Social malware and cunning tricks

Malware writers are moving on to social media apps to harvest addresses and personal information.

Last week an interesting media release from anti-virus company Bitdefender appeared in the inbox describing a tricky little scam that promises to change Facebook page colours but actually grabs a user’s information to set up fake blogs associated with the victim’s email address.

Those fake blogs in turn link to a work-from-home scam, a type that is becoming depressingly common online. No doubt the malware authors have some sort of interest in that scheme.

What makes this malware interesting is how it brings together a range of opportunities for the malware writer – social media, apps, data aggregation, identity spoofing and the Ponzi affiliate schemes that are prevalent as people try to find new ways to supplement their income.

Many people say “I’d never get caught by these scams” but the reality is the scammers are rat-cunning, if not clever. Assuming you’re immune to these because you’re too smart, or you use a Mac or there’s nothing of value on your computer is a risk in itself.

Here’s the media release from Bitdefender.

Google Chrome App grabs identities, forges blogs in victims’ name to promote scam

Bitdefender catches Facebook colour scam with both hands in cookie jar

SYDNEY/AUCKLAND November 19, 2012 – A Google Chrome app that promises to change the colour of Facebook accounts instead nabs authentication cookies and generates dozens of blogs registered to the victims’ Gmail address, in a new scam analysed by Bitdefender, the leading global antivirus company.

Once the malicious app is installed from Google’s Chrome Web Store, it starts displaying a large Google Ads banner redirecting users to a “work from home scam.” When clicking the sign-up link, users are redirected to a fraudulent website.

“Scammers gave a new twist to the old change-your-Facebook-colour scheme that’s been luring users to fraudulent websites to grab credentials and other sensitive data,” says Chief Security Strategist, Catalin Cosoi. “By creating dozens of blogs for a single account, the scam spreads like wildfire among Facebook friends.”

The blogs generated under the email address of the victims, which are used in further disseminating the scam, have registered a large number of hits among users in the US, the UK, Germany, Spain, Romania, and other countries.

The app can also post wall messages on the victims’ account. The messages use friend tagging to convince the victim’s friends to visit the blog domains. Each time the app posts on a user’s timeline, it links to one of the auto-generated blogs so as to avoid blacklisting.

Bitdefender encourages users to use an antivirus solution and the free application Safego, which protects Facebook and Twitter accounts from scams, spam, malware and private data exposure.


Malware’s third party path

How to take care in a changing world of cybercrime.

One of the few constants with computer security is that threats are constantly evolving.

Malware – malicious software like computer viruses, worms or Trojan horses – is the most common security threat ordinary home or business technology users will encounter on their PC, laptop or smartphone.

During the big computer virus epidemic of the early 2000s the main targets were Windows 98 or XP machines running Internet Explorer, as these were so easy to infect.

Today, it’s harder to infect Windows systems and the malware writers have become more sophisticated in the tools and methods they use to catch victims.

Right now, we’re seeing the malware writers focusing on weaknesses in third party software such as Java, Flash and Microsoft Office.

Mac users have been affected by the Flashback worm which used flaws in the Java computer program and now Adobe have released an emergency update to their Flash application to fill a security hole that could affect all operating systems.

Along with being more sophisticated in their methods, today’s malware writers are also more organised with real criminal objectives as opposed to the earlier generations that were derided as “script kiddies”.

So there are real risks in not taking basic steps to protect your computer system.

Have the latest updates

When your system asks you if you want to install updates, do so. Both Macs and PCs have an automatic update function which you should enable and pay attention to.

Individual software packages like Java, Flash and Microsoft Office have their own update reminders which you should also pay attention to.

Sometimes, though, the malware writers distribute fake updates to fool people into installing their software, so if you are suspicious about an update, check online to see if you have the latest version.

Run computers in Restricted User mode

One of the big weaknesses for all systems is there is a tendency to run as an Administrator. In older Windows systems this gives almost complete control over the system and can still create problems in newer systems as well as with Mac or Linux systems.

Every user should run as a Restricted User, and this can be set up in the Windows Control Panel or Mac Preferences.

Have an antivirus

While the antivirus industry loves flogging overpriced and overfeatured software that generally slows your computer down as much as it protects the system, it’s still worthwhile having.

For Windows users, the free Microsoft Security Essentials is fine for most users. For Mac users, the free ClamAV or Sophos Anti-Virus for Mac are good choices.

Use a third party browser

Generally using the built in web browsers – Internet Explorer in Windows and Safari on the Mac – tends to amplify security risks. So use a third party browser like Firefox, Google Chrome or Opera.

Be careful

Malware writers, like all crooks and conmen, try to exploit human weaknesses so their tricks often appeal to our greed, fear or lust.

Try to avoid websites offering pirated software, movies, music or pornography and never click on emails or pop up adverts that claim you’ve won the lottery or been infected with a virus.

Cybercrime is real and growing, although we should keep the threat in perspective and not fall for the hysterical headlines we often see in the media.

The risks are going to continue to evolve as the crooks move onto trying to exploit weaknesses in smartphones, social media platforms and cloud computing services.

Despite this, most people won’t be affected by malware or other computer crime by being careful. Just don’t count on being lucky.


Scammed

Social media opens up new opportunities for conmen

“Executive-level income without leaving home” claims the Facebook page, a sign at the end of my street promises a six figure wage from your own computer and one of the lead stories in this morning’s news is the tale of retirees being ripped off by ‘boiler rooms’ offering high return ‘investments’.

We all believe we have the right to be rich so the quick, easy option and the promises of those that say we can be wealthy by simply handing over a modest amount of money or trusting our investments to someone else is a tempting offer.

Deep down we know we’re being scammed.

Right now nations are on the verge of collapse because politicians promised easy wealth, corporations skirt bankruptcy because executives were entitled to bonuses regardless of performance and in the suburbs desperate people clinging to the middle class lifestyle they believed was theirs by birthright fall for get rich quick scams.

Just as the railways opened up opportunities for snake oil merchants in the 1850s and cheap telephone systems gave rise to the boiler room ripoffs of the 1970s and 80s, social media tools open up a whole new range of possibilities for the sneaky to fool the gullible or desperate.

Naturally we’ll get the nanny goats and nincompoops demanding something be done about Internet scams – maybe a law, perhaps a treaty or a code of conduct – all of which will be as effective as stopping railways, telephones or the postal system in an effort to stamp out fraud.

Fraud is technologically neutral; fraudsters just use whatever happens to be the most effective tools available at the time.

The sad thing with the social media based scams is we get to see who among our friends and family have fallen for it. Invariably when we warn them we’re told off because we aren’t believers.

Again though this is nothing new, the same thing happened when the snake oil merchant came to town or the shaman visited the village.

In the 19th Century the phrase “there’s a sucker born every minute” was coined. In today’s hyper connected world, there’s one born every second. Don’t be that sucker.


Scam 2.0

We’re about to see a new wave of business scams

Invoice scams are as old as business itself, no doubt opportunistic cavemen tried to scam other hunters over made up debts and Phoenician traders had to deal with suppliers claiming they’d delivered an extra few hundred Shekels of chickpeas.

Today we see these scams in all forms – imaginary invoices for web registrations, directory inclusions and local listings are just a few we’ve seen. As the web evolves, we’re seeing a new breed of tricks developing.

Online scams can range from things like letters from deposed African presidents promising riches through to aggressive sales folk promising services they can’t deliver. The latter are part of the new breed.

In 2009 Oakland’s East Bay Express alleged the review site Yelp’s sales teams were threatening business with bad reviews if they didn’t pay an advertiser fee. Four years later businesses are claiming this is still happening.

Regardless of the truth of these allegations with Yelp, these distasteful sales tactics from online companies are becoming more widespread.

As social media services’ investors start demanding revenue to back their businesses and group buying sites reach the limits of their growth, the sales teams of these organisations are desperately trying to find new ways to meet higher targets.

Small and local businesses are the obvious targets of the sales teams, as the web 2.0 business model has trained consumers into expecting not to pay for online services.

Recently a fitness trainer told me how she was hounded into placing a group buying deal with one of the bigger sites; they convinced her that she should offer an 85% discount with the service taking the remaining 15%.

She provided the service for free.

Naturally the 85% off deal was successful, she was rushed off her feet and found herself working for nothing over the next month. Even had the cheap offer resulted in all the customers coming back, it would have taken her a year to recover her losses.

Clearly she should have known better and investigated how group buying sites work and the strategies for using them effectively, but she was subject to high pressure sales techniques that took advantage of her ignorance.

Many online businesses have been giving services away for free as they try to exploit the Silicon Valley greater fool business model. When the venture capital funds dry up they have to find new ways of paying for their trendy offices with foosball tables and free organic staff meals.

This means more cold calls to business owners promising “marketing opportunities”, “getting to the top of Google” and “getting positive online reviews”.

Over time these sales calls will morph into fake negative reviews and bills for imaginary services rendered as these businesses attract desperate and unscrupulous operators.

For businesses, this means it’s a time to be on guard by making sure any invoices received are properly checked before they are paid and any sales person’s claims are thoroughly checked out before you agree to go ahead with a service.

If you hear of dodgy dealing like what Yelp has been accused of, then try to get the promises in writing and complain to your state’s fair trading department or complain to business agencies. In Australia, the ACCC is the first point of call.


Too good to be true

The same old scams catch us all

As regular as the Olympic Games are, so too are the ticket scams. Every four years we see a ‘scandal’ of vendors, these days online, offering cheap or difficult to get tickets. This year’s London Olympics are no different.

The bait used by these scammers is the almost impossible to get tickets; the frenzy to get along to the opening ceremony or top days sucks dozens, sometimes hundreds, of enthusiastic punters into losing money.

It’s not just Olympic tickets, with the ease of setting up websites scammers can be online quickly with a credible, professional looking site and new services, like group buying and ‘penny auctions’ also offer great opportunities for the enthusiastic spammer.

While it’s sometimes difficult to spot the scams, there are some signs that can reduce the risk of your being caught out.

Check the site

How long has the domain been registered? You can quickly check the details by running a whois search, a kind of online registration check.

For .com sites, the authoritative Whois site is Network Solutions while for .co.uk sites (a likely candidate for London Olympic ticketing sites) it is Nominet. Each country has its own registration list and in Australia, for .com.au it is AuDA who run the My Web Name site.

A recently registered, or long standing, name doesn’t in itself indicate whether a site is a scam or not, but it is a good start.
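As an added example (not part of the original post), the registration-age check can be scripted against the text a whois lookup returns. The sample replies below are constructed, the function names and the 180-day threshold are assumptions, and registries that publish no creation date are reported as "unknown" rather than guessed at.

```python
import re
from datetime import datetime, timezone

# Registries label the registration date differently; these two patterns
# cover the constructed samples below (a .com-style and a .co.uk-style reply).
_PATTERNS = [
    (re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M), "iso"),
    (re.compile(r"^\s*Registered on:\s*(\d{2}-[A-Za-z]{3}-\d{4})", re.I | re.M), "dmy"),
]

def creation_date(whois_text):
    """Return the registration date as a UTC datetime, or None if absent."""
    for pattern, kind in _PATTERNS:
        match = pattern.search(whois_text)
        if not match:
            continue
        raw = match.group(1)
        try:
            if kind == "iso":
                parsed = datetime.strptime(raw[:10], "%Y-%m-%d")
            else:
                parsed = datetime.strptime(raw, "%d-%b-%Y")
        except ValueError:
            continue  # malformed field: try the next pattern
        return parsed.replace(tzinfo=timezone.utc)
    return None

def assess(whois_text, now, young_days=180):
    """Label a domain 'recent', 'established' or 'unknown' by its age in days."""
    created = creation_date(whois_text)
    if created is None:
        return ("unknown", None)
    age = (now - created).days
    return ("recent" if age < young_days else "established", age)

# Constructed sample replies, not real registry output.
SAMPLE_COM = """Domain Name: EXAMPLE-TICKETS.COM
Creation Date: 2012-06-30T09:15:00Z
Registry Expiry Date: 2013-06-30T09:15:00Z
"""
SAMPLE_UK = """    Domain name:
        example-tickets.co.uk
    Relevant dates:
        Registered on: 14-Mar-2004
        Expiry date:  14-Mar-2014
"""
SAMPLE_NO_DATE = """Domain Name: example-tickets.com.au
Last Modified: 02-Jul-2012 03:12:44 UTC
"""
NOW = datetime(2012, 7, 20, tzinfo=timezone.utc)  # fixed date for a repeatable run

if __name__ == "__main__":
    for name, text in [("com", SAMPLE_COM), ("uk", SAMPLE_UK), ("au", SAMPLE_NO_DATE)]:
        print(name, assess(text, NOW))
```

A "recent" result is only a prompt to do the other checks in this list, since the age of a name does not settle the question either way.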

What are the contact details?

A reputable site that wants your money should have a phone number and street address. A site that doesn’t have these is a warning sign.

Do a web search

The web is your friend. Use your favourite search engine (for most people this is Google) to search the business’ name. This can show if there have been complaints about the site.

Make sure you do a full name search, for instance if you are searching for Joe’s cutprice tickets put the name inside inverted commas such as “Joe’s cutprice tickets”.

Also do a search on the business address; if a company operates from the same location as dozens of others then it’s almost certainly operating from a serviced office.

While there’s nothing wrong with a business operating from a serviced office, if a company is claiming to be a large reputable multinational then it’s probably telling porkies.

Use a disposable password

If the site asks you to create an account or a password, use something different to your regular banking or other important passwords.

Some of these scammers are actually harvesting login details for online scams so don’t use the same password as your email or social media account as you may find your account hijacked.

Don’t use social media logins

Account hijacking is becoming prevalent on social media sites. The scammers get access to a victim’s Facebook or Twitter account and then contact all the victim’s friends posing as the victim. This is particularly effective for getting more people trapped in the scam.

Increasingly we’re seeing sites using social media logins, that is offering to use your Facebook account rather than a user name or password as a convenient way of signing up. These almost always give the site permission to post on your behalf and you should not do this unless you are totally confident in the site.

Pay by credit card

Even the best of us can get caught out by scammers, so paying by credit card means you have some protection from dodgy deals as you can dispute and reverse the transaction.

Note the words credit card, if you use a debit card many banks won’t give you the same consumer protections.

Avoid direct wire payments or online services like PayPal as you’ll probably do your cash or, at best, be bogged down in the dispute procedure.

Use common sense

The most important part of avoiding scams is common sense; if something is too good to be true then it almost certainly isn’t true.

An offer for hard to get Olympic tickets, fifty dollar iPads or a million dollars from a long lost cousin in Africa always comes with a catch that leaves you out of pocket and possibly with your identity stolen.

Many of these scams aren’t new, they’ve just evolved to take advantage of the online world.

During the golden era of the snake oil merchant in the 19th Century, the phrase there’s a sucker born every minute was coined. Don’t be that sucker.
