WebProNews

Tag: Phishing

  • Microsoft Warns of Phishing Attack ‘Targeting Hundreds of Orgs’

    Microsoft is warning of a new phishing attack that is abusing OAuth request links and “targeting hundreds of orgs.”

    OAuth is an open authorization standard that lets a third-party service, app, or website act on a person’s or organization’s data held by another service, within the permissions (scopes) the user approves, without the user handing over a password or granting full access to the account.

    Unfortunately, bad actors are using OAuth request links in what Microsoft calls consent phishing: the victim signs in to Microsoft legitimately and is then asked to grant an attacker-controlled app permissions over their mailbox. No password is stolen, and because the sign-in itself is genuine, multi-factor authentication does not block the grant. With the resulting access, the bad actors set up inbox rules that forward email to another account, which experts warn is likely an attempt to acquire sensitive information.

    Microsoft warned about the issue on the Microsoft Security Intelligence Twitter account:

    Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.

    The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.

    We’re seeing the campaign targeting hundreds of orgs. Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.

    — Microsoft Security Intelligence (@MsftSecIntel), January 21, 2022
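    The two signals Microsoft describes, a consent grant that hands an app mailbox-level permissions and an inbox rule that forwards mail off-tenant, are the ones a defender would hunt for in the audit logs. The script below is an added example for this page, not Microsoft’s code and not from the article. The event shape is a constructed simplification of Microsoft 365 audit records (an assumption), the app name ‘Upgrade’ is the one from the tweet, and every sample event, address and domain is made up.

```python
"""Flag risky OAuth consent grants and mail-forwarding inbox rules.

Added example for this page; not Microsoft's code and not from the article.
The event shape is a constructed simplification of Microsoft 365 audit
records (assumption), and every sample event below is made up.
"""
from datetime import datetime, timedelta

# Delegated Microsoft Graph scopes that give an app the powers the article
# describes: create inbox rules, read/write mail and calendar, read contacts.
RISKY_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.ReadWrite", "Contacts.Read", "offline_access",
}
INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONSENT_OP = "Consent to application."
RULE_OP = "New-InboxRule"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2022-01-21T09:02:11Z", "op": CONSENT_OP, "user": "alice@example.com",
     "app": "Upgrade",
     "scopes": "Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read offline_access"},
    {"time": "2022-01-21T09:03:40Z", "op": RULE_OP, "user": "alice@example.com",
     "params": {"Name": "sync", "ForwardTo": "collector@mail-relay.invalid",
                "DeleteMessage": True}},
    {"time": "2022-01-21T10:15:00Z", "op": CONSENT_OP, "user": "bob@example.com",
     "app": "Benign Notes App", "scopes": "User.Read openid profile"},
    {"time": "2022-01-21T11:00:00Z", "op": RULE_OP, "user": "carol@example.com",
     "params": {"Name": "to assistant", "ForwardTo": "dan@example.com"}},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))


def is_external(address):
    """True when the address is outside the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def risky_consents(events):
    """(user, app, sorted risky scopes) for consents granting mailbox-level access."""
    hits = []
    for ev in events:
        if ev["op"] == CONSENT_OP:
            bad = sorted(set(ev.get("scopes", "").split()) & RISKY_SCOPES)
            if bad:
                hits.append((ev["user"], ev["app"], bad))
    return hits


def external_forwarding_rules(events):
    """(user, rule name, target) for inbox rules that push mail off-tenant."""
    hits = []
    for ev in events:
        if ev["op"] != RULE_OP:
            continue
        params = ev.get("params", {})
        for key in FORWARD_KEYS:
            target = params.get(key)
            if target and is_external(target):
                hits.append((ev["user"], params.get("Name"), target))
    return hits


def consent_then_forward(events, window=timedelta(hours=1)):
    """Correlate the two signals: a risky consent followed, for the same user
    and within `window`, by an external forwarding rule. Returns (user, app, target)."""
    risky = [(ev["user"], _ts(ev), ev["app"]) for ev in events
             if ev["op"] == CONSENT_OP
             and set(ev.get("scopes", "").split()) & RISKY_SCOPES]
    hits = []
    for ev in events:
        if ev["op"] != RULE_OP:
            continue
        for key in FORWARD_KEYS:
            target = ev.get("params", {}).get(key)
            if not (target and is_external(target)):
                continue
            for user, when, app in risky:
                if user == ev["user"] and timedelta(0) <= _ts(ev) - when <= window:
                    hits.append((user, app, target))
    return hits


if __name__ == "__main__":
    for hit in risky_consents(SAMPLE_EVENTS):
        print("risky consent:", hit)
    for hit in external_forwarding_rules(SAMPLE_EVENTS):
        print("external forward:", hit)
    for hit in consent_then_forward(SAMPLE_EVENTS):
        print("consent followed by forward:", hit)
```

    In a real tenant the equivalent records come from the Azure AD audit log (consent events) and the Exchange portion of the unified audit log (New-InboxRule and Set-InboxRule). Detection is the second line; the first is restricting which apps users may consent to at all and routing the rest through an admin consent review, so a grant to an unknown app named ‘Upgrade’ never succeeds in the first place.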

  • Keep Company Emails Safe from Phishing Attacks

    Email services are central to modern communication. Ironically, 85% of emails today aren’t meant to foster communication at all. Spam is rampant in inboxes all over the world, and while some of it is merely annoying, some is outright dangerous. Phishing emails exist to steal personal information, and at least 3 billion of them are sent every day. Phishing emails wear a variety of disguises, but the intent is always the same: to snatch recipients’ information and use it against them. Many phishing schemes are only the first step in a more complicated cyber attack.

    By 2025, cybercrime will cost the world $10.5 trillion every year, according to Cybersecurity Ventures, which would make it the third-largest economy on the planet. A criminal industry that large can choose anyone as its target, even large companies. A recent ransomware attack against Colonial Pipeline caused a nationwide gas panic in the United States. Shipping company FedEx failed to protect consumer information in the wake of a ransomware attack against its computers. No one can afford to assume cybercrime won’t reach their servers.

    If the largest corporations on the market can’t avoid cyberattacks, what hope do small businesses have? A successful phishing scheme can be fatal to a small company. It takes 2 to 6 weeks for small businesses to recover from ransomware, and many cannot serve customers during that time. Customers must also be notified of any data breach affecting them, and it’s understandable that they may choose not to keep shopping at a company that couldn’t keep their information safe. Between lost operating time and customer attrition, over 60% of small businesses close permanently within 6 months of a phishing attack, according to the infographic.

    So what can companies do to defend themselves? The first step is to train employees to spot phishing emails. Training is not infallible, but 85% of scams rely on human error to succeed, and a suspicious link left unclicked is a crisis averted. Next, companies should verify all invoices and payment requests through a second channel before paying: many phishing attacks exist to harvest credentials that are then used for invoice fraud, and a business that spots a fraudulent invoice early keeps the incident small. Finally, every company needs both human vigilance and email security tooling, yet 43% of small businesses have no cybersecurity plan at all. Humans alone can’t catch every malicious message, and 25% of phishing emails get past default security filters. As cybercrime grows more advanced, so do the programs that fight it.

    The best line of defense keeps dangerous emails out of human inboxes in the first place. According to the infographic, advanced AI-based filtering can stop 50% more attacks than conventional security. Some of these products deploy in the cloud and connect to the mail platform as an app, so they can fight phishing on all fronts and, through integration with other tools, form a full-scale operation designed to protect end users. The best email security programs can keep the rate of malicious emails reaching users as low as 5 per 100,000. Effective phishing defense begins with you.


    How Safe Are Your Emails From Phishing Attacks? [infographic]
    Courtesy of Avanan


  • AI Wars: 96% of Companies Using AI to Combat AI-Powered Cyberattacks

    A new report shows that AI is increasingly being used in a defensive capacity, to combat AI-powered cyberattacks.

    While AI promises to revolutionize many industries, it’s already creating significant problems in the realm of cybersecurity. A new report by MIT Technology Review Insights, in association with AI cybersecurity company Darktrace, shows just how much AI is impacting the field.

    Offensive AI risks and developments in the cyberthreat landscape are redefining enterprise security, as humans already struggle to keep pace with advanced attacks.

    In fact, 60% of respondents said that human response measures were already falling behind automated attacks. As a result, 96% of respondents are deploying AI to help defend against AI attacks.

    Of the various types of threats, email and phishing attacks were the most troubling. Some 40% found email and phishing attacks “very concerning,” with 34% viewing them as “somewhat concerning.” A staggering 94% of detected malware is spread via email. AI makes the problem even worse by creating emails that are almost indistinguishable from legitimate ones.

    Max Heinemeyer, director of threat hunting for Darktrace, saw email phishing attempts adapt as a result of the pandemic. “We saw a lot of emails saying things like, ‘Click here to see which people in your area are infected,’” he says.

    Based on the MIT and Darktrace report, the industry appears to be entering an AI arms race, one with significant implications for the future of cybersecurity.

  • FBI Warns of Increased Voice Phishing Attacks Over VoIP

    The FBI is warning that cyber criminals are taking advantage of VoIP systems to target company employees in sophisticated voice phishing attacks.

    As the pandemic has forced unprecedented numbers of employees to work remotely, maintaining the same level of corporate security has become an issue. Cyber criminals are taking advantage of this by gaining access to VoIP systems and company chatrooms and then convincing employees to log into a fake VPN page in an effort to steal their credentials.

    The FBI issued an advisory to warn companies and help them mitigate the threat.

    As of December 2019, cyber criminals collaborated to target both US-based and international-based employees at large companies using social engineering techniques. The cyber criminals vished these employees through the use of VoIP platforms. Vishing attacks are voice phishing, which occurs during a phone call to users of VoIP platforms. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password. After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network, often causing significant financial damage.

    In one instance, the cyber criminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals. The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges. The cyber criminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials.

    The FBI recommends several mitigations: enable multi-factor authentication; start new employees with minimal privileges; actively scan for unauthorized access or modifications; segment the network; and give administrators two accounts, one with admin privileges and a second for everyday work.
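    The chain in the advisory has a detectable shape: a real VPN login with a phished credential, from a network the user has never used, followed shortly by account changes made under that user. The script below is an added example for this page, not FBI guidance and not code from the article. Both log formats are assumptions rather than any vendor’s real format, all log lines are constructed, and the /24 grouping of source addresses is a deliberately crude baseline.

```python
"""Spot the chain the FBI describes: a phished credential used on the real
VPN from a new network, followed by account-attribute changes.

Added example for this page; not FBI guidance and not code from the article.
Log lines are constructed and both formats are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (assumed format: time user result src_ip).
VPN_LOG = """\
2020-01-06T08:01:00Z alice success 203.0.113.10
2020-01-07T08:03:12Z alice success 203.0.113.12
2020-01-08T08:00:41Z alice success 203.0.113.10
2020-01-06T09:10:00Z bob success 198.51.100.7
2020-01-09T21:47:05Z alice success 192.0.2.77
2020-01-09T22:05:00Z bob success 198.51.100.9
"""

# Constructed HR/payroll change log (assumed format: time actor action target).
CHANGE_LOG = """\
2020-01-09T22:01:30Z alice email_change bob
2020-01-07T10:00:00Z bob email_change carol
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, field1, field2, field3) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, a, b, c = m.groups()
            yield datetime.fromisoformat(t.replace("Z", "+00:00")), a, b, c


def network_of(ip, prefix=24):
    # Grouping by /24 tolerates DHCP churn inside one office or ISP block.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(vpn_log, until):
    """Networks each user successfully authenticated from before `until`."""
    seen = defaultdict(set)
    for t, user, result, ip in parse(vpn_log):
        if result == "success" and t < until:
            seen[user].add(network_of(ip))
    return seen


def new_network_logins(vpn_log, baseline, since):
    """Successful logins at or after `since` from a network never seen for that user."""
    return [(t, user, ip) for t, user, result, ip in parse(vpn_log)
            if result == "success" and t >= since
            and network_of(ip) not in baseline.get(user, set())]


def followed_by_account_change(logins, change_log, window=timedelta(hours=2)):
    """Pair each anomalous login with account changes that user made soon after."""
    hits = []
    for t_login, user, ip in logins:
        for t_chg, actor, action, target in parse(change_log):
            if actor == user and timedelta(0) <= t_chg - t_login <= window:
                hits.append((user, ip, action, target))
    return hits


# Learning period ends here; everything after is evaluated (assumption).
CUTOFF = datetime.fromisoformat("2020-01-09T00:00:00+00:00")


def run():
    baseline = build_baseline(VPN_LOG, CUTOFF)
    anomalies = new_network_logins(VPN_LOG, baseline, CUTOFF)
    return anomalies, followed_by_account_change(anomalies, CHANGE_LOG)


if __name__ == "__main__":
    anomalies, chained = run()
    for t, user, ip in anomalies:
        print(f"{t.isoformat()} new-network VPN login: {user} from {ip}")
    for hit in chained:
        print("login followed by account change:", hit)
```

    Roaming users make the new-network signal noisy on its own, which is why the correlation with a sensitive change matters. It is also why the FBI’s first recommendation is multi-factor authentication: a phished password alone then gets the attacker no VPN session, and the rest of the chain never starts.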

  • IRS Warns of New Stimulus Scam

    The Internal Revenue Service is warning taxpayers of a new scam that uses promise of a stimulus payment to get bank information.

    According to the IRS, scammers are texting individuals asking for their bank account information, claiming they need it to set up a direct deposit. The text message includes a URL that takes the victim to a phishing site that collects their details.

    “Criminals are relentlessly using COVID-19 and Economic Impact Payments as cover to try to trick taxpayers out of their money or identities,” said IRS Commissioner Chuck Rettig. “This scam is a new twist on those we’ve been seeing much of this year. We urge people to remain alert to these types of scams.”

    The IRS also reminds individuals that it never sends unsolicited texts or emails. In addition, anyone receiving one of these text messages should take a screenshot of it and email it to phishing@irs.gov. The email should include the date, time and timezone when the message was received, as well as the number that sent the text and the recipient’s number.

  • Americans Being Targeted by Coronavirus Digital Fraud

    TransUnion research shows Americans are being targeted by coronavirus-related digital fraud in alarming numbers.

    As the coronavirus pandemic forces more Americans to stay at home, ecommerce has become a critical part of everyday life. Even basic necessities are being purchased online, rather than through physical stores. Bad actors are taking advantage of that trend, targeting Americans in an effort to defraud them.

    TransUnion surveyed 1068 adults, finding 1 in 5 (22%) had been targeted with coronavirus-related digital fraud. “In the report, TransUnion Global Fraud & Identity Solutions reported a 347% increase in account takeover and 391% rise in shipping fraud attempts globally against its online retail customers from 2018 to 2019.”

    Methods of taking over accounts included buying credentials on the dark web, social engineering, romance scams, phishing and more. Once an account is taken over, fraudsters can steal packages by intercepting them at the carrier and changing the shipping address, rather than attracting attention by doing it online.

    “With so many reported data breaches, it’s not just about if your account will be hijacked, it’s about when,” said Melissa Gaddis, senior director of customer success for TransUnion Fraud & Identity Solutions. “Once a fraudster breaks into an account, they have access to everything imaginable resulting in stolen credit card numbers and reward points, fraudulent purchases, and redirecting shipments to other addresses.”

    TransUnion’s report is a good reminder that, even in a time of global crisis, individuals need to practice solid cybersecurity to keep their information, purchases and finances safe.

  • New Chrome Feature Will Alert You If Your Password Is Stolen

    In a blog post today, Google announced the addition of a significant security feature to Chrome, one that will alert users if their password has been stolen.

    With new data breaches occurring and being reported on a near-daily basis, people’s usernames and passwords are increasingly showing up for sale on the dark web. With many people reusing passwords across websites, a single compromised website can leave individuals vulnerable across a myriad of sites and services.

    First introduced earlier this year as an extension named Password Checkup, the feature has been rolled into Chrome’s settings as part of its Safe Browsing features.

    “When you type your credentials into a website, Chrome will now warn you if your username and password have been compromised in a data breach on some site or app. It will suggest that you change them everywhere they were used.”

    Google’s post also discussed improvements to Safe Browsing’s anti-phishing features.

    “Google’s Safe Browsing maintains an ever-growing list of unsafe sites on the web and shares this information with webmasters, or other browsers, to make the web more secure. The list refreshes every 30 minutes, protecting 4 billion devices every day against all kinds of security threats, including phishing.

    “However, some phishing sites slip through that 30-minute window, either by quickly switching domains or by hiding from our crawlers. Chrome now offers real-time phishing protections on desktop, which warn you when visiting malicious sites in 30 percent more cases. Initially we will roll out this protection to everyone with the “Make searches and browsing better” setting enabled in Chrome.”

    These improvements are welcome additions to one of the most popular browsers in use and Google is to be commended for making Password Checkup an included feature, where more people will benefit from it.

  • The History Of Phishing (And Spam)

    Having a spam email show up in your inbox nowadays is usually a harmless annoyance, and we don’t pay attention to them nearly as much as we used to. Spam has always been unpopular, but at some point it made the transition to phishing and has been a major problem ever since.

    Email predates the internet. MIT’s Compatible Time-Sharing System stored shared files on a central disk that users reached from remote terminals, and by 1965 its users were leaving messages for one another there. In 1971, ARPANET, the prototype of the internet, got the @ symbol, letting a message be addressed to a specific user on a specific computer, and email as we know it was born. In 1976, Queen Elizabeth II became the first head of state to send an email.

    It took another year for the first standard email to be sent, one with “To” and “From” fields and the ability to forward messages, and only a year after that, in 1978, the first mass email went out to 397 users. It was so unpopular that no one tried again for over a decade. In 1988, “spamming” was a prank played by players of multi-user dungeon (MUD) games: MUDers would flood rivals’ accounts with junk mail, keeping them from playing and crashing their systems. The use of “spam” for junk messages is credited to Richard Depew, referencing the Monty Python sketch of the same name. The second major attempt at mass-marketing spam came in 1994, when two immigration lawyers sent a mass message advertising their services. Because email was never designed to verify who sent a message, spamming went from an annoyance to a major security threat once it turned to phishing.

    In the 1990s the warez community used randomly generated credit card numbers to open AOL accounts. Using hijacked accounts, they sent phishing messages to the victims’ contacts. AOL quickly introduced security measures that stopped the use of generated card numbers, but the phishers were a step ahead: they posed as AOL admins requesting logins from other users, and the game grew from there.

    The ILOVEYOU worm was among the first to mail itself to everyone in a victim’s address book. The Sircam worm mailed itself out attached to documents taken from the victim’s machine, making it harder to catch. The MiMail worm made the emails it sent look like they came from a trusted company. With each scam, phishing attempts became more sophisticated and believable. The John Kerry fundraiser scam was a phony email that appeared to be part of John Kerry’s presidential campaign; donations sent in response went to scammers rather than the campaign. The Rustock botnet infected over a million computers before it was finally shut down in 2011, using infected systems as proxies to send more spam, hijack search engine results, and even block access to legitimate websites. Many more viruses spread to thousands of machines, leading to millions in damages.

    Find out how to protect your email from phishing attacks and how to recognize phishing attacks before they can do any damage here.

  • How eCommerce Businesses Can Prevent Fraud in 2018 Holiday Season

    Given the dynamic nature of the internet, it’s not surprising to also see frequent changes in consumer buying behavior, which online retailers try to predict and cater to on various digital platforms. Convenience and revenue growth of eCommerce businesses, however, come with a price in the form of fraud.

    Sales transactions from online merchants are on an uptrend, but attacks on eCommerce businesses have alarmingly increased as well. According to ThreatMetrix’s first-quarter report, 210 million cyber attacks were prevented in real time from January to March 2018, up 62 percent from the prior year. Such attacks cost the eCommerce industry a whopping $58 billion in losses in 2017, according to the Global Fraud Report by PYMNTS and Signifyd.

    Image source: ThreatMetrix (2017 Cybercrime Report)

    With the holiday season approaching, digital fraud in the eCommerce industry is expected to rise further. Avoid its pitfalls by taking steps in advance to detect its various forms and stop them from hurting your bottom line. A fraudulent purchase usually comes back as a chargeback against the retailer, and the resulting losses can be significant.

    Pay particular attention to these three kinds of eCommerce fraud:

    Types of eCommerce Fraud

    1. Identity Theft

    Among the most common types of fraud, identity theft has long been a staple of cybercriminals. Identities, along with card details and addresses, are stolen through data breaches, malware and theft of mobile devices, then used to buy from online merchants. Besides the stolen identities of real people, fraudsters also fabricate synthetic or manipulated identities and use those during transactions.

    2. Friendly Fraud

    Sometimes called “chargeback fraud,” friendly fraud happens when a customer calls their card issuer and disputes a charge. Some disputes stem from genuine misunderstanding, but others are malicious: a dishonest consumer receives the package and then claims the item never arrived, was heavily damaged, or was not as described, and demands a refund from the retailer.

    3. Phishing

    This type of fraud is rampant. Fraudsters pose as a company or eCommerce platform to trick customers into typing personal information into a rigged form. Phishing emails often warn customers that their account has been compromised and that they must enter their user ID, password and personal details as proof of identity. Armed with those stolen details, fraudsters make online purchases or transfer money to another account.

    How Online Merchants Can Protect Against Fraud

    To minimize the increasing risk for eCommerce fraud, there are a few things that you, as a business owner, can do. A proactive approach, rather than a reactive one, is more effective in preventing fraud from happening and taking a cut of your profits, especially during the holiday rush.

    1. Have a good fraud protection system in place.

    Before the buying frenzy of the holidays begins, ensure that your business has fraud prevention and chargeback protection systems set up. There are numerous tools available on the market, so choose one that fits your business needs. It’s a cost-effective solution that’s well worth the investment in the long run.

    2. Use a prevention system that combines human and artificial intelligence.

    While machine learning can effectively analyze patterns of fraud based on millions of transactional data, it still takes human intelligence to know something is off with a transaction.

    3. Take advantage of the verification process as well.

    To mitigate eCommerce fraud, use a good address verification system (AVS). It checks the billing address the customer enters against the one the card issuer has on file, and comparing that with the ship-to address, the email address and the location recorded at checkout gives a fuller picture of whether the buyer is who they claim to be. Requiring the card verification value (CVV) adds a further check that the customer holds, or at least has access to, the physical card. One caveat: the CVV may be used to authorize the transaction but must never be stored afterwards, which the PCI DSS prohibits.

    Image source: Amasty

    4. Use email authentication.

    Even though email fraud is far too common, you still need sender authentication for your own mail. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM: it tells receiving mail servers what to do with messages that claim to come from your domain but fail those checks, and its aggregate reports show you who is sending mail in your name. It does not inspect links or attachments, so it is no substitute for content filtering. Aside from making it harder for fraudsters to impersonate your store, email authentication assures your customers that mail which does reach them really came from you.

    5. Determine transaction origins.

    Each device a transaction comes from carries its own fraud profile, so knowing what was used lets you gauge and screen for potential eCommerce fraud. Device assessment helps online merchants identify transactions made by bots, flag anomalous purchases that stem from account takeovers, and highlight malicious intent.

    When consumer spending picks up during the holiday season, it is expected that eCommerce fraud will gain momentum as well. Ensure that your business is not losing money from fraudulent transactions by beefing up your prevention and authentication systems and keeping them updated with the latest patches. 

    [Featured image via Pexels]

  • Facebook Hoax Alert: Apparently, People Are Still Falling for the ‘See Who Viewed Your Profile’ Scam

    Guys, we need to talk.

    It appears that people still think that there’s some way to see who has viewed their Facebook profiles. Scammers keep designing bogus apps to capitalize on this belief, and there’s a new one in town according to security firm Symantec.

    Here’s what Symantec found:

    The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook. A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site redirected to a legitimate Facebook page.

    And if you give up your personal details like passwords to phishers, well, you know what happens next. It’s a headache to say the least.

    Listen, there are a handful of classic Facebook scams that have been going around forever. Let’s just call it the Facebook hoax Hall of Fame. There’s the whole “dislike” button thing, the whole “share this or Facebook is going to charge you” thing, and then there’s this.

    Facebook is never going to let you browse a list of people who’ve viewed your profile. I mean, who do you think they are, LinkedIn? If they ever did, stalkers would stop using the service and without the stalker base, well, Facebook would probably be forced to pack it up.

    Image via Symantec Blog

  • Watch Out For Health Insurance Exchange Scams

    Security experts are warning that scammers are exploiting the new health insurance exchanges to trick consumers with phishing schemes.

    McAfee VP of Global Consumer Marketing Gary Davis told Fox Business, “I can say with a high degree of certainty that they will come. We live in a world where people look at compelling events and look to do something malicious. This is just the nature of the beast.”

    With all the confusion surrounding the exchanges, it would be more surprising if scammers weren’t taking advantage.

    Last week, Trend Micro blogged about the coming risk of scams related to the exchange sites. Threat Communications Manager Christopher Budd wrote:

    One way people will be able to sign up for coverage after October 1 is online. But because of the way this online registration will work and the type of information people will have to enter to get health care coverage, there’s a real risk of a perfect storm that can make this process a bonanza for identity thieves and cybercriminals. This could be the most significant new area for phishing and identity theft in the next year in the United States. It also can give established healthcare scammers a new field to look for victims.

    The root problem is that the Health Insurance Exchange isn’t made up of a single, authoritative site where people can go and register for coverage. In addition to the Federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage.

    At least HealthCare.gov (pictured) does let users easily find the appropriate links for exchanges for their particular states, which should help a great deal.

    There have been actual scam sites spotted in the wild, however, and they have tended to use reasonable-sounding domain names, such as WashingtonHealthExchange.com or MDHealthExchange.com. These particular examples have already been reported and taken down, according to a recent Washington Post article.

    The Coalition Against Insurance Fraud (via The Post) says that most of the scammers have been targeting individuals rather than businesses, though with the legitimate exchanges catering to both, there is still significant risk to businesses as well.

  • Google Adds Data on Unsafe Websites to Transparency Report

    Google is adding a new section to its online Transparency Report, which currently documents data requests from the government, content removal requests, and just recently, National Security Letter information.

    Starting now, Google will show information on malware and phishing attacks around the web. Google says that this info comes from their Safe Browsing program, which has been finding and flagging unsafe websites since 2006.

    Google’s new page in the Transparency Report on Safe Browsing displays a bunch of new graphs related to the volume of alerts, malware sites, phishing sites, and more. Specifically, users can now see how many users see browser warnings in a given week, how many unsafe websites (in the form of both malware and phishing) are detected by Google each week, how many sites hosting malware Google detects each week, and webmaster response time averages once they are informed of problems with their sites.

    “[I]n 2006 we started a Safe Browsing program to find and flag suspect websites. This means that when you are surfing the web, we can now warn you when a site is unsafe. We’re currently flagging up to 10,000 sites a day—and because we share this technology with other browsers there are about 1 billion users we can help keep safe,” says Google software engineer Lucas Ballard. “Sharing this information also aligns well with our Transparency Report, which already gives information about government requests for user data, government requests to remove content, and current disruptions to our services.”

  • Facebook Phishing Scam Poses as Message from Mark ‘Zurckerberg’

    Facebook CEO Mark Zurckerberg is not sending out privacy notices, requesting that users verify their accounts. That’s because no such messages would ever come from the Facebook CEO. There’s also that pesky little detail that the CEO of Facebook is not Mark Zurckerberg.

    This one should immediately throw up some red flags, considering that the scammers can’t even spell “Zuckerberg” correctly. A new phishing scam making its way around Facebook is just a new riff on a classic ruse.

    Hoax Slayer is reporting that a message hitting some users’ inboxes claims to be from “Mark Zurckerberg” and states that…

    Mark Zurckerberg

    Dear Facebook user, After reviewing your page activity, it was determined that you were in violation of our Terms of service.Your account might be permanently suspended.

    If you think this is a mistake,please verify your account on the link below.This would indicate that your Page does not have a violation on our Terms of Service.

    We will immediately review your account activity,and we will notify you again via email.
    Verify your account at the link below:

    Clicking on the link will direct users to a fake Facebook login page. Although made to look like the real Facebook login page, this malicious site will simply steal your info once you enter it in.

    This type of account verification scam is old but persistent. Most claim that the user has violated some Facebook terms and must verify their account to keep it from being suspended. In the past couple of months, we’ve seen a couple of variations of this scam hit Facebook. One version purported to come from the Facebook Security Team. Another scam message claimed that users had been “annoying or insulting” to other users and that they faced account suspension. Both of those scams, like this “Zurckerberg” one, asked for personal info to “verify” the accounts.

  • Twitter Goes DMARC To Fight Phishing

    Over a year ago, fifteen major companies joined forces to create DMARC, a “technical working group” to develop anti-phishing standards. The companies were Google, Facebook, LinkedIn, AOL, Microsoft, Yahoo, PayPal (eBay), Bank of America, Fidelity Investments, American Greetings, Agari, Cloudmark, eCert, Return Path and Trusted Domain Project.

    Today, Twitter announced that it is using DMARC for its email, making it far less likely that users will see an email pretending to be from a Twitter.com address.

    “We send out lots of emails every day to our users letting them know what’s happening on Twitter. But there’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information, commonly called ‘phishing’,” said Twitter Postmaster Josh Aberant.

    “Without getting too technical, DMARC solves a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols,” he said. “It builds on established authentication protocols (DKIM and SPF) to give email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information.”

    Twitter began publishing its DMARC policy earlier this month. A policy only has teeth if receiving mail providers check it; AOL, Gmail, Hotmail/Outlook and Yahoo Mail all evaluate DMARC on inbound mail, so forged Twitter.com messages sent to those services can be blocked before they reach an inbox.
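    To make concrete what “builds on DKIM and SPF” means in practice, here is a small DMARC policy evaluator. It is an added example written for this page, not code from Twitter or from DMARC.org, and it uses a constructed DMARC record and constructed authentication results rather than anything observed on the wire. A receiving mail server would already have run SPF and DKIM; DMARC then asks whether either of those passing results is *aligned* with the domain in the visible From: header, and, if not, applies the sender’s published policy. The organizational-domain helper below just takes the last two labels, which is an assumption for illustration (real implementations consult the Public Suffix List), and the `pct` and `sp` tags are parsed but not acted on.

    ```python
    """Minimal DMARC evaluation: parse a _dmarc TXT record, test SPF/DKIM
    identifier alignment against the From: domain, and return a disposition.

    Added example for this article; the record and results are constructed.
    """


    def parse_dmarc(txt: str) -> dict:
        """Split 'v=DMARC1; p=reject; adkim=r' into a tag dictionary.

        Applies the spec defaults for the alignment modes and pct so callers
        can rely on the keys being present.
        """
        tags = {}
        for part in txt.split(";"):
            part = part.strip()
            if not part:
                continue
            if "=" not in part:
                raise ValueError(f"malformed DMARC tag: {part!r}")
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
        if tags.get("v") != "DMARC1":
            raise ValueError("not a DMARC1 record")
        tags.setdefault("adkim", "r")   # DKIM alignment: r(elaxed) or s(trict)
        tags.setdefault("aspf", "r")    # SPF alignment:  r(elaxed) or s(trict)
        tags.setdefault("pct", "100")   # parsed, not applied here
        return tags


    def org_domain(domain: str) -> str:
        """Organizational domain, approximated as the last two labels.

        ASSUMPTION for illustration only: production code must use the
        Public Suffix List (e.g. 'example.co.uk' would be wrong here).
        """
        labels = domain.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])


    def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
        """Strict alignment requires an exact match; relaxed allows the
        authenticated domain to share the From: domain's organizational domain."""
        f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
        if mode == "s":
            return f == a
        return org_domain(f) == org_domain(a)


    def evaluate(record: str, from_domain: str,
                 spf_result: str, spf_domain,
                 dkim_result: str, dkim_domain):
        """Return (dmarc_pass, disposition).

        spf_domain is the envelope-sender (MAIL FROM) domain SPF was checked
        against; dkim_domain is the d= tag of a verified signature. Either
        may be None when that check produced no usable identifier.
        DMARC passes if at least one aligned mechanism passed; otherwise the
        publisher's p= policy (none/quarantine/reject) is the disposition.
        """
        tags = parse_dmarc(record)
        spf_ok = (spf_result == "pass" and spf_domain is not None
                  and aligned(from_domain, spf_domain, tags["aspf"]))
        dkim_ok = (dkim_result == "pass" and dkim_domain is not None
                   and aligned(from_domain, dkim_domain, tags["adkim"]))
        if spf_ok or dkim_ok:
            return True, "none"
        return False, tags.get("p", "none")


    # Constructed record standing in for what a sender like twitter.com might
    # publish at _dmarc.twitter.com (NOT the real record).
    RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


    def demo():
        """Three constructed messages, all claiming From: user@twitter.com."""
        cases = {
            # Legitimate: SPF passed for the envelope domain twitter.com itself.
            "legit_spf":   evaluate(RECORD, "twitter.com", "pass", "twitter.com", "none", None),
            # Legitimate: DKIM signed by a subdomain; relaxed alignment accepts it.
            "legit_dkim":  evaluate(RECORD, "twitter.com", "fail", "spammer.example",
                                    "pass", "mail.twitter.com"),
            # Forged: the phisher's own infrastructure passes SPF and DKIM for
            # spammer.example, but nothing aligns with twitter.com, so p=reject applies.
            "forged":      evaluate(RECORD, "twitter.com", "pass", "spammer.example",
                                    "pass", "spammer.example"),
        }
        return cases


    if __name__ == "__main__":
        for name, (passed, disposition) in demo().items():
            print(f"{name:10s} dmarc_pass={passed} disposition={disposition}")
    ```

    The “forged” case is the Twitter-lookalike phish described in the article: the message authenticates perfectly for the spammer’s own domain, and older SPF- or DKIM-only filtering would let it through. DMARC is what ties the authenticated identity to the From: domain the user actually sees, and it is the publisher’s `p=` tag that tells the receiver to drop it.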

  • Facebook Phishing Scam Claims You’ve Violated Policy

    Another day, another Facebook-based phishing scam looking to snatch all of your personal information (including bank account info) and use it for nefarious purposes.

    The latest scam to hit the network comes in the form of messages sent to users’ inboxes. These are not simply spam messages that will get caught up in the “other” inbox that Facebook reserves for non-priority communications. These messages may come from compromised accounts of people you are connected to, which is why they can land in your main inbox.

    If you receive one of these scam messages, it’ll look like this:

    WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. System will disable your account within 24 hours if you do not do the reconfirmation. Please confirm your Facebook account below:

    If the ridiculous assertion that you’ve “annoyed users” doesn’t immediately throw you off, there’s a link.

    Upon clicking, a page prompts users to enter their Facebook account name and password. It then asks you to confirm which webmail service you use to sign in to Facebook (getting more suspicious). Finally, it drops the big request: your credit card info. At this point, you should definitely realize you’ve been duped and stop entering information. Each step is another credential the scammers can resell or reuse, so stopping at the first prompt is better than stopping at the last.

    This scam is similar to another one we reported on earlier this month that also involved private messages from “The Facebook Security Team.” Except we all know that the real Facebook Security team doesn’t send out messages to specific users asking them to verify account details. Both scams warn users that their accounts may be suspended for some sort of unspecified violation of the terms of service.

    [GFI via The Next Web]

  • Facebook Scammers Pose as Security Team to Phish Your Info

    Facebook users should be cautious if confronted by a message from the “Security Team,” as they could be unwittingly giving up their private info to scammers.

    It’s the latest phishing attack on the network, which sees its fair share of such deceptions. Some users are currently receiving messages from pages called Security Team, which ask users to verify their accounts via outside link or face an account suspension.

    Here’s what the scam message looks like, courtesy Facecrooks:

    As you can see, the scammers use the same logo that the real Facebook Security page uses, hoping that it will give the message more credibility with users. It’s also grammatically well constructed (for the most part), something we can’t say for most phishing scams that hit Facebook.

    But the link that it contains should tip you off to its illegitimacy. It points to a page hosted under Facebook’s own apps domain, which asks for your page name, phone number, and password. A Facebook-hosted app asking for your Facebook password is the giveaway: Facebook itself never needs you to re-enter it inside an app.

    A quick search on Facebook yields dozens of pages for “Security Team,” all using the official Facebook Security logo and all created in the last couple of weeks. These pages, as obvious scam attempts, should be removed fairly soon. But others will always pop up in their place. Always be vigilant.

  • Facebook Wants You To Help Identify Phishing Scams

    Anyone who’s spent even a little bit of time on Facebook knows that users need to be vigilant. Phishing attacks, although relatively rare, do exist, and Facebook’s login-gated, media-rich platform is an ideal place for scammers to target potential victims.

    Today, Facebook unveiled a new way for users to report phishing attempts across the network.

    Now, if you come across any shady attempt to acquire your username, password, or other personal information, Facebook wants you to file a report. You can do this by sending an email to the new address phish@fb.com.

    “By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we’ll be able to identify victims, and secure their accounts,” says Facebook.

    Facebook reminds users that they should be wary of any email that asks for login or financial info. One thing that users can do to protect themselves while investigating possible scams is to navigate to websites directly, instead of using the provided links within emails, chat messages, or posts.

    “This new reporting channel will complement internal systems we have in place to detect phishing sites attempting to steal Facebook user login information. The internal systems notify our team, so we can gather information on the attack, take the phishing sites offline, and notify users. Affected users will be prompted to change their password and provided education to better protect themselves in the future,” they say.

    In April, Facebook launched the Anti-Virus Marketplace, which allows users to download trial versions of various popular anti-virus products. At the time, Facebook also incorporated those companies’ databases into its own URL blacklist. Last month, it unveiled the new Malware Checkpoint, which allows users to be more proactive about their own security.

  • Google Discusses Its Safe Browsing Record

    No, this isn’t an advertisement for the benefits Google’s Chrome browser provides. Not even vicariously. Instead, the latest post over at the Google Security Blog discusses the measures Google has taken to keep browsers safe through a number of anti-malware initiatives. There’s still a ton to watch out for in regards to phishing and various other forms of malware, but Google’s efforts to protect browsers, especially in regards to its search results, certainly help.

    Another thing that helps is the improved attention to detail from North American web users, which Google suggests helps explain the shift of phishing attempts toward Latin America, the Middle East, and Asia. As for Google’s Safe Browsing effort, this month marks the five-year anniversary of the program, giving Google an opportunity to point out where it has been successful:

    • We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users. You may have seen our telltale red warnings pop up — when you do, please don’t go to sites we’ve flagged for malware or phishing. Our free and public Safe Browsing API allows other organizations to keep their users safe by using the data we’ve compiled.
    • We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing. While we flag many sites daily, we strive for high quality and have had only a handful of false positives.
    • Approximately 12-14 million Google Search queries per day show our warning to caution users from going to sites that are currently compromised. Once a site has been cleaned up, the warning is lifted.
    • We provide malware warnings for about 300 thousand downloads per day through our download protection service for Chrome.
    • We send thousands of notifications daily to webmasters. Signing up with Webmaster Tools helps us communicate directly with webmasters when we find something on their site, and our ongoing partnership with StopBadware.org helps webmasters who can’t sign up or need additional help.
    • We also send thousands of notifications daily to Internet Service Providers (ISPs) & CERTs to help them keep their networks clean. Network administrators can sign up to receive frequent alerts.

    The report also charts the monthly discoveries of phishing sites and malware-infected sites, all of which are things to avoid. If you haven’t been keeping up with how the war on malicious software and phishing is going, you would be wise to increase your level of vigilance:

    Phishing Chart

    As you can see, phishing attempts are very much alive and well. The same is true for malware-infected sites and sites that try to infect your machine:

    Malware-Infected Sites

    Attack Sites


    As you can see, intelligent browsing coupled with a browser that has built-in anti-phishing/malware measures is pretty much a must for browsing safety. For those who surf on mobile browsers, where such warnings are less common, be especially mindful.

  • Fake Facebook Emails Claim You Have Missed Notifications

    When browsing your inbox, be cautious around any email you receive claiming that you have Facebook notifications pending. That’s because a new email scam is on the loose and it’s targeting Facebook users.

    This new email scam comes packaged in a highly convincing fashion and claims to come directly from Facebook. The subject line will tell you that “you have notifications pending,” and the body will say “Hi, here’s some activity you have missed on Facebook.” The email will also prompt recipients to click buttons to “Go To Facebook” and to “See All Notifications.”

    Of course, the only words of advice here are to stay away from those links.

    Here’s an actual, non-scammy notification email from Facebook:

    And here’s the scam email. You can see how people could be fooled – the scammers have done a remarkable job rendering a similar design to the message.

    According to Sophos’ Naked Security blog, the links took them to a Canadian pharmacy site that offered male enhancement drugs like Cialis and Viagra – typical. “Chances are that the spammers are earning affiliate cash by driving traffic to the pharmaceutical website,” they said.

    Of course, these types of links could take you on any number of malicious trips – a phishing site, a site containing malware, etc. Just be on your toes, Facebook users.

  • LinkedIn Password Leak Brings Email Spam

    LinkedIn Password Leak Brings Email Spam

    With more than 6.4 million LinkedIn password hashes leaked onto a hash-cracking forum this week, it is no wonder that spammers are having a field day with the confusion it brought. Cameron Camp, a security researcher for the ESET cybersecurity software company, announced that ESET had been notified by “several” people that they had received spam emails purporting to be from LinkedIn. The emails asked users to confirm their email address with LinkedIn, and provided a link to do so. Camp reports that the link actually sent users to an online pharmacy. This spam email resembles others, such as the Google+ spam email that was identified earlier this year.

    LinkedIn yesterday responded to the password leak within a few hours, announcing on its blog that affected accounts had been disabled and that members would be receiving instructions on how to reset their password. One point Vicente Silveira, director at LinkedIn, made clear in his blog post announcing the company’s response was that the emails sent out would not contain any links to reset passwords. From the post:

    …members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.

    This mirrors password advice Silveira gave in an earlier blog post yesterday where he stated that users should never change their password by following a link in an email they did not request. As Camp pointed out, these types of email spam are common, and these particular emails might not be related to the recent password leak. Still, users should be careful of these types of spam and other, more malicious phishing attacks which redirect users to websites spoofed to look exactly the same as the login page for a website they use.

    (Screenshot courtesy ESET)

  • German Court Rules Phishing Victim at Fault

    It would appear that German courts have little tolerance for various sorts of internet carelessness as of late, recently ruling that YouTube is responsible for its users when they upload copyrighted songs – and now Germany’s Federal Court of Justice in Karlsruhe has ruled that a victim of a phishing scam is responsible for being phished.

    The latest case involves a retiree losing roughly $6,600 after giving up his bank information to a fake site that looked identical to the real site of his bank, after which the funds were illegally transferred to Greece, which incidentally can use all the transfers it can get. Still, Germany’s highest civil court has decided that the retiree was the one who was negligent, as Sparda Bank had offered its clients multiple warnings regarding phishing. Germany’s Federal Criminal Police Office (BKA) logged 5,000 reports of phishing in 2010, a big jump from 2009.

    Still, the retiree did sit down and take the time to enter 10 TAN codes (transaction authentication numbers, the one-time codes German banks use to authorize individual online transactions) into the fake site. Who does that? The elderly maybe – and it’s clear Germans might, as TAN codes are commonly used in that country to confirm online transactions. The codes are delivered on printed lists, by text message, or via a smartphone app. A real bank needs one TAN per transaction; a site asking for ten at once is collecting them for later use, which is why Sparda Bank’s defense noted that being prompted to enter multiple TAN codes is a classic sign of phishing.

    According to the Local, “The plaintiff argued that the bank had a duty to protect its customers from the abuse of these codes – But the federal court upheld previous judgements by the district and state courts, agreeing with the bank’s argument that the customer should bear responsibility for falling for the con.” So, the retiree is out almost 7 grand, and YouTube might also soon be looking at a much more substantial loss.

    In related news, it has been reported that the Syrian Electronic Army has been trying to gain access to rebel accounts using phishing tactics, though they likely shouldn’t be too worried, as Anonymous has been monitoring the goings on of that situation.