We’ve not seen any of these on campus yet, but reports are coming in that a series of phishing scams, complex social engineering attacks, and other scams based on the news about the Target data breach are showing up in email inboxes across the United States. As usual, the scammers are riding the wave of panic as news stories say that up to 110,000,000 of us could be affected.
Reports indicate that these scams use a variety of attack methods:
- “Our records show that you shopped at Target in the last 24 months. As a precaution, . . . visit the official identity theft database and put your information in.” (Click the image to see a copy of this scam as captured by Gar Warner of malcovery.com.)
- “Thank you for your loyalty. As a reward for your loyalty, we are offering you the chance for a $1,000 gift card if you will take a brief survey.” (The survey then asks a lot of questions about you and your finances, and just keeps going and going. Uh, folks, if you see an online survey claiming to give you a $1,000 gift card as a reward, you do recognize that that is probably a scam to get you to surrender personal information to be used in future scams, right?)
- “Add this ‘ShopAtHome’ toolbar to your web browser to earn points and enhance your shopping experience.” (Uh, right. Like I want to install an unverified piece of software on my computer that will probably report my web searches to someone.)
If you want to see a sample of one set of scams that used the fake Target warning to try to trap you into a web of deceitful shopping scams, check out Gar Warner’s January 10 blog post or this summary at Help Net Security.
Bottom line, as always, Think B4 U Click!
We all recognize email like this one as a phishing scam, right?
- No legitimate company is going to send a billing notice to a list of customers with all the customer’s email addresses visible to each other.
- Standard shock treatment. You’re supposed to react, “Oh, No! Someone charged over $1300 to my AmEx card to pay their phone bill!” Then click the link to let the scammers harvest your personal info. Don’t fall for the scam:
Note that the link doesn’t go anywhere Verizon would want you to go. Nor where you should go.
- See this scam? Delete it.
- Not sure if a message like this one is a scam? Log in to your account at the alleged sender’s Web site and check your account.
- Fall for this scam? As soon as you can, contact the companies or institutions whose account information you provided to the scammers.
Superficially, this phish looks convincing. A lot of us shop at amazon.com using an American Express card. Oh, no! We’re in trouble! Only if any of us click any of the links in this message.
Look at this message for about 10 seconds and it becomes apparent that it’s just another rotten phish.
- Sent to a list of addresses. Real banks and credit card companies do not do that. They know that it’s a security breach to expose customers’ email addresses to other customers.
- Bad links: hover your mouse over either of the two links in the message body that allegedly go to an American Express site. As the screenshot below indicates, they will take you to an identity-harvesting site. Actually, three of the links in the footer will also take you to non-American Express Web sites.
- Message content: Do not click any links in this email message. If you are an American Express customer, instead, in your web browser, go to the standard credit card site where you usually log in, log in there, and look for a secure message to you from your credit card company.
Even though this phish has the stolen logos and a serious looking footer, if you just pay attention for a few seconds, you’ll draw the proper conclusion: Just delete the message!
Study this message for a few seconds and you'll see it's another rotten phish. Delete it.
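The two checks described above (a recipient list visible to everyone, and links whose real destination is not the alleged sender's site) can be automated. This is an added Python example, not part of the original post; the sample message, the example.* hosts, and the caller-supplied set of the sender's legitimate domains are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message); example.* hosts are placeholders.
SAMPLE = """\
From: "American Express" <alerts@example.org>
To: a@example.edu, b@example.edu, c@example.edu
Subject: Unusual activity
Content-Type: text/html; charset=utf-8

<p>Review <a href="http://americanexpress.com.login.example.net/v">https://www.americanexpress.com</a>
or <a href="https://www.americanexpress.com/help">contact us</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phish_indicators(raw, brand_domains):
    """Return findings for the two indicators; brand_domains is an assumed allowlist."""
    msg, findings = message_from_string(raw), []
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(rcpts) > 1:  # customers' addresses exposed to each other
        findings.append(f"{len(rcpts)} recipient addresses visible in To/Cc")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode(errors="replace"))
        for href, text in parser.links:
            url = urlsplit(href)
            host = (url.hostname or "").lower()
            # Match the host's suffix, so "brand.com.login.example.net" does not pass.
            ok = any(host == d or host.endswith("." + d) for d in brand_domains)
            if url.scheme in ("http", "https") and not ok:
                findings.append(f"link shown as '{text}' goes to {host}")
    return findings
```

Calling `phish_indicators(SAMPLE, {"americanexpress.com"})` reports the three exposed recipients and the first link, whose displayed text names the brand while its href resolves to a different host.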