Of Late, Twitter has been a target of lot of spam messages, but the most recent ones are pretty dangerous phishing attacks and can allow a spammer to access your Twitter username and password. Most recently Twitter phishing attacks have spread through DM messages like “You Seen What This Person is Saying About You Terrible Things” and “Somebody is Saying Real Bad Rumors About You“.

The new phishing attack is spreading on Twitter through messages like:

Hey this user is posting very bad rumors about you…

Hi someone is posting horrible rumors about you…

The messages above are accompanied with a link which takes you to a phishing website that looks very similar to Twitter. The websites’ URL is also made to look very similar to that of Twitter.

Once you are on the website, you will be asked to sign in to your Twitter account because your session has timed out. If you enter your username and password into the phishing page, the scammers will redirect you to Twitter and ask permission to install an app which will then send out the rogue message as a direct message to all your followers and continue spreading the phishing attack.

Please DO NOT enter you username and password since the scammers will then gain access to your account username and password. If you already have done so, make sure to change your Twitter password IMMEDIATELY. Also follow our guide to remove apps from Twitter to revoke permissions to the rogue app that you granted access to.

Please do share this page with your Twitter friends so that they are aware of this phishing attack.

A German court has ruled against a disgruntled client, who sued his bank over a phishing case. The client claimed to have lost €5,000 ($6,608) in a fraudulent transfer, where the amount was sent to an account in Greece. The Sparda Bank customer in question had entered his Transaction Authentication Number (TAN) code into a phishing website that was designed to look like his bank’s website.

A TAN code a one-time password that is used for two-factor authentication. Sparda Bank, or any other bank for that sake, warns its customers of phishing attacks repeatedly. In this case, the negligent user entered his TAN code into the phishing website over ten times. The bank’s argument in the case was- having to enter the code ten times should have raised an eyebrow.

One time password is a standard (though not quite secure) way of authentication used by many banks across the world. In Germany, Sparda Bank is one of the few bans to stick to the iTAN procedure. For most banks, these codes stay valid for a maximum of 24 hours after generation. However, in this case, the transaction occurred three months after the codes were entered into the phishing website. Surprisingly, the TAN codes were valid for over three months!

This case might create a new storyline in the world of phishing and let banks wash their hands off cases where they are actually guilty for lax security measures. Clearly, the bank too has a responsibility here, because once generated, its TAN codes are valid three months later, which should not be the case.

Negligent customers can and will blame banks for their losses in phishing cases. With reports of phishing attacks in Germany going up by 82% over the last year, perhaps it is time banks and all financial institutions up their security measures, to protect their users from the phishing industry.

Phishing is a popular method of social engineering employed by scammers. A scammer posing as someone else uses popular communication medium such as email or telephone to contact a victim and request confidential information. This information is used for purposes such as withdrawing money illegally from the victim’s account or even identity thefts.

Identifying a phishing email is easy if you keep in mind certain basic fine points. I will be explaining these points with the help of an old phishing mail that circulated around 2007.

1. Generic Salutation – Phishing emails usually begin with ‘Dear User’ or ‘Dear sir/madam’ rather than specific salutation used in legitimate important mails.

2. Time frame – Usually, a sense of urgency is portrayed in phishing emails in order to make the victim anxious so that he acts in haste.

3. Threat – A threat is generally associated with the time frame so that as mentioned above, the victim is forced to act in haste. Usual threats include cancellation of accounts, charging of credit cards etc.

4. Suspicious links/Request for confidential information – While some phishing mails ask the victim to reply with certain information such as credit card numbers or PIN, others provide a web page where the victim can enter this information.

If the email asks you to reply with your password or any other sort of confidential information, you can be absolutely sure that it is a phishing mail. No company will ever ask you to send your password or credit card number by email.

In case of email with links, see if the link is pointing to the location which it is supposed to. Phishers usually use a text which looks like a URL which is linked to a phishing page. For example, it will look like google.com, but it will be pointing to some other webpage. If you hover your mouse over the link, your browser will display the actual hyperlink.

You can also use a link scanner extension with your browser for extra security. I use the link scanner from Virus Total called VTChromizer. You just have to right click the link and select ‘Scan with Virus Total’. You can also use scanners from AVG, McAfee etc.

5. Poor language– Most probably, authors of phishing emails might not be someone you could depict as masters of the English language. So, there might be grammatical, punctuation and spelling mistakes. Although it is not necessary that every phishing email will have mistakes, most of them that I have seen was not perfect on the language side.

Another equally important way to fight phishing is to make sure that the email came from the right source. If you get an email from Amazon, check whether it came from something like no-reply@amazon.com rather than something like amazon@somesite.com.

All of today’s major email providers have spam filters that will detect phishing mails and all major browsers have anti-phishing features, such as, the ‘Smart Screen’ for IE9 which can effectively protect you from phishing attempts. And now, with these simple tips, you can hopefully detect those one or two phishing mails that sneak into your inbox.

According to a report from the Kaspersky Lab, a new phishing attack on Facebook has been discovered that primarily attempts to steal account information of Facebook users and compromise the account. The attackers then attempt to gather the financial information including credit card data and other sensitive information from the victim.

According to Kaspersky Lab’s David Jacoby, the attackers are not just tricking users to visit a phishing site, but are trying to scare them by sending them warning messages by using a fake “Facebook Security” account. The compromised accounts will be used to steal available personal information and then change both the profile picture and name to try the trick on other Facebook users.

The profile picture will be changed to the Facebook logo and the name will be changed to “Facebook Security” with special ASCII characters replacing the letters such as “a” “k” “S” and “t”. Here is a screen shot of the message sent from a fake account -

The message – “Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by: [LINK] Thank you. The Facebook Team,” is used as a warning message sent to users via Facebook Messages and Facebook Chat.

The link used in the message leads users to a phishing site. When we tried opening the page using Google Chrome, the following warning message was displayed – “Phishing sites trick users into disclosing personal or financial information, often by pretending to represent trusted institutions, such as banks.”

The site, however, is designed to look like a Facebook page and prompts the victim to enter the name, email address, password, security question, email account password, country, and date of birth. After having provided with all the information, the victim will be redirected to another page with the heading “Payment Verification” that asks for the first six digits of the victim’s credit card. Accordingly, in the following pages, the user is asked to enter the full credit card number along with the expiry date, CVV code (Security code), and the billing address.

If you’re an active Facebook user, then the most important thing that you must know is that Facebook never asks its users to enter their password(s), or credit card details. Check the URL of the site that you’re visiting and make sure it is genuine. Most of the sites that require users to enter any financial information, have a secured HTTPS connection, which are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems, which was not true in this case.

Also Read: Google Chrome Now Blocks Insecure Scripts on HTTPS

If you’ve been warned with such a message on Facebook, then ignore it. Alternatively, you can contact the Facebook Security team here and check if they sent the message or not. We have reported a similar Facebook Security Network Phishing Attack back in August 2011.

“These scams are just getting more popular and we really recommend not giving out personal information, especially not email, password and credit card information over social medias,” Jacoby wrote. “It is also recommend[ed] that you contact your security vendor and the social media vendor if you encounter these sites.”

According to a recent report from Internet security company Kaspersky Labs, India has become the top source of spam emails for the third quarter of 2011.

During this period, about 79.8% of total emails sent were spam and out of this, 14.8% originated in India. The second and third positions are also held by developing nations Indonesia with 10.6% and Brazil with 9.7%. All of the top ten sources are Asian, South American or Eastern European countries.

With limited or no laws at all to tackle the issue of spam, these countries have become the safe haven for criminals looking to exploit the internet community by spamming.

India’s huge internet user base (which is currently the third largest behind China and US) and lack of awareness among the general public about general security practices could have been the reason for India’s rise as the world’s spam capital.

Some of the other important details from the Kaspersky Spam Report are -

· In Q3 of 2011, the share of spam in mail traffic was down 2.7 percentage points compared to the previous quarter, averaging 79.8%.

· The percentage of fraudulent emails in spam traffic increased twenty times, reaching 2%.

· Asia and Latin America remain the most prominent sources of spam.

· The share of partner program spam went up 5.7 times, accounting for 29% of all spam.

· The percentage of emails with malicious attachments grew by 1.17 percentage points and averaged 5.03%.

· The share of phishing emails averaged 0.03%. Three social networks were among the Top 5 organizations targeted by phishers.

You can read the entire report here.

In spite of spirited efforts from email providers, browser developers, and security firms, phishing continues to be a major nuisance. There are already repositories like Phishtank that rely on crowdsourcing to identify phishing campaigns. However, crowdsourcing is not nearly nimble enough to tackle phishing scams that often require just a few hours to cause the intended damage.

Now, a new Cisco spinoff called Agari is trying to tackle the problem by combining multiple sophisticated approaches including authentication of the sender, message analysis, and end-to-end email channel visibility. Google, Microsoft, Yahoo, and AOL, who are amongst the biggest email providers, have joined hands to provide metadata about emails passing through their networks to Agari, which uses its cloud infrastructure to analyze more than 1.5 billion messages every day. It doesn’t receive the actual messages, but might receive suspicious links contained in the message along with miscellaneous metadata. Agari, which is launching today, has Facebook and some of the largest financial institutions, social networks, and ecommerce companies as its customers. Besides the aforementioned four email giants, file sharing website YouSendIt, social network LinkedIn, and Cisco are also part of its trust fabric network.

“Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo,” for instance, Daniel Raskin, vice president of marketing for Agari, explained to CNET. “They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don’t deliver it, reject it.”

Agari, which had been operating in stealth mode for the past couple of years, protects 50 percent of U.S. consumer e-mail traffic and more than one billion individual mailboxes. During its stealth phase, it rejected more than one billion messages across its email partners. Agari believes that by having end-to-end visibility over most messages it can rapidly react and stop phishing campaigns in their tracks.

Twitter users are being hit by a new phishing attack where affected users are sending DMs to their friends, which contain links to fake website that looks exactly like the Twitter login page.

If you receive a direct message on Twitter that says, “haha the look on your face in this pix is priceless! [LINK], DO NOT click on it. Clicking on the link will take you to a fake Twitter login page, where you will be asked to re-enter your username and password.

After clicking the link, notice the URL in the address bar of your browser. If a user provides the log-in credentials, the credential will be sent to the attackers, after which they will full control over the user’s account and can retweet the phishing message from that account.

There are a dozen of scams and phishing attacks that occur on Facebook and Twitter every day. We constantly report attacks like this, so that it helps users stay cautioned about it. Recently, another fake message that was spreading on Twitter stated Pics of Osama Bin Laden Are Finally Released

I suggest you to avoid clicking on the link and alert your followers about the attack. If you have accidently clicked on the link  and entered your login details, then change the password of your Twitter and all other accounts immediately. Also, contact your followers to avoid the message and ask them to change their account password as well.

To learn how you can avoid falling victim to a phishing scam and keeping your Twitter account secure, please read Twitter’s official guide to Keeping Your Account Secure. Here are some tips that will help you protect your Twitter account -

• Use a strong password.
• Watch out for suspicious links, and always make sure you’re on Twitter.com before you enter your login information.
• Use HTTPS for improved security.
• Don’t give your username and password out to untrusted third-parties, especially those promising to get you followers or make you money.
• Make sure your computer and operating system is up-to-date with the most recent patches, upgrades, and anti-virus software.

Sophos’ Graham Cluley explains a simple way of creating a complex hard-to-guess password – and how you should never use the same password on different sensitive websites.

Since the death of the most wanted criminal, terrorist leader Osama Bin Laden, there have been several scams and phishing attacks spreading on Facebook and Twitter, which claimed to show a leaked death videoof the terrorist.

For a while, scams and phishing attacks related to Osama Bin Laden had stopped, but now phishers are once again on the look for naive Twitter users, promising and tricking them to show leaked pictures of Osama Bin Laden.

Users on Twitter are tweeting (RT) a message that states – “Pics of Osama Bin Laden Are Finally Released! [LINK] ::wanring very gorry::”. The same message is spreading with simplified content – “Pictures of Osama Bin Laden [LINK] that leads to a page”

Clicking on the short URL will lead to a site which is a clone of Twitter home page. You are asked to login to Twitter by providing your username and password. Before you enter your login details, take a look at the URL in your browser’s address bar. You can see that it’s a fake URL and it is simply an attack to steal your login details.

If you enter your login credentials and click on Sign in button, your account details, including the password will be sent to the phisher via email. The phisher will then have complete control over your Twitter account, who can use your Twitter account by further spreading the scam message to your followers by tweeting and sending them private messages.

If you happen to use the same password in multiple places like Facebook and Gmail, it is likely that your other accounts might be compromised as well. This way, the phisher can steal more information for financial gain.

I suggest you to avoid clicking on the link and alert your followers about the attack. If you have mistakenly clicked on the link and entered your login details, then change the password of your Twitter and all other accounts immediately. Also, contact your followers to stop re-tweeting the message and ask them to change their account password as well.

Twitter has been a victim of  several  scams  in the  past, most of which were sent through direct messages (DM), however, the DM scams have come down considerably after Twitter employed a brilliant spam protection for DM messages. However, it looks like spammers have begun using the plain old email scams to trick users again.

Please feel free to retweet this post so that your friends and followers will be aware about the issue.

While surfing through Reddit this morning, I stumbled across an interesting submission from a Redditor going by the username “Tomble”. Apparently, Tomble received a standard PayPal phishing mail demanding personal information for “verification purposes”. However, unlike most of us, who would simply report it as a phishing attempt and be done with it, Tomble decided to do some snooping around.

Tomble noticed that the domain name had a structure similar to “http://www.example.net/~joe”, which indicated that the username for that domain’s control panel as well as ftp account was probably ‘joe’. He then decided to try his luck by assuming that the ftp address will be similar to the domain name. His guess turned out to be correct. He still didn’t know the ftp password. However, the domain indicated that this particular webspace was provided by an ISP. Hoping against hope that the webmaster hadn’t changed the default password, which is often just ‘password’, he entered ‘password’ as the ftp password. Amazingly, it worked, and Tomble managed to break into the server.

The website actually belonged to some clueless gentleman who probably had nothing to do with the scammer. The scammer probably managed to break into the server in the same way Tomble did, and planted a few PHP scripts to collect PayPal authentication information.

Tomble found all of this information stored in a single text file. So far, three gullible PayPal users had fallen for this scam. He immediately notified the concerned ISP. However, he didn’t receive any immediate response. On the other hand, two more users had fallen victim within the next thirty minutes.

Tomble now decided to intervene. He made a few modifications to the phishing website (see screenshot below). All of the victims, with the exception of one guy from Thailand, had left their phone numbers for verification purposes. Tomble emailed the Thai guy, and called up the other four with the following helpful suggestion.

Hi, my name’s Tomble, this might sound weird but I received a scam email pretending to be from PayPal this morning. I was able to follow it back and discovered your contact information there. You should contact your bank and let them know your credit card has been compromised, so they can protect you from fraudulent charges.

While one of the victims was initially suspicious, all of them eventually realized that Tomble was one of the good guys. In one case, he had to leave a message with the wife of the victim, who will probably find himself in some minor domestic trouble due to his gullibility.

It’s unfortunate that even today people are falling for phishing scams and Nigerian scams. Significantly, all of the victims were between the ages 39 and 60. While the younger ‘cyber-generation’ is by and large aware of the threats they face online, many from the older generations still need to be educated. Do you bit today, and educate your parents and grandparents about online security. As our fine Australian friend, Tomble, has shown, a little effort can go a long way.

The U.S. Government seems to be leaking a lot these days. After the WikiLeaks scandal, and the leak of the plan to stop leaks, we’ve heard about another leak. Two days before Christmas, an unknown number of government employees opened a greeting email that looked like it was from the White House. Normally, that’s no big deal, but this email contained a surprise gift.

Here’s what it said:

As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:

hxxp://xtremedefenceforce.com/[omitted]
hxxp://elvis.com.au/[omitted]

Merry Christmas!
___________________________________________
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

People clicking on the links in this phishing email, downloaded a trojan called ZeuS. If they installed it, their computers proceeded to send out all of the Word and Excel documents to a hacker’s website. It appears that this hacker only wanted information that he could later sell.

Here’s what the greeting card website looked like.

(image from KrebsOnSecurity)

I don’t think I should have to tell everyone this, but you should never have to download a greeting card. If you are asked to do this, exit the web page immediately.

Someone should have told the government employees about stuff like this. Very sensitive documents were stolen because the employees didn’t know about the high-risk practice of downloading from unknown websites.

Some of the documents were identified as coming from such places as the National Science Foundation, the Massachusetts State Police, the Financial Action Task Force, the Millennium Challenge Corporation, and many other .gov sites.

The US Government is now proposing that people use an Internet ID card to protect their privacy. Would you trust them to know how to guard   your private information?

[via krebsonsecurity]