.:Computer Defense:.

I have to say that I was completely shocked when I read this (via SpywareGuide)yesterday... the first thing I did was send it to everyone I was talking to on IM. Write to help protect people from phishing sites and have a complaint filed with the FBI? There's something seriously wrong with this picture.

PayPal seems to be stepping all over themselves lately, they completely stall HFC (thankfully resolved now) and now this. I just can't imagine what goes through someone's head that they send a letter to the ISP and file a complaint with the FBI... did they even have any idea what they were looking at? Did they understand that the site was helping people not hurting them?

I could continue to rant on this, but mainly I just wanted to make sure as many people as possible saw and read it. Though it should be noticed this isn't the first takedown request with the threat of legal follow-up based on a screenshot, FailBlog was hit with this not too long ago. Although Guiness Book of World Records didn't go to the FBI.

I just received one of the best scam phone calls every to my cell phone (I seem to be getting more and more of these calls to my cell phone and it pisses me off).

The call came from (916) 219-8163

It was an automated recording that said the following:

This is the second time we've called to notify you that the warranty on your vehicle is about to expire. Driving without a warranty can lead to serious problems and you should renew your warranty immediately. We will not call you again, if you do not renew your warrant we will remove your file from our system. Please press 1 to speak with a representative or press 2 to be taking of our calling list

Given that I'd already answered, I figured I might as well have some fun, so I pressed 1.

The remainder of the call went like this:

> "Hello sir, can I get your name"
< "Yes... it's Tyler Jones J-O-N-E-S"
> "Thank you sir and I just need to confirm the vehicle you drive"
< "I don't own a vehicle.. but I have a bike"
> "Does anyone in your home have a vehicle sir?"
< "Nope... we all have bikes"
> "Oh, just to confirm your number was 647-828-6206, we'll put you on our do not call list"
*click*

I didn't get to have nearly as much fun as I wanted... next time they call back I'm definitely going to own a car.

One of my favourite non-IT blogs has got to be The Consumerist. I really like the idea of a public online watchdog that has the freedom to publish pretty much anything.

Anyways, the other day this post caught my attention:

Why doesn't a bank (cough HSBC cough) offer the option to have text message alerts sent to a registered phone number any time a withdrawal is made from a specific account via ATM? "$120 was withdrawn at 2:51pm EST in Palo Verde, CA. Reference #293005"

I think this is a great idea... There's plenty of software that takes advantage of Pager/SMS/Email notifications, why can't the bank due the same? We're becoming more and more technologically advanced and cell phones are everywhere. even my 15 year old sister has an HTC S720.

I would love this feature. My fiance, a while back,  got a letter saying that her debit card had been used at a business known to have conducted malicious activities with customers banking information. She got a letter because the bank called, during business hours, and didn't leave a message (I've never quite figured out why service based businesses operate during the hours that people work... there should be an offset, especially if you're trying to contact the individual). Sure the proposed feature is for withdrawals, but why couldn't it exist for all fraudulent activities?

Now maybe the reason this doesn't exist is to avoid opening yet another avenue of attack. My bank "requires" (you don't HAVE to enter it, but they sure do want you to) an email address. They send me quasi-important information via email. The next think you know when I log into my online banking, there's a notice warning me about yet another phishing attack that's targeting customers of my bank. Perhaps they don't want to introduce a new method that phishers can take advantage of. I seem to recall getting random SMS spam with my first cell phone, coming from numbers like '00000' and '12345', however I haven't seen any of that in quite some time... either I'm really lucky or cell phone companies have figured out how to stop spoofed messages. (Which I find unlikely given that landlines can't prevent Caller ID spoofing.) So would we be making things riskier by allowing SMS Fraud Notifications?

Scenario

• Customer gets SMS stating that their account has had $500 withdrawn in Mexico.
• SMS asks customer to contact the bank, providing a number.
• Customer is in a panic and calls the number immediately.
• "Agent" asks customer to provide personal information (Bank Account info, SSN/SIN, Address, DoB) to verify that it isn't the fraudulent user.
• Customer has just been scammed.

Do I foresee that scenario happening if SMS Fraud Notification is introduced? Definitely. Do I still think SMS Fraud Notification would be very beneficial? You bet! Banks simply have to remind customers to always contact the bank following an SMS, but to use the number on their debit card or a known trusted source (bank's website, phone book, bank statement, etc.) Banks also have to accept that this is for Fraud Notification only, if customers start getting non-fraud related notifications, they'll grow lax and be more likely to succumb to a targeted phishing attack.

So thoughts... SMS Fraud Notification -- Good or Bad? Beyond that would you pay for the option or only take advantage of it if it were free?

In the past 24 hours I've received multiple "greeting card emails" telling me to visit the website and view my greeting card. A couple of points for people to keep in mind when receiving e-cards.

1. 99% of the time, the e-card email will contain the name of the person who has sent you the e-card. If the email contains phrases like "an e-card from a mate" or "a worshiper has sent you an e-card", it's most likely not a valid email.
2. The link that you are clicking on in the email will appear as a valid domain name. This doesn't mean you can automatically trust domain names, but you should instinctively delete any email where the link appears as an IP Address (dotted decimal formation, such as 1.2.3.4).
3. The email will appear as either the address of the person sending it, or a generic address from the company providing the e-card. If you see an address such as abc123@randomletters.com.tr, the e-card is a scam.

Now let's take a look at a real e-card from E-Cards.com vs a malicious e-card spoofing E-Cards.com.

Valid E-Card

Tyler Testing
	reply-to			Tyler Testing
	to			ht@xxx.org
	date			Jul 2, 2007 6:36 PM
	subject			E-CARD from Tyler Testing
	mailed-by			e-cards.com

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Greetings!

Tyler Testing has sent you an E-Card -- a virtual postcard from
E-Cards.com. You can pickup your card at the E-Cards.com website.

-> If your e-mail is hot-link enabled, click here:
http://cards.e-cards.com/pickup/pickup1.pl?code=xxxxx

-> You may also point your web browser to: http://www.e-cards.com/
Then, visit the card pickup page and input your pickup code:
xxxxx

Your E-Card will be available for 15 days from the sending date.
To keep your E-Card accessible indefinitely, you may want to join
"My E-Cards" -- an option to do so is provided in your E-Card!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^    Save trees. Learn about wildlife nature and the environment.
^^^          Generate an advertising sponsored donation.
^^^^^  Every E-Card sent helps support wildlife and the environment!
%
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Malicious E-Card

From: E-Cards.Com [mailto:ngz@dostbilgisayar.com.tr]
Sent: Monday, July 02, 2007 12:21 PM
To: Tyler Reguly
Subject: You've received a greeting ecard from a mate!

Good day.

Your mate has sent you a greeting ecard from E-Cards.Com.

Send free ecards from E-Cards.Com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://xxx.209.67.xx/?XXXX

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://xxx.209.67.xx/

Your ecard number is
XXXX

Best wishes,
Mail Delivery System,
E-Cards.Com

I haven't visited the links in a secure VM to see where they point, so I don't quite feel comfortable providing the links on this page. If anyone wants the links, they can feel free to contact me.

RSnake has an interesting post on the Whois Daemon that is running for the .to TLD. It seems as though their modified daemon returns minimal results... masking all contact and registration information.

root:# whois tonic.to
Tonic whoisd V1.0
tonic
root:# whois task.to
Tonic whoisd V1.0
task    ns1.perpetualconnections.com    64.90.96.130    ns2.perpetualconnections.com    64.90.96.230

As RSnake points out this is a spammers dream.  I would add that the same is true for phishers.

This is just a quick heads up since it actually concerns me as well (being a Rogers customer)... Websense has published an alert on a new phishing attempt targeting Rogers customers..

The text of the email is:

Rogers is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Why is my account access suspended?

Your account access has been suspended for the following reason(s):
March 12, 2007: We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive Rogers account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is RR-257-057-154.)
To remove the limitation click on the following link:

Regards,
Rogers Security Departament

At this point, I can't say how wide spread this is. I've checked 3 Rogers Accounts that we have as well as a couple of "spam" accounts I maintain and I haven't seen anything yet... However it is a concern. Currently, Rogers highlights email specifically from Rogers Internet in blue if you used the web-based Yahoo! solution. It would be nice if Rogers (and other ISPs offering web-based mail) were to provide that same service... If you've sent the email, highlight it so users know it's legit, that little bit of extra warning.

So All you Rogers customers... take care when clicking email... If you are concerned about the validity of an email... contact Rogers @ 1-888-ROGERS-1

It would seem that a lot of people still haven't learned to check their address bar prior to logging into a page... I say a lot because at least 1 or 2 of the 56000 users taken in by http://www.marcolano.com/login (google cache) provided false information.

I actually feel quite bad for the users involved in this phishing quest. Generally your password is obtained by the person running the phish attempt, however someone felt the need to provide a link to the list of passwords as it was being created. After the site was taken down, someone had the "genius" thought of circulating this list on the Full Disclosure mailing list.

A quick whois of the domain provides the following details:

Domain name: marcolano.com

Registrant Contact:
LunarDev Productions
Marc Olano (marcolano@hotmail.com)
+1.8583738773
Fax: none
1252 Grand Avenue
San Diego, CA 92109
US

I've fired off an email to Marc to see if he was responsible or if it was a website compromise. If he was responsible, I've also asked him what his motivation was, although I doubt I'll receive a response. I've also fired off an email to MySpace in case they were unaware of the issue (which seems doubtful), and I find it interesting that they don't have a generic security contact address that's easy to find on their website. This is something that all major websites should have, in my opinion, easily viewable on their main page.

I would like to note that this page was submitted to the FireFox 2.0 Phishing Protection page. As soon as I attempted to visit the page, even though the server was down and no page was loaded, I received a warning about the site being reported as a fake.

[UPDATE] Brian Krebs has published an article where he performs breakdowns of the passwords. Providing the most common passwords, the number of unique passwords, and a count of the length of the passwords.  

Peace,
HT

Yet another phishing email... these guys are cleaver... I'll give them that, a few things could have made this a much better attempt but I'm not going to point out their mistakes to help them out... instead, here's yet another email to be on the lookout for.

Dear PayPal Member, This email confirms that you have paid LWPELECTRONICS (sales@lwpelectronics.com) $474.99 USD using PayPal. This credit card transaction will appear on your bill as "PAYPAL LWPELECTRONICS*". PayPal Shopping Cart Contents Item Name: BRAND NEW NOKIA 8800 CELL PHONE Quantity: 1 Total: $474.99 USD Cart Subtotal: $454.99 USD Shipping Charge: $20.00 USD Cart Total: $474.99 USD Shipping Information Shipping Info: Bill Chang 202 N Magnolia Dr. Saco, ME 04072 United States Address Status: Unconfirmed If you haven't authorized this charge, click the link below to cancel the payment and get a full refund. Dispute Transaction

Thank you for using PayPal! The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

PayPal Email ID PP120

Quite well done, no? Oh well, it's there for your viewing pleasure (Disclaimer: Don't be an idiot and provide information to any of the links you follow in it).

Peace,
HT