forged headers to appear to come from service@irs.gov
- The email contains an important looking message. Note that it doesn’t have any links to click on, instead it gives a phone number.
- Internal Revenue Service Tax Refund
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $215.
Tax Refund Number: <number here> - Will Expire on <date here>
Attention!
Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.
To receive your tax refund please call the IRS Tax Refund Department at: 602-427-59x
Internal Revenue Service
Tips to avoid this scam:
- A good anti virus package will detect fraudulent emails such as the one above and filter them out, so invest in one if you haven’t already.
- In a company (small or large) invest in mail filtering. This is usually not included in corporate anti virus software.
- Think carefully why you received this email. Did you really submit a tax return recently, and in the country the email says it’s from? (e.g., if you live in USA and receive an email offering a tax refund from Australia, it’s most probably a scam).
- Does your country’s tax department even have your email address? If you didn’t give it to them then why are you receiving this email?
- Don’t blindly dial the number shown in the email. Look them up in your local phone book.
This isn’t limited to tax refunds. Other vishing variations may appear to be from banks or other financial institutions.
Another variation of this scam is to send people an SMS instead of an email, with a shorter version of the message above. Treat SMS messages like you would treat emails. Note: it’s also easy to forge SMS messages to appear to come from other people.
Automated voice systems can also initiate phone calls with fake caller IDs. The technology’s easily available. VoIP systems are even easier to set up.
The potential to trick people into handing over personal details is just as easy using phones as it is using emails and web pages.
Protect Your Tax File Number
In Australia your Tax File Number (TFN) is used by the Australian Tax Office to identify you. It could be used against you by other people to commit identity theft and fraud so you should take measures to ensure its security. Below are some tips to help you with this:
- Don’t give it out to just anyone who asks - it’s confidential. See the list below.
- There have been bogus job ads on the internet and in newspapers that ask people to provide quite detailed personal information including tax file numbers. Don’t provide any of this information until you’ve met the potential employer at their office and confirmed their validity.
- Don’t carry your Tax File Number in your wallet or mobile phone
- Securely destroy any mail you receive from the Tax Office showing this number
- Only use tax agents that are registered on the Tax Agents Board, http://www.tabd.gov.au/
The following are allowed to request your Tax File Number:
- the Tax Office
- employers
- banks & other financial institutions
- tax agents
- Centrelink
- superannuation funds
False Adwords Emails
Some people have been receiving emails that appear to come from Google AdWords. The email has a long story about your account being suspended and gives you a link to reactivate it.
At first glance the link to Google Adwords seems genuine but instead it takes you to a fake web site that looks exactly like Google Adwords. It lets you type in your username and password, sends them to the person who set up this fake site, then takes you to the login page of the real Google Adwords site.
This is a common phishing email targeting Google Adwords customers.
Usually to identify real links from fake malicious links put the mouse pointer over the link and wait a second. Most email clients will show you the true destination either in a yellow tool-tip or at the bottom of the window.
I checked my spam folder and found one of these emails, let’s have a close look at it:
The sender looks legitimate. Look at the part in the angled brackets, adwords-noreply@google.com. Technically the sender’s name & email address are trivial to forge. This email didn’t really originate from Google.
Now at the end of the email is a link to http://adwords.google.com/select/login. At first glance this looks innocent. What everyone should get into the habit of doing is putting the mouse pointer over the link (without clicking) and looking at the bottom of the screen to see where it really points to.
Let’s have a look at where this link would really take you:
It says: http://adwrods.google.select.ncjd43.cn (NOTE: don’t try visiting this site).
This is not Google’s site. It’s hosted on ncjd32.cn (always look at the last 2 parts of the URL, as explained in our earlier article). CN stands for China, so this fake site was registered in China - something that should make you suspicious of this link. Also note they spelt adwords wrong (adwrods). The word Google in this link doesn’t have anything to do with the real Google, it’s only here to trick casual readers.
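The two rules above, the Skype one (the part after // and before the first / must match exactly) and the “last two parts of the address” one, as an added example that is not code from the original articles. The trusted hosts are the two the articles name; the sample links are constructed, and the edit-distance check for hosts that are “just a few letters different” is an assumption of this example, not something the articles describe.

```python
from urllib.parse import urlsplit

# Genuine hosts named in the articles above. The sample links further down are
# constructed for illustration.
TRUSTED_HOSTS = ("secure.skype.com", "adwords.google.com")

def host_of(url):
    """The part after '//' and before the first '/': the host the browser will contact.
    urlsplit() drops any user:password@ prefix and :port, and lower-cases the name."""
    return (urlsplit(url).hostname or "").lower()

def is_genuine_skype_login(url):
    """The Skype rule: the host must equal secure.skype.com exactly; the path may be anything."""
    return host_of(url) == "secure.skype.com"

def registered_site(url):
    """The 'last two parts' rule from the AdWords article:
    adwrods.google.select.ncjd43.cn -> ncjd43.cn. Everything to the left is chosen
    freely by whoever controls that site. (Caveat: under registries such as .co.uk
    the last *three* labels identify the site, so this rule is only a rough guide.)"""
    return ".".join(host_of(url).split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch hosts that are 'just a few letters different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted_hosts=TRUSTED_HOSTS):
    """'genuine' if the host exactly matches a trusted host; 'lookalike of X' if it
    borrows a trusted brand label or is within two edits of a trusted host; else 'unrelated'."""
    host = host_of(url)
    if host in trusted_hosts:
        return "genuine"
    host_labels = set(host.split("."))
    for trusted in trusted_hosts:
        brand_labels = set(trusted.split(".")[:-1])  # e.g. {'secure', 'skype'}; the TLD is not a brand
        if host_labels & brand_labels or edit_distance(host, trusted) <= 2:
            return "lookalike of " + trusted
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links modelled on the two articles above.
    for link in (
        "https://secure.skype.com/account/login?return=home",   # genuine: exact host match
        "https://secure.skype.com.example-phish.net/login",     # real name is only the *start* of the host
        "https://secure-skype.com/login",                       # the dot is in the wrong place
        "http://adwrods.google.select.ncjd43.cn/select/login",  # the AdWords example from the article
        "https://example.org/news",
    ):
        print(f"{link}\n  host={host_of(link)}  site={registered_site(link)}  -> {classify_link(link)}")
```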
So there you have it, an example on how to spot a phishing email.
A good virus & spam filtering system will filter out most of these phishing emails.
Note: Google Adwords is an advertising service run by Google. Go to Google’s site and type in adwords to find the real site.
Identity Theft Using LimeWire
Here’s an interesting story that hopefully raises your awareness of identity theft.
Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.
Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they have nothing to lose, that documents should be free and shared. Whatever the reason documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.
Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.
In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.
3.6 Million People
Gartner is a well recognised research company. They’ve recently added up the numbers and come up with 3.6 million adults that lost money in 2007 due to phishing scams. In 2006 the figure was 2.3 million.
That’s a lot of people being conned and losing money online. According to this report it adds up to US$3.2 billion in USA alone.
Some tips you might find useful to avoid being one of these 3.6 million people:
- Never hand over personal details to people or web sites, unless you’re 100% certain of who you’re handing the details to.
- Pay attention to web addresses you click on. Read our article on this here.
- If you didn’t ask your bank or other service provider to send you an email then treat it as suspicious.
- Scammers always take advantage of popular events to send phishing emails. E.g., it’s now Easter so expect lots of Easter related scam emails.
- Be skeptical of what you read online. Chances are you didn’t really win a lottery in Spain without even buying a ticket.
- Use a good antivirus package that includes a web site scanner. The newer packages filter out fraudulent pages.
G-Archiver Password Theft
G-Archiver is an archival tool for Gmail. It lets you backup your Gmail emails to your computer. It’s been discovered that it also has a darker purpose.
G-Archiver costs US$29.95, and it does what it claims. To use it you enter your Gmail username and password, and it downloads emails to your computer as a backup.
Unfortunately the program has also been sending people’s usernames and passwords to the program’s creator (identified as John Terry).
If you’ve used G-Archiver before then uninstall it and change your Gmail password.
PayPal Phishing
There’s a new phishing attack targeting PayPal customers. It begins with an email like the following:
Subject: PayPal Account Review Department
Dear PayPal customer,
We recently reviewed your account, and we suspect an unauthorized transaction on your account
Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.
Paypal features. To ensure that your account is not compromised, simply hit “Resolution Center” to confirm your identity as member of Paypel.
- Login to your Paypal with your Paypal username and password.
- Confirm your identity as a card member of Paypal
Please confirm account information by clicking here Resolution Center and complete the “Steps to Remove Limitations.”
All typos and grammatical errors are from the original email.
If someone were to click on the link provided in the email they would be taken to a hacked copy of PayPal’s site and they’d be asked to provide their bank’s name, ATM PIN code, mother’s maiden name, birth date, and social security number. All very personal information that the real PayPal doesn’t need.
So avoid traps like these by never giving out sensitive information like the above, not trusting emails you didn’t ask for, and most of all use a good antivirus package that also scans web sites for attacks such as this. Also have a look at the new version of Haute we discussed recently, available for free.
There are thousands of phishing emails such as this and over time the quality of them gets better, such as the tax scams we wrote about earlier (Australian version here, US version here) and the student phishing attack last month.
Fraudulent eBay Bid
Imagine someone steals your eBay password and bids $3,002,500 on an item on eBay? That’s what happened last week to someone only identified as jopsoup.
His password was stolen while he was at an internet cafe and it was used to make a bid on a record collection.
The matter’s been cleared up by eBay because it was of such a large amount. For smaller items it might not end so well. Always be cautious when using other people’s computers, especially public computers at internet cafes or at hotels.
(Full article here)
Has your email been hacked?
If you suspect someone else is reading your emails you normally change your password immediately and figure out how they were able to access your account.
If you’re curious then the following information could interest you.
There’s a free online service called OneStatFree that can be used as a tripwire to detect access to your emails. It will tell you the time and day your email was opened (by someone other than you), the country it was accessed from, the IP address and possibly more information (such as city) depending on the actual network used.
The way it works is you create a special email and send it to yourself. You never open this email yourself and if someone else does it will instantly send some information to the OneStatFree service, which you then check at a later date.
Full instructions are provided here, it should be fairly easy for most people to follow.
Just keep in mind that if someone is indeed reading your emails this trick won’t stop them. So think carefully if you want to continue compromising your email while you investigate the culprit, or take immediate action and change your password.
Fraud Statistics
The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much worse.
The top 20 complaint categories were:
Rank  Category                                          Complaints
   1  Identity Theft                                       258,427
   2  Shop-at-Home/Catalog Sales                            62,811
   3  Internet Services                                     42,266
   4  Foreign Money Offers                                  32,868
   5  Prizes/Sweepstakes and Lotteries                      32,162
   6  Computer Equipment and Software                       27,036
   7  Internet Auctions                                     24,376
   8  Health Care Claims                                    16,097
   9  Travel, Vacations, and Timeshares                     14,903
  10  Advance-Fee Loans and Credit Protection/Repair        14,342
  11  Investments                                           13,705
  12  Magazines and Buyers Clubs                            12,970
  13  Business Opportunities and Work-at-Home Plans         11,362
  14  Real Estate (Not Timeshares)                           9,475
  15  Office Supplies and Services                           9,211
  16  Telephone Services                                     8,155
  17  Employ. Agencies/Job Counsel/Overseas Work             5,932
  18  Debt Management/Credit Counseling                      3,442
  19  Multi-Level Mktg./Pyramids/Chain Letters               3,092
  20  Charitable Solicitations                               1,843
That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.
Tax Refund Scams Have Reached Australia
The tax refund scam mentioned a few days ago now comes in an Australian version. It’s the same email and same scam but customised to look like the Australian Tax Office (ATO). They even make a fake website that copies the ATO’s website.
The scam involves asking people for their credit card number, expiry date, security code, and other personal details.

Spear Phishing - Targeting Students
Spear phishing is a term referring to targeted attacks on organisations to collect personal details. This latest warning will explain:
Students and staff at a few colleges and universities in the US have been receiving emails that appear to come from their system administrators. The emails state that a database is being updated and asks users to provide their username, password, and date of birth.
The schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame.
This information is collected by the people who sent the emails and used to compromise their accounts.
Be very suspicious of emails asking you to provide any personal details, especially if you didn’t request the email. And pay particular attention to which website the email links to - it’s a common tactic to use a similar sounding address that contains a typo (something that the human mind sometimes ignores).
Update: Australian universities have also been targeted in this attack.
Fake IRS Tax Refunds
Emails are being sent claiming to be from USA’s IRS department. They claim to offer a $375 refund for filling out a form. The form is hosted on a hacked web site, not on the IRS’s web site. The form asks for a large amount of personal information including credit card numbers and PIN numbers. This information is collected (a trick known as phishing) and later used to commit identity theft (and effectively stealing your money).
When doing any taxes online please ensure the website is correct. See this earlier article on how to recognise deceptive domain names (URLs) and check for SSL certificates on the page (double click on the padlock icon in Internet Explorer, read who owns the site).
Good antivirus packages these days will also keep track of which web sites you go to and alert you if it’s a known fraud site. So it’s a good investment to purchase one.