This scam has appeared on Twitter recently. There are a few minor variations but they all seem to work the same. It starts with a Twitter message saying,

I will follow back if you follow me

There’s a link at the end of the message that goes to a web page. On this page are two signup options, one free and a paid one called VIP.

The free one asks for your  Twitter username and password. It then asks prompts Twitter to grant you access to your account. You should not enter these details into any untrusted service.

Once they have your account password they send spam using your Twitter account, sending them to this same web site.

The VIP service is just as bad. It asks for your credit card details and Twitter account details, promising hundreds of Twitter followers. People who fall for this also end up sending spam from their own account, with the added risk of losing money.

Please help stop this scam by letting people know about it.

Twitterbuilding (dot com) is a web site that promises a few Twitter features. It’s a fake site. It steals people’s Twitter account details. Do not use the Twitterbuilding site.

McAfee, a large anti-virus company, has published a report called “Inside the Password Stealing Business: the Who and How of Identity Theft”. It goes into the details of password stealing programs and explains the “industry” driving it.

It’s quite detailed and at 17 pages it won’t take too long to read – it’s not very technical.

Password stealing is when a program gets installed on your PC that catches every stroke of your keyboard and sends it back to a criminal. The idea is that it’ll record all your passwords as you type them, no matter how strong they are. It’s a sophisticated piece of technology and a very large problem worldwide. If you’re not constantly upgrading your anti-virus software, web browser and OS then you’re at high risk.

These passwords are then sold off and used to steal money from your bank account or to commit other crimes. Even if you don’t use online banking you still have something to lose – someone can apply for a credit card under your name and use it to make expensive purchases, then you’re left to deal with the credit card company and convince them it wasn’t you (this happens every day).

So click on this link and have a read of the report.

Accounts are often hacked, including Facebook accounts. Too many times people fall for scam emails telling them to (urgently) click on a link and type in their password. Too many times people don’t know how to tell the difference between the real Facebook login page and one made by a scammer (read here for some hints).

And when an account does become compromised and hacked, the scammers usually use it to send out spam. Then it can be difficult for people like you to get that account back.

Facebook has given this problem some thought and added a way to recover a compromised account. They will send you an email and ask you to verify your account. Then on their web site they’ll ask you some security questions and ask you to change your password.

There’s more info here.

Today I received from someone claiming to be from Vodafone (a local phone company), offering me a new phone and new plan. Fair enough, I’m a Vodafone customer and my contract’s close to renewal.

But things turned ugly when the person on the phone asked for my account password, so that he could verify he’s talking to the right person. I refused.

I explained that I received an unsolicited call, I don’t know who I’m really speaking to, and that I’m not prepared to give a random stranger my account password.

He’s probably heard this several times so he said he understands, and I could give a few other personal details instead. I refused again. Confused, he put me onto his team leader, or at least someone claiming to be his team leader – I have no way of knowing who I’m speaking to. If I had been the one to initiate the call then I know I’m speaking to the right company. If I receive a call then I don’t know. There’s a fundamental difference here.

The team leader tried to explain they need to confirm who they’re speaking to. She claimed to understand my position, but wouldn’t change her argument. I continued refusing to give my password to a random stranger just so I can hear about new phones.

So we agreed to end the conversation. I wrote Vodafone a complaint using their website, explaining the situation. I’m not sure if the complaint went through because their web page took me to an answer’s and questions page after I’d typed everything out.

It’s not completely the cold-calling people’s fault, they’re doing what they’re paid to do. It’s Vodafone’s problem that they came up with this procedure. They’re giving their customers an expectation that it’s normal for strangers to call them and ask for their passwords.

And if you haven’t worked out the problem yet, look at it this way. I now know that Vodafone customers must be used to receiving unsolicited calls and giving out their passwords. So if I call 20 random people in Australia, chances are at least one will be a Vodafone customer. I just have to say I can offer them a new phone plan if they can give me their password. Then I can call up Vodafone, confirm my identity using that password, change my mailing address, and order a new phone and ask for it to be sent to my residence. I wouldn’t actually do it this way but you get the idea. It’s called identity theft.

I’ve written about the same problem before in 2007, it seems nothing’s changed in the past 2 years.

Yesterday a web site published a hack for Facebook that lets anyone read anyone’s profile. It was possible to read details such as location, gender, relationship status, political views, religious views, etc. It didn’t matter what privacy settings people had set, this hack made it all visible.

Today Facebook have acknowledged the problem and fixed it.

This is a good reminder that when you publish information online, you lose some control over it. If something is so private that you can’t risk others seeing it then don’t publish it.

You can read more about the exploit here.

The email below suggests you can receive $20k from the US government. They ask you to send an email with your personal details. These type of scams then ask you for more details.

Your details are then used for fraudulent activities, under your name (this is called identity theft). It’s also common for the scammer to start asking you for money – there’s usually an excuse that they need to pay lawyers or some other convoluted story.

Below is the scam email, if you see this just delete it:

Hello

Secure $20k in Govt Grants and you never need to pay it back.

All American residents can apply for Govt Grants.

Allotment of grants doesnt depend on your credit history.

The strength of our firm is grants writing.We’re doing business since 1999 and we have helped around 20,000 people obtain grants.

Our company is taking fees of 10% only after our clients receive funds from Govt.There’s no risk for you at all.You’re paying our fees only when you’ve received grant money in your bank account.

Send us details including first name, last name, address, profession, date of birth, annual income, reason for govt grant.

grantswriting27@mail.com
Reply back to this email.

Regards

Johnathon Hodge

Twitter is the biggest internet craze since Facebook, there are currently an estimated 6 million people using it.

A few days ago Twitter users were asked to take part in a “game” called #twitterpornnames. How does it work? You’re supposed to announce a made-up name along with the hash tag and share it. The formula provided to create your name just happens to match some very common security questions to help people reset their passwords. Pet’s name. First teacher. Street you grew up on.

So when people started participating they were in fact sharing the same information used by web sites to reset passwords. It’s called social engineering. It tricked people into revealing sensitive information. And the nature of Twitter is that people share information and click on links without much thought (is this a Gen-Y thing?)

If you use Twitter and see these sort of “games” going around, don’t share private sensitive data so easily. This same data can be used to hack into your accounts.

Passports these days have a small chip inside called an RFID. Governments who issue these passports say they’re secure and safe to use. And for years hackers have been saying they’re not secure. So who’s right?

Chris Paget, a white hat hacker (the good kind of hacker), recently did an experiment to see how many passports he could copy using some very simple tools. His aim was to see if he could read the RFID inside someone’s passport. The results?

In 20 minutes he managed to find 2 people carrying a new RFID passport, and was able to copy the contents of the RFID chip.

He did this from his car while driving around San Francisco. The people carrying the passports have no idea this happened. There’s no way for them to know. He made a video of his experiment that you can watch here:

(If the video above doesn’t play click here)

So what can we learn from this?

• The RFID chip inside passports are not secure
• The RFID chip inside passports can be copied from a distance

What can you do?

• If your governments wants to tag people using RFID, e.g. by embedding RFID chips in drivers licenses, be aware of the ramifications.
• It’s technically possible to shield your RFID passport by using a metal film. Some companies have started selling passport wallets that can block radio signals, stopping people reading the chip remotely.

Below are some passport wallets that can shield RFID signals (Click here to view in a full page)

The FIFA World Cup is scheduled for 2010 in South Africa and scammers have already started using this news to trick people into giving out their personal details.

A new scam email is sent to people telling them they won a lottery. The email is full of interesting things to catch people’s attention such as a large dollar amount ($850,000) and social tricks such as asking them not to tell anyone about their winnings.

At the end they ask the recipient to send them a few personal details, which the scammers then use to steal money from your bank accounts.

The email uses broken English and is full of "official looking" random letters and numbers.

Below are some quotes from the scam email. If you receive this email just delete it.

South Africa FIFA World Cup 2010
Government Accredited Licensed!!
Online National Lottery South African
2009/REF:EAASL/941OYI/04&
Batch: 12/25/DC34 RE:LOTTO

Your email have luckily won the sum of USD$850,000.00

Which subsequently won you the lottery in the 2nd category i.e. match 5 plus bonus. You have therefore been approved to claim a total sum of $850,000.00 USD… In cash credited to file KPC/9080118308/02. All participants for the online version were selected randomly from World Wide Web sites through computer draw system and extracted from over 100,000 union associations and corporate bodies that are listed online this promotion takes place weekly.

Our agent will immediately commence the process to facilitate the release of your funds as soon as you contact him. For security reasons, you are advised to keep your winning information confidential till your claims is processed and your money remitted to you in whatever manner you deem fit to claim your prize. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program your request to fill the information below.

And it goes on and on.

Some people who fall for these things have never entered a lottery, but they want to believe it so much that they don’t stop to consider why they were selected.

Now you might be wondering who could possibly be so foolish to fall for lottery scams. In fact, a large number of people fall for these things. In Australia alone (and with a small population of 21 million) 329,000 people lost money to lottery and phishing scams in one year. 3.6 million people fell for these scams in USA. Imagine how many people worldwide fall for these things.

Not everyone in the world reads Fraudo.com. You can help by talking to people about lottery scams, making them aware of what they are and how they work (there’s more information here). Help educate people, especially those who are less tech savvy or might be desperate for money. You could also help them subscribe to Fraudo.com – get them to enter their email address in the top right corner of this page, sometimes email is an easier way to receive these updates.

hi5 is a social network, much like Facebook or Myspace. A fake email has been going around pretending to be from someone called "Sarah xxx" (the name could change), and asking the reader to add them as a friend. The message says:

hi5 Friend Request from Sarah xxx

Hi,

I’d like to add you to my hi5 friends network. You have to confirm that we are friends, and we’ll each get to meet more people. Please approve or reject my request by accessing the hi5 web site:

Accept Friend

Thanks,

Adelina

This seems real enough but there’s one serious flaw. They include a link you can click on (where it says "Accept Friend"). Clicking on this link doesn’t take you to hi5′s web site, instead it takes you to a phishing site.

Assuming you had a hi5 account, when you enter your login details into the fake hi5 login page the system records your username and password and shares it with the criminals running this site.

Like all phishing sites, it’s just a fake page designed to steal your password.

What can you do?

• If you use hi5 or any other social network, when you receive a notification email you can go their web page yourself, without clicking on the links in the email. In other words, open a web browser and type in the name of the web site (or use a bookmark).
• When you see a link in an email, place the mouse pointer over it for a couple of seconds. Most email clients will display the real address it points to. Of course it helps to have a bit of experience recognising real addresses from fake ones – read this FraudO article to learn more.
• Use a good anti-virus package. The big commercial packages scan your emails for fake emails like this one and filter them out. They also scan the address of every web page you go to and if it’s known to be a scam they’re filtered out too.
• And if you don’t know anyone called "Sarah xxx" who signs her name as "Adelina" then you can just ignore the email entirely.

One of the best things you can do to avoid falling victim to malware is to use an alternative browser.

Microsoft’s Internet Explorer (IE) is very popular. Not long ago almost everyone used IE, it comes setup with almost every new PC sold (Windows PCs). And malware writers targeted IE because they could attack a majority of users just by concentrating on exploiting one browser. You could call it tall poppy syndrome.

Today Firefox is extremely popular. It’s gone from a small minority of people using it to an amazing 44% (depending on which statistics you read – I used this one). This makes for a fairly large demographic, and malware writers are taking notice.

There’s a new trojan that hides in a Firefox add-on. Once installed it waits for you to go to an online banking site. When it detects that you’re using online banking it starts recording your actions (account details, your password). Then it sends this off to cyber criminals who auction off your details and eventually someone can log into your online banking and transfer money. This isn’t good.

There are a few things you can do to avoid this:

• If you want to install an add-on for Firefox, make sure you get it from a well known site. This is the official Mozilla site for Firefox add-ons: https://addons.mozilla.org/en-US/firefox/
• Use a good anti-virus package (it’s a small investment you make to protect your PC). Make sure it’s kept up to date.
• Once a web browser becomes too popular it’s time to start looking at less mainstream alternatives. At the moment you should consider Opera, Safari and Chrome (these are available for all the popular platforms)

In summary, Firefox is a very secure browser. It’s also fast and powerful, explaining why it’s become so popular. You just shouldn’t take its security for granted. Most malware infections happen when users are tricked into clicking something they shouldn’t have.

A flaw in a beta version of Facebook made it possible to see member birth dates, even those set to hide this information. Birth dates are often used to confirm someone’s identity. By having a full name and birth date it’s possible to phone up companies and ask for more private information (this is called Identity Theft).

Facebook has already fixed the flaw. However it’s a good reminder that any private information you enter into a social network such as Facebook could some day be read by someone not meant to read it.

If something is important enough to be private then don’t enter it into someone else’s system without thinking through the potential consequences.

You can view a video of how this flaw works here.

Skype has issued a warning that people have been receiving emails that appear to be from Skype. When a user clicks on a link in the email, they’re taken to a login page that looks like Skype’s website (but in fact it’s operated by someone else). When you enter your username and password, they’re sent to someone who will then use them for some malicious purpose.

How can you tell a real Skype login page from a fake one?

According to Skype the only page that they will ask you for login details is:

https://secure.skype.com/…(anything else is ok here)…

If you’re about to enter your Skype details into a website that doesn’t exactly match the above then it’s probably fake. What if it’s just a few letters different? What if the dot’s in the wrong place?

The part after the // and before the first / needs to be an exact match. I’ve made this bold just to make it as clear as possible. The part at the end is ok.

Below is a copy of one of these Skype phishing emails. I’ve copied the contents here to help Google index this page. When you receive suspicious emails it’s a good idea to copy and paste a few lines into Google. You’ll soon be able to tell if it’s a known fake email or real.

Account blocked

Hello!

We have to notice that your account is suspended because Skype major Terms are being changed.
To re-activate your account you need to agree with the new Terms here:

Follow this link to re-activate: ACTIVATE

after that, your account will be automatically re-activated.

Thank You!

Skype Administration

The word ACTIVATE has a link that goes to the fake Skype login page. In most email clients, if you hold the mouse pointer over the link you can see the real destination. If it’s not like the one shown at the top of this article then it’s fake. See this screenshot of the fake one:

Here’s a new spin in phishing attacks. The idea is to trick people into providing confidential data. This new technique is aimed at Gmail users. Here’s how it works:

• An email arrives in your Gmail inbox. It’s a genuine email addressed to you so Gmail won’t filter it out.
• The email was sent by someone called "customer care". This is enough to get most people’s attention.
• The email is well laid out with a link to your Gmail calendar. This is pretty special as far as spam goes. How did they get a valid link to a calendar entry in there? (Spammers found a way to place calendar entries in other people’s Gmail calendar).
• The email says:

VERIFY YOUR ACCOUNT (…)

This Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email to so that you can verify and let us know if you still want to use this account. (…)

You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 24 hours for security reasons.

* Username:

* Password:

It’s an attempt to get you to provide your username and password. If you see anything like that simply delete it.

Vishing is short for voice phishing. This involves tricking someone into calling a phone number, listening to a recorded message, then being tricked into providing personal information to the phone service.

Why would someone want to set this up? To collect your personal information, such as credit card number, its expiry date, your date of birth, PIN codes, etc. That information is then either sold on the black market or used by the scammers to steal or spend your money (this is also called identity theft).

Setting up an automated phone system like the ones described here is fairly easy these days, and fairly cheap.

Do people fall for it? Oddly enough, yes. Hopefully by now everyone’s getting the message not to trust strange web sites on the internet. But less obvious methods such as automated phone services are easily forgotten.

Anti virus software can’t stop you making a phone call. And people can be more trusting of “old fashioned” technology such as phones.

How does it work in practice? Here’s a summary of a recent vishing attempt.

1. Emails are sent in bulk to as many people as possible.
2. The emails have forged headers to appear to come from service@irs.gov
3. The email contains an important looking message. Note that it doesn’t have any links to click on, instead it gives a phone number.

1. Internal Revenue Service Tax Refund

   After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $215.

   Tax Refund Number: <number here> – Will Expire on <date here>

   Attention!

   Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

   To receive your tax refund please call the IRS Tax Refund Department at: 602-427-59x

   Internal Revenue Service

Tips to avoid this scam:

• A good anti virus package will detect fraudulent emails such as the one above and filter them out, so invest in one if you haven’t already.
• In a company (small or large) invest in mail filtering. This is usually not included in corporate anti virus software.
• Think carefully why you received this email. Did you really lodge a tax submit a tax return recently, and in the country the email says it’s from? (e.g., if you live in USA and receive an email offering a tax refund from Australia, it’s most probably a scam).
• Does your country’s tax department even have your email address? If you didn’t give it to them then why are you receiving this email?
• Don’t blindly dial the number shown in the email. Look them up in your local phone book.

This isn’t limited to tax refunds. Other vishing variations may appear to be from banks or other financial institutions.

Another variation of this scam is to send people an SMS instead of an email, with a shorter version of the message above. Treat SMS’s like you would treat emails. Note: it’s also easy to forge SMS’s to appear to come from other people.

Automated voice systems can also initiate phone calls with fake caller IDs. The technology’s easily available. VoIP systems are even easier to set up.

The potential to trick people into handing over personal details is just as easy using phones as it is using emails and web pages.

In Australia your Tax File Number (TFN) is used by the Australian Tax Office to identify you. It could be used against you by other people to commit identity theft and fraud so you should take measures to ensure its security. Below are some tips to help you with this:

• Don’t give it out to just anyone else who asks – it’s confidential. See the list below.
• There have been bogus job ads on the internet and in newspapers that ask people to provide quite detailed personal information including tax file numbers. Don’t provide any of this information until you’ve met the potential employer at their office and confirmed their validity.
• Don’t carry your Tax File Number in your wallet or mobile phone
• Securely destroy any mail you receive from the Tax Office showing this number
• Only use tax agents that are registered on the Tax Agents Board, http://www.tabd.gov.au/

The following are allowed to request your Tax File Number:

• the Tax Office
• employers
• banks & other financial institutions
• tax agents
• Centrelink
• superannuation funds

Some people have been receiving emails that appear to come from Google AdWords. The email has a long story about your account being suspended and gives you a link to reactivate it.

At first glance the link  to Google Adwords seems genuine but instead it takes you to a fake web site that looks exactly like Google Adwords. It lets you type in your username and password, sends it to the person who setup this fake site, then takes you to the login page of the real Google Adwords site.

This is a common phishing email targeting Google Adwords customers.

Usually to identify real links from fake malicious links put the mouse pointer over the link and wait a second. Most email clients will show you the true destination either in a yellow tool-tip or at the bottom of the window.

I checked my spam folder and found one of these emails, let’s have a close look at it:

The sender looks legitimate. Look at the part in the angled brackets, adwords-noreply@google.com. Technically the sender’s name & email is trivial to forge. This email didn’t really originate from Google.

Now at the end of the email is a link to http://adwords.google.com/select/login. At first glance this look innocent. What everyone should get into the habit of doing is putting the mouse pointer over the link (without clicking) and looking at the bottom of the screen to see where it really points to.

Let’s have a look at where this link would really take you:

It’s says: http://adwrods.google.select.ncjd43.cn (NOTE: don’t try visiting this site).

This is not Google’s site. It’s hosted on ncjd32.cn (always look at the last 2 parts of the URL, as explained in our earlier article). CN stands for China, so this fake site was registered in China – something that should make you suspicious of this link. Also note they spelt adwords wrong (adwrods). The word Google in this link doesn’t have anything to do with the real Google, it’s only here to trick casual readers.

So there you have it, an example on how to spot a phishing email.

A good virus & spam filtering system will filter out most of these phishing emails.

Note: Google Adwords is an advertising service run by Google. Go to Google’s site and type in adwords to find the real site.

Here’s an interesting story that hopefully raises your awareness of identity theft.

Gregory Kopiloff, from Seattle USA, has pleaded guilty to a number of fraud related crimes and has been jailed for 4 years. He used LimeWire to download tax and credit reports, bank statements and student financial aid applications that people had made available using this P2P system.

Why would anyone put sensitive documents on a file sharing program for everyone to see? Maybe the people who put these files up thought they have nothing to lose, that documents should be free and shared. Whatever the reason documents like these are sensitive and should not be shared, especially through anonymous file sharing programs like LimeWire.

Gregory used this information, as well as dumpster diving and mail theft, to commit identity theft. He obtained credit cards and debit cards under these people’s names and used them to spend US$73,000 in online purchases.

In this case it’s not the technology that’s at fault, it’s the misconceived value placed on financial documents by regular people.

Gartner is a well recognised research company. They’ve recently added up the numbers and come up with 3.6 million adults that lost money in 2007 due to phishing scams. In 2006 the figure was 2.3 million.

That’s a lot of people being conned and losing money online. According to this report it adds up to US$3.2 billion in USA alone.

Some tips you might find useful to avoid being of of these 3.6 million people:

• Never hand over personal details to people or web sites, unless you’re 100% certain of who you’re handing the details to.
• Pay attention to web addresses you click on. Read our article on this here.
• If you didn’t ask your bank or other service provider to send you an email then treat it as suspicious.
• Scammers always take advantage of popular events to send phishing emails. E.g., it’s now Easter so expect lots of Easter related scam emails.
• Be skeptical of what you read online. Chances are you didn’t really win a lottery in Spain without even buying a ticket.
• Use a good antivirus package that includes a web site scanner. The newer packages filter out fraudulent pages.

G-Archiver is an archival tool for Gmail. It lets you backup your Gmail emails to your computer. It’s been discovered that it also has a darker purpose.

G-Archiver costs US$29.95, and it does what it claims. To use it you enter your Gmail username and password, and it downloads emails to your computer as a backup.

Unfortunately the program has also been sending people’s usernames and password to the program’s creator (identified as John Terry).

If you’ve used G-Archiver before then uninstall it and change your Gmail password.

There’s a new phishing attack targeting PayPal customers. It begins with an email like the following:

Subject: PayPal Account Review Department

Dear PayPal customer,

We recently reviewed your account, and we suspect an unauthorized transaction on your account

Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.

Paypal features. To ensure that your account is not compromised, simply hit “Resolution Center” to confirm your identity as member of Paypel.

• Login to your Paypal with your Paypal username and password.
• Confirm your identity as a card member of Paypal

Please confirm account information by clicking here Resolution Center and complete the “Steps to Remove Limitations.”

All typos and grammatical errors are from the original email.

If someone was to click on the link provided in the email they would be taken to a hacked copy of PayPal’s site and they’d be asked to provide their bank’s name, ATM PIN code, mother’s maiden name, birth date,and social security number. All very personal information that the real PayPal doesn’t need.

So avoid traps like these by never giving out sensitive information like the above, not trusting emails you didn’t ask for, and most of all use a good antivirus package that also scans web sites for attacks such as this. Also have a look at the new version of Haute we discussed recently, available for free.

There are thousands of phishing emails such as this and over time the quality of them gets better, such as the tax scams we wrote about earlier (Australian version here, US version here) and the student phishing attack last month.

Imagine someone steals your eBay password and bids $3,002,500 on an item on eBay? That’s what happened last week to someone only identified as jopsoup.

His password was stolen while he was at an internet cafe and it was used to make a bid on a record collection.

The matter’s been cleared up by eBay because it was of such a large amount. For smaller items it might not end so well. Always be cautious when using other people’s computers, especially public computers at internet cafes or at hotels.

(Full article here)

If you suspect someone else is reading your emails you normally change your password immediately and figure out how they were able to access your account.

If you’re curious then the following information could interest you

There’s a free online service called OneStatFree that can be used as a tripwire to detect access to your emails. It will tell the time and day your email was opened (by someone other than you), the country it was access from, the IP address and possibly more information (such as city) depending on the actual network used.

The way it works is you create a special email and send it to yourself. You never open this email yourself and if someone else does it will instantly send some information to the OneStatFree service, which you then check at a later date.

Full instructions are provided here, it should be fairly easy for most people to follow.

Just keep in mind that if someone is indeed reading your emails this trick won’t stop them. So think carefully if you want to continue compromising your email while you investigate the culprit, or take immediate action and change your password.

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.

The top 20 complaint categories were:

Rank    Category    Complaints

1. Identity Theft    258,427
2. Shop-at-Home/Catalog Sales    62,811
3. Internet Services    42,266
4. Foreign Money Offers    32,868
5. Prizes/Sweepstakes and Lotteries    32,162
6. Computer Equipment and Software    27,036
7. Internet Auctions    24,376
8. Health Care Claims    16,097
9. Travel, Vacations, and Timeshares    14,903
10. Advance-Fee Loans and Credit Protection/Repair    14,342
11. Investments    13,705
12. Magazines and Buyers Clubs    12,970
13. Business Opportunities and Work-at-Home Plans    11,362
14. Real Estate (Not Timeshares)    9,475
15. Office Supplies and Services    9,211
16. Telephone Services    8,155
17. Employ. Agencies/Job Counsel/Overseas Work    5,932
18. Debt Management/Credit Counseling    3,442
19. Multi-Level Mktg./Pyramids/Chain Letters    3,092
20. Charitable Solicitations    1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.

The tax refund scam mentioned a few days ago now comes in an Australian version. It’s the same email and same scam but customised to look like the Australian Tax Office (ATO). They even make a fake website that copies the ATO’s website.

The scam involves asking people for their credit card number, expiry date, security code, and other personal details.

Spear phishing is a term referring to targeted attacks on organisations to collect personal details. This latest warning will explain:

Students and staff at a few colleges and universities in the US have been receiving emails that appear to come from their system administrators. The emails state that a database is being updated and asks users to provide their username, password, and date of birth.

The schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame.

This information is collected by the people who sent the emails and used to compromise their accounts.

Be very suspicious of emails asking you to provide any personal details, especially if you didn’t request the email. And pay particular attention to which website the email links to – it’s a common tactic to use a similar sounding address that contains a typo (something that the human mind sometimes ignores).

Update: Australian universities have also been targetting in this attack. 

Emails are being sent claiming to be from USA’s IRS department. They claim to offer a $375 refund for filling out a form. The form is hosted on a hacked web site, not on the IRS’s web site. The form asks for a large amount of personal information including credit card numbers and PIN numbers. This information is collected (a trick known as phishing) and later used to commit identity theft (and effectively stealing your money).

When doing any taxes online please ensure the website is correct. See this earlier article on how to recognise deceptive domain names (URLs) and check for SSL certificates on the page (double click on the padlock icon in Internet Explorer, read who owns the site).

Good antivirus packages these days will also keep track of which web sites you go to and alert you if it’s a known fraud site. So it’s a good investment to purchase one.

There’s another scam targeting World of Warcraft players. It starts with an email claiming that the recipient’s World of Warcraft account has been suspended. There’s a long explanation and a link to a website.

The website asks for a username and password. It then passes on the username and password to whoever wrote the email, it’s not a legitimate service.

This is called phishing. It works by tricking people into typing in their credentials onto a fake site.

These days good anti-virus packages can filter for these sites. You should also pay careful attention to the web page address. Read this explanation on how to identify false addresses (URLs).

Identity theft can happen in many ways. Before computers people just stole mail from letterboxes and documents from people’s wallets (watch the movie Catch Me If You Can for an example).

Then when the internet came along criminals starting tricking people into handing over personal details, or they employ hackers to write spyware that achieves the same result.

A new identity theft trend emerging in the world is coming from call centres. Staff working at call centres have access to the person details of a lot of customers, and since a lot of call centres have been outsourced to countries such as India, the Philippines, etc, companies are having a difficult time keeping things under control.

There’s an article here that mentions a few of the crimes happening in call centres. In summary:

• Using mobile phones to take screenshots
• Quickly copying people’s details into hidden books
• Using USB drives to copy data

Theft of personal information is serious. The information can be easily sold, especially if staff feel they’re underpaid (a likely situation for overseas call centres).

It’s good to remember that in this day and age your personal details can be known to many parties, there isn’t much that’s still personal or secret. Be selective in what information you give to companies. And as mentioned previously don’t give personal details to call centre staff when they call you (instead of you calling them).

Understanding URLs is extremely important in avoiding online scams. If there’s only one technical skill you need to know about the internet it’s this, and it will save you being caught out one day.

I’ve limited acronyms to just one (URL) to make it easier to understand.

URL. It doesn’t matter what the letters stand for, it means the address of the web page you go to. You get to see URLs in the top of your web browser. An example of a URL is:

www.fraudo.com

You probably see these every day, every page on the internet has one, and you see links for them every day. This is basically how the internet works.

The only other thing you’ll need to keep in mind for this article is that there are good web pages and bad ones – legitimate sites and scam sites created for various evil purposes.

Now we’ll explain how to recognise a good URL from a bad URL.

I’ve made up two names to demonstrate, and apologies in advance to anyone who’s real business name is similar to these (I googled the names and they came up blank so I’m fairly certain they aren’t real business names at the time of writing).

Let’s say a legitimate company is called SomeFancyBank, and that their legitimate website is www.somefancybank.com. It’s the good site. And imagine you have an account with them and a fair bit of money in there.

And let’s say there’s a fraudulent website registered as confusinglookingname.com. So this one is controlled by someone intent on stealing your money, it’s the bad site.

So if you get an email asking you to click on www.somefancybank.com/login.asp you’ll probably feel safe to do so.

If you see a link that looks a little like www.confusinglookingname.com/login.asp you’ll be surprised and you won’t click, it’s a fake website designed to look like the real bank’s site, only they capture your details.

What if the link is www.somefancybank.confusinglookingname.com ? You can see your favourite bank’s name in there so maybe it’s real… Read on, you’ll see why this is definitely illegitimate.

A URL can be broken down into three parts:

1. There’s the stuff at the beginning (often it’s www but doesn’t have to be). And it could be long and could include many dots.

2. Then there’s the domain name (e.g. somefancybank). It’s usually a company name or some other trademark, followed by a .com. There can only be one dot in this part.

3. Then there’s a / followed by a bunch of technical bits. We’re not covering this part in this article. It’s what comes before the / that’s important.

So there are three parts to a URL and we’re only concerned with the first two.

Let’s go straight to some examples (the important bits have been highlighted in bold):

• somefancybank.com/login.php – good
• abcde.somefancybank.com – good
• 123.somfancybank.com/123/456/789 – good
• abc.somefancybank.com/scaryletters/ – good
• confusinglookingname.com/login.php – bad
• 123.abc.zz45xy.confusinglookingname.com/some/fancy/bank – bad
• www.somefancybank.confusinglookingname.com – bad
• www.some.fancy.bank.confusinglookingname.com/somefancybank – bad
• important.clicknow.confusinglookingname.com/some/fancy.bank/login.asp – bad

I’m sure you’re starting to get the idea by now. Now for some trickier examples:

• www.somefancybank.com.au/login.php – bad
• www.somefancybank.com.login.confusinglookingname.com – bad

Let’s leave things simple and end it there.

Humans are good at recognising patterns, so when you see your favourite company name in the URL you might immediately think it’s legitimate. Scammers take advantage of this and deliberately make these links to trick people.

You’ll find these fake links in emails, other web pages, chat programs, etc. They’re everywhere so get used to recognising how they work and you’ll be a lot better off.

Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?

If you have a wireless network that isn’t well secured then:

• Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
• Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
• Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
• It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
• It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous

The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.

I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.

If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:

• It’s illegal in a lot of countries (people get arrested for this quite often)
• It’s effectively stealing. It isn’t a victimless crime
• You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords

So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.

A quick update about online crime.

In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.

And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.

Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.

Some lessons to be learnt are:

• There are a very large number of online criminals doing everything they can to try and steal your money
• Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
• Keep in mind that your personal details are not all that private anymore

It’s amazing how many new tactics these people come up with in order to steal your personal information. There’s a new “bot” that chats with users on Russian online chat rooms (a bot is a program that mimics a real person online). It’s called CyberLover and apparently it’s quite clever in impersonating a human and gets people talking to it.

During a test it was found that the CyberLover chat bot got 10 real people to have conversations with it, in only 30 minutes. During this conversation it tricked people into providing their real names, contact information and photos. This is all private data, provided to the chatbot.

The darker side of this clever piece of software is that the bot is run by hackers intent on committing identity theft. Personal information like this is regularly sold on an online black market, and then used to commit fraud, such as opening credit card accounts in your name. Serious crimes indeed.

CyberLover is an interesting piece because it has different levels of its personality, and they’re mostly of a sexual nature. This type of conversation seems to get people’s attention more easily making it easier to manipulate them into providing personal information (called Social Engineering).

At the moment this is all in Russian however it won’t be long until it appears in other languages including English.

Wireless keyboards can be intercepted, very easily. This is something you should be aware of not only when purchasing new equipment but when using someone else’s computer. There’s no real defence against it either, other than using a wired keyboard.

Before I explain the risks let me point out which keyboards it does and doesn’t affect:

• All keyboards using a 27MHz transmitter are at risk (which includes most of them)
• Keyboards that advertise "wireless encryption" or "secure" features are also at risk
• Bluetooth keyboards are safer (though these are generally more expensive)

The risks of such an "attack" should be obvious – other people within range could be recording every keystroke. This includes the address of websites you go to, usernames, passwords, the contents of emails, chat conversations, etc.

In a business environment this would be a critical breach of security. Giving away passwords, trade secrets, and other sensitive information is quite serious, and in a lot of cases criminally irresponsible. Wireless keyboards that fall into the "at risk" categories above should be banned.

At home the risks are just as serious. Anyone using a home computer to do internet banking should immediately recognise the dangers of giving away too much information (i.e. finding a large amount of money removed from your bank account). Again, either use a wired keyboard at home, a Bluetooth wireless keyboard (expensive), or limit the keyboard & computer’s use to trivial tasks such as gaming.

How does the attack work?

Well, it seems there are only 256 possible encryption codes, so hackers have cleverly written software that tries them all within seconds. Then there are other tricks they use to break the encryption that some keyboards use (for the IT savvy reader, it’s an XOR protocol).

So it takes about 20 to 50 keystrokes before enough information can be gathered to break the encryption.

How close does one need to be to "sniff" wireless keyboard signals? Usually it’s 4-8 feet, or 1-3 metres. But with more powerful aerials this can be extended much further (hundreds of metres).

Also keep in mind that Bluetooth generally isn’t a very security protocol. It’s only considered safer because of how easy it now is to hack normal wireless keyboards. But you shouldn’t use it to keep million dollar secrets.

There’s a video here demonstrating how it works (warning, it’s geeky and technical): Wireless keyboard hacking.

So go back to wired keyboards, they not only more reliable and more secure, they don’t have batteries that need replacing or recharging.

A reader of FraudO.com, Christoph, has reminded us of a particular type of scam called Lottery Scams, also called a Dutch Lottery or a 419 Scam or a lottery of various other European countries. These scams begin with a letter or email telling the victim they have won a lottery.

The email instructs the victim to contact a “claims agent” to collect their prize money. The agent then sends the victim a claim form to verify their identity. The fake agent is building rapport and making it appear that there’s a real agency behind the emails. The form is in fact used to collect personal information about the victim, such as their passport number and driver’s license number. This is where the identity theft begins.

If the victim asks for some proof of the agency’s legitimacy they often fax back a legal looking document (which of course doesn’t prove anything, it just makes the victim feel more comfortable). This web page has examples of the fax and other documents the scammers send.

The victim is then given some options on how to collect the alleged winnings. In each case the scammer is setting up the victim:

• The winnings can be deposited directly to the victim’s bank account. This seems to be the more popular option. The scammer will request a large fee to make this happen (such as special taxes, insurance or legal fees). The scammer will end up keeping this money.
• The victim has the option to open a new overseas bank account to receive the alleged winnings. The bank is fake, but the victim is told that the bank requires a large deposit to open the account.
• The winnings can be picked up in person, often in The Netherlands. The victim will later be told that they have to pay a fee in cash to release the winnings. The victim is then given counterfeit prize money.

What to do:

1. Don’t reply to the emails (or letters or phone calls). Don’t give the scammer any indication that you exist.
2. Don’t send any money or provide any personal details.
3. Report the scam to your local authorities.

It seems many people are victims of this particular kind of fraud. In most cases the scammers are never caught, and even if they are the money is usually never recovered. Please be aware of how common this scam is and help your colleagues, friends and family to be aware of it.

The scam works because people want to believe it’s real, even if they didn’t enter a lottery in a foreign country. It’s up to everyone to talk openly about it and increase awareness of it.

This one isn’t about security online but rather over the phone. The same concept could be applied to the online world. In fact, it’s not about a scam but about how some organisations carry out legitimate work without realising how it affects the security of their customers.

From time to time some organisations contact their customers to confirm their details and just to ask if they’re happy with the service. The phone call is often from a call centre (whether internal or outsourced), and the originating phone number is often not provided.

The operator introduces themself, asks if they’re speaking to the correct customer, etc. Then the operator, following their script, goes and asks the customer to verify they’re the real account holder (or other relationship to the organisation).

The operator asks something along the lines of “to confirm you are <yourname>, can you tell me your street address?”, or asks for some other private information such as your password, date of birth, etc.

In most cases there is nothing fraudulent happening here, and I suppose most people would carry on the conversation by providing the correct information. There may even be an incentive such as a prize for completing the phone call. But what just happened here?

The customer received an unsolicited phone call from a private number asking for their personal details.

While this situation (which happens often) may be legitimate, the organisations are asking their customers to throw caution to the wind and to compromise the security of their accounts.

There are two major points to raise here:

1. People should never divulge private data (passwords, dates of birth) to someone they can’t be 100% sure is a legitimate representative of the organisation.
2. Companies should never ask their customers to do so.

I have received such phone calls from large service providers and even from the local tax office (government department). When I refused to provide my details the person on the phone was at first surprised, then eventually said they can’t help me any further without following their script.

Now I have no way of knowing whether these phone calls were really from who they said they represented, but I believe they were because in both cases I had recently made significant changes to my account. But I refused to provide this information in this scenario, and anyone who values their privacy (and their money) should also refuse.

What if there’s a good reason to continue with the call? Here are a few suggestions,

• Ask for the caller’s name and the department they’re calling from. Then find their phone number from a directory service and call them back. Don’t ask them directly for their phone number, this doesn’t prove very much. You need to go to a trusted 3rd party for their phone number (such as a phone book, directory assistance, the company’s web site).
• Ask them to provide the information in writing.
• Ask them questions that you consider private and that they should have available in their computer system. Questions along the lines of when and where did you open the account, how much was your last bill, your password. (In my examples above the operator wasn’t allowed to tell me because of their security policy, after which I politely ended the call).
• And most of all let them know that you have no way of distinguishing them from a scammer and that their phone call sounds suspicious.

It’s up to everyone to be vigilant about security, both you and the service providers.