Archive for the “Shopping Scams” Category

We’ve not seen any of these on campus yet, but reports are coming in that a series of phishing scams, complex social engineering attacks, and other scams based on the news about the Target data breach are showing up in email inboxes across the United States. As usual, the scammers are riding the wave of panic as news stories say that up to 110,000,000 of us could be affected.

Target.Database.SpamReports indicate that these scams use a variety of attack methods:

  • “Our records show that you shopped at Target in the last 24 months. As a precaution, . . . visit the official identity theft database and put your information in.” (Click the image to see a copy of this scam as captured by Gar Warner of malcovery.com.)
  • “Thank you for your loyalty. As a reward for your loyalty, we are offering you the chance for a $1,000 gift card if you will take a brief survey.” (The survey then asks a lot of questions about you and your finances, and just keeps going and going. Uh, folks, if you see an online survey claiming to give you a $1,000 gift card as a reward, you do recognize that that is probably a scam to get you to surrender personal information to be used in future scams, right?)
  • “Add this ‘ShopAtHome’ toolbar to your web browser to earn points and enhance your shopping experience.” (Uh, right. Like I want to install an unverified piece of software on my computer that will probably report my web searches to someone.)

If you want to see a sample of one set of scams that used the fake Target warning to try to trap you into a web of deceitful shopping scams, check out Gar Warner’s January 10 blog post or this summary at Help Net Security.

Bottom line, as always, Think B4 U Click!

Comments Comments Off

So far this fall, UD has seen plenty of phishing scams, but not a lot of new ones. We’re using Black Friday to remind you about some of the common shopping and shipping scams you might see during the holiday gift-shopping season and giving you some resources to help you tell which email is fraudulent and which is authentic.

If it looks too good to be true, it probably is a scam.

Have you seen email making an outrageous claim (“Click here to get a new iPad for 69 cents!”)? Sometimes email like that carries malware that will infect your computer, perhaps to gather information about your Web browsing, perhaps to take control of your computer and make it part of a botnet. Sometimes, it will lead to a series of questionnaires or Web sites designed to harvest your personal information.

See an offer that sounds too good to be true? Delete it.

Holiday shopping means holiday eBay scams.

During the holiday bargain hunt, some people fall for a variety of eBay scams. Consult eBay’s Security Center for official information about avoiding fraud on eBay.

One of the best user-published guides to eBay scams has been published by the merchant Pennant Palooza. This guide offers information about fake second chance offers, phishing and other email scams, hijacked accounts, and other eBay-related frauds. Here is one excerpt describing a new form of eBay fraud:

The scammer will create a fake eBay page making it look like an auction listing. Then the scammer will send real email through eBay asking [a] seller if the item he has for sale is similar to “this one.” The seller is directed to the fake page where he has to sign in. When [the seller] signs [in to] the fake eBay auction, the scammer will have the seller’s ID and password. Answering buyers’ questions will increase sales, but you have to be very careful and question all emails.

Package scams

Last year, we published some sample package delivery scams. This year’s holiday shopping season will include even more of these scams. Rather than post more samples, this year we’re posting links to the fraud protection pages at major shipping companies:

You can see more information about malware and viruses contained in fraudulent package delivery notices at the Snopes.com Web site.

Not sure whether a message is authentic or fraudulent?

  • Review the information linked from this site for samples and tips.
  • Check with your department’s IT professional for assistance.
  • Contact the IT Help Center.

Comments Comments Off

Superficially, this phish looks convincing. A lot of us shop at amazon.com using an American Express card. Oh, no! We’re in trouble! Only if any of us click any of the links in this message.

Look at this message for about 10 seconds and it becomes apparent that it’s just another rotten phish.

  • Sent to a list of addresses. Real banks and credit card companies do not do that. They know that it’s a security breach to expose customers’ email addresses to other customers.
  • Bad links: hover your mouse over either of the two links in the message body that allegedly go to an American Express site. As the screen shot below indicates, they will take you to an identity-harvesting site. Actually, three of the links in the footer will also take you to non American Express Web sites.
  • Message content: Do not click any links in this email message. If you are an American Express customer, instead, in your web browser, go to the standard credit card site where you usually log in, log in there, and look for a secure message to you from your credit card company.

Even though this phish has the stolen logos and a serious looking footer, if you just pay attention for a few seconds, you’ll draw the proper conclusion: Just delete the message!

An AmEx Amazon phishing scam

Study this message for a few seconds and you'll see it's another rotten phish. Delete it.


Click the image to see a larger version of this phish.

Comments Comments Off