4 ways to avoid holiday phishing on Black Friday

Cybercriminals are raising the black flag this Black Friday and Cyber Monday. These are the biggest shopping days of the year and these criminals know that the sales ads and offers will soon start pouring in. Buried among those offers will be fake deals from these cyber criminals. Use these tips to stay safe this year.

1. Verify deals

The first thing you can do is verify deals on the retailer’s website. If you receive a deal by email, go to the retailer’s site and confirm the same deal there rather than trusting the email alone. Do not click the links contained in the email to access the site, as these might take you to an attacker’s site first or direct you to an entirely different site. Note that phishing sites may look exactly like legitimate sites such as Best Buy or Walmart. Type the address of the site you wish to validate into your browser instead.

2. Verify addresses

Sometimes retailers send out deals only to those who subscribe to their mailing list. In such cases, you will not be able to verify the deal on the retailer’s site. If you still believe the message might be a hoax, you can verify the addresses in the email links. Hover over links in the email to see the address. Make sure the address displayed matches the address in the link. Make sure that links attached to images are going to the retailer’s website address. For example, if the email has a picture of a Dell laptop and it says it is from Dell, make sure that the address is Dell.com.

Also, make sure that there are no additional names following the .com. Dell.com.dealsexpress.fr will not take you to Dell.com. The address is composed of a few elements. Items before the site name are subdomains, so support.dell.com is a subdomain of Dell.com. The items immediately before the .com, .org, or other top-level domain name in the address determine which site you are sent to, while items following a / take you to a specific location on that site. For example, Walmart.com/toys/lego.html would take you to a page called lego.html in the toys folder on the Walmart.com website.
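The two checks above (does the link really go to the retailer’s domain, and does the visible address match the real one) can be automated. The following is an added example, not code from the original post: it pulls every link out of a constructed HTML email body, works out which domain actually owns each destination, and flags lookalike hosts such as dell.com.dealsexpress.fr as well as links whose visible text shows one address while the href points somewhere else. The small TWO_LABEL_SUFFIXES set is an assumption for the demo; real tooling should use the full Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Simplification: suffixes such as "co.uk" have two labels. A real checker
# should consult the Public Suffix List instead of this short, assumed set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of a hostname that the site owner actually controls.

    "support.dell.com" -> "dell.com"; "dell.com.dealsexpress.fr" -> "dealsexpress.fr".
    Everything to the left of that domain is a subdomain chosen by its owner.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_goes_to(url, expected_domain):
    """True only if the link's registrable domain is exactly the retailer's."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == expected_domain.lower()


def _looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def _host_of(text_or_url):
    if not re.match(r"https?://", text_or_url, re.I):
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname or ""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append("[image]")  # link attached to a picture

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_links(html_body, expected_domain):
    """Return (href, visible text, verdict) for every link in the email body.

    Verdicts: "text-href-mismatch" when the visible address and the real
    destination belong to different domains (what hovering would reveal),
    "wrong-domain" when the destination is not the retailer's domain, else "ok".
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        text_dom = registrable_domain(_host_of(text)) if _looks_like_url(text) else None
        if text_dom is not None and text_dom != href_dom:
            verdict = "text-href-mismatch"
        elif href_dom != expected_domain.lower():
            verdict = "wrong-domain"
        else:
            verdict = "ok"
        results.append((href, text, verdict))
    return results


# Constructed sample email body (not a real message) mixing genuine-looking
# retailer links with the lookalike patterns described in the text.
SAMPLE_EMAIL = """
<p>Black Friday doorbusters from Dell!</p>
<a href="https://www.dell.com/deals">Shop dell.com</a>
<a href="https://support.dell.com/warranty">Extend your warranty</a>
<a href="http://dell.com.dealsexpress.fr/login"><img src="laptop.png"></a>
<a href="http://dealsexpress.fr/track">https://www.dell.com/track-order</a>
"""

if __name__ == "__main__":
    for href, text, verdict in check_email_links(SAMPLE_EMAIL, "dell.com"):
        print(f"{verdict:20} {href:45} {text}")
```

Run as a script it prints one verdict per link; the third and fourth links in the sample are the ones the text warns about (a picture linked to a lookalike host, and visible text that does not match the real destination).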

3. Browser warnings

If you do click a link and your browser displays a warning, close the browser window or tab and do not proceed to that link. Browser warnings might include “There is a problem with this website’s security certificate” or “This connection is untrusted”. These warnings indicate a problem with the website’s certificate.

Certificates are used by websites to prove their identity. Certificate authorities are companies that computers are configured to trust; a website operator goes through a validation process and then purchases a certificate from one of them. The certificate is installed on the website, and your browser then verifies that the certificate was issued for the site you are visiting and that it came from a certificate authority you trust.

Take these warnings seriously and do not proceed to such sites. While there are some instances where a legitimate site could have a certificate problem, it is generally not worth the risk to proceed.

4. General phishing signs

You should also watch out for other phishing messages in addition to the holiday specials. Some other signs for spotting these messages include bad spelling, the request for personal information or a detailed sad story that requests you to send money.

I hope you stay safe this holiday shopping season. Catch the Black Friday and Cyber Monday deals without getting pillaged by following the tips above. Above all, remember if a deal sounds too good to be true, it probably is a hoax or a scam.


A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

For more than a decade, computer-generated digital certificates have made it possible to authenticate the identity of computer systems, data, and websites by connecting a public key with an identity such as an owner’s name. The process relies on trust. “Secure” websites use such a certificate to validate their identity. This digital certificate is usually procured from a company that verifies the identity of the company administering the site. The digital certificate issued to them is validated by a trusted root certificate authority or by a server that is trusted by the trusted root. This chain of certificates is called a certificate hierarchy. A small group of trusted certificate authorities is installed on computers within the operating system. These authorities include such names as Equifax, VeriSign, and Thawte. So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities resulting in the issuance of many rogue certificates. These attacks began with an SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases leading to the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com.  This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as *.google.com which allowed the certificate to be used for any google.com site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated. Users are then redirected to such sites through phishing or “man in the middle” attacks, where a compromised host in between the user and a legitimate site sends traffic to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem legitimate. For example, fake AV, some Zeus variants, Conficker and, more recently, Stuxnet and Duqu have used rogue certificates. The threat is serious enough that McAfee lists rogue certificates as one of its ten threat predictions for 2012.

In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.

There are several ways companies can protect their users from the damage caused by rogue certificates. The most important action is to install browser patches as soon as they are released, because updates to the root certificate authority list are distributed through these patches. To do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the amount of time that machines are vulnerable to attack.

Similar to server hardening and other security techniques that limit asset exposure, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific. Thus, they can be removed if sites in those countries are not utilized.
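Reviewing the trusted root list is easier with a script. The following is an added example, not code from the original article: it reads the root certificates the Python ssl module trusts on the local machine (the real ssl.SSLContext.get_ca_certs() call), groups them by the country in each subject, and lists the regions that fall outside the set you actually do business with. The SAMPLE_ROOTS entries are constructed stand-ins with made-up names so the functions can be exercised offline; removing a root is still done in the operating system or browser trust store, which this script only reviews.

```python
import ssl
from collections import defaultdict


def _attr(name_tuples, key):
    """Pull one attribute (e.g. 'countryName') out of an ssl-module subject tuple."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize_trust_store(ca_certs):
    """Group trusted roots by the country in their subject.

    `ca_certs` is a list of dicts shaped like ssl.SSLContext.get_ca_certs()
    output: each has 'subject' (tuple of RDN tuples), 'issuer', 'notAfter', ...
    Returns {country: [commonName or organizationName, ...]}.
    """
    by_country = defaultdict(list)
    for cert in ca_certs:
        subject = cert["subject"]
        country = _attr(subject, "countryName") or "??"
        name = (_attr(subject, "commonName")
                or _attr(subject, "organizationName")
                or "<unnamed>")
        by_country[country].append(name)
    return dict(by_country)


def removal_candidates(ca_certs, countries_in_use):
    """Roots whose subject country is outside the regions your users rely on.

    A candidate list to review, not an automatic removal: some roots with a
    foreign country code still issue certificates for sites you use.
    """
    keep = {c.upper() for c in countries_in_use}
    summary = summarize_trust_store(ca_certs)
    return {c: names for c, names in summary.items() if c not in keep}


def load_system_roots():
    """Roots the Python ssl module trusts on this machine (may be empty on some builds)."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample roots (all names are made up) in get_ca_certs() shape.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Inc"),),
                 (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "NL"),),
                 (("organizationName", "Sample Notaris BV"),),
                 (("commonName", "Sample NL Root"),)),
     "notAfter": "Jan  1 00:00:00 2028 GMT"},
    {"subject": ((("countryName", "TW"),),
                 (("organizationName", "Demo Region CA"),)),
     "notAfter": "Jan  1 00:00:00 2029 GMT"},
]

if __name__ == "__main__":
    roots = load_system_roots() or SAMPLE_ROOTS   # fall back to the sample offline
    for country, names in sorted(summarize_trust_store(roots).items()):
        print(f"{country}: {len(names)} root(s)")
    print("review for removal:", removal_candidates(roots, ["US", "NL", "GB"]))
```

On a real machine the per-country counts show at once which regional roots are present; each entry in the review list should be checked against the sites your organization actually visits before anything is removed from the trust store.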

It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities who list the certificates that should not be trusted anymore.  Depending on the browser’s settings, it may be accepting revoked certificates.  Make sure the browser is set to treat certificates as invalid if the Online Certificate Status Protocol (OCSP) connection fails.

Firefox add-ons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further validate certificate credibility. These add-ons warn users when a certificate differs from the one recorded elsewhere. A change in a certificate is no guarantee that the certificate is rogue, but it is a warning sign that it may be.
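The two checks those add-ons perform, remembering the certificate last seen for a host and comparing a certificate against what independent notaries saw, can be shown in a few dozen lines. The following is an added example, not the code of CertPatrol, Convergence or Perspectives: it keeps a per-host SHA-256 fingerprint store, reports first-seen, unchanged or changed on each observation, and applies a simple notary-agreement threshold. CERT_A and CERT_B are constructed byte strings standing in for DER-encoded certificates; with a live connection the DER bytes come from ssl.SSLSocket.getpeercert(binary_form=True).

```python
import hashlib
import json


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class CertPatrol:
    """CertPatrol-style store: remembers the certificate last seen per host."""

    def __init__(self, store=None):
        self.store = store if store is not None else {}   # host -> fingerprint

    def observe(self, host, cert_der):
        """Return ("first-seen" | "unchanged" | "changed", fingerprint)."""
        fp = fingerprint(cert_der)
        previous = self.store.get(host)
        if previous is None:
            self.store[host] = fp
            return ("first-seen", fp)
        if previous == fp:
            return ("unchanged", fp)
        # A change is not proof of a rogue certificate (renewals happen), so
        # the store is NOT updated until the user explicitly accepts it.
        return ("changed", fp)

    def accept(self, host, cert_der):
        """Record a changed certificate once it has been verified."""
        self.store[host] = fingerprint(cert_der)

    def dumps(self):
        return json.dumps(self.store, sort_keys=True)

    @classmethod
    def loads(cls, data):
        return cls(json.loads(data))


def notary_consensus(observed_fp, notary_fps, minimum_agreeing=2):
    """Perspectives/Convergence-style check: did at least `minimum_agreeing`
    independent vantage points see the same certificate for this host?"""
    agreeing = sum(1 for fp in notary_fps if fp == observed_fp)
    return agreeing >= minimum_agreeing


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_A = b"constructed-cert-for-login.example.test-2012"
CERT_B = b"constructed-cert-for-login.example.test-changed"

if __name__ == "__main__":
    patrol = CertPatrol()
    host = "login.example.test"
    for cert in (CERT_A, CERT_A, CERT_B):
        status, fp = patrol.observe(host, cert)
        print(f"{host}: {status} {fp[:23]}...")
    seen_by_notaries = [fingerprint(CERT_A)] * 3
    print("notaries agree with new cert:", notary_consensus(fingerprint(CERT_B), seen_by_notaries))
```

A "changed" verdict that the notaries do not confirm is exactly the case the article describes as a warning sign: the site may simply have renewed its certificate, but it is worth confirming before entering credentials.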

Attacks in recent years have shown that the certificate trust relationship can be exploited to impersonate legitimate sites and services. The best way to ensure you are reaching the actual service is to keep browser and operating system patches current. In addition, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and enforcing certificate revocation checking.


Six Email Scam Tactics you should recognize

Scams exist.  That is a simple truth.  There are honest people, and then there are others who try to cheat.  Email and the technology age facilitate scamming through email.  Often these emails promise jobs or an irresistible offer, but sometimes they are more subtle than that.  This article analyzes the types of email phishing traipsing around the World Wide Web so that, armed with the knowledge of email phishing attacks, you can avoid them in the future.

1. Irresistible Offer

Here is the ultimate dream held by many Americans: Get rich quick.  It just doesn’t work.  The ads that are frequently displayed online or the spam messages sent to people every day offer ways to get rich quick, have free money, receive free gifts or services, or meet someone beautiful and sexy.  The scammers want to take your money, not give it to you and that beautiful woman you see in the picture might not even be a woman.

2. Money Mule

The money mule scam offers you the opportunity to make lots of money by transferring cash. It appears somewhat legitimate but it is actually illegal and you will be the one the evidence points to.  You may see an advertisement for a financial position where you move money around from home and make a lot of cash.  You are actually transferring stolen money or money laundering.

3. Pyramid schemes

The basic pitch is: send money to me, then pass the message on to several other people, and they will all send money to you; more complex variations exist.  You get money only if enough of the people you send the message to end up sending money and participating themselves.  Eventually the supply of new participants runs out and someone loses.  Other times you participate in a service that requires little but promises much.  What you actually get, if anything, is far different from what is promised, because the only ones who profit from the deal are those who started it.  When it is time for you to get paid, there is nothing left in the pot.

4. Stolen Goods Mule

Similar to the money mule, but goods are transferred instead of money.  These services typically present themselves as a shipping consultant, and your job will be to receive packages and then ship them to another location.  Criminals purchase goods using stolen credit cards and then sell the items on eBay.  You receive the stolen goods and send the merchandise off.  Unfortunately, when the fraudulent charges are noticed, the address they shipped to is the one the police will go to.

5. Spear Phishing

Spear phishing messages provide you with a link to what appears to be the site, and they ask you to log in or to update your password.  Spear phishing messages are crafted to appear to come from some service that is legitimate but they are just copies or fakes.

6. Whale Phishing

Whale Phishing is a specific attack against an individual with wealth or access to valuable assets or information.

Awareness of such attacks is increasing, but the mere fact that the average user still receives so much spam means that it must be paying off for someone.  Don’t be the one who gets burned.  Educate your employees on the risks.

Tips:

There are steps that can be taken to safeguard yourself against potential malfeasance.  First, always pay attention to the website you are visiting.  Frequently, phishers will set up a mirror site that looks exactly like the site you want to see.  Always be skeptical and go to the website directly rather than clicking on any link provided in an email.  Be wary of hyperlinks within emails and remember that banks will not ask for personal information via email.  Installing anti-spam software from a reputable source will significantly diminish your vulnerability to attack.  Finally, if something phishy does occur to any one of your accounts, change your password and secret questions.

Scamming happens, that is a simple fact.  Today I looked at multiple ways that a person could get burnt ranging from spear phishing to a money mule.  In any case, the best defense is a proactive one.  Pay attention to your financials, and always protect your personal information.  Be cautious about any offer that seems too good to be true.  Follow these steps and the job of sifting out what is potentially dangerous versus what is benign becomes much easier.

Pyramid Schemes: Building lies on hopes and dreams

A pyramid scheme is much like the old chain letters people received when the post office was the en vogue form of communication. The way this scheme works is simple and very identifiable. One person begins at the top of the pyramid and recruits a few other people to “invest” some amount of money, say $100, with the initial investor. These new recruits go out and recruit more people, who recruit more people, thus propagating the scam further. The fraud comes in when people closer to the bottom of the pyramid cannot recruit enough people to pay off those a level above them, and so lose money. There are many types of pyramid schemes with similar motives and results: invest in order to see a profit, but there is nothing tangible to invest in. Other similar schemes are Ponzi schemes, chain letters, and multilevel marketing.

Despite the name, money mules are not good

The life of a money mule begins simply enough. An email arrives, often unsolicited, that asks whether or not you would like to change careers, receive copious amounts of money, and work unsupervised. Who wouldn’t want that? The job ads might call this position a payment processing manager, fund manager, transaction processing agent, or some other legitimate sounding name. Those who accept the position are instructed to transfer funds from one account to another, in the meantime gaining a percentage on the amount transferred. It seems like an easy job with more than adequate compensation so what’s the catch?

If you read the fine print you will see that this is just a basic money-laundering scheme. These money transfers the person engages in are illegal since the funds transferred are stolen. Those who participate could be fined or jailed. In the best case scenario, participating in such a scheme, even unknowingly, could result in a freezing of the victim’s account, while investigations go on.

There is another variation you should be aware of. Instead of transferring money over the wire some scams may ask you to deposit checks and then wire money elsewhere. The check will arrive in the mail and you go to cash it taking your promised percentage. The problem happens when the check bounces and the bank deducts the money from your account along with a fine after you have already wired the money elsewhere.

Beware of the irresistible offer

In this type of phishing, this dream of getting rich quick is exploited by informing you of your good fortune and how to make the dream come true.  Take, for example, an email from Williams and Williams Probate division saying you’ve inherited $1 million from your distant relative in the UK.  Elated and overtaken with joy at your good fortune, you are asked to provide bank and other personal information so that the money can be wired to your account.  As you wait for the money to arrive the attackers drain your account instead.

Interesting Phishing – Churches are targets – Beware!

Phishing has finally gotten more interesting.  I am tired of the Nigerian phishing schemes that continually enter into my mailbox.  In the last week, I have received two new phishing ploys.  I want to post them so that others will be aware of them and also to point out that phishing artists are becoming creative again.  Below are both messages.  Let’s take a look at both emails to find out how you can tell if it is a phishing message.


Message #1

My Beloved one In Christ,

Greeting’s in the name of my Lord Jesus Christ. I am Mrs Rebecca Thomas,69 years old widow & a new Christian convert, suffering from long time cancer of the blood (Leukaemia According to my doctor my condition is critical and I might not survive.

Although as a Christian, I believe in God and I know that I will not die, but will live to declare the glory of God. My late husband (Dr Martins Thomas) and my only son were killed during the ABIDJAN-BOUAKE Crisis some years back(take a look) Our Lord Jesus Christ is my only comforter.I have the sum of Five million, One hundred thousand US Dollars($5.1m) The fund is presently deposited with a financial company for security reasons and all the documents concerning the fund are in the custody of my lawyer.I inherited the money from my late husband who was an industrialist and international businessman. I have prayed concerning this donation for God’s guidance and if in your heart you genuinely and faithfully desire-to use this fund for the propagation of God’s work in any form whether for charity, ministry, evangelical work or otherwise in relation to God’s work, do get in-touch with me for further arrangements with my lawyer on how you will receive my Charity donation.God bless you once again and as you receive, give and give God all the Glory.

Remain blessed in the Lord Yours in Christ;

Mrs. Rebecca Thomas,DIVINE CALL.

This message appeals to Christians and those interested in taking money from Christians.  The first tip that this message is a fake can be found in the grammar errors.  There should be an ending bracket “)” after Leukaemia and the later placement of “(take a look)” just makes no sense.  The next hint can be found in the reply-to address.  The sending address is listed as mrs-rebeccat69@hotmail.com, but the reply-to address is mrs_rebecca@gawab.com.  Gawab.com is another free webmail service, but if you go to the site, you will notice that all the ads are in Arabic.  Wouldn’t this seem odd for a Christian woman named Rebecca Thomas to have an Arabic email account?  Lastly, who puts Mrs. before their name?  The only time you see a title before a name is when you are writing to someone else or when you are a doctor, teacher, or member of the clergy. (ex: Dr. Rev. Pastor. Prof.)
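The reply-to mismatch and the self-applied courtesy title described above are both visible in the message headers, so they can be checked before anyone reads the body. The following is an added example, not code from the original post: it parses a raw message with Python’s standard email module, compares the From and Reply-To domains, checks whether the sender’s display name starts with a title, and counts a few words typical of this kind of advance-fee story. SAMPLE_MESSAGE is constructed: the two addresses are the ones the post reports for Message #1, while the display name, Subject and the abridged body are made up for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Words that recur in advance-fee stories like Message #1 (assumed list for the demo).
STORY_WORDS = ("widow", "inherited", "donation", "lawyer", "us dollars")
COURTESY_TITLES = {"Mr", "Mrs", "Ms", "Miss"}


def _domain(address_header):
    """Mail domain of an address header value, or None if absent/unparseable."""
    if not address_header:
        return None
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def header_domains(raw_message):
    """Return (from_domain, reply_to_domain) for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return _domain(msg.get("From")), _domain(msg.get("Reply-To"))


def reply_to_mismatch(raw_message):
    """True when replies would go to a different mail domain than the apparent sender."""
    from_dom, reply_dom = header_domains(raw_message)
    return from_dom is not None and reply_dom is not None and reply_dom != from_dom


def score_message(raw_message):
    """Return the list of warning signs found; an empty list means none of these fired."""
    msg = message_from_string(raw_message)
    findings = []

    if reply_to_mismatch(raw_message):
        from_dom, reply_dom = header_domains(raw_message)
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")

    display_name, _ = parseaddr(msg.get("From", ""))
    first_word = display_name.split(" ")[0].rstrip(".") if display_name else ""
    if first_word in COURTESY_TITLES:
        findings.append("sender signs own name with a courtesy title")

    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [w for w in STORY_WORDS if w in body.lower()]
    if len(hits) >= 2:
        findings.append("advance-fee vocabulary: " + ", ".join(hits))

    return findings


# Constructed sample: addresses as reported in the post, everything else made up.
SAMPLE_MESSAGE = """\
From: Mrs. Rebecca Thomas <mrs-rebeccat69@hotmail.com>
Reply-To: mrs_rebecca@gawab.com
To: you@example.test
Subject: My Beloved one In Christ

I am Mrs Rebecca Thomas, 69 years old widow. I have the sum of Five million US Dollars
and all the documents are in the custody of my lawyer. Get in touch for arrangements.
"""

if __name__ == "__main__":
    for finding in score_message(SAMPLE_MESSAGE):
        print("-", finding)
```

The reply-to comparison is the one most worth wiring into a mail filter: a legitimate sender rarely asks for replies to go to an unrelated free webmail domain, and the check needs nothing but the headers.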


Message #2

Dear Friend,This letter confirms my understanding of the mutual present intent of my client (Jan Andrew Stecko), who wants to deal with you in respect to his investment portfolio in canada.

Mr. Jan Andrew Stecko is a British National you assisted some time ago during his active business life. One good turn deserves another he says, he gave us your names and mandate to work with you. He has chosen to entrust his investment portfolio to you as his apparent heir who will manage his resources as a result of his deteriorating health condition.

However, he was unable to provide us with your current address, but I carried out a detailed search on the names and location he provided from which I got your address. We hope that you are indeed who I are looking for and you will be willing to handle this brief in spite of your busy schedules.

Mr. Stecko is currently on a sick bed suffering severely from leukemia and stroke. He is unable to carry out his normal business activities effectively and needs you to act in his place as he is confident that you can manage his investment portfolio in charity work effectively.

Before his ailment struck, he was a philanthropist who was consistently involved in humanitarian projects and also the Executive Director of Gazprom Ltd., a gas company in Moscow Russia. He had most of his business activities in Russia, Canada, the United States of America and United Kingdom.

Over the years, I have worked indefatigably and uncompromisingly to locate any of his immediate relatives but to no avail hence, the need for this correspondence. Though I do not know you in person, I have decided to take this chance with you as instructed and hope you will not let us down. We would be delighted to have you as the apparent heir of my client to claim and manage his charitable investment portfolio in fulfillment of his last wishes.

Considering the volume of money involved in this transaction, there is need for us to have proof of your credibility and your age rang as proof of maturity. Please endeavor to provide us with detailed information about yourself and/or your business life that will enable us verify whether you are indeed the person he referred to have deserved another good turn who he always talked about.

Meanwhile, I have worked out the logistics and modalities of realizing this goal and details shall be discussed with you in due cause.

We need your courage and commitment to actualize this transaction and together I can make it happen.

My earliest response is imperative as my client is currently on life support hence he has a very limited time to live. We can be reached by phone, fax or email.

Thanking you for your attention in anticipation of your response ASAP!


Most Sincerely,

Marlene O’Malley,

Campbell Law firm

32-43 Chart Street,

4th Floor, London N1 6EF, United Kingdom.

Tel: +44 – 70 0596 8740

Fax: +44 – 70 0596 8744

E-mail: ma2malley@aol.co.uk

URL: http://www.campbell-law.co.uk

WARNING: The information on this email sent from a law firm and it may be legally privileged and confidential. If the reader of this message is not the intended recipient you are notified that any use, disclosure, copying or distribution of the information is prohibited. If you have received the message in error please notify us immediately, delete the original and all electronic copies, and destroy any hard copies.

This message also suffers from bad grammar and odd sentence structure.  Complex words are used when common words would make more sense. Indefatigably, for instance, means tirelessly.  I have never heard anyone use the word indefatigably in normal writing.  Consider the following example of an odd sentence structure:

“Considering the volume of money involved in this transaction, there is need for us to have proof of your credibility and your age rang as proof of maturity. Please endeavor to provide us with detailed information about yourself and/or your business life that will enable us verify whether you are indeed the person he referred to have deserved another good turn who he always talked about.”

We would usually write: Considering the amount of money involved in this transaction, please provide documentation of your identity and age.  A driver’s license or birth certificate will be satisfactory.

Then there is this sentence: “We need your courage and commitment to actualize this transaction and together I can make it happen.” It sounds like a poorly written motivational statement.  I also love this statement: “Thanking you for your attention in anticipation of your response ASAP!”

It is also odd to ask for this information since the law firm apparently knows who I am.  They also claim that their client did business with me in the past.  I know I never did business with him.  This might appeal to someone greedy which is a common appeal phishing emails use.  Both emails referenced Leukaemia, but I find this to be a coincidence.  Anyway, there are some other ways to determine that this is a phishing message, but I think I have pointed out enough.  Please do not be fooled by such messages.