Olympics – Scammers Exploit the Games

August 6, 2012

The official website of the London Olympics includes a “Stay Safe Online” page. The page contains a link to a list of hundreds of scams that use the Olympic Games as bait to trap the unwary. The most common scams are fraudulent email scams, where emails are sent falsely claiming to be from London 2012, or other organisations involved in the Games, but that are actually the first step in a fraud scam. They typically encourage the recipient to reveal information such as bank details or to part with money as an up-front payment in order to release a prize.

In order to help the public avoid fake Olympic websites, the official Olympics website offers a website validation tool.  Regrettably, at the time this posting is being written, that tool isn’t available.

A tool that is available is emailID from Iconix.  emailID marks real email from the London Olympics, making it easy to avoid fake Olympics emails.

Know Who.  No Doubt.  Use eMail ID.


Iconix Named to OTA 2012 Online Trust Honor Roll

June 8, 2012

ICONIX, Inc., has been named to the Online Trust Alliance (OTA) 2012 Honor Roll.  This designation is based on a composite trust score of security and privacy measures at hundreds of online sites. Designed to recognize leadership, the Honor Roll distinguishes Iconix as a “North Star” to inspire others. Of the companies evaluated by the non-profit, member-based OTA, less than 30% made the grade.

As part of the 2012 study, released June 6, 2012, OTA analyzed the adoption of key security and privacy initiatives, providing benchmark reporting and comparisons between key industry sectors including leading internet retailers, FDIC Top 100 Banks, and social networking sites. Other companies recognized by OTA include financial institutions such as Bank of America, PayPal and Wells Fargo, social networks such as Twitter and Zynga, online retailers such as Amazon.com, Apple, Buy.com, Costco and Walmart, and technology providers such as Microsoft and Symantec.

“Today’s businesses are stewards of ever-increasing amounts of users’ personal and sensitive data that necessitate the implementation of privacy and security best practices,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Being a member of the 2012 OTA Online Trust Honor Roll means ICONIX has demonstrated exceptional leadership and commitment towards online safety, to enhancing the vitality of the internet, and, most importantly, to consumer trust.”

“From the inception of ICONIX our focus has been to increase trust in online interaction, especially in email,” said Jeff Wilbur, vice-president of marketing at ICONIX. “We are proud to be recognized by OTA for the 2012 Online Trust Honor Roll, and we are committed to ongoing efforts to implement and promote technologies that will continue to improve users’ safety online.”

You can read the press release here.


Zappos Hacked: Customers Beware Phishing Scams

January 16, 2012

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to  craft very convincing fake email.  What they cannot do is use the real Zappos’s email servers.  You can easily identify real email really coming from Zappos by using a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


IRS Email Warns Of Phishing — Is the Warning Phishing?

January 12, 2012

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers.   Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email?  Did you notice these odd things about it?

Why would I open such an obviously fake email?  Because it isn’t fake — it is real.  I know it is real because I use the products of Iconix.  This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who.  No Doubt.   Use Email ID and SP Guard.


Apple Phishing Scam Alert

December 29, 2011

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.

Apple Phishing Scam

CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake. The grammar and spelling are correct and the message is formatted to look like a real Apple message. The email address that is displayed looks like it could be from Apple – “appleid@id.apple.com.” However, it isn’t real. Following the links will land at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON’T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


2012 Cyberattacks Predicted by IID

December 23, 2011

IID has released its predictions of the big cyberattacks for 2012.  Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their evil success.

Here are the IID predictions:

1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors.  Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.

2) Phishing – Elections altered — The 2012  U.S. presidential election year will create opportunities for deceiving voters and other skullduggery.  Cybercriminals are expected to  impersonate voting websites and political emails with phishing and malware attacks.  Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes.  There are also concerns about the security of voting machines.

3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.

4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPay is an example of this threat. More details surrounding this attack can be found at www.internetidentity.com/images/stories/docs/ecrime_trends_report-q4-2010_by_iid.pdf.

5) Spearphishing – Infrastructure attacks — IID predicts attacks on physical infrastructure. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.

This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the bad guys will use, there is little doubt that clever criminals will use current events and zero-day exploits to cause havoc.


FBI Denver Cyber Squad Warns of New Phishing Campaign

December 2, 2011

The FBI Denver Cyber Squad issued the following warning on November 23, 2011:

With the holiday shopping season upon us, the FBI Denver Cyber Squad would like to advise citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the “Zeus” malware called “Gameover.” The spam campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication.

After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well as to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).

Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as “pending” and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.

The FBI in Denver is asking all consumers to be cautious of opening communications from senders that would not normally send you e-mail or are not from the normal sender e-mail address.

This is the link to the original FBI Press Release: 
http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign


Phishers Use Cyber Monday for Scams

November 29, 2011

Computerworld reports that cybercriminals are using phishing scams to rip off consumers during this holiday shopping season. The bad guys are spoofing legitimate messages from real companies in order to deceive consumers. The criminals are sending fake shipping confirmations, fake Groupon and Living Social offers and fake social traffic. A common scam is a fake email about problems with a transaction, such as a delivery problem, a canceled order or direct deposit. Cloudmark has reproduced this example of a fake UPS email:

Computerworld quotes Cloudmark engineering director Angela Knox about details of the UPS-based phishing  scam.  This phishing scam lures recipients into either opening an attachment or clicking on a link to infect machines with malware.

“We’ve seen a number of variants in this campaign, some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’” said Knox in a blog post today.

The attached files are actually .zip archives that contain malware, said Knox, while the links lead to compromised or hacker-controlled websites that host attack code.

“With Cyber Monday kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive,” said Knox.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Xbox Live Phishing Scam — Microsoft Reimburses Ripped-off Users

November 25, 2011

The Guardian is reporting that Microsoft is giving refunds to Xbox Live subscribers who may have had their credit card information stolen in a phishing scam.   The Guardian describes the scam in its November 22, 2011 edition:

Reports are proliferating of Xbox Live users checking the credit card and bank account statements which they use to pay their Xbox Live subscriptions, and discovering payments which they did not make, generally over a period of months, which were used to buy Microsoft Points (the service’s currency which enables users to purchase extra downloadable content, games and in-game objects) which were then cashed in to buy downloadable content from EA Sports – specifically Ultimate Team Packs for its games FIFA 12, Madden and NBA.

EU provides more details about the scam on its website.

You receive an email that appears to be from EA concerning an Ultimate Team promotion. You click on the link in the email, go to what appears to be the Ultimate Team login page, and enter your account name and password. Two days later you discover all the gold players you’ve worked so hard for have disappeared.

This is the fake website that is launched from the phishing email:

EU advised that the official EA website uses the following URL:
http://www.ea.com/
Any other similar looking URL is not official and should not be clicked on.
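
The comparison this advice relies on, and that the CNET advice in the Apple post above also comes down to, can be automated. The following is an added example, not code from EA, CNET or Iconix: it pulls every link out of an HTML message body and checks the host each link really goes to against an allowlist. The allowlist contents, the rule that subdomains count as official, and the `.example` hosts in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as official. ea.com is the URL quoted in the post;
# apple.com and the "subdomains count as official" rule are added for this example.
OFFICIAL_DOMAINS = {"ea.com", "apple.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scheme_and_host(url):
    """Return (scheme, hostname); userinfo before '@' and the port are dropped."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "", ""

def is_official(host):
    # Match on a label boundary so "www.ea.com.login.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def audit_links(html):
    """Return [(href, real_host, [reasons])]; an empty reasons list means no finding."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        scheme, host = scheme_and_host(href)
        reasons = []
        if scheme not in ("http", "https"):
            reasons.append("not an http(s) link")
        if not is_official(host):
            reasons.append("host is not an official domain")
        shown = scheme_and_host(text)[1] if "://" in text else ""
        if shown and shown != host:
            reasons.append("visible text names a different host")
        results.append((href, host, reasons))
    return results

# Constructed sample message body (not taken from any real email).
SAMPLE = """<a href="http://www.ea.com/">http://www.ea.com/</a>
<a href="http://www.ea.com.login.example/ut">http://www.ea.com/</a>
<a href="http://www.ea.com@phish.example/">EA Ultimate Team</a>
<a href="https://id.apple.com/">My Apple ID</a>"""
```

Calling `audit_links(SAMPLE)` flags the second and third links: both show `www.ea.com` to the reader, but the host the browser would contact is a different domain.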

As this image from the EA website shows, the differences between the scam website and the real website are extremely subtle.

This is a close-up of the URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


SEC Issues Guidance on Cyber Risk Disclosure

October 19, 2011

On October 13, 2011, the United States Securities and Exchange Commission (SEC) issued formal guidance on how U.S. publicly traded companies should disclose cybersecurity risks and data exposure.  In the guidance, the SEC states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

Of course,  Iconix is not in the business of giving legal advice and we suggest that anyone interested in this topic should read the SEC formal guidance and consult with their attorneys.  We are in the business of providing technology that improves the integrity of email. For email correspondence with customers, we offer our Truemark service.  For internal email correspondence, we offer our SP Guard solution.

For further information on our email solutions, contact us at 408-727-6342, ext 3 or use our online form.

