Fake Facebook Lottery

This email is a scam, it’s not a real lottery:

ATTN:- Winner(s),

How are you? We have a good news for you. You are among the FACEBOOK lucky winners. Please reply if you get this message!

NB: Do Not Ignore This E-mail. Kindly Reply To Have Your Winnings.

Thank You,
Facebook Promo Coordinator
James Lee Curtis

If you see this email mark it as spam or delete it.

Google vs Bing

A company called AV Test has been testing Google and Bing, and has found that Google is better with filtering out dangerous websites.

They tested 10.9 million searches on both search engines and found that:

  • Google included 272 websites that were infected with malware
  • Bing included 1285 websites that were infected with malware

This is bad. If you’re searching for something, both Google and Bing test every website and hide any website that have been infected. This protects you from clicking on a website with malware. They found that Google is better at filtering infected sites. So if you want the best security possible, do your searches in Google. Full details here.

Other tips I can add are:

  • Use Google’s Chrome browser. It’s fairly good at blocking malware and resisting hacks
  • Keep your computer updates (e.g. run Windows Update frequently)
  • use a good antivirus program
  • be cautious what you click on
  • don’t believe everything you read in Facebook, emails, Twitter, etc


New PCs

It used to be that a new PC was safe and couldn’t have malware. This is no longer true. New PCs, straight from the shop or distributor and just unpacked, can contain malware.

In the past few days an investigation of PC manufacturers in China has found that some PCs came with some nasty malware already installed. Investigators bought 20 computers from different manufacturers and suppliers and found 4 were infected.

The manufacturer isn’t to blame here – the malware was installed by other parties along the supply chain. A supply chain includes delivery companies, companies that rebrand generic devices, distributors and shops. There are many opportunities to infect a computer these days – even before you turn it on.

In this investigation the malware was part of the Nitol botnet, which keeps installing more malware once the computer is connected to the internet. This makes it especially hard to clean. And it does things including turning on the computer’s camera and recording keystrokes (and recording passwords you type in).

So what should you do?

Install a good antivirus package from day one. This generally costs a bit of money but it isn’t much compared to the cost of the PC. Most computers come with a trial version of antivirus software – you can use this or go buy something else.

You should also run Windows Update as soon as you connect the computer to the internet.

There’s more information on the investigation here.

Blizzard Battle.net Hacked

Hackers have broken into Blizzard Entertainment’s Battle.net service. They’ve stolen account details including  email addresses, phone numbers, and encrypted passwords. The affected regions are China, North America, Latin America, Australia, New Zealand and Southeast Asia.

User’s passwords are safe at the moment but there’s no way to know how long it could take to crack them. It could be hours or years, it really depends how well they were encrypted.

If you have a Blizzard Battle.net account you should change your password now. And if you’re reused the password on other websites you should change those as well.

Melbourne Myki System

Melbourne (Australia) has a transport ticket system called Myki. If you use it there’s currently a security risk you should be aware of.

If you purchase a ticket using their ticket vending machines and pay by credit card, the machine issues a receipt. The receipt shows the credit card owner’s full name, the card’s expiry date, and more than the last 4 digits of the card. All of these things are considered security risk. Anyone finding the receipt can use the information on it to commit credit card fraud.

If this applies to you, don’t use a credit card to purchase tickets until the issue is resolved. I can’t verify it but apparently you can’t avoid printing a receipt. Hopefully all of these issues will be resolved soon.

And for everyone, it’s worth highlighting that you should always pay attention to credit card receipts. They should never show your name, your card’s expiry date, or more than the last 4 digits of the card. You can’t assume that the payment terminal you use is perfect, as shown above.

And you should be careful how you dispose of credit card receipts. Recently there’s been a lot of publicity over a hacked iCloud account –  the hackers used the owner’s last four digits of his credit card to gain access to various accounts.

If you use Melbourne’s Myki system and pay with a credit card or have ideas on credit card receipts please leave a comment below, I’d like to hear more.

MS-CHAPv2 Can Be Cracked

This post is a bit technical and isn’t for everyone. I still want to include it in Fraudo.com because it could help someone, someday.

MS-CHAP v2 is an authentication protocol used to secure VPNs and some wireless networks. It’s commonly used with PPTP VPNs and sometimes with WPA2 wireless networks. For the past few years it was considered secure as long as it’s used with a strong password (a complicated password).

Today some researchers at a security conference demonstrated how to crack it in one day. They demonstrated that they can decrypt all data sent across the VPN or over WiFi.

So if you’re setting up a network and come across the MS-CHAP v2 setting, remember that as of today it’s no longer secure. It’s not even slightly secure, or better than nothing. If someone wants to view your encrypted VPN or WiFi traffic and you use MS-CHAP v2 then they can, with very little effort. Full details on cracking MS-CHAP v2 are here.

Yahoo! Passwords Stolen

If you have ever used a Yahoo! service now might be a good time to change your password. Yesterday someone stole a list of passwords from one of Yahoo!’s servers – it contained details of 450,000 accounts. The server was for Yahoo Voice, so if you’ve ever used Yahoo Voice then your account is now compromised. And if you’ve ever used the same password on other web sites then those are vulnerable as well.

Why didn’t Yahoo! use better securty?

Reports say that hackers used a SQL injection attack to steal the list, a common way to hack into web sites. There are many ways of storing passwords on a server and Yahoo! didn’t use the most advanced and secure method. So the passwords were easily converted to plain text. In short, Yahoo!’s programmers got lazy, their security wasn’t good enough.

What can we learn from Yahoo!’s mistakes?

  • Yahoo’s problem is also your problem. Don’t ignore security alerts like this.
  • If you work in software development, don’t be lazy. Block all kinds of SQL injection attacks. And don’t store passwords in plain text, or MD5 hashes, or other simple hashes.
  • Everyone should use good passwords, mixed with numbers and made-up words.
  • You should not reuse a password on other sites.

Update (16 July 2012):

Yahoo! has confirmed the breach and has fixed up the source of the problem. In their words, “We have… now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users”.

You should still change your password.

Formspring Password Resets

Formspring is a social network with about 27 million members. Today they had a security breach and have reset all of their members’ passwords. If you see the following notice it’s probably genuine. But to be sure, don’t click on any links – open a new browser tab and sign into your Formspring account.

Dear Formspring user,
For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password.
Thank you for taking the time to reset your password.
The Formspring Team


PIN 1234

1234 is the most common PIN used in banking.

A new study of 1100 banking customers found that 1234 and birth dates make up a large percentage of PINS. This means if your wallet is stolen, a thief can find your birth date from your license or other ID, take your ATM card and guess your PIN. And it will work for 1 in 18 stolen wallets (or 1 in 11 for some banks). They’re good odds for thieves.

The study suggests that banks issue a random PIN instead of letting you set one yourself. I think it’s a good idea. Here’s the full document.