Spear Phishing – Targeting Students
Spear phishing is a term for phishing attacks aimed at a particular organisation or group in order to collect personal details. This latest warning describes one such attack:
Students and staff at a few colleges and universities in the US have been receiving emails that appear to come from their system administrators. The emails state that a database is being updated and ask users to provide their username, password, and date of birth.
The schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame.
This information is collected by the people who sent the emails and used to compromise their accounts.
Be very suspicious of emails asking you to provide any personal details, especially if you didn’t request the email. And pay particular attention to which website the email links to – it’s a common tactic to use a similar sounding address that contains a typo (something that the human mind sometimes ignores).
Update: Australian universities have also been targeted in this attack.
Extreme Protection – Disabling ActiveX
Quite a few problems with malware come from malicious bits of code hidden in what’s known as ActiveX controls. Some web sites use this feature to add functionality. Other web sites hide malicious code inside ActiveX controls that can take control of your computer. You can’t really tell good ActiveX controls from bad ones.
One way to deal with suspicious ActiveX controls and to increase the security of your computer is to completely disable ActiveX for all sites. It’s an extreme measure and the downside is that some websites will no longer work.
To disable ActiveX:
- Start up Internet Explorer (if you haven’t already)
- Look on the bottom right corner for the word Internet, double click on it
- Highlight "Internet"
- Set the security level to High
- Click OK
- See this screenshot:
Some web sites this will affect are Facebook and MySpace. This is a good thing because Facebook and MySpace will publish ActiveX code written by unknown people. Even if you lose some functionality it’s a good thing to block code from people you don’t trust (and that the Facebook or MySpace companies don’t really trust).
If you come across a legitimate web site that no longer works because of this change, such as your bank’s web site, you need to decide if you trust them. In the case of a bank then you most probably do trust them and you can add them as an exemption.
Follow these steps (after the previous steps) to exempt an important web site that you trust:
- Open the web page you want to allow to run ActiveX code
- Highlight the address and copy it (Control C, or right click and select Copy).
E.g.
- On the bottom right corner of Internet Explorer you’ll see the word "Internet". Double click on this.
- Click on the "Trusted Sites" icon (large green tick)
- Click on the Sites button
- Paste the address you copied (it might already be here)
- Uncheck the option called "Require server verification (https:)"
- Click Add
- Click Close, then OK again
Be wary of what pages or sites you’re exempting. What you’re in effect doing is trusting the author of any code found on that site. Social sites such as Facebook and MySpace allow anyone to publish code, and this makes them a playground for writers of malicious code.
As stated at the beginning of this article, it’s an extreme measure that will increase the security of Internet Explorer. Increasing security always decreases convenience, but these days, with so many talented people out there trying to steal money online, it’s definitely worth considering.
Skype Update
Skype has released an update that fixes some issues (including the one reported earlier). The new version is 3.6.0.248; all Windows users should upgrade to it.
Skype’s announcement is here.
Fake IRS Tax Refunds
Emails are being sent claiming to be from the US IRS (tax department). They claim to offer a $375 refund for filling out a form. The form is hosted on a hacked web site, not on the IRS’s web site. The form asks for a large amount of personal information, including credit card numbers and PINs. This information is collected (a trick known as phishing) and later used to commit identity theft (effectively stealing your money).
When doing any taxes online please ensure the website is correct. See this earlier article on how to recognise deceptive domain names (URLs) and check for SSL certificates on the page (double click on the padlock icon in Internet Explorer, read who owns the site).
Good antivirus packages these days will also keep track of which web sites you go to and alert you if it’s a known fraud site. So it’s a good investment to purchase one.
New Vulnerability in Adobe Reader
It’s not news that PDF files can contain viruses. As useful as PDF files are, the flaw is with the reader program, called Adobe Reader (previously called Adobe Acrobat Reader).
It’s possible to embed code in PDF files, and it’s been shown that this code can download malicious programs from the internet and install them on the computer. At the moment the latest malicious code comes from the Netherlands, and as with all things on the internet it can move or spread quickly.
If you have one of the following programs then you’re at risk. According to Adobe’s notice it affects all platforms (Windows, Mac, etc).
- Adobe Reader 8.1.1 and earlier versions
- Adobe Acrobat Professional 8.1.1 and earlier versions
- Adobe Acrobat 3D 8.1.1 and earlier versions
- Adobe Acrobat Standard 8.1.1 and earlier versions
The vulnerability has been fixed in version 8.1.2 so update all your computers to avoid this one. Antivirus software can also protect you if you keep it up to date and use a well established product.
Another fake anti spyware site
All these fake sites and applications are becoming a bigger problem. The latest is called removal-tool . com (warning, do not try going to this site). It appears to be a collection of spyware removal tools except that it actually tries to install quite a few different bits of malware on your computer. It’s a malicious web page in disguise.
The web site looks nice, contains a blog, a news section, and reviews. The authors went to some effort to make it look convincing. Most of the links on the site even work. It would be difficult to tell that this site will compromise your computer.
Good anti virus software these days has the option to filter all web pages, and it stops most of these sites before your web browser starts loading them. It’s a good investment.
Another technique to avoid these traps is to use a less popular web browser such as Firefox or Opera, or to use a less popular operating system such as Mac OS or Linux.
At the moment the majority of malicious code is designed to target Windows and Internet Explorer. That’s not to say that other systems are immune, malware is just less common on them.
.com.au.com
Any web address that ends with .com.au.com should be treated with caution. At the moment these pages are redirecting to a fake anti spyware page, tricking people into downloading malicious software.
For example, an address such as importantcompany.com.au.com:
- is not the same as importantcompany.com.au
- is not the same as importantcompany.com
Because the last few letters are different it takes users to a completely different site. Even having one different letter or the dot in a slightly different position is enough for your computer to go to a different site, one owned and operated by an individual with questionable intentions.
In this example importantcompany could be any company or web site you’re familiar with (eg Google).
This is a problem because people are good at recognising patterns and the addresses look similar. However they are in fact different. Care should always be taken with deceptive addresses.
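The following Python script is an added example, not part of the original article, showing why the addresses above go to different sites: it works out the "registrable domain" (the part of an address that somebody actually owns) and compares it against a site you trust, flagging both the extra-suffix trick (importantcompany.com.au.com) and the one-letter typo trick mentioned in the spear phishing warning. The public-suffix list and the addresses are constructed for the example; a real checker would load the full Public Suffix List.

```python
# Added example (not from the original article): compare web addresses by
# their registrable domain, the part a registrant actually owns, so that
# look-alike addresses such as importantcompany.com.au.com are shown to
# belong to a different owner than importantcompany.com.au.
from urllib.parse import urlsplit

# Constructed subset of public suffixes (suffixes under which anyone can
# register a name). Real code would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "net", "org"}


def hostname_of(address: str) -> str:
    """Extract the lower-cased hostname from a URL or a bare hostname."""
    if "://" not in address:
        address = "http://" + address
    host = urlsplit(address).hostname
    if not host:
        raise ValueError(f"no hostname in {address!r}")
    return host.rstrip(".").lower()


def registrable_domain(address: str) -> str:
    """Return the longest matching public suffix plus the label before it."""
    labels = hostname_of(address).split(".")
    # Walking from i=0 upwards, the first candidate that is a public suffix
    # is the longest one (candidates shrink as i grows).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{address!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"{address!r} has no known public suffix")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_address(address: str, trusted: str) -> str:
    """Classify an address against a trusted site: 'same', 'lookalike' or 'unrelated'."""
    seen = registrable_domain(address)
    known = registrable_domain(trusted)
    if seen == known:
        return "same"
    known_name = known.split(".")[0]
    seen_name = seen.split(".")[0]
    # Look-alike if the trusted name appears anywhere in the hostname
    # (importantcompany.com.au.com) or the owned name is within one letter
    # of it (importantcompamy.com.au).
    if known_name in hostname_of(address) or edit_distance(seen_name, known_name) <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    trusted = "importantcompany.com.au"  # constructed example, as in the article
    for addr in ("importantcompany.com.au.com", "importantcompany.com",
                 "https://www.importantcompany.com.au/login",
                 "importantcompamy.com.au", "example.org"):
        print(f"{addr:45} owner={registrable_domain(addr):28} {check_address(addr, trusted)}")
```

Running it lists each address next to the domain that actually owns it: the first two examples from the article resolve to "au.com" and "importantcompany.com", neither of which is the trusted "importantcompany.com.au", so both are reported as look-alikes.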
HP Laptop Support Software
HP laptops come with some software to keep them updated and to help HP provide support. Lately there have been a couple of vulnerabilities discovered in these tools.
A support feature on HP computers is something called HP Virtual Rooms, an online collaboration suite. There’s a flaw in the ActiveX control that it uses and it’s possible to create a web page that lets someone install programs on your computer.
The file at risk is called HPVirtualRooms14.dll. If you have an HP computer you can check the properties of this file (do a search for the file); if it’s version 1.0.0.100 then it’s at risk.
The best defence is to have a good anti virus package, and to update this tool when HP gets around to releasing an update.
The second HP vulnerability is with HP’s Software Update utility. This utility keeps the computer patched, which is always a good thing to do. Except that it also has a vulnerability and the computer can be compromised by visiting a web page with malicious code.
The program affected is called HP Software Update Client, version 3.0.8.4.
Again, use a good anti virus program and update the update tool when HP releases a fix.
MSN Worm
There’s another bit of malware spreading through MSN’s messaging network (MSN Messenger and Live Messenger), known as the IRCBOT-RB Trojan, also called a worm because of how it spreads.
It works by showing people a message with links to pictures on MySpace and Facebook. It includes messages such as "Wanna see my pictures before i send em to facebook?". Clicking on the link takes the user to a web page with malicious code.
This particular worm/trojan changes the message into different languages, depending where the user is located.
Once infected, a user’s machine waits for instructions from the malware author, who can then control the machine at will.