Tag Archives: Phishing

India’s CLAT Exam Leaks Applicant’s Emails, Leads to Phishing Scam

CLAT-Law-Exam-IndiaPrivacy and internet aren’t exactly best friends. In fact, it might well be better to assume that as long as you are on the web, you will suffer from an unexpected privacy breach sooner or later – whether it is due to your own naiveté or due to third party security mishaps. However, that doesn’t make irresponsible, careless, and purposeful data leaks any less aggravating. Today’s offender is CLAT or Common Law Admission Test.

CLAT is a fiercely competitive centralized test for admission to prominent National Law Universities in India. Last month, CLAT closed its application procedure. Soon after, in an amazingly dumb headed move, it mailed all applicants a PDF titled “3. Online Applications (UG) Submitted till 30th March 2013”. Here’s a look at its content.

CLAT-Email-Leak

Yes, someone in CLAT thought that it was perfectly appropriate to dispatch the full list of more than eighteen thousand candidates along with their email ids in a PDF. Now I understand that CLAT probably has more lawyers than technically minded folks, but it’s shocking that no one in its technical team acted to stop this amazingly boneheaded move. For good measure, CLAT also uploaded this document to its website (where it is still available).

Now, an email address isn’t very high on the list of sensitive information. However, in the wrong hands it can be misused. And, misused it was. Over the past few weeks, candidates listed in the document have been receiving mails appearing to be from [email protected], claiming to be sent by Dr. Dipak Das, Registrar In-Charge of Hidayatullah National Law University, Raipur and the Convenor of CLAT-2013. The mails ask the Candidates to immediately deposit Rs. 2000, in order to avoid cancellation of their application due to non-payment of fees. Considering the state of the candidates mind, and the relevance of the message, it’s not surprising that many have fallen victim to the phishing scam. Thankfully, the scammer in this particular case was naïve enough to demand a money transfer to an SBI (State Bank of India) account, which should be easily traceable. CLAT might not have a lot of technical expertise or common sense. However, one thing it does have is access to plenty of lawyers. Unsurprisingly, CLAT-2013/Hidayatullah National Law University, Raipur, is taking necessary legal steps.

(hat tip: Sameer Gupta)

Beware of “Page Security Team” Phishing Attack on Facebook

A new phishing attack has been discovered on Facebook that targets and tricks Facebook Page owners into entering their Facebook password and email address. This is perhaps one the trickiest phishing attack I’ve come across in the last few months.

If you are a Facebook Page owner and have received a message that asks you to verify your Facebook account, then ignore it. The scam message spreading through Facebook Messages is as follows:

We have reviewed the suspension of your Page. After reviewing your page activity, it was determined that you were in violation of our Terms of Service. We have provided a warning to you via email, but you have not responded to our notifications. Therefore, your account might be permanently suspended.

At the bottom, it says that “Verify your account at the link below: [link].” This message is a scam and do not click or open any links provided. The link actually leads to a Facebook application and is not a Facebook Security Page. Once you click on the “verify your account” link, you will be directed to a malicious Facebook app page where you are asked to provide your page name, email address or phone number, and password.

The ‘Facebook Verification’ form of the Page Security Team phishing attack app looks as shown below:

Facebook Phishing Attack

The details entered will be directly sent to the developer of the app. It is advised that you avoid clicking the link. If in case you have already fallen victim to this scam message, it is highly recommended that you change the password of your Facebook account immediately. Alternatively, you can also visit the Facebook Help Center and try to reclaim your account if it has already been compromised.

Last year, we reported that spammers created fake ‘Facebook Security’ accounts created to send phishing messages that primarily attempted to steal account information from Facebook users. It is always recommended not to click on any links on Facebook. You cab bookmark Techie Buzz Facebook Scams and stay updated with the latest scams spreading on Facebook.

[via]

Phishing 2.0; Phishing Without Fake Webpages

Nowadays everyone will be familiar with phishing attacks. It is basically the process of obtaining confidential information from a person by communicating with the victim (using emails, phone calls etc.) posing as someone else. The typical phishing attack includes creating a fake login page, storing them in a server and emailing the victim with the fake login page link. Now a new research paper from InfoSec student, Henning Klevjer shows how a hacker can create phishing attacks without the need for storing the fake login page on a server.

This method uses URI or universal resource identifier which is basically a string of characters that are used to identify a name or a resource. Using URI, the required data (the code for login page in this case) is stored within the URI with the following scheme

data:[<mediatype>][;base64],<data> 

Here <data> will contain the fake login page. The procedure for creating a phishing URI starts with creating a login page using the code from the original page.  The original code is modified accordingly so that the entered data such as password are sent to a location as desired  by the hacker. This page is then encoded using a scheme called Base64. Base64 is a method of encoding binary data to ASCII format which will increase the data size by around 33%. The next and the final step is to append this information to the URI.

The final URI will be extremely long and suspicious looking one. But as all browsers support legacy URI schemes, it will be rendered properly, as long as it doesn’t extend more than the maximum URL limit allowed by the browser.

Although, the large URI can be masked using a URL shortening service, Henning states that this method has some major limitations thanks to implementation of data URIs in Chrome and Internet Explorer.

You can read more about this method here(PDF).

Via: Naked Security

Watch out for Fake Facebook Photo Tag Emails

Not every Facebook user has fair knowledge about how they are being tricked into sharing their Facebook information with spammers. Some install rogue applications, while some click on spam links. Of late, users are being tricked by a fake email, which appears to be a “notification” from Facebook, but with a fake email id with an extra “o” in it.

The fake email id – notification(at)facebooo(dot)com has an extra “o” in the domain name. Users generally do not notice this and tend to believe that the email is genuinely from Facebook. The email contains a message indicating that the user has been tagged in a photo on Facebook. It also contains two button links “See Photo” and “Go to Notifications,” which when clicked, activates and runs a malware program automatically, reports Sophos.

Here is an example of what the email looks like:

Facebook Fake Photo Tag Notification Email

Subject: Christine McLain Gibbs tagged a photo of you on Facebook

From: Facebook <[email protected]>

Clicking the link provided in the email will not take you to your Facebook account; instead it will redirect you to a bogus web page that is hosting a malware program. The malicious grogram is designed to put your computer at high risk using the Blackhole exploit kit. Seconds after that, you will be redirected to a random Facebook profile page.

Security firm SophosLabs, have investigated on this and concluded with the detection of the malware as Troj/JSRedir-HW. Read more about the malware here.

If you receive any email that is claiming to be coming from Facebook, then make sure you check the email details before clicking on any of links embedded in it. The best practice is to ignore the email and go to your Facebook profile directly t check for notifications.

Back in January, we reported that spammers created fake ‘Facebook Security’ accounts created to send phishing messages that primarily attempted to steal account information from Facebook users. It is always recommended not to click on any links on Facebook. You cab bookmark Techie Buzz Facebook Scams and stay updated with the latest scams spreading on Facebook.

Hey This User is Posting Very Bad Rumors About You – Twitter Phishing

Of Late,  has been a target of lot of spam messages, but the most recent ones are pretty dangerous phishing attacks and can allow a spammer to access your Twitter username and password. Most recently Twitter phishing attacks have spread through DM messages like “You Seen What This Person is Saying About You Terrible Things” and “Somebody is Saying Real Bad Rumors About You“.

The new phishing attack is spreading on Twitter through messages like:

Hey this user is posting very bad rumors about you…

Hi someone is posting horrible rumors about you…

The messages above are accompanied with a link which takes you to a phishing website that looks very similar to Twitter. The websites’ URL is also made to look very similar to that of Twitter.

twitter_phishing_dm_attack

Once you are on the website, you will be asked to sign in to your Twitter account because your session has timed out. If you enter your username and password into the phishing page, the scammers will redirect you to Twitter and ask permission to install an app which will then send out the rogue message as a direct message to all your followers and continue spreading the phishing attack.

Please DO NOT enter you username and password since the scammers will then gain access to your account username and password. If you already have done so, make sure to change your Twitter password IMMEDIATELY. Also follow our guide to remove apps from Twitter to revoke permissions to the rogue app that you granted access to.

Please do share this page with your Twitter friends so that they are aware of this phishing attack.

German Court Rules Against a Bank Client in a Phishing Case

A German court has ruled against a disgruntled client, who sued his bank over a phishing case. The client claimed to have lost €5,000 ($6,608) in a fraudulent transfer, where the amount was sent to an account in Greece. The Sparda Bank customer in question had entered his Transaction Authentication Number (TAN) code into a phishing website that was designed to look like his bank’s website.

phishingA TAN code a one-time password that is used for two-factor authentication. Sparda Bank, or any other bank for that sake, warns its customers of phishing attacks repeatedly. In this case, the negligent user entered his TAN code into the phishing website over ten times. The bank’s argument in the case was- having to enter the code ten times should have raised an eyebrow.

One time password is a standard (though not quite secure) way of authentication used by many banks across the world. In Germany, Sparda Bank is one of the few bans to stick to the iTAN procedure. For most banks, these codes stay valid for a maximum of 24 hours after generation. However, in this case, the transaction occurred three months after the codes were entered into the phishing website. Surprisingly, the TAN codes were valid for over three months!

This case might create a new storyline in the world of phishing and let banks wash their hands off cases where they are actually guilty for lax security measures. Clearly, the bank too has a responsibility here, because once generated, its TAN codes are valid three months later, which should not be the case.

Negligent customers can and will blame banks for their losses in phishing cases. With reports of phishing attacks in Germany going up by 82% over the last year, perhaps it is time banks and all financial institutions up their security measures, to protect their users from the phishing industry.

Anatomy of a Phishing Email

Phishing is a popular method of social engineering employed by scammers. A scammer posing as someone else uses popular communication medium such as email or telephone to contact a victim and request confidential information. This information is used for purposes such as withdrawing money illegally from the victim’s account or even identity thefts.

Identifying a phishing email is easy if you keep in mind certain basic fine points. I will be explaining these points with the help of an old phishing mail that circulated around 2007.

clip_image002

1. Generic Salutation – Phishing emails usually begin with ‘Dear User’ or ‘Dear sir/madam’ rather than specific salutation used in legitimate important mails.

2. Time frame – Usually, a sense of urgency is portrayed in phishing emails in order to make the victim anxious so that he acts in haste.

3. Threat – A threat is generally associated with the time frame so that as mentioned above, the victim is forced to act in haste. Usual threats include cancellation of accounts, charging of credit cards etc.

4. Suspicious links/Request for confidential information – While some phishing mails ask the victim to reply with certain information such as credit card numbers or PIN, others provide a web page where the victim can enter this information.

If the email asks you to reply with your password or any other sort of confidential information, you can be absolutely sure that it is a phishing mail. No company will ever ask you to send your password or credit card number by email.

In case of email with links, see if the link is pointing to the location which it is supposed to. Phishers usually use a text which looks like a URL which is linked to a phishing page. For example, it will look like google.com, but it will be pointing to some other webpage. If you hover your mouse over the link, your browser will display the actual hyperlink.

clip_image004

You can also use a link scanner extension with your browser for extra security. I use the link scanner from Virus Total called VTChromizer. You just have to right click the link and select ‘Scan with Virus Total’. You can also use scanners from AVG, McAfee etc.

5. Poor language– Most probably, authors of phishing emails might not be someone you could depict as masters of the English language. So, there might be grammatical, punctuation and spelling mistakes. Although it is not necessary that every phishing email will have mistakes, most of them that I have seen was not perfect on the language side.

Another equally important way to fight phishing is to make sure that the email came from the right source. If you get an email from Amazon, check whether it came from something like no-reply@amazon.com rather than something like [email protected]

All of today’s major email providers have spam filters that will detect phishing mails and all major browsers have anti-phishing features, such as, the ‘Smart Screen’ for IE9 which can effectively protect you from phishing attempts. And now, with these simple tips, you can hopefully detect those one or two phishing mails that sneak into your inbox.

Fake ‘Facebook Security’ Account Used to Send Phishing Messages

According to a report from the Kaspersky Lab, a new phishing attack on Facebook has been discovered that primarily attempts to steal account information of Facebook users and compromise the account. The attackers then attempt to gather the financial information including credit card data and other sensitive information from the victim.

According to Kaspersky Lab’s David Jacoby, the attackers are not just tricking users to visit a phishing site, but are trying to scare them by sending them warning messages by using a fake “Facebook Security” account. The compromised accounts will be used to steal available personal information and then change both the profile picture and name to try the trick on other Facebook users.

The profile picture will be changed to the Facebook logo and the name will be changed to “Facebook Security” with special ASCII characters replacing the letters such as “a” “k” “S” and “t”. Here is a screen shot of the message sent from a fake account –

Facebook Security Phishing Attack

The message – “Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by: [LINK] Thank you. The Facebook Team,” is used as a warning message sent to users via Facebook Messages and Facebook Chat.

The link used in the message leads users to a phishing site. When we tried opening the page using Google Chrome, the following warning message was displayed – “Phishing sites trick users into disclosing personal or financial information, often by pretending to represent trusted institutions, such as banks.”

The site, however, is designed to look like a Facebook page and prompts the victim to enter the name, email address, password, security question, email account password, country, and date of birth. After having provided with all the information, the victim will be redirected to another page with the heading “Payment Verification” that asks for the first six digits of the victim’s credit card. Accordingly, in the following pages, the user is asked to enter the full credit card number along with the expiry date, CVV code (Security code), and the billing address.

Payment Verification - Fake

If you’re an active Facebook user, then the most important thing that you must know is that Facebook never asks its users to enter their password(s), or credit card details. Check the URL of the site that you’re visiting and make sure it is genuine. Most of the sites that require users to enter any financial information, have a secured HTTPS connection, which are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems, which was not true in this case.

Also Read: Google Chrome Now Blocks Insecure Scripts on HTTPS

If you’ve been warned with such a message on Facebook, then ignore it. Alternatively, you can contact the Facebook Security team here and check if they sent the message or not. We have reported a similar Facebook Security Network Phishing Attack back in August 2011.

“These scams are just getting more popular and we really recommend not giving out personal information, especially not email, password and credit card information over social medias,” Jacoby wrote. “It is also recommend[ed] that you contact your security vendor and the social media vendor if you encounter these sites.”

India becomes the top source of Spam emails in Q3 2011

spamAccording to a recent report from Internet security company Kaspersky Labs, India has become the top source of spam emails for the third quarter of 2011.

During this period, about 79.8% of total emails sent were spam and out of this, 14.8% originated in India. The second and third positions are also held by developing nations Indonesia with 10.6% and Brazil with 9.7%. All of the top ten sources are Asian, South American or Eastern European countries.

spam_countries

With limited or no laws at all to tackle the issue of spam, these countries have become the safe haven for criminals looking to exploit the internet community by spamming.

India’s huge internet user base (which is currently the third largest behind China and US) and lack of awareness among the general public about general security practices could have been the reason for India’s rise as the world’s spam capital.

Some of the other important details from the Kaspersky Spam Report are –

· In Q3 of 2011, the share of spam in mail traffic was down 2.7 percentage points compared to the previous quarter, averaging 79.8%.

· The percentage of fraudulent emails in spam traffic increased twenty times, reaching 2%.

· Asia and Latin America remain the most prominent sources of spam.

· The share of partner program spam went up 5.7 times, accounting for 29% of all spam.

· The percentage of emails with malicious attachments grew by 1.17 percentage points and averaged 5.03%.

· The share of phishing emails averaged 0.03%. Three social networks were among the Top 5 organizations targeted by phishers.

You can read the entire report here.

Google, Microsoft, Yahoo and AOL Team Up to Combat Phishing

In spite of spirited efforts from email providers, browser developers, and security firms, phishing continues to be a major nuisance. There are already repositories like Phishtank that rely on crowdsourcing to identify phishing campaigns. However, crowdsourcing is not nearly nimble enough to tackle phishing scams that often require just a few hours to cause the intended damage.

Now, a new Cisco spinoff called Agari is trying to tackle the problem by combining multiple sophisticated approaches including authentication of the sender, message analysis, and end-to-end email channel visibility. Google, Microsoft, Yahoo, and AOL, who are amongst the biggest email providers, have joined hands to provide metadata about emails passing through their networks to Agari, which uses its cloud infrastructure to analyze more than 1.5 billion messages every day. It doesn’t receive the actual messages, but might receive suspicious links contained in the message along with miscellaneous metadata. Agari, which is launching today, has Facebook and some of the largest financial institutions, social networks, and ecommerce companies as its customers. Besides the aforementioned four email giants, file sharing website YouSendIt, social network LinkedIn, and Cisco are also part of its trust fabric network.

Agari

“Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo,” for instance, Daniel Raskin, vice president of marketing for Agari, explained to CNET. “They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don’t deliver it, reject it.”

Agari, which had been operating in stealth mode for the past couple of years, protects 50 percent of U.S. consumer e-mail traffic and more than one billion individual mailboxes. During its stealth phase, it rejected more than one billion messages across its email partners. Agari believes that by having end-to-end visibility over most messages it can rapidly react and stop phishing campaigns in their tracks.