Category Archives: Phishing

Maybank Phishing Email

Another phishing email claiming to be from Maybank. As usual it starts with a story about something happening to your account. It gives you a link to click on and asks you to enter your personal banking details.

Please read the previous post on how to identify phishing emails.

Below is the text from the email:

Dear Maybank customer,

We are hereby notifying you that we’ve recently suffered a DDos-Attack on one of our’s Online Banking server. For security reasons you must complete the next steps to verify the integrity of your Maybank account. If you fail to complete the verification in the next 24 hours your account will be suspended.

Here’s how to get started:

1. Log in to Maybank online account (click here).

2. You must request for TAC via Maybank online banking – your TAC will be sent via SMS to the mobile phone number you registered. ( you can find the "Request a TAC" button in the Utilities menu of your account )

3. Logout from your account and close the browser.

4. When you have received the TAC (Transaction Authorization Code) on your mobile phone, go to our secured verification server and submit the requested information (Username, password and TAC). (click here) to go on our secured server.

5. Please allow 48 hours for processing.

Please comply and thanks for understanding

If you see this email just delete it.

Another PayPal Phishing Email

Phishing is when someone sends you an email designed to trick you into handing over personal details such as your passwords. Below is a new phishing email. At first glance it looks like it came from PayPal. It’s designed to trick you into clicking their link – it does this by coming up with a story about your account being locked.

Below is the email. At the end of this post I’ll explain what you can do to avoid falling for these things.

We are constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?

Your account access has been limited for the following reason(s):

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-0XD2-0XBC-0XDA-0X37.)

How can I restore my account access?

Please visit the Resolution Center and complete the "Steps to Remove Limitations."

Be aware that until we can verify your identity we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.

Sincerely,
Account Departement.

What can you do to avoid phishing emails?

  1. Do you have a PayPal account? If not then you should immediately suspect it’s fake.
  2. Is the email poorly written? If you look carefully you’ll find grammatical errors in the email shown above. Scammers generally have poor English skills.
  3. Use one of the newer web browsers. For example, I clicked on the link in the email to see what happens. Google Chrome immediately identified it as a phishing email and displayed a large red screen with a large warning that this is a phishing site. Opera does the same. Internet Explorer didn’t try to stop me (80% of Windows users still use Internet Explorer, it’s time to upgrade). So alternative browsers are safer to use.
  4. Install a good anti-virus package. For example, Trend Internet Security checks which web sites you’re visiting and it will stop you from going to known phishing sites. There’s a small subscription fee to buy and keep using Trend Internet Security and I think it’s a good investment (it’s cheaper than having someone take all the money out of your bank account).
  5. When you see a suspicious email, don’t click on the links they provide. If you’re really concerned about your account being locked, open a new tab in your browser and type in the address yourself. Then you know you’ll be going to the real PayPal site (or your bank, etc).
  6. When there’s a link embedded in an email you can place the mouse pointer over the link and wait a second. Usually you’ll be shown the address it points to. If the address isn’t exactly what you expect then it’s fake. Read more here about recognising fake addresses.
  7. Some email services include spam filtering. Sometimes you have to pay extra for this service. Spam filtering usually also filters out phishing emails. This removes these bad emails before you even get to see them.
  8. When you see a suspicious email, copy some of the text and paste it into Google. Then look through the results to see if it’s a known scam. (This is why I copy & paste all these bad emails into FraudO, to help Google find them).

In-Session Phishing Attack

A new way of stealing internet banking passwords has been discovered. Here’s how a victim would see it:

  • You’re reading a few web pages on the internet. One of them is infected with some malicious code – you don’t know.
  • You log onto your normal internet banking site.
  • The malicious code on the other site detects that you’ve logged into internet banking.
  • The malicious code brings up a window asking you to type in your internet banking password again, giving you some excuse as to why you have to log in again.
  • The malicious code sends your password to a 3rd party who uses it or sells it to someone who will.

How can this happen?

I won’t go into the technical explanation, suffice it to say that most browsers will trust and run code under certain conditions, and hackers have discovered how to exploit those conditions.

It works because the malicious code knows which banks to look for and does nothing until you log into your internet banking. Because the prompt only appears while you are actually logged in, to a casual person it sounds plausible that the bank needs your password again.

What can be done to prevent this?

  • When you use internet banking close all the other tabs you might have open. Just keep the internet banking page open by itself.
  • If you get a popup window to enter your password again you need to decide if the popup window is really from your bank.
  • Does it look the same as your normal login screen?
  • Is there a good reason why you have to enter your details again? (e.g. if you don’t use the internet banking page for 10 minutes it might time out, but otherwise it shouldn’t have timed out)
  • Does it have the SSL icon? This is often a padlock icon in the top right corner; if you click on it, it should identify your bank.
  • Use a good antivirus package that scans web pages. This isn’t 100% reliable but it will protect you from most malicious sites.
  • A more extreme measure is to walk into your bank’s branch and use their computers to do internet banking. This is ok, it’s just very inconvenient.
  • This is also a good time to remind you not to do internet banking from public computers, such as an internet cafe, a public library, etc. You need to trust the computer you’re working on.
  • The makers of web browsers (Microsoft, Mozilla, Google, etc) need to address this issue. When they do it’s up to you to update your browser to the latest version. Then this particular problem will go away.

    Below is a press release from a banking security company offering more information on this type of attack.

    http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

    Fake Twitter Site

    Recently people have been receiving a message in Twitter that says something like

    hey! check out this funny blog about you…
    hxxp://t w i tter.access-logins..com

    The link takes you to a page that looks a lot like the Twitter login page. If you try typing in your Twitter username and password it records them in a private database. Later someone will log into your Twitter account using your password and start sending out messages like the one above.

    Many people have one password for many sites, so once they have your Twitter account they could later try other services (e.g. Facebook).

    If you use Twitter and see the above message just ignore it. Don’t click on the link.

    Some web browsers (such as the latest version of Firefox and the latest version of Opera) will now detect this fake site and show you a large warning. A good antivirus package will also detect these sites and block them.

    And if you think you’ve already fallen for this, change your passwords.

    Fake hi5 Requests

    hi5 is a social network, much like Facebook or Myspace. A fake email has been going around pretending to be from someone called "Sarah xxx" (the name could change), and asking the reader to add them as a friend. The message says:

    hi5 Friend Request from Sarah xxx

    Hi,

    I’d like to add you to my hi5 friends network. You have to confirm that we are friends, and we’ll each get to meet more people. Please approve or reject my request by accessing the hi5 web site:

    Accept Friend

    Thanks,

    Adelina

    This seems real enough but there’s one serious flaw. They include a link you can click on (where it says "Accept Friend"). Clicking on this link doesn’t take you to hi5’s web site, instead it takes you to a phishing site.

    Assuming you had a hi5 account, when you enter your login details into the fake hi5 login page the system records your username and password and shares it with the criminals running this site.

    Like all phishing sites, it’s just a fake page designed to steal your password.

    What can you do?

    • If you use hi5 or any other social network, when you receive a notification email you can go to their web page yourself, without clicking on the links in the email. In other words, open a web browser and type in the name of the web site (or use a bookmark).
    • When you see a link in an email, place the mouse pointer over it for a couple of seconds. Most email clients will display the real address it points to. Of course it helps to have a bit of experience recognising real addresses from fake ones – read this FraudO article to learn more.
    • Use a good anti-virus package. The big commercial packages scan your emails for fake emails like this one and filter them out. They also scan the address of every web page you go to and if it’s known to be a scam they’re filtered out too.
    • And if you don’t know anyone called "Sarah xxx" who signs her name as "Adelina" then you can just ignore the email entirely.

    Fake McDonald’s Survey

    There’s a new phishing email that takes readers to a fake survey claiming to be from McDonald’s (the fast food company). It’s similar to this one seen recently.

    The email suggests that McDonald’s will give you $75 for filling in the survey. Clicking on the link takes you to a web site with a survey and some McDonald’s images.

    When you submit the survey form it then asks you for:

    • Your full name
    • Your email address
    • Your credit card number
    • Your credit card’s expiry date
    • Your credit card’s security code

    This information is collected and later used for fraudulent purposes (i.e. to make purchases using your credit card). If you receive this email or similar ones just delete them. Don’t be tempted by whatever they promise to give you.

    And remember that to fill in a survey form there’s never any reason to give out your credit card details. It’s always a scam.

    Fake Survey Emails

    A fake email has been sent claiming that JP Morgan Chase (a financial services company) will pay you $50 for filling in a survey. Sounds tempting, except that the link they want you to click on does not take you to the real JP Morgan Chase’s web site.

    Instead it takes you to a fake web site with a form asking you a few questions (the form looks like a real survey). At the end it asks you for your full name, credit card number, expiry date, and PIN number! This kind of trick is known as phishing. Any information you enter here is collected and eventually used to steal money from people’s accounts.

    The idea is to entice you into filling in a survey by promising a reward ($50), making their site look like it’s from a large company, then collecting private information that you really shouldn’t be giving out to anyone.

    The email reads:

    Online Survey – Add 50$ to your account in 2 minutes!

    Dear Customer,

    You are invited to take part in our nation-wide 5 question survey. Your time is very important to us so $50 will be credited to your account upon the completion of this survey.

    Please note that no sensitive information will be required, collected or stored. The information will be used to further improve our services

    To take part please click here

    So if you see any emails like this just delete them. Also keep in mind that a good anti-virus package can often detect that you’re going to a fake web site and stop you.

    WorldPay Fake Emails

    Another fake email, this time claiming to be from WorldPay. The body of the email makes you think you’ve paid for something, and since you surely haven’t you’ll be suspicious enough to open the attachment hoping to find more information.

    The attachment is a zip file, disguised as something else. The attachment’s filename is WorldPay_CARD_Transaction_Confirmation_OrderNo76621.doc.zip – this is an old trick of using two extensions at the end. .doc is usually a Word document, but the real extension is the last one, in this case .zip. A zip file can contain programs (.exe) such as malware. So always look at the last bit of the extension (.zip) when deciding whether or not to open the attachment.
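The double-extension trick above can be checked mechanically. The following is an added example, not code from the original post: it reads an attachment's real (last) extension, shows how the name looks once Windows hides known extensions, and flags a benign-looking extension sitting in front of an archive or executable. The extension sets are a sample policy, not a complete list.

```python
# Added example (not from the original post): decide what an attachment
# really is from its LAST extension, and flag the double-extension trick
# used by WorldPay_CARD_Transaction_Confirmation_OrderNo76621.doc.zip.
# The extension sets below are a sample policy, not a complete list.
from typing import List

DOCUMENT_LIKE = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE = {"zip", "rar", "7z"}              # can contain programs
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}


def extensions(filename: str) -> List[str]:
    """All dot-separated suffixes of the bare filename, lower-cased, in order.
    'x.doc.zip' -> ['doc', 'zip']; parts with spaces or symbols are ignored."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.lower() for p in name.split(".")[1:] if p.isalnum()]


def as_shown_with_hidden_extensions(filename: str) -> str:
    """How the name appears in Windows Explorer with 'Hide extensions for
    known file types' on: the final extension disappears, so 'x.doc.zip'
    is shown as 'x.doc', which is exactly what makes the trick work."""
    base, _, last = filename.rpartition(".")
    if not base or not last.isalnum():
        return filename
    return base


def classify_attachment(filename: str) -> str:
    """Verdict based on the real (last) extension; ':disguised' is appended
    when a document-like extension sits in front of it."""
    exts = extensions(filename)
    if not exts:
        return "no-extension"
    real = exts[-1]
    disguised = any(e in DOCUMENT_LIKE for e in exts[:-1])
    suffix = ":disguised" if disguised else ""
    if real in EXECUTABLE:
        return "block:executable" + suffix
    if real in ARCHIVE:
        return "warn:archive" + suffix
    if disguised:
        return "warn:unknown" + suffix
    return "allow"


if __name__ == "__main__":
    sample = "WorldPay_CARD_Transaction_Confirmation_OrderNo76621.doc.zip"
    print(as_shown_with_hidden_extensions(sample), "->", classify_attachment(sample))
```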

    Below is an extract of the email:

    Thank you!

    Your transaction has been processed by WorldPay, on behalf of Academic Resources Center Inc. 

    The invoice file is attached to this message.

    This is not a tax receipt.

    We processed your payment. 

    Academic Resources Center Inc has received your order, and will inform you about delivery. 

    Sincerely,

    The AcaDemon Team

    Enquiries

    This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Academic Resources Center Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.

    Fake eNom emails

    Below are two fake emails claiming to be from eNom (a domain name and web hosting provider). The emails are worded such that they sound technical and that they require immediate action.

    Both emails contain a link you’re supposed to click on, however if you examine the link closely you’ll see they actually point to someone else’s site. This is sneaky and you really need to be aware how to distinguish real links from malicious ones like these.

    In this case the link is displayed as: http://www.enom.com – but if you place the mouse pointer over the link and wait a second, you’ll see the real link displayed (depending on which browser and email client you’re using). In this case the link really points to httpz: // w ww.enom.com.com92. _biz  - See what they did there? They added a few characters to the end. This is enough to make it point to a completely different site. Even though it has part of eNom’s address in there, it’s different. (Note that I broke up the URL to stop you from accidentally clicking on it).

    The second email is similar, it really points to h ttp :/ / www. enom. comcom94._com – Again this is different, even though it has part of eNom’s address. Even one letter or number is enough to make it go somewhere else. (Again I broke up the address to stop you clicking on it).

    How can they do this? Unfortunately at this time nobody stops scammers from registering an address that is very similar to a legitimate address. It’s up to you to take care what you click on.
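The hover check described above, done in code: an added example that is not part of the original post. It compares the address a link displays with the host its href really points to and reports lookalikes of the enom.com.com92.biz kind. The sample HTML is constructed from the two addresses quoted in the post, and registrable_domain() assumes a plain two-label suffix such as .com or .biz (real code would use the Public Suffix List).

```python
# Added example (not from the original post): compare the address a link
# displays with the host it really points to, the check you do by hand by
# hovering over it. registrable_domain() assumes a two-label suffix
# (.com, .biz); real code should consult the Public Suffix List.
import re
from typing import List, Optional
from urllib.parse import urlsplit

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'www.enom.com.com92.biz' -> 'com92.biz'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatch(display_text: str, href: str) -> Optional[str]:
    """Reason the link is deceptive, or None if display and target agree."""
    real = urlsplit(href.strip())
    if real.scheme not in ("http", "https"):
        return f"unexpected scheme {real.scheme!r}"
    shown_text = display_text.strip()
    if "://" not in shown_text:
        shown_text = "http://" + shown_text
    shown_host = urlsplit(shown_text).hostname or ""
    real_host = real.hostname or ""
    if "." not in shown_host:
        return None  # link text is words, not an address: nothing to compare
    if shown_host == real_host:
        return None
    shown_dom, real_dom = registrable_domain(shown_host), registrable_domain(real_host)
    if shown_dom == real_dom:
        return None  # same registered domain, different subdomain
    if shown_dom.split(".")[0] in real_host:
        return f"lookalike: shows {shown_host} but goes to {real_host}"
    return f"mismatch: shows {shown_host} but goes to {real_host}"


def check_html_links(html: str) -> List[str]:
    """Run link_mismatch over every <a> in an HTML email body."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner)  # strip tags inside the anchor
        reason = link_mismatch(text, href)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample modelled on the two eNom emails quoted in the post.
SAMPLE_EMAIL_HTML = (
    '<p>For access your account follow this link - '
    '<a href="http://www.enom.com.com92.biz">http://www.enom.com</a></p>'
    '<p><a href="http://www.enom.comcom94.com">http://www.enom.com</a></p>'
    '<p><a href="https://www.enom.com/login">www.enom.com</a></p>'
)
```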

    Another couple of tips to protect you from these tactics:

    • Use a good antivirus package that checks every web page you load. These days they have a list of good and bad sites, and it’ll warn you if you’re going to a known “bad” site.
    • If your web browser or email client doesn’t let you see the real link (by hovering the mouse pointer over the link) then upgrade to another browser or email client.
    • Use some kind of spam filtering with your email. This is fairly common these days.
    • Use an alternative browser, such as Firefox, Opera, Chrome, or Safari. This isn’t always enough these days, as we’ve seen with Flash malware. But it helps a little.

    Below are the two emails. I’m putting them here so that people can search Google and get to this page to learn what they really are.

    Email 1:

    Dear eNom Customer, 

    Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

    * Main site 

    * All web hosting services 

    * Email services 

    * Communication with the registry affecting new registrations, renewals, and transfers 

    For access your account follow this link – http://www.enom.com 

    The following services will not be affected and will continue to be fully operational: 

    * DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

    * Email forwarding and site redirection will operate normally 

    We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

    Sincerely, 

    eNom Tech Support

    Second email:

    Dear eNom Customer, 

    Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

    * Main site 

    * All web hosting services 

    * Email services 

    * Communication with the registry affecting new registrations, renewals, and transfers 

    For access your account follow this link – http://www.enom.com 

    The following services will not be affected and will continue to be fully operational: 

    * DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

    * Email forwarding and site redirection will operate normally 

    We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

    Sincerely, 

    eNom Tech Support