At the end of 2011 (just recently) the total number of unique malware (viruses, spyware, etc) reached 75 million. That’s 75 million different threats people created to cause havoc, steal passwords and steal money from you. The internet can be a dangerous place.

The figure comes from a report by McAfee. They also report that malware for Macs are becoming less common, and malware for Android are becoming more common.  You can read more details here, it’s pretty grim.

Some tips to avoid being a victim:

• Use a good antivirus product on your computer. Paid ones are usually better. Keep it updated
• Use Google Chrome
• Don’t click on every link you see in Facebook, Twitter, etc.
• Sometimes people’s accounts get hacked, so something they wrote online might not really be from them
• Don’t believe every sensational headline you see
• Don’t believe every alarming email you receive, especially emails that sound urgent and have poor spelling and grammar
• Use common sense (why would a stranger in an African country want to give you millions of dollars, or did you really enter the Spanish lottery?)
• Use Google to check if something you read is true

1234 is the most common PIN used in banking.

A new study of 1100 banking customers found that 1234 and birth dates make up a large percentage of PINS. This means if your wallet is stolen, a thief can find your birth date from your license or other ID, take your ATM card and guess your PIN. And it will work for 1 in 18 stolen wallets (or 1 in 11 for some banks). They’re good odds for thieves.

The study suggests that banks issue a random PIN instead of letting you set one yourself. I think it’s a good idea. Here’s the full document.

Which industry made $114 billion in the past 12 months? Cybercrime did.

According to  Norton’s Cybercrime 2011 report, criminals stole US$114b worth of money using the internet. This is a serious problem. Think about where all that money came from? Who do you know that had stolen from their bank account, credit card, or other cases of fraud?

Here’s a breakdown the US$114b:

• USA: $32b (74 million victims)
• China: $25b
• Brazil: $15b
• India: $4b

Daniel Amitay has been able to collect a sample of over 200,000 passcodes used to lock an iPhone. The most common ones were:

1. 1234
2. 0000
3. 2580 (a vertical row)
4. 1111
5. 5555
6. 5683 (spells LOVE)
7. 0852 (a vertical row)
8. 2222
9. 1212
10. 1998

This list represents 15% of all PINS (that’s too high). Years starting with 199 were also found to be common. And PINS starting with 1 are also very common.

The information here is relevant to other devices as well, basically anything that uses a 4 digit PIN typed into a keypad.

If you use any of these codes to lock something you consider important you should change it now.

Security companies sometimes get to analyse real people’s passwords and create interesting reports. Imperva has just done that, analysing 32 million passwords used on the Rockyou.com site (which was recently hacked).

Below is a summary of their findings. Why is this important to you? Because it means that statistically, you probably have a weak password that can be guessed.

• 41% of passwords only use lower case letters (weak)
• 15% of passwords only user numerals (even weaker)
• Nearly 50% of people used names, slang words, dictionary words or trivial words as their passwords. These can be guessed in seconds by a “brute force” program.

The ten most common passwords were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

If you use any of these as your password then change it now, it’s too easy to guess, especially now that everyone can see this list.

For tips on how to choose a good password read our previous article. And here are some tips on testing how good your password is.

Imperva’s complete report is here. It’s full of interesting technical details on what they found and what the risks are.

Avast! is a company that makes a decent anti-virus program. They recently published some statistics that are interesting:

• Their anti-virus programs blocks 1 billion malware a month. That’s 1,000,000,000 attempts to install viruses, trojans, password stealers, etc on to people’s PCs. A month. And that’s just by one small company.
• 1 in 15 people encounter a malware every day.
• They find about 3,000 new malware each day (that’s new and unique viruses, trojans, etc). They have 2.1 million in their database.

These statistics are not just marketing numbers, they give you an idea of how serious a problem malware is. If you don’t have a good anti-virus system installed on your computer they you need to take action now (today) and install something to protect you. Good anti-virus systems generally cost money – it’s a good investment, the cost of not buying one is usually greater.

And get something from a known vendor. Last week I talked about a comparison of anti-virus programs, you can use this as a guide.

And Macs and Linux computers aren’t safe either.

A quick post about spam. Some of the most common sentenced used in spam are:

• We are letting you try it for FREE, you just pay the shipping costs!
• FREE Download without limits!
• Get your Free Trial Now!
• Take FREE exotic vacations!
• Get Free trial bottle!

In similar news, Norton has published a list of what they consider the top 100 most dangerous web sites. I won’t copy & paste the names here because my site and newsletter will no doubt be blocked by filters everywhere. You can have a look here to get an idea of what they consider to be highly dangerous web sites.

The FIFA World Cup is scheduled for 2010 in South Africa and scammers have already started using this news to trick people into giving out their personal details.

A new scam email is sent to people telling them they won a lottery. The email is full of interesting things to catch people’s attention such as a large dollar amount ($850,000) and social tricks such as asking them not to tell anyone about their winnings.

At the end they ask the recipient to send them a few personal details, which the scammers then use to steal money from your bank accounts.

The email uses broken English and is full of "official looking" random letters and numbers.

Below are some quotes from the scam email. If you receive this email just delete it.

South Africa FIFA World Cup 2010
Government Accredited Licensed!!
Online National Lottery South African
2009/REF:EAASL/941OYI/04&
Batch: 12/25/DC34 RE:LOTTO

Your email have luckily won the sum of USD$850,000.00

Which subsequently won you the lottery in the 2nd category i.e. match 5 plus bonus. You have therefore been approved to claim a total sum of $850,000.00 USD… In cash credited to file KPC/9080118308/02. All participants for the online version were selected randomly from World Wide Web sites through computer draw system and extracted from over 100,000 union associations and corporate bodies that are listed online this promotion takes place weekly.

Our agent will immediately commence the process to facilitate the release of your funds as soon as you contact him. For security reasons, you are advised to keep your winning information confidential till your claims is processed and your money remitted to you in whatever manner you deem fit to claim your prize. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program your request to fill the information below.

And it goes on and on.

Some people who fall for these things have never entered a lottery, but they want to believe it so much that they don’t stop to consider why they were selected.

Now you might be wondering who could possibly be so foolish to fall for lottery scams. In fact, a large number of people fall for these things. In Australia alone (and with a small population of 21 million) 329,000 people lost money to lottery and phishing scams in one year. 3.6 million people fell for these scams in USA. Imagine how many people worldwide fall for these things.

Not everyone in the world reads Fraudo.com. You can help by talking to people about lottery scams, making them aware of what they are and how they work (there’s more information here). Help educate people, especially those who are less tech savvy or might be desperate for money. You could also help them subscribe to Fraudo.com – get them to enter their email address in the top right corner of this page, sometimes email is an easier way to receive these updates.

It’s now 2009. I started this site in 2007 with the intention of helping people understand online fraud. Things are coming along nicely.

In 2008:

• I published 174 new articles on this site (for a total of 229 articles). My goal was 200 new articles so I’ve slacked a bit.
• 8493 people used Fraudo.com when looking for information about scams, fraud, etc.
• 576 people wanted to know if it’s ok to give out their bank account details to strangers (I answered this question here)

I also introduced an email subscription service. Enter your email address in the top right corner of this page and you’ll receive an email with all the latest updates.

Fraud, scams, and viruses are bigger problems than ever so I’ll continue my efforts on this site. The best way to overcome these dangers is through education, so continue reading this site and let everyone know about it.

All the best for 2009,

Enrique.

There was a media announcement recently from a Russian company called Elcomsoft claiming to be able to crack WPA encryption. What’s this about and how does it affect you?

WPA is the preferred encryption for wireless networks, the kind you probably have at home or in the office. Here’s a quick recap of where WPA fits in:

• WEP – the old wireless security option. This is useless, it provides no real security.
• WPA – this replaced WEP. Some old devices didn’t support it but most new ones do. WPA is good, highly recommended.
• WPA2 – this is better than WPA

So what did Elcomsoft do?
They developed a way to speed up the time it takes to crack WPA and  WPA2 encryption. Here’s a short summary:

• If you use a short password, say 10 letters long, it used to take 579,000 years to crack. With this new technology it would now take 5793 years, or 5 years if they purchase 1000 of these machines dedicated to hacking into your wireless network (at a cost of over $1m of hardware).
• If you use a good password, e.g. 20 characters long, will now take 10,000,000,000,000 years to crack, or shorter if you have thousands of computers working together on this.

In other words the article is mostly hype. Making something 100 faster doesn’t mean much when we’re talking about trillions of years.

The short version is: use WPA/WPA2 and a long password when configuring your wireless network. Use at least 20 characters.

Further:
What I’ve written above applies to small networks such as home or small offices. For large networks you should be using a technology called Radius together with WPA, this is much more secure, extremely hard to crack, and of course more complicated and expensive to install and maintain.

Another amazing statistic – across 46 states in USA there were more than 630,000 laptop computers reported lost in the past year. That’s more than 12,000 a week. And when you consider that most people still keep documents on their laptop computer when they travel they haven’t just lost a piece of hardware, they’ve potentially lost control of private and confidential documents.

What can you do?

Laptops can be insured. Anyone who carries a laptop around for work would have it insured, it’s just a cost of doing business. Nothing new here.

As for the documents stored on them, delete them before you travel!. If this sounds extreme then you need to wake up and realise what’s happening in the world.

At many airport security checkpoints customs officers now have the authority to look at the contents of your laptop’s hard drive before they let you board the plane or enter a country. And they don’t always just "look" – sometimes they make a copy of your hard drive so they can look more closely at a later time. Is this legal? Yes, in some places (including most US airports today). Read more about this in this article.

So you now have two reasons to delete all documents from a laptop before travelling:

1. You could lose your laptop (like 630,000 other people each year in one country alone).
2. You could be asked to hand over your laptop’s data to customs officers.

What a lot of large organisations do these days is hand their employees "clean" laptops that have no documents on them. Employees are given VPN access, so when they arrive at their destination they can access their office network and carry on with their regular work. If you’re new to the concept of a VPN read our previous article on its benefits. Another trick is to carry your files on a USB flash drive, and hide it in your wallet or luggage. This could be encrypted as well for security, in case you lose it.

Whole disk encryption is another technology that can help you with lost laptops. Whole disk encryption makes the entire contents of the laptop useless without a password. There’s no known way to recover the data. There are still two risks with this method:

• You need the support of your IT department to ensure your organisation can restore your data in case you lose the password. Encryption management is not difficult for IT departments. For individuals it can be a burden.
• If customs officers insist on seeing the contents of your laptop’s files you need to hand over the password, and they get to read and even copy your files. This is legal in most western countries, it’s not enough to tell them you forgot the password.

Now if you’re thinking that your laptop needs a password to startup and that this is enough to stop people, remember that the files on your laptop’s hard drive can be copied without a password. You just need to pull out the hard drive (easy to do with laptops). Whole disk encryption is the only effective password protection for laptops.

And while we’re talking about travelling now’s a good time to remind you not to trust free or hotel wireless networks. You never know who’s monitoring the network traffic (read our previous article on this).

Read the study on lost laptops here, sponsored by Dell.

So in summary:

• Insure your laptop to recover the cost of the hardware and software
• Delete all files from the laptop before you travel. Use another technique to gain access to them when you arrive (either a VPN or a hidden and encrypted USB flash drive).

A new report has concluded that 637 million people are using out of date web browsers. This is bad.

Old web browsers have security flaws and vulnerabilities. You’re meant to update your web browser to the latest version because the developers have worked hard to patch it and fix up security holes. And in almost every case an upgrade is completely free. Why would anyone choose to use an old browser?

There are no legal obligations to upgrade a web browser but with this many people ignoring the very simple task of upgrading maybe it’s time for something to change. Now’s a good time to check for updates (the option is often in the Tools menu of the browser you’re using right now).

The report is here.

Sometimes it’s hard to believe these statistics, the numbers are so large. The Australian Bureau of Statistics has finished their first survey of personal fraud. Their findings are that 800,000 Australians fell victim to fraud in some way.

453,100 of those lost money, for a total of $977 million. That’s a lot of people and a lot of money for a rather small population.

329,000 Australians lost money after responding to lottery scams and other phishing related scams.

A lot of people keep falling for scams. The best thing you can do is help them become aware of what scams and fraud tricks are being used. Remember that you can always subscribe to Fraudo.com by email or with an RSS reader.

How much money do you think Australians send to Nigerians because of the old Nigerian 419 scam? (Keep in mind that Australia has a small population of 21 million)

The answer is millions of dollars.

This very interesting interview with the head of the Queensland Police Corporate Crime Investigation Group (what a long title) discusses these scams and provides some interesting details.

People who fall for these scams often don’t report it, and in many cases repeatedly fall for these scams. Watch the video, discuss it with your friends, family and colleagues, and help raise awareness of this particular kind of scam. You can also read this article on how Nigerian scams work.

Link to video.

An Australian security organisation called AusCERT has conducted a survey and come up with the following results. I’ve added my own comments on the right.

The full survey results have been published here. It’s an interesting read, especially seeing the reasons why some people don’t use anti-virus and anti-spyware software.

Symantec, a  large security company, have reported that there are now more malware writers than legitimate software writers.

They state that 65% of the 54,609 Windows applications released to the public in the past 6 months were malicious.

Another interesting statistic from this report is the percentage of browser plug-in vulnerabilities:

• 79% ActiveX
• 8% QuickTime
• 5% Java
• 5% Flash
• 2% Windows MediaPlayer

What this means is that by disabling ActiveX from your web browser (Internet Explorer) you can avoid 79% of web browser plug-in attacks. Here’s an article on how to disable ActiveX.

As for the other types of plug-ins, keep them patched and up to date to reduce the risk of infecting your computer.

Here is Symantec’s internet security report.

Gartner is a well recognised research company. They’ve recently added up the numbers and come up with 3.6 million adults that lost money in 2007 due to phishing scams. In 2006 the figure was 2.3 million.

That’s a lot of people being conned and losing money online. According to this report it adds up to US$3.2 billion in USA alone.

Some tips you might find useful to avoid being of of these 3.6 million people:

• Never hand over personal details to people or web sites, unless you’re 100% certain of who you’re handing the details to.
• Pay attention to web addresses you click on. Read our article on this here.
• If you didn’t ask your bank or other service provider to send you an email then treat it as suspicious.
• Scammers always take advantage of popular events to send phishing emails. E.g., it’s now Easter so expect lots of Easter related scam emails.
• Be skeptical of what you read online. Chances are you didn’t really win a lottery in Spain without even buying a ticket.
• Use a good antivirus package that includes a web site scanner. The newer packages filter out fraudulent pages.

eBay fraud is rampant in Romania, Russia and China. In fact, eBay says that the majority of all eBay phishing emails comes from these countries.

Mark Lee is the trust and safety manager for eBay UK and he’s made the following comments:

• “[there's] no fear of real punishment [in these countries]“
• “These attacks are definitely organised”
• “There are towns in Romania where the entire focus is on sites like eBay as the main source of income”

There have been several hundred arrests in Romania after eBay initiated a campaign to stop fraud, in June 2007. But this hasn’t stopped them and it’s still rampant in these parts.

Techniques used by these criminals include asking eBay shoppers for personal details (when people bid or ask questions on the site) – this is known as phishing and the personal details are later used to commit other crimes.

If you use eBay to buy or sell goods have a read here [ http://pages.ebay.com/securitycenter/ ] for tips and tutorials on eBay security. And continue to read FraudO.com for online security tips.

Some new statistics on how widespread malware has become. This research comes from Google’s Anti-Malware team (full document is here)

• The majority of malware sites are hosted in China
• 1.3% of Google searches return a link to a malicious site
• They found more than 3 million unique URLs on over 180,000 web sites that automatically install malware

That’s 3 million web pages that will attempt to install some form of malicious code on your computer.

With things this bad you’d be crazy to use the internet without some kind of web filtering. This is different to virus scanning. Web filtering scans each web page before your web browser loads it, looking for things like phishing and malicious code.

All of the big antivirus products include web filtering these days, it’s a good investment if you haven’t purchased one already.

The US Federal Trade Commission (FTC) has released a report showing some statistics on fraud for 2007. These statistics come from people who report incidents of fraud to them, so it’s really limited to USA. The problem worldwide would be much much worse.

The top 20 complaint categories were:

Rank    Category    Complaints

1. Identity Theft    258,427
2. Shop-at-Home/Catalog Sales    62,811
3. Internet Services    42,266
4. Foreign Money Offers    32,868
5. Prizes/Sweepstakes and Lotteries    32,162
6. Computer Equipment and Software    27,036
7. Internet Auctions    24,376
8. Health Care Claims    16,097
9. Travel, Vacations, and Timeshares    14,903
10. Advance-Fee Loans and Credit Protection/Repair    14,342
11. Investments    13,705
12. Magazines and Buyers Clubs    12,970
13. Business Opportunities and Work-at-Home Plans    11,362
14. Real Estate (Not Timeshares)    9,475
15. Office Supplies and Services    9,211
16. Telephone Services    8,155
17. Employ. Agencies/Job Counsel/Overseas Work    5,932
18. Debt Management/Credit Counseling    3,442
19. Multi-Level Mktg./Pyramids/Chain Letters    3,092
20. Charitable Solicitations    1,843

That’s 258,427 cases of identity theft in one year, in one country! The total fraud losses recorded in this report totals more than $1.2 billion. The full report is here.

A recent survey by a security company called Secunia shows that only 5% of computers are fully patched. The other 95% are running insecure software.

It’s important to patch all of your software. This includes the operating system itself (e.g. Windows, Mac OS, Linux), your web browser (e.g. Internet Explorer, Firefox), and all your applications. And of course in an office environment patches should be carried out by IT administrators (complete with backups).

This serves as a gentle reminder to our previous post on patching. Read Secunia’s article here.

The US Army has been upgrading their servers and workstations to Macs and are claiming they’re harder to hack (i.e. they’re more secure).

The primary reason they state is that fewer attacks are written for Macs than for Windows. This seems true for now.

One common weakness between all operating systems (Mac, Windows, Linux, etc) is the user. People can be tricked into clicking on things or carrying out other hazardous tasks no matter what computer they use (this is where security education comes in).

More details here.

Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?

If you have a wireless network that isn’t well secured then:

• Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
• Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
• Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
• It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
• It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous

The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.

I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.

If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:

• It’s illegal in a lot of countries (people get arrested for this quite often)
• It’s effectively stealing. It isn’t a victimless crime
• You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords

So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.

A quick update about online crime.

In Italy, 26 people were recently arrested for taking part in running phishing sites (web sites that look like bank sites (for example) but are designed to capture your account number and password). Two of these people have already been sentenced (5.5 – 6 years prison). It’s important to realise how common this problem is in the world.

And a short while ago I wrote about some important disks that were lost by the British government, containing personal data on 25 million people. That incident received a lot of press coverage and it’s not an isolated case. This stuff happens frequently, like in Northern Ireland. Two CDs were lost this week by one of their government agencies containing personal data on 6000 residents. These disks were not encrypted, as the previous case. Full article here.

Then in California a laptop was stolen containing personal information on 45,000 patients of Sutter Lakeside Hospital. Again the data was not encrypted, making it all too easy for anyone to use this personal information as they see fit. I recently wrote an article on protecting laptops when used to take home work. Full press article here.

Some lessons to be learnt are:

• There are a very large number of online criminals doing everything they can to try and steal your money
• Disks and notebooks (laptops) are lost or stolen all the time. If they contain sensitive information they should be encrypted
• Keep in mind that your personal details are not all that private anymore