A New Way To Spread Viruses Using Google

This technique to spread viruses was only just discovered, and it’s clever.

Firstly it’s based on the assumption that people trust Google (which is a fair assumption since Google has done a lot to maintain good ethics and to help users avoid malware). So when people see a link to a Google site they would naturally assume it must be safe to click on.

Now someone sends you spam and in the body of the email is a link to Google’s website. The link is a clever trick that takes you to a gambling site containing a virus. How does it work?

On Google’s search engine there is a button called “I Feel Lucky”. This has been a distinctive feature of Google for many years and when you click on it, instead of showing you a page of results, it takes you directly to the first website. Now someone wishing to spread a virus just has to come up with some search terms that place their website at the top of Google’s results. Then they paste the link that created that search, with an option to take you straight to the “I Feel Lucky” link.

In short, it’s using a little known feature in Google to take you to someone else’s website, and the rest is reusing the usual spam and virus techniques.

For now this has been observed in spam emails and we should expect it to appear in other places such as websites, forum links, Facebook etc.

The best defence against this is to use a good antivirus package, one that checks webpages as well as the traditional virus checks.

It’s also good to pay attention to links before you click on them. Look out for things related to online gambling or pornography as these are the most common websites used to distribute malware.

And Google will most probably improve their systems to filter out exploits such as this one.
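A mail filter can apply the "pay attention to links" advice automatically. The following is an added example, not part of the original post: it pulls links out of a message body and flags Google search links that ask to skip the results page. It assumes the option is carried in Google's `btnI` query parameter (the post does not name it), and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Links as they appear in a plain-text or HTML mail body.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# google.com plus country domains (google.de, google.co.uk, google.com.au).
GOOGLE_HOST = re.compile(
    r"^(?:www\.)?google\.(?:com|[a-z]{2}|co\.[a-z]{2}|com\.[a-z]{2})$")

def lucky_terms(url):
    """Return the search terms if url is a Google search link that asks to
    jump straight to the first result, otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.match(host) or parts.path.rstrip("/") != "/search":
        return None
    # keep_blank_values keeps a bare "btnI" that has no "=value" part.
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    if "btni" not in params:          # assumption: btnI marks the redirect
        return None
    return " ".join(params.get("q", [""]))

def find_lucky_links(body):
    """Return (url, search_terms) for every flagged link in a message body."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")       # drop sentence punctuation
        terms = lucky_terms(url)
        if terms is not None:
            hits.append((url, terms))
    return hits

# Constructed sample message, not taken from a real campaign.
SAMPLE_BODY = """
Claim your bonus: http://www.google.com/search?q=lucky+casino+example&btnI=1
Ordinary search: https://www.google.com/search?q=weather
Lookalike host: http://google.example.net/search?q=x&btnI
Country domain: https://www.google.co.uk/search?btnI&q=free+spins+example.
"""

if __name__ == "__main__":
    for url, terms in find_lucky_links(SAMPLE_BODY):
        print(f"redirecting Google link, search terms {terms!r}: {url}")
```

The flagged search terms are worth logging: they show which site the sender is relying on to rank first, which an ordinary Google link in the same message would not.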

Lottery Scams

A reader of FraudO.com, LotteryChristoph, has reminded us of a particular type of scam called a lottery scam, also known as a Dutch Lottery, a 419 Scam, or a lottery of various other European countries. These scams begin with a letter or email telling the victim they have won a lottery.

The email instructs the victim to contact a “claims agent” to collect their prize money. The agent then sends the victim a claim form to verify their identity. The fake agent is building rapport and making it appear that there’s a real agency behind the emails. The form is in fact used to collect personal information about the victim, such as their passport number and driver’s license number. This is where the identity theft begins.

If the victim asks for some proof of the agency’s legitimacy they often fax back a legal looking document (which of course doesn’t prove anything, it just makes the victim feel more comfortable). This web page has examples of the fax and other documents the scammers send.

The victim is then given some options on how to collect the alleged winnings. In each case the scammer is setting up the victim:

  • The winnings can be deposited directly to the victim’s bank account. This seems to be the more popular option. The scammer will request a large fee to make this happen (such as special taxes, insurance or legal fees). The scammer will end up keeping this money.
  • The victim has the option to open a new overseas bank account to receive the alleged winnings. The bank is fake, but the victim is told that the bank requires a large deposit to open the account.
  • The winnings can be picked up in person, often in The Netherlands. The victim will later be told that they have to pay a fee in cash to release the winnings. The victim is then given counterfeit prize money.

What to do:

  1. Don’t reply to the emails (or letters or phone calls). Don’t give the scammer any indication that you exist.
  2. Don’t send any money or provide any personal details.
  3. Report the scam to your local authorities.

It seems many people are victims of this particular kind of fraud. In most cases the scammers are never caught, and even if they are the money is usually never recovered. Please be aware of how common this scam is and help your colleagues, friends and family to be aware of it.

The scam works because people want to believe it’s real, even if they didn’t enter a lottery in a foreign country. It’s up to everyone to talk openly about it and increase awareness of it.

A Summary On Nigerian Scams

Nigerian scams are so called because the majority of them originate from Nigeria, and they use the same tactic. Below is a brief summary on what it is, why it works, and how large the problem is.

A victim receives an email (or sometimes an old fashioned letter) from someone posing as a lawyer. The text contains a story about a large amount of money locked up in a bank account, which gets the reader’s attention, and asks for help in retrieving it. In exchange the pretend lawyer promises a large reward.

The email can contain a statement such as “…In the discharge of my duty, I stumbled on this domiciliary account that has remained dormant for three years now with eight million, five hundred thousand United States dollars ($8.5M) in it…. That my purpose of contacting you is because the deceased has the same name with you…”

What happens next is an exchange of correspondence, with the scammer and victim writing to each other. The story usually becomes emotional and touching, keeping the victim’s attention. Then the victim is asked to hand over some money to help with legal fees. The scammer often sends the victim a cheque as a token of good faith that the money is there. Unfortunately the cheque is fake and the victim’s bank won’t accept it. This is often where the victim realises what’s happened.

This scam has apparently been in use for many years, even before emails became prevalent. It continues to work because the victims are tempted by a large amount of money.

How widespread is the problem? This British article dated 4 Oct 2007 states that 4500 fake documents and US$16.2m of fake cheques were seized. It also states that it costs the UK GBP4.5b every year, though this probably includes law enforcement costs. The problem isn’t limited to the UK either; it’s global.

What can you do? Be aware that this is a common scam and talk about it with anyone unfamiliar with the dangers present on the internet, especially older people. It would also be useful to report such emails (and letters) to your local authorities. A lot of people get arrested for taking part in these scams and any evidence you might have could be useful.

I’ve read articles describing victims that have gone to Nigeria to hunt down the scammer and reclaim their money, and the story ends tragically with murder or kidnapping. If I find these articles again I’ll post them here.

Stock fraud using MP3 files

This is a fairly new tactic used by spammers. If you frequently download MP3 files (hopefully only those you have permission to download) sooner or later you might unknowingly download a file that doesn’t contain music but instead has a recorded message.

The message is computer generated, so it doesn’t sound human at all. And it tells you to invest in particular shares, called “penny stocks”. Obviously you’d be crazy to take financial advice from an audio spam you accidentally downloaded (in other words, delete the file and don’t buy their shares).

There isn’t much you can do at this stage to avoid it, other than taking care to download audio MP3 files from reputable (and legal) sources. I expect antivirus or antispam filters to quickly start checking audio files as well as the usual emails.

For now it’s being called “MP3 spam” by the media, we’ll see how this one evolves.

Unsolicited phone calls

This one isn’t about security online but rather over the phone. The same concept could be applied to the online world. In fact, it’s not about a scam but about how some organisations carry out legitimate work without realising how it affects the security of their customers.

From time to time some organisations contact their customers to confirm their details and just to ask if they’re happy with the service. The phone call is often from a call centre (whether internal or outsourced), and the originating phone number is often not provided.

The operator introduces themself, asks if they’re speaking to the correct customer, etc. Then the operator, following their script, goes and asks the customer to verify they’re the real account holder (or other relationship to the organisation).

The operator asks something along the lines of “to confirm you are <yourname>, can you tell me your street address?”, or asks for some other private information such as your password, date of birth, etc.

In most cases there is nothing fraudulent happening here, and I suppose most people would carry on the conversation by providing the correct information. There may even be an incentive such as a prize for completing the phone call. But what just happened here?

The customer received an unsolicited phone call from a private number asking for their personal details.

While this situation (which happens often) may be legitimate, the organisations are asking their customers to throw caution to the wind and to compromise the security of their accounts.

There are two major points to raise here:

  1. People should never divulge private data (passwords, dates of birth) to someone they can’t be 100% sure is a legitimate representative of the organisation.
  2. Companies should never ask their customers to do so.

I have received such phone calls from large service providers and even from the local tax office (government department). When I refused to provide my details the person on the phone was at first surprised, then eventually said they can’t help me any further without following their script.

Now I have no way of knowing whether these phone calls were really from who they said they represented, but I believe they were because in both cases I had recently made significant changes to my account. But I refused to provide this information in this scenario, and anyone who values their privacy (and their money) should also refuse.

What if there’s a good reason to continue with the call? Here are a few suggestions:

  • Ask for the caller’s name and the department they’re calling from. Then find their phone number from a directory service and call them back. Don’t ask them directly for their phone number, this doesn’t prove very much. You need to go to a trusted 3rd party for their phone number (such as a phone book, directory assistance, the company’s web site).
  • Ask them to provide the information in writing.
  • Ask them questions that you consider private and that they should have available in their computer system. Questions along the lines of when and where did you open the account, how much was your last bill, your password. (In my examples above the operator wasn’t allowed to tell me because of their security policy, after which I politely ended the call).
  • And most of all let them know that you have no way of distinguishing them from a scammer and that their phone call sounds suspicious.

It’s up to everyone to be vigilant about security, both you and the service providers.

“Microsoft Security Update” Emails

There have been some bogus emails recently with a subject of “Microsoft Security Update”. They contain a whole lot of text encouraging you to click on a link to install a security update. If you look at the email carefully you might notice that it contains a link to a website not owned by Microsoft, and instead it will attempt to download and install a virus.

How are you supposed to know it’s false? For a start Microsoft probably doesn’t know who you are or what your email address is. If you’re a home user it’s very uncommon (and unnecessary) to register your address with them. And even if you did, email is not the method Microsoft uses to advise you on updates or to distribute the updates.

For business users, you have an IT department that takes care of all updates. You shouldn’t be trying to install security updates so treat any such email as bogus.

Bottom line: delete these emails. Any good spam or virus filter should catch most of them, and it’s best to be cautious.