Archive for the ‘Phishing’ Category

Online scams are up sharply since the start of the latest recession. According to MarkMonitor, phishes in Q1 2009 are up 36 percent over the same quarter of 2008. The current trend is toward mortgage refinancing traps and phony get-rich-quick investments.

At the same time, the quality of the scams is dramatically better than in years past. Fraudulent “advertising” sites look just like the real sites. They pepper their pages with trusted financial, TV and/or newspaper brands to give the impression of legitimacy. Some even include encryption to give a greater appearance of legitimacy.

There is also a new trend to use social media to find and con victims. Even if it looks like a blog, a page whose author brags about how much money they got and links to a “home business kit” is still a scam. Beware of any offer that asks you for personal information up front.

MarkMonitor also reports a huge increase in suspicious domain registrations, especially domains including the keywords “foreclosure”, “mortgage”, “refinance” and “unemployed”. These keywords are being combined with legitimate company names or domains to create fraudulent clone sites. And while most phishes are still targeted against large companies, an ever-increasing number are exploiting the trust and brand of small businesses. (This is especially true if your legitimate site accepts payments over the web. Payment services frauds are up 285 percent over last year.)
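A business can screen a feed of newly registered domains for the brand-plus-keyword pattern described above. The sketch below is an added example, not MarkMonitor's method or anything from the whitepaper; the brand `acmebank`, the sample feed and the function names are constructed for illustration.

```python
import re

# Keywords the MarkMonitor report singles out in suspicious registrations.
SCAM_KEYWORDS = ("foreclosure", "mortgage", "refinance", "unemployed")

def is_own(name, own_domains):
    """True for a domain we registered ourselves, or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in own_domains)

def classify(domain, brands, own_domains):
    """Return a finding when a foreign domain pairs our brand with a scam keyword."""
    name = domain.strip().lower().rstrip(".")
    if is_own(name, own_domains):
        return None
    # Drop dots and hyphens so "acme-bank" still matches the brand "acmebank".
    squashed = re.sub(r"[^a-z0-9]", "", name)
    brand_hits = [b for b in brands if b in squashed]
    keyword_hits = [k for k in SCAM_KEYWORDS if k in squashed]
    if brand_hits and keyword_hits:
        return {"domain": name, "brands": brand_hits, "keywords": keyword_hits}
    return None

def review_queue(domains, brands, own_domains):
    """Findings for manual review, in feed order. Substring matching over-reports
    for short brand names, so treat hits as leads, not verdicts."""
    findings = (classify(d, brands, own_domains) for d in domains)
    return [f for f in findings if f is not None]

# Constructed sample feed using reserved TLDs; none of these are real sites.
SAMPLE_FEED = [
    "acmebank.example",                     # our own site
    "refinance.acmebank.example",           # our own subdomain
    "Acmebank-Refinance.test",              # brand + keyword
    "acme-bank-foreclosure.example",        # brand split by a hyphen
    "acmebank.example.mortgage-help.test",  # our domain used as a prefix label
    "refinance-today.example",              # keyword only
    "acmebank-news.test",                   # brand only
]
BRANDS = ["acmebank"]          # assumed brand token
OWN = ["acmebank.example"]     # assumed legitimate registration

if __name__ == "__main__":
    for finding in review_queue(SAMPLE_FEED, BRANDS, OWN):
        print(finding["domain"], finding["keywords"])
```

The fifth sample entry shows why the ownership check compares the end of the name: a clone can place the genuine domain at the front of a hostname it controls.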

Be on the watch for scams. And help your customers watch, too. In this economy, you have a right to be a little bit paranoid about offers that look too good to be true.

To read more, download MarkMonitor’s whitepaper on “brandjacking” at markmonitor.com.

I trust everyone had a good holiday break and hope you have a good new year. With the way 2008 ended, many people are making plans for the future. Unfortunately, some of those planners include phishers and social engineers. And as I’m sure you’ve seen, they are getting more and more creative and professional in their scams. The days when you could delete a message just because it was poorly written are long gone. Today’s scams are targeted, well-written and spell-checked.

In particular, we are already seeing an increase in phishing messages that reference the recipient’s holiday credit card spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional “your account has been frozen” scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or for conducting “quality control checks” on merchandise. In the first case, you become part of a money laundering operation; in the second, a fence. Either way, you’re likely to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn’t need to be sending out random emails about it.

Interestingly, the old “Nigerian fraud” is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in the archived Tips on phishing. Have a safe New Year.

For the past year or so, we’ve seen a significant uptick in attempted scams and frauds around every holiday. Many of them trace back to the Storm Warn gang, a crime ring based out of Germany that sells hacker software. Their last big attack was on the Fourth of July and tricked many thousands of users into downloading the ‘storm-bot’ trojan by offering a fake video clip of “the largest fireworks” celebration in the nation. Victims found their computers hijacked as part of a bot-net or had keystroke loggers and other malicious software loaded onto their computers.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you’re particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any ‘free’ video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

The Ohio Department of Insurance has confirmed an on-going scam targeting insurance policyholders. According to the ODI, the scam is currently targeted primarily at auto policies. In this scam, the caller alleges that “there was a problem with your insurance payment” and asks for confidential information such as bank account numbers, birthdates, SSNs, etc. The call often includes a threat that “your coverage will lapse” if the customer does not comply.

You can read the full ODI press release at ohioinsurance.gov.

Insurance companies do sometimes ask for confidential information such as SSNs and birthdates in the normal course of business. However, it would be highly unusual for the insurance carrier to contact the customer directly or to do so other than in writing. If you receive a call that strikes you as suspicious, hang up and call the number printed on your last policy statement. If the call was legitimate, the customer service representative will be able to look up your account and confirm it.

Be very cautious about handing out your personal information to anyone you do not know well. Ohio customers who have already received one of these fraudulent calls are asked to report it to the ODI at 1-800-686-1527.

Lastly, if you believe that you may have given up your confidential information to a fraudulent caller, you should check your credit report and consider putting a fraud alert on your account. For more on how to check your credit report, you can follow this link to the archive of tips on this topic.

As the holidays get closer, many of us will turn to online shopping. Done right, online shopping is about as safe as catalog shopping – and much more convenient. If you don’t take basic precautions, though, you could lose your shirt. Take the time to learn about the kinds of scams and cons that are used online.

The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams. If you haven’t already been out to visit www.onguardonline.gov, I strongly recommend the site. It has some excellent overview material on security at the personal and small business level. The site also has a set of games covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam. Test your knowledge of internet security and safe shopping. It’s well worth the time to visit the site.

The site’s material comes from a number of public and private sources but is all released for public use. If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word. (Instructions are here.)

Addendum:
This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I’ve run across. I’ll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.