When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.
The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.
Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).
Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.
Welcome to iCLOUD
Important information for MobileMe members.
Dear MobileMe member,
Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.
Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.
Click here to update iCLOUD
The Apple store Team
If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.
Yes, it’s a phishing website.
And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.
Crumbs! Imagine the harm a fraudster could cause with all that information.
Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.
By Graham Cluley @ nakedsecurity.sophos.com
One that I have seen crop up a lot, is appearing in the status updates of Facebook users with phrases like:
This horrific photo forced photographer to kill himself! http://tinyurl.com/VerySadPhoto
This horrific photo forced photographer to kill himself! http://tinyurl.com/HorriblePic
Clicking on links like these can take you to Facebook pages with names such as “Man Commits Suicide 3 Days After Taking This Photo”.
These Facebook pages force you to first “Like” them and then republish the link on your own Facebook page (advertising it to your online friends) before you eventually get to see the photograph.
Just ask yourself this – do you really want to recommend a page to your friends, before you know what lies behind it? For all you know, you could be passing on a link which will ultimately take your online pals to a phishing page or malware.
As it happens, the pages are lying in any case.
The photograph – of an emaciated young girl in Sudan – was taken in March 1993 by prize-winning South African photo-journalist Kevin Carter. Carter did kill himself – but it was over a year later in South Africa, not three days after the photo was taken as claimed by the Facebook links.
You can probably imagine, however, that people would easily agree to publish the link to all their friends – in their morbid interest to see the photo – and thus help it spread quickly.
In fact, it’s no surprise that links like these are spreading so quickly and virally across Facebook, when popular pages such as “I like your makeup…LOL JK, it looks like you got gangbanged by Crayola” (currently 1.7 million fans and counting) have republished it to all of their followers.
There are a number of Toolbars out there in the wild with a nasty sting in the tail for anybody using them to login to Facebook. We’ve seen two of these so far; it’s possible there are more.
Promoted as toolbars that allow you to cheat at popular Zynga games such as Mafia Wars, they appear to be normal at first glance with a collection of links to various websites and other features common to this type of program.
Should the end-user hit the “Facebook” button, however, things start to go wrong very quickly. In testing, what opened up for us wasn’t the real Facebook login screen – it was a verified Facebook Phish.
Taken to apps-facebook-inthemafia(dot)tk, only the anti-phish protection in both IE and Firefox would probably have saved the end-user from entering their details into the fake page. mafiamafiamafiamafia(dot)t35(dot)com was also flagged on Phishtank, and it looks like we arrived just in time to catch the suspicious activity taking place because the t35 URL was deactivated shortly after.
The story doesn’t end there, however – once the above domain went down at around 5:20 GMT, it was around 90 minutes or less before the toolbars were now pointing to a fresh URL!
As you can see from the above screenshot, the toolbars now took end-users to apps-inthemafias-facebook(dot)tk, which was a cover for another t35 URL: mafiawars200uk(dot)t35(dot)com. Again, it wasn’t too long before the domain looked like this:
Currently, the toolbars we have point to the real Facebook URL – the obvious danger is that they could suddenly switch to another fake site and continue harvesting Facebook logins. I’ve reported both Toolbars (which can be created by anyone through this Community Toolbar form) to Conduit, and hopefully action will be taken shortly. If we see any new phish pages linked to, I’ll update this entry.
For now, some handy tips:
1) If you install a toolbar from the ourtoolbar(dot)com domain, pay attention to what kind of toolbar it is. Does it promise “cheats” for Zynga games? If so, you might want to avoid logging into Facebook by clicking buttons on the toolbar itself.
2) If you do click a Facebook button on one of these toolbars, are you taken to a .tk domain? If so, check at the bottom of the page – the phish page creators are a little lazy, and have left a rather large clue that you’re not on the real Facebook site:
Adverts and a T35 hosting notice – probably a bit of a giveaway (you can also View Source in your browser and confirm you’re on a T35 domain and not Facebook).
We detect this as Trojan.Fbphishbar. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.
by paperghost at sunbeltblog.blogspot.com
Last Thursday, an anonymous user posted details of over 10,000 accounts – with addresses starting with the letters A or B – on a developer site.
Although the precise cause of the leak is still unclear, Microsoft said that once it had learned of the issue, it requested that the credentials were removed and launched an investigation.
A spokesperson said in a statement: “As part of that investigation, we determined that this is not a breach of any Microsoft servers.”
The statement added: “Subsequently we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.”
Microsoft also said that phishing was an industry-wide problem, and advised users to keep anti-virus software up to date as well as renew passwords every 90 days.
IT security firm Sophos said that users of Microsoft’s online services should change their passwords, and the fact that the accounts began with A or B suggested that it could be the “tip of the iceberg”.
“My recommendation for users of Microsoft’s online services is to change your passwords immediately,” said Sophos senior security advisor Chester Wisniewski in a statement.
“You are better to be safe than sorry, and password rotation is something we are often too lazy to do,” he added.
By Asavin Wattanajantra from itpro.co.uk
A recent phishing scam resulting in usernames and passwords of Microsoft’s Hotmail, Google’s Gmail, and possibly accounts of AOL and Yahoo users being posted online is cause for concern for anyone who uses any of those services. Rather than panic, though, there are simple ways to avoid becoming a victim or being further victimized, if your account has already been compromised.
Microsoft and Google said the compromised information likely came as a result of a phishing scam, through which millions of people are sent e-mail (often warnings about a fake security breach), asking them to click on a link to take them to a Web site so that they can enter their correct information.
When phishing attacks first became prevalent, the fake sites were often crude imitations of the real things, but these days, they can look exactly like the legitimate site, typically of a bank, a payment service such as eBay’s PayPal, or another financial company. When the user logs in with a username and password, or provides credit card numbers and other confidential data, that information is captured by the e-mail senders, who can use it to impersonate the victims.
In addition to someone being able to read your messages, a risk of having your e-mail account compromised is that many sites will send a lost password to an e-mail address, so if criminals can access your e-mail, they might be able to use it to get passwords from other sites, including financial accounts.
BBC News is reporting that it has seen lists containing more than 30,000 names and passwords, some of which “appear to be old, unused or fake,” but “many–including Gmail and Hotmail addresses–are genuine.” To put this into context, Gmail and Hotmail sites had more than 84 million unique visitors in July. Yahoo Mail had more than 156 million unique visitors, according to ComScore.
Here’s some advice that can help you avoid becoming a phishing victim.
Change passwords regularly
Even if this particular breach hadn’t occurred, many experts recommend that you change your password about every three months. This is as good a time as any to do just that. It’s also a good idea to avoid using the same password on multiple sites, but if you’re one of the many people who have done that, be sure to change your password elsewhere. Gmail asks users to provide them with an alternate e-mail address, so be sure to change the password for that account as well.
As I pointed out in this post about password security, consider using a password manager like LastPass (free) or RoboForm that can generate and manage strong passwords.
If you get an e-mail that appears to be from a legitimate site with a request that you click on a link to visit the site for any reason, including updating your security information, think before you click. It might be taking you to a rogue site that captures that information for possible identity theft or other crime. It’s safer to just type in the URL yourself. Be extremely wary of any requests to provide Social Security numbers or credit card information, unless you’re absolutely sure that you’re dealing with a legitimate site. When visiting a site, make sure that the URL is that of the organization.
Look for secure sites
If you’re asked to provide sensitive information such as a credit card number, be sure that the URL begins with “https” (the “s” stands for “security”) and that there is a padlock icon, typically in the lower-right corner of the browser.
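To make the checks described in this section (and the .tk-domain tip in the toolbar post above) concrete, here is an added Python example that is not part of any of the original articles. It pulls links out of a message and flags the tells the posts describe: a brand name in the hostname whose registrable domain the brand does not own (the apps-facebook-inthemafia.tk pattern), a plain http link, a .tk domain, and a link shortener that hides the destination. The brand allowlist, the sample e-mail and its .example link are constructed for the demonstration, and the registrable-domain helper is a two-label approximation rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains for the brands the scams on this
# page impersonate. A real deployment would maintain this per brand.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com", "me.com"},
    "facebook": {"facebook.com"},
    "microsoft": {"microsoft.com", "live.com", "hotmail.com"},
}

# Link shorteners hide the real destination (the Facebook bait above used tinyurl).
SHORTENERS = {"tinyurl.com"}

# TLD the toolbar post observed phishing pages on; a risk signal, not proof.
RISKY_TLDS = {"tk"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is available offline, so co.uk-style
    suffixes are not handled; good enough to illustrate the check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Return a finding dict; an empty 'reasons' list means nothing suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    reasons = []

    # Sensitive data should only travel over https (the padlock advice above).
    if parsed.scheme != "https":
        reasons.append("not https")

    # Brand name present in the hostname while the registrable domain is not one
    # the brand owns: exactly the 'apps-facebook-inthemafia.tk' pattern.
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and reg not in owned:
            reasons.append(f"'{brand}' in hostname but registrable domain is {reg}")

    if reg in SHORTENERS:
        reasons.append("link shortener hides destination")

    if tld in RISKY_TLDS:
        reasons.append(f"free .{tld} TLD")

    return {"url": url, "host": host, "registrable_domain": reg, "reasons": reasons}


def scan_message(body):
    """Extract every http(s) link from an e-mail body and assess each one."""
    return [assess_url(u) for u in URL_RE.findall(body)]


# Constructed sample e-mail body modelled on the MobileMe bait quoted above;
# the first link uses the reserved .example TLD and is not a real site.
SAMPLE_EMAIL = """Dear MobileMe member,
Please sign up for iCloud: http://icloud-update.apple-store-team.example/submit
Manage your real account at https://www.apple.com/
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{status:10} {finding['url']}  {'; '.join(finding['reasons'])}")
```

The brand check is deliberately strict: a hostname that merely contains a brand word is treated as impersonation unless its registrable domain is on the allowlist, which is the same judgement the article asks readers to make by eye when it says the URL must be that of the organization.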
Use a phishing filter and good antimalware software
The most recent versions of most browsers, including Microsoft’s Internet Explorer and Mozilla’s Firefox, help filter phishing sites, as do security suites from McAfee, Symantec, TrendMicro, and other companies. Security software also helps protect you against malicious software that can log your keystrokes, or otherwise jeopardize your privacy and security. Make sure that your security software and your operating system are up-to-date.
If something seems too good to be true, it’s almost invariably too good to be true. Think about what you’re about to do on any site you visit, especially if it’s a site you don’t already trust. Never use the same password on an unknown site that you use for e-mail, banking, or other sites where security is essential.
The U.S. Department of Homeland Security’s National Cyber Alert System has additional tips to help you avoid phishing and other social engineering attacks, and ConnectSafely.org has tips to create and manage strong passwords.
by Larry Magid from CNET
We have received samples of a new phishing mail targeting users of MSN Messenger inviting them to see who deleted or blocked them from their contact list. Users would be interested to know who among their friends have deleted them from their lists.
Figure 1. Phishing email
Clicking on the link displays the following fake login page asking the user to input his or her password:
Figure 2. Phishing website
It is obvious that the intention of the cybercriminals is to harvest the user’s MSN Messenger login credentials. Afterwards, they can continuously send spam messages from the account or, worse, use the account for other malicious purposes.
Getting in touch with friends is now much easier than before. Because of the growth of social networking sites, we can stay connected with our old friends, or even find new ones. This may include reading the profile pages of other members, sending and receiving invitations to fun games, videos and other applications. However, users must be on guard when interacting within online social networks. Spammers are now abusing these in their phishing attacks.
Always be mindful in accepting “invitations”, especially when it concerns your personal information. This particular spam message, and the associated website, are already blocked by Trend Micro products via the Smart Protection Network.
by Merianne Polintan (Anti-spam Research Engineer)
It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before.
Earlier this week, however, Trend Micro researcher Rik Ferguson found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s legitimate Facebook profile, as shown below. The links to the malicious site are highlighted:
Figure 1. Facebook notifications page
After entering the credentials, users would then be redirected to Facebook itself. (The posts detailing these findings can be found at the Counter Measures blog; the initial report is here and a follow-up was posted here.)
While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.
Image credits: thanks to Rik Ferguson, Countermeasures blog.