Posts tagged phishing
Originally posted from one of my other blogs, George’s Wonder Blog, on August 5, 2008 – and little has really changed in that Facebook is not for the faint of heart. You need to be careful.
MySpace, Facebook, and Twitter attacked by social engineering – fake flash downloads
I’ve recently read about ‘Web worm’ attacks aimed at Facebook and MySpace; and just today I read about social engineering attacks (ploys, tricks) against Twitter. ZDNet’s Ryan Naraine posted Adobe: Beware of fake Flash downloads just today, and Adobe’s David Lenoe posted Verifying Installers on Adobe’s Product Security Incident Response Team blog yesterday. Here’s the skinny from Adobe’s blog, color & formatting added by myself for emphasis:
Recently Gmail improved that anti-phishing effort with additional phishing protection to include emails sent through websites and emails, and even suspicious-looking Gmails.
MORE PHISHING FIGHTING
Gmail has beefed up account security a little recently, possibly in part due to the recent China hacking and phishing attacks and intrusions. Now, detecting suspicious account activity has gotten a little simpler.
You may remember Gmail’s 2008 Remote Sign Out and Info post where they announced the then new remote sign out and info feature which allowed you to see from what IP, and at what time your past several logins occurred in your Gmail account. You can access the Activity on This Account info window when logged into Gmail by scrolling to the bottom and clicking the Details link you can see in the screenshot below.
Now, if Gmail notices logins from different locations and figures you aren’t likely to have accessed your account from those locations, you will see a notice when you login next.
For example, you aren’t likely to be able to access your account from Canada and Mexico within 15 minutes of one another.
Now, if it looks like something unusual is going on with your account, we’ll also alert you by posting a warning message saying, “Warning: We believe your account was last accessed from…” along with the geographic region that we can best associate with the access.
- Google’s Pavni Diwanji, Engineering Director
The Activity on This Account info window has been changed to reflect new information now available to you as a result of this latest security change. Here’s what it looks like now.
Now you can more easily detect whether your account has been accessed without your permission or knowledge. If you think your account has been compromised you should change your password, and it won’t hurt to check your Google Account settings to make sure that your secondary email address has not been changed – or, if you don’t have one, that one has not been added. I’d guess that in the future it will only get easier to determine if someone has been tampering with your Gmail account.
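The check the post describes (two accesses from distant regions too close together in time, as in the Canada/Mexico example) is commonly called impossible-travel detection. The script below is an added example, not Gmail's code: it takes a list of login records, computes the great-circle distance between consecutive logins, and flags any pair whose implied speed exceeds a plausible limit. The login records, coordinates, IP addresses and the 900 km/h threshold are all constructed assumptions for this illustration.

```python
"""Flag logins that would require implausible travel speed (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed


@dataclass(frozen=True)
class Login:
    when: datetime
    ip: str
    region: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, required_kmh) for each consecutive pair of
    logins whose distance divided by elapsed time exceeds max_kmh."""
    ordered = sorted(logins, key=lambda entry: entry.when)
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        if hours <= 0:
            # Same timestamp from two different places is impossible by itself.
            if km > 0:
                alerts.append((prev, cur, float("inf")))
            continue
        speed = km / hours
        if speed > max_kmh:
            alerts.append((prev, cur, speed))
    return alerts


def warning_message(logins):
    """Build a notice in the style the post quotes, naming the region of the
    most recent access, or return None when nothing looks unusual."""
    if not impossible_travel(logins):
        return None
    latest = max(logins, key=lambda entry: entry.when)
    return f"Warning: We believe your account was last accessed from {latest.region}"


# Constructed sample: two Toronto logins an hour apart (fine), then a
# Mexico City login 15 minutes after the second one (not fine).
SAMPLE_LOGINS = [
    Login(datetime(2010, 3, 22, 9, 0), "192.0.2.10", "Canada (Toronto)", 43.65, -79.38),
    Login(datetime(2010, 3, 22, 10, 0), "192.0.2.11", "Canada (Toronto)", 43.65, -79.38),
    Login(datetime(2010, 3, 22, 10, 15), "198.51.100.7", "Mexico (Mexico City)", 19.43, -99.13),
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{prev.region} -> {cur.region} would need {kmh:,.0f} km/h")
    print(warning_message(SAMPLE_LOGINS))
```

A real mail provider also has to cope with VPNs, mobile carriers that route traffic through a distant gateway, and coarse IP geolocation, so a flag like this is a prompt to warn the user and show the access history, not proof of compromise on its own.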
Today, 3/22/2010, Google stopped censoring Chinese search results as a result of continued hacking/phishing attacks and intrusions against Google and other companies as also noted in their earlier post from January, 2010 – A New Approach to China.
The search engine & web applications giant has redirected visits at Google.cn (Google China) to Google.hk (Google Hong Kong). Google has tried it the Chinese government’s way, now they are taking their new approach. Google says:
So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong.
- A new approach to China: an update (Google Blog)
Concerning the increased traffic at Google Hong Kong, Google says:
Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over.
- A new approach to China: an update (Google Blog)
Spammers are nothing if not smart copycats. Why write your own copy (text message) and come up with your own ideas for formatting emails when you can take ideas directly from valid emails? That’s exactly what I see happening more and more lately. Take this email for example:
This message contains images. If you don’t see images, click here to view
In case of no image, press here
Subscribe | Unsubscribe | Change of Address
This message was sent from Naedaee to email@example.com.
You have been sent The Uzqvaq because you have opted in to receive it.
Note: It may take our system up to two business days to process your unsubscribe request and during that time you may receive one or two more newsletters. Thank you for reading.
If you get an email like this and your spam filter doesn’t catch it (Gmail has GREAT spam filters! Plus you can use Gmail on your T-Mobile G1) you might need to look at it carefully. In this case I noticed the email was from me (odd, eh? mailing myself a newsletter!). Then I hovered over the links in the email and saw the website addresses ended with .cn (China). Red flags went up and I would’ve sent that sucker to the spam folder, except it was already there. Look at your emails before hitting that “If you don’t see images, click here to view” link and you might save yourself a lot of trouble. Normally I will freely visit .com, .net, .org, .us, .com.uk, and some others that I recognize. Whenever I see a weird one I’ll google it. For example, if the domains were something-or-other.az I google .az domains and see what comes up. In this case it’s Azerbaijan, which I still lump together with Russia, so any unexpected email from there I’d mark as spam.
MORE, PLUS A LITTLE RANTING AND CONSPIRACY THEORIES
Now, I certainly did not opt in to receive any free newsletters from a Chinese website. No wonder I read about stuff like the recent mysterious virus that struck the FBI & U.S. Marshals Service and now NASA is pretty much constantly getting hacked! Emails like the one above are sent out and employees, regular Joes and Janes in our government’s workforce, are freaking out and clicking the unsubscribe or feedback links to get themselves removed from the list or complain about being on a list they certainly did not subscribe to. But instead there is a chance that the web page they are taken to (which they probably do not even realize is a Chinese website) has a virus embedded into it or other goodies to identify or attempt to infect the computer of the person clicking the link. I can imagine the programming on a page like this:
Is the visitor from the US or a US-loving country?
- If the American or American-loving visitor is NOT at a secure location China would like to hack, try to damage the visitor’s computer.
- If the American or American-loving visitor IS at a secure location China would like to hack, then try to load software onto that computer.
- If the visitor is not from a US-loving country then display a harmless webpage.
Now I realize I am generalizing big time, because not all Chinese websites are bad. But certainly those that send spam are bad to some extent. Plus after reading those two articles above I can’t resist a little conspiracy theory. NASA is getting hacked on a regular basis and the FBI and US Marshals Service have been infected to some extent by a virus.
It’s scary that in April 2005 NASA was hacked and still no one is really sure exactly who did the hacking. If they do know, they are not saying. The usual suspects include Russia and China but no formal accusations have been made.
Apparently NASA’s computers are a weak link in the DoD information chain. According to BusinessWeek online:
America’s military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.
For about 10 years now NASA has been aware of these intrusions and has not been able to stop them, and it’s costing actual dollars in terms of hardware, not just data and research. Another quote from this BusinessWeek online article says:
In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show. U.S. investigators fear the data ended up in the hands of a Russian spy agency.
So in other words there was a hack incident where a satellite was turned toward our Sun and for all intents and purposes turned into a pile of orbiting junk. You would think that in the 10+ years since, NASA would have secured funding for new software, hardware and manpower to protect its (and our) interests. Undoubtedly something has been done, but as this article seems to indicate, NASA is still a target being successfully penetrated by foreign interests.
Phishing scams are an ever-present danger because for the most part they are not filtered by your computer. Luckily the email address where I received this scam is protected by Gmail’s legendary spam filters and this one never hit my inbox. There are 2 links in the email: one is valid and the other would send you to a look-alike site set up on a .ru (Russia) domain.
ADWORDS -TARGETED PHISHING SCAM EMAIL
From: Google AdWords Team <firstname.lastname@example.org>
Date: Sat, Nov 8, 2008 at 4:28 AM
Subject: Google AdWords Alert
Our system was unable to process a payment for your outstanding Google AdWords account balance using your primary credit card. For the time being, your account is still open, and your ads are still running. However, we require you to update the payment information in your AdWords account very soon in order to ensure continued ad serving.
Please update your credit card information in order to trigger our billing system to try processing your payment again. If you plan to use the same credit card(s), please use the ‘Retry Card’ button on the Billing Preferences page of your account. Otherwise, please follow the steps below to update the information in your AdWords account.
1. Log in to your AdWords account at: http://adwords.google.com
2. Click the ‘My Account’ tab.
3. Click ‘Billing Preferences’ link.
4. Click Edit next to the appropriate ‘Payment Details’ section.
5. Enter your new or updated payment information.
6. Click ‘Save Changes’ when you have finished.
In the future, you may wish to use a back up credit card in order to help ensure continuous delivery of your ads. You can add a back up credit card by visiting your Billing Preferences page or visit the AdWords Help Centre for more.
Tip: You can review the status of your billing on the Billing Summary page, under the ‘My Account’ tab. If a payment has been declined, click ‘Payment Declined’ beside the line item to review information for that particular payment. Once your payment has been processed successfully, you can view and print an invoice from your Billing Summary page.
——————————————————————
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions, please visit the Google AdWords Help Centre at https://adwords.google.com/support/?hl=en_GB to find answers to frequently asked questions and a ‘contact us’ link near the bottom of the page.
——————————————————————
Thank you for advertising with Google AdWords. We look forward to providing you with the most effective advertising available.
The Google AdWords Team
The link above to http://adwords.google.com actually goes to a Russian website that is no doubt a look-alike to the Google Adwords login page. You can fight this particular type of phishing email rather easily:
- Don’t click links in your email to visit online login pages
- Roll your mouse over the link before clicking it and read the address it’s going to take you to VERY carefully. This particular one began with adwords.google.com and might have passed a cursory glance. After that there was a fake session ID number (a number used by websites to track your movement around the site to do things like allowing you to access password-protected content) and it ended with ssl85.ru, which should set off some alarms.
Don’t forget when looking at web addresses that they can easily be hidden or faked. For example, some characters are very similar and can be overlooked: I’ll bet that looking at the web address ADW0RDS.G00GLE.COM you didn’t notice the capital O’s have been replaced with zeros. In this case it appears that G00GLE.COM is protected by Google or Markmonitor (the Global Leader in Enterprise Brand Protection, Domain Management, Online Trademark Protection, Online Channel Protection, AntiPhishing Solutions).
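The manual checks above (hover over the link, look at where the address really ends, watch the country-code domain, watch for zeros standing in for O’s) can be scripted. The checker below is an added example, not code from this blog: it parses the link target, works out which domain actually owns the host, and reports the three warning signs the post describes, for both the .cn newsletter links and the AdWords look-alike. The sample links are constructed to mirror the patterns described (the real phishing URLs are not quoted on the page), and the trusted domain list, the two-label "registrable domain" rule and the digit-for-letter table are assumptions for this illustration.

```python
"""Inspect email link targets for the warning signs the post describes (added example)."""
from urllib.parse import urlsplit

EXPECTED_HOST = "adwords.google.com"   # the login page the email claims to link to
TRUSTED_DOMAINS = {"google.com"}       # assumption: domains the reader expects to log in to
SUSPECT_TLDS = {"cn", "ru"}            # the post's own examples of unexpected country codes
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})  # assumption: common digit/letter swaps


def registrable_domain(host):
    """Naive owner-domain rule: the last two labels of the host (assumption;
    a real checker would use the public suffix list so that e.g. .co.uk works)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url):
    """Return the real host, its owning domain and a list of findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # hostname is already lower-cased
    domain = registrable_domain(host)
    findings = []

    # Anything before '@' is user info, not the host: "google.com@evil.example" goes to evil.example.
    if parts.username:
        findings.append(f"text before '@' ({parts.username}) is user info; real host is {host}")

    tld = domain.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        findings.append(f"unexpected country-code domain .{tld}")

    # The expected host appearing as a *prefix* means it is only a subdomain of someone else's domain.
    if host.startswith(EXPECTED_HOST + ".") and domain not in TRUSTED_DOMAINS:
        findings.append(f"'{EXPECTED_HOST}' is only a prefix; the link really goes to {domain}")

    # Swap lookalike digits for letters; if that yields a trusted domain, it is an imitation.
    plain = host.translate(LOOKALIKES)
    if plain != host and registrable_domain(plain) in TRUSTED_DOMAINS:
        findings.append(f"lookalike characters: {host} imitates {plain}")

    return {"host": host, "domain": domain, "findings": findings}


def is_trusted(url):
    """True only when the owning domain is trusted and nothing suspicious was found."""
    result = analyse_link(url)
    return result["domain"] in TRUSTED_DOMAINS and not result["findings"]


# Constructed sample links (not the actual URLs from the emails in the post).
SAMPLE_LINKS = [
    "http://adwords.google.com/",
    "http://adwords.google.com.8f3a1c9e2b7d.ssl85.ru/login",   # expected host as a prefix, .ru owner
    "http://adwords.google.com@ssl85.ru/login",                 # expected host hidden in user info
    "http://ADW0RDS.G00GLE.COM/",                               # zeros in place of O's
    "http://newsletter.example.cn/unsubscribe?id=123",          # the .cn newsletter pattern
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyse_link(link)
        verdict = "ok" if is_trusted(link) else "SUSPICIOUS"
        print(f"{verdict:10} {link}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

Run it and the only link that passes is the genuine adwords.google.com one; each of the others is reported with the specific reason, which is the same reasoning the post asks you to do by eye before clicking.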
Don’t be fooled, be safe!