Zappos Hacked: Customers Beware Phishing Scams

January 16, 2012

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to craft very convincing fake email. What they cannot do is use the real Zappos email servers. You can easily tell which email really comes from Zappos by using a tool that identifies real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


IRS Email Warns Of Phishing — Is the Warning Phishing?

January 12, 2012

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers. Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email?  Did you notice these odd things about it?

Why would I open such an obviously fake email?  Because it isn’t fake — it is real.  I know it is real because I use the products of Iconix.  This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who.  No Doubt.  Use eMail ID and SP Guard.


Apple Phishing Scam Alert

December 29, 2011

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.

Apple Phishing Scam

CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake. The grammar and spelling are correct and the message is formatted to look like a real Apple message. The email address that is displayed looks like it could be from Apple: “appleid@id.apple.com.” However, it isn’t real. Following the links will land at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON’T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


2012 Cyberattacks Predicted by IID

December 23, 2011

IID has released its predictions of the big cyberattacks for 2012.  Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their evil success.

Here are the IID predictions:

1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors.  Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.

2) Phishing – Elections altered — The 2012  U.S. presidential election year will create opportunities for deceiving voters and other skullduggery.  Cybercriminals are expected to  impersonate voting websites and political emails with phishing and malware attacks.  Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes.  There are also concerns about the security of voting machines.

3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.

4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPay is an example of this threat. More details surrounding this attack can be found at www.internetidentity.com/images/stories/docs/ecrime_trends_report-q4-2010_by_iid.pdf.

5) Spearphishing – Infrastructure attacks. IID predicts attacks on physical infrastructure. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.

This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the bad guys will use, there is little doubt that clever criminals will use current events and zero-day exploits to cause havoc.


FBI Denver Cyber Squad Warns of New Phishing Campaign

December 2, 2011

The FBI Denver Cyber Squad issued the following warning on November 23, 2011:

With the holiday shopping season upon us, the FBI Denver Cyber Squad would like to advise citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the “Zeus” malware called “Gameover.” The spam campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication.

After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).

Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as “pending” and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.

The FBI in Denver is asking all consumers to be cautious of opening communications from senders that would not normally send you e-mail or are not from the normal sender e-mail address.

This is the link to the original FBI Press Release:  http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign


Phishers Use Cyber Monday for Scams

November 29, 2011

Computerworld reports that cybercriminals are using phishing scams to rip off consumers during this holiday shopping season. The bad guys are spoofing legitimate messages from real companies in order to deceive consumers. The criminals are sending fake shipping confirmations, fake Groupon and Living Social offers and fake social traffic. A common scam is a fake email about problems with a transaction, such as a delivery problem, a canceled order or a direct deposit. Cloudmark has reproduced this example of a fake UPS email:

Computerworld quotes Cloudmark engineering director Angela Knox about details of the UPS-based phishing scam. This phishing scam lures recipients into either opening an attachment or clicking on a link to infect machines with malware.

“We’ve seen a number of variants in this campaign, some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’” said Knox in a blog post today.

The attached files are actually .zip archives that contain malware, said Knox, while the links lead to compromised or hacker-controlled websites that host attack code.

“With Cyber Monday kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive,” said Knox.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Xbox Live Phishing Scam — Microsoft Reimburses Ripped-off Users

November 25, 2011

The Guardian is reporting that Microsoft is giving refunds to Xbox Live subscribers who may have had their credit card information stolen in a phishing scam. The Guardian describes the scam in its November 22, 2011 edition:

Reports are proliferating of Xbox Live users checking the credit card and bank account statements which they use to pay their Xbox Live subscriptions, and discovering payments which they did not make, generally over a period of months, which were used to buy Microsoft Points (the service’s currency which enables users to purchase extra downloadable content, games and in-game objects) which were then cashed in to buy downloadable content from EA Sports – specifically Ultimate Team Packs for its games FIFA 12, Madden and NBA.

EU provides more details about the scam on its website.

You receive an email that appears to be from EA concerning an Ultimate Team promotion. You click on the link in the email, go to what appears to be the Ultimate Team login page, and enter your account name and password. Two days later you discover all the gold players you’ve worked so hard for have disappeared.

This is the fake website that is launched from the phishing email:

EU advised that the official EA website uses the following URL: http://www.ea.com/. Any other similar looking URL is not official and should not be clicked on.

As this image from the EA website shows, the differences between the scam website and the real website are extremely subtle.

This is a close-up of the URLs.
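The CNET advice above (unwind a link and compare it to the real Apple URLs) and the EA advice (only http://www.ea.com/ is official) both come down to one check: does the host the link actually resolves to belong to the official domain? The following is an added example, not code from Iconix, CNET or EA; the sample email text and the look-alike hosts in it are constructed for illustration. It extracts the real host from each link (ignoring scheme, port, path and any user@ prefix) and accepts it only if it is the official domain or a subdomain of it.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) links in plain text; trailing punctuation is stripped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_host(url: str) -> str:
    """Return the lowercase host a link really points at.

    urlsplit().hostname discards the scheme, any user:pass@ prefix and the
    port, so "http://www.ea.com@evil.example/" yields "evil.example".
    """
    if "://" not in url:
        url = "http://" + url          # bare "www.ea.com/x" would otherwise parse as a path
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")    # drop a trailing dot: "ea.com." == "ea.com"


def is_official_link(url: str, official_domain: str) -> bool:
    """True only if the host is the official domain or a subdomain of it.

    A suffix match on ".ea.com" rejects "www.ea.com.verify.example" (the
    official name used as a subdomain of the attacker's domain) and
    "ea-com.example" (a hyphenated look-alike).
    """
    host = link_host(url)
    official = official_domain.lower().lstrip(".")
    return bool(host) and (host == official or host.endswith("." + official))


def check_links(text: str, official_domain: str):
    """Return (link, real host, official?) for every link found in text."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)\"'")   # punctuation that followed the link in prose
        results.append((url, link_host(url), is_official_link(url, official_domain)))
    return results


# Constructed sample message (not a real phishing email); both hosts are made up.
SAMPLE_EMAIL = """Your Ultimate Team promotion is waiting!
Log in now: http://www.ea.com.account-verify.example/login
The real site for comparison: http://www.ea.com/
"""

if __name__ == "__main__":
    for url, host, ok in check_links(SAMPLE_EMAIL, "ea.com"):
        print(f"{'OK  ' if ok else 'FAKE'} {host:45} {url}")
```

The same check applies to the IRS post above: a link whose host is govdelivery.com or a subdomain of it passes for official_domain "govdelivery.com" but fails for "irs.gov", which is exactly why that email looked suspicious.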

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


SEC Issues Guidance on Cyber Risk Disclosure

October 19, 2011

On October 13, 2011, the United States Securities and Exchange Commission (SEC) issued formal guidance on how U.S. publicly traded companies should disclose cybersecurity risks and data exposure.  In the guidance, the SEC states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

Of course, Iconix is not in the business of giving legal advice and we suggest that anyone interested in this topic should read the SEC formal guidance and consult with their attorneys. We are in the business of providing technology that improves the integrity of email. For email correspondence with customers, we offer our Truemark service. For internal email correspondence, we offer our SP Guard solution.

For further information on our email solutions, contact us at 408-727-6342, ext 3 or use our online form.


Hotel Refund Email Scam

September 9, 2011

Sophos reports on a new email scam. In this scam, the bad guys are sending emails that claim to offer a refund for erroneous hotel billings. In order to claim the refund, you must open the attached zip file. The zip file contains malware which loads a Trojan Horse onto your system. This Trojan Horse can be used to take control of your computer, giving the bad guy the ability to steal your personal information or turn your machine into a spam zombie.

What can you do to protect yourself? You should use the latest version of a reputable security product and install all the security patches for your operating system and applications. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard, unless you have the right tool.

Know Who.  No Doubt.  Use eMail ID.


Iconix Goes Dutch

July 21, 2011

Maarten Oelering, an IT Consultant and Email Delivery Expert in Holland, noted in a tweet today that Marktplaats (NL) is now sending with DKIM and supporting the Iconix trust icon.  Marktplaats is a Dutch affiliate of eBay.

You can check out our Marktplaats experience at http://www.iconix.com/locale/nl/marktplaats/

