Personal PC Pro Blog
posted by personalpcpro at
7:56 PM
Links to this post
If it seems like you’re getting hit with more email scams than ever, you’re right. Deb Shinder explains what you and your users should watch out for to avoid being duped.
Spam is one thing. It’s annoying to get email messages that are nothing but blatant attempts to sell you something. But other than using up your bandwidth, they don’t really cause you any harm. Email scams are quite another thing. They aren’t trying to sell you something; they’re trying to steal something from you, con you out of or into something, or just scare you.
Email scams have been with us since the Internet went commercial back in the early 1990s. I remember getting those Nigerian scam messages back then. And believe it or not, they’re still around. But scammers have gotten more sophisticated, and some of the more recent email scams are harder to detect — unless you know what you’re looking for.
The holiday season seems to bring even more scammers out of the woodwork, perhaps because the average computer user is more vulnerable this time of the year. We’re busy and in a hurry and may be less likely to notice the signs that a message isn’t legit, and/or we’re in a generous and giving mood and may be more likely to fall prey to a well crafted story that plays on our sympathy.
Let’s look at some of the email scams that are currently going around the Internet and how you (and your users) can recognize them and keep from being victimized by them.
Note: This article is also available as a PDF download.
The popularity of social networking has surged, and scammers have jumped on that bandwagon to take advantage of the way the social sites work. For example, depending on your account settings, you may get email messages whenever someone posts to your Facebook wall or sends you a private message. Recently, I received a message with the subject line “Caroline sent you a message on Facebook.” As with real Facebook messages, there was a link to click on to reply. But I get a lot of those messages, and this one didn’t look quite right. Figure A shows the fake message.
I clicked back to a Facebook notification that I knew was real to compare the two. Figure B shows real message (with the content blacked out to protect the privacy of the sender).
The first thing that caught my attention was the Reply To address. I expected the URL domain to be www.facebook.com, but the one in the fake message was facebook.montadalitihad.com. If you know how domain naming works, you know that means “facebook” is just the name of a Web server in the montadalitihad domain. As if that weren’t enough, I also noticed that the To field in the message didn’t show my name; instead it said “Undisclosed recipients,” indicating this message was sent to multiple people. All this was enough to cause me to check out the message headers (in Outlook 2007, you do this by clicking the Options icon. Figure C shows the headers.
In a real Facebook message, the Received: field in the header would be from mx-out.facebook.com. In this one, it’s mail.illimail.com. Now I knew for sure that it didn’t come from Facebook.
I had opened the message in a virtual machine, so if there was malicious code attached, it wouldn’t affect my real OS. Now I clicked the Reply To link and found that it opened a page that looks very much like the Facebook login page. The red flag here was that I was already logged into Facebook with that Web browser. You should not get the login page if you’re already logged into the service. I did not, of course, enter my credentials. That’s the scam. If you do, the scammer will now have your Facebook user account and password and can hijack your Facebook site.
Of course, variations on this scam may use other popular social networks, such as MySpace or LinkedIn. If you’re in doubt about the legitimacy of any “friend” message, just log in to your social network account via your browser (not by clicking the link in the email) and check your Inbox. If the message is real, there will be a copy of it there.
You might just ignore a “friend” message (especially from a friend you’ve never heard of). But scammers know that a message from the site administrator is more likely to get your attention. This message pretends to be from “The Facebook Team” and purports to notify you of a policy change that requires you to submit a new account agreement. They try to scare you by warning that your account might be closed down or restricted if you don’t do it. Figure D shows this message.
This time, the scammer did a better job with the From name, which shows to be from facebookmail.com, just like a real Facebook message. But the first clue that it’s a scam is the To address. That’s not my name, and that’s not the name of anybody in my domain. I have our Exchange server set up to forward messages to me when they’re sent to nonexistent addresses (assuming they don’t meet other spam criteria, which would block them at the server’s spam filters). Spammers and scammers often get hold of an email domain name and send messages to random names at that domain in hopes they’ll hit on a real one.
The second warning signal is the attachment. Facebook agreements don’t come as attachments; if this were real, it would direct me to a web page where I could read the new terms and click Agree. Attachments from strangers should always put you on alert.
I copied the attachment into a virtual machine and ran a virus scan on it. Sure enough, it was infected with a virus called VirTool:Win32/VBInject.gen!CN. Luckily, most antivirus programs that are up to date will be able to detect it. A check of the Internet headers on this message indicated that the Reply To address is somewhere in Germany.
While we think of scam messages as those by which the scammer profits, some don’t benefit the scammer at all — except for whatever gratification a person gets from causing others to be upset or afraid. Unfortunately, this makes some individuals feel powerful.
There are many examples of these types of messages, and they usually seem to play on the current headlines. A few years ago, there was a flood of such messages warning that if you saw another car on the road at night with headlights off and blinked yours to signal to the driver, you were in dire danger of being shot as part of a gang initiation. This article details the history of this email hoax.
Similar fear-mongering scams have warned about a serial killer who lured women out of their homes by playing a recording of a crying baby and a rapist who would approach women in parking lots claiming to have picked up a five dollar bill the woman dropped.
The latest in fear-mongering messages like to play on health fears caused by all the recent media attention to swine flu (H1N1). An email message has been going around the Internet for several months warning that “The CDC says H1N1 is wiping out entire villages in Asia and expect it to hit the U.S. in January, where it will kill 6 out of 10 people.” The message goes on to predict that martial law will be declared and you’ll be shot if you leave your house to buy food, and urges recipients to stock up now and to buy face masks, use Purell, and take Enzacta products to “keep your immune system strong.” If you weren’t already a little suspicious, you probably will be by the time you get to the end, where the sender says the pandemic was predicted years ago by a Russian mathematician and that it was caused by a tsunami. Here’s the full text of the message.
They always say that if something seems too good to be true, it probably is. The same goes for over-the-top bad news — especially if you’re hearing it for the first time in an email message. You can bet that if the CDC had really put out such an announcement, it would be all over the mainstream news outlets.
It seems that around the holidays, more of these than usual start popping up. I’ve received a number of messages telling me that my account has been or is about to be cancelled — purportedly from Amazon, PayPal, even from the bank. Close examination of the messages show them all to be bogus. Of course, in many cases, I already knew that, because I don’t even have an account with the organization.
Here’s another clue: The message contains a link that looks legit, such as www.mybank.com, but when you hover your mouse pointer over it to show the actual URL, it’s something different, often with a foreign country code such as .ru (Russian) or .cn (China).
Still another clue is that these scam messages often contain typos or grammatical errors you wouldn’t expect from a legitimate company.
There are numerous Web sites through which you can send virtual holiday cards to your friends, and many people take advantage of this quick and easy — and inexpensive (no postage stamps required!) — way to send season’s greetings at this time of the year.
Scammers have co-opted the idea, though. They know that many computer users won’t think twice about clicking a link to view a card from a friend, so they send out messages notifying you that you’ve received a card, with a link to a Web site that will download malicious software to your computer if you aren’t properly protected.
So how do you tell the real card services from the scams? For one thing, when a friend sends you a card from a real service, it will almost always tell you the name of the sender. Scam messages are more likely to use the generic “A friend sent you a greeting.” The safest way to check is to do a Web search for the card service and read about it to find out if it’s a legitimate one. Or to really be safe, just ignore the card notification and send holiday greetings to your friends the old fashioned way (through the postal service) or by personal email, instead of using a Web service.
Any other time of the year, you might be suspicious if you were notified that you had an unexpected delivery from DHL, FedEx, or UPS. During the holidays, it’s a common occurrence. Scammers know this, so they’re seizing the opportunity and sending email messages telling you that you have a package that couldn’t be delivered because of some problem with the shipping address.
This particular scam contains an attachment that’s supposed to be a form you need to print and fill out so you can pick up the package. However, there is no package and when you open the attachment, it infects your computer with a virus.
Also beware of variations on this theme. Many people know not to download email attachments, but they’ll readily click a link to go to a Web site. So more sophisticated scammers will send you to a site that looks like that of the delivery service, but that delivers only malware — straight to your system.
A sharply divided partisan political system has resulted in a growing distrust of government in many circles. Some scammers are now playing on those sentiments. A recent scam email has been going around that purports to warn you that the Department of Homeland Security and the FBI have been informed that you’re allegedly involved in money laundering and/or terrorist activities. The email goes on to say that you can avoid prosecution by obtaining a certificate from the Economic Financial Crimes Commission Chairman — for only $370. Who wouldn’t jump at that deal?
Many similar scams use the names of government agencies. Of course, they’re all hoaxes. If you were really the target of a DHS or FBI investigation, you wouldn’t be able to buy your way out of it for a few hundred bucks. And those agencies would be contacting you in person, not sending threatening email messages.
Another recent email scam also involves the federal government, but instead of accusing you of a crime, it uses your knowledge of real, routine government activities against you. Everyone knows that the U.S. government conducts a census every 10 years, and 2010 is the year. Citizens are required by law to answer the census-takers’ questions. Most people also know that many government-related tasks can now be done online.
Scammers are taking advantage of this to send phishing emails that claim to be from the Census Bureau, making it “convenient and easy” for you to fulfill your census obligation, either by filling out an attached form and emailing it back or by visiting a Web site to fill in a form. The form asks for all sorts of personal information, including the social security number and date of birth of everyone in your household, which can be used for identity theft.
In addition to asking you these personal questions, the emails may include attachments containing malicious code that can infect your computer. The same goes for the Web links contained in the email message. The Census Bureau does, in fact, send email regarding your participation in a survey — but it does not ask for detailed personal information.
There are dozens of email scams out there that attempt to exploit users’ trust in the vendors that make their computer software or hardware. These messages say they’re from the vendor and range from fake security warnings with attachments that claim to be vulnerability fixes (but are really malware) to bogus “special offers” to “payment requests” that require you to download and install a “transaction inspector module” (which is really a Trojan) if you want to decline to have the payment charged to your credit card.
There are many new twists on an old theme: You’re a winner in the lottery, contest, or drawing. All you have to do to claim your prize is fill out a form and email it back. Of course, the entity awarding the prize needs your social security number because the value of the prize must be reported to the IRS.
The bad thing about this scam is that you will indeed have to provide such information to claim a prize in a legitimate contest. As a Microsoft Windows 7 Launch Party host, I was automatically entered in a contest to win a Dell laptop — and I won. When I got the email notification, you can bet I was suspicious. Before doing anything, I checked it out with my contacts at Microsoft. Even after confirming that the notice was real, I declined to send my personal information back via email; I printed out the form and sent it via snail mail (registered and certified) instead.
Even if you really did enter the contest that you’re being told you won, don’t get careless. Check into the legitimacy of an email notification of the good news. And I recommend never sending your social security number or other sensitive information in unencrypted email. A legitimate contest will almost always have alternatives methods by which you can submit your information.
Labels: tips and tricks
posted by personalpcpro at
11:03 AM
Links to this post
If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.
Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.
And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.
Here is some basic information that can help people avoid being tricked by phishing attacks.
What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.
Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.
Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.
This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.
(Credit: Screenshot by Elinor Mills/CNETNews.) What are other recent examples of phishing attacks?
A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"
E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.
E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.
A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.
What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S. so they often have misspellings and grammatical errors. Some have an urgent tone and they seek sensitive information that legitimate companies don't typically ask for via e-mail.
What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S. so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.
The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.
Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing emails typically offer generic greetings, like "Dear PayPal customer."
Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address on the bottom of most Web browsers.
In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.
If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.
Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
How can phishing attacks be avoided?
Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.
If an e-mail looks reasonable contact the company directly if you receive an e-mail asking you to verify information. Type the address of the company into the address bar directly rather than click on a link. Or call them, but don't use any phone number provided in the e-mail.
Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.
Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.
Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.
Make sure you are using a secure Web site when submitting financial and sensitive information.
Change passwords frequently. Don't use the same password on multiple sites.
Regularly log into online accounts to monitor the activity and check statements.
Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.
posted by personalpcpro at
11:01 AM
Links to this post
Which Date Works is a nitfy little online group planning and invitation management site that makes planning an event really easy.
Note that this kind of service is only useful if you have not already picked out a date for an event, but want to ask everyone which date works best for them.
Here’s how the whole thing works. First, you give you event a name and some details about the event such as the location, etc, etc.
Now you will go ahead and put in the email addresses of everyone who will be involved in this event. You can also quickly import contacts from Gmail, Yahoo! and other email services.
Next, everyone picks the dates on the calendar that they are available and the days that are not good.
After people start responding, you will be able to see which dates everyone picked. The calendar also has numbers indication how many people were available or not on that particular day.
Lastly, you finalize the date for your plans and Which Date Works will send out an email to everyone letting them know when the plans are taking place.
What’s nice about the service is that no one has to sign up, including you! You can do everything on the site without having to login or create an account, which is great!
Source: Online Tech TipsLabels: New Products
posted by personalpcpro at
10:37 AM
Links to this post
As you've probably discovered after years of taking digital snapshots, keeping a photo library organized can be a nightmare. Far and away your best ally: tags, which are little descriptors attached to each photo.
Unfortunately, it's a major hassle to manually assign tags, which is where the new automatic-tagging feature in the just-released Google Picasa 3.5 comes in.
When you first run the new version, it starts scanning your library for faces, automatically grouping those that look similar (and with impressive accuracy, based on initial tests).
To get started with face tagging, click the Scanning option under the new People section in the lefthand toolbar. (Depending on the size of your library, it might take Picasa several hours to complete its initial scan--but you can start tagging while it's working.)
You'll immediately see a batch of faces in the main pane. Click Add a name under any one of them, type the person's name, and then hit Enter.
In the dialog box that appears, click New Person, and then click OK. (You can also supply a nickname and/or e-mail address at this point; Picasa can sync these tags with your Picasa Web Albums.)
Repeat the process with other faces. If you want Picasa to ignore a face (you might not want to tag everybody, after all), just click the little x in the corner.
Each "new person" you add creates a tag in the aforementioned People section. Click one of those tags to see all the matches Picasa has detected. You can refine these matches further by selecting one or more photos, then clicking the green checkmark if they're accurate (i.e. the correct face) or the red x if they're not.
The more you fiddle with this feature, the more sense it will start to make. Keep in mind that all this scanning and tagging makes no actual changes to your photos. Ultimately, it's just a quick way to find all your photos of, say, Fluffy the Dog, or your Uncle Ed. Great stuff.
Labels: New Products, tips and tricks
posted by personalpcpro at
12:05 PM
Links to this post
Savvy online shoppers will often use disposable credit-card numbers (which are available from PayPal and some banks) to protect their privacy.
Here's a perfect companion: inumbr, which gives you free, temporary phone numbers. These throwaways are ideal for things like Craiglist ads, where you might want to include contact information--but not your contact information.
To use inumber, choose your closest city or area code (the service has roughly two dozen of them), then specify how long you want the number to last: an hour, a day, or a week.
Next, enter your real phone number, which is where inumbr will forward incoming calls. You'll also need to supply an e-mail address in order to activate the temporary number.
Once you've done that, you can log into the service and access a wealth of options, including extending the expiration date, adding a second number (in case you can't be reached at the first one), and even checking voicemail.
All this is free, believe it or not, making inumbr a must-bookmark site.
Labels: New Products
posted by personalpcpro at
9:47 AM
Links to this post
This guide will show you how to add your GMail account to Windows Explorer, thus enabling a drag & drop system for you to use you GMail account as additional storage on your computer. Even if you don’t use GMail as an email provider nobody can turn down an extra 8GB of storage, can you?
Be aware that support for this tool may suspend at any time if Google decides to block its use.
To get started, download the latest version of GMail Drive from www.viksoe.dk/gmail/ and install it.
You’ll notice that it’s dropped an addition to your ‘Computer’ in Explorer.
Right click the GMail Drive in Computer an select Login As…
Enter your vital statistics and hit OK
You may get a window saying “enumerating folder”. Try not to disturb Explorer or this window whilst it’s working.
Once your in, it’s a simple case of dragging and dropping your documents, pictures, music into the GMail Drive.
It’ll instantly sync your GMail Drive with your online GMail account, where you can view the item, download, or view as a Google Document.
Labels: tips and tricks
posted by personalpcpro at
8:56 PM
Links to this post
Subscribe to
Posts [Atom]