Computer security is now personal security. Active scams detailed below.
Latest:
1 Identity thieves target superannuation accounts
2 Facebook users being lured by ever-more devious attempts to steal accounts
3 Mobile phone scam - text message announces a big win
4 Commonwealth Bank "phishing" email. Looks real - how do you know it’s not?
1. Identity fraud syndicate targets superannuation accounts [17 May 09]
This swindle reminds us of the age-old advice to shred personal and financial letters, invoices, bank statements, and household bills before dropping them in your garbage bin. Home shredders are cheap, and compulsory for this reason alone.
Story online at police media:
" ..Members of the syndicate have allegedly stolen cheques and banking details from letterboxes across metropolitan Sydney and used personal details from the stolen mail to produce high-quality counterfeit identity documents, such as drivers’ licenses and Medicare cards. .."
Click link for more:
http://www.police.nsw.gov.au
2. Facebook - beware of apparent "friends" inviting you to click a link [15 May 09]
The aim of Facebook criminals is to steal your account information to further their evil plans for world domination. Or more likely, to spread links to web sites that infect unprotected computers. Why? Mostly to secretly use your computer to serve more spam emails without you knowing - a common reason for Internet broadband maxing out each month.
" .. once hackers have your Facebook username and password they can spread their attacks further, by logging in as you, assuming your identity and forwarding an attack to your friends and contacts online. When people receive a message on a social networking site they typically trust it much more than a traditional email. They think "Oh, it’s Bob.. he always sends me fun stuff.. this link has got to be okay to check out.."
More at Sophos:
http://www.sophos.com/
3. Mobile phone text message announces a ‘big win’ [19 May 09]
It might seem these need no warning, being too obvious, but ‘social engineering’ is the name of the game, and smart amoral people spend all their time figuring out how to catch you off guard.
" .. people have been sent unsolicited text messages or SMSs advising that they have won an unexpected prize, usually money. The amount of the ‘big win’ is usually around US$123,000 and the phone numbers from where the messages are being sent start with the numbers 856207. Details may vary .. "
Warning signs:
- An unsolicited text message to your mobile phone says you have won an unexpected prize.
- The message asks you to respond with an email address where details of your win can be sent.
- The email will lead to requests for personal details including information about your bank accounts, credit cards, personal documents and payment of an upfront fee.
How do they get your phone number? They don’t. It’s randomly generated and if you respond you confirm it’s real. Your number might then become unusable, as a target of relentless phone spam.
Details at ACCC Scamwatch:
[Example from Reddit.com. Coarse language from frustrated victims in this forum, but insight into the magnitude of phone spamming in the US from a 'car warranty expiry' scam:
http://www.reddit.com/ .. /want_the_phone_number_to_the_your_cars_warranty/ ]
4. Commonwealth Bank email scam [15 May 09]
Email reproduced immediately below looks completely real. The only giveaway is where the "Log On" link actually takes you when clicked.
For most of us, the only defence is to ignore the email. Remember these rules when confronted with genuine-looking emails that, if true, require urgent attention.
* Never reply. Call the organisation directly.
* Never call the phone number in the email. Call the organisation directly.
* Never click links in the email.
The "Log On" link in the bank scam email shown above goes to an odd web address (hidden in the code): http://mail.loveitts.co.uk which if clicked takes you to an equally odd web address:
http://82.147.46.230/i/https://www3.netbank.commbank.com.au/netbank/bankmain/
where a perfect reproduction of the Commonwealth Bank logon screen is fabricated.
In this case the links are safe to click (possibly) as it is the action of logging in that the criminals want, not to infect your PC. Or maybe both.
If you log in, criminals capture your bank account credentials and empty your account within minutes via a simple bank transfer.
An excellent defence for home computers is McAfee’s Site Advisor, which intercepts most malicious web sites.
Another protection, highly recommended, is to install Google’s new web browser, called "Chrome." You can download it by clicking here: http://www.google.com/chrome
On a Google Chrome browser, clicking the link in the email scam presents this screen:
Google has a database of the zillions of malicious websites. It is always being updated and can only ever be 99.99% complete. Considerably better than nothing, however.
For techies, and depending on which email client received the email, right-clicking the message body and selecting any option resembling "View source" shows the code behind the email you see. Searching the page of text for the term "Log On" reveals a web address nearby.
You then decide how legitimate that web address appears.
If you’ve got this far, you are seriously interested. This is the resulting ‘phishing’ screen you end up at.
Note two things:
* It’s a perfect rendition of the Commonwealth Bank web site
* You do NOT need to be expert in spotting the flaw, just observant. Note the ‘URL’ or web site address at top of browser in this screenshot below. At left, the rogue IP address; at right, what was probably the original and real Netbank address, placed there just to fool the casual reader of such details.
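The "View source" check and the address-bar observation above can be automated; the following is an added example, not part of the original article. It lists every link in an HTML email with its visible text and reports why the real host does not belong to the bank. The function names, the sample markup and the third link are assumptions made for the illustration; the two odd URLs are the ones quoted on this page.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: both odd URLs are quoted from the page, the rest is made up.
SAMPLE_EMAIL = """<p>Please confirm your NetBank details.</p>
<a href="http://mail.loveitts.co.uk">Log On</a>
<a href="http://82.147.46.230/i/https://www3.netbank.commbank.com.au/netbank/bankmain/">NetBank</a>
<a href="https://www.commbank.com.au/">Home</a>"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, the same data 'View source' exposes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def check_link(href, expected_domain):
    """Return reasons why href does not lead to expected_domain (empty = consistent)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if host == expected_domain or host.endswith("." + expected_domain):
        return []
    reasons = ["host %r is not under %s" % (host, expected_domain)]
    if is_ip(host):
        reasons.append("host is a bare IP address")
    if expected_domain in parts.path.lower():
        reasons.append("real domain appears only in the path")
    return reasons

def audit_email(html, expected_domain):
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, check_link(href, expected_domain)) for text, href in parser.links]
```

Only the host part of the address decides where the browser goes; anything after the first single slash, including a full copy of the real bank address, is just a path on the rogue server.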



