Everyone who’s been online in the past couple of days knows the net has basically been on fire. News about the Heartbleed OpenSSL vulnerability is all over the place, and people are scrambling to change their passwords. But maybe we shouldn’t be so hasty – not everything has been compromised, and not every email is legit.
For example, we had lots of people calling in about the email sent out on the 9th instructing UD members to change their passwords. Many of you astutely noticed that the provided link was wrong, and we’re glad to see the UD community is alert for the signs of phishing scams. This brings up two important points.
First, be wary of emails containing links. Although it sometimes happens, legitimate organizations generally shouldn’t put links in their security emails. Instead, they should instruct you to visit their websites and take action there. If you get an email containing a link, verify the actual link destination by hovering your mouse cursor over the link and reading the destination your browser or mail client shows in the status bar at the bottom left of your screen. Don’t assume that the link text points to a legitimate site; the text and the real destination can be completely different.
Second, make sure you can verify the information in the email. While UD’s own email did contain a misspelled link, the information it provided could be verified by a UDaily article and by the UD IT Heartbleed info page. The CAS page (through which you sign in to UDSIS) also displays a reminder about password changes. If an email instructs you to change your password or take an action related to your account, make sure you check that the information is correct and legitimate.
Some people have even been getting emails about sites where they don’t have accounts at all. This post on SANS’s forums is a perfect example.
So remember to be careful when changing your passwords this week. It’s always better to go directly to the affected website than to click a link in an email. Otherwise, you could be giving scammers your new login info and getting some malware in return.
Some of us are gamers, and some of us gamers have been waiting for Grand Theft Auto V’s PC release.
Unfortunately, phishers have taken this opportunity to scam unsuspecting PC gamers by providing what appears to be a PC beta key for GTA V. IGN, Trend Micro, and plenty of other gaming and computer security groups have already spotted and jumped on the hoax. The image on the left comes from Trend Micro and shows what one of the beta scam emails might look like.
The email, which is poorly written, attempts to get you to download a .zip file to get your beta key. Anyone who’s received a legitimate beta key via email knows that it’s common practice to provide that key in plain text in the body of the email. Downloadable beta attachments are never provided by legitimate game producers.
Keep an eye out for this one. GTA may include gunpoint robbery, but backdoor theft is just as real a threat.
For more information, check out IGN’s article (bonus points if you already knew about this article from the @ITatUD Twitter feed).
That’s right. Flying phish.
The newest phishing scam is an email claiming to come from British Airways. It tells you your recent ticket purchase is complete, and it gives you links to what appear to be an electronic copy of your new ticket and the customer service desk.
However, the links will actually attempt to download malware and spy on your data.
For more information about this scam, read Graham Cluley’s article, British Airways e-ticket malware attack launched via email.
We’ve not seen any of these on campus yet, but reports are coming in that a series of phishing scams, complex social engineering attacks, and other scams based on the news about the Target data breach are showing up in email inboxes across the United States. As usual, the scammers are riding the wave of panic as news stories say that up to 110,000,000 of us could be affected.
Reports indicate that these scams use a variety of attack methods:
- “Our records show that you shopped at Target in the last 24 months. As a precaution, . . . visit the official identity theft database and put your information in.” (A copy of this scam was captured by Gar Warner of malcovery.com.)
- “Thank you for your loyalty. As a reward for your loyalty, we are offering you the chance for a $1,000 gift card if you will take a brief survey.” (The survey then asks a lot of questions about you and your finances, and just keeps going and going. Uh, folks, if you see an online survey claiming to give you a $1,000 gift card as a reward, you do recognize that that is probably a scam to get you to surrender personal information to be used in future scams, right?)
- “Add this ‘ShopAtHome’ toolbar to your web browser to earn points and enhance your shopping experience.” (Uh, right. Like I want to install an unverified piece of software on my computer that will probably report my web searches to someone.)
If you want to see a sample of one set of scams that used the fake Target warning to try to trap you into a web of deceitful shopping scams, check out Gar Warner’s January 10 blog post or this summary at Help Net Security.
Bottom line, as always, Think B4 U Click!
In my email this morning, I just learned that someone tweeted a picture of me!
Not so fast. It’s an email from a scammer impersonating a legitimate twitter account to get me to surrender my account information.
Even though the email appears to have come from twitter (the fake domain “postmaster.twitter.com”), it’s a phish. It’s not legit. Someone has spoofed a legit twitter account and standard twitter traffic, trying to social engineer your response: “Oh goody! A picture! [Click bit.ly link.]” If you follow the link in the email, you’d see a forged twitter page. The design and images make the page look just like twitter’s login screen, but look carefully at the URL:
[Image: the forged twitter login page. Look carefully at the URL.]
This scam points to the need for caution in following “shortened” links and to the need to Think B4 U Click! This scam is designed to make you so happy that one of your twitter contacts has posted a picture of you that you’ll just react by clicking the link, thinking you need to log in to twitter using the fake screen and–boom!–the scammer has captured your twitter username and password.
This scam probably originated with a legitimate account being compromised. Therefore, if you receive a phishing scam like this one, notify the real holder of the twitter account about the phishing attempt.
If you fall for this scam, log in to twitter.com and change your password immediately. If you cannot change your password because the scammer has already changed it, contact twitter to report that your account has been compromised.
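The two habits recommended above, in the Heartbleed post (compare where a link really goes with what its text claims) and in this twitter post (be careful with shortened links and with login pages whose URL is not the real site), can be turned into a mechanical check. The script below is an added example and is not code from this blog or from UD IT; it parses the links out of an HTML email body and flags each one whose visible text names a different site than its href, whose host is not under the organization the email claims to be from, or whose host is a known URL shortener. The sample email bodies, the hypothetical hosts in them, and the shortener list are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts for this example; a real deployment
# would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels (fine for .com/.edu hosts)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text, expected_domain):
    """Return the reasons this link deserves suspicion (empty list = none found)."""
    reasons = []
    href_host = (urlparse(href).hostname or "").lower()
    if not href_host:
        return ["href has no host (javascript:, mailto:, or relative link)"]

    # 1. The visible text looks like a URL or domain but points somewhere else.
    if "." in text:
        text_url = text if "://" in text else "http://" + text
        text_host = (urlparse(text_url).hostname or "").lower()
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"text says {text_host} but href goes to {href_host}")

    # 2. The destination is not under the domain the email claims to come from.
    if registrable_domain(href_host) != expected_domain.lower():
        reasons.append(f"href host {href_host} is not under {expected_domain}")

    # 3. A shortener hides the real destination until you click.
    if href_host in SHORTENER_HOSTS:
        reasons.append(f"{href_host} is a URL shortener; real destination is hidden")
    return reasons


def audit_email(html, expected_domain):
    """Map each href in the email to its list of suspicion reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in parser.links}


# Constructed sample emails. The hosts udel-security.example.net and
# bit.ly/xyz123 are hypothetical.
UD_EMAIL = """<p>Please change your password at
<a href="http://udel-security.example.net/reset">http://www.udel.edu/it/security</a>
before Friday.</p>"""

TWITTER_EMAIL = """<p>Someone tweeted a picture of you!
<a href="http://bit.ly/xyz123">View the picture</a></p>
<p>Or sign in at <a href="https://twitter.com/login">twitter.com</a></p>"""

if __name__ == "__main__":
    for name, body, domain in (("UD", UD_EMAIL, "udel.edu"),
                               ("twitter", TWITTER_EMAIL, "twitter.com")):
        for href, reasons in audit_email(body, domain).items():
            verdict = "; ".join(reasons) if reasons else "looks consistent"
            print(f"[{name}] {href}: {verdict}")
```

The mismatch between link text and href is exactly what hovering over a link reveals by hand; the shortener check is why the twitter scam's bit.ly link deserves a second look before clicking. Note that a link passing all three checks is not proof of legitimacy (the genuine twitter.com/login link passes, but so would a lookalike registered under the expected domain's subdomain by an attacker who controlled it), so the checks are a filter, not a verdict.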