Rossander’s Security Reader

Westfield recently started receiving "alerts" about internet domain registrations from a company in Asia. This company claims to have received an application for internet domains that are close to Westfield’s main domain, westfieldinsurance.com, but carry different suffixes such as westfieldinsurance.net.cn, westfieldinsurance.hk or westfieldinsurance.asia. The email claims that the company "discovered" that the brand keyword matched our name and trademark and asks someone to contact them "before we finish the registration" for the other company.

On the Internet, the domain naming system treats every combination of domains as a unique destination. Owning example.com gives you no special rights to example.org. And while you may be able to make a case for trademark infringement, the domain naming system has a strong bias in favor of "first-come, first-served." If a domain name is important to your brand, you need to act to protect it.

If you’re not already monitoring internet domain registrations that are similar to your trademark and business, you really should start. There are several good monitoring services out there, some that will send daily alerts for free. Remember, however, that you can’t commandeer every possible variation of your domain – there are just too many possibilities. Get the domains that you think are most important and monitor the rest.

The message from the Asian company, however, is a scam. We have traced two different types of these messages so far. In the first case, it was a straightforward con for a credit card number. In the second case, it was an actual domain registrar using questionable tactics to generate business. In both cases, we investigated the company – a Google search on some keywords from the email will often return examples of others who have run into the same con – and decided not to respond to their phishing attempt.

If someone registers a domain name similar to yours, look at the domain registration. (There are several excellent lookup tools on the web. I tend to use whois.domaintools.com). If the other person registering the domain appears to be a legitimate business that just happens to have a similar name to yours, don’t worry too much about it. We regularly bump into the the Westfield Group that owns Westfield Shoppingtown Malls (an Australian firm). We also know about domains registered to a car repair shop on a Westfield Road in Indiana. There’s no connection and no evidence of fraud – and they got to the domain first. As long as they keep the domain out of the phishers’ hands, I can live with that. I also don’t worry too much about the domain resellers who buy the domain name then “park” it with some generic ads. (Here is an example.) As long as there’s no evidence of misuse and no obvious confusion with my brand, I’m willing to let most of those sit.

Last month, we wrote about scareware and hackers using fake update notices. In the past few days, we’ve seen a sudden increase in one of these attacks coming from one of the former Soviet republics. This group is exploiting a "DNS hole" to hijack visitors who are attempting to visit legitimate websites (such as a hotel in a common vacation destination like Hilton Head). The hacker redirects the victim to the hacker’s virus-infected website, then automatically loads a virus onto your computer. From what we’ve seen so far, this virus first disables your existing anti-virus program, then slows down your machine and finally starts to present you with a false warning that your computer is badly virus infected and needs to run AntiVirusXP2008 to clean it up (for only $50 which they want you to send to them in Russia). The warning message lists hundreds of "infected" files on your machine. Many of those files are, in fact, on your machine but are legitimate files needed by the operating system.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you’re going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer’s defenses every day but many of those updates can’t take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

A few months ago, we started seeing a new trend where the hacker seeds the internet with websites which will trigger a fake Microsoft alert. When you open the website, you also get a pop-up box which looks just like an authentic Windows pop-up and tells you that you need to update the software on your computer. The security guys are always saying that you should keep your computer fully patched so many people click the link, thinking that they are protecting their computer. According to Tad Heppner of McAfee Labs, clicking on the box prompts an executable window requesting users to install the updates but actually leads to "a true malware cocktail."

Spoofing of the Microsoft Malicious Software Removal Tool (MSRT) is particularly common but all the Microsoft updates have been spoofed in one form or another.

In one recent case, the spoof was triggered by infected ‘friend’ requests on MySpace. Users triggered the trap when they went to check on the profile of the person trying to befriend them. If you are a MySpace or Facebook user, beware of friend requests from people you don’t know and be cautious when surfing other people’s profiles.

If you get a request to update software on your work computer, ignore it unless you also received an email from your IT department explaining the update. If you receive the pop-up on your home computer, go to your Control Panel and look for the Security Center. Once there, initiate the check for updates yourself rather than trusting the pop-up. Never click a pop-up that shows up on your computer unexpectedly.

Phishers and hackers continue to get more creative and more sophisticated in their attacks. A recent trend is to write very specialized attack messages targeting rank-and-file employees. One example is a personal email that appears to come from the company’s HR manager. The message included the HR manager’s name (it was posted on the company’s website) and asked the employee to review a .pdf attachment to confirm vacation accruals. The attachment was a malicious trojan.

Luckily, many of these attacks are blocked by our anti-virus software but some will always get through. Be on the lookout for these kinds of scams. If you see a message that looks suspicious, do not open it, even if it appears to come from someone you know. If you’re unsure about the message, call the alleged sender and just ask if he/she really sent it.

If you run a business, make sure that your staff know about these scams, too. Make sure you set a culture of security where it’s safe for the employee to call you and confirm a message’s legitimacy. (If you’re the one writing the messages and you’re getting a lot of calls, check out "How not to look like a phish".)

There has been a recent resurgence of the so-called "phoner/toner" scams. They are popular because they are highly effective, very profitable and, while deeply unethical, not technically illegal (which makes them relatively safe scams from the criminal’s point of view).

In this scam, you will get a very friendly call from someone who knows your name (possibly because they called your number late last night just to see whose name came up on the voicemail) and who may even claim to be from your own IT department. After a minute of friendly chatter, he/she will ask for the number on the printer behind you, perhaps saying that "it’s part of our inventory of systems". The scammer is betting that most people today have a printer very close to their desks.

Several weeks later, you will receive an unsolicited replacement toner cartridge in the mail. You don’t remember ordering toner but who keeps track of things like that? And if you didn’t order it, one of your co-workers probably did. So you open the box and tuck the toner away for a rainy day.

Weeks after that, the scammer sends an invoice for five to ten times the market price for the toner cartridge. The scammer is counting on the fact that most finance departments will just pay small invoices and even if they don’t, they’ll forward the invoice to you for approval. You remember receiving the toner and, since most of us assume we are dealing with honest people, you are likely to approve the payment without checking the price. The great thing about this scam is that it’s not illegal to charge too much for a product. Under US law, it’s "buyer beware". If you agree to pay five times what something is worth, that’s between you and the seller.

If you don’t pay, expect a series of followups demanding payment. If you call about the invoice, the scammer will likely offer to play back a tape recording of your employee saying "yes" to a request for toner. The scammer likely did get your employee to say "yes" to something and then cut-and-pasted the sound clip in front of a different question.

If you get one of these scams, first refuse to answer the question. No one should be asking about your systems without cause – even something as seemingly innocuous as your printer models. Second, alert your Receiving folks to watch for toner or other office supplies coming from someone other than your regular supplier. If you can identify the shipment in time, refuse to accept delivery. Third, do not pay the scammer. Do not pay any return or restocking fees either. Under Federal Trade Commission rules, any unordered merchandise can be considered a gift. You didn’t order it. You have no obligation to give them money. (You might, however, want to have your legal counsel send the scammer a cease-and-desist letter. You should probably also double-check your state laws. Ohio gives even stronger protection and permission to consider the unordered package a gift.)