Security

November 21, 2009 10:04 AM PST

McAfee warns about '12 Scams of Christmas'

by Larry Magid

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year."

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

  1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.

  2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.

  3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.

  4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.

  5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money for merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.

  6. Practice safe holiday shopping. Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an ironclad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page address starts with https. The "s" stands for "secure."

  7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.

  8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.

  9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.

  10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.

  11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.

  12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Bottom line--Don't let the eggnog and holiday cheer keep you from using your critical thinking skills when you go online during the holiday season. And, of course, make sure your operating system is updated and that you're using up-to-date security software.

Listen to Larry's interview with McAfee's David Marcus

Originally posted at Safe and Secure

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.

June 1, 2009 12:23 PM PDT

'Best Video' scam on Twitter dropped malware

by Elinor Mills

Twitter users were hit with another attack over the weekend featuring tweets reading "Best Video" and a link to a Web site that downloads malware, a security firm said on Monday.

The Web site, with a .ru (Russia) domain, purports to show an embedded YouTube video. Instead, the page downloads a malicious PDF that contains a "flurry of exploits" and, if successful, downloads fraudware that displays a fake security warning to try to get people to pay money, according to Kaspersky's Viruslist.com blog.

Contrary to earlier reports that the attack was a worm, the Kaspersky blog post speculates that the attackers were using accounts stolen in a phishing attack about a week ago.

Thousands of Twitter users were affected by what looked like a worm-like phishing attack last week, but was instead a site designed to help Twitter users increase their number of followers quickly. The TwitterCut site looked like a Twitter log-in page and prompted people to type in their user names and passwords. Site administrators denied the phishing allegations and said they were shutting it down, according to the TrendLabs Malware Blog.

"This attack is very significant," the Kaspersky post says of the latest attack. "It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks."

Twitter said on Saturday that it was aware of the problem and working on it. Another message from Twitter on its status page said some legitimate accounts affected by the attack were suspended but would be restored and that no personal information had been compromised.

The 'Best Video' scam displays a fake security warning in order to get people to pay for antivirus software they don't need, Kaspersky says.

(Credit: Kaspersky Labs)

May 19, 2009 4:00 AM PDT

Protecting yourself from vishing attacks

by Marguerite Reardon

You might have heard about online "phishing" scams designed to steal money from unsuspecting Web users, but now criminals are using another type of scam called "vishing" to commit the same crimes.

Last week, the Federal Trade Commission filed lawsuits against two telemarketing firms in Florida and a company claiming to sell extended automobile warranties, alleging that they violated the Do Not Call registry and committed fraud by selling bogus warranties for between $2,000 and $3,000 a pop. Since 2007, the companies supposedly made 1 billion calls and generated more than $10 billion.

These companies likely used spoofed caller ID numbers to hide their identities from consumers and law enforcement authorities.

The case is the latest example of what are known as vishing attacks, which use the phone network to swindle people out of money. To help readers understand what these scams are, how they work, and how they can protect themselves, CNET News has put together this FAQ.

What is vishing? Vishing is a social-engineering technique for stealing information or money from consumers using the telephone network. The term comes from combining "voice" with "phishing," the online scams that get people to give up personal information.

How does it work? Typically attackers use a technique called caller ID spoofing to make it look like calls are coming from a legitimate or known phone number. It's a very similar technique to email spoofing, which makes e-mail addresses look like they are coming from a trusted source. But because people typically trust the phone service and caller ID, spoofing phone numbers can be particularly damaging.

And just like with online phishing attacks, which direct consumers to phony Web sites, vishing attacks usually have a recorded message that tells users to call a toll-free number. The caller is then typically asked to punch in a credit card number or other personal information. In the case of the warranty scams, users are asked to buy a bogus extended warranty for their car, which can cost anywhere between $2,000 and $3,000.

How easy is it to spoof a phone number? With voice over IP phone technology, caller ID spoofing is very easy to do. The traditional phone network works by connecting one circuit to another. Each circuit on either end of the call is assigned a phone number by the phone company. So changing the phone number of a caller was more difficult. Of course, there were people who had figured out ways to hack into the old phone network to do this, but it wasn't as easy as it is today with voice over IP technology. With VoIP services, there is no circuit. These services use the Internet, which assigns different devices on the network IP addresses instead of actual phone numbers. Phone numbers are actually assigned by the users themselves.

There are several companies offering commercial spoofing services, such as SpoofCard. And even VoIP services, such as Skype, allow people to pick an area code and even the prefix number they want when they set up a new phone number. These numbers can be used to disguise where calls originate. Of course, Skype is built for individual use, but other services like Flowroute provide VoIP services for businesses using PBXs. A PBX, or private branch exchange system, makes connections among the internal telephones of a private organization, such as a business, and it also connects them to the public switched telephone network (PSTN). These services allow companies to pick any phone number for caller ID they want. And some telemarketers use the service to spoof telephone numbers.

The practice of caller ID spoofing is so widespread and common that one of the telemarketers accused in the FTC lawsuit supposedly bragged to a prospective client that he could call the entire United States in just a few hours and would not get caught calling people on the Do Not Call List.

Is caller ID spoofing illegal? No, it's not. But there is proposed legislation that could make manipulating a phone number to look like it's coming from someone else illegal.

Are there legitimate uses for caller ID spoofing? Yes, there are some legitimate uses for spoofing. Voice over IP providers by definition must use spoofing, or some kind of number manipulation, to create phone numbers. But there are other legitimate uses. For example, doctors who might want to call back patients from their home may use spoofing to conceal their home numbers. Some online dating services use spoofing to let people talk to potential matches without revealing their real phone numbers. And some lawyers involved in domestic violence cases may use caller ID spoofing to protect the whereabouts of abused clients.

Even though there are some legitimate uses for caller ID spoofing, Lance James, co-founder of Secure Science, which specializes in fraud protection, says 75 percent of all caller ID spoofing is likely for illegitimate purposes. Still, he believes that any new laws that make caller ID spoofing illegal should distinguish between people using spoofing for legitimate purposes and those looking to harm or scam people out of money.

Who typically uses caller ID spoofing and vishing scams? Most of the vishing attacks have been from nefarious individuals or crime rings who are stealing credit card numbers or other personal information in identity theft. But telemarketers are also using the technique to get people to buy bogus products. Because the cost of spoofing caller ID numbers using a voice over IP service is so low, companies using the technique only have to get a few people to buy a phony product or hand over personal or financial information to make the efforts profitable.

How do the scams usually work? Scammers often use either a war dialer, which is software that identifies numbers that can be used to make calls, to call phone numbers in a given region, or they access a legitimate voice messaging company with a list of phone numbers stolen from a financial institution. Usually they set up an automated recording to call individuals telling them that their credit cards have been flagged for fraudulent activity. Then they either ask people to provide credit card numbers, PIN codes, and/or Social Security numbers to verify their account or they provide another number where the consumer is to call to provide account details.

Some sophisticated attacks combine vishing and phishing. These scams typically start with a phishing e-mail that says there has been a problem with an online account from a known Web site, such as a bank, credit card company, or online retailer, and it directs users to call a number and enter information to verify their account.

Is it hard for authorities to catch vishers? Yes and no. Because all calls originate and terminate somewhere, there are billing records that law enforcement officials can use to trace calls to their sources. But this often takes several subpoenas to get access to the right information, which takes time and costs money.

Are there any technologies that can be used to identify vishing attacks? The biggest vulnerabilities in the communications network occur where older technologies meet new technologies, according to Secure Science's James. As a result, he believes that a coordinated effort by traditional phone companies and newer VoIP companies can help stop many attacks. Essentially, traditional phone companies and VoIP providers can verify and authenticate calls to ensure people making calls are who they say they are. This practice should cut down on much of the illegal activity that is done by spoofing caller ID numbers, James said.

Carriers could also add clauses to their terms of use that would prohibit customers from using spoofed IDs to commit fraudulent acts. And if these users are caught doing something illegal, they could have their service terminated.

Some companies are offering blacklist software that blocks certain caller ID phone numbers. Of course, blacklisting can be tricky since scammers and telemarketers can change the pool of numbers they use to conceal their identities. For example, Google will offer a feature in its Google Voice product that will allow phone calls to be filtered like e-mail so that users can block calls or send some calls from certain phone numbers to a "spam" folder.

And finally caller ID spoof providers like SpoofCard, which handles the large majority of spoofed numbers on the market, can work with service providers and law enforcement to flag suspicious spoofers.

What can consumers do to protect themselves? Here is some advice from security experts:

• Be aware. Consumers need to know that these scams exist. To find out more information, go to the FTC Website.

• Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking for personal information. And some experts suggest letting all calls from unknown callers go to voicemail.

• Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company. As explained earlier, caller ID spoofing is easy.

• Ask questions. If someone is trying to sell you something or asking for your personal or financial information, ask them to identify who they work for, and then check them out to see if they are legitimate.

• Call them back. Again if someone is selling you something or asking for information, tell them you will call them back and then either verify the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card. Never provide credit card information or other private information to anyone who calls you.

• Register your number with the National Do Not Call registry at donotcall.gov. Even though criminals and unscrupulous telemarketers may ignore the list, if you are on the list and get a call from a supposed telemarketer, that could be a tip that the offer is bogus. Most legitimate telemarketers obey the rules and laws about contacting consumers. Also, the Website provides a place where complaints can be filed.

• Report incidents. Report vishing calls to www.ftc.gov or call (888) 382-1222. The FTC wants the number and name that appeared on the caller ID as well as the time of day and the information talked about or heard in a recorded message. If you think you've been a victim of a vishing attack, you can also contact the Internet Crime Complaint Center.

Originally posted at Wireless

May 14, 2009 5:47 PM PDT

Facebook members hit by another phishing scam

by Michelle Meyers

In what's just the latest Facebook phishing scam, hackers on Thursday broke into accounts and sent e-mails to friends urging them to log on to fake Facebook sites, according to new reports and anecdotes from members.

The social-networking site is in the process of cleaning up from the hack and is blocking compromised accounts, Reuters reported. "Victims were directed to log back in to the site, but actually logged into the one controlled by the hackers, unwittingly giving away their passwords," Reuters said, adding that the fake domains include www.151.im, www.121.im and www.123.im.

Facebook did not immediately respond to an e-mail seeking confirmation and information about the hack. The number of users affected remains unknown, but a Facebook spokesman told The New York Times it "is not widespread and is only impacting a small fraction of a percent of users."

In addition to the scam, Facebook security made the news Thursday in relation to upcoming plans for "verified apps" on the site. Under this program, Facebook will review developer apps for a $375 fee to make sure they fit security and transparency standards, and will award a graphic badge to apps that make the cut.

March 16, 2009 12:02 PM PDT

Scammers customize news to deliver you malware

by Elinor Mills

Security experts warned on Monday of a new insidious e-mail scam that features false information about a bomb explosion in the recipient's hometown and leads to a malicious Web site.

The subject lines include "Take Care!" and "Are you and your friends in good health?" The e-mail includes a link to what looks like a news article on a Reuters page about the bombing. But the Web page and the news are fake, according to e-mail security provider Marshal8e6 and antivirus firm Sophos.

The scammers are using IP address geolocation techniques to figure out what city the recipient lives in and are localizing the fake bomb news to that location.

Meanwhile, clicking on the fake Reuters video page leads to malicious Waledac code being downloaded on the computer, the security firms said.

Earlier this year, the Waledac worm tricked people with fake Valentine's e-mails.

The fake page circulating now also includes Wikipedia and Google search links as "Related Links" at the bottom in an attempt to make the page look legitimate. However, missing words in the text of the story and poor grammar are giveaways that the page is fake.

Attackers are using IP address geolocation techniques to tailor fake news to the home town of the e-mail recipient in the latest Waledac scam.

(Credit: Marshal8e6)

March 4, 2009 12:58 PM PST

Facebook, Google helping feds stop online stimulus scams

by Stephanie Condon

WASHINGTON--President Obama's economic stimulus plan has already spurred activity in at least one online industry, though not one the administration was hoping to encourage.

Deceptive Web sites, advertisements, and e-mail campaigns have cropped up across the Web in recent weeks, luring consumers into scams by promising them federal grant money from the stimulus package, the Federal Trade Commission said Wednesday.

The FTC is investigating these scams and is reaching out to the private sector for help. Google on Wednesday morning committed to investigating stimulus-related ads that violate its anti-scam policy, and Facebook has pulled ads for stimulus funds from its site, in accordance with a new advertising policy it implemented this week.

The deceptive sites and ads "have literally mushroomed up almost overnight," Eileen Harrington, the acting director of the FTC's Bureau of Consumer Protection, said Wednesday.

Web sites fraudulently offering ways for consumers to receive stimulus funds often use pictures of President Obama.

(Credit: Screenshot provided by the Federal Trade Commission)

Scammers have created sites with domains like PresidentObamaGrants.com and OfficialStimulusGrants.com, Harrington said, and include pictures of President Obama and Vice President Biden. The sites prompt consumers to enter a credit card number to pay a small fee in return for a list of grants supposedly available for things like mortgage payments. Those small fees, however, are often nothing more than a down payment on a "negative option" agreement that could cost someone thousands of dollars over the course of a year if not canceled.

"These Web sites tout free money for you," Harrington said. "But as the saying goes, the devil is in the details. Buried deep within the Web site is the fact that they'll charge you a lot of money."

Advertisements for these sites have started appearing on social-networking sites, video-streaming sites, and search engines. While Google and Facebook have been cooperative, Harrington said not all sites have been responsive to the FTC's request for help, though she declined to name any such sites. She also said the FTC has been in communication with network advertising groups about the problem, though she once again declined to name which ones.

"We've spent a lot of time educating advertisers how to screen for ads and this one should be a no-brainer for them," she said.

Facebook started noticing the suspect stimulus-related ads on its site about four to five weeks ago, before the FTC contacted the company, said Joe Sullivan, senior counsel for Facebook. Through Facebook's own ad screening and the "thumbs down" function that lets users give feedback on ads, it was able to identify the problem. Facebook launched a new policy this week to prohibit ads on its site with any obscure recurring billing schemes.

Spammers are also targeting consumers through e-mails that encourage consumers to click on a link within the message or to fill out attached forms to find out more about receiving stimulus funds. Clicking on the links or the attachments, however, can result in identity theft or in harmful software being downloaded to one's computer.

The FTC will not discuss ongoing investigations publicly, but Harrington said the deceptive negative-option marketing campaigns found on many of the fraudulent stimulus sites fit the profile of scams the FTC has already challenged in many law enforcement actions.

"The FTC has broad authority to challenge deceptive and unfair practices," she said.

Either through court proceedings or administrative challenges, the agency could take actions that could result in any number of consequences, such as prohibiting the use of certain ads or requesting that money be returned to consumers.

Originally posted at Politics and Law

February 27, 2009 8:34 AM PST

ID theft up, and 20-somethings suffer most

by Larry Dignan

Update at 9:30 a.m. PST: A new chart has been added to the end of the article.

This was originally published in ZDNet's Between the Lines.

Identity theft cases surged in 2008, according to the Federal Trade Commission.

Last year, ID theft was by far the biggest complaint to the FTC, representing 26 percent of total problems reported. The next biggest one--third-party and creditor debt collection scams--represented only 9 percent of complaints.

The FTC's annual Consumer Sentinel Network report (PDF), released Thursday, details that ID theft complaints totaled nearly 314,000 in 2008, up from about 259,000 in 2007 and up substantially from about 31,000 in 2000.

The Consumer Sentinel Network is a secure online database that harvests complaints from law enforcement authorities, as well as other groups such as the Internet Crime Complaint Center and Better Business Bureau.

(Credit: FTC)

Here are the top 10 complaint categories, which often dovetail with the Internet.

(Credit: FTC)

E-mail is clearly the preferred means of propagating fraud. Scam artists are most likely going to nail you via e-mail. Phone scams have fallen from 11 percent to 7 percent from 2007 to 2008. My hunch: as more consumers use wireless as their primary phone, it's harder to track down victims.

(Credit: FTC)

What's also notable: the demographics. Twenty-somethings are most likely to get hit with ID theft.

(Credit: FTC)

February 11, 2009 1:31 PM PST

MobileMe users hit with phishing scam, again

by Elinor Mills

(Credit: Macworld)

MobileMe users are being targeted by a phishing scam.

Users of MobileMe, which automatically sends e-mail, contacts, and calendar events to your computer, iPhone, or iPod, have been receiving a new e-mail that looks like it comes from Apple. It warns that attempts to renew the MobileMe subscription have failed because of a problem with charging the credit card and prompts the recipient to log in and update information on a site that looks legitimate but is not, Macworld reported on Wednesday.

A similar phishing scam targeting MobileMe users was discovered in August, according to Macworld.

Tips for MobileMe users and anyone who does any transactions online include never clicking on links in an e-mail that prompt for financial information and looking for the "https" in the Web address for more secure communication with sites.

December 11, 2008 12:54 PM PST

We need to monitor information security grifters, too

by Jon Oltsik

A new report from the Anti-Phishing Working Group is yet another reminder of the information security threats we all face. This latest publication states that the number of compromised URLs used to distribute malicious code nearly tripled in the 12-month period from July 2007 through July 2008.

This data, along with similar research from McAfee, RSA Security, Symantec, and Trend Micro, demonstrate that the bad guys are taking advantage of the global recession with an increase in attack volume and sophistication. Certainly, security professionals recognize this unsettling trend, and according to ESG Research data, security remains a top IT priority for 2009. Based upon recent activities, it appears the federal government also sees the need for countermeasures.

While insiders seem to see the storm approaching, however, I'm worried about the Internet everyman--"Joe the Online User," if you will. Information security tends to be an esoteric topic sure to bore the pants off friends and neighbors at upcoming holiday parties, but there's more in play than ignorance alone.

I am starting to see a whole bunch of no-name security grifters pitching second-tier products and services with Chicken Little, "the sky is falling" scare tactics. You tend to find these guys are on drive-time radio and entertainment Web sites. I'm not alone in this observation. This week the U.S. District Court in Maryland ordered two fly-by-night companies to stop promoting "scareware" through online advertisements. These pop-up ads would warn Web surfers that their systems had been compromised by viruses, spyware, and even "illegal pornographic content." They were even so brazen as to suggest that users could be investigated or outed as some type of degenerate porn addict. Of course, they were happy to sell you software and services to alleviate the problem.

Unfortunately, there will always be a population of low-down dirtbags willing to take advantage of people's fears and hardships. After September 11 they pitched gas masks; they sold bottled water for $10 apiece following Hurricane Katrina. Given the cybersecurity activity out there, we are bound to see more and more of these security scams. The difference here is that security con artists are preying on fears that users really don't understand. Consumers may get scammed or become cynical--neither of which is good.

We need a focused effort to pull together as a security community, educate consumers, and push for strict punishment of these flimflammers. If not, things can only get worse.

November 21, 2008 8:18 AM PST

Online quiz tests phishing knowledge

by Robert Vamosi

Think you can spot the difference between a legitimate e-mail and a phishing scam sitting in your in-box? According to one security vendor, many people can't.

The SonicWall Phishing and Spam IQ Quiz presents a series of e-mails that may or may not be from PayPal, Wells Fargo, the IRS, and others. Test takers must decide whether each e-mail is a phishing attempt or legitimate, or provide no answer. Afterward, a score card is presented and, if any questions were missed, there's an opportunity to see why: A page opens up identifying the clues that should have told you a given e-mail was probably bogus.

According to SonicWall, only 59.4 percent of test takers so far this year have been able to properly identify a legitimate e-mail, compared with 77.8 percent of the test takers in 2004. And this year, only 7.4 percent of test takers were able to correctly identify and categorize every e-mail they were presented.

The good news is that people are better at spotting a likely phishing scam. This year 86.1 percent caught the scam, as opposed to only 69.2 percent in 2004.

Real or fake? By taking the test, you can test your ability to spot a phishing scam.

(Credit: SonicWall)