Date: Thu, 23 Dec 2004 20:55:55 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: SANS "OUCH" Report For December 2004

--------------------------------------------
SANS INSTITUTE OUCH REPORT FOR DECEMBER 2004
--------------------------------------------

The "OUCH Report" is a monthly security alert e-newsletter published by the SANS Institute (www.sans.org) meant for redistribution to non-technical customers and staff. The latest issue of OUCH is below. I hope you find it informative.

A great deal of the report is devoted to current "Phishing" scams. For more information about Phishing, see the description on the front page of our Web site at http://www.bcpl.net .

****************************************************************
OUCH: The Report On Identity Theft and Attacks On Computer Users
Volume 1, No. 12                                   December 2004
****************************************************************

Major threat this month: Don't Get Hooked By Phishing Scams During the Shopping Season

Experts are warning that online shoppers need to be extra watchful for phishing scams this holiday season. Online shopping is expected to surge 25 percent over last year, and email phishing scams have rocketed by a staggering 1,200 percent since last January.

Read the full story here:
http://www.internetweek.com/showArticle.jhtml?articleID=53701025

************************
Take Note:
************************

When you update your Windows computer, you usually must get both the Windows updates and the Microsoft Office updates. They are at different sites, which are:

Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/en-us/officeupdate/default.aspx
(or use the link to Office Update on the Windows Update page)

Office Update often requires the user to have their original media CDs available to perform updates. Microsoft's explanation for this is in the Office Update FAQ (frequently asked questions) at
http://office.microsoft.com/en-us/FX010402221033.aspx#6

Users taking advantage of Microsoft's automatic updating and patching of Microsoft Windows may not be aware that Windows Update does *not* also automatically update Microsoft Office products. You have to do it manually.

************************
What To Avoid This Month
************************

I. Email from people trying to get you to divulge private details. They are usually trying to steal your identity (and your money).
I.1 Sovereign Bank - 'Sovereign Bank Unauthorized Account Access'
I.2 Paypal - 'Your Account Will Be Suspended'
I.3 Citibank - 'Citibank Alerting Service'
I.4 People's Bank - 'New Mail from People'
I.5 Suntrust Bank - 'Internet Banking with Bill Pay Fees Waived'
I.6 Citibank - 'Your online activity confirmation'
I.7 eBay - 'Account Suspension Notice - Section 9'

II. Virus and Hoax Alerts
II.1 Sophos: Training course emails are a scam
II.2 W32.Sober.I@mm
II.3 SymbOS.Skulls
II.4 Latest Mydoom Virus May Signal 'Zero Day' Attack
II.5 W32/Mydoom.ah@MM

III. Covert phishing scam lies in wait for its victims

IV. Important Phishing Information
IV.1 What To Do If You've Given Out Your Personal Financial Information
IV.2 Identity Theft Help Sites
IV.3 Things you should do to protect yourself.

V. Alleged Phisher Arrested in Boston

VI. Many Users Replacing Internet Explorer

VII. Alliance Formed to Fight ID Theft, Phishing Schemes

**********************************
More Details About Things To Avoid
**********************************

I. Email from people trying to steal your identity (and your money)

I.1 Sovereign Bank - 'Sovereign Bank Unauthorized Account Access':

The Bait: An email sent to you stating that 'We recently reviewed your account, and suspect that your Sovereign Internet Banking account may have been accessed by an unauthorized third party...as a preventative measure, we have temporarily limited access to sensitive account features...check your account profile...To get started, please click the link below...'

What it tries to make you do: Divulge your name and credit card information, and your sovereignbank.com username/password.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-02-04_Sovereign(sovereign_bank_unauthorized_account_access)/11-02-04_Sovereign(sovereign_bank_unauthorized_account_access).html

I.2 Paypal - 'Your Account Will Be Suspended'

The Bait: 'We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address.'

What it tries to make you do: Divulge your personal information such as your name and credit card number, and your paypal.com username/password.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-09-04_Paypal(Your_Account_Will_Be_Suspended)/11-09-04_Paypal(Your_Account_Will_Be_Suspended).html

I.3 Citibank - 'Citibank Alerting Service'

The Bait: It arrives in the form of an email that requests "...We Were unable to process the recent transactions on your account. To ensure that your account is not suspended, please update your information by clicking here..."

What it tries to make you do: Divulge your personal banking information such as your debit card information and your citibank.com username/password.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-10-04_Citibank/11-10-04_Citibank.html

I.4 People's Bank - 'New Mail from People'

The Bait: It arrives in an email asking that you immediately confirm details of your People's Bank account.

What it tries to make you do: Divulge your debit card information.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-15-04_Peoples_Bank/11-15-04_Peoples_Bank.html

I.5 Suntrust Bank - 'Internet Banking with Bill Pay Fees Waived'

The Bait: According to the email, it will waive your monthly Bill Pay fees on Internet Banking.

What it tries to make you do: Divulge your credit/debit card information.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-16-04_Suntrust/11-16-04_Suntrust.html

I.6 Citibank - 'Your online activity confirmation'

The Bait: An email telling you that your Citibank account is on hold status for maintenance.

What it tries to make you do: Divulge all your personal information, such as credit card information, SSN, citibank.com username/password, and contact information (name, address, etc.).

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-17-04_Citibank/11-17-04_Citibank.html

I.7 eBay - 'Account Suspension Notice - Section 9'

The Bait: An email telling you that your eBay account has been suspended due to a violation of eBay's site policy.

What it tries to make you do: Divulge your eBay username/password and email address.

Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/11-18-04_Ebay/11-18-04_Ebay.html

II. Virus/Hoax Alerts:

II.1 Sophos: Training course emails are a scam

The Bait: An offer of training for well-paid jobs in the financial sector.

What it tries to make you do: Sign up for a training course that it claims will lead to a job with the financial institution Credit Suisse.

Where you can learn more about this scam:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1022149,00.html?track=NL-358&ad=496431

II.2 W32.Sober.I@mm

The Bait: An unexpected email that arrives in your mailbox with various subject lines such as 'hi there', 'Registration confirmation', etc.

What it tries to make you do: Open the attached file. If you do, and follow its instructions, your machine is infected with this virus.

Where you can read more on this story:
http://www.symantec.com/avcenter/venc/data/w32.sober.i@mm.html

II.3 SymbOS.Skulls

The Bait: An extended theme for your cell phone.

What it tries to make you do: Download and install a new "feature" for your phone. The "feature" replaces the phone's system files.

Where you can read more on this story:
http://securityresponse.symantec.com/avcenter/venc/data/symbos.skulls.html
or
http://www.gcn.com/vol1_no1/security/27982-1.html

II.4 Latest Mydoom Virus May Signal 'Zero Day' Attack

The latest version of the Mydoom virus suggests to security experts that a much-anticipated "zero day" attack may have already arrived. "Zero day" refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This week's version of Mydoom appeared only two days after a security flaw in Windows Internet Explorer was made public by two hackers, according to experts.

Where you can read more on this story:
http://enterprisesecurity.symantec.com/content.cfm?articleid=5054&PID=182998&EID=796

II.5 W32/Mydoom.ah@MM

The Bait: Receiving an unexpected email that states "Congratulations! PayPal has successfully charged $175 to your credit card".

What it tries to make you do: Click on a link provided within the email.

Where you can read more on this story:
http://vil.nai.com/vil/content/v_129631.htm

III. Covert phishing scam lies in wait for its victims:

According to experts, this is a low risk for now, but it could be a sign of worse things to come. Experts have detected a phishing scam that does not require you to click on a link in an email; it gathers your personal data while you bank online. It works by installing a diverter script in your browser so that when you try to go to your bank's website, you are diverted to the phisher's fake website, which appears identical to your bank's.

Where you can read more on this story:
http://software.silicon.com/security/0,39024655,39125549,00.htm

IV. Important Phishing Information:

IV.1 What To Do If You've Given Out Your Personal Information

If you have been tricked by a phishing method into giving out your personal financial information, do not wait for things to happen or wait for the problem to resolve itself. Take immediate action to protect your identity and your money. Click on the following link for advice on what to do if you are in this situation:
http://www.antiphishing.org/consumer_recs2.html

IV.2 Identity Theft Help Sites

The following links are provided to assist you in case of Identity Theft.
http://www.consumer.gov/idtheft/
http://www.identity-theft-help.us/
http://www.identitytheft.org/
http://www.usdoj.gov/criminal/fraud/idtheft.html
http://www.ifccfbi.gov/index.asp
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm

Canadians will find the following site especially valuable:
http://www.psepc.gc.ca/publications/policing/phishing_e.asp

IV.3 Things you should do to protect yourself:

- Since most phishing emails come through spam, get a spam filtering software program and install it on your computer.

- If you suspect a phishing attempt, report it immediately to your bank. Every bank web site has a link or a toll-free number to report scams. Don't be embarrassed if you were tricked into divulging account information. If you report it immediately, your account will be protected until you receive a new PIN.

- Change your passwords and PINs regularly. Banks advise that you use separate PINs and passwords for different accounts. That way, if one gets compromised, your entire financial life won't be revealed.

- If you are a frequent user of eBay, download its Web browser toolbar, a small program that runs with a user's Web browser. It flashes red when the user visits a possible spoof site. The toolbar uses a database of spoof site URLs submitted by customers, and is updated quite often.

- Check your computer frequently for possible virus infection with an anti-virus software program.

- Regularly update your browser with patches.

And more ideas from InfoWorld:
http://www.infoworld.com/article/04/11/01/HNonlineidtheft_1.html

V. Alleged Phisher Arrested in Boston

Boston police have arrested an alleged phishing scam artist. Andrew Schwarmkoff has been arraigned on counts of fraud, larceny, identity theft and receiving stolen goods. Schwarmkoff, who is alleged to be a Russian mobster, was ordered held in lieu of US$100,000 bail.

Where you can read more on this story:
http://www.techweb.com/article/printableArticle.jhtml?articleID=52600627&site_section=700028
http://asia.cnet.com/news/security/printfriendly.htm?AT=39200964-39037064t-39000005c

VI. Many Users Replacing Internet Explorer

The Washington Post reports that after Microsoft cemented a monopoly of the Web-browser market, it let Internet Explorer (IE) go stale, parceling out ho-hum updates that neglected vulnerabilities routinely exploited by hostile Web sites. Then came Firefox, the latest in web browsers. Firefox blocks pop-up ads automatically, does not use ActiveX (which has been known to cause problems), and resists "phishing" scams, in which con artists lure users into entering personal info on fake Web pages.

Where you can read more on this story:
http://www.washingtonpost.com/wp-dyn/articles/A47146-2004Nov13.html?sub=new
(This site requires registration)

Editor's Note (Paller): Firefox, like IE, has security vulnerabilities. Another IE alternative is the Opera browser (www.opera.com) which will probably be found to have security flaws, as well.

VII. Alliance Formed to Fight ID Theft, Phishing Schemes

Five online security software and service providers have formed the Anti-Fraud Alliance Group in order to help e-commerce and financial services firms fight fraudulent online activities such as phishing and identity theft.

Where you can read more on this story:
http://enterprisesecurity.symantec.com/content.cfm?articleid=5077&PID=182998&EID=799

Copyright 2002-2004 The SANS Institute
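Section IV.3 above describes the eBay toolbar as comparing each site the user visits against a database of reported spoof URLs and flashing red on a match. The block below is an added illustration of that kind of check, written for this page; it is not code from the OUCH Report, SANS or eBay. It normalizes the hostname of a URL, looks it up in a reported-spoof list, and also treats as suspicious a host that is a raw IP address or that mentions a known brand without being one of that brand's real hostnames (the lookalike domains that section III's "identical" fake sites rely on). The spoof list, the brand-to-hostname table and the sample URLs are all constructed for the example; a real toolbar would pull its list from a centrally maintained feed.

```python
"""Spoof-URL check in the spirit of the eBay toolbar described above.

Added example, not the toolbar's own code. The blocklist, brand table and
sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of reported spoof hostnames (assumed; a real deployment
# would fetch this from a vendor-maintained feed and refresh it often).
SPOOF_HOSTS = {
    "ebay-secure-login.example.net",
    "signin.paypa1.example.org",
}

# Brands the check knows, mapped to hostnames that legitimately serve them.
# Assumed for the example; maintained centrally in a real deployment.
LEGIT_HOSTS = {
    "ebay": {"ebay.com", "signin.ebay.com"},
    "paypal": {"paypal.com", "www.paypal.com"},
}


def hostname_of(url):
    """Return the lower-cased hostname of url without a trailing dot,
    or None if the URL has no usable host."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return None
    return host.lower().rstrip(".") if host else None


def _belongs_to(host, legit):
    """True if host is one of the legitimate hostnames or a subdomain of one."""
    return any(host == name or host.endswith("." + name) for name in legit)


def classify(url):
    """Classify a URL the way a spoof-site toolbar would before warning.

    'spoof'      : host is on the reported spoof list
    'suspicious' : host is unusable, a raw IP literal, or mentions a known
                   brand without being one of that brand's real hostnames
    'brand-ok'   : host is a real hostname of a known brand
    'unknown'    : none of the above (the check has no opinion)
    """
    host = hostname_of(url)
    if host is None:
        return "suspicious"
    if host in SPOOF_HOSTS:
        return "spoof"
    try:
        ipaddress.ip_address(host)
        return "suspicious"     # banks don't send customers to a bare IP
    except ValueError:
        pass
    for brand, legit in LEGIT_HOSTS.items():
        if _belongs_to(host, legit):
            return "brand-ok"
        if brand in host:       # brand name used on a non-brand domain
            return "suspicious"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs for a quick run.
    for sample in (
        "http://ebay-secure-login.example.net/signin",
        "http://192.0.2.10/ebay/login",
        "https://signin.ebay.com/ws/eBayISAPI.dll",
        "http://www.ebay.com.account-verify.example/",
    ):
        print(f"{classify(sample):10s} {sample}")
```

The order of the tests matters: the exact spoof-list match comes first because it is the strongest signal, and the legitimate-hostname check runs before the brand-name substring check so that the real signin.ebay.com is never reported as a lookalike. The substring heuristic is deliberately crude and will produce false positives on unrelated domains that happen to contain a brand name, which is why a toolbar of this kind treats it as "possible spoof" rather than a verdict.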