Friday, November 23, 2007

Consumers Union launches a holiday campaign against unsafe products!

Some might say that the global economy has ushered in an era of corporate irresponsibility. Daily, we discover that certain corporations are distributing goods that pose a clear and present danger to our safety.

Many of us are also wondering if certain politicians have let us down on this matter.

After all, how could only 15 inspectors be assigned to oversee 200 million containers of goods being shipped into the country every year?

Consumers Union, the nonprofit publisher of Consumer Reports, has launched a major campaign to let Congress know the public is sick and tired of corporate irresponsibility in the global economy.

With Black Friday and the holiday season upon us, they are focusing on dangerous products being passed on to our children with a campaign called "Not in My Cart."

You can see what this campaign is all about in a parody on the matter. To view the parody, click on the picture below:

Not in My Cart


The video also includes information on where to let Congress know how you feel about this.

To sum up what the parody is about, Consumers Union writes:

We hope you enjoyed our parody, but the truth is that our system for keeping food and products safe is in serious need of repair.

This year, more than 25 million toys have been recalled, many for dangerous lead paint.

80% of toys are made in China.

The agency responsible for the safety of more than 15,000 products has only 15 inspectors at ports nationwide.

The FDA inspects only about 1% of imported food.

With so few inspectors at the FDA, Consumers Union has made it a little easier to keep track of all the recalls, here.

The sheer number of them is enough to scare just about anyone!



Thursday, November 22, 2007

Symantec predicts a flood of spam this holiday season!


dejaking posted this picture of the 2005 Symantec Christmas Party on Flickr. I wonder if they will be singing the "12 days of Christmas Spam" at this year's party. The words for this song (written by some creative Symantec types) are at the bottom of this post!

With Black Friday upon us and Cyber Monday a few days away, spammers are preparing to flood the Internet with their attempts to commit fraud, phishing and financial misdeeds.

Spam is the vehicle used to spread the vast majority of scams on the Internet. From misleading advertising to outright criminal schemes, spam has become a threat to anyone who uses the Internet.

Just clicking on a spam link can download malicious software onto your system, and that software can steal your personal and financial details.

According to the National Retail Federation, 39 percent of us are going to do some shopping online. If gas prices continue to go up, we might see this number rise (my prediction).

If this occurs, it could be extremely lucrative for e-commerce merchants. Online sales are already predicted to reach $26 billion this season, up $5 billion from last year's figure of $21 billion, according to the Conference Board.

Spam is a big business with a negative impact on the economy. Ferris Research estimates the cost of spam has reached $100 billion a year worldwide, $35 billion of it in the United States.

According to Symantec, a leading computer security company that monitors 450 million inboxes for spam, 71 percent of the e-mail sent out is spam.

This is up from 59 percent of the e-mail sent out a year ago.

Symantec is also predicting the top lures spammers will be using to trap people in their web-of-deceit:

1. Laptops

2. Replica watches (historically the most popular online holiday buy, according to NRF)

3. Business cards (even Santa doesn’t leave home without them, at least that’s the case in the spam sample going around)

4. Male enhancement drugs (always a popular sale during the holidays)

5. MP3 Players

6. Discount software (who wants to pay hundreds of dollars for that new Office suite for your new PC, when you can get it for $25?)

7. Free cellphones

8. Handheld video games

9. Weight loss solutions (playing right into the pending New Year’s resolutions of shedding those added holiday pounds)

10. Gift cards (from every imaginable large retailer and up to $500)

Here are Symantec's recommended best practices to can holiday spam:

1. Protect your desktop with an up-to-date antivirus, firewall, and spam filter.

2. Do not click on, or reply to, any email that appears to be spam. Doing so could alert the spammer(s) that the user is replying from a legitimate email address (therefore, the spammer would find it worth the time to send more spam in the direction of that Inbox).

3. Never click on any link in a suspicious email. If it is felt that the sender is legitimate, contact the sender directly (not by email) to ensure the email message is also legitimate.

I would also add: make sure you only shop on legitimate websites that can be verified. One way to check whether a site is legitimate is to use TrustWatch, which uses a color-coded system to show whether or not a site has been verified.

There are a lot of fake websites out there, and they often look real. While there is no way to be 100 percent sure, because even legitimate sites are sometimes hacked, it pays to be cautious.

Get Safe Online has a page on their site, which gives more detail on how to spot fake websites, here.

To end on a lighter note, the folks at Symantec seem to have changed the words to the 12 days of Christmas:

12 Days of Christmas Spam

On the first day of Christmas,
a spammer offered me
A brand new shiny PC

On the second day of Christmas,
a spammer offered me
A Rolex watch,
And a brand new shiny PC

On the third day of Christmas,
a spammer offered me
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fourth day of Christmas,
a spammer offered me
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fifth day of Christmas,
a spammer offered me
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the sixth day of Christmas,
a spammer offered me
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the seventh day of Christmas,
a spammer offered me
Super chee – eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eighth day of Christmas,
a spammer offered me
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the ninth day of Christmas,
a spammer offered me
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the tenth day of Christmas,
a spammer offered me
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eleventh day of Christmas,
a spammer offered me
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the twelfth day of Christmas,
a spammer offered me
$500 gift cards,
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

Gift card due diligence 101

By most estimates, the buying public spent approximately $100 billion on gift cards last year. Because of their popularity, gift cards are also used to commit fraud fairly frequently.

Retail criminals use fraudulent credit cards, debit cards and checks to buy large amounts of gift cards. Since a lot of sites exist where anyone can sell these cards, criminals can turn them into cash fairly easily.

Shortly after the much-talked-about TJX data breach, in which 90 million personal and financial records were compromised, a group was caught in Florida buying $8 million in gift cards using credit card numbers stolen in the breach.

In another method, cards are picked up off a display and taken to a more private location in the store. The card numbers and PINs are then recorded, either with a portable card skimmer or by hand. The thieves then simply call in to check the balance of a particular card and use it as soon as they discover it has been activated.

I've seen articles on this that recommend buying cards from behind a counter. While this may be safer, we have to remember that most retailers have a problem with dishonest employees, and the problem is more prevalent during the holiday season, when retailers hire a lot of temporary help.

It wouldn't be too far-fetched for a dishonest employee to skim the details of these cards and drain them once they are activated.

There have also been reports of employees stealing credit card numbers and then using them to activate gift cards.

A couple days ago, TwinCities.com did a story about a Target employee stealing $19,500 in gift cards.

Since gift cards can also be purchased on the Internet, stolen payment card data is used to buy them on websites, too.

I would be extremely wary of buying any gift card on an auction or gift card resale site. These sites rarely offer much protection to the people using them. If you prefer shopping on the Internet, it is a lot safer to buy from the site of the retailer that issues the cards.

Simply stated, a gift card purchased on a third-party website might not work, might not have the advertised value, or you might never receive what you bought.

I'm not saying not to buy gift cards. Being a lazy shopper, I buy them myself. Saying that, here are some tips to make sure you are getting what you pay for:

Make sure you buy them from a reputable retailer.

Keep your receipt and if possible, use a credit card to purchase them. Credit cards offer a little extra protection if there is a problem.

Inspect any card you buy for signs that it has been tampered with. If the card is in a cardboard holder, remove it and inspect it; the PIN should be covered by a scratch-off coating that is still intact.

Please note that if you work at a retailer, be wary of people returning gift cards. A stolen blank card is often swapped in for the card that was actually activated.


I haven't seen anything come out about gift card fraud from the National Retail Federation (NRF) this year yet, but here is an interesting press release they issued on the matter last year.

Wednesday, November 21, 2007

Too good to be true employment opportunities

Patrick Jordan (Sunbelt blog) did a nice post about a huge problem that frequently occurs on the dark-side of the Internet.

The problem I'm referring to is people being recruited (some might say duped) to assume the risk involved in collecting the proceeds of Internet crime.

With all the fraud occurring on auction and e-commerce sites, criminals need a way to move the money they are stealing. This activity is often referred to as money laundering.

They accomplish this with money transfer scams, which are sometimes referred to as job scams.

These scams are nothing more than a way to trick people into negotiating bogus financial instruments or laundering the proceeds of auction fraud.

We've all probably seen a spam e-mail or two (I get several daily) with job offers that seem a little too good to be true. Most of these "jobs" seek a financial representative to handle payments for a foreign company. In reality, the person is moving stolen money overseas, where it disappears into thin air.

Besides being offered in spam e-mails, people are also recruited off job sites and sometimes even from the classified sections of newspapers and magazines.

A sister scam to the money transfer scam is the reshipping scam. The difference is that in this "job" a person reships hot merchandise (normally from auction sites) to their bosses.

In most of these scams, they prefer you use Western Union or MoneyGram to send them their money. Once the money is picked up, any effort to recover it will most likely be useless. Please note that many e-cash services are used, also.

While these jobs might have fancy titles, a lot of people refer to someone doing this as a "mule."


(courtesy of mattcoz at Flickr)

In Patrick's post, he reveals another twist to this activity: websites set up to make these jobs appear legitimate.

Here is a screen shot (courtesy of the Sunbelt blog) of the site Patrick discovered:



He also lists some other sites to avoid from the same IP in his post, which can be seen, here.

Most of these scams are pretty easy to discover because they are offering too much money for too little work.

These job offers are nothing more than a way for criminals to get other people to take all the risk, while they reap the rewards of their illegal efforts!

Besides facing almost certain financial ruin, some of these employees are ending up living in new digs:

Tuesday, November 20, 2007

DOJ is the latest badge of authority phishermen are using to net victims


This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note, in this instance, I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do this with any picture from a website.

Websense deserves credit for discovering a Trojan downloader disguised as an e-mail from the Department of Justice (DOJ). Opening the attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam, or even worse, used to steal information stored on your computer.

This might turn you into an identity theft statistic, depending what personal and financial information you store on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.

In the e-mail Websense used as an example, the message refers to a specific company. This means the attack is possibly directly targeting people associated with that company. This type of targeted attack is now being referred to as spear phishing.
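Note that Websense's alert says none of the major anti-virus vendors detected the .scr at the time. A mail gateway does not have to wait for signatures: it can refuse any attachment that Windows would run on a double-click (a .scr screen saver is just an .exe with a different extension), check the file's first bytes for an executable header so a renamed file is still caught, and compare the hash against indicators already published. The following is an added example written for this post, not Websense's or DOJ's code. The only hash on its watchlist is the MD5 quoted in the alert above; the two sample messages, the sender address and the attachment bytes are constructed for the demo.

```python
"""Flag e-mail attachments that are executables or match known-bad hashes.

Added example for this post (not Websense or DOJ code). Parses an RFC 822
message, lists its attachments and flags any that (a) carry an extension
Windows executes on double-click, (b) start with the "MZ" header every Windows
executable has, or (c) match an MD5 on the watchlist. The watchlist holds the
one MD5 quoted in the Websense alert; the sample messages are constructed.
"""
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions Windows will run on double-click regardless of icon or filename.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# MD5 of the .scr downloader as reported in the Websense alert quoted above.
KNOWN_BAD_MD5 = {"aeb784bc17c4c7e6edc5f1faaa9ed24f"}


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_message(raw: bytes, bad_hashes=KNOWN_BAD_MD5) -> list:
    """Return one finding per attachment: name, md5 and the reasons it was flagged."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        digest = md5_of(payload)
        reasons = []
        # Use the *last* extension: "complaint.pdf.scr" is still a .scr.
        pieces = name.lower().rsplit(".", 1)
        if len(pieces) == 2 and "." + pieces[1] in EXECUTABLE_EXTENSIONS:
            reasons.append("executable-extension")
        # Content check catches an executable renamed to look like a document.
        if payload[:2] == b"MZ":
            reasons.append("pe-header")
        if digest in bad_hashes:
            reasons.append("known-bad-md5")
        findings.append({"name": name, "md5": digest, "reasons": reasons})
    return findings


def is_suspicious(raw: bytes, bad_hashes=KNOWN_BAD_MD5) -> bool:
    return any(f["reasons"] for f in scan_message(raw, bad_hashes))


def build_sample(filename: str, content: bytes, mimetype: str) -> bytes:
    """Constructed message in the style of the DOJ lure; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "complaints@usdoj.gov"  # spoofed sender, as described in the alert
    msg["To"] = "someone@example-company.com"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A copy of the original complaint is attached.")
    maintype, subtype = mimetype.split("/", 1)
    msg.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# "MZ" is the DOS header every Windows executable starts with; the rest is filler.
LURE = build_sample("complaint.pdf.scr", b"MZ" + b"\x00" * 64, "application/octet-stream")
BENIGN = build_sample("complaint.pdf", b"%PDF-1.4 constructed sample", "application/pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        for f in scan_message(raw):
            print(label, f["name"], f["md5"], f["reasons"] or "clean")
```

The hash check only catches the exact file Websense saw; the spammers can recompile and get a new MD5 for free, which is why the extension and header checks carry the real weight here. Also note the "From" line is trusted nowhere in this code: a spoofed usdoj.gov sender costs the attacker nothing and proves nothing.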

Spoofing (impersonating) government agencies is nothing new. The phishermen use the badge of authority these agencies' names invoke to trick people into opening the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Revenue Service), the BBB (Better Business Bureau) and many others have had their badges of authority used to lure victims into the phishermen's web.

I was unable to find a recent press release on this directly from DOJ; however, a press release on a similar attack using DOJ's name was issued in June.

In it they make the point that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

Sunday, November 18, 2007

One Bot herder facing 60 years is a small dent in the overall problem!


(Screen shot of botnets for rent courtesy of the Mind Streams of Information Security Knowledge blog)

While John Schiefer, a.k.a. "acid" and "acidstorm," is facing 60 years in prison and $1.75 million in fines for operating a botnet, the problem isn't likely to disappear anytime soon.

Schiefer was part of a hacker group known as Defonic, which gained a lot of notoriety for hacking Paris Hilton's cell phone and breaking into Lexis Nexis. Lexis Nexis is an information broker used by a lot of investigative and collection types to find the people they are looking for.

Besides Paris, Defonic seemed to have a penchant for celebrity information, a lot of which they gathered by hacking Lexis Nexis, according to Brian Krebs of the Washington Post.

While I knew this already, I ran into a very interesting blog post written by Dancho Danchev that illustrates the problem botnets have become worldwide.

In his own words, Dancho describes how botnets can be bought, or rented fairly cheaply by spammers, phishermen and corporate spies, alike:

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple access to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

The bottom line is that although Mr. Schiefer and some of his friends have been taken down, there are a lot of hackers ready to fill the small void he may have left in the botnet market.

Very INTERESTING read from Dancho on his blog, "Mind Streams of Information Security Knowledge," here.

A lot was written about John Schiefer when he pled guilty. Brian Krebs of the Washington Post deserves a "hat-tip" for giving everyone a lot of insight about Mr. Schiefer's previous dealings.

The post, he wrote about this in his blog, Security Fix can be read, here.

The best way to avoid having your computer become a zombie (botnet member) is to avoid clicking on links in spam e-mail, or downloading additional software that is offered to you after visiting a questionable website.

Most of the time, social engineering (trickery) is used to get a human being to put the malicious software on their own system.

Of course, making sure your system is protected by reputable, up-to-date security software is recommended, also.