What’s interesting about this case is that it’s a fairly blatant example of an attempt to turn your computer into a zombie using the ZeuS Command&Control attack. If I had been stupid enough to click the link, I would have launched an executable program that would log every keystroke that I make on the machine and that would grab a copy of every form I fill out online. Since that would include my online banking login page, it would have given the hacker access to all my banking information.

ZeuS is a moderately old Trojan Horse but it is remarkably difficult for anti-virus programs to detect, even when kept completely up-to-date. ZeuS is alleged to be one of the largest botnets in the world, infecting some 3.6 million computers in the US alone.

The continued success of attacks like this show why you can never rely only on your anti-virus software. Read your email carefully, be suspicious and never click a link if you’re not sure that it’s safe to do so. Remember – it’s not paranoia when they really are out to get you.

Unfortunately, the statistics still show that we do fall for these scams at an appalling rate. Ironically, this one will probably do better than average because it alleges to offer compensation for being the victim of a prior scam. Clearly, the scammers are thinking that if you fell for the earlier scam (and with a massive spam blast, they’re sure to get some), you might be emotionally vested enough to want revenge and won’t look at the details in this “offer”.

Never reply to a spammer. And please do everything you can to help teach your co-workers, family members and friends how to avoid these scams. If it sounds too good to be true, it is.

There were a lot of signs that it’s a phish – poor grammar, hidden link destinations and generally suspicious content. On the other hand, it’s from the government… I have to admit that even after reporting it as a scam, I kept wondering if the email was a legitimate but incredibly clumsy attempt to roll out new security software. Lord knows, the state could use some investments in this area.

As it turns out, the Department of Taxation confirmed that it’s a scam in an email sent out Monday. They also updated their website with an alert. Unfortunately, the legitimate message warning users about the phish got caught in my spam filter even though the original phish came through unhindered. I’m not sure what that proves except that Murphy is alive and well.

A couple of interesting aspects to this phish.

1. It was sent out on the Friday before Memorial Day. Either the scammers got lucky or they were deliberately trying to get an extra day or two exposure before the government’s security staff could find and react to the scam. I guess we need to add to our list of suspicious clues “any ‘alert’ email sent right before a major holiday”.
2. The list appears to have been targetted only to people who have accounts with the OBG portal. (I’m on the list because I submit taxes for the local bee club.) It’s possible that they hacked the site to get the list but my guess is that the spammers just used some public records law to make an open request. Be suspicious even – perhaps, especially – when you actually do have an account with the organization.

Remember, it’s not paranoia when they really are out to get you.

• They got my login name right. A generic greeting is a common sign that the alert itself is a fraud. This one’s legitimate.
• They clearly described the incident, told me what they’re doing about it and told me what I have to do (in this case, nothing).
• They gave a simple link to find out more. Even better, they told me how I can help and/or ask questions.
• They showed screen-shots of the scam. The one showing the fake URL is excellent. (Note the missing period between www and lijit. I might have called that out more explicitly but the image is great.)
• They did all that is less space than it took me to describe it. Not a bit of lawyerese in the whole thing.

I’m keeping this as an example in case my site gets phished.

email notice from Lijit about a phishing attack using their name

There are a few clues for you as a human reader to look for, however.

• The greeting line is generic – “Dear Employee” rather than “Dear Mike” or “Mr. Rossander”.
• The From address is an odd or at least a non-corporate address (redbran@galleryfifty4.com).
• The link is spoofed. That is, it appears to point to a legitimate careerbuilder.com page but when you float over the link (or right-click and look at properties), it is actually pointing to swc.com.ua/resume.pdf.
• The spoofed address is in the Ukraine (the .ua part of the address). Careerbuilder is an international company but to the best of my knowledge, they do not have any servers there. And none likely to be handling english-speaking matters.
• Do you even have an account with Careerbuilder? They are a legitimate company and I did have a resume on file with them once but several of my coworkers did not. The age since my last contact with the company was a clue for me – the complete lack of prior relationship a better clue for my coworkers.

Unfortunately, there is no guaranteed way to block these scams. The best we can do is delete them and move on with your day. In the meantime, remember that it’s not paranoia when they really are out to get you.

• An email with the subject, “Information and resources to help you travel during the Vancouver 2010 Winter Games. TravelSmart 2010.htm” includes legitimate links but contains hidden code embedded in the email which can be used to drop almost anything on the victim’s computer.
• An email with the subject, “How to make Olympics more interesting”. In this case, the attack is buried in an attached presentation file and will attempt to install other malware on your computer.

Based on the reports so far, these scams appear targetted at specific people (an attack mode known as spearphishing). The rest of us may or may not ever see them but they are highly dangerous to the few people that do get targetted. Here are some ways to stay safe:

1. Buy from legitimate sites. This includes your Olympic tickets. Scalpers are already showing a disdain for the law. What makes you think they’ll respect your computer privacy? There are legitimate online fan-to-fan sites for reselling tickets (one such is Vancouver2010.com) but you have to do your homework to be sure it’s a reputable site.
2. If it sounds too good to be true, it probably is. We’ve said this many times before but greed remains one of the hackers’ best weapons. Be suspicious.
3. Be especially suspicious of links in emails or IM messages. Look up the legitimate site on google or type the address into your browser yourself.
4. Never fill out forms in messages. Legitimate companies will never ask for personal, financial or password information through an email message.

Enjoy the games – safely.

At the same time, the quality of the scams is dramatically better than in years past. Fraudulent “advertising” sites look just like the real sites. They pepper their pages with trusted financial, TV and/or newspaper brands to give the impression of legitimacy. Some even include encryption to give a greater appearance of legitimacy.

There is also a new trend to use social media to find and con victims. Just because it looks like a blog, if the author is bragging about how much money they got and has a link to a “home business kit”, it’s still a scam. Beware of any offer that asks you for personal information up front.

MarkMonitor also reports a huge increase in suspicious domain registrations, especially domains including the keywords “foreclosure”, “mortgage”, “refinance” and “unemployed”. These keywords are being combined with legitimate company names or domains to create fraudulent clone sites. And while most phishes are still targetted against large companies, an ever-increasing number are exploiting the trust and brand of small businesses. (This is especially true if your legitimate site accepts payments over the web. Payment services frauds are up 285 percent over last year.)

Be on the the watch for scams. And help your customers watch, too. In this economy, you have a right to be a little bit paranoid about offers that look too good to be true.

To read more, download MarkMonitor’s whitepaper on “brandjacking” at markmonitor.com.

In particular, we are already an increase in phishing messages that reference the recipient’s holiday credit care spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional “your account has been frozen” scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or to conduct “quality control checks” on merchandise. In the first case, you become part of a money laundering operation, in the second, a fence. Either way, you’re like to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn’t need to be sending out random emails about it.

Interestingly, the old “Nigerian fraud” is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in the archived Tips on phishing. Have a safe New Year.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you’re particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any ‘free’ video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

You can read the full ODI press release at ohioinsurance.gov.

Insurance companies do sometimes ask for confidential information such as SSNs and birthdates in the normal course of business. However, it would be highly unusual for the insurance carrier to contact the customer directly or to do so other than in writing. If you receive a call that strikes you as suspicious, hang up and call the number printed on your last policy statement. If the call was legitimate, the customer service representative will be able to look up your account and confirm it.

Be very cautious about handing out your personal information to anyone you do not know well. Ohio customers who have already received one of these fraudulent calls, are asked to report it to the ODI at 1-800-686-1527.

Lastly, if you believe that you may have given up your confidential information to a fraudulent caller, you should check your credit report and consider putting a fraud alert on your account. For more on how to check your credit report, you can follow this link to the archive of tips on this topic.