[Note: The original headline for this post mistakenly identified Ameritrade as the subject of the post. It is actually Ameriprise Financial. I deeply regret the error.] Since March of this year, security expert Russ McRee of HolisticInfoSec.org has sent 6 messages to Ameriprise Financial warning them of easily exploitable security holes on their website. They ignored every request, while at the same time reassuring customers that “No one without the proper web browser configuration can view or modify information contained on our systems.”
No, Amazon is not contacting its members and performing regular fraud checks. Jason received this e-mail, which is associated with a rather convincing Amazon phishing site.
Back in March we posted a warning about thieves masquerading as Steam in order to get into customers’ accounts and download games to resell. One reader, Richard, just received this special “alert” on his Steam IM pane this evening.
Freddie writes that his friend was tricked by a phishing email. All the warning signs were there to tip off his friend—an email saying he needed to click a link, a suspicious url, a page asking for his login info—but he clicked and entered the info anyway. Please do not be like Freddie’s friend, who is now probably on the phone with the real Wells Fargo trying to get his account number changed.
How can you tell you’ve made it on the Internet? How about if you’re turned into spambait? MSN Money reports that scammers are taking advantage of the sudden interest in swine flu by using it in subject lines to get people to open messages and download attachments. Don’t do it! Tell your friends and relatives not to do it, either!
Reader Eric says he got a fairly realistic-looking Facebook phishing email and wanted to warn others not to click.
Beware tax-themed Spam Feeding on the usual American anxiety over the annual April 15 income tax filing, online scam artist are flooding electronics inboxes with messages that “guaranteed tax rebate” or help you “get your tax refund faster” or even “get tax relief.” [Consumer Reports]
DoomNasty tells us he’s been hit three times in the past week with phishing attempts. The first two were text messages from Alarion Bank, asking him to call 1-877-240-6149 “to find out why my debit/atm card was blocked. I do not have an account, and Privacy Assist shows no account was created behind my back.” The third was from 201-968-0007, but no message was left. He traced the number to Liquidity Solutions, Inc., who told him that “one of their numbers got hijacked and the hijacker is phishing for banking info.”
The New York Times has reported that a list of over 8,000 Comcast user name and passwords were available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn’t an inside job, and that there are so many duplicate entries on the list that it’s closer to 4,000 customers.
PC World notes that phishers are now targeting Steam account holders. Games are an easy target because you can make quick money off of them and the security isn’t as high as with, say, credit cards. The site that first reported this, SpywareGuide, demonstrates two examples—steamgift.com and steamverification.com—that will attempt to trick you into giving them access to your digital library of games.
Phishing attacks are pretty cleverly designed, because they skip most virus checkpoints altogether and go for the true weak spot in human-computer interaction, the human. Lorrie Faith Cranor, a computer security researcher at Carnegie Mellon University, has been studying phishing attacks to identify new ways to fight them.
While French President Nicolas Sarkozy has been posturing as an international leader during this time of global financial crisis, thieves have been raiding his online bank account, withdrawing small amounts over an extended period of time. Just goes to show that identity theft can happen to anyone, whether or not you’re important enough to have people Photoshop your love handles away. For best protection, install and keep up to date a good security program, like ESET. Only log into your bank from the main URL, never click on a link in an email that appears to be from your financial institutions. Use usernames and passwords that are a string of random letters and numbers. Write them down and hide it in a secure place, not inside of a fresh hot pain au chocolat.
The various takeovers and mergers in the financial fallout give phishers a new opportunity to try to scam you into giving over your bank account warns the FTC. As most of you know, any unexpected email message that looks like it came from a financial institution, asking you to “update,” “validate,” or “confirm” your account information is invariably a scam. Unwitting victims are redirected to a login site that looks like it’s for their bank, but is really just a way to steal your account logins and/or personal information for use in further identity theft. Here’s the FTC’s tips for getting “hooked” by the “phishers” (gotta love it when the Feds pun)…
Identity theft reports to the Federal Trade Commission show that Verizon was the most frequently named company, averaging over 900 events per month in 2007. According to an updated study by Chris Hoofnagle, senior fellow at the Berkeley Center for Law and Technology, the number of complaints involving Verizon nearly tripled from 2006. Rounding out the top five are AFNI (a collection agency), JP Morgan Chase, AT&T, and Capital One.
If your email account is with Google or Yahoo, your days of seeing phishing emails from fake eBay or PayPal addresses should be over. Google announced last week that it’s now using DomainKeys to verify messages really do come from paypal.com or ebay.com—if they don’t, they never even make it to your In Box. This is possible because eBay and PayPal are now making sure “that all their email is signed with DomainKeys and DKIM.” Since Yahoo! also uses DomainKeys and DKIM (they developed it, in fact), phishing attacks for Yahoo! Mail accounts should also disappear.