That’s right. Flying phish.
The newest phishing scam is an email claiming to come from British Airways. It tells you that your recent ticket purchase is complete and offers two links: one that appears to lead to an electronic copy of your new ticket and one that appears to lead to the customer service desk.
However, the links actually attempt to download malware onto your computer that then spies on your data.
For more information about this scam, read Graham Cluley’s article, British Airways e-ticket malware attack launched via email.
We’ve not seen any of these on campus yet, but reports are coming in that a series of phishing scams, complex social engineering attacks, and other scams based on the news about the Target data breach are showing up in email inboxes across the United States. As usual, the scammers are riding the wave of panic as news stories say that up to 110,000,000 of us could be affected.
Reports indicate that these scams use a variety of attack methods:
- “Our records show that you shopped at Target in the last 24 months. As a precaution, . . . visit the official identity theft database and put your information in.” (A copy of this scam was captured by Gar Warner of malcovery.com.)
- “Thank you for your loyalty. As a reward for your loyalty, we are offering you the chance for a $1,000 gift card if you will take a brief survey.” (The survey then asks a lot of questions about you and your finances, and just keeps going and going. Uh, folks, if you see an online survey claiming to give you a $1,000 gift card as a reward, you do recognize that that is probably a scam to get you to surrender personal information to be used in future scams, right?)
- “Add this ‘ShopAtHome’ toolbar to your web browser to earn points and enhance your shopping experience.” (Uh, right. Like I want to install an unverified piece of software on my computer that will probably report my web searches to someone.)
If you want to see a sample of one set of scams that used the fake Target warning to try to trap you into a web of deceitful shopping scams, check out Gar Warner’s January 10 blog post or this summary at Help Net Security.
Bottom line, as always, Think B4 U Click!
In my email this morning, I just learned that someone tweeted a picture of me!
Not so fast. It’s an email from a scammer impersonating a legitimate twitter account in order to get me to surrender my account information.
Even though the email appears to have come from twitter (the spoofed sender domain “postmaster.twitter.com”), it’s a phish. It’s not legit. Someone has spoofed a legit twitter account and imitated a standard twitter notification, trying to social engineer your response: “Oh goody! A picture! [Click bit.ly link.]” If you follow the link in the email, you land on a forged twitter page. The design and images make the page look just like twitter’s login screen, but look carefully at the URL in the address bar: it is not twitter.com.
This scam points to the need for caution in following “shortened” links and to the need to Think B4 U Click! The scam is designed to make you so happy that one of your twitter contacts has posted a picture of you that you react by clicking the link, think you need to log in to twitter on the fake screen, and–boom!–the scammer has captured your twitter username and password.
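The “look carefully at the URL” check, written out so it can be run over a batch of links instead of done by eye. This is an added example, not code from the original post or from twitter. It assumes twitter.com (and its subdomains) is the only legitimate login host, treats a handful of public shorteners as “destination unknown,” and uses constructed sample links; it does not follow shortened links, since the point is to decide before clicking.

```python
"""Triage links from a "someone posted a picture of you" email.

Added example (not from the original post).  Sample URLs are constructed.
Assumption: the real login lives on twitter.com or a subdomain of it.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "twitter.com"

# Public shorteners: the real destination is unknown until the link is expanded.
SHORTENERS = {"bit.ly", "tinyurl.com", "ow.ly", "goo.gl"}

# Character swaps that make a foreign host read like the real one at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def _split(url):
    """urlsplit() that tolerates a bare 'host/path' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def effective_host(url):
    """Host a browser would actually connect to, lower-cased, or None.

    .hostname discards userinfo ('twitter.com@...'), the port and the
    brackets around an IPv6 literal, so those tricks do not survive it.
    """
    return _split(url).hostname


def looks_like(host, domain):
    """True when host, after undoing common homoglyph swaps, contains domain."""
    folded = host
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return domain in folded


def classify(url):
    """Return one of: legit, shortener, userinfo-trick, lookalike, other."""
    parts = _split(url)
    host = parts.hostname
    if not host:
        return "other"
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    if host in SHORTENERS:
        return "shortener"
    if parts.username:
        # 'https://twitter.com@203.0.113.5/login' connects to 203.0.113.5
        return "userinfo-trick"
    if looks_like(host, LEGIT_DOMAIN):
        # 'twitter.com.verify.example' or 'tvvitter.com'
        return "lookalike"
    return "other"


# Constructed sample links of the kinds seen in this sort of phish.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://bit.ly/2xYz",
    "https://twitter.com@203.0.113.5/login",
    "https://twitter.com.account-verify.example/login",
    "https://tvvitter.com/login",
    "https://example.com/photo",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):15} {link}")
```

Only “legit” deserves a twitter password; a “shortener” result means you still do not know where the link goes, which is exactly why the scam in this post used one.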
This scam probably originated with a legitimate account being compromised. Therefore, if you receive a phishing scam like this one, notify the real holder of the twitter account about the phishing attempt.
If you fall for this scam, log in to twitter.com and change your password immediately. If you cannot change your password because the scammer has already changed it, contact twitter to report that your account has been compromised.
The folks in UD’s Development Office report receiving a phone call that could be a variation on the phone support scam we mentioned last month.
I just received a telephone call from a man who claimed to be “Tom Collins,” with UD Business Solutions. He said his boss asked him to call me to get the serial number from my laser deskjet printer. I looked at the caller ID and it showed “PRIVATE NUMBER”, so I asked him if he was a UD employee. When he replied “yes,” I asked for his boss’s name and phone number saying that I would call him back. He then hung up on me.
This employee recognized that this phone conversation could have been the beginning of a scam support call. She knew not to give out serial numbers or confidential information to an unknown caller. Nice move asking for the phone number to call back!
Verizon recently sent out a phishing warning to many of its customers.
Recent phishing email has gone out with the Verizon logo and a link that LOOKS like a legitimate link. However, when you follow the link you go to a site designed to harvest your personal information for criminal purposes–in this case, your bank account or credit card information. (Verizon’s warning calls this a “pharming” site, a term usually reserved for attacks that redirect traffic at the DNS level; here the mechanism is simply a forged page at a link in the email.)
After including an image of one of the recent scams, Verizon provided some very sound advice and announced a change in their policy:
To avoid getting hooked by such bogus emails, here are some tips to help safeguard your personal information:
- Do not open suspicious emails. Look for misspellings, awkward requests or inconsistent grammar.
- A Web site link included in an email can make getting to a Web site easy, but it can also be used to send you to a malicious Web site.
- If you have doubts about the authenticity of an email, do not click on any links in the email – instead, type the Web site or Web page address into the ‘address bar’ of your browser.
- Never type sensitive personal information, such as social security and/or driver license numbers or account numbers and/or passwords, in a reply email.
- Use spam filters to block suspicious emails.
- Use anti-virus and anti-malware software to automatically detect and eliminate malicious software.
- The best practice when you find a phishing email is to either immediately delete it or report it to the company or organization being impersonated. Like Verizon’s email@example.com mailbox, many companies have set up an ‘abuse’ or ‘security’ mailbox to receive those reports and provide customer assistance.
Finally, in order to provide you with additional confidence in Verizon alert messages going forward, Verizon will be removing live ‘clickable’ links from any alert messages we send you regarding payment processing problems or credit card and/or bank account issues. You can continue to access and make changes to your account any time of the day or night at www.verizon.com.
We quote the Verizon email at length because it provides such good advice and because it announces Verizon’s new policy NOT to include links in a variety of different billing and customer service email messages.
Stay safe. Keep deleting those phishing scams.