realistic looking web sites part 2

Posted in identity theft, scams, social engineering, telemarketing on May 4, 2014 by King Ables

And speaking of realistic looking web sites, I recently had another instance of this type of scam. My cell carrier is AT&T and I received a recorded call from someone claiming to be AT&T telling me I was entitled to a $500 bonus just for being a good customer. All I had to do was go to http://www.myattbonus.com and login to have the bonus applied to my account.

The web site did actually look pretty believable, but all that means is they did a good job of scraping the real AT&T site to create this one. Any link you clicked other than the login link took you back to att.com. But the scam is still so obvious that it didn’t really require a lot of research:

  • the site was not att.com (why would you be able to login with your att.com credentials?)
  • no business hands out $500 for no reason (and lots of media attention)

I did a WHOIS lookup on the domain and the owner was, of course, not AT&T. And as usual, the registrar was GoDaddy.com, scammer haven. I called AT&T customer support to report this in case they could do anything about it. The agent was very interested and said they had seen many of these lately and this was a new one. I talked to them in the morning and by that evening the domain had been taken down! Impressive!

But the scammers weren’t finished. Over the next few days I received two more calls with the same voice delivering the same message but for different domains, all three attempts to scam me:

  • myattbonus.com
  • attsuperdiscount.com
  • attmegabonus.com

You see the pattern. Doing some googling I also found several months old articles about the last run they did, with sites like att100.com, att500.com, att99.com, to try to trick you with the amount of the bonus/discount built into the domain name. I also found stories of how the scammers use this to login to your cell phone account and add phones so they can use your service and you get the bill.

AT&T and their customers are getting better at handling this. When I received and reported the second call, it was down in a couple of hours and by the time I received the third one, it was already down before I could even look at it!

Don’t be fooled by domain names; they mean NOTHING without some associated reputation. If you are unfamiliar with a domain name, do a WHOIS lookup to see who owns it. If the owner of the domain is not the same owner as the “real” domain, then it is not the same organization, and any information you give them about your account will be used to impersonate you and steal money or services from you on the real web site.

anybody can create a realistic looking web site

Posted in identity theft, scams, social engineering on April 23, 2014 by King Ables

I don’t have cable. Most cable or satellite is more than I want to pay for how little I would watch. But now and then I look just in case I find a deal.

Today I was doing a web search to see if there was a local provider I didn’t know about and I found a page advertising Cox Cable in Austin, TX!

http://www.coxcabledeals.com/austin-cox-cable-tv-tx.html

I found this surprising because I’m familiar with Cox but never heard of it serving this area. The page looked fine but had only a phone number, 866-790-5521, to call, no web-based way to place an order. This is odd because all large telecom companies have complicated web sites that usually provide multiple contact and ordering methods.

It was also strange that the domain name was not cox.com but coxcabledeals.com. Some companies purchase alternate domain names, but more often they create a specialized domain within the domain they already own (e.g., deals.cox.com).

My skeptic brain aroused, I googled the phone number and found it was not associated with Cox Communications but it was associated with multiple scam and telemarketer trouble reports. Then I went to the real Cox Cable web site at cox.com and did a query to find out if they service the Austin area. They do not. Obviously the page I found is a scam.

Next I did a WHOIS lookup on coxcabledeals.com. Turns out the domain registrar is GoDaddy, notorious for working with scammers, and the domain is not owned by Cox Communications:

http://who.godaddy.com/whoisstd.aspx?domain=coxcabledeals.com&prog_id=GoDaddy

So somebody has scraped text and image content from cox.com and built their own web site claiming to provide cable in areas where someone might search for cable service. When someone calls the 800 number on the page, they assume they are talking to a legitimate business and may turn over all manner of personal and possibly payment information to a total stranger who has no connection with the business they wanted.

We have notified GoDaddy of the abuse. We’ll see if it is remedied.

Don’t be fooled by an official looking web site. Anybody can reserve a knockoff domain name and scrape content from another site and build a good looking site. Doesn’t make it the business you think it is. Confirm their identity through another means, like looking up phone numbers or domain registrations.
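The two posts above make the same point from different angles: a domain that merely contains a brand name (myattbonus.com, att500.com, coxcabledeals.com) is not the brand, while a subdomain of the brand’s own domain (deals.cox.com) is. The following is an added example, not code from this blog, that does that triage offline. The brand-to-domain table is an assumption for the example; the decisive check the posts describe, comparing the WHOIS owner, still has to be done against the registrar.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: brands mentioned in the posts above and the
# registrable domain each one owns (assumed here; confirm ownership via WHOIS).
BRAND_DOMAINS = {
    "att": "att.com",
    "cox": "cox.com",
}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. deals.cox.com -> cox.com.

    Assumption: two-label public suffixes only (.com, .net, ...). Names under
    suffixes like co.uk would need a public-suffix list, which this example omits.
    """
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid hostname: %r" % host)
    return ".".join(labels[-2:])


def classify_host(host):
    """Classify a hostname relative to any brand name it appears to reference.

    'brand'     - the brand's own registrable domain, or a subdomain of it
    'lookalike' - the registered label contains a brand name but the domain
                  is not the one the brand owns (myattbonus.com, att500.com)
    'unrelated' - references no brand in the table

    Substring matching is a triage heuristic and will over-flag names that
    happen to contain a brand string; treat 'lookalike' as "go check WHOIS".
    """
    reg = registrable_domain(host)
    registered_label = reg.split(".")[0]
    for brand, owned in BRAND_DOMAINS.items():
        if reg == owned:
            return "brand"
        if brand in registered_label:
            return "lookalike"
    return "unrelated"


def url_host(url):
    """Extract the hostname from a URL or bare hostname without fetching it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    if not parsed.hostname:
        raise ValueError("no host in %r" % url)
    return parsed.hostname


def triage(urls):
    """Map each URL/hostname from a call or message to its verdict."""
    return {u: classify_host(url_host(u)) for u in urls}


if __name__ == "__main__":
    # The domains named in the two posts above, plus a legitimate subdomain.
    for name, verdict in triage([
        "http://www.myattbonus.com", "attsuperdiscount.com", "attmegabonus.com",
        "att100.com", "http://www.coxcabledeals.com/austin-cox-cable-tv-tx.html",
        "deals.cox.com", "www.att.com",
    ]).items():
        print("%-60s %s" % (name, verdict))
```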

letters from Santa!

Posted in e-mail, identity theft, scams, social engineering on December 26, 2012 by King Ables

A classic spammer tactic is an offer of something you want at a good price. When the offer is from a well-known (and trusted) business, this might be a deal. But when it is from a stranger who gives no indication of who they are, it’s almost never a good deal.

This season I’ve been flooded with the following spam:

[image: the “letters from Santa” spam message]

Who wouldn’t want to send their child such a great gift? You might convince yourself something so “nice” couldn’t be a scam. Who would use kids as scam bait!? Right. Let’s see the scam indicators:

  • I don’t have any children.
  • The date in the message is 2038. This seems to be a new scammer tactic to keep the message as the latest in your inbox whenever you might see it. Any message dated more than 20 years in the future is clearly lying about the date, so you must assume everything else as well.
  • The banner at the top telling you to click “not spam” to be able to read it is a dead giveaway. This has shown up in a lot of spam lately and tells me that the spam tools of many email providers are working and causing them trouble. Just as any ad that says “this is perfectly legal” means it is not, any email that tells you to click “not spam” tells you it is spam.

Don’t be fooled into thinking this might really be some deal you want. Best case scenario is they’re desperate merchants trying to sell their poorly delivered product and disappear before you could complain. More than likely they’re collecting credit card data from you to use on the black market and you’ll never see any letter from Santa. Since the ad says nothing about who it is, it’s a stranger. Why would you give an unknown stranger any money, much less a credit card number they could turn around and use as their own?

Have a safe and secure Christmas and 2013.

the value of security awareness training

Posted in education, scams, social engineering on July 25, 2012 by King Ables

You may have seen this article which has been getting a lot of discussion:

Why You Shouldn’t Train Employees for Security Awareness

http://www.pcworld.com/businesscenter/article/259461/why_you_shouldnt_train_employees_for_security_awareness.html

Pardon me for a moment while I speak my mind: WHAT A LOAD OF CRAP! The people who believe a specific tool is the answer are the people who sell tools.

No security measure is 100% effective. But just because a security measure is not completely successful does not mean it is completely useless. Security is all about “defense in depth.” I have recently done some security awareness training at my company and from the conversations that followed I can tell it did some good. Does it guarantee we might not have a problem in the future? Of course not. Do I feel better about the risks we face now? Absolutely!

This blog is predicated on the idea that there is a bug between the keyboard and the chair (i.e. the human). Fixing the human bug is not the only part, but it is a big part of fixing computer security.

Some exploits attack, some are invited in. Remember the Trojan Horse? A perimeter can only stop the attacks that have no insider assistance. Dracula could not enter your house unless invited. Renfield invited him. Security awareness is teaching Renfield not to invite Dracula into the house. He may still get in another way, but at least he won’t get in the easiest way!

No security tool can prevent bad choices, only knowledge and good judgement can do that. To rely only on the tool and not on the judgement, is to eat bugs and invite Dracula to just come on in and bite everyone in the house.

what happens to your friends when you lose your login credentials

Posted in e-mail, scams, social engineering on May 28, 2012 by King Ables

Long time no post. I don’t know if this blog has any regular readers, but if it does, my apologies for being silent. I have transitioned from unemployed with lots of spare time to employed with negative spare time! I hope to have more information and time to post in the future.

But a recent event has put me over to the top to make time for a posting. I recently received a classic spammer message (supposedly) from a friend:

From: FRIEND NAME <myfriend@yahoo.com>
Subject: TRAGIC NEWS (FRIEND NAME) HELP NEEDED
To: undisclosed recipients;

I’m writing this with tears in my eyes My Family and I traveled on a trip to Manila,Philipinnes,Unfortunately we were mugged at the park of the hotel where we stayed all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us.

We’ve been to the embassy and the Police here but they’re not helping issues at all and our flight leaves in less than 5hrs from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills.

We need your financial assistance to settle the hotel and we Promise to pay back as soon as we get back home.

Am freaked out at the moment.

FRIEND

Right. Several things about this message indicate it is NOT my friend:

  • who puts their own name in a subject line?
  • my friend is not a close friend and would likely not ask me for this sort of help
  • my friend is a teacher and would not write this message this way

I realized immediately that my friend’s Yahoo! email account had been hacked (well, not hacked, she was probably social-engineered into giving away her username and password).

Ultimately, I called a mutual friend who sent her a message on Facebook to let her know of the hack– alternate communications paths are sometimes very useful! However, before doing that, I made the mistake of replying to the message, hoping she would check her email and see it.

Of course, about the time I sent the message, I realized if the scammer was still using her account, he would see the message. And of course, that’s exactly what happened. Only a few hours later, I received the following message in an attempt to steal *my* Yahoo! email credentials:

From: Yahoo Alert <email_verification@consultant.com>
Subject: Verify This Account
To: undisclosed-recipients;
Bcc: myaddress@yahoo.com

[image]
Dear Customer,

Your E-mail account has exceeded its limit
and needs to be verified, if not verified within
24 hours, we shall suspend your account.
Click here to verify your email account now

Thank you
Yahoo

This was good because I had never actually received one of these to know exactly what they looked like. While it is simple and somewhat believable, it does have a few things that make it an obvious ruse:

  • what limit did I exceed? number of messages? size of messages? length of time? number of logins? — when someone tells you you’ve broken a rule, they generally tell you what rule you’ve broken
  • it does not even claim to come from a Yahoo! address (which is odd since they could easily fake that)
  • a Bcc: header appears, which never appears in a delivered message if it was sent by a real mail client
  • the URL in the message does not go to a Yahoo! web page (the copy of the Yahoo! page that it did go to has been removed so it’s safe for me to include the actual URL here)

While it is easy to see how people might fall for this, if one takes a moment to look at it critically, there are plenty of indicators to tell you it’s a fake.

Don’t be fooled by an unexpected and out of the ordinary call for help (that comes without some corroborating evidence or communications), especially from someone who would probably not come to you for such help. Verify any such request through another communications mechanism (i.e. hear the words in their own voice that you know).

And don’t be fooled by business requests for you to confirm or resupply information the business already has from you. If you are unsure, verify this request through an alternative communications path (at least a different email address that you already know is valid).

I hope none of my friend’s friends fell for the scam.

1000 comment spams!

Posted in e-mail, malware, scams on May 20, 2011 by King Ables

Blog comment spammers are just as vile and useless as e-mail spammers. If you run a blog you know them well. You may know of them even if you only read a couple of blogs. Comment spammers post completely unrelated, random, and often nonsensical comments to blogs all over the Internet. Their drivel always contains at least one (sometimes 50 or 100!) links to some web page. Their hope is that by planting links to their advertising or malware-ridden web page, search engines that rank pages higher based on how many other pages link to them will rank their page higher so more people will find it.

Most blog servers provide some method to filter such comments. WordPress, where NoFoolin’ is hosted, uses a tool called Akismet to filter spam comment postings. Earlier this week, Akismet filtered its 1000th spam comment on this blog.

Blog comments on NoFoolin’ are moderated, so no comment is ever posted until it has been approved by a person. Any automated process will miss a few of its targets, and since Akismet can only block the comments that it recognizes as spam, some have gotten past it and required moderation (i.e. deletion). So the real 1000th comment was probably months ago, but this milestone still represents 1000 comments that NOBODY even had to read!

What amazes me about the moron mentality of comment spammers is that when they find this blog, they don’t notice that there are NO comment spams in any of the articles. One might guess that the reason a blog has no spam is because it gets blocked so there would be no point in posting their garbage here. But their tools are, no doubt, automated and it costs them nothing but a bit of time to try anyway, so they do. Stupid is as stupid does, as Forrest Gump told us. Perhaps they believe there is a window of time when the comment is posted. There is not. Their browser– and only their browser– will show it as having been posted and awaiting moderation. But no one except the comment spammer sees it. Kind of pointless, eh?

So Happy 1000 Blocked Spam Comments to NoFoolin’!! And a special “hello” to all the pathetic parasitic pinheads who come here to try to deposit their excrement– you know who you are. Comment all you want, your words and links will never see the light of day. Perhaps you should consider getting a real job? It might be less work.

When not to unsubscribe

Posted in e-mail, malware, scams on April 2, 2011 by King Ables

If you spend much time on-line, you probably get a lot of e-mail. You may have signed up for mailing lists, you might get e-mail from web sites because of previous orders, and if you’re reading this blog, you probably get spam. People often ask me, “how can I get the spammers to remove me from their mailing list?” The very question shows how little they understand about how differently spammers and legitimate businesses use e-mail.

Legitimate businesses want to be able to send you email about new products and services. A web site you provide with your e-mail address may add you to a mailing list, though the good ones at least let you know or ask before doing so. While possibly unwanted, this is not my definition of spam, because it comes from a known entity and you can stop it if you want to. Any legitimate business provides a method for you to unsubscribe, so if you don’t want to be on their list, you can ask to be removed. Businesses long ago realized that it serves no purpose to send e-mail to people who don’t want it, it only annoys them and drives them away.

Spammers, however, cannot adopt that philosophy. By definition, nobody wants their e-mail because nobody actually wants to be scammed. So spammers will never provide an authentic unsubscribe method. If they put any unsubscribe link in their message, it is merely an attempt to look more legitimate, but you can bet it won’t work. No spammer/scammer will voluntarily remove any address from their list because that would mean one less potential future customer victim.

Unsubscribe links in spam are sometimes nonsense links just to make the message look more official. This is a “best case,” it could be much worse. The link might add your address to a list of known working addresses or it could be a link to download malware to your machine.

Any legitimate unsubscribe link should go either to a URL at the business web site or at some well-known e-mail marketing business if they outsource the function. It should not, for example, go to a site in China, like this link I got recently:

http://wvgoum.xuzfarey.cn/unsubscribe.aspx?mail=user@yahoo.com

This site has nothing to do with anyone remotely resembling a legitimate American business. At best it simply won’t work, or it might give me a response saying (falsely) that I have been removed from the mailing list so I feel better. It may log that my address received the spam so I’m a good candidate for more.

The spam message may even say “you opted in” to receive such mailings. Of course, that doesn’t make it true. Only you know if the source of the message is anybody you have dealt with in the past.

Don’t be fooled by e-mail claiming to be from a legitimate business and trying to look professional by including an unsubscribe link. If you aren’t sure you know them or if the link goes someplace “funny,” you can’t be sure what will happen when you click on it, other than that it won’t unsubscribe you from more spam.

Security questions can be harmful

Posted in identity theft on March 22, 2011 by King Ables

Many web sites, especially financial web sites, ask you to answer security questions so that they have an alternative method of identifying you in case you forget your password or no longer identify correctly by whatever method they use. In principle, this provides another way of asking you something that only you should know (and something you might actually remember, unlike your forgotten password). In practice, security questions open a huge security hole for your web site accounts.

The questions usually concern information that is far too common, like your mother’s maiden name, the name of your pet, or the city where you were born. All of this information is generally easy to find on-line, in public documents, or from unsuspecting friends. In the age of Facebook, this has gone from moderately challenging to completely trivial.

Some sites have a larger selection of less pedestrian questions or may even let you type in your own question(s). This is better, but most people will still choose “easy” questions so they can remember the answers.

I refuse to answer security questions whenever possible. But many sites no longer allow you to pass; they believe they are protecting you (really all they’re protecting is themselves from having to handle customer support calls about forgotten passwords). When forced to answer security questions, I take the next best approach. I lie. In what city was I born? Tuxedo. What was my mother’s maiden name? Tomato. If you provide real answers, it will only give the thieves another vector into your account using information about you that they can probably find.

Of course, if you expect to be able to answer these questions later, which is sometimes necessary, you have to keep track of the lies, too. But you have to keep track of your password already. Get a well-respected password manager and keep it all in there (I can highly recommend KeePass).

If you must select security questions and answers you’ll remember, make up clever answers. You could use a friend’s mother’s maiden name or you could take one from a favorite TV show. Select security questions that don’t even apply to you– like a pet’s name if you don’t have a pet– then just make up an answer! At least then the bad guys can’t investigate you and find out the answer.

If possible, don’t use security questions at all, just keep track of your passwords. If you must use security questions, lie. But as with all lies, once you’ve told it, you have to remember what you said, or you may have other trouble later.

Skepticism is your friend (part 2)

Posted in e-mail, scams, social engineering on January 31, 2011 by King Ables

The wire transfer of money has always been a favorite tool of scammers. A wire transfer guarantees the money arrives, that’s all. It does not guarantee anything about the sender or the recipient. People who don’t know each other conduct business with checks and credit cards for the accountability. Friends and family in remote locations sometimes need money delivered quickly, but don’t need any accountability since they know each other well. These are mutually exclusive problems. And over time, we’ve learned if someone you don’t know wants you to wire them money, it’s a scam. Always.

However, the scammers are figuring this out. So now they impersonate friends to whom we might still be willing to send money via a wire transfer. Recently, a friend of mine was fooled by such a scam. Her friend e-mailed her saying she was stranded in London and needed to borrow some money and could she please wire it to her? This new twist has an advantage over the typical wire transfer scam because you think you know the person involved. But of course, you don’t.

This scam works because of our built-in trust and desire to help our friends, especially those with whom we’ve connected on various social networking web sites. Unfortunately, my friend’s friend had apparently had her e-mail password stolen through some other social engineering trick. The scammer then logged in as that user and sent pleas for help to everyone in the user’s address book. My friend received the e-mail and it looked legitimate. In fact, from an e-mail standpoint, it was legitimate, because it came from the proper e-mail account. My friend had no way of knowing that account had been compromised and someone else was sending the e-mail.

Though it is hard to do in this kind of situation, skeptical thinking would have helped. In a situation like this, ask yourself:

  1. Does the e-mail read like other e-mail you’ve received from this person? Often an impersonator does not write or sign the message the same way as the real sender does.
  2. Are you really close enough to this person that they might ask to borrow a large sum of money?
  3. Did you even know your friend was traveling abroad? If not, go back to #2.
  4. Are you sure your friend is traveling abroad? Call their home or work numbers or check with others who know them.
  5. Couldn’t (and, really, wouldn’t) this person call you to talk about their request rather than asking in e-mail?

And even if you find they really are traveling abroad, it doesn’t mean the request is valid. They could have read their e-mail at an Internet cafe and simply forgotten to logout when they left. Before responding to any significant request, talk to your friend. Any foreign site that has Internet access has a telephone. If they truly are traveling, they can call you. You should try to reach them at home, too, because if they are not traveling, you will want to warn them that someone is trying to scam all their friends in their name!

Don’t be fooled by assuming any message from your friend’s e-mail address (or even a text message from their mobile phone number) is actually from them.

Skepticism is your friend (part 1)

Posted in e-mail, scams, social engineering on January 30, 2011 by King Ables

A while back, a virus got into some military sites via USB thumb drives. The military’s solution was to fill all USB ports in their computers with glue. While admittedly effective for this specific problem, this is the wrong solution. The USB stick is just a symptom, not the root cause of the problem. Although the USB attack vector has been eliminated, the people who fell for this are likely to repeat their mistake in a new and different scenario in the future because they do not understand the risks they apparently take.

Spam filters are a similar band-aid solution. I spent many years working with filters trying to stop spam delivery. But the solution is not to prevent the spammer from getting his message to you, the solution is to get you to recognize it as a scam and ignore it. The minute we all ignore spam it will stop because it will no longer be of any benefit to the sender.

The reason most of these ploys work is that people assume e-mail messages are legitimate until proven otherwise. This is reasonable in a judicial system, but on the Internet, this is completely backward. Think skeptically. Assume everything is fake until you have reason to believe it is legitimate. Be as skeptical with your e-mail as you are when a stranger knocks on your door (because it’s exactly the same scenario). Some things to keep in mind when reading e-mail include:

  • you didn’t win a lottery you didn’t enter and no lottery enters random e-mail addresses
  • you don’t want to reorder from any place you haven’t ordered from before
  • never order anything from any site unless you personally know someone who has done business with them and is satisfied
  • never order prescription drugs from any place that (illegally) doesn’t require you to have a prescription
  • nobody has shipped you something you didn’t order
  • nobody has charged your credit without listing your credit card number
  • you didn’t get a loan you didn’t apply for, no one loans money to strangers
  • no business, especially a bank, ever needs you to confirm any personal or account information
  • nobody from a foreign country wants to date you or send you money
  • nobody offers a total stranger a job
  • no business sends e-mail for any critical issue requiring your immediate attention
  • the IRS does not do business via e-mail at all

Also, pay attention to the header lines, not because they are legitimate (because often they are not), but because they can give you clues. Spammers often create fake From: and To: lines with random addresses or even with your own address (to try to bypass spam filters). The message is likely fake if:

  • the From: address is your own address but you didn’t send it
  • the name by your address in any header field is a name other than yours
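The header clues listed here, the indicators called out in the “Verify This Account” message earlier on this page (a visible Bcc: header, a From: address not at the claimed organization, a link that leaves that organization), the 2038 date from the Santa spam, and the off-domain unsubscribe link from “When not to unsubscribe” can all be checked mechanically. This is an added example, not code from this blog; the sample message is constructed after the quoted Yahoo phish, with a placeholder link target because the post does not reproduce the real one.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample modelled on the "Verify This Account" message quoted above.
# The verify link is a placeholder; the unsubscribe link is the one quoted in
# "When not to unsubscribe". Nothing here is ever fetched.
SAMPLE = """\
From: Yahoo Alert <email_verification@consultant.com>
Subject: Verify This Account
To: undisclosed-recipients;
Bcc: myaddress@yahoo.com
Date: Fri, 1 Jan 2038 00:00:00 +0000
Content-Type: text/plain

Dear Customer,
Your E-mail account has exceeded its limit and needs to be verified.
Click here to verify: http://verify-account.example.net/yahoo/login
To unsubscribe: http://wvgoum.xuzfarey.cn/unsubscribe.aspx?mail=user@yahoo.com
"""


def link_hosts(text):
    """Hostnames of every http(s) URL in a message body."""
    return [urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", text)]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spam_indicators(raw, my_address, my_name, claimed_org_domain, now=None):
    """Return the indicators from the posts above that a raw message trips.

    my_address / my_name: the recipient's real address and display name.
    claimed_org_domain: the domain of the business the message claims to be
    from (e.g. 'yahoo.com'); links and the From: address are checked against it.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    now = now or datetime.now(timezone.utc)
    hits = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    # Real mail clients strip Bcc: before sending; a delivered Bcc: means raw injection.
    if msg.get("Bcc") is not None:
        hits.append("bcc-header-present")
    # A date far in the future keeps the message at the top of the inbox.
    date = msg.get("Date")
    if date:
        try:
            if parsedate_to_datetime(str(date)) > now + timedelta(days=365):
                hits.append("date-in-future")
        except (TypeError, ValueError):
            hits.append("date-unparseable")
    # Claims to be an organization but is not sent from that organization's domain.
    if claimed_org_domain and domain_of(from_addr) != claimed_org_domain.lower():
        hits.append("from-domain-mismatch")
    # From: is your own address, but you did not send it.
    if from_addr.lower() == my_address.lower():
        hits.append("from-is-own-address")
    # Your address appears with somebody else's name next to it.
    for hdr in ("To", "Cc", "Bcc"):
        for name, addr in getaddresses([str(v) for v in msg.get_all(hdr, [])]):
            if addr.lower() == my_address.lower() and name and name != my_name:
                hits.append("wrong-name-on-own-address")
    # Any link (including an unsubscribe link) that leaves the claimed organization.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    org = claimed_org_domain.lower()
    for host in link_hosts(text):
        if host and not (host == org or host.endswith("." + org)):
            hits.append("link-off-domain:" + host)
    return hits


if __name__ == "__main__":
    for hit in spam_indicators(SAMPLE, "myaddress@yahoo.com", "King", "yahoo.com"):
        print(hit)
```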

Don’t be fooled by assuming all e-mail is legitimate. Even if most of your e-mail is legitimate, 99% of all e-mail messages traversing the Internet today are fake and will lead to scams if you respond.
