Saturday, April 14, 2007

Oprah's name spoofed in sweepstakes scam

At about the same time Oprah did a show on Internet scams, the Illinois Attorney General (Lisa Madigan) issued (another) alert about scammers using Oprah's name to instill trust in the garbage they send.

Although Oprah has run some sweepstakes recently, this one is a scam!

From Attorney General Madigan's press release:

According to Harpo Productions, Inc., which produces The Oprah Winfrey Show, several legitimate sweepstakes were held in the summer of 2006 through Oprah.com but all winners were previously notified. Harpo Productions, Inc. has not sent any letters in 2007 announcing additional winners for this sweepstakes. The sweepstakes letters being mailed to consumers have a check enclosed that is made payable to the letter recipient. The checks look real but are actually counterfeit. Consumers should disregard these letters and should not attempt to cash the checks.

The letters and checks are props in an especially devastating form of consumer fraud—conning check recipients into believing the checks are real, convincing recipients to deposit the checks into their banks, and even persuading the recipients to wire their own money to the con artists.

Full release, here.

Oprah covered this (and a lot of other scams) on her show yesterday, which can be seen on her site, here.

She also mentions this and another scam involving tickets to see her show on her site, here.

Tom Fragala (MyTruston) and I collaborated on a post about counterfeit checks being used in a variety of I-Scams a few months ago:

Counterfeit Cashier's Checks Fuel Internet Crime

Oprah's name is being used because of her immense popularity, which is a common theme in a lot of this activity. Popular brands, disasters and even government agencies are used in the same manner!

Friday, April 13, 2007

Symantec's Family Resource Web Site

Symantec has launched a new web page designed to educate children (and their parents) about how to avoid the (sometimes) murky waters of the Internet.

The goal of the page is to (in their own words):

Our goal is to help parents provide guidance to their children who are using the Internet. We want you to keep your children and your computer safe online, and help you make sure your children are good cybercitizens. With your direction and supervision, the Internet can be a positive, safe place for your child to research, learn, communicate, and socialize.

The page can be viewed, here.

Symantec has also hired someone to administer this effort (Marian), who writes columns to support the page.

You can even submit a question to her, here.

The page has links to other sites on this important subject, also:

iKeep Safe

Web Wise Kids

National Cyber Security Alliance

Taking the time to educate our children, as well as ourselves, on how to safely use the Internet is an important effort!

Thursday, April 12, 2007

Sage Predictions on the State of Cyber Crime from McAfee

According to McAfee, cyber crime is growing and as soon as the good guys (white hats) close one loophole, the bad guys (black hats) exploit another.

Unfortunately, technology grows faster than laws and security fixes. Criminals, who are becoming increasingly organized, realize this and exploit it frequently.

The report confirms predictions that exploiting VoIP and mobile devices will become more common.

Vishing will probably become more dangerous than phishing - it adds a more personal (voice) touch to tricking people into giving up their personal details. VoIP (cheap long distance) is one of the reasons for this. Since caller-id spoofing is easily available and legal, it makes sense that a lot of people are going to fall victim to vishing attacks.

Also covered is the growth in music and software piracy. Billions of dollars are being lost in both these areas - systems are now being sold with pirated software already installed on them.

To me, this shows how organized the activity is becoming!

The report also covers RFID technology (quickly becoming commonplace) and how easily it can be exploited. Despite warnings from a lot of concerned experts, we seem to be implementing this technology at a foolish pace (my emphasis).

McAfee deserves recognition for having the courage (there is a lot of money behind RFID technology) to point out the dangers behind this highly profitable, but dangerous (my emphasis), technology.

Enough ranting for the moment. I highly recommend reading the full report, which can be viewed, here.

Wednesday, April 11, 2007

Warning: if you don't open (and respond to) snail mail from American Express, they will sell your personal information!

I get snail (mostly junk) mail from credit issuers daily. Being concerned about identity theft and my personal privacy, I try to shred all of it. But am I doing the right thing? As you will see, some of them probably hope I never do.

Here is what happened to someone who is a lot more diligent than I am (he actually opens the mail). Christopher Null (ATT/Yahoo Tech blogger) got his most recent privacy notice from American Express, which informed him that if he didn't want all of his personal and financial information sold, he needed to opt out with them.

They gave him two methods to do so, snail mail and a 1-800 number. Chris selected the 1-800 number and here is what happened:

I call (800-297-8378 if you want to try it for yourself). I get a recording welcoming me to American Express and notifying me that the call could be recorded... then abruptly says: "The computer system needed to answer your questions is not available." And it hangs up.

Now I understand computers go down, but that was five days ago, and I'm still getting the recording. Will it ever come back online or is it all a scam? The paranoid side of me believes that there is no computer connected to this 800 number, and that it's designed to trick me into forgetting about the entire matter and being too lazy to fill out the paperwork so I'll remain opted in.

According to several comments on his post, the 1-800 number was down for quite a while.

He later (being the savvy tech guy he is) tried to go to their website to opt out and was only able to opt out from electronic, not snail, communication.

Very REVEALING post from Chris, here.

It is pretty scary that credit card companies require us to opt out, and if we don't, they sell our information to anyone and everyone. After all, selling information is highly profitable.

The Personal Finance Blog did a post about how much personal information is worth (retail-value), here.

The post is about a year old, and the prices might vary, depending on who is selling it.

I guess the finance industry has found a way to get around recent privacy concerns, and they do it under the guise of a privacy notice!

It's no wonder there is so much identity theft!

Tuesday, April 10, 2007

Blog exposes risk in reporting ID Theft

(Screenshot courtesy of the In Security Blog)

I'm surprised no one has called this one out before. John Sharp, author of the In Security Blog, writes:

Those of you who follow my blog know that I'm worried about the increasing sophistication of keyloggers. Which is why, when I went on the FTC site this morning, I was a little shocked to discover that the format of the FTC ID Theft Complaint Form presents a veritable gift to keyloggers.

Full post from the In Security Blog (great read), here. There are also some great tips on how to avoid becoming a crimeware victim in the press release on this from Authentium (John's company), here.

John's concerns are well founded. The Anti Phishing Working Group, which tracks phishing, malware and crimeware (normally keylogger variants), shows their use increasing monthly.

Keyloggers (once on a system) record keystrokes and send them back to the person who covertly placed the software on the system. Criminals often install (drop) these cybernasties using spam e-mails, which lure people to click on their links.

The information the criminals intend to log (steal) is personal and financial, which is then used to steal money.


(Chart courtesy of Websense and the APWG)


Sadly enough, keylogging software has so-called legitimate uses and can be legally purchased by anyone. One of the legitimate (so-called) uses is to spy on other people (invade their privacy).

Just about anyone can buy this wonderful technology right on the Internet, which can be seen, here. Perhaps if it wasn't so easily available, the problem wouldn't keep getting worse?

The FTC does a lot of good in their battle to fight identity theft. You can get a lot of good information about how not to become a victim by visiting their page on it, here.

Once a computer has been compromised with crimeware (keylogging software), anything entered on it can be logged (exposed). Even if the site you are sending the information to is "secure," your computer IS NOT!

The Internet is full of sites requesting your personal details. The bottom line is to make sure your system is secure, or if it IS NOT - avoid sending personal or financial details anywhere.

Monday, April 09, 2007

Fake e-mail claiming U.S. has attacked Iran contains Trojan

If you receive an e-mail saying that Iran has been toasted by a U.S. strike, be careful about clicking on the attachment. Doing so might toast your computer system.

John McDonald posted this information on the Symantec blog:

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time is in appealing to people's sense of fear as well as natural curiosity of a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".

More on this on the Symantec blog, here.

An unprotected computer might be turned into a zombie, which becomes part of a botnet (used to harass the rest of us with lots more spam) if one of these attachments is clicked on.

Spam is often used to facilitate financial crimes, such as identity theft.

It pays to be EXTREMELY careful before clicking on any (unknown) attachments received via e-mail.
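For mail administrators, the traits Symantec lists above (lure subject, blank body, .exe attachment) can be checked mechanically at the gateway. The following is an added example, not code from this blog or from Symantec; the function names, the reason labels and the two sample messages are constructed for illustration.

```python
import email
from email import policy

# Attachment names and subject fragments taken from the Symantec report quoted above.
REPORTED_NAMES = {"video.exe", "movie.exe", "click here.exe",
                  "clickme.exe", "readme.exe", "read more.exe"}
SUBJECT_MARKERS = ("world war iii", "missle strike", "missile strike", "iran war")

def assess(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message matches the reported lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").lower()
    if any(marker in subject for marker in SUBJECT_MARKERS):
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("blank-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in REPORTED_NAMES:
            reasons.append("reported-attachment:" + name)
        elif name.endswith(".exe"):
            reasons.append("exe-attachment:" + name)
    return reasons

def quarantine(raw: bytes) -> bool:
    """Hold any message with an .exe attachment; other signals only add context."""
    return any("attachment:" in reason for reason in assess(raw))

def build_sample(subject, body, filename):
    """Constructed test message (not a real sample); payload decodes to 'constructed'."""
    return (f"From: a@example.invalid\nTo: b@example.invalid\nSubject: {subject}\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            '--b1\nContent-Type: text/plain; charset="us-ascii"\n\n'
            f"{body}\n--b1\n"
            "Content-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{filename}"\n'
            "Content-Transfer-Encoding: base64\n\nY29uc3RydWN0ZWQ=\n--b1--\n").encode()

LURE = build_sample("USA Just Have Started World War III", "", "video.exe")
BENIGN = build_sample("Quarterly report", "See attached.", "report.pdf")

if __name__ == "__main__":
    print(assess(LURE), quarantine(LURE))
    print(assess(BENIGN), quarantine(BENIGN))
```

The subject and filename lists will go stale as the lures change, which is why the quarantine decision rests on the executable attachment alone.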

Are we being gouged with hot gas?

Gas prices seem to keep going up too frequently. According to ABC, buying gas could be even more expensive than what we see posted at the pump:

Consumers are feeling the pain at the pump, as gas prices have risen for nine straight weeks.

Now lawsuits around the country claim drivers are being ripped off in a gas gouge they can't even see.

There are at least nine lawsuits pending that claim some gas stations are padding their profits by selling warm gasoline.

According to the article, the cost impact of this might be:

An investigation by the Kansas City Star newspaper found that American drivers may overpay $2.3 billion a year, with drivers in warm states like California hit the hardest.

ABC News story, here.

Of course, the industry (petroleum) is disputing these statistics.

You can e-report suspected gas gouging to the DOE (Department of Energy) by linking, here.

DOE states that:

All complaints registered with the Department of Energy will be collated and transmitted to the Federal Trade Commission, U.S. Department of Justice and individual State Attorneys General for investigation and prosecution where appropriate.

Unfortunately, no one has ever been able to prove the oil companies were gouging consumers.

Still, the way they raise prices doesn't make a lot of sense to a layman like myself.

Meanwhile Reuters is reporting:

Occidental Petroleum's (OXY) chairman and chief executive took in more than $400 million in compensation last year, the company said in a filing, one of the biggest single-year payouts in U.S. corporate history.

Reuters story (courtesy of USA Today), here.