Friday, August 31, 2012
New Phishing Scams Target Apple Users
In one post a user shows a fake receipt for iTunes charges which offers several links, including a download link. The link then leads off to a malicious site. In other postings users post fake emails claiming the "users account has been temporarily blocked." A third posting shows a rather realistic looking AppleCare email as well as a few follow-up emails offering information about OS X 10.8 Mountain Lion or claiming that iTunes will be shut down.
In this case it is fairly easy to spot the scam, as the email comes from a Gmail account or asks the user to reply to a Gmail account. However, should the recipient click one of the links contained in the email, they are likely to be sent to a fake landing page that asks for their Apple ID and password.
In the cases pertaining to emails telling users their accounts had been blocked, the e-mails provided a “Confirm Your Identity” button or link, which, of course, leads you to a phishing site. The malicious site will either ask you for your Apple ID or attempt to load malware on your machine. Most companies, including Apple, will not send you "account blocked" emails, and if they do you should check the email closely for discrepancies. I always prefer to visit the sites directly to verify that I need to reinstate my account. In this case an Apple user can simply head over to Apple’s My Apple ID site, where you can log in, reset your password, and check that your credentials are safe and sound.
Phishing is not something new to the online community and certainly not something new to Apple. But phishing attacks have become big business and scammers are becoming increasingly sophisticated. If you receive an email from Apple or iTunes (or any other site for that matter) you should be very wary of the links provided. Legitimate emails from legitimate companies will never ask you to provide personal information or sensitive account information (such as passwords or credit card numbers) via email.
For more help determining the validity of those Apple emails, check out Apple's support page "Identifying legitimate emails from the iTunes Store."
Tuesday, May 24, 2011
Warning Phishing Scam Targets Apple AppStore Users
The scam email, which oddly enough was sent to a person who recently made a purchase from the AppStore on his iPad, appears to be from the "Apple AppStore," with a message informing the recipient that their app order "has been successfully cancelled." Users are directed to click on a link titled "order information," to get to the bottom of the problem.
Currently the link sends you off to a fake pharmaceutical site. Typically in these scams you'd be sent to a traditional phishing site that looks more like an official Apple page, so it's really uncertain what the goal behind the attack is. F-Secure is more worried about the fact that the phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple's legitimate App Store. At this time it is still unclear how the scammers know you just bought something from the App Store.
Saturday, March 12, 2011
Beware Japan Earthquake Scams And Phishing Emails
The Internet Storm Center (ISC) issued a warning on its Web page Friday morning warning readers to expect "emails (sp) scams and malware circulating regarding the recent Japanese earthquake." Examples of tsunami-related spam have already shown up in spam filters, according to the Web site spamwarnings.com. The ISC warns that users should avoid opening questionable attachments or clicking suspicious links within any unsolicited emails. Users looking to make donations via websites should also be warned that scammers have become adept at using search engine optimization (SEO) strategies to place scam Web pages high in the search results of major search engines like Google.
You should always verify your links and double-check the website and web address before you donate. For instance, users wanting to donate to the Red Cross should go directly to RedCross.org. When you decide to donate, make sure you are on a secure page. Look in the address bar for the HTTPS:// security protocol.
Here's a good list of reputable organizations accepting donations (via MSNBC):
- Using your cell phone, you can text-message donations of $10 to the Red Cross. Text the letters REDCROSS to 90999 to make the $10 donation, or visit the organization's website.
- The International Medical Corps is putting together relief teams, as well as supplies. The organization is in "contact with partners in Japan and other affected countries to assess needs and coordinate our activities,” said Nancy Aossey, IMC president, on its website. You can donate here. Or, you can text MED to 80888 to donate $10 to emergency relief efforts.
- Save the Children is accepting donations for its Children's Emergency Fund. "We are extremely concerned for the welfare of children and their families who have been affected by the disaster. We stand ready to meet the needs of children who are always the most vulnerable in a disaster," said Eiichi Sadamatsu of the organization in a statement. You can also text “JAPAN” or “TSUNAMI” to 20222 to donate $10.
- GlobalGiving, based in Washington, D.C., is providing relief and emergency services to victims of the earthquake and tsunami. Text JAPAN to 50555 to donate $10.
- The Salvation Army, which has had a presence in Japan since 1895, is sending an assessment team from Tokyo to the city of Sendai "to assess damage and will begin providing basic necessities (food, water, etc.) beginning as soon as possible tonight or tomorrow," a spokesperson said. In Tokyo, the Salvation Army "opened its main building to help shelter commuters who were unable to reach home. They served hot drinks and packed meals." You can text JAPAN or QUAKE to 80888 to make a $10 donation to the Salvation Army’s relief efforts.
- World Vision, with a staff of 75 in Japan, focuses its relief efforts on children. Visit the website to donate, or call 1-888-56-CHILD (1-888-562-4453). You can text “4JAPAN” or “4TSUNAMI” to 20222 to donate $10.
- The mGive Foundation, which helps with mobile donations, said these groups are also accepting text-based donations: Convoy of Hope, text TSUNAMI to 50555 to donate $10; World Relief Corp. of National Association of Evangelicals, text WAVE to 50555 to donate $10. "When prompted, mobile donors should reply with YES to confirm a one-time gift," the foundation says. "The $10 one-time donation will appear on the donor’s next mobile bill. All donations are tax deductible and receipts may be printed" from the mGive site. "Message and data rates may apply."
- Facebook has a Disaster Relief page with lots of good information about organizations that are offering aid, and that you can help, in turn.
- Portland, Ore.-based Mercy Corps is "accepting donations to help survivors of Japan's earthquake and tsunami through our longstanding partner, Peace Winds Japan." Donations will go to meeting the "immediate and longer-term needs of the survivors," a spokesperson said. You can text “MERCY” to 25283 to donate $10.
- Microsoft has a Disaster Response Effort underway. "We are taking a number of steps, including ensuring the safety of our employees and their families and proactively offering customers, partners and local response agencies technical support to help ensure business continuity," the company said. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
Tuesday, January 12, 2010
Android App Used In Phishing Attack Steals Bank Login Details
According to First Tech's advisory, the application originated from the Android Market and didn't specifically target First Tech customers. Apparently the application targeted several banks; however, First Tech was the only one that seems to have reported the incident. The bank assured its customers that no First Tech customer suffered any financial damage, nor would they should they fall victim to the malicious app.
The application reportedly pretended to simplify the customer's mobile access to accounts at various different banks. Commenting on the issue, a Google spokesperson said "The Android Market Content Policy clearly states that we don't allow applications on Android Market to identify themselves with third-party marks without permission. If an application violates the content policy, we will remove it from Android Market, and developer accounts will be terminated for repeated violations."
The developer has been banned, but it's not clear how many people downloaded the fraudulent app before it was pulled by Google. Users who downloaded the app, or think they may have, should be sure to visit the "My Downloads" section of their Android phone to remove the application.
While this may be one of the first known Android-based malware attacks, it certainly isn't the first to hit cellphones. Early last year we reported that Kaspersky Labs had discovered a new piece of malware that targets Symbian-based cell phones provided by an Indonesian mobile phone operator. The virus, known as Trojan-SMS.Python.Flocker, sends SMS messages with instructions to transfer part of the money in the user’s account to another account, which belongs to the cybercriminals.
This news should be a reminder that users should be extremely careful when downloading applications to any device! And be sure to take notice of where and how your information is being used.
Wednesday, March 04, 2009
FTC Warns Of Stimulus Scams
The Federal Trade Commission (FTC) as well as the Better Business Bureau (BBB) have recently posted advisories warning consumers about advertisements from companies and websites that promise easy access to government money. The ads promise big money, as much as $12,000 in some cases, or offer to sell consumers information that is readily available for free. The scammers use the collected information to commit identity theft, oftentimes draining the consumer's bank account.
In several phishing attacks consumers have reported e-mail messages asking for bank account information so that stimulus check deposits can be made directly to the consumer's bank account. Instead, the scammers drain consumers' accounts of money and disappear. Or the bogus e-mails may appear to be from government agencies and ask for information to "verify" that you qualify for a payment. The scammers use that information to commit identity theft.
The FTC warns that some of the e-mail scams don't ask for information, but provide links to find out how to qualify for funds. By clicking on the links, consumers have downloaded malicious software or spyware that can be used to steal more information from the unsuspecting victims.
"Web sites may advertise that they can help you get money from the stimulus fund. Many use deceptive names or images of President Obama and Vice President Biden to suggest they are legitimate. They're not," says Eileen Harrington, Acting Director of the FTC's Bureau of Consumer Protection. "Don't fall for it. If you do, you'll get scammed."
Some sites suggest that for a small sum of money - as little as $1.99 in some cases - consumers can get a list of economic stimulus grants they can apply for. But two things can happen: the number of the credit card the consumer uses to pay the fee can fall into the hands of scam artists, or the $1.99 can be the down payment on a "negative option" agreement that may cost hundreds or thousands of dollars if the consumer does not cancel.
"Consumers who may already have fallen for these scams should carefully check their credit card bills for unauthorized charges and report the scam to the FTC," Harrington said.
Monday, January 05, 2009
33 High Profile Twitter Accounts Hacked
Here is Twitter’s official explanation:
Monday Morning Madness
This morning we discovered 33 Twitter accounts had been "hacked" including prominent Twitter-ers like Rick Sanchez and Barack Obama (who has not been Twittering since becoming the president elect due to transition issues). We immediately locked down the accounts and investigated the issue. Rick, Barack, and others are now back in control of their accounts.
What Happened?
The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.
Twitter has been working on restoring accounts that have been phished and those that have been hacked. This is likely to be the first of many such attacks on the site so I strongly suggest reading our Tips to avoid Twitter phishing post.
Sunday, January 04, 2009
Tips To Avoid Twitter Phishing
The nuts and bolts of it:
The attackers are sending out direct messages (DMs) with a link that sends users off site to a fake log-in page. Unsuspecting users then log in to that page, in turn handing over their log-in credentials to the phishers. The phishers then use those log-ins and accounts to send more DMs, creating a vicious cycle.
Avoiding phishing scams is just a matter of a little common sense.
Phishing is nothing new; people have been scamming users for years with these techniques, and they are almost always the same. It usually involves a very well copied log-in page, a poorly copied URL and a few unsuspecting users to get it all started. Once one user sends out a message to a trusting friend, it begins to spread like wildfire.
Here are a few tips that are very helpful in avoiding these scams.
Don't log-in to any page without looking at the URL first
This seems simple enough, but how many times do you really look at the page you are logging into? If you look at the screenshot taken by Twitter you can clearly see it's not the correct page. This applies to any page, not just Twitter. Phishing has been around long enough that users should know to double-check their URLs first. In this case the URL is not masked very well and is easily spotted!
Use your bookmarks, back button or go directly to the main site
If you click an off-site link and somehow end up on a log-in page, it is always best to get the hell out of there. Use your back button, click your own bookmark or type the URL in directly. You are always better safe than sorry.
Change your passwords often
Yes this can be a pain in the rear, however you should be changing your passwords a few times a year just to be on the safe side.
If it is too good to be true it usually is **Read update below**
The latest round of phishing DMs involved getting a free iPhone; do you really think they are handing these things out like candy? The old adage has always rung true: if it sounds too good to be true, it usually is. So avoid it like the plague.
Don't be a blind Re-Tweeter
Don't blindly re-tweet those messages sent to you by people you follow. Sending out links you haven't taken the time to check out yourself puts your followers at risk. If you don't check out the link first, you might just be sending out a link to a phishing site or, even worse, something with malware or viruses!
Trim the fat
Pro-blogger Chris Brogan was scoffing at the idea of having to unfollow 25k Tweeters. While most of us are nowhere near that level, I'm sure we all have Tweeters on our page we don't know and probably don't need. Now would be a good time to click through some of those followers and check them out. Contact and/or remove anyone that looks suspicious.
For those of you unlucky enough to have already been hit by the phishing scam, don't fret; there is hope for getting your account back. Follow the steps outlined in the Twitter blog post for having your password reset. Once that is done I'd suggest doing some serious making up with everyone on your follow list!
You can follow updates on the attack by subscribing to the Twitter topic #phishingalert as well as the Twitter topic #phishing.
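The "look at the URL first" tip above, and the Apple emails in the August 2012 post where the link rather than the sender gives the scam away, can be turned into a small check. This is an added example, not code from the original post: it parses a link, reduces the host to its registered domain, compares that against a constructed per-brand allowlist, and flags the usual tricks (brand name as a sub-label, user-info before the host, raw IP addresses, look-alike characters). The allowlist and the tiny public-suffix table are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the domains where each brand's
# genuine pages live. A real deployment would maintain this list per brand.
TRUSTED = {
    "twitter": {"twitter.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Assumption: a tiny stand-in for the Public Suffix List. Only these
# two-label suffixes are recognised; everything else is one label.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """'login.twitter.com' -> 'twitter.com'; 'www.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url, brand):
    """Classify a link that claims to belong to `brand`.

    Returns (verdict, reason); verdict is 'ok', 'warning', 'suspicious'
    or 'phishing'. Only the hostname is judged, never the page content.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parsed.scheme!r}"
    host = parsed.hostname or ""          # urlparse lowercases this for us
    if not host:
        return "suspicious", "no hostname in URL"
    if "@" in parsed.netloc:
        # http://twitter.com@evil.example/ really goes to evil.example
        return "suspicious", "user-info before the host hides the real domain"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious", "internationalised hostname (possible look-alike letters)"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "raw IP address instead of a domain name"
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in TRUSTED.get(brand, set()):
        if parsed.scheme != "https":
            return "warning", f"{reg} is genuine but the page is not served over HTTPS"
        return "ok", f"{reg} is a trusted domain for {brand}"
    if brand in host:
        # The brand name is only a sub-label or decoration; the page is really
        # served by `reg`, which is not on the trusted list.
        return "phishing", f"{brand!r} appears in the host, but it belongs to {reg}"
    return "suspicious", f"{reg} is not a known domain for {brand}"


def scan_text(text, brand):
    """Find every http(s) link in a message and return [(url, verdict), ...]."""
    return [(url, check_link(url, brand)[0]) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed direct message in the style of the DM scam described above.
    dm = ("hey, is this you?? http://twitter.access-logins.com/login "
          "- the real settings page is https://twitter.com/settings")
    for url, verdict in scan_text(dm, "twitter"):
        print(f"{verdict:10s} {url}")
```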
Update - Information regarding the iPhone DM scam is now available.
Twitter users are reporting that they are receiving direct messages with links for a chance to win an Apple iPhone. The links in the DMs are sending Twitter users to two different sites suggesting that visitor sign up for a chance to win a free iPhone.
You’re asked for your gender, your mobile carrier and eventually your mobile number. Reading the fine print, however, shows you that by signing up for this promotion you’re also signing up for a third-party text messaging service which starts at $5.99 a week. For more details check out VentureBeat's post "You don’t want that free iPhone — another Twitter scam breaks out".
Monday, October 20, 2008
FBI Undercover Sting Nets 56 Arrests From "Dark Market" Forum
In its press release the FBI says the joint two-year undercover operation resulted in 56 arrests and $70 million in economic loss prevention.
"Carding" forums trade stolen credit card information and other personal information often obtained through phishing or other online schemes; the term can also be used to refer to the process of verifying the validity of stolen credit card accounts by making discreet purchases.
Cyber criminals using this forum (Dark Market) represented a virtual transnational criminal network spanning numerous countries who were involved with the buying and selling of stolen financial information including credit card data, login credentials (user names and passwords), as well as equipment used in carrying out certain financial crimes. At its peak the Dark Market website had over 2,500 registered members.
FBI Cyber Division Assistant Director Shawn Henry said, “In today’s world of rapidly expanding technology, where cyber crimes are perpetrated instantly from anywhere in the world, law enforcement needs to be flexible and creative in our efforts to target these criminals. Leads in many of these investigations take us to the online world of Internet forums, where criminals go to engage in the business of selling and trading innocent person’s credit card numbers and other personal information. By joining forces with our international law enforcement counterparts, we have been, and will continue to be, successful in arresting those individuals and dismantling these forums. The arrests this week in the U.K. are a good demonstration of the coordination taking place today between the FBI, the Serious Organised Crime Agency (SOCA), and other law enforcement agencies around the globe.”
The FBI conducted this operation with the assistance of multiple domestic and international law enforcement partners, including the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, the United Kingdom’s Serious Organised Crime Agency, the Turkish National Police – KOM Department, the Bundeskriminalamt (German Federal Criminal Police in Wiesbaden), and the Landeskriminalamt Baden-Wuerttemberg (State Police of Baden-Wuerttemberg).
Friday, April 18, 2008
PayPal's Answer To Phishing, Block Older Browsers
PayPal has said a "significant" group of people still use older versions of IE such as IE3, IE4 and IE5. Those browsers lack a phishing filter, which can block users, or will at least warn them, when they are trying to access a reported phishing Web site.
"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts," according to a paper released during the RSA security conference in San Francisco earlier this month.
The ban on older browsers could eventually mean trouble for users of Apple's Safari browser, which has no phishing filter. PayPal could decide to try to block any browser that is not equipped with the filter. Internet Explorer 7, Firefox 2 and Opera 9 have phishing filters, but Apple's browser, Safari, does not. Safari also does not support Extended Validation SSL (Secure Socket Layer) Certificates, issued to Web sites that have been vetted as legitimate.
Obviously there are several flaws in PayPal's plan. Phishing has been around for a long time, and even though it has been highly publicized people still get duped into clicking links and entering personal information on the bogus sites. This does not prevent a person from becoming a victim; it only pushes people towards updating. Updating to the latest version of your browser is always a good idea, as is staying away from IE. But the use of common sense and safe habits are the only things that will solve the phishing issue.
Everyone should learn safe internet practices, and learn to spot phishing attempts, scams, hoaxes, etc. By now you should know to question any emails you get from your bank, PayPal or any other site that involves important personal information. Don't just click the links in the emails; use your own bookmark so you know where you are going. Once you are there, double-check the address bar and make sure you are actually on the right site.
Saturday, February 23, 2008
Be On The Look Out For Tax Related Phishing
US IRS phishing emails redirect their victims to sites hosted in Russia and other former Soviet states, and they mimic the actual Internal Revenue Service web site almost perfectly. As soon as you've entered your personal and financial information you get redirected to the actual IRS site. Fiendish! MessageLabs reports that this type of spam spiked in January, hitting ten times the normal level.
The IRS has pointed out that "The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers." If you're wondering how your refund is doing, go directly to www.irs.gov and check the "Where's My Refund?" page. Don't click any links in email that claims to come from the IRS--it doesn't!
According to McAfee, UK phishers are pulling off a similar scam.
Currently an email is being sent out that claims that recipients can get an attractive tax refund from the Government by visiting what turns out to be a bogus website.
"After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of £215 ($420)," says the email. Clicking the links sends you off to a bogus site, which is intended to steal personal information for identity theft.
Tuesday, February 12, 2008
New Phishing Method Could Be Undetectable
According to a recent Techworld.com article "Phishing attacks could be undetectable". Researchers David Dagon, Chris Lee and Wenke Lee of Georgia Tech, and Niels Provos of Google presented their study "Corrupted DNS Resolution Paths" describing the exploit, called "DNS resolution path corruption".
The study, noted in a previous article, describes how an attack could be carried out by a simple piece of code implanted via a malicious website or email attachment. The code would change a Windows registry setting, telling the PC to use the malicious server for all DNS lookups.
The Techworld article states, "The problem is "open recursive" DNS servers, which are used to tell computers how to find each other on the internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks, according to the study."
"Using Google's network of web crawlers, researchers uncovered more than 2,100 Web pages that used exploit code to change the Windows registry of visitors."
Thursday, June 21, 2007
Beware Harry Potter Spoilers a Phishing Scam
A hacker calling himself Gabriel has published what he claims are all of the plot points, including which main characters get killed and the final outcome of the seven-book series.
Gabriel says he used "the usual milw0rm downloaded exploit." The exploit entailed delivering to a Bloomsbury employee an e-mail with an invitation to click on a link, open a browser and click on a maliciously crafted animated icon that allowed the attacker access to the victim's system.
"It's amazing to see how much [sic] people inside the company have copies and drafts of this book," Gabriel wrote in a posting on Insecure.org. "Curiosity killed the cat." (Ed. note: Spoiler alert: Do not click on the link to read Gabriel's posting if you don't want to have the plot spoiled.)
milw0rm is a group of politically motivated "hacktivists" whose most famous exploit was penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Bombay, the primary nuclear research facility of India, on June 3, 1998. They have anti-nuclear and pro-peace agendas and, in this case, anti-Harry Potter and pro-Pope Benedict XVI.
"We did it by following the precious words of the great Pope Benedict XVI when he still was Cardinal Joseph Ratzinger," Gabriel said. "He explained why Harry Potter bring the youngs [sic] of our earth to Neo Paganism faith. So we make this spoiler to make reading of the upcoming book useless and boring."
Gabriel said he did it "to protect you and your families."