Date: Thu, 9 Sep 2004 09:51:43 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: SANS "OUCH" Report For 09/08/04

---------------------------------------
SANS INSTITUTE OUCH REPORT FOR 09/08/04
---------------------------------------

About a month ago I sent out the first issue of the "OUCH Report", a new monthly security alert e-newsletter published by the SANS Institute (www.sans.org) meant for redistribution by system administrators to non-technical customers and staff.

The second issue of OUCH is below. I hope you find it informative.

If you missed the first issue of "OUCH", you can read it in the BCPL.NET News archives at http://www.bcpl.net/news/news.2004080600.ouch

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 1, No. 9                                September 8, 2004
****************************************************************

Major threat this month: Phishing attacks that seem to come from Citibank, PayPal, Citizens Bank and US Bank

Phishing attacks have been doubling every month. In a phishing attack, the thieves pretend to be sending you to a reputable site like Citibank and ask for your private data, so they can steal your money or your identity. Recent research reports that one in twenty people are fooled by these types of attacks, which is why the thieves keep at it. One of our goals is to make sure you don't get caught in the scams.

Also this month, graphical spam is increasing. Spammers send you a picture of the offer instead of the text of the offer, so that your company or internet provider's spam blockers are powerless to stop them even if they use very bad language.

The attacks discussed here are the tip of the iceberg. To be safe:

1. DON'T open email attachments from anyone unless you know the sender and you were expecting the attachment.
2. DON'T click on links in emails or web sites unless you can guarantee the email came from someone who is not trying to fool you and that the web site is actually the site you think it is.
3. DON'T disclose private information unless you initiated the need to do so.

************************
What To Avoid This Month
************************

I. Emails from people trying to get you to divulge private details. These are often trying to steal your identity (and your money)

   I.1 Maintenance Update (from Citibank)
   I.2 PayPal account limited
   I.3 Citizens Bank Fraud Verification Process
   I.4 Citibank with various subjects and possibly a time stamp
   I.5 Attn: Citibank Update
   I.6 "notice: US Bank"

II. Opening attachments that have interesting subjects and provocative text in the body of the email.

Several viruses (Beagle, MyDoom, Netsky) are still spreading rapidly because they fool you into thinking they come from a friend and have data you want to see. Remember: do not open unexpected attachments without checking with the sender to be sure the attachment is safe. If you break this rule, you will hurt a lot of other people - people you know - because your infected computer will send viruses to people in your address book.

***************************************
More Details About The Phishing Attacks
***************************************

I. Emails from people trying to steal your identity (and your money)

I.1 Maintenance Update (from Citibank)

The bait: An email that looks as if it comes from Citibank saying the company "could not verify your current information," and asking you to update it.
What it tries to make you do: Click on a link and tell them your credit card information, social security number, date of birth and mother's maiden name.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/09-02-04_Citibank_(Citibank.com_Maintenance_upgrade).html

I.2 PayPal account limited

The bait: An email that looks as if it comes from PayPal and says, "We suspect that your PayPal account may have been accessed by an unauthorized third party."
What it tries to make you do: Click on a link and tell them your email and your PayPal password.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/09-01-04_Paypal_(PayPal_account_Limited).html

I.3 Citizens Bank Fraud Verification Process

The bait: An email that looks as if it comes from Citizens Bank saying they suspect your account may have been accessed by an unauthorized third party.
What it tries to make you do: Click on a link and tell them your ATM or debit card number and password.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/08-31-04_Citizens_Bank_(Citizen_Bank_Fraud_Verification_Process).html

I.4 Citibank with various subjects and possibly a time stamp

The bait: An email that looks as if it comes from Citibank saying they are updating their software and asking you to click on what looks like a real Citibank URL.
What it tries to make you do: Click anywhere on the image (the entire scam is a single image) and then provide a wealth of very private information ranging from your ATM card and PIN to your mother's maiden name.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/08-27-04_Citibank_(various_subjects,_image-only_email).html

I.5 Attn: Citibank Update

The bait: "Click here" link in an email that seems to come from Citibank saying that they noticed one or more attempts to log into your account from a foreign IP address.
What it tries to make you do: Click on a link and tell them your ATM card number and PIN and username and password.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/08-26-04_Citibank_(Attn_Citibank_Update).html

I.6 "notice: US Bank"

The bait: An email that seems to come from US Bank asking you to log in.
What it tries to make you do: When you click on the login button, it asks for your ATM card number and PIN.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/08-25-04_US_Bank_(Notice_Us__BANK).html

==end==

Copyright 2004, The SANS Institute. http://www.sans.org
Permission is granted to copy and redistribute this material to whomever it will help.

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.
Web Site: http://www.bcpl.net
Who To Contact For What: http://www.bcpl.net/contacts/