Saturday, March 29, 2008

Beware of "false warnings" from ISPs: a new kind of "phishing"

There is a new kind of “phishing” scam that readers should know about. This affects individuals who have hosting accounts and domains (where they own the domain name) on any number of larger hosting companies: Network Solutions, Yahoo!, Verio, etc. It’s possible that the scheme may focus on those who also have AOL mail.

An email arrives claiming that the target person’s account has had unusual activity and has been “locked down”. It uses a lot of industry jargon (POP) and is likely to talk about undeliverable emails. It gives a link to reactivate your account and a phone number, and claims to have called the account owner.

This appears to be another scheme to get personal information and credit cards. Furthermore, it may be an attempt to get access to the person’s hosting account and use it for illegal purposes, for which the person could be legally responsible. The email may have a link that still appears legitimate when pre-testing it with a cursor.

Although these sorts of emails claiming to be from banks and the IRS are well known and common, this is the first time I’ve seen spam emulating an ISP.

Anyone who owns a domain and uses a hosting account should first verify that the account really is locked. It’s advisable to check the functionality of the site and view the email queues, as well as bandwidth statistics (as with Urchin). It’s likely that the domain owner will not find any problems. In any case, the owner should not click on the link, but should call the ISP, which will probably direct the owner to forward the email to the abuse department for the ISP. The abuse department will be listed on the WHOIS entry for the account.

A possible theory, though speculative, is that an attacker could want to create hoaxes and "harass" an ISP or some of its subscribers, without doing "real harm". If so, such conduct, while petty, would probably still be a crime and prosecutable (at the federal level, in some cases as a felony) under the CAN-SPAM Act of 2003, for sending multiple emails with falsified headers that are commercial or appear to be commercial. A literal reading of the Act suggests that even a single such email can be cause for civil action, injunctive relief, and damages.

Here is the APWG "Phishing Activity Trends" report, here. About 1.5% of phishing incidents in Dec. 2007 involved ISPs as the marks. There have been recent problems with persons trying to get personal information from AOL subscribers, and these emails somehow get past AOL's spam filters; there was also a problem like this back in the 1990s when AOL was the most conspicuous ISP.

Thursday, March 20, 2008

Companies must increase their vigilance; so must home users (2 stories today)

Brian Krebs has an important story on p D3 Business of the March 20, 2008 Washington Post, “Firms Struggle Against Web Viruses: Security Companies Scramble to Combat Rise of Malicious Programs,” link here.

Krebs notes that around 1990, companies were dealing with a few new viruses a week, mostly spread by floppy diskettes (like the Michelangelo Virus or Jerusalem Virus). Sometimes security departments in companies would even give employees diskettes to take home to check for very specific viruses.

Now, Krebs writes, security companies like McAfee and Norton sift through 2000 new viruses an hour. It amazes me that the daily DAT update from McAfee can keep up with so much and encapsulate so much in the signature files, especially to check for heuristic and polymorphic viruses.

Virus writers have actually hired young programmers, luring them away from legitimate companies and pursuits. They actually do “QA.” And they are trying to make viruses harder to remove completely, at least for home users. Many of them are relatively symptom free and are more concerned with stealing personal information or setting up launchpads for attacks.

So far, even in 2008, it does not seem that home users have been pursued legally when their computers became “contagious”, but I’ve always wondered if there needs to be a legal and legislative initiative to deal with potential downstream liability problems. I remember a conversation about this in the Libertarian Party of Minnesota in the summer of 2000 with an AOL contractor in Minneapolis. I will probably address this on my Wordpress blog later.

Krebs has another important story today, “New Interagency Group to Oversee Cyberattack Defense,” link here. The interagency group may be headed by Rod Beckstrom (known for a “certified Wiki” platform) and be housed in the Homeland Security department.

Sunday, March 09, 2008

FTC pamphlet: guide for parent(s) on Internet safety

The Federal Trade Commission does have a leaflet “FTC Facts for Consumers: Social Networking Sites: A Parent’s Guide.”

Notice, first, that the word “parent” is singular. Anyway, the pamphlet does give some recommendations that deserve a response.

First, they are right, the Children’s Online Privacy Protection Act (COPPA) does regulate the collection of information about minors, and this has not been controversial.

The FTC recommends keeping the family computer (or at least any computer with kids’ access) in an open area. That sounds like the safest thing to do. However, the Internet can be a valuable aid to school work when used properly. (That says a lot: there are other issues that concern teachers, such as plagiarism.) If a student is mature enough and in advanced courses in high school, it seems like it ought to be all right to let him or her have more control of access. I’m reminded of a cereal commercial where a middle school kid is looking up Shakespeare on a computer on a family kitchen table and the kid says to his father, “You had it easy. I had to write a report.” And he had six weeks to do it. The father chuckles.

A more serious concern is the possibility of kids giving out personal information. The most obvious danger is on social networking profiles. Personal information could endanger other family members, too. Nevertheless, the risk is reduced if parents practice good home and auto security, and watch their own credit and financial affairs properly. The practical reality is that many parents don’t do this, and that many companies and financial institutions have been careless about verifying identities of people they make loans to. The FTC warns that kids can even give away personal information with unwisely constructed screen names.

Social networking sites allow profiles to be made private, and generally require that for kids under 16; teens should certainly start out with whitelisted profiles and a known audience, although even that sometimes leads to unwanted disclosure of private information.

Parents should definitely monitor the postings of kids, at least until they are mature enough. They should also monitor email. It takes a certain amount of judgment to learn to recognize spam, scams, and illegitimate communications. Even some parents do not know how to recognize these the way more experienced users do.

Of course, they should also regulate their kids’ use of chat rooms. We all know what some of the dangers are, given the recent sensational NBC Dateline series with Chris Hansen. (I won’t describe the details here.) There seems to be little legitimate reason for kids to own webcams and keep them near family computers, unless the family or kids are involved in making legitimate videos. (Yes, the Hotz family made appropriate use of home-generated video when the teen brothers made some informative films about how to unlock certain kinds of cell phones; look at this, Aug. 26.)

Larger ISP’s offer kids’ accounts, with the ability of parents to regulate what sites their kids can visit, at different ages and levels of intellectual and social maturity.

A whole generation has become accustomed to the potential for “instant fame” on the Internet, and this seems particularly attractive to teenagers and college students. Our culture has allowed and encouraged this, without requiring the training or maturity that normally goes with publication of things: understanding of copyright, trademark, libel, privacy invasion, and now the amorphous concepts of “implicit content” and “reputation defense.”

The pamphlet names a number of organizations and websites:

FTC’s own.

Internet Keep Safe Coalition

National Center for Missing and Exploited Children

National Crime Prevention Council

Center for Safe and Responsible Internet Use (blog).

I have some discussions of "reputation defense" on other blogs. A major discussion occurs here on the January 28, 2008 entry.

Thursday, March 06, 2008

So, what if you make a mistake? And more on the fake anti-virus

So, what if you’ve been fooled and clicked on something you shouldn’t have, and worry that your PC could be compromised?

Well, it depends. It’s a good idea to reboot once, and then run a full manual virus scan. Hopefully you have a major anti-virus vendor like McAfee or Norton, which will check for the latest updates before running the scan.

The other thing is to go to the website for your anti-virus vendor, and look up the name of the virus you’re concerned about. Normally there will be a list of symptoms, and a list of files that the virus would have deposited on your machine. With any sort of windows system, you can run a “search” for file names. Be careful that you pick a filename that really would identify the virus, as many applications use filenames with similar prefixes or letter combinations in their names.

With McAfee, the Security Center has a “SystemGuards” report that lists changes to your registry. You should check that if you use McAfee. I presume Norton has a similar report.

If all these tests are negative, everything is probably OK. I always wonder about the complicated instructions for virus removal. It would surprise me that a virus can run if even one critical component file is removed.

I recall one time in 2002 when my CD player on a Sony Vaio stopped working, that CompUSA said, it wouldn’t be covered by the Silver plan if it was caused by a virus. McAfee had always been negative. They ran a scan with Norton. Still negative. I was covered, and they replaced the drive.

More on the fake “antivirus”:

There’s more to report about the “xpantivirus epidemic.” To wit, on a couple of my blog entries, I’ve found comments that got past moderation. One of them simply said “Here!” with a link, another said “Attention!” In each case, if I ran my cursor over the link, a blogspot link appeared, but in each case, the link was phony and equated to an xpantivirus site to try to “scare” the visitor into buying the product. (It produces a Visual Basic style box on the task bar warning the visitor that the computer may be infected.) It does not appear that the incident harms the computer unless the visitor actually buys the product or runs the exe element. (Scans come up clean, no registry changes, no files loaded.) The name of the blog is likely to suggest food or beverages, but changes each time. It appears that the “comment” is changing (in “polymorphic fashion”) to get around Blogger security.
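The two tricks described in this post and in the ISP "false warning" post above, a link whose visible text or hover text looks like a legitimate site while the real href goes elsewhere, and a vague "Here!" comment link, can be spotted mechanically before anyone clicks. The following is an added example, not code from the blog or from Blogger, that parses an HTML email or comment body, pairs each anchor's href with its visible text, and flags mismatches. The sample body and all domain names in it are constructed placeholders, and the "registered domain" helper is a deliberate simplification (last two labels) rather than a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (placeholder domains) modelled on the scam described
# in the post: the visible text shows the hosting company's site, the href does not.
SAMPLE_HTML = """
<p>Your hosting account has been locked due to unusual POP activity.</p>
<p>Reactivate here: <a href="http://example-hosting.com.account-verify.example/login">
https://www.example-hosting.com/account</a></p>
<p>Support: <a href="https://www.example-hosting.com/support">https://www.example-hosting.com/support</a></p>
<p><a href="http://203.0.113.5/here">Here!</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified: keep the last two labels (a real check would use the public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Hostname-looking text inside the visible anchor text, with or without a scheme.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Link text that says nothing about the destination ("Here!", "Attention!").
VAGUE_TEXT = re.compile(r"^(?:click\s+)?here!?$|^attention!?$", re.I)


def check_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    host = urlparse(href).hostname or ""
    if IP_HOST.match(host):
        reasons.append("href host is a bare IP address")
    if VAGUE_TEXT.match(text):
        reasons.append("link text gives no indication of the destination")
    m = URL_IN_TEXT.search(text)
    if m:
        shown, actual = registered_domain(m.group(1)), registered_domain(host)
        if shown != actual:
            reasons.append(f"visible text shows {shown} but href goes to {actual}")
    return reasons


def find_deceptive_links(html):
    """Parse the body and return (href, text, reasons) for every flagged anchor."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The check never follows a link, so it is safe to run over a suspect message; it only compares what the reader would see against where the anchor actually points, which is exactly the discrepancy the cursor test in the post was trying to surface by hand.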

Xpantivirus is flagged as “Red” by McAfee Site Advisor.

In one case, I did get an email from the Blogger comment facility asking for approval. Inside the blogger framework, the comment had only the word “Here” leaving the impression (social engineering) that the format for these emails has changed. It has not. This is still part of the scheme. If you have a blog on blogspot and get an email like this, you should not click on the link, but merely Reject the comment.

A true blog on Blogger allows the visitor to “flag” the blog for review. But a “fake blog” set up with an address-record on a domain (like xpantivirus) may not allow this. I presume that Blogger is working on this security problem.

Blogger has also added the capacity to remove comments “permanently.” I don’t see any comments about the xpantivirus (or similar scams) issue at the Help center yet, but I expect that I will find some discussion there soon.

In the past, I’ve found comments like “I am on the way to the airport and I am glad to meet you” with spammy-like links. A few of these got posted without moderation.

It is possible that older blog entries will have a few of these comments, or that somehow a few will get past Blogger’s automatic content monitoring before I find them. I delete them when I find them, but there is no practical way to find all the older ones. If you want to advise me by email (my profile) by all means feel free to do so. By all means, do not click on links in comments that look like “spam,” that don’t seem to have any explanation, or that don’t seem to have any legitimate relationship to the subject matter of the blog. Experienced human-being “web surfers” and visitors to blogs know how to recognize these, but it is hard for a blog-hosting company to write scripts that can reliably identify all of them. Wikipedia has a useful reference on the "spam in blogs" problem here.

My "legislative tracking" Wordpress blog (hosted separately) has attracted spam comments, but so far the hosting company (Verio) has trapped all of them by marking them as spam.

I found another blog (not part of Blogger) that had discussed this problem on Feb. 28. Here is his link (“Blip tv”).

Personal Information:

As always, if you find that you did click on a phishing email for a financial institution where you have accounts, contact them immediately. Legitimate banks and brokerage companies do not send emails asking for personal information; and neither do Paypal, Ebay, or AOL.

Update: March 16

I've noticed that two of my blogs, the International and "disaster movies" blogs, did not have proper settings for comment moderation. That seems to be why a few "spam comments" got through recently. Apparently I overlooked it. I'll check the settings on the other ones.