Smartphones aren't just smart, they're personal computers. Unlike a desktop or even a laptop PC, those devices and other mobile phones can easily slip out of a pocket or purse, be left in a taxi, or get snatched off a table. They let you store photos, access e-mails, receive text messages, and put you one browser click away from potentially malicious Web sites.
In effect, gadgets like the Apple iPhone and those running Google's Android software can be as risky to use as PCs, except that the wide variety of mobile platforms has deprived malicious hackers of one dominant software element to target, such as they have with Microsoft's Windows operating system on desktops and laptops.
Here is a look at the different types of threats that affect smartphone users and what people can do to protect themselves.
Researchers Collin Mulliner and Charlie Miller at the Black Hat security conference last summer where they proved they could attack my iPhone with a text message, even after a beer or two.
(Credit: Elinor Mills/CNET News) What's the biggest security threat to my mobile phone?
Losing it. "You are way more likely to leave it in the back of a taxi than to have someone break into it," Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said in a recent interview. The best way to protect data in the event of losing a device is to not store sensitive information on it, he said. If you must store sensitive information on it, use a password on the phone and encrypt the data. Devices can be configured so that they ask for a password every time e-mail or a VPN is accessed. Use a strong enough password that a stranger can't guess it. And back up your data frequently.
There are also ways to lock the phone remotely or wipe the data if it is stolen. AT&T spokesman Mark Siegel said users who lose their phone should call the company immediately and "with just a keystroke, we can prevent anyone else from using the phone--and from running up charges."
A number of companies offer software and services to protect mobile phones. One of them is a start-up called Lookout that offers a Web-based service that backs up the data, remotely wipes the data if stolen, can help locate the device, and includes antivirus and firewall protection.
Mobile device users should also be careful about leaving the phone unattended, or loaning it to people. Spyware can be installed without you knowing it if someone has physical access to the device and knows your password if you have one set. For instance, the PhoneSnoop program can be used with BlackBerry devices to remotely turn the microphone on to eavesdrop on nearby conversations. However, a spokesperson for BlackBerry maker RIM points out that if the application is installed, the user would be able to see it running and could then remove it.
Can mobile phones get viruses?
Yes. Mobile viruses, worms and Trojans have been around for years. They typically arrive via e-mail but can also spread via SMS and other means. Mobile phone users should be diligent in installing security software and other updates for their devices. All the major desktop security vendors have mobile antivirus and related offerings.
In November, several worms hit the iPhone, but only devices that had been jailbroken so they can run apps other than those approved by Apple. One worm changes the wallpaper on affected devices to a photo of 80s pop singer Rick Astley of "Rickrolling" fame. The second, more dangerous worm attempts to remotely control affected iPhones and steal data such as bank login IDs. Jailbroken iPhones have also been directly hacked via SMS, including by one Dutch hacker who was demanding $7 from victims for information on how to secure their iPhones.
Miller says: "Don't jailbreak your phone. It breaks all the security, basically." If you simply must jailbreak it, you should change the default root password and not install SSH (Secure Shell network protocol).
What are other types of attacks?
Just like with computer users, smartphone users are vulnerable to e-mail and Web-based attacks like phishing and other social-engineering efforts. All attackers have to do is create a malicious Web page and lure someone to visit the site where malware can then be downloaded onto the mobile device. People should avoid clicking on links in e-mails and text messages on their mobile device. (For more anti-phishing tips read "FAQ: Recognizing phishing e-mails.")
SMS offers another avenue for attack. Last year, researchers demonstrated several ways of attacking phone using SMS messages. In one, they exploited a vulnerability in the way the iPhone handles SMS messages. Researchers also showed how an attacker could spoof an SMS to make it look like it comes from the carrier to get the target to either download malware or visit a site hosting it. In another proof-of-concept attack, a text message was used to launch a Web browser on a mobile device and direct it to a site that could host malware. When the attack is used to phish for personal information it is referred to as "SMiShing."
Is it safe to use Wi-Fi and Bluetooth?
Yes and no. If you are doing something sensitive on your phone, like checking a bank account or making a payment, don't use the free Wi-Fi at a coffee shop or other access point. Use your password-protected Wi-Fi at home or the cellular network to avoid what is called as a man-in-the-middle attack in which traffic is intercepted. Pairing a mobile phone with another Bluetooth-enabled device, like a headset, means any device that can "discover" another Bluetooth device can send unsolicited messages or do things that could lead to extra fees, data being compromised or corrupted, data stolen in an attack called "bluesnarfing," or the device being infected with a virus. In general, disable Wi-Fi and Bluetooth unless you absolutely need to use them.
Which is safer: the iPhone or Android?
Apple vets all the apps that are used on the iPhone, and that tight regulation of the Apps store has kept users safe from malicious apps so far. Nothing is foolproof, however. Once apps are approved they can do any number of things. For instance, Apple removed free games in November developed by Storm8 that were found to be collecting users' phone numbers.
From an architecture standpoint, Android offers more granular access control. But the open-source nature of the Android platform means apps aren't as controlled as they are on the iPhone and holes can be introduced by any number of parties. For instance, Miller found a vulnerability in the Android mobile platform last year that could have allowed an attacker to remotely take control of the browser, access credentials, and install a keystroke logger if the user visited a malicious Web page. The hole was not in code written by Google, but was contributed by a third party to the open-source Android Project. However, any risk was mitigated by an application sandboxing technique Google uses that is designed to protect the device from unauthorized or malicious software that gets onto the phone, Google said. Miller recommends that Android users only download software from trustworthy vendors and reputable sites.
Are standard mobile phones safe?
Obviously regular mobile phones don't pose the Web-based threats that smartphones do. But they are still used to store sensitive information that can be accessed by gaining access to the device. For instance, the inbox and outbox for text messages can contain information that can be used for identity fraud, said Mark Beccue, a senior analyst for consumer mobility at ABI Research. "Regardless of what type of cell phone, the most dangerous current threat is through a cellphone's in/out message boxes," he said. "Clear (them) out regularly. Do not transmit full account numbers, PIN or passwords within a text message unless you immediately delete the out box message."
Standard phones that support Java can be susceptible to certain threats that smartphones are. For instance, scammers in Russia and Indonesia are hiding a Trojan in pirated software that surreptitiously sends SMS messages to premium rate numbers - costing as much as $5 each, thus racking up huge bills, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
And what about spam?
That's a growing problem on mobile devices. For information on what to do when you get mobile spam read "FAQ: How to vanquish mobile spam."
Updated January 7, 2010 with BlackBerry maker RIM adding that in order for PhoneSnoop app to work someone would need physical access to the device and know the password if one is used, and that users are able to see what apps are installed and could then remove any unwanted app.
You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
Facebook has sued three men, alleging they used phishing techniques to get access to Facebook user accounts and then sent spam from the compromised accounts.
The lawsuit was filed Monday in federal court in San Jose, California, and named as defendants Jeremi Fisher, Philip Porembski, Ryan Shimeall and the companies associated with them, Choko Systems, Harm, and iMedia Online Services, according to a Facebook statement late on Tuesday. The defendants could not be reached for comment.
The defendants are accused of launching at least four spam campaigns over the last couple of years, the latest in the last three months being responsible for nearly three-fourth of all spam on the site, according to the suit. The latest "escalated attack" included spam offering a colon cleanser, fake messages purporting to show a video of the recipient and offers for recipients to make money through a fake "Google Campaign." Clicking on the spam typically sends a user through various marketing sites before landing them on a page that prompts for their Facebook log in information.
It is unclear exactly how Facebook user log in information, used to send spam to friends, was obtained.
Facebook has spent $5,000 combating the spam, according to the suit.
The lawsuit makes claims under the Can-Spam (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, the Computer Fraud and Abuse Act, the California Anti-Phishing Act and the California Computer Data Access and Fraud Act, according to Facebook.
This is the latest legal action the social networking site has taken related to spam. In October, Facebook was awarded $711 million in a judgment Thursday against self-described "spam king" Sanford Wallace.
The largest judgment ever under the Can-Spam Act was an $873 million award Facebook won in November 2008 against Adam Guerbuez, of Montreal, and his company, Atlantis Blue Capital.
Updated December 16 at 7:55 a.m. PST with details from the lawsuit.
If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.
Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.
And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.
Here is some basic information that can help people avoid being tricked by phishing attacks.
What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.
Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.
Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.
This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.
(Credit: Screenshot by Elinor Mills/CNETNews.) What are other recent examples of phishing attacks?
A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"
E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.
E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.
A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.
What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S. so they often have misspellings and grammatical errors. Some have an urgent tone and they seek sensitive information that legitimate companies don't typically ask for via e-mail.
What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S. so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.
The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.
Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing emails typically offer generic greetings, like "Dear PayPal customer."
Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address on the bottom of most Web browsers.
In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.
If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.
Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
How can phishing attacks be avoided?
Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.
If an e-mail looks reasonable contact the company directly if you receive an e-mail asking you to verify information. Type the address of the company into the address bar directly rather than click on a link. Or call them, but don't use any phone number provided in the e-mail.
Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.
Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.
Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.
Make sure you are using a secure Web site when submitting financial and sensitive information.
Change passwords frequently. Don't use the same password on multiple sites.
Regularly log into online accounts to monitor the activity and check statements.
Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.
What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.
Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.
Here are additional resources.
http://apwg.org/consumer_recs.html
http://www.irs.gov/newsroom/article/0,,id=154848,00.html
http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx
This phishing e-mail includes a sender e-mail address and link that are obviously not associated with Facebook.
(Credit: Screenshot by Elinor Mills/CNETNews.)
(Credit:
FBI)
Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.
"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.
The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.
Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses who have been victims of online theft and detailing the attacks.
Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.
The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipients' computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.
The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.
Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.
"Money mule activity is essentially electronic money laundering...," the FDIC statement said.
Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.
"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."
Twitter and Facebook users were getting hit with scams on Monday.
Twitter users warned about direct messages that said, "I make money online with google. i learned how here [link]," according to Twitter users.
A Twitter representative said it was not a phishing scam because the site to which the spam links does not ask for a username and password, or look like a Twitter page.
"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."
On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.
"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."
Twitter users warned about a "make money online with google" scam on Monday.
(Credit: Twitter Search)Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.
This is Twitter's spam warning.
(Credit: Twitter)Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.
"We've seen a few phishing attempts today; if you've received a strange (direct message), and it takes you to a Twitter log-in page, don't do it!" the Twitter spam warning says.
The direct messages say: "hi. this you on here? http://blogger.djh****.com," Sophos reports in a blog post. The full URL is obscured to prevent people from unwittingly visiting the phishing site.
Clicking on the link takes a user to a page that looks like a legitimate Twitter log-in page. When the user types in the username and password, a fake version of Twitter's "over capacity" message is displayed, with the image of the notorious "fail whale" held aloft by birds.
"When I visited the page, I was then slingshot to another Web page on Blogspot.com, claiming to belong to a blogger called NetMeg99," Sophos researcher Graham Cluley wrote. "It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Web page did also try to phish for credentials at one point."
If you have been duped by this phishing ruse, Sophos suggests that you immediately change your password at Twitter and any other sites where you used the same log-in credentials.
On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.
In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.
This is a screen shot of the message in the body of the fake Facebook e-mail.
(Credit: AppRiver)When they provider that information, victims are taken to a page that offers an "Update Tool," but that is actually the Zeus bank Trojan that is designed to steal financial and personal data, Touchette said.
Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.
There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.
More details are on the AppRiver blog.
On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.
To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.
Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.
If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.
This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.
(Credit: AppRiver)
It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.
Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While, Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.
More on that later. First, let's look at what an analysis of the leaked passwords reveals.
Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.
While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.
For instance, 30 percent used a combination of uppercase and lowercase letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.
"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."
Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.
There are errors in the list of Hotmail passwords that appear to be the result of improper extracting or merging data, she writes on the ScanSafe blog.
Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.
Asked to comment on Landesman's speculation, Microsoft and Yahoo representatives said the companies still think the passwords were phished.
A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."
It's important to remember that phishing can lead to the download of malware onto a victim's computer. So people may never been known what happened.
Regardless, be careful out there.
(Related: See Larry Magid's story for tips on making strong, easy-to-remember passwords.)
Update, 1:20 p.m. PDT on October 9: The list of passwords analyzed apparently was limited to usernames starting with A and B, which is not exactly a representative sample but could explain the use of Spanish words beginning with "A."
Robert Mueller
(Credit: James Martin/CNET)SAN FRANCISCO--No one is immune from cyberthreats, not even the head of the FBI.
FBI Director Robert Mueller was banned by his wife from doing online banking after he nearly fell for a phishing scam, he said on Wednesday during a talk at the Commonwealth Club of California.
He received an e-mail purporting to be from his bank that looked "perfectly legitimate" and which prompted him to verify some information. He started to follow the instructions but then realized that that "might not be such a good idea," he said.
"Just a few clicks away from falling into a classic Internet phishing scam," Mueller "barely caught himself in time" and admitted he "definitely should have known better."
He said he changed his passwords and tried to pass the incident off to his wife as a "teachable moment," but she was having none of it and told him, "It is our money. No more Internet banking for you!"
(He would have benefited from reading Larry Magid's tips for avoiding phishing scams.)
Earlier on Wednesday, the FBI in Los Angeles announced indictments of 100 people in the U.S. and Egypt, and the arrest of 33 people in California, Nevada, and North Carolina as part of "Operation Phish Phry"--the largest cybercrime investigation to date in the U.S.
Egyptian hackers are accused of targeting two U.S. financial institutions in phishing attacks and using the stolen bank account information to get unauthorized access to the accounts, coordinating with associates in the U.S. to transfer the money out of the accounts, the FBI alleges.
The U.S. defendants allegedly recruited "runners" to set up bank accounts where the funds from the compromised accounts could be transferred and withdrawn. There were hundreds or thousands of bank customer victims, the FBI estimated.
"It's the largest international phishing case ever conducted," Mueller said.
Many of the scams come from people in Eastern Europe, he said. To support investigations in Romania, the FBI has agents embedded in the police agencies there and managed to arrest more than 100 people in that country and in the U.S. in the last year, he said.
During a question-and-answer session, Mueller was asked how vulnerable the U.S. is to attacks on its critical infrastructure. The U.S. is "well ahead of just about any country (in) walling off access to outsiders to our most sensitive" systems, he said. Officials have seen instances of cyberattacks by terrorists, but "they have not yet been of the magnitude that would cause us substantial concern," Mueller said.
Meanwhile, terrorists are using things like Google Earth as tools in their mission, he said.
One audience member submitted a comment card that the fear of the FBI reading citizen e-mail was greater than the fear of teenage hackers. The FBI does not intercept communications without a court order of some kind, Mueller said. "I would worry about that teenage hacker more than you should worry about us," he added.
"I'm comfortable with the stances we've taken," on balancing civil liberties and national security, he said, adding that he supports the Patriot Act because it "broke down the walls between the intelligence community and law enforcement." He warned people against revealing too much of their lives online, on sites like Facebook.
The personal moments shared with friends as a youth may later "come back to haunt you" during a job search, he said, despite the use of passwords and the supposed anonymity of screen names. "To the extent that you are going to rely on that forever, it's very, very weak security," Mueller said.
"I do not have a Facebook profile," he later added.
Young hackers also shouldn't expect to parlay their computer skills into a legitimate career if they get arrested for breaking into systems and serve time, he warned.
"You hack, you get caught," he said. "You are going to jail... You are not going to get a good job afterward. You are going to be identified as a person who has broken the law."
Asked what keeps him awake at night, Mueller responded: "The threat of a weapon of mass destruction in the hands of a terrorist... One person with access to a biological or chemical agent can cause massive harm."
Related podcast: Symantec Internet safety adviser Marian Merritt discusses how to avoid being a phishing victim.
FBI Director Robert Mueller talks about how the agency fights cybercrime.
(Credit: James Martin/CNET News)
