Adobe Reader Vulnerability

If you use Windows XP and have Adobe Reader version 7 – 8.1 you need to patch it. Use Adobe’s built-in patching system to update it.

The vulnerability was discovered last month and there are already exploits that can allow attackers to take over your computer. Interestingly, one of the known exploits was created by a Russian online crime syndicate called RBN (Russian Business Network). They’re responsible for a large amount of online crime.

A bulletin from Adobe is here, for reference.

A Summary On Nigerian Scams

Nigerian scams are so called because the majority of them originate from Nigeria, and they all use the same tactic. Below is a brief summary of what the scam is, why it works, and how large the problem is.

A victim receives an email (or sometimes an old-fashioned letter) from someone posing as a lawyer. The text contains a story about a large amount of money locked up in a bank account, which gets the reader’s attention, and asks for help in retrieving it. In exchange the pretend lawyer promises a large reward.

The email can contain a statement such as “…In the discharge of my duty, I stumbled on this domiciliary account that has remained dormant for three years now with eight million, five hundred thousand United States dollars ($8.5M) in it…. That my purpose of contacting you is because the deceased has the same name with you…”

What happens next is an exchange of correspondence between the scammer and the victim. The story usually becomes emotional and touching, keeping the victim’s attention. Then the victim is asked to hand over some money to help with legal fees. The scammer often sends the victim a cheque as a token of good faith that the money is there. Unfortunately the cheque is fake and the victim’s bank won’t accept it. This is often where the victim realises what’s happened.

This scam has apparently been in use for many years, even before emails became prevalent. It continues to work because the victims are tempted by a large amount of money.

How widespread is the problem? This British article, dated 4 Oct 2007, states that 4500 fake documents were seized and that US$16.2m of fake cheques were seized. It also states that the scam costs the UK GBP4.5b every year, though this probably includes law enforcement costs. The problem isn’t limited to the UK either; it’s global.

What can you do? Be aware that this is a common scam and talk about it with anyone unfamiliar with the dangers present on the internet, especially older people. It would also be useful to report such emails (and letters) to your local authorities. A lot of people get arrested for taking part in these scams and any evidence you might have could be useful.

I’ve read articles describing victims that have gone to Nigeria to hunt down the scammer and reclaim their money, and the story ends tragically with murder or kidnapping. If I find these articles again I’ll post them here.

Technical Definitions

This article summarises some terms used to classify all the different threats out there on the internet.

Terms that end in “ware”:

  • Malware – a general term that covers all of the terms below.
  • Spyware – programs that secretly spy on your computer recording such things as your passwords and sometimes even what’s on your screen.
  • Crimeware – a general term for programs that install themselves on your computer for the purpose of committing a crime (such as stealing your money from your bank account). These are usually controlled by hackers.
  • Adware – programs that cause your computer to display a large number of ads. They have the side effect of slowing down your computer.
  • Trackware – these programs monitor what websites you visit and send statistical data back to a 3rd party (often a marketing company). This is often considered an invasion of privacy.
  • Grayware – a general term for malware that is used for marketing (as opposed to committing crimes).

Other terms:

  • Spam – unsolicited email.
  • Browser Hijacker – a program that changes the settings of your web browser, such as your home page or the error page.
  • Freeloaders – any program that installs itself by fraudulent means.
  • Browser Helper – often seen as a toolbar for web browsers, such as the Google Toolbar or Yahoo Toolbar. Some of the less well known browser helpers monitor and manipulate your browser.
  • Keylogger – a type of spyware that records keystrokes on your keyboard. This will capture your username and password when you log into services.
  • Dialer – a program that makes phone calls using your dialup modem without your permission, often to expensive premium-rate phone services.
  • Zombie – a computer that has a hidden program allowing a hacker to take it over at any time.
  • Botnet – a large collection of zombie computers. Hackers sometimes need to control lots of computers at once to carry out some of their attacks.
  • Vulnerability – a flaw in a program that can be exploited, e.g. to take control of a computer. Almost all programs have vulnerabilities; sometimes it takes days and other times years for someone to find one.
  • Zero Day Exploit – when a vulnerability is discovered in any program, if hackers can exploit it on the same day it’s been discovered it’s called a zero day exploit. This means software and antivirus companies have less than a day to discover the exploit and update their software to combat it – often a difficult thing to achieve.
  • Phishing – the practice of tricking users into going to a login page that looks legitimate but sends login details to the hackers.
  • Cookies – these aren’t bad in themselves; they’re used so web pages can remember you. Some people consider this an invasion of their privacy.

This is only a small set of the technical terms used to describe online security threats; most of the others are advanced and relevant to professional IT workers. The descriptions have also been simplified because this is an introduction to security.

Stock fraud using MP3 files

This is a fairly new tactic used by spammers. If you frequently download MP3 files (hopefully only those you have permission to download) sooner or later you might unknowingly download a file that doesn’t contain music but instead has a recorded message.

The message is computer generated, so it doesn’t sound human at all, and it tells you to invest in particular shares, called “penny stocks”. Obviously you’d be crazy to take financial advice from an audio spam you accidentally downloaded (in other words, delete the file and don’t buy their shares).

There isn’t much you can do at this stage to avoid it, other than taking care to download audio MP3 files from reputable (and legal) sources. I expect antivirus or antispam filters to quickly start checking audio files as well as the usual emails.

For now it’s being called “MP3 spam” by the media; we’ll see how this one evolves.

Unsolicited phone calls

This one isn’t about security online but rather over the phone. The same concept could be applied to the online world. In fact, it’s not about a scam but about how some organisations carry out legitimate work without realising how it affects the security of their customers.

From time to time some organisations contact their customers to confirm their details and just to ask if they’re happy with the service. The phone call is often from a call centre (whether internal or outsourced), and the originating phone number is often not provided.

The operator introduces themselves, asks if they’re speaking to the correct customer, etc. Then the operator, following their script, goes on to ask the customer to verify that they’re the real account holder (or have some other relationship to the organisation).

The operator asks something along the lines of “to confirm you are <yourname>, can you tell me your street address?”, or asks for some other private information such as your password, date of birth, etc.

In most cases there is nothing fraudulent happening here, and I suppose most people would carry on the conversation by providing the correct information. There may even be an incentive such as a prize for completing the phone call. But what just happened here?

The customer received an unsolicited phone call from a private number asking for their personal details.

While this situation (which happens often) may be legitimate, the organisations are asking their customers to throw caution to the wind and to compromise the security of their accounts.

There are two major points to raise here:

  1. People should never divulge private data (passwords, dates of birth) to someone they can’t be 100% sure is a legitimate representative of the organisation.
  2. Companies should never ask their customers to do so.

I have received such phone calls from large service providers and even from the local tax office (a government department). When I refused to provide my details the person on the phone was at first surprised, then eventually said they couldn’t help me any further without following their script.

Now I have no way of knowing whether these phone calls were really from who they said they represented, but I believe they were because in both cases I had recently made significant changes to my account. But I refused to provide this information in this scenario, and anyone who values their privacy (and their money) should also refuse.

What if there’s a good reason to continue with the call? Here are a few suggestions:

  • Ask for the caller’s name and the department they’re calling from. Then find their phone number from a directory service and call them back. Don’t ask them directly for their phone number; this doesn’t prove very much. You need to go to a trusted third party for their phone number (such as a phone book, directory assistance or the company’s web site).
  • Ask them to provide the information in writing.
  • Ask them questions that you consider private and that they should have available in their computer system, along the lines of: when and where did you open the account, how much was your last bill, what is your password. (In my examples above the operator wasn’t allowed to tell me because of their security policy, after which I politely ended the call.)
  • And most of all let them know that you have no way of distinguishing them from a scammer and that their phone call sounds suspicious.

It’s up to everyone to be vigilant about security, both you and the service providers.

Skype Defender

There’s a new trojan going around that is disguised as a Skype plugin called Skype Defender. If you install it, it will take your username and password and send it to a hacker.

It seems it only affects Windows users, and you can recognise it by looking at the login button on Skype (the real one has a red border). This document from Skype shows exactly what it looks like. It gets installed by a program called 65404-SkypeDefenderSetup.exe.

Skype Defender Trojan

How many organisations get hacked? A lot.

This article explains that a large number of organisations have security breaches in their networks and they mostly go unreported. This makes sense, as it would be bad publicity to acknowledge that their customers’ records are vulnerable to hackers. Still, it’s important for everyone to be aware of how often it really happens.

It’s also important to keep in mind how much information you provide to companies. Personal details like a driver’s licence number, date of birth, mother’s maiden name etc. often aren’t necessary to do business with a supplier. All this information, including marketing information, is often stored for years by companies. Whether or not they have a privacy policy the information is there, and people like hackers don’t abide by privacy policies. So be aware of what information you divulge.

And it’s really up to every organisation to be accountable for their security. At the moment the laws in most countries aren’t strong enough to enforce this, so not much will change until matters get worse.

PCLive – A Free Security Suite

One of the best methods of encouraging people to upgrade their computer’s security is to provide the tools for free. This security suite, PCLive Security, bundles a free antivirus product (ClamAV), a personal firewall and a popup (and adware) blocker. I haven’t had a chance to test it but it certainly looks promising.

There’s a paid version that also offers support, a hard drive maintenance module, a file optimisation module and a few other extra features. The price is US$4.95 a month, which is on par with other packages.

There’s a review here with a response from the CEO of PCLive providing a better idea of what it can do.