03.10.08
Posted in IT, Interesting Stuff, Phishing / Scams at 3:43 am by Tyler Reguly
One of my favourite non-IT blogs has got to be The Consumerist. I really like the idea of a public online watchdog that has the freedom to publish pretty much anything.
Anyways, the other day this post caught my attention:
Why doesn't a bank (cough HSBC cough) offer the option to have text message alerts sent to a registered phone number any time a withdrawal is made from a specific account via ATM? "$120 was withdrawn at 2:51pm EST in Palo Verde, CA. Reference #293005"
I think this is a great idea... There's plenty of software that takes advantage of Pager/SMS/Email notifications, why can't the bank do the same? We're becoming more and more technologically advanced and cell phones are everywhere. Even my 15-year-old sister has an HTC S720.
I would love this feature. My fiancée, a while back, got a letter saying that her debit card had been used at a business known to have conducted malicious activities with customers' banking information. She got a letter because the bank called, during business hours, and didn't leave a message (I've never quite figured out why service-based businesses operate during the hours that people work... there should be an offset, especially if you're trying to contact the individual). Sure, the proposed feature is for withdrawals, but why couldn't it exist for all fraudulent activity?
Now maybe the reason this doesn't exist is to avoid opening yet another avenue of attack. My bank "requires" (you don't HAVE to enter it, but they sure do want you to) an email address. They send me quasi-important information via email. The next thing you know, when I log into my online banking, there's a notice warning me about yet another phishing attack that's targeting customers of my bank. Perhaps they don't want to introduce a new channel that phishers can take advantage of. I seem to recall getting random SMS spam with my first cell phone, coming from numbers like '00000' and '12345', however I haven't seen any of that in quite some time... either I'm really lucky or cell phone companies have figured out how to stop spoofed messages. (Which I find unlikely given that landlines can't prevent Caller ID spoofing.) So would we be making things riskier by allowing SMS Fraud Notifications?
Scenario
- Customer gets SMS stating that their account has had $500 withdrawn in Mexico.
- SMS asks customer to contact the bank, providing a number.
- Customer is in a panic and calls the number immediately.
- "Agent" asks customer to provide personal information (Bank Account info, SSN/SIN, Address, DoB) to verify that it isn't the fraudulent user.
- Customer has just been scammed.
Do I foresee that scenario happening if SMS Fraud Notification is introduced? Definitely. Do I still think SMS Fraud Notification would be very beneficial? You bet! Banks simply have to remind customers to always contact the bank following an SMS, but to use the number on their debit card or a known trusted source (bank's website, phone book, bank statement, etc.) Banks also have to accept that this is for Fraud Notification only, if customers start getting non-fraud related notifications, they'll grow lax and be more likely to succumb to a targeted phishing attack.
So thoughts... SMS Fraud Notification -- Good or Bad? Beyond that would you pay for the option or only take advantage of it if it were free?
07.02.07
Posted in IT, Phishing / Scams, Security at 5:57 pm by Tyler Reguly
In the past 24 hours I've received multiple "greeting card emails" telling me to visit the website and view my greeting card. A couple of points for people to keep in mind when receiving e-cards.
- 99% of the time, the e-card email will contain the name of the person who has sent you the e-card. If the email contains phrases like "an e-card from a mate" or "a worshiper has sent you an e-card", it's most likely not a valid email.
- The link that you are clicking on in the email will appear as a valid domain name. This doesn't mean you can automatically trust domain names, but you should instinctively delete any email where the link appears as an IP address (dotted-decimal notation, such as 1.2.3.4).
- The email will appear as either the address of the person sending it, or a generic address from the company providing the e-card. If you see an address such as abc123@randomletters.com.tr, the e-card is a scam.
Now let's take a look at a real e-card from E-Cards.com vs a malicious e-card spoofing E-Cards.com.
Valid E-Card
From: Tyler Testing
Reply-To: Tyler Testing
To: ht@xxx.org
Date: Jul 2, 2007 6:36 PM
Subject: E-CARD from Tyler Testing
Mailed-by: e-cards.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Greetings!
Tyler Testing has sent you an E-Card -- a virtual postcard from
E-Cards.com. You can pickup your card at the E-Cards.com website.
-> If your e-mail is hot-link enabled, click here:
http://cards.e-cards.com/pickup/pickup1.pl?code=xxxxx
-> You may also point your web browser to: http://www.e-cards.com/
Then, visit the card pickup page and input your pickup code:
xxxxx
Your E-Card will be available for 15 days from the sending date.
To keep your E-Card accessible indefinitely, you may want to join
"My E-Cards" -- an option to do so is provided in your E-Card!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^ Save trees. Learn about wildlife nature and the environment.
^^^ Generate an advertising sponsored donation.
^^^^^ Every E-Card sent helps support wildlife and the environment!
%
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Malicious E-Card
From: E-Cards.Com [mailto:ngz@dostbilgisayar.com.tr]
Sent: Monday, July 02, 2007 12:21 PM
To: Tyler Reguly
Subject: You've received a greeting ecard from a mate!
Good day.
Your mate has sent you a greeting ecard from E-Cards.Com.
Send free ecards from E-Cards.Com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.
To view your ecard, choose from any of the following options:
--------
OPTION 1
--------
Click on the following Internet address or
copy & paste it into your browser's address box.
http://xxx.209.67.xx/?XXXX
--------
OPTION 2
--------
Copy & paste the ecard number in the "View Your Card" box at
http://xxx.209.67.xx/
Your ecard number is
XXXX
Best wishes,
Mail Delivery System,
E-Cards.Com
I haven't visited the links in a secure VM to see where they point, so I don't quite feel comfortable providing the links on this page. If anyone wants the links, they can feel free to contact me.
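As an added example (not code from the original post), here is a small Python script that applies the three rules above to a message: named sender vs. a generic phrase, a pickup link that is a hostname under the card service rather than a bare IP address, and a From: domain that belongs to the card service. The two messages inside it are constructed stand-ins modelled on the valid and malicious e-cards shown above, with placeholder addresses and a documentation-range IP; they are not the original mails.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Two constructed messages modelled on the e-cards quoted above. They are not
# the original mails: headers are abbreviated, addresses are placeholders and
# the malicious link uses the documentation range 192.0.2.0/24.
VALID_ECARD = """\
From: Tyler Testing <cards@e-cards.com>
To: ht@xxx.org
Subject: E-CARD from Tyler Testing
Content-Type: text/plain

Tyler Testing has sent you an E-Card -- a virtual postcard from E-Cards.com.
-> If your e-mail is hot-link enabled, click here:
http://cards.e-cards.com/pickup/pickup1.pl?code=xxxxx
"""

MALICIOUS_ECARD = """\
From: E-Cards.Com <ngz@dostbilgisayar.com.tr>
To: Tyler Reguly <ht@xxx.org>
Subject: You've received a greeting ecard from a mate!
Content-Type: text/plain

Your mate has sent you a greeting ecard from E-Cards.Com.
Click on the following Internet address:
http://192.0.2.10/?XXXX
"""

# Generic stand-ins for a sender name (rule 1 in the post).
GENERIC_SENDER = re.compile(
    r"\b(?:a mate|a friend|a worshipp?er|a secret admirer|a family member)\b", re.I)
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL = re.compile(r"https?://[^\s<>\"']+")


def _under(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_ecard(raw, expected_domains=("e-cards.com",)):
    """Apply the three rules from the post; return a list of findings
    (an empty list means nothing suspicious was seen)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    _, sender = parseaddr(str(msg["from"] or ""))
    sender_domain = sender.rpartition("@")[2]
    findings = []

    # Rule 1: a real card names the sender; "a mate" / "a worshiper" does not.
    if GENERIC_SENDER.search(subject) or GENERIC_SENDER.search(body):
        findings.append("generic sender phrase instead of a named sender")

    # Rule 2: pickup links are hostnames under the card service, never a bare
    # IP address.
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_LITERAL.match(host):
            findings.append(f"link to bare IP address: {url}")
        elif not _under(host, expected_domains):
            findings.append(f"link host {host} is not under {expected_domains}")

    # Rule 3: From: is the card service's own domain. A card sent from the
    # sender's personal address would also be legitimate; handling that would
    # need an allowlist of known correspondents, which this check omits.
    if not _under(sender_domain, expected_domains):
        findings.append(f"From: domain {sender_domain} is not under {expected_domains}")
    return findings


if __name__ == "__main__":
    print("valid:", check_ecard(VALID_ECARD))
    print("malicious:", check_ecard(MALICIOUS_ECARD))
```

Running it reports nothing for the valid card and three findings for the spoof (generic sender phrase, bare-IP link, unrelated From: domain). The From: check is the weakest of the three, since a From: header is trivially forged; the link-host check is the one that actually says where a click would take you.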
04.12.07
Posted in IT, Phishing / Scams at 11:29 am by Tyler Reguly
RSnake has an interesting post on the Whois Daemon that is running for the .to TLD. It seems as though their modified daemon returns minimal results... masking all contact and registration information.
root:# whois tonic.to
Tonic whoisd V1.0
tonic
root:# whois task.to
Tonic whoisd V1.0
task ns1.perpetualconnections.com 64.90.96.130 ns2.perpetualconnections.com 64.90.96.230
As RSnake points out this is a spammers dream. I would add that the same is true for phishers.
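To show what that minimal answer looks like on the wire, here is an added example (not RSnake's or Tonic's code) of a bare RFC 3912 whois client plus a parser for the terse "label nameserver ip nameserver ip" line above. Because the example has to run offline, it also starts a loopback stub that replies exactly like the transcript; the stub is a constructed stand-in, not Tonic's daemon, and the real registry server for .to is whois.tonic.to.

```python
import re
import socket
import threading

# Constructed stub answers copied from the transcript above, so the client can
# be run offline. This is not Tonic's software.
TONIC_LIKE_ANSWERS = {
    "tonic.to": "Tonic whoisd V1.0\ntonic\n",
    "task.to": ("Tonic whoisd V1.0\n"
                "task ns1.perpetualconnections.com 64.90.96.130 "
                "ns2.perpetualconnections.com 64.90.96.230\n"),
}

# Labels a conventional registry answer carries and the Tonic daemon omits.
CONTACT_FIELDS = re.compile(r"\b(registrant|admin|tech|registrar)\b", re.I)


def whois_query(name, server, port=43, timeout=5):
    """RFC 3912 client: one TCP connection, the query plus CRLF, read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(name.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_tonic(response):
    """Parse 'Tonic whoisd V1.0' followed by 'label ns ip ns ip ...'."""
    lines = [l.strip() for l in response.splitlines() if l.strip()]
    banner = lines[0] if lines else ""
    fields = lines[1].split() if len(lines) > 1 else []
    label = fields[0] if fields else None
    pairs = fields[1:]
    nameservers = [(pairs[i], pairs[i + 1]) for i in range(0, len(pairs) - 1, 2)]
    return {
        "banner": banner,
        "label": label,
        "nameservers": nameservers,
        # crude keyword check; enough to show the answer names no contact
        "has_contact_info": CONTACT_FIELDS.search(response) is not None,
    }


def start_stub_server():
    """Serve TONIC_LIKE_ANSWERS on a loopback port; returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                q = b""
                while not q.endswith(b"\r\n"):
                    chunk = conn.recv(256)
                    if not chunk:
                        break
                    q += chunk
                name = q.strip().decode("ascii", "replace").lower()
                conn.sendall(TONIC_LIKE_ANSWERS.get(name, "Tonic whoisd V1.0\n").encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def lookup(name, server="127.0.0.1", port=43):
    return parse_tonic(whois_query(name, server, port))


if __name__ == "__main__":
    port = start_stub_server()
    for name in ("tonic.to", "task.to"):
        print(name, lookup(name, port=port))
```

Against the real registry you would call lookup("task.to", "whois.tonic.to") (or just whois -h whois.tonic.to task.to). The parsed result makes the point of the post concrete: the only attributable data is the nameserver pair, so the DNS provider is the one lead a phishing investigation is left with.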
03.13.07
Posted in Phishing / Scams at 9:48 pm by Tyler Reguly
This is just a quick heads up since it actually concerns me as well (being a Rogers customer)... Websense has published an alert on a new phishing attempt targeting Rogers customers.
The text of the email is:
Rogers is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access suspended?
Your account access has been suspended for the following reason(s):
March 12, 2007: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Rogers account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.
(Your case ID for this reason is RR-257-057-154.)
To remove the limitation click on the following link:
Regards,
Rogers Security Departament
At this point, I can't say how widespread this is. I've checked 3 Rogers accounts that we have as well as a couple of "spam" accounts I maintain and I haven't seen anything yet... However it is a concern. Currently, Rogers highlights email from Rogers Internet in blue if you use the web-based Yahoo! mail. It would be nice if Rogers (and other ISPs offering web-based mail) extended that to everything they send... If you sent the email, highlight it so users know it's legit, that little bit of extra warning.
So All you Rogers customers... take care when clicking email... If you are concerned about the validity of an email... contact Rogers @ 1-888-ROGERS-1
01.16.07
Posted in Phishing / Scams at 5:31 am by Tyler Reguly
It would seem that a lot of people still haven't learned to check their address bar prior to logging into a page... I say a lot because at least 1 or 2 of the 56000 users taken in by http://www.marcolano.com/login (Google cache) provided false information.
I actually feel quite bad for the users involved in this phishing quest. Generally your password is obtained by the person running the phish attempt, however someone felt the need to provide a link to the list of passwords as it was being created. After the site was taken down, someone had the "genius" thought of circulating this list on the Full Disclosure mailing list.
A quick whois of the domain provides the following details:
Domain name: marcolano.com
Registrant Contact:
LunarDev Productions
Marc Olano (marcolano@hotmail.com)
+1.8583738773
Fax: none
1252 Grand Avenue
San Diego, CA 92109
US
I've fired off an email to Marc to see if he was responsible or if it was a website compromise. If he was responsible, I've also asked him what his motivation was, although I doubt I'll receive a response. I've also fired off an email to MySpace in case they were unaware of the issue (which seems doubtful), and I find it interesting that they don't have a generic security contact address that's easy to find on their website. This is something that all major websites should have, in my opinion, easily viewable on their main page.
I would like to note that this page was submitted to the Firefox 2.0 Phishing Protection page. As soon as I attempted to visit the page, even though the server was down and no page was loaded, I received a warning about the site being reported as a fake.
[UPDATE] Brian Krebs has published an article where he performs breakdowns of the passwords. Providing the most common passwords, the number of unique passwords, and a count of the length of the passwords.
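The kind of breakdown Krebs did (most common passwords, unique count, length distribution) is easy to reproduce on any credential list. The script below is an added example, not Krebs's code and not run on the marcolano.com data; the user:password lines in it are constructed placeholders. Beyond the three statistics the post mentions it also buckets passwords by character composition, which is the quickest way to see how guessable a dump is.

```python
from collections import Counter

# Constructed sample in the shape of a leaked user:password list. It is not
# the marcolano.com data; every value here is a placeholder.
SAMPLE_DUMP = """\
user01:password1
user02:abc123
user03:password1
user04:qwerty
user05:123456
user06:Tr0ub4dor&3
user07:password1
user08:letmein
user09:123456
user10:qwerty
"""


def parse_dump(text):
    """Return the password column of 'user:password' lines, skipping junk.
    Only the first ':' separates user from password, so passwords that
    contain ':' survive intact."""
    passwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, _, pw = line.partition(":")
        passwords.append(pw)
    return passwords


def char_class(pw):
    """Coarse composition bucket used to show how guessable the set is."""
    if pw.isdigit():
        return "digits"
    if pw.isalpha() and pw.islower():
        return "lower"
    if pw.isalnum() and pw.islower():
        return "lower+digits"
    return "other"


def summarize(passwords, top=5):
    """The statistics from the update above plus a composition breakdown."""
    counts = Counter(passwords)
    lengths = Counter(len(p) for p in passwords)
    top_n = counts.most_common(top)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "most_common": top_n,
        # share of all accounts covered by the top-N passwords: what a
        # guesser gets for trying just those N values against every user
        "top_share": sum(c for _, c in top_n) / len(passwords) if passwords else 0.0,
        "length_histogram": dict(sorted(lengths.items())),
        "classes": dict(Counter(char_class(p) for p in passwords)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_dump(SAMPLE_DUMP), top=3).items():
        print(f"{key}: {value}")
```

The "top_share" figure is the one to look at when deciding how much damage a list like this does elsewhere: if three passwords cover most of the accounts, an attacker doesn't need the list at all to get into the same users' other accounts.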
Peace,
HT
09.03.06
Posted in Phishing / Scams at 2:15 am by Tyler Reguly
Yet another phishing email... these guys are clever... I'll give them that, a few things could have made this a much better attempt but I'm not going to point out their mistakes to help them out... instead, here's yet another email to be on the lookout for.
Quite well done, no? Oh well, it's there for your viewing pleasure (Disclaimer: Don't be an idiot and provide information to any of the links you follow in it).
Peace,
HT
08.27.06
Posted in Phishing / Scams at 3:44 am by Tyler Reguly
Shocking...
Mind-blowing...
Ridiculous...
These are the words that came to mind today while reading the Saturday edition of the Toronto Star. Half the front page was dedicated to introducing a story... a story that took up 2 pages inside the paper... a story that made me think those words. An 89 year old man was the victim of title fraud... The first thing I asked myself was, "What is title fraud?" The answer to that question is why I'm posting here... Title fraud starts with identity theft... Most people are well aware of identity theft these days. Someone steals your identity, obtains a credit card in your name and runs up bills. However it can be much more serious. Generally with credit card companies, since it wasn't actually you, they forgive the debt... making that form of identity theft the least of your problems. Identity theft involving title fraud can leave you homeless.
First, I steal your identity... remember that email you received last week from your bank asking you to confirm your account details? Gotcha! So now I can pass myself off as you. Now I, acting as you, go with my buddy to a lawyer's office and sign a deed over to my buddy. The lawyer checks our ID and notarizes the deed for a couple hundred bucks. Now my buddy walks down to the local bank and applies for a mortgage. The bank does a quick title check and sees that indeed my buddy does have the title to that land. They give him $300,000 and he walks out. We then make a run for it and look for another city and another victim.
So you're sitting there thinking big deal, it's the bank's fault... well then, the joke's on you. Given current Ontario law the bank owns your house. That's right... the Ontario Court of Appeal decided that a fraudulent mortgage is valid. The bank can kick you out and sell it. They ran a title search and my buddy was the owner according to the title search. You are left without a house and there's not a whole lot that you can do. You can attempt to obtain your money via the Land Titles Assurance Fund, however they are backlogged with claims and it could take years (in addition to thousands of dollars) before you see your money again. In the mean time I bet the back seat of your car looks like a wonderful place for your family of four to sleep.
This has been happening for years, however with recent increases in identity theft, there are increases in title fraud. The government keeps saying that they are trying to help the victims but they still haven't stepped in and changed the laws or amended the Land Registry Act. In the mean time, you may want to look into title insurance but even that won't save you now, thanks to the Ontario Court of Appeal many insurance companies are refusing the claim because the mortgage is valid, even if the title was forged.
So remember... the next time you're sitting back in your chair, enjoying a steaming mug of mocha java... that knock at your door, it might not be a visitor. It might be the bank informing you that you no longer own your home. You can thank the government and the system for not feeling the need to protect you, perhaps the Prime Minister will let you sleep on his couch while they sort this out and do the right thing.
Peace,
HT
08.24.06
Posted in IT, Phishing / Scams, SpamMailBag.com at 1:24 am by Tyler Reguly
I'd like to introduce my latest project... SpamMailBag.com. Here's the plan:
Using domain/task specific email addresses, I will be signing up for various services, websites and posting on various forums. I'm also hoping to pull some favours and have some fellow bloggers do blog specific ones.... For example I will be setting up computerdefense.org@spammailbag.com. I would give other examples but that would negate the effort. All emails will automatically be posted to SpamMailBag.com.
What is the goal? Well, for me it's simply a social project. I'm curious to see which services and websites requiring sign-ups sell your information and who they sell it to. I'm curious to see which blogs are harvested and which aren't, I'm curious to see which forums are harvested. I may even ask users to create contacts for certain addresses in outlook and outlook express or maybe gmail or hotmail to see if those addresses end up elsewhere.
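The mechanism behind this is simple enough to show in a few lines. As an added example (not SpamMailBag's own code), here is how the attribution works: one tagged address per sign-up, a registry of who each address was given to, and a routine that reads the recipient address out of an incoming message and says which service leaked it and whether the mail came from that service or from somebody else. The registry entries and both sample messages are constructed placeholders; the post deliberately does not publish the real address list.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

BASE_DOMAIN = "spammailbag.com"  # the project's domain, from the post


def tagged_address(source):
    """One address per sign-up, e.g. computerdefense.org@spammailbag.com."""
    return f"{source.lower()}@{BASE_DOMAIN}"


# Where each tagged address was handed out. Placeholder sources, not the
# project's real list.
REGISTRY = {tagged_address(s): s for s in
            ("computerdefense.org", "forum.example", "shop.example")}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def attribute(raw):
    """Map the recipient address back to the sign-up that received it and
    flag whether the sender is that site or a third party. Returns None
    when no tagged address is among the recipients."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_values = []
    for h in ("delivered-to", "to", "cc"):
        header_values.extend(str(v) for v in msg.get_all(h, []))
    recipients = [a.lower() for _, a in getaddresses(header_values)]
    _, sender = parseaddr(str(msg["from"] or ""))
    sender_domain = _domain(sender)
    for rcpt in recipients:
        if rcpt in REGISTRY:
            source = REGISTRY[rcpt]
            first_party = (sender_domain == source
                           or sender_domain.endswith("." + source))
            return {"tag": rcpt, "source": source,
                    "sender_domain": sender_domain,
                    "third_party": not first_party}
    return None


# Constructed samples: one piece of spam to the blog's tagged address, one
# newsletter from the site that was actually given the address.
SPAM = """\
From: Deals <deals@cheap-pills.example>
To: computerdefense.org@spammailbag.com
Subject: Special offer

...
"""

NEWSLETTER = """\
From: Shop News <news@mail.shop.example>
To: shop.example@spammailbag.com
Subject: This week's newsletter

...
"""

if __name__ == "__main__":
    print(attribute(SPAM))
    print(attribute(NEWSLETTER))
```

The tagged address is the reliable signal here: whoever mails it got it, directly or indirectly, from that one sign-up. The From: domain is only a hint, since it is forged in most spam; what the project can really say is "this address was given to X and now receives mail from strangers", not who X sold it to.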
For me, it will be a fun project... Maybe I'll even email The Colbert Report, or take out custom ads in the paper to see if anyone harvests from TV and Newspaper/Magazine ads.
Additionally, as the addresses become more popular, I may end up with a bit of a honeypot for new email malware... Maybe I'll catalogue phishing attempts or scams... and maybe I'll see viagra advertisements so often that I'll end up buying some...
It may flop... but it may work out really well and if it does I may be calling in favours as far as hosting goes, I'm not sure just how much I'll be able to effectively handle.
Those of you eager to check it out... I've yet to deploy the site... it currently points to a VERY old domain that until recently was hosted elsewhere... I'm hoping to have the SpamMailBag.com blog up before I go to bed and if not, then in the very near future.
Peace,
HT
08.18.06
Posted in Phishing / Scams at 1:26 am by Tyler Reguly
I actually had to go and double check my wallet tonight after receiving an email from PayPal to one of my accounts... It's not an account I use a lot, and I didn't remember having a PayPal account linked to it so I doubted it was real, however it was interesting.. It was the one legit email that you do get from PayPal... the Credit Card expiration reminder... I actually had to get my wallet and double check that it wasn't the last four digits of my CC that were showing...
Here's the email:
Dear
,
Your credit card ending in 3812 will expire soon.
To avoid any interruption to your service, please update your credit card
expiration date by following the steps below. If you do not update your credit
card expiration date
- You will no longer be able to fund payments with this card
To update your credit card expiration date:
1. Log in to your PayPal account
2. Go to the Profile subtab
3. Click on the 'Credit Cards' link in the Financial Information column
4. Choose the radio button next to the credit card you would like to update and
click 'Edit'
5. Enter your credit card verification number
6. Enter the new credit card expiration date
7. Click 'Save'
Thank you for using PayPal!
The PayPal Team
----------------------------------------------------------------
PROTECT YOUR PASSWORD
NEVER give your password to anyone, including PayPal employees. Protect yourself
against fraudulent websites by opening a new web browser (e.g. Internet Explorer
or Netscape) and typing in the PayPal URL every time you log in to your account.
----------------------------------------------------------------
Please do not reply to this email. This mailbox is not monitored and you will
not receive a response. For assistance, log in to your PayPal account and click
the Help link located in the top right corner of any PayPal page.
----------------------------------------------------------------
PayPal (USA) Limited is authorized and regulated by the Financial Services
Authority in the United States as an electronic money institution.
PayPal Email ID PP031
So yeah.... it's getting more and more difficult to distinguish the real from the not-so-real... Had this been a real account, and had I not been up on phishing and not checked my real credit card for comparison (or paid attention to the domain being used), I may have been taken in by this.
Peace,
HT
08.12.06
Posted in Phishing / Scams at 10:03 pm by Tyler Reguly
I recently received yet another phishing attempt, this time to my email address associated with this site, from one Mr. Lord Freeman. I decided that for a change... I would reply and see what happened. I was rather impressed with how bold the individual was and how quickly they asked for information without any attempt to build camaraderie or familiarity. I'm interested to see how the individual will respond to the most recent email, and will keep you apprised... In the mean time.. here's how quickly it happens.
Original Email:
>From Mr Lord Freeman
P.O Box 3038,
57 victoria Street,
London SW1H,
LONDON.
Hello
in order to transfer out (Twelve million, five hundred
thousand British pounds) from our Bank. I
have the courage to look for
a reliable and Honest Person who will be capable for this Important
business Transaction,believing that you will never let me down either
now or in Future.
The owner of this account is Mr. David Hagen
foreigner and the Manager Of petrol chemical service,a chemical
engineer by Proffession and he died since 1990.the account has no other
beneficiary And my Investigation proved to me as well that his company
does not know anything About this account.
I want to transfer this
money into a safe foreign account abroad but i Don't know any
foreigner,
i know that this message will come to you as a surprise as
we don't know ourselves before,but be sure that it isreal And A Genuine
business.
I believe in God that you will never let me down in this
transaction,at the conclusion of this
business,you will be giving 30%
of the total amount, 70% will be for me.I look forward to your
earliestreply by email for more details.
Best regards
Mr. Lord
Freeman
My Response:
Hello,
I apologize for the slow response, I've been busy lately.
How can I assist you?
I then received:
From: Mr LORD FREEMAN <mrlord_freeman2@yahoo.co.uk>
To: XXXX
Subject: send to me as a matter of urgency followings for the claim in your name!
Date: Sat, 12 Aug 2006 22:01:59 +0100 (BST) (17:01 EDT)
Thank you for your prompt response to my mail, The content therein is well understood. However, I quite appreciate your situation of been skeptical since we have not meet each other before and also because of too many bad people that one encounter with this days one do not know who to trust, But I thank you for seeing the sincerity in my mail as I have good intention for both of us. Be that as it may, One must trust each other some how because "There is no way you can identify an angel without having an encounter with one" So it is always good to have an open mind in what ever your dealings are.
Nevertheless, I can read from your mail that you are a truthful person like my self because there is this saying that "from there words we shall know them" So I can identify you even without meeting you, This is spiritual because I always trust my spiritual instinct and I do listen to it, I have feelings that we can do this transaction together if we understand our self.
Subsequently, Having accepted the above, Please let me have this from you so that we can commence the process of arranging the documents of claims of inheritance in your favor after which we will submit to the bank for approval of claims on your behalf. Modalities would be worked out at the highest levels at the Department of Justice for the immediate notarization and procurement of all needed back-up legal documentations. The process of funds transference would be concluded within 14 working days subject to your satisfaction of the stated terms. My assurance once again is that your role is risk free. To accord this transaction the legality it deserves and for mutual security of the fund, the whole procedures will be officially and legally processed with your name as the Bonafide beneficiary. This is the most important aspect of the project because it is at this stage that all important and vital back-up legal documents would be procured. Substantiating our claims with this document, we would await further fund release Approvals/Recommendations. Once they are issued, it means that the greater tasks of the processes of the fund transfer have been concluded. To proceed in earnest send me one of your personal checking accounts, You can either provide us with an existing bank account, or to set up a new Bank account immediately to receive this money, Your account details should go like this i.e. (a) BANK NAME
(b) BANK ADDRESS
(c) ACCOUNT NAME
(d) ACCOUNT NUMBER
(e) SORT CODE OR ROUTING NUMBER This is to enable the attorney draft an application, which he would be sending to the bank for claims on your behalf. The information as requested below would also be used by the attorney to raise legal back-up documents that will substantiate your claims.
1. Your Full Names:
2. Your Occupation:
3. Date of Birth/Age:
4. Marital Status:
5. Your Telephone/Cell Phone and Fax Numbers for effective communication between us.
6. A scanned copy of your ID, preferably your International Passport or Drivers License is as well needed to enable me set my eyes on the face of my partner. On my receipt of the above information and a strong assurance from you that my trust and confidence in you is never misplaced, I will then start to process the transfer of the fund to your account without further delays. The attorney with my assistance will forward an application for the release of the said amount on your behalf to the bank. He will also forward your account detail to the bank and to the H.M Treasury Department for foreign transfer approval in your favor. As soon as the fund is approved for transfer to your account, you as the foreign beneficiary of the fund will be required to go to the bank's offshore payment center closest to you for the signing of the Final Fund Release Order. You can see you would not necessarily come to London, as the attorney here would represent you down here. After the signing, the fund will be transferred to your account in your presence while you are still in the payment office and you will call your bank to confirm the receipt of the fund in your account.
At the moment, you should not tell your bank that huge amount is to be transferred into your account until after you must have signed the Final Fund Release Order Form (M) in the bank's foreign offshore payment office closest to you, because that will be the only time all the documents to back up the transfer as a legitimate fund which did not originate from drug, money laundry, terrorism or any other illegal act will be ready in your name and will accompany the fund to your account so that your bank or your government will not question the transfer. This information is highly confidential and you should always keep it only to yourself. I would like to receive in return your acceptance to proceed as suggested. Urgency is indeed needed. I am also looking forward to a mutual beneficial partnership with you. Call me at + 44 7040 111 132 for us to talk more on this transfer which we shall all benefit from. On my next email to you, I will send my international id to you as sign of good faith and any other clarification you may require as i will have to renuew my passport so that i will send it to you in my next mail hoping to see yours in your reply. Your Partner and Friend,
Mr.lord freeman
My final response to date:
To: Mr LORD FREEMAN <mrlord_freeman2@yahoo.co.uk>
Subject: Re: send to me as a matter of urgency followings for the claim in your name!
Date: Sat, 12 Aug 2006 22:45:30 -0400
Mailer: Evolution 2.6.0
G'day sir,
I look forward to doing business with you and am glad to have received
your contact. I am however worried. A friend at work was recently
telling me about something called fishing... I'm not exactly sure what
it is... but it sounded a lot like this... How can I be sure that this
is indeed legit? Perhaps, since you contacted me, as a sign of good
faith you could provide me with a copy of your ID first? I've found I
can tell a good deal about a person by looking at their person and am
curious to see your picture to determine if I can trust you.
Thank you...
I have not yet received anything else, however as soon as I do, I will update this blog.
Peace,
HT