Latest Phishing Alerts

A quick intro to phishing (OnGuardOnline) | Phishing and Identity Theft: phishinginfo.org | Anti-Phishing Working Group | FraudWatch International Phishing Alerts | Other Scams and Attacks: US-CERT Current High Impact Security Incidents

Phishing Scam Targeting Outlook Web Access (OWA) Users

A new email scam targeting OWA users is made to look like an automated notice from the official email system. The message asks recipients to click a link that leads to a web site where they are told to download and install an .exe file. This is a phishing email: do not click the link in this spam message. Your email system administrators will never ask you to click a link in an email message to update your email service.

A sample of the phishing spam message follows:

From: notifications@our.org [mailto:notifications@our.org]
Sent: Friday, January 08, 2010 09:06 AM
To: Targeted User (at our.org)
Subject: For the owner of the targeteduser@our.org mailbox

Dear user of the our.org mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (targeted.user@our.org) settings were changed. In order to apply the new set of settings click on the following link:

http://our.org/owa/service_directory/settings.php?email=targeted.user@our.org&from=our.org&fromname=targeted.user

Best regards, Our.org Technical Support.


Hotmail, Gmail, and Yahoo! Passwords Posted Online

Another phishing scam is active: webmail messages carrying links to fake web sites that imitate the Hotmail, Gmail, Yahoo! Mail, or other webmail login pages are being sent to lure people into revealing important private data, namely their email account addresses and passwords. Millions of Hotmail, Gmail, and Yahoo! Mail users have received these phishing emails, and tens of thousands have supplied their email addresses and passwords on the fake sites.

A list of more than 10,000 Hotmail email addresses and passwords acquired from this phishing scam and another list of more than 30,000 Gmail, Yahoo!Mail, AOL, Comcast, and Earthlink accounts have been posted on the web and circulated.

If you believe your email account information has been illegally acquired via a webmail message that asked you to click on a link and supply your password, change your password immediately. For more details about this scam, read Gmail, AOL, Yahoo! All Hit by Webmail Phishing Scam (www.theregister.co.uk).


Yet Another Version of the Nigerian Bank Scam

In this version of the Nigerian Bank Scam, a "huge amount of money" is floating in an unspecified bank system with no beneficiary's name attached to it. If you are extremely gullible, you will send a bank account number to the scam artist, who will proceed to empty out your bank account. Never send bank account or other confidential information via email. Never reply to any unsolicited email message asking for confidential information. You can read more about this type of scam at: http://www.snopes.com/crime/fraud/nigeria.asp.

A sample of the phishing scam follows.

Date: Tue, 06 Oct 2009 17:48:40 +0400
From: Fred Kelley
Reply-To: kkelley_001@yahoo.cn
To: undisclosed-recipients: ;
Subject: Get back to me

Good day

I am the chief computer operator in my bank and account manager to a huge amount of money; the fund in question has been floating in our system for couple of years without a beneficiary's name affix to it. You may ask me why? It was so because some members of Nigeria National Petroleum Corporation NNPC contract awarding committee during their tenure in office, over invoiced a contract awarded to a foreign firm. The original contract value was suppose to be US 0 million, but those government officials over invoiced it with the sum of million, hence bringing the contract value to the tune of 5 million with the view of sharing the excess among themselves.

The contract was perfectly executed, and the main contractor has been paid of their due amount of 0 million, leaving the access amount of million in the account. Soon after the main contract was paid, luck ran out of those government officials as a new government took over the mantle of leadership in the country. Hence there was drastic change in various government ministries and retrenchment of many government officials. This brought about the removal those government officials from office; as a result they have no access of this money again. For this reason this money has been lying in this bank over the years without any beneficiary.

Take note that the ministry in question has no knowledge of this money, as it was assumed that the entire amount of $175 million has been used to pay the main contractor. Also it may also interest you to know that my bank is not aware of the mystery behind the existence of this money, which I am the account manager.

All I need from you is that you provide an account where this money could be transferred into for our mutual benefit. A foreigner is needed due to the nature of the deposit as it was meant for foreign contract payment.

Anticipating your prompt response!

Fred Kelley


Malicious Code Spreading via IRS Scam

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of "Notice of Underreported Income." These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

US-CERT encourages users and administrators to take the following measures to protect themselves:


PayPal, Inc. - Limited Account Access Alert

Yet another phishing attempt tells users to download an attached form and open it in a web browser in order to restore account access. Do not, of course, download the attached form: this is a phishing attempt to get you to supply personal information on the form to the scammers. Here is the message:

Date: 21 Sep 2009 03:17:26 -0700
From: PayPal Inc
Subject: Notification of Limited Account Access RXI792

As part of our security measures, we regularly screen activity in the system. We recently contacted you after noticing an issue on your account. We requested information from you for the following reason: We have observed activity in this account that is unusual or potentially high risk.

Case ID Number: PP-571-827-951

Please download the form attached to this email and open it in a web browser. Once opened, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.
Sincerely,
PayPal Account Department. All rights reserved.
[ Part 2, Application/OCTET-STREAM (Name: "PayPal - Security ] [ Measures.html") 34KB. ]


Phishing Scams: Some Quick Facts

There is a constant stream of messages purporting to be from banks, credit unions, the IRS, other government entities, individuals with get-rich-quick schemes, and nonexistent lotteries. Some messages entice you to provide bank account numbers, passwords, or other personal information; others ask you to open infected attachments or visit websites designed to infect your computer with malware (e.g., viruses, trojans, worms, keystroke loggers). There is even an e-mail scam involving death threats, designed to extort payment to avoid being killed. Identity theft spam and scams are becoming more sophisticated, and all of these are cons designed to gather information useful in spamming and other illegal Internet-based con games.

UB currently receives in the neighborhood of 4 million spam messages each day. While our spam filters are very good, they are not perfect and they do take some time to identify new types of spam. You need to be on the lookout for identity theft and other scams.

Now that many users are familiar with phishing schemes, thieves are switching their efforts to "vishing" -- leaving recorded phone messages telling recipients that their credit card numbers have been breached and to call the following regional phone number immediately. When a user calls the number, they reach a Voice over Internet Protocol (VoIP) telephone system that recognizes telephone keystrokes, and another message tells them to provide their account number to verify their account.

Healthy skepticism is the best approach to anything you receive via email or telephone broadcast. Here are some specific recommendations:


Instant Messaging (IM) Phishing Scam from individual posing as FBI Agent

Individuals at many colleges and universities are now being contacted via IM by someone posing as an FBI agent and asked to provide personal information. You should NEVER send any private, personal, sensitive, or regulated information (e.g., passwords, credit/debit card numbers, social security numbers, state driver's license or non-driver identification numbers, FERPA-regulated (student records) or HIPAA-regulated (health) information) via instant messaging. Here is a "scrubbed" version of the IM conversation.

*fbiwesternunion1* (8:44:14 AM): Hello, this is EFCC police here. We recover the sum of $200,000,000.00 from scammers and we and federal govt are willing to give all the people that have been scammed before the sum of $20,000 each and nigeria federal goverment said we should give the sum of $20,000 to each AIM and yahoo IM, we see on the scammer list...and your IM is one of the SN we have to give the sum of $20,000...I am here with my staff ID card for you to know that i am a real member of FBI cuz i know that there are many fake FBI online that scam people of there money...we have arrested many of them and they are in our custody...be honest with us we dont like game and give us the right information about you so that we will not give the money to wrong person.

*fbiwesternunion1* (8:44:27 AM): good day
*fbiwesternunion1* (8:44:34 AM): am officer wale james
*John Q Public* (8:46:12 AM): Hello
*fbiwesternunion1* (8:46:31 AM): what is your name
*John Q Public* (8:46:37 AM): XXXXXX...
*John Q Public* (8:46:41 AM): are you an officer here at RIT?
*fbiwesternunion1* (8:47:18 AM): full name
*John Q Public* (8:47:56 AM): XXXXX XXXXXX
*fbiwesternunion1* (8:48:40 AM): what is your address
*John Q Public* (8:48:56 AM): it is NNN NNNN Rochester, Ny 14623
*John Q Public* (8:49:25 AM): hold on..why do you want my address?
*fbiwesternunion1* (8:50:23 AM): to know you are real
*fbiwesternunion1* (8:50:34 AM): what is your phone number
*John Q Public* (8:50:38 AM): no phone number
*fbiwesternunion1* (8:51:36 AM): so we can text you
*John Q Public* (8:51:48 AM): i have a cell but I am out of texts
*fbiwesternunion1* (8:52:04 AM): what is your ssn
*John Q Public* (8:52:32 AM): lol sorry, not giving out that info
*fbiwesternunion1* (8:52:58 AM): we want you to be honest with us ok
*John Q Public* (9:03:22 AM): is there a number I can reach you at?
*fbiwesternunion1* (9:03:43 AM): yes
*John Q Public* (9:03:51 AM): what is it?
*fbiwesternunion1* (9:04:21 AM): +2348034813948
*fbiwesternunion1* (9:04:30 AM): that is the number
*John Q Public* (9:04:48 AM): Where are you located?


Beware of links in email messages even when they appear to be legitimate and/or from a friend

Consider the possibility of a fake "email to a friend" look-alike phishing scam that masquerades as a legitimate CNN or New York Times article referral, sent from a forged UB email address such as xxxxxx@buffalo.edu. Clicking the link in the message would take you to a malware distribution site via a "search engine insertion" ploy URL that looks quite legitimate unless you read it to the very end. Since many news outlets offer that option and it is used frequently, we expect to see a wave of this type of scam shortly. We haven't seen or heard of this particular vector being exploited yet, but are expecting it any day now.
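Two of the link tricks described on this page can be checked mechanically: the OWA scam above carries the recipient's own address in the link's query string, and the article-referral ploy described here hides the real destination at the end of a long URL. The following is an added example, not code from the UB alerts; the message body, the domains our.org and example.net, and the link_findings function are all constructed for illustration.

```python
"""Flag suspicious links in a phishing e-mail body (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Matches http/https URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample body: one personalised OWA-style link, one
# referral link whose real destination is hidden in a parameter,
# and one ordinary link that should not be flagged.
SAMPLE_BODY = """Dear user of the our.org mailing service!
In order to apply the new settings click on the following link:
http://our.org/owa/service_directory/settings.php?email=targeted.user@our.org&from=our.org
A friend sent you this article: http://news.example.net/share?url=http%3A%2F%2Fbad.example.org%2Fsettings.exe
Questions? See http://our.org/help
"""


def link_findings(body, recipient):
    """Return [(url, [reason, ...])] for every URL in body that trips a check."""
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        # parse_qs percent-decodes the values, so an encoded URL becomes readable.
        values = [v for vals in parse_qs(parts.query).values() for v in vals]
        reasons = []
        # Check 1: the recipient's own address travels in the query string,
        # the hallmark of a personalised phishing link.
        if any(v.lower() == recipient.lower() for v in values):
            reasons.append("recipient address in query string")
        # Check 2: a second URL is embedded as a parameter, so the visible
        # host is not where the click actually ends up.
        embedded = [v for v in values if v.lower().startswith(("http://", "https://"))]
        if embedded:
            reasons.append("redirects to " + str(urlsplit(embedded[0]).hostname))
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, why in link_findings(SAMPLE_BODY, "targeted.user@our.org"):
        print(url, "->", "; ".join(why))
```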