May 19th 2008

PayPal Plans to Ban Unsafe Web Browsers

PayPal announced plans to ban older, unsafe Web browsers as part of an anti-phishing effort built around EV SSL certificates.

PayPal, the world’s largest online payment service, announced on Thursday that it is working on a plan to block users from making transactions from unsafe Web browsers.

PayPal released a white paper that outlines a five-pronged action plan aimed at slowing down the phishing epidemic. Part of this plan is to block any transactions from going through on browsers that don’t support EV SSL certificates.

PayPal’s chief information security officer Michael Barrett says letting users view the PayPal site on a browser that has no anti-phishing protection is like a car manufacturer letting drivers buy one of its vehicles without seat belts.

Among the browsers PayPal is looking at blocking are old, out-of-support versions of Microsoft’s Internet Explorer, and Apple Safari, which offers no anti-phishing protection and does not support EV SSL certificates.

Firefox and Opera have announced that they will be offering support for EV SSL in their upcoming releases. It is unknown whether Safari will be offering EV SSL support in the near future.

Another recommendation outlined in the PayPal white paper is the “creative use of new email signing standards and cooperation with major ISPs to block unsigned email” that looks to be from PayPal, but isn’t, before it even reaches the customers.

Barrett says that if phishing mail never makes it into a customer’s inbox, the customer cannot become a victim. ISPs therefore need to adopt technologies that block fraudulent emails at the network edge. PayPal recommends deploying anti-phishing and anti-spam technologies such as DomainKeys and Sender Policy Framework (SPF).
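To make the “block it at the edge” recommendation concrete, here is an added example (not PayPal’s or any ISP’s code) of the SPF check an edge mail server performs on the connecting IP against the policy published by the sender’s domain. The domains and TXT records are constructed for the demonstration; a real check fetches them from DNS. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show why a spoofed “From” domain with a `-all` policy can be rejected before it reaches an inbox.

```python
import ipaddress

# Constructed TXT records for the demonstration; in production they come from a
# DNS lookup of the MAIL FROM (or HELO) domain. All domains here are invented.
TXT_RECORDS = {
    "payments.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 include:_spf.bulkmail.example -all",
    "_spf.bulkmail.example": "v=spf1 ip4:198.51.100.5 ~all",
    "nopolicy.example": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10 per check


def check_spf(sender_ip, domain, records=TXT_RECORDS, depth=0):
    """Evaluate the SPF policy of `domain` for a connection from `sender_ip`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    Only ip4, ip6, include and all are implemented; a/mx/ptr/exists and the
    redirect= modifier would need live DNS and are reported as permerror here.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                      # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"                    # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy returns 'pass'
            inner = check_spf(sender_ip, arg, records, depth + 1)
            if inner == "none":
                return "permerror"         # RFC 7208: an included domain must publish a record
            if inner == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # unsupported or unknown mechanism/modifier
    return "neutral"                       # record exhausted without a match


def edge_action(sender_ip, mail_from_domain, records=TXT_RECORDS):
    """Map the SPF result to what an edge MTA would do with the message."""
    result = check_spf(sender_ip, mail_from_domain, records)
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"                    # spoofed sender: dropped before any inbox sees it
    if result in ("softfail", "permerror"):
        return "quarantine"
    return "accept-unauthenticated"        # none/neutral: the domain gave no usable policy


if __name__ == "__main__":
    for ip, dom in [("203.0.113.77", "payments.example"), ("192.0.2.1", "payments.example")]:
        print(ip, dom, check_spf(ip, dom), edge_action(ip, dom))
```

The decisive part is the final `-all`: a message claiming to be from `payments.example` but sent from an address the record does not list gets `fail`, and an ISP that rejects on `fail` never delivers it. A domain that publishes `~all` or no record at all gives the receiver much less to act on, which is why the recommendation is a hard policy plus signing rather than either alone.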

source: www.halflifesource.com/paypal_targets_phishing_epidemic/article2390.htm

1 Comment »

May 15th 2008

MySpace Wins $230 Million from Spam King Sanford Wallace

Spam king Sanford Wallace and phishing partner Walter Rines hijacked some 300,000 MySpace accounts and sent hundreds of thousands of spam messages and comments across the service. They got their punishment: a whopping $225 million judgment in favor of MySpace, Information Week reports.

MySpace decided to sue when it discovered the duo had lured MySpace users into revealing their login information through phishing sites. After obtaining user IDs and passwords, the pair distributed messages to the users’ friends list with links to various Web sites involving gambling, pornography and ringtones. According to court documents, Wallace and Rines distributed 735,925 messages during the scam and earned over $500,000 in the process.

A blog purporting to be from Sanford Wallace (the site’s registration address matches the address on the court documents) says:

I am amazed whenever I read an article written about the latest crimes I’ve committed and the latest court orders I’ve broken.

I don’t even learn about most of these claims until I read about them somewhere on the Internet. I live a low profile life. In the meantime, the world around me apparently still blames me for every spam and phish page on the Internet.

Please, move on to the real spammers.

..I am still waiting to be served. And I haven’t been hiding either. The whole case was one big PR move..

source:

www.crn.com/security/207800154

government.zdnet.com/?p=3813

blogs.pcworld.com/staffblog/archives/006956.html

http://en.wikipedia.org/wiki/Sanford_Wallace

No Comments yet »

May 14th 2008

US Tax Rebates Phishing Scam

The scams rely on a technique known as social engineering to trick computer users into divulging personal information that the cybercriminals or their customers can use to bilk unwary taxpayers.

The new phishing scams use spam e-mails to gull prospective refund recipients into providing their bank account information and other personally identifiable data via a fraudulent form that is attached to the original message by a hyperlink.

“To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check,” the bureau said in a warning.

The bureau urged people to use caution when dealing with e-mail from unknown senders, repeating the frequently heard warning that such electronic messages often include malware. The FBI notice also included examples of the types of deceptive wording the phishing e-mails have used.

The latest FBI warning about the online flood of fraudulent tax refund e-mails comes on the heels of a rising tide of IRS-related online fraud, as reported by GCN. The recent notice follows earlier warnings on the same topic by MX Logic, which predicted the fraud tactic earlier this year.

The bureau’s fraud notice also echoes IRS’ own anti-phishing warnings and actions against IRS spoof sites. The IRS recently stated that the number of bogus IRS sites has increased twelvefold this year over last year.

source:

FBI Warns of Phishing Scam Related to Economic Stimulus Checks

IRS Warns of New E-Mail and Telephone Scams Using the IRS Name; Advance Payment Scams Starting

www.gcn.com/online/vol1_no1/46255-1.html

No Comments yet »

May 13th 2008

Phishing and ScamPages Kits

Panda Labs posted a report about a string of phishing kits discovered recently which, unlike some of their better known counterparts, are free to use. The news is not groundbreaking, but it does serve as a reminder that nowadays anyone can get into the act of committing crimes online.

Panda Labs is reporting the discovery of free phishing kits that allow criminals, professionals and script kiddies alike, to spoof bank pages and emails, online payment platforms, GMail and Yahoo accounts, online games (Xbox password theft) and blogs (Fotolog access credentials).

Upon accessing a URL that hosts the kits, users obtain the files needed to build a fraudulent mailing: one file lets them spoof mails from banks, payment platforms and so on, and the other lets them create a fraudulent page that resembles the original. Additionally, the kit includes a PHP program, also free, that sends the emails from the spoofed page.

“The really amazing thing is, these kits are free,” explains Luis Corrons, Technical Director of PandaLabs. “Due to the simplicity of the tools, the number of Phishing attacks increases, causing companies and consumers large losses. According to a study conducted by Gartner, Phishing attacks caused U.S. consumers losses for US$3.2 billion in 2007.”


source:

http://pandalabs.pandasecurity.com/archive/Scampages.aspx

thetechherald.com/article.php/200820/948/Panda-Labs-locates-phree-Phishing-kits

No Comments yet »

May 12th 2008

What Is Pagejacking? Preventing Pagejacking

Web surfing offers many different kinds of experience – the useful and the redundant, the profitable and the idle, the regular and the bizarre. And certainly one of the strangest experiences is when you try to visit a familiar page and suddenly find yourself on a completely different one, related or unrelated to the page you were trying to reach. What happened? Has the website changed its business?

Actually, the page got jacked. Perhaps you were searching for the page in a search engine and got a link which you thought should be what you were looking for. But when you clicked on the link, you found that you were in the wrong place. Wrong enough, even, to embarrass you when there are other people nearby. Search engines do not make that kind of mistake, so what happened was that the page got jacked, which fooled the search engine into thinking it was relevant to your search.

You know how the internet works. There are banner ads and other kinds of ads which earn revenue for a site, and that is how it makes a profit. Websites and businesses form alliances among themselves and carry each other’s ads on their sites. When you go to a particular site and click on an ad that you find interesting, the original website earns some amount of money from the site to which your click takes you. So it’s possible for websites to make a profit from your visit. Naturally, they want you to visit their page.

That is all fine and acceptable, as long as they use legitimate means of bringing you to their site, like optimizing their site for search engines or promoting it in some other way. But when they become too eager, they sometimes cross the line between what’s acceptable and what isn’t. And sometimes they use pagejacking.

Sometimes, in order to increase the rating of some visitor-starved website, the whole content of a popular site is copied by an unscrupulous webmaster and duplicated on his own site. This is done merely to fool the search engines into thinking that it is the original item. And when this ploy works, the duplicate site appears among the top results returned by a search engine for the relevant key words or phrases.

This increases the chance that users will click on that link on the results page without looking too carefully at the address it leads to. And when they do, they are taken to the duplicate site briefly, before being automatically redirected to another site, the one that could use some visitors to generate revenue. This is known as pagejacking.

As a user, there is little you can do to prevent this kind of nuisance, except to be more careful about the actual URL of the link you’re clicking on the search engine results page. If you are opening a site from your bookmarks, or typing in the URL directly, there’s no chance of being duped by a pagejacker.
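The two ingredients of a pagejacked page described above, copied content and an automatic redirect to a third party, are both visible in the raw HTML, so a site owner can check suspect pages for them without relying on a search engine. Below is an added example (not code from this page or any product) that scores how much of the original page’s text reappears in a suspect page and extracts meta-refresh and JavaScript redirects that leave the suspect’s own host. The original text, the suspect HTML and the hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample inputs (no real sites): the text of a legitimate page, a copy
# of it served from a different host with an automatic redirect added, and an
# unrelated page that should not be flagged.
ORIGINAL_TEXT = (
    "Our support page explains how to reset a forgotten password, how to "
    "enable two step verification and how to report a suspicious message."
)
JACKED_PAGE_URL = "http://copycat.example/support.html"
JACKED_PAGE_HTML = f"""<html><head><title>Support</title>
<meta http-equiv="refresh" content="0; url=http://landing.example/offer?id=12">
</head><body><p>{ORIGINAL_TEXT}</p>
<script>setTimeout(function(){{ window.location.href = "http://landing.example/offer?id=12"; }}, 100);</script>
</body></html>"""
CLEAN_PAGE_HTML = "<html><body><p>Unrelated page about gardening tools and seasonal planting tips.</p></body></html>"

META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.I,
)


class PageSniffer(HTMLParser):
    """Collects redirect targets (meta refresh, simple JS) and the visible text."""

    def __init__(self):
        super().__init__()
        self.redirects = []
        self.text = []
        self._mode = None          # None, "script" or "style"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content", ""))
            if m:
                self.redirects.append(m.group(1))
        if tag in ("script", "style"):
            self._mode = tag

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._mode = None

    def handle_data(self, data):
        if self._mode == "script":
            for m in JS_REDIRECT.finditer(data):
                self.redirects.append(m.group(1) or m.group(2))
        elif self._mode is None:
            self.text.append(data)


def shingles(text, k=4):
    """Set of k-word sequences; robust to small edits around a copied block."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def copied_fraction(original, suspect):
    """Fraction of the original's word shingles that reappear in the suspect."""
    orig = shingles(original)
    if not orig:
        return 0.0
    return len(orig & shingles(suspect)) / len(orig)


def analyze_page(page_url, html_text, original_text, copy_threshold=0.8):
    """Flag a page that both copies the original and bounces visitors off-site."""
    sniffer = PageSniffer()
    sniffer.feed(html_text)
    sniffer.close()
    page_host = urlparse(page_url).hostname
    targets = [urljoin(page_url, t.strip()) for t in sniffer.redirects]
    offsite = sorted({t for t in targets if urlparse(t).hostname not in (None, page_host)})
    score = copied_fraction(original_text, " ".join(sniffer.text))
    return {
        "copied_fraction": round(score, 2),
        "offsite_redirects": offsite,
        "pagejacked": score >= copy_threshold and bool(offsite),
    }


if __name__ == "__main__":
    print(analyze_page(JACKED_PAGE_URL, JACKED_PAGE_HTML, ORIGINAL_TEXT))
    print(analyze_page("http://other.example/", CLEAN_PAGE_HTML, ORIGINAL_TEXT))
```

The redirect detection is deliberately narrow: it catches the meta-refresh and plain `location` assignments a copy-and-bounce page typically uses, not obfuscated scripts or server-side 302s, so a clean result from this check is not proof of a clean page. The copied-text score is the more robust signal, since the whole point of the technique is to keep the original’s wording intact for the search engine.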

If you’re the owner or maintainer of the website that got jacked, however, it’s a different story. The main way you can hit back at the offenders is by suing them, or threatening to sue, under copyright law. The content and design of your website are copyrighted material, and they are violating your copyright by reproducing it without your permission. So send them a formal letter asking them to cease and desist, and follow it up with a letter from your lawyer. Pagejackers are normally sniveling cowards, and this should suffice to solve the problem. If it doesn’t, however, do not hesitate to go to court: you are very likely to win, and to get compensation for the business you lost because of this obstruction.

No Comments yet »