Archive for the ‘Phishing’ Category

It’s an interesting morning. I received three spam messages in rapid succession, each alleging to come from “NSA online security” and reporting a “critical vulnerability” in “a certain types of our token devices.” While I don’t expect perfect grammar from a government functionary, the mistakes in this email were pretty obvious. The alleged link to “fix” the problem points to “national-security-agency.com”, which looks pretty plausible until you remember (or look up) that the real NSA uses the domain nsa.gov.

What’s interesting about this case is that it’s a fairly blatant example of an attempt to turn your computer into a zombie using the ZeuS Command&Control attack. If I had been stupid enough to click the link, I would have launched an executable program that would log every keystroke that I make on the machine and that would grab a copy of every form I fill out online. Since that would include my online banking login page, it would have given the hacker access to all my banking information.

ZeuS is a moderately old Trojan Horse but it is remarkably difficult for anti-virus programs to detect, even when kept completely up-to-date. ZeuS is alleged to be one of the largest botnets in the world, infecting some 3.6 million computers in the US alone.

The continued success of attacks like this shows why you can never rely only on your anti-virus software. Read your email carefully, be suspicious and never click a link if you’re not sure that it’s safe to do so. Remember – it’s not paranoia when they really are out to get you.

After the impressive sophistication of the last two scams we’ve talked about, the one I got today is laughable. Note the poor grammar, absurd payout claim, lack of personalized address, generic reply address and, of course, the inevitable request for a copy of your driver’s license. There’s been a significant uptick in these classic phishes in the past few months. It’s embarrassing that people still fall for these scams.

Unfortunately, the statistics still show that we do fall for these scams at an appalling rate. Ironically, this one will probably do better than average because it alleges to offer compensation for being the victim of a prior scam. Clearly, the scammers are thinking that if you fell for the earlier scam (and with a massive spam blast, they’re sure to get some), you might be emotionally vested enough to want revenge and won’t look at the details in this “offer”.

Never reply to a spammer. And please do everything you can to help teach your co-workers, family members and friends how to avoid these scams. If it sounds too good to be true, it is.

I got an interesting phishing email on Friday alleging to be from the Ohio Business Gateway, the portal that small businesses have to use to file their Ohio Sales Taxes. The phish builds credibility by including good security advice like changing your password regularly and keeping your anti-virus software up to date. But then it goes on to demand that you “Download and install OBG Secure Software” and, of course, claims that failure to comply will result in the shut-down of your account.

There were a lot of signs that it’s a phish – poor grammar, hidden link destinations and generally suspicious content. On the other hand, it’s from the government… I have to admit that even after reporting it as a scam, I kept wondering if the email was a legitimate but incredibly clumsy attempt to roll out new security software. Lord knows, the state could use some investments in this area.

As it turns out, the Department of Taxation confirmed that it’s a scam in an email sent out Monday. They also updated their website with an alert. Unfortunately, the legitimate message warning users about the phish got caught in my spam filter even though the original phish came through unhindered. I’m not sure what that proves except that Murphy is alive and well.

A couple of interesting aspects to this phish.

  1. It was sent out on the Friday before Memorial Day. Either the scammers got lucky or they were deliberately trying to get an extra day or two of exposure before the government’s security staff could find and react to the scam. I guess we need to add to our list of suspicious clues “any ‘alert’ email sent right before a major holiday”.
  2. The list appears to have been targeted only to people who have accounts with the OBG portal. (I’m on the list because I submit taxes for the local bee club.) It’s possible that they hacked the site to get the list but my guess is that the spammers just used some public records law to make an open request. Be suspicious even – perhaps, especially – when you actually do have an account with the organization.

Remember, it’s not paranoia when they really are out to get you.

Yesterday I got an email from Lijit about a phishing attack that is being spread among their subscribers. Lijit is the service I use for the search engine on this site. This is an excellent example of how a phishing alert should be done.

  • They got my login name right. A generic greeting is a common sign that the alert itself is a fraud. This one’s legitimate.
  • They clearly described the incident, told me what they’re doing about it and told me what I have to do (in this case, nothing).
  • They gave a simple link to find out more. Even better, they told me how I can help and/or ask questions.
  • They showed screen-shots of the scam. The one showing the fake URL is excellent. (Note the missing period between www and lijit. I might have called that out more explicitly but the image is great.)
  • They did all that in less space than it took me to describe it. Not a bit of lawyerese in the whole thing.

I’m keeping this as an example in case my site gets phished.

email notice from Lijit about a phishing attack using their name

Several coworkers and I got the same scam email this morning. The message body is attached below. It’s sneaky in its simplicity. There is so little content that the spam filters have nothing to work with – there’s little that a computer can use to differentiate this from a thousand similar but legitimate business emails.

There are a few clues for you as a human reader to look for, however.

  • The greeting line is generic – “Dear Employee” rather than “Dear Mike” or “Mr. Rossander”.
  • The From address is an odd or at least a non-corporate address (redbran@galleryfifty4.com).
  • The link is spoofed. That is, it appears to point to a legitimate careerbuilder.com page but when you hover over the link (or right-click and look at properties), it is actually pointing to swc.com.ua/resume.pdf.
  • The spoofed address is in the Ukraine (the .ua part of the address). Careerbuilder is an international company but to the best of my knowledge, they do not have any servers there. And none likely to be handling English-speaking matters.
  • Do you even have an account with Careerbuilder? They are a legitimate company and I did have a resume on file with them once but several of my coworkers did not. The age since my last contact with the company was a clue for me – the complete lack of prior relationship a better clue for my coworkers.
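The clues above (generic greeting, non-corporate sender domain, link text that shows one site while the href goes to another, a link that downloads a program) can be turned into mechanical checks. The script below is an added example written for this page, not code from the blog or from any of the companies named; the three sample messages are constructed to mirror the Careerbuilder scam, the “NSA online security” scam and the Lijit alert described on this page, and the `EXPECTED_DOMAINS` table (which registered domain each brand really uses) is an assumption for illustration. It uses only the Python standard library.

```python
"""Heuristic phishing-clue checks over constructed sample messages (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: the registered domain each brand legitimately uses.
EXPECTED_DOMAINS = {
    "careerbuilder": "careerbuilder.com",
    "nsa": "nsa.gov",
    "lijit": "lijit.com",
}
GENERIC_GREETINGS = ("dear employee", "dear customer", "dear user", "dear member")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat")

# Constructed sample messages (not real captures), modelled on the cases in the post.
PHISH_CAREERBUILDER = {
    "from": "redbran@galleryfifty4.com",
    "subject": "Your CareerBuilder resume",
    "html": "<p>Dear Employee,</p><p>Please review your resume at "
            '<a href="http://swc.com.ua/resume.pdf">http://www.careerbuilder.com/resume</a></p>',
}
PHISH_NSA = {
    "from": "alerts@national-security-agency.com",
    "subject": "NSA online security: critical vulnerability",
    "html": "<p>Dear Customer,</p><p>Apply the fix here: "
            '<a href="http://national-security-agency.com/fix.exe">Fix now</a></p>',
}
LEGIT_LIJIT = {
    "from": "security@lijit.com",
    "subject": "Lijit phishing alert",
    "html": "<p>Hello mrossander,</p><p>Details: "
            '<a href="https://www.lijit.com/security">www.lijit.com/security</a></p>',
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or a bare 'www.x.com/path' string ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(msg, expected=EXPECTED_DOMAINS):
    """Return human-readable clues suggesting that msg is a phish (empty list if none)."""
    clues = []
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", msg["html"])).strip()
    # Clue 1: an impersonal greeting instead of the recipient's name.
    if text.lower().startswith(GENERIC_GREETINGS):
        clues.append("generic greeting")
    # Which brand does the mail claim to be about? Match whole words only.
    haystack = (msg["subject"] + " " + text).lower()
    brands = [b for b in expected if re.search(rf"\b{re.escape(b)}\b", haystack)]
    # Clue 2: the sender's domain is not the brand's domain.
    sender_host = msg["from"].rsplit("@", 1)[-1].lower()
    for b in brands:
        if not belongs_to(sender_host, expected[b]):
            clues.append(f"sender domain {sender_host} is not {expected[b]}")
    parser = _LinkCollector()
    parser.feed(msg["html"])
    for href, shown in parser.links:
        real = host_of(href)
        # Clue 3: the link text shows a URL whose host differs from the real href host.
        shown_host = host_of(shown) if "." in shown and " " not in shown else ""
        if shown_host and shown_host != real:
            clues.append(f"link text shows {shown_host} but points to {real}")
        # Clue 4: the link leaves the brand's domain (look-alike domains included).
        for b in brands:
            if not belongs_to(real, expected[b]):
                clues.append(f"link host {real} is not {expected[b]}")
        # Clue 5: the link fetches a program rather than a page.
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            clues.append(f"link downloads an executable: {href}")
    return clues


if __name__ == "__main__":
    for name, m in [("careerbuilder phish", PHISH_CAREERBUILDER),
                    ("nsa phish", PHISH_NSA), ("lijit alert", LEGIT_LIJIT)]:
        print(name, "->", analyze(m) or ["no clues found"])
```

Run as-is it reports four clues for each of the two constructed phishes and none for the constructed legitimate alert. The brand-to-domain table is the weak point of any such check: it catches national-security-agency.com only because someone recorded that the real NSA is nsa.gov, which is exactly the lookup the post recommends a human reader make.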

spoof careerbuilder email

Unfortunately, there is no guaranteed way to block these scams. The best we can do is delete them and move on with our day. In the meantime, remember that it’s not paranoia when they really are out to get you.