Archive for the ‘Specific Alerts’ Category

Ignore any email warning you receive that your cell phone number is about to be released to telemarketers unless you sign up for the Do Not Call Registry. These "warnings" are a hoax. Please DO NOT "help others by passing this on to all your friends." Your friends will not thank you for perpetuating the hoax.

Under existing federal law, telemarketers who use auto-dialers (in other words, almost all telemarketers) are prohibited from calling cell phones. There is no legislation pending to change that law.

These hoax warnings have been around for years. They tend to resurface every time the cell phone companies talk about creating a cell phone directory. Adding your number to the Do Not Call Registry will not keep your number out of the directory nor will it prevent anyone who gets your number from calling you.

If you want to sign up for the DNC Registry anyway, call 1-888-382-1222 from the phone that you want excluded or go to www.donotcall.gov. Despite the panicked tones of these hoax emails, there is no deadline for doing so.

Last week, we highlighted two of the recent explosion of new scams and frauds. Here are two more examples. Always be alert for suspicious messages and never give out confidential information unless you are absolutely sure who’s on the other end of the line.

Dept of Justice spams
The US Department of Justice announced a number of fraudulent emails claiming to be from the DOJ and alleging that the recipients (or their businesses) have been the subject of complaints filed with the DOJ and/or the IRS. The message often contains a "copy of the complaint" as an attachment and offers contact information to resolve the issue. Do not open the attachment. It’s a trojan horse and will load malicious software onto your computer. Don’t call the contact information either. You’ll just open yourself up to a social-engineering scam as the person attempts to scare you into revealing confidential information. The DOJ does not send out email notices for these issues. Read more here.

MySpace worm
Many thousands of MySpace.com websites were successfully attacked by a new and particularly complex computer worm. In this attack, MySpace visitors who are browsing an infected page are redirected to a fake login page that attempts to steal the visitor’s username and password. According to one researcher, about one in four falls for the scam. The hacker then changes the code on their MySpace page to trap even more visitors. The redirect works against some recent vulnerabilities in MS Windows and Internet Explorer. The same attack will also install software onto your computer, turning it into a part of a hostile botnet and possibly exposing all the personal information on your computer to the hacker.

Protect yourself by keeping your computer fully patched. By the way, the same research showed that many people choose weak passwords on MySpace, thinking that there’s nothing to protect. Remember that hackers use this as an avenue into your personal information. Pick strong passwords even for websites like MySpace. Read more here.

Next week, we’ll have an update on the State of Ohio’s recent security breach and the relative merits of their "identity theft protection service".

In the past few days, there have been a surprising number of new electronic scams discovered or announced. These kinds of attacks seem to come in waves but right now it seems like we’re facing a tsunami. Here are just a few examples of recent scams. Be on the alert for messages that seem fishy and never give out confidential or personal information unless you are absolutely sure who you are talking to.

Fake "Red Cross" calls targeting military spouses
In this scam, a caller with a young-sounding, American accent phones a military spouse and identifies herself as a representative from the Red Cross. She says that the spouse’s husband was hurt while on duty in Iraq and was medevaked to a hospital in Germany. She says that they can’t start treatment until some paperwork is finished and they need the spouse to verify her husband’s SSN and date of birth.

This is an out-and-out scam. The military does not need any additional information before they can begin treatment. They already know the member’s SSN, date of birth, medical history, etc. The American Red Cross also won’t initiate this kind of call. Notices of injuries, etc. come through official channels – usually the commander or first sergeant. Read more at redcross.org.

Fake Microsoft patch email
In this scam, users receive an official-looking email claiming that you have received a notice about a new Microsoft patch because you’re signed up to an official Update mailing list. The email includes your name and sometimes your company in the body of the email. After scaring you about the dangers of this new vulnerability, it provides a link to microsoft.com and instructions on how to download the patch. The link instead redirects you to a fake site and downloads malicious software onto the affected computer.

This particular scam seems to have been targeted at users with high-level IT accounts, perhaps in an attempt to trick them into loading this new “security patch” onto all the computers in their network. Whether you’re an IT administrator or not, always be suspicious of unsolicited emails and never follow a “helpful” link in an email. Read more here.

Next week, we’ll highlight two more of these recent examples.

Symantec, a computer security company, recently announced that they have seen a significant increase in message traffic containing a new variant of the old Sober worm. This email (generally written in either English or German) hides the malicious code in an attachment and uses social engineering in order to con the user into opening it.

The known English versions of the message read either
"You notified us that you have forgotten your password. We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file."
or
"Your eMail has occurred an unknown error on our Server. Please read your mail and check the text. The full email is attached!"

More variations of the wording of the scam email are likely to appear over time. The message can seem to come from anybody and could appear to come from a trusted institution like your bank. The attachment could be under several different names, but so far all have been .zip files. (.zip files are sometimes not as well screened by anti-virus programs.)

While this is probably not going to be a particularly dangerous worm, it is a reminder to:

  • Never open attachments in unexpected emails
  • Always keep your anti-virus software up to date.

The Sober worm was first released back in October 2003. Variants remained in circulation and caused significant damage for several years. The last major variant of this worm was in 2005. The hackers sending out this worm typically set it to take over PCs, send spam, download keyloggers, install rootkits, etc.

A US Airman assigned to a Colorado Support Squadron recently discovered a new scam that exploited a hole in his bank’s ACH (automated clearinghouse) process. This is the process by which banks move money around to settle all our checks, credit card and debit card transactions, mortgage payments, etc.

In this scam, the thief randomly generates account numbers and attempts to deposit a single penny into the account using the ACH system. When one of these tiny deposits clears, the scammer knows that he/she has found a live account and immediately processes a withdrawal from the account. According to one bank’s representative, this has been a recurring attack. In each case, the scammer makes only a single, fairly small withdrawal from the account – $124.90 in this case. Presumably, that’s small enough that it won’t overdraw most bank accounts immediately and that it might get overlooked if you don’t reconcile your checkbook regularly but it’s large enough to make money for a scammer conducting thousands of these attacks.

The scammers particularly like to make their initial transactions at the start of the month, knowing that their scam will likely go undiscovered until the end of the month when the bank statements are sent out. From the available evidence, this attack was automated and is likely to become more common, at least until banks are able to address the lack of real-time validation in the Federal Reserve’s ACH system. Read more at Air Force Link.mil.

The only defense against this kind of attack is to watch your bank account carefully. Reconcile your statement monthly and consider checking your account online a couple of times during the month to see if there are any unrecognized transactions. If you find one, contact your bank immediately.

Remember that a Bank error in your favor is only a good thing in Monopoly. Any unknown transaction, positive or negative, should be treated with suspicion.
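
If your bank lets you download transactions, part of this review can be automated. The Python sketch below is an added example, not part of the original alert: it flags tiny deposits from unrecognized sources and any unrecognized withdrawal that follows within a few days. The CSV column layout, the 5-cent threshold, the 10-day window, the list of known counterparties and the sample data are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample export; the column layout is an assumption, not a real bank format.
SAMPLE_CSV = """date,counterparty,amount
2024-06-01,ACME PAYROLL,1850.00
2024-06-02,QX ONLINE SVC,0.01
2024-06-03,CITY UTILITIES,-64.20
2024-06-04,QX ONLINE SVC,-124.90
2024-06-15,ACME PAYROLL,1850.00
2024-06-20,BROKERAGE VERIFY,0.01
"""

# Counterparties the account holder recognizes (hypothetical list).
KNOWN = {"ACME PAYROLL", "CITY UTILITIES"}


def load(text):
    """Parse the export into date-sorted rows with exact decimal amounts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"date": date.fromisoformat(r["date"]),
                     "counterparty": r["counterparty"].strip().upper(),
                     "amount": Decimal(r["amount"])})
    return sorted(rows, key=lambda r: r["date"])


def find_probes(rows, known, max_probe=Decimal("0.05"), window_days=10):
    """Flag tiny credits from unknown sources and unknown debits that follow them."""
    findings = []
    for tx in rows:
        is_probe = (Decimal("0") < tx["amount"] <= max_probe
                    and tx["counterparty"] not in known)
        if not is_probe:
            continue
        deadline = tx["date"] + timedelta(days=window_days)
        # The withdrawal may arrive under a different name, so match any unknown debit.
        debits = [d for d in rows
                  if d["amount"] < 0 and d["counterparty"] not in known
                  and tx["date"] <= d["date"] <= deadline]
        findings.append({"probe": tx, "debits": debits,
                         "severity": "withdrawal-after-probe" if debits else "probe-only"})
    return findings


if __name__ == "__main__":
    for f in find_probes(load(SAMPLE_CSV), KNOWN):
        p = f["probe"]
        print(p["date"], p["counterparty"], p["amount"], f["severity"],
              [str(d["amount"]) for d in f["debits"]])
```

A "probe-only" result is not proof of fraud, since some legitimate services send small test deposits to verify an account you asked them to link; a deposit you did not request is the one to raise with your bank.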