PayPal Spoof?

After a pleasant outing to the twice-a-year Carlsbad Street Fair, Patricia and I came home not expecting anything special. However, when I checked my email, there was a significant letter in the inbox. It announced that my PayPal account had been limited! This slick letter even had a sidebar telling me how to protect my account and assuring me that PayPal will never ask me for a password via email.

However, they did ask me to “Click here to update your account”. When I hovered over the link, a URL came up that was different from PayPal’s. It was to “cashdigger.com.” That caught my attention. So I googled that and found a blocked website. After nosing around a bit more, I found some hits that pointed to a Chinese service. At this point I stopped looking.

To see what is going on, I went to PayPal’s site and navigated to their security center to report this letter and see what they say. PayPal wanted me to forward the suspect letter to them, but that would have involved enabling the download of the images associated with it. I was reluctant to send back a request for images and thereby validate my address. After thinking about it for a moment, I selected the whole letter (Ctrl A) and copied it (Ctrl C), and pasted it into a new letter which I then sent to [email protected] with an appropriate subject heading. All this happened a few minutes ago so I do not have an answer yet as to what this probable attack is about, but I assure you I found nothing on the official PayPal site that had anything to do with my information being out of date and needing confirmation.
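The two checks made by hand above, comparing where a link claims to go with where its href actually points, and noticing that the message carries remote images that would phone home when loaded, can be run over the raw HTML of a message before anything is clicked or rendered. The following is an added example written for this page, not code from the original post or from PayPal; the sample message is constructed (only the cashdigger.com host comes from the post, the paths and the image host are made up), and the registrable-domain helper is a deliberate simplification that a real tool would replace with the public suffix list.

```python
"""Audit the links and remote images in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample resembling the message described in the post.
SAMPLE_EMAIL = """
<html><body>
<p>Your PayPal account has been limited.</p>
<p><a href="http://cashdigger.com/verify?id=1">Click here to update your account</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com</a></p>
<img src="http://img.cashdigger.com/open.gif?u=victim" width="1" height="1">
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for anchors and src for images."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, visible_text]
        self.images = []     # list of src values
        self._open = None    # the anchor currently being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], ""]
            self.links.append(self._open)
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _registrable(host):
    """Crude registrable domain (last two labels). Assumption: fine for the
    hosts in this example; a real tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_email(html, claimed_domain):
    """Return (kind, url, visible_text) findings for:
    - links whose host is not under the domain the message claims to be from,
    - links whose visible text names a different host than the href,
    - remote images, which act as a read receipt when the client loads them."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = _host(href)
        text = text.strip()
        if _registrable(host) != claimed_domain:
            findings.append(("off-domain link", href, text))
        # If the anchor text itself looks like a URL or host, it must match the href.
        shown = _host(text if "://" in text else "http://" + text)
        if "." in shown and shown != host:
            findings.append(("text/href mismatch", href, text))
    for src in p.images:
        if src.startswith(("http://", "https://")):
            findings.append(("remote image beacon", src, ""))
    return findings


if __name__ == "__main__":
    for kind, url, text in audit_email(SAMPLE_EMAIL, "paypal.com"):
        print(f"{kind:22s} {url}  [{text}]")
```

Running it on the sample reports the off-domain "Click here" link and the tracking image, while the genuine www.paypal.com help link passes; the remote-image finding is exactly why forwarding the message as pasted text, rather than enabling images, was the right call.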

I do not know PayPal’s policy on returning information about security reports, so we might never know the result. However, I am willing to bet that I will not receive a reminder from them to update my account!

BTW, the English in the letter was impeccable. Often with crude phishing attempts, the text is obviously written by a non-native speaker. This was particularly true of the varieties of scareware that were prevalent earlier in 2010.

If this has happened to you or if you know anything more about it, please let me know.

The street fair was fun.

Email Phishing Is Getting Bad

Netflix, banks, ISP claims of illegal downloading, even iTunes invoices for hundreds of dollars. Clearly, we have a crisis here with email phishing schemes… so what can we do? Apparently nothing, as my ISP email, among other accounts, is being hit with these disturbing phishing attempts like never before.

Those of us using webmail services like Gmail, Hotmail, Yahoo! and so on find that these phishing attempts are not as common. After all, most of the time these things end up in the spam folder. But what about people using ISP email? No such luck, based on what I’ve seen lately.

My mom, among others, has seen a SHARP increase in phishing attempts as of late. It’s becoming a real problem. While my mom has been trained with great intensity to verify what is legitimate email and what should be left alone, this recent stuff with Netflix has created some concern for me.

What do you think? Do you see phishing becoming a bigger issue for ISP email users unless their spam filtering improves? Hit the comments, share your thoughts.

Virtual Security Threats

At first pass, the idea of the police getting involved in a “virtual furniture theft” from an online community like Habbo Hotel might sound insane to the rational. But it’s what happened in the real world that should be raising concern. Someone is out there hacking accounts.

It seems that the Habbo Hotel incident linked above is hardly an isolated case. The same problem is occurring in the WoW (World of Warcraft) community, amongst others.

When real life money is used to purchase virtual goods and a theft of said virtual goods takes place, then you better believe that it becomes a legal issue in the literal sense. Digital crime doesn’t become less of a threat when the goods are virtual. Not at all.

Facebook Loses Its Face… Board Members Hacked

The folks at Facebook would rather have kept this hack quiet, since they have been fighting growing criticism for some of the recent changes they have made. But on Sunday, board member Jim Breyer sent out a message to some 2,301 of his friends that stated:

“Would You Like a Facebook Phone Number?” it asked, presenting a link to “see more details and RSVP.”

There was just one minor problem. Mr. Breyer was not the true sender of the message since it was later learned that his account had been hacked. But does anyone really believe that any social networking site could be hack proof? I never did. So when Facebook responded with these statements, it made me wonder just how secure its servers really are.

We take security very seriously and have devoted significant resources towards helping our users protect their accounts.  We’ve developed complex automated systems that detect and flag Facebook accounts that are likely to be compromised (based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad).  Because Facebook is a closed system, we have a tremendous advantage over email.  That is, once we detect a phony message, we can delete that message in all inboxes across the site.  We also block malicious links from being shared and work with third parties to get phishing and malware sites added to browser blacklists or taken down completely.  Users whose accounts have been compromised are put through a remediation process, where they must take steps to re-secure their account and learn security best practices.  This is what happened with Mr. Breyer’s account.
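The two signals Facebook’s statement names, an unusual number of messages sent in a short period and messages carrying links to hosts already known to be bad, are straightforward to implement as a pass over send telemetry. The following is an added example written for this page, not Facebook’s code; the event records, the thresholds and the blocklisted host phish.example are constructed.

```python
"""Flag accounts that look compromised from message-send events (added example)."""
from collections import deque
from urllib.parse import urlsplit

KNOWN_BAD_HOSTS = {"phish.example"}   # constructed blocklist

# Constructed events: (timestamp_seconds, account, link_or_None)
EVENTS = [
    (0,   "alice", None),
    (30,  "alice", "https://photos.example/a"),
    (10,  "board_member", "http://phish.example/rsvp"),
    (12,  "board_member", "http://phish.example/rsvp"),
    (14,  "board_member", "http://phish.example/rsvp"),
    (16,  "board_member", "http://phish.example/rsvp"),
    (18,  "board_member", "http://phish.example/rsvp"),
    (700, "alice", None),
]


def flag_accounts(events, window=60, max_in_window=4, bad_hosts=KNOWN_BAD_HOSTS):
    """Return {account: set_of_reasons}.

    'burst' fires when more than max_in_window sends fall inside any rolling
    window of `window` seconds; 'bad_link' fires on the first message whose
    link host is blocklisted. Events are sorted by time first so the sliding
    window is correct regardless of input order."""
    recent = {}      # account -> deque of timestamps inside the current window
    flagged = {}
    for ts, account, link in sorted(events, key=lambda e: e[0]):
        q = recent.setdefault(account, deque())
        q.append(ts)
        while q and ts - q[0] > window:     # drop sends older than the window
            q.popleft()
        if len(q) > max_in_window:
            flagged.setdefault(account, set()).add("burst")
        if link and (urlsplit(link).hostname or "").lower() in bad_hosts:
            flagged.setdefault(account, set()).add("bad_link")
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_accounts(EVENTS).items():
        print(account, sorted(reasons))
```

With the sample events only board_member is flagged, on both counts; alice’s three sends spread over twelve minutes stay under the burst threshold. In practice the thresholds would be tuned per account history rather than fixed, and a burst alone would trigger the remediation flow the statement describes rather than an outright block.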

I have chosen to stay away from Facebook. My family all have joined in on the fun, but I have personally decided to avoid it. My time is of value to me and I would rather dedicate my mind to enhancing it, not turning it to Jell-O!

Do you feel safe using Facebook? If so, why?

Comments welcome.

Consumers Still Act Like Dummies Online And Share Private Information

In what should not come as a surprise, but still does, it seems that consumers still are using the Internet like a toy. In a recent survey by Consumer Reports, 52% of respondents have posted personal information online. It gets better. These people have posted their home addresses, date of birth, and also information about their children. Unbelievable!

But when it comes to social networking sites, the numbers are less:

On Facebook only, 42 percent have posted their date of birth, 7 percent have posted street addresses, and 3 percent have disclosed when they were away from home. About 23 percent of Facebook users, meanwhile, are either unaware that Facebook has privacy controls that protect this information or do not use them.

Another 26 percent of Facebook users post their children’s photos and names, which could potentially expose them to predators, the report said.

Of the 18.4 million people who have installed Facebook apps, 38 percent were confident that the apps were secure or had not thought about it. About 1.8 million computers were infected by social networking apps in the past year, Consumer Reports said.

Now that’s good news. Only 42% are idiots when it comes to posting information on Facebook! What is wrong with people?

There was also this:

Overall, Consumer Reports found that 1.7 million online households were victims of Web-related ID theft in the last year, 5.4 million online consumers submitted personal data via phishing e-mails, and that cyber-crime has cost American consumers $4.5 billion over the past two years, trashing an estimated 2.1 million computers.

Solving this problem doesn’t require expensive technology, however, the report concluded. “It requires the networks themselves to keep improving their privacy practices and better educating users,” the report said.

Better educate users? Where do these people live? In a cave? LOL

Comments welcome.

Huge Security Hole In Digg, Reddit And Even YouTube

I could hardly believe this video below. How could this completely obvious redirect flaw still be in play, thanks to the lazy behavior of the various social networks out there? YouTube, Digg, Reddit? All of them can be used to fool otherwise tech-savvy computer enthusiasts. The flaw is an open redirect: the trusted site has a redirect endpoint that forwards the visitor to whatever address is handed to it, so a link that starts with the trusted site’s name can end up anywhere. Click a URL for “YouTube” and find yourself being phished. Watch the video — all of it.

Here’s what is really frightening: no one seriously looks closely at the URLs we click on from social networks. While some of us might be wary of URL shorteners, how many of us really pay attention to what we’re clicking on at Digg or Reddit? Not many…

Worse is that these sites state the link provided goes to YouTube. Now that is just scary and needs to be addressed. The funny part though is that this exploit is NOT new. Reddit and Digg, let’s address this as, clearly, Google’s YouTube is not.
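The fix on the site side is not complicated: a redirect handler must parse the target URL and compare its hostname against an allowlist, rather than checking that the string starts with the trusted name. The following is an added example written for this page, not code from YouTube, Digg or Reddit; it shows the vulnerable prefix check beside the hardened one, and the youtube.com allowlist and the test URLs are constructed.

```python
"""Open-redirect validation: the naive check beside the hardened one (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"youtube.com", "www.youtube.com"}   # assumed allowlist for this example


def is_allowed_naive(target):
    """Vulnerable: a string prefix test. It accepts any host that merely starts
    with the trusted name (youtube.com.evil.example) and the userinfo trick
    (http://youtube.com@evil.example/), because the browser reads the part
    after '@' as the real host."""
    return target.startswith("http://youtube.com") or target.startswith("https://youtube.com")


def is_allowed(target, allowed=ALLOWED_HOSTS):
    """Hardened: require an absolute http(s) URL with no userinfo and an exact,
    case-insensitive hostname match against the allowlist."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):      # rejects javascript:, data:, scheme-relative //
        return False
    if "@" in parts.netloc:                         # rejects http://youtube.com@evil.example/
        return False
    host = (parts.hostname or "").lower()
    return host in allowed


def resolve_redirect(target, fallback="https://www.youtube.com/"):
    """What a /redirect?url=... handler should do: go to target only if it
    passes, otherwise send the visitor to a safe default."""
    return target if is_allowed(target) else fallback


# Constructed cases: (url, should the hardened check allow it)
CASES = [
    ("https://www.youtube.com/watch?v=abc", True),
    ("HTTPS://WWW.YouTube.com/", True),
    ("http://youtube.com.evil.example/login", False),
    ("http://youtube.com@evil.example/", False),
    ("//evil.example/", False),
    ("javascript:alert(1)", False),
]

if __name__ == "__main__":
    for url, expected in CASES:
        print(f"{url:45s} naive={is_allowed_naive(url)!s:5s} hardened={is_allowed(url)!s:5s} expected={expected}")
```

The two lookalike cases are the ones that matter: both pass the naive check and would be shown to the user as a YouTube link, and both are rejected once the hostname is actually parsed. Requiring an absolute http(s) scheme also closes the scheme-relative and javascript: variants that a prefix test never considers.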

A VIPRE For Safekeeping

There used to be the belief that if one stays away from “bad” Web sites, then malware is not a problem. That is not true, as a recent example with the New York Times illustrated. The popular news Web site was compromised, and the trusted site was serving up malicious ads:

The malicious ad took over the browsers of many people visiting the site, as their screens filled with an image that seemed to show a scan for computer viruses. The visitors were then told that they needed to buy antivirus software to fix a problem, but the software was more snake oil than a useful program.

Exploiting weaknesses in online ad systems is an increasingly common approach for computer criminals around the globe who hope to make a quick buck from the audiences of the sites they attack. Experts say the problem is likely to get worse as companies scramble to satiate a click-happy online culture.

This is just one way in which criminals / hackers are becoming exceedingly creative in exploiting site visitors. No reputable software company would market products in this manner, but the criminals are relying on the trust that people have in the site.

There have been malware installations without the site visitors having to do anything. These are the so called ‘drive-by’ downloads, and just visiting the site puts one at risk. No click — or download — is necessary.

It is absolutely essential to be running an anti-virus and anti-spyware program. One of our recommendations is VIPRE from Sunbelt Software. It is effective without draining your computer of resources. VIPRE’s memory footprint is very small, and this has brought a lot of memory back to otherwise bogged-down machines.

Sunbelt Software is offering our readers a 20% saving on VIPRE. This offer is good until November 18, 2009.

VIPRE works with “Windows Server 2008, Windows Vista+ (All flavors) 32 and 64-bit, Windows Server 2003, Windows XP SP1, SP2, SP3 (Home, Pro, Media Center, Tablet) 32 and 64-bit and Windows 2000 SP4 RollUp 1.” And yes, it works with Windows 7, too.

The Sunbelt people are making a generous offer to protect all the computers in your home. It is a “home site license” which allows using the program on more than one computer. There is a discount for this “home site license,” and it’s just a huge saving for our readers.

We have worked with the people at Sunbelt for years. They work diligently to keep up with what is happening with computer security. It is a ‘cat-and-mouse’ game where criminals are trying to exploit people in creative and innovative ways. The people at Sunbelt keep up with what is happening and this is reflected in their security product. Many Gnomies use this program… and we recommend it.

20% Off RoboForm Pro

Students returning to school at colleges and universities need to be concerned about their security online. However, the same security measures should apply to ALL Internet users. Students will be using new Web sites and setting up new accounts via the school. As such, they are prime targets for hackers and criminals who phish and steal identities. College students make such nice sitting ducks because they are unlikely to have either criminal records or significant debt, which makes a stolen identity easy to use.

As students, they will be told repeatedly to guard their passwords and not share them with anyone. Unfortunately, people who give this advice don’t go far enough. There are spoofed Web sites designed to steal personal information, seemingly innocent and viable sites, and such sites may also carry keyloggers and other tools that attackers use. Fortunately, there is software available to protect these people and their passwords.

You can safeguard your personal information with RoboForm Pro. It helps protect users from phishing attempts because it remembers the sites you use and fills a saved login only on the site it was saved for. The phony sites are sometimes so good that it’s almost impossible to tell they are fake until it’s too late, but a spoofed copy lives at a different address, so nothing is filled there, and that is your warning.

There are many additional features to this software, and there are online tutorials to teach you how to use it effectively. It is more than worth the time to become an expert in the use of RoboForm Pro.

With the security of our readers in mind, the RoboForm Pro people are offering all of you a very healthy savings on this product. From now until August 19th, you can save 20% off your purchase of RoboForm Pro.

For those of you returning to school — and even those of you long out of school — we highly recommend this product for your own safety. You want to guard your personal information. With as much as you have going on in your life, you may not always be as careful online as you think you are. It’s so easy to get sidetracked!

In this day and age, you can’t be too careful with your identity or your passwords. RoboForm Pro will give you the peace of mind to know that you are much safer than you thought you could be.

Malware Never Rests

There are times when Internet predictions are simply too easy. Last Monday, on these pages, there was an indication that there would be an increase in malware because of the news of the swine flu problem. Regrettably, this has come true. There has been an increase in spam, phishing, malware, and other nefarious online activity.

For this reason, the suppliers of SUPERAntiSpyware were asked if they would extend their promotion with us. They have extended the generous offer to our readers until May 8, 2009 to save ten dollars off the normal purchase price.

The other reason for extending this offer for our readers is that it gives an opportunity to address an issue that one of the commenters raised. There was a question about who in the security community recommended this product. Well, names can be listed and we will do so briefly:

  • Our very own Kat is a four-year Microsoft MVP in the area of Windows security. Kat has been working on malware-removal forums for nearly seven years now, and is an administrator at GeeksToGo. She highly recommends this program on a regular basis.
  • Catherine Forsythe and her software assessment group recommends this program. Catherine has been assessing security programs for over a decade now.
  • Mike Healan from the original SpywareInfo site and newsletter began recommending this product when it was first introduced.
  • Sean Roe, another Microsoft MVP and owner of 247Fixes calls SAS an excellent program.
  • All of the malware-removal Web sites that are “heavy hitters” in this field recommend this program to their users. The list of sites includes (but is far from limited to): GeeksToGo, BleepingComputer, SpywareInfo Forum, and What the Tech.

We could go on and on, but there should be a point made here. No security program is absolutely faultless. Given the nature of the Internet and the pace of infections, absolute guarantees just do not happen. However, that being said, pains are taken to recommend the very best available. There may be disputes about which program is the most effective and that is bound to happen. What is recommended has been vetted thoroughly by literally hundreds of experts in this field on a regular basis. Each and every one of them still recommends this program to literally thousands of people every single day.

If there were a dubious program recommended, the inbox would feel it within hours of the program being featured. This does not happen. One person raised an issue. Nevertheless, let there be no doubt whatsoever that computer security and keeping your data safe are taken seriously here. It would be wonderful if no security products were needed. That is not going to happen any time soon. Therefore, we present serious security software to our readers and do hope that, with the good prices, some time and focus will be paid to keeping the computer safe. It matters because it can have an impact upon you and others online.

It Is Phishing Season

Almost as if on a time line set with the current financial frustration being felt out there in the world, phishing schemes are really beginning to heat up. And as per usual, the phishing schemes are heavily targeting bank customers.

This level of slime never ceases to amaze and disgust me. I grow so tired of seeing messages like this ending up in my bulk mail folder or reading stories about people being taken advantage of by this type of thing. What is interesting, however, is the growing trend I am finding of these operators using the same tools SEOs use to keep their sites in top Google rankings.

Not all that surprising is that phishers (if that is a word) are also using tools like Google Trends to ensure they can catch the latest fear craze. Personally, I am waiting to see when they start sending out notices announcing bank closures followed by a request to send all of that user’s funds to some unmarked account. Yes, it sounds insane, but these are insane times.

Vidoop Labs Launches Identity In The Browser (IDIB) Dream Project

Vidoop Labs has a dream:

The dream is to see Identity baked into all browsers. Just imagine opening your Web browser and then selecting your Identity Provider (IDP) the way you select your default search provider. The benefits are numerous; never type in a username, never look for a login button/page (you are authenticated when you land on a domain), no phishing/MITM (the browser can do domain and SSL cert validation). You fire up your browser and authenticate (or login) similar to the way you log in to your computer every time you turn it on. The difference is you get to choose your provider and can take control of the data you safeguard, store and share on the Internet.

I could get into that.

Vidoop is a Portland, Oregon company that has built some interesting technology around OpenID. I really like the idea of OpenID, and I have a couple of OpenIDs of my own that I use on various sites. But OpenID is not exactly perfect. It’s still relatively young, and from the usability standpoint it needs improvement. The identity and authentication requirements of the modern Internet demand some additional features and capabilities that OpenID doesn’t deliver (and you can argue that it shouldn’t). By combining OpenID with other technologies (such as Information Cards and other strong-auth offerings) and improving usability for end-users, it could become a widely-adopted, used and trusted standard, or part of a broader one covering strong authentication and identity protection/assertion in a commonly-accepted and deployed package.

Vidoop’s Luke Sontag today posted an announcement that the company’s newly-formed Vidoop Labs has fired up a community project called IDIB (pronounced “Eye-Dib”), which aims to improve on the OpenID usability model and make it stronger at the same time. They’ve released a developer preview of IDIB in hopes of involving people and getting your input and feedback.

From the Vidoop announcement:

Over the past few years we’ve seen the adoption of OpenID continue to increase, but the work that we’ve done as a community to develop this technology has only just begun. Looking at the landscape of OpenID adoption, it’s clear that there are several key factors inhibiting adoption, but two that we want to focus on today, namely usability and security in the browser.

It was almost two years ago when the Firefox 3.0 roadmap was announced and OpenID was mentioned as a new component to the platform. The Mozilla Firefox team looked to members of the OpenID community to step up and provide guidance on what exactly we imagined identity in the browser looking like, but we failed to mobilize and answer their call.

In light of that missed opportunity, Vidoop Labs has been working hard over the last several weeks to produce a prototype that we intend to use to initiate a wider discussion about OpenID in the browser and what it might look like.

And the current developer preview (which is open-source) is just a beginning. Imagine leveraging Information Cards (such as one would use with Microsoft’s CardSpace, or the similar open-source offerings for Mac and Linux) in the cloud, and being able to use OpenID – one logon for all your Web sites – confidently and securely.

The Internet needs a good, strong, reliable, usable and secure standard technology to solve the issues related to user names, passwords, single sign on and identity protection. IDIB looks like a serious and positive attempt to start the journey directly down that path.

Google Fighting Fake eBay And PayPal Messages

Google is taking another step in the fight against phishing: it is now authenticating every message that claims to come from eBay or PayPal and rejecting the ones that fail, so that forged messages from either company never reach consumers.

Gmail does its best to put a red warning label on phishing messages, but it can be hard for us to know sometimes and we can’t be 100% perfect. So, for the fraction of a time when Gmail misses it, you may end up squinting three times and turning the message sideways before suspecting that it’s phishing. Wouldn’t it be better if you never saw phishing messages at all, not even in your spam folder? Since 2004, we’ve been supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages. This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail — if they’re sending some mail without signatures, it’s harder to tell whether it’s phishing or not. Well, I’m happy to announce today that by working with eBay and PayPal, we’re one step closer to stopping all phishing messages in their tracks.

Now any email that claims to come from “paypal.com” or “ebay.com” (and their international versions) is authenticated by Gmail and — here comes the important part — rejected if it fails to verify as actually coming from PayPal or eBay. That’s right: you won’t even see the phishing message in your spam folder. Gmail just won’t accept it at all. Conversely, if you get a message in Gmail where the “From” says “@paypal.com” or “@ebay.com,” then you’ll know it actually came from PayPal or eBay. It’s email the way it should be.

Authentication should be used by ALL ISPs. It is time to start taking spam and phishing emails seriously and to protect the consumer from fake messages. Too many people fall for these deceitful emails and send personal information to the bad guys. One caveat: this check only verifies the domain in the address. A message from a lookalike domain, or one that shows “PayPal” only in the display name with some other address behind it, is not affected by it, so hovering over the link before clicking still matters.
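What the quoted description amounts to on the receiving side is a policy check: for a domain that has opted in, accept only mail whose From: domain is vouched for by a passing DKIM signature or SPF result on that same domain, and reject everything else; mail from domains with no such policy goes to the ordinary spam filter. The following is an added example of such a check written for this page, not Gmail’s implementation. The strict-domain table, the three sample messages and their Authentication-Results headers (written as a receiving MTA’s own verifier would add them, which is why the code trusts them) are constructed, and the rule that a subdomain counts as aligned is an assumption.

```python
"""Reject mail that claims a strict domain without an aligned DKIM/SPF pass (added example)."""
import email.utils
import re
from email import message_from_string, policy

# Constructed policy: domains that asked receivers to drop unauthenticated mail.
STRICT_DOMAINS = {"paypal.com", "ebay.com"}

# Constructed messages; Authentication-Results is the local MTA's own verdict.
LEGIT = """\
Authentication-Results: mx.example; dkim=pass header.d=paypal.com; spf=pass smtp.mailfrom=paypal.com
From: "PayPal" <service@paypal.com>
Subject: Your receipt

Thanks.
"""

FORGED = """\
Authentication-Results: mx.example; dkim=none; spf=pass smtp.mailfrom=bulk.cashdigger.com
From: "PayPal" <service@paypal.com>
Subject: Your account has been limited

Click here.
"""

LOOKALIKE = """\
Authentication-Results: mx.example; dkim=pass header.d=paypal-secure.example; spf=pass smtp.mailfrom=paypal-secure.example
From: "PayPal" <service@paypal-secure.example>
Subject: Your account has been limited

Click here.
"""


def from_domain(msg):
    """Domain of the address in From:, ignoring the display name."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def authenticated_domains(msg):
    """Domains vouched for by a passing DKIM signature (header.d=) or SPF check."""
    ar = str(msg.get("Authentication-Results", ""))
    found = set()
    for m in re.finditer(r"dkim=pass\s+header\.d=([\w.-]+)", ar):
        found.add(m.group(1).lower())
    for m in re.finditer(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", ar):
        found.add(m.group(1).lower())
    return found


def aligned(auth_domain, from_dom):
    """Assumed alignment rule: same domain, or a subdomain of the From: domain."""
    return auth_domain == from_dom or auth_domain.endswith("." + from_dom)


def decide(raw):
    """'accept' (strict domain with an aligned pass), 'reject' (strict domain
    without one) or 'unverified' (no policy for this domain; spam filter decides)."""
    msg = message_from_string(raw, policy=policy.default)
    fd = from_domain(msg)
    if fd not in STRICT_DOMAINS:
        return "unverified"
    if any(aligned(d, fd) for d in authenticated_domains(msg)):
        return "accept"
    return "reject"


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("FORGED", FORGED), ("LOOKALIKE", LOOKALIKE)):
        print(f"{name:10s} -> {decide(raw)}")
```

The forged message is rejected even though its SPF check passed, because the passing domain is the spammer’s own and not paypal.com. The lookalike message is the caveat made concrete: it authenticates perfectly well for paypal-secure.example, a domain with no policy, so this mechanism says nothing about it and the user is back to reading the address and hovering over the link.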

What do you think?

Comments welcome.
