Facebook “151” Phishing Attack

There’s a new phishing attack on Facebook (phishing is when people try to trick you into providing your personal details). It begins with a message that simply says:


If you click on it, it links to a site called 151-im. Don’t click on this message. It takes you to a copy of Facebook, asks you for your Facebook username and password, then steals that information.

Facebook’s response to this was:

"This is a phishing attack. We’re well aware of it and are already blocking links to these new phishing sites from being shared on Facebook. We’re also cleaning up phony messages and Wall posts and resetting the passwords of affected users…”

Fake KMart Survey

There’s a web page made to look like it’s from KMart (a retail store). It has a survey and it promises to give you $150 credit if you fill out the survey.

Like most scams, there’s an incentive to catch your attention – in this case it’s a $150 credit. This kind of scam is called phishing.

The fake survey asks a set of questions, then asks for your full name, credit card number and PIN. Never give this out in a survey!

After you enter all your details, it takes you to the real KMart’s web page so that you don’t suspect anything. Then criminals will use your credit card details to make expensive purchases.

How to identify the fake survey:

  • An email is sent to you with the subject "You have been selected"
  • The link in the email doesn’t point to KMart, it points to a web site with the word epiqteen in the URL
  • The body of the email is:

You have been selected to access the Kmart Holiday Survey and win a $150.00 gift certificate.
Please click here and complete the form to claim your prize. Thank you.

To prevent these attacks:

  • Use one of the "other" web browsers, such as FireFox, Opera and Chrome. These have better technology at detecting phishing sites.
  • Install a good anti-virus package, one that scans web sites as well as files. This a paid service and you usually get a good up-to-date list of phishing sites, and it works automatically in the background. The small cost is a great investment for your security.
  • Be very cautious of generous offers (I don’t think many companies can afford to give $150 to all their customers right now).
  • When you see a suspicious email, copy and paste its contents into Google. Then read through the results to determine if it’s a scam. E.g., Google indexes all of Fraudo’s pages, so any scams I write about here will show up on a Google search.
  • Never give out your credit card details in surveys.
  • Read the URL carefully. The URL is the address shown at the top of your web browser. If it’s not the exact name of a legitimate company then be suspicious.

Confirmation of Ticket Purchase

There’s some spam pretending to be from Delta Airlines. It tries to trick readers into opening the attached file, making readers believe that the ticket has been paid in full and that it’s ready to be used by the reader. The attachment is a trojan that gives people complete access to the PC and tries to download more malware every time you reboot.

Below is an extract from the fake email:

Thanks for the purchase!

Booking number:

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket.

It verifies that you paid the ticket in full and confirms your right for air travel and luggage transportation by the indicated flight Delta Air Lines.

…and on and on…

If you see this email delete it, don’t open the attachment.

Locked Visa Accounts

If you get an email telling you that your credit card is locked and that you need to click on the link to unlock it, treat it as a scam. It’s an example of email scams where they start with a story that sounds urgent (your credit card is locked), and that you need to click on the link right now (before you have time to think or research the email).

What usually happens is the link they give you is fake. It might look like a real company’s link, but if you hover your mouse pointer over the link you’ll be able to see where it really points to. And usually it’s a scammer’s web site in places like China or Russia.

Then when you get to that page, it’s been designed to look just like a real company’s site, and it prompts you to enter all your personal details including passwords. This information goes straight to the scammer who set up the fake site. He then sells it on a black market. Then someone buys your account details and uses it to commit fraud. It’s a large complex network that steals billions of dollars a year.

Below is an email claiming to be from Visa. When you receive emails like this, copy and paste it into Google, then Google will show you web sites like FraudO telling you if they’re scams.

Your Visa card is temporarily locked and the last transaction is on hold. Please understand we work to ensure your account safety. To restore your card and regain access you are required to register your Visa card in the Verified by Visa program, its a free, simple-to-use service that confirms your identity with an extra password when you make an online transaction.

It’s easy and only takes a few moments to activate your card. You can do it by clicking on the link below that will take you to Visa secure website.

[link removed – it looks like a Visa web site]

This is an outbound message only. Please do not reply to this email. If you have any questions, please refer to our Frequently Asked Questions (FAQ), or contact us. You will receive a response within 2 business days.

Thank you for using Visa Cards.

If in doubt just call your credit card company on the phone. They’ll reply immediately, not in 2 days, and you can be sure you’re speaking to a legitimate company.

Thanks to Erik for sending this one in. If you find other scams or fraud attempts you can send them in using our contact form.

Maybank Phishing Email

Another phishing email claiming to be from Maybank. As usual it starts with a story about something happening to your account. It gives you a link to click on and asks you to enter your personal banking details.

Please read the previous post on how to identify phishing emails.

Below is the text from the email:

Dear Maybank customer,

We are hereby notifying you that we’ve recently suffered a DDos-Attack on one of our’s Online Banking server. For security reasons you must complete the next steps to verify the integrity of your Maybank account. If you fail to complete the verification in the next 24 hours your account will be suspended.

Here’s how to get started:

1. Log in to Maybank online account (click here).

2. You must request for TAC via Maybank online banking – your TAC will be sent via SMS to the mobile phone number you registered. ( you can find the "Request a TAC" button in the Utilities menu of your account )

3. Logout from your account and close the browser.

4. When you have received the TAC (Transaction Authorization Code) on your mobile phone, go to our secured verification server and submit the requested information (Username, password and TAC). (click here) to go on our secured server.

5. Please allow 48 hours for processing.

Please comply and thanks for understanding

If you see this email just delete it.

Another PayPal Phishing Email

Phishing is when someone sends you an email designed to trick you into handing over personal details such as your passwords. Below is a new phishing email. At first glance it looks like it came from PayPal. It’s designed to trick you into clicking their link – it does this by coming up with a story about your account being locked.

Below is the email. At the end of this post I’ll explain what you can do to avoid falling for these things.

We are constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?

Your account access has been limited for the following reason(s):

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-0XD2-0XBC-0XDA-0X37.)

How can I restore my account access?

Please visit the Resolution Center and complete the "Steps to Remove Limitations."

Be aware that until we can verify your identity we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.

Account Departement.

What can you do to avoid phishing emails?

  1. Do you have a PayPal account? If not then you should immediately suspect it’s fake.
  2. Is the email poorly written? If you look carefully you’ll find grammatical errors in the email shown above. Scammers generally have poor English skills.
  3. Use one of the newer web browsers. For example, I clicked on the link in the email to see what happens. Google Chrome immediately identified it as a phishing email and displayed a large red screen with a large warning that this is a phishing site. Opera does the same. Internet Explorer didn’t try to stop me (80% of Windows users still use Internet Explorer, it’s time to upgrade). So alternative browsers are safer to use.
  4. Install a good anti-virus package. For example, Trend Internet Security checks which web sites you’re visiting and it will stop you from going to known phishing sites. There’s a small subscription fee to buy and keep using Trend Internet Security and I think it’s a good investment (it’s cheaper than having someone take all the money out of your bank account).
  5. When you see a suspicious email, don’t click on the links they provide. If you’re really concerned about your account being locked, open a new tab in your browser and type in the address yourself. Then you know you’ll be going to the real PayPal site (or your bank, etc).
  6. When there’s a link embedded in an email you can place the mouse pointer over the link and wait a second. Usually you’ll be shown the address it points to. If the address isn’t exactly what you expect then it’s fake. Read more here about recognising fake addresses.
  7. Some email services include spam filtering. Sometimes you have to pay extra for this service. Spam filtering usually also filters out phishing emails. This removes these bad emails before you even get to see them.
  8. When you see a suspicious email, copy some of the text and paste it into Google. Then look through the results to see if it’s a known scam. (This is why I copy & paste all these bad emails into FraudO, to help Google find them).

In-Session Phishing Attack

A new way of stealing internet banking passwords has been discovered. Here’s how a victim would see it:

  • You’re reading a few web pages on the internet. One of them is infected with some malicious code – you don’t know.
  • You log onto your normal internet banking site
  • The malicious code on the other site detects that you’ve logged into internet banking
  • the malicious code bring up a window asking you to type in your internet banking password again, giving you some excuse as to why you have to log in again
  • The malicious code sends your password to a 3rd party who uses it or sells it to someone who will

How can this happen?

I won’t go into the technical explanation, suffice it to say that most browsers will trust and run code under certain conditions, and hackers have discovered how to exploit those conditions.

It works because it knows what banks to look for and won’t do anything until you log into your internet banking. So to a casual person it sounds plausible that they need your password again.

What can be done to prevent this?

  • When you use internet banking close all the other tabs you might have open. Just keep the internet banking page open by itself.
  • If you get a popup window to enter your password again you need to decide if the popup window is really from your bank.
  • Does it look the same as your normal login screen?
  • Is there a good reason why you have to enter your details again? (e.g. if you don’t use the internet banking page for 10 minutes it might time out, but otherwise it shouldn’t have timed out)
  • Does it have the SSL icon? This is often a padlock icon on the top right corner, if you click on it it should identify your bank.
  • Use a good antivirus package that scans web pages. This isn’t 100% reliable but it’s will protect you from most malicious sites.
  • A more extreme measure is to walk into your bank’s branch and use their computers to do internet banking. This is ok, it’s just very inconvenient.
  • This is also a good time to remind you not to do internet banking from public computers, such as an internet cafe, a public library, etc. You need to trust the computer you’re working on.
  • The makers of web browsers (Microsoft, Mozilla, Google, etc) need to address this issue. When they do it’s up to you to update your browser to the latest version. Then this particular problem will go away.

    Below is a press release from a banking security company offering more information on this type of attack.


    Fake Twitter Site

    Recently people have been receiving a message in Twitter that says something like

    hey! check out this funny blog about you…
    hxxp://t w i tter.access-logins..com

    The link takes you to a page that looks a lot like the Twitter login page. If you try typing in your Twitter username and password it records it in a private database. Later someone will log into your Twitter account using your password and start sending out message like the one above.

    Many people have one password for many sites, so once they have your Twitter account they could later try other services (e.g. Facebook).

    If you use Twitter and see the above message just ignore it. Don’t click on the link.

    Some web browsers (such as the latest version of FireFox and the latest version of Opera) will now detect this fake site and show you a large warning. A good antivirus package will also detect these sites and block them.

    And if you think you’ve already fallen for this change your passwords.

    Fake hi5 Requests

    hi5 is a social network, much like Facebook or Myspace. A fake email has been going around pretending to be from someone called "Sarah xxx" (the name could change), and asking the reader to add them as a friend. The message says:

    hi5 Friend Request from Sarah xxx


    I’d like to add you to my hi5 friends network. You have to confirm that we are friends, and we’ll each get to meet more people. Please approve or reject my request by accessing the hi5 web site:

    Accept Friend



    hands friends This seems real enough but there’s one serious flaw. They include a link you can click on (where it says "Accept Friend"). Clicking on this link doesn’t take you to hi5’s web site, instead it takes you to a phishing site.

    Assuming you had a hi5 account, when you enter your login details into the fake hi5 login page the system records your username and password and shares it with the criminals running this site.

    Like all phishing sites, it’s just a fake page designed to steal your password.

    What can you do?

    • If you use hi5 or any other social network, when you receive a notification email you can go their web page yourself, without clicking on the links in the email. In other words, open a web browser and type in the name of the web site (or use a bookmark).
    • When you see a link in an email, place the mouse pointer over it for a couple of seconds. Most email clients will display the real address it points to. Of course it helps to have a bit of experience recognising real addresses from fake ones – read this FraudO article to learn more.
    • Use a good anti-virus package. The big commercial packages scan your emails for fake emails like this one and filter them out. They also scan the address of every web page you go to and if it’s known to be a scam they’re filtered out too.
    • And if you don’t know anyone called "Sarah xxx" who signs her name as "Adelina" then you can just ignore the email entirely.