Be Wary of ‘Order Confirmation’ Emails

Republished from http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/ originally published on 12/14/2014

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

Home Depot Scam Confirmation

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

Walmart Scam Confirmation

This Asprox malware email poses as a notice about a wayward package from a WalMart order.

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet.

Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks. Asprox also deploys a scanning module that forces hacked PCs to scan websites for vulnerabilities that can be used to hack the sites and foist malware on visitors to that site. For an exhaustive and fairly recent analysis of Asprox, see this writeup (PDF) from Trend Micro.

Malcovery notes that the Asprox spam emails use a variety of subject lines, including “Acknowledgment of Order,” “Order Confirmation,” “Order Status,” “Thank you for buying from [insert merchant name here]”, and a “Thank you for your order.”

Target Scam Confirmation

Target is among the many brands being spoofed by Asprox this holiday season.

If you receive an email from a recognized brand that references an issue with an online or in-store order and you think it might be legitimate, do not click the embedded links or open the attachment. Instead, open a Web browser and go to the merchant's site yourself, by typing the address or using a bookmark. Generally speaking, legitimate communications about order issues will reference an order number and/or other data points specific to the transaction, information you can use to look up the order status at the merchant's Web site. A message that gives you no way to check it except its own link or attachment is a message to delete.
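The red flags described above can be checked mechanically. What follows is an added example and not part of the republished article: a Python script that parses a raw email and flags a link whose visible text names one site while its address points at another, a sender domain that does not belong to the brand the message names, and an attachment with an executable, archive or double extension. Both sample messages are constructed for the example; the sender domain, the link target and the attachment name are invented and are not indicators from the Asprox campaign.

```python
"""Added example: flag order-confirmation phishing red flags in a raw email."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; every
# domain, URL and file name is invented (reserved .example/.invalid TLDs).
SCAM_SAMPLE = """\
From: "Home Depot Customer Care" <orders@hd-confirmations.example>
Subject: Order Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Thank you for your order. View your order status at
<a href="http://track.example-cdn.invalid/order/1234">https://www.homedepot.com/order</a></p>
--b1
Content-Type: application/zip; name="Order_Details.pdf.zip"
Content-Disposition: attachment; filename="Order_Details.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed message with the shape of a legitimate notice: the brand in the
# link matches the sender's domain, an order number is given, no attachment.
CLEAN_SAMPLE = """\
From: "Example Store" <orders@example-store.example>
Subject: Order 4481-22 has shipped
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Order 4481-22 shipped today. Track it at
<a href="https://www.example-store.example/track/4481-22">www.example-store.example</a></p>
"""

RISKY_SUFFIXES = (".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".jar", ".zip", ".rar")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{2,4}$", re.IGNORECASE)
URL_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def registrable(host):
    """Crude registrable domain: the last two DNS labels. Right for .com-style
    names, wrong for example.co.uk; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self._href, self._text, self.links = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of findings (strings) for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings, claimed = [], set()
    sender_domain = registrable(msg["From"].addresses[0].domain)

    # 1. Visible link text names one site, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            match = URL_LIKE.search(text)
            if not match:
                continue
            shown, real = registrable(match.group(1)), registrable(host_of(href))
            claimed.add(shown)
            if shown != real:
                findings.append(f"link text shows {shown} but points to {real}")

    # 2. The sender's domain is not the brand the message itself names.
    for brand in sorted(claimed):
        if sender_domain != brand:
            findings.append(f"sender domain {sender_domain} is not the brand domain {brand}")

    # 3. Executable, archive or double-extension attachment (e.g. .pdf.zip).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES) or DOUBLE_EXT.search(name):
            findings.append(f"suspicious attachment name: {name}")
    return findings


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, analyze(sample) or ["no findings"])
```

To run it against a message you saved from your mail client, call analyze() on the contents of the .eml file. A clean result means the message passed three tests, not that it is legitimate, which is why going to the merchant's site yourself still applies.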

Sony Hack: What You Need To Know

It's easy to think no one is safe on the Internet anymore. On November 24, Sony Pictures, the tech giant's film division, joined retailers like Home Depot and Target on this year's list of major companies hit by a large-scale breach.

There are quite a few reasons for consumers to be aware of this developing story. First off, if you’re a PlayStation owner, you might be wondering if your data was compromised. In addition, if you’re an Internet user, you might be wondering how to keep yourself safe from future hacks. To help address those concerns, let’s go over what we know and what you need to do to protect yourself.

The Hack

On December 1, the FBI issued a "flash" warning to businesses about a destructive new strain of malware. The FBI later confirmed that this malware had been used in the attack on Sony Pictures, and Sony issued a statement describing the attack that afternoon.

According to Sony, screens across the company went black, their contents replaced by the message "Hacked by #GOP." GOP, in this case, stands for Guardians of Peace, a group that had not been seen before this attack. The group also threatened to release "secrets" stolen from Sony's servers.

Sony suspects that North Korea, or a party acting as its proxy, may have engineered the attack out of a desire to stop the new James Franco/Seth Rogen movie "The Interview." In the film, Rogen and Franco play TV personalities sent by the CIA to assassinate North Korean leader Kim Jong Un. The North Korean government has condemned the film in letters to the United Nations and the White House. A representative of the North Korean government denied responsibility for the attack.

The hackers leaked several Sony films online, apparently taken from screener copies, including the WWII drama "Fury," then still in theaters, and the not-yet-released remake of "Annie." They also took a great deal of confidential internal information. The Social Security numbers of several celebrities and the home addresses of many Sony employees have already been made public.

The exact extent of the leak is as yet unknown. Sony has brought in an outside security firm to determine the extent of the damage while the FBI investigates the origin of the attack.

The Followup

On December 8, the hacker group Lizard Squad knocked the PlayStation Network offline with a distributed denial-of-service attack against its login servers. Sony has not indicated that consumer records were affected, and the outage lasted only a few hours.

There is no direct evidence linking the two events, though the timing is suspicious. Note, however, that a denial-of-service attack floods a service with traffic rather than exploiting a flaw in it, so the outage by itself says nothing about whether the PlayStation Network shares whatever weakness let the attackers into Sony Pictures. Until Sony completes its investigation, that remains unknown. At press time, the gaming network is operating normally.

What Was Learned

As it turns out, individual Web users aren't the only ones who need to beware of suspicious downloads. Several of this year's big breaches began with malware that reached a corporate network after an employee or a vendor with access was tricked into running it or giving up credentials. Even the best security software can't protect against a user who lets the attacker in.

There's no need for individual consumers to panic. No consumer data appears to have been compromised in either incident. PlayStation Network users might consider changing their passwords, but no further action is needed. Unless you work for Sony, it's unlikely your personal information was exposed.

Continue to follow identity monitoring best practices. Check your credit card statements. Change your passwords regularly. Keep an eye on your investment accounts. Report suspicious account activity immediately.

The real lesson from the Sony hack is how prevalent malware is. Even with the highest-caliber security software, opening a dangerous file can do serious damage to your computer, and to your identity. Here are a few guidelines to help keep you safe online:

  • Don't open attachments within emails unless you're expecting them, even from people you know. Email worms spread by mailing themselves to everyone in an infected machine's contact list, so the sender's name proves nothing. If you need to share a picture or document, use a file-sharing service instead; free options like Dropbox or Google Drive keep your files safe and shareable.
  • Don't follow links if you don't know where they're going. A malicious program can sit behind an innocent-looking news headline. Hover over the link to see the real destination, and if you don't recognize the host, don't click.
  • Safeguard your login information. Don't share usernames or passwords for any service with anyone. Any piece of identifying information you publish can be used to phish for more.

The 12 Scams Of The Holidays

The holidays are a time of family togetherness and celebration. Scammers know you’re distracted, busy, and emotional. That’s why their schemes are so devilish. They get their own twist around holiday time.

In the interest of keeping things in the holiday spirit, let’s look at 12 scams of the Holidays. Don’t get taken in by these or similar schemes. Otherwise, you might be footing the bill for twelve drummers drumming and all the rest!

1.) Mobile malice

Be wary of "season-themed" apps that perform frivolous functions yet demand broad permissions. An app that makes it look like there's snow on your background image has no reason to send or receive text messages. One that asks for that permission can send premium-rate texts and leave you holding the bill.

2.) E-card danger

Everyone with an email address will send these little Flash animations. Scammers have designed some with malicious code that installs data-stealing programs on your computer and does untold damage. Don't click links in emails unless you know the sender, and even then, if it looks a little out of the ordinary, it probably is. Contact the sender to verify that they sent you the electronic greeting. If they didn't, they may already have been compromised, and it would be good to let them know.

3.) Fake packages

You'll be receiving unexpected packages this season. Scammers know this and will send realistic-looking delivery failure notifications by email, or leave a counterfeit note on your door. They expect you to follow up by clicking the link in the email or calling the number on the note. Clicking the link may download malware onto your device. If you call, the scammer will ask for your debit or credit card number to pay an "outstanding fee." Instead, head to your local post office, go to the delivery service's real website and use its track-a-shipment feature, or look up the carrier's phone number yourself and check with a clerk before you hand over any information online or by phone.

4.) Hotel “Lie”-Fi

The FBI has warned travelers about a malicious pop-up on hotel Wi-Fi networks that asks guests to install a program, usually presented as a software update, before they can connect. The program turns out to be data-stealing malware. Remember that Internet connections you don't own or control can easily be used against you. A legitimate hotel network may show a login page asking for your room number and name, but it never needs you to install anything. Before you use hotel Wi-Fi, ask yourself if it's worth the risk; if you do need access, use your phone's cellular connection or a VPN you trust, and refuse any install prompt.

5.) Festive spam

We've all gotten used to filtering out spam in our email. Now prepare for it to take on a holiday theme. Messages will suggest that knock-off Rolex watches and cheap pharmaceuticals would make excellent gifts. Be careful, though: these "companies" may be after your personal information and your card number rather than a sale.

6.) Bogus gift cards

There's a bonanza of savings to be had buying gift cards through second-hand retailers. Be careful, though, because many of these sellers are fronts for scammers. The cards may be invalid, already drained, or forged, and you'll be left holding the bill.

7.) Fake charities

These crop up every time there’s a major disaster, but they also show up at the holidays. Leaflets and phone calls from organizations with familiar-sounding names will soon appear. To be safe, don’t give to any charity with whom you didn’t start the contact. Do your research on the alleged charity to make sure it is legitimate and give to charities whose values align with your own.

8.) Must-have gift scams

There will soon be an "it" gift. You'll know it by the high demand, low supply, and hugely inflated prices. Almost on cue, websites will pop up offering the rare widget at unbelievably low prices. This is a scam: the advertiser doesn't have the product and is only using the offer to harvest personal information or to take your money. The same trick runs on marketplaces like Craigslist or eBay, where the seller asks for payment through PayPal and never sends the item.

9.) Holiday catfishing

"Catfishing" means pretending to be seeking a romantic partner on the Internet in order to dupe people. Scammers take advantage of the loneliness the holidays can evoke to trick people out of gifts, money, or worse. As tempting as it is to believe in love stories during the holidays, keep your feet on the ground and practice safe Internet dating: never send money or gift cards to someone you have not met in person. A good rule of thumb: if you're single at Halloween, stay that way until after New Year's.

10.) Holiday vacation scams

If it’s cold and miserable where you are, it’s always tempting to go someplace tropical for a few weeks. If you’re thinking about getting away, be careful of unrealistic prices or “too-good-to-be-true” travel offers. Scammers have been setting up phony travel sites to harvest personal information. Only book through reputable websites.

11.) Devious Holiday games

If you're facing a 5-hour flight and a 3-hour layover, it's fantastic to have a distracting mobile game to pass the time. Be careful, however, not to download the wrong one. Malicious mobile games can harvest data from your phone or steal passwords. Always do a quick search on the app and its publisher before you install, and read the permissions carefully. A game has no reason to ask for permission to send texts, read your messages, or upload your contacts to third parties.
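Items 1 and 11 both come down to reading an app's permissions. The following is an added example, not part of the original list: a Python script that reads an Android app's manifest, flags permissions a wallpaper or casual game has no business holding, and also looks for a broadcast receiver registered for incoming text messages with a high priority, the pattern an SMS-stealing app uses to see texts before the real messaging app does. The manifest is constructed for the example and the app is hypothetical; the permission and action names are the real Android identifiers.

```python
"""Added example: review an Android manifest for permissions and components
that a cosmetic app (wallpaper, e-card, casual game) has no reason to hold."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission names, and what each lets the app do to you.
HIGH_RISK = {
    "android.permission.SEND_SMS": "send premium-rate texts billed to you",
    "android.permission.RECEIVE_SMS": "read incoming texts, including bank one-time codes",
    "android.permission.READ_SMS": "read your stored text messages",
    "android.permission.READ_CONTACTS": "harvest your address book for further spam",
    "android.permission.CALL_PHONE": "dial premium-rate numbers without asking",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself whenever the phone boots",
}

# Constructed manifest for a hypothetical "snow on your wallpaper" app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.snowfall">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Snowfall Live Wallpaper">
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a wallpaper app that asks only for what it needs.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.snowfall.lite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Snowfall Lite"/>
</manifest>
"""


def attr(name):
    """ElementTree key for the namespaced android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


def declared_permissions(root):
    return [el.get(attr("name")) for el in root.iter("uses-permission")]


def sms_interceptors(root):
    """Receivers registered for incoming SMS, with their priority. A high
    priority lets the receiver see the broadcast before the stock messaging
    app, and before Android 4.4 it could abort the broadcast so the victim
    never saw the text at all."""
    found = []
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(attr("name")) for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(filt.get(attr("priority"), "0"))
                found.append((receiver.get(attr("name")), priority))
    return found


def review(manifest_xml):
    """Return the package name, flagged permissions and SMS receivers."""
    root = ET.fromstring(manifest_xml)
    flagged = [(p, HIGH_RISK[p]) for p in declared_permissions(root) if p in HIGH_RISK]
    return {
        "package": root.get("package"),
        "permissions": flagged,
        "sms_receivers": sms_interceptors(root),
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = review(manifest)
        print(result["package"])
        for permission, consequence in result["permissions"]:
            print(f"  {permission}: can {consequence}")
        for name, priority in result["sms_receivers"]:
            print(f"  receiver {name} listens for incoming SMS at priority {priority}")
```

For a real app, `aapt dump permissions app.apk` lists the declared permissions, and `apktool d app.apk` recovers the manifest in readable form for the receiver check. The same question applies to the list your phone shows at install time: if the purpose of the app doesn't explain a permission, don't install it.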

12.) Free USB Tricks

Be careful with unsolicited gifts of “free” USB thumb drives. Security firm McAfee warns that many of these devices come pre-loaded with malware. Such scams often target company computers, so ensure you only use approved hardware on your work network. USB storage is cheap enough that you can pass on the freebies.


Consumers Targeted in Counterfeit Check Scam

We have been alerted to a counterfeit check scam in which consumers receive counterfeit checks via FedEx as part of an online job offer they have accepted. The counterfeit checks may be accompanied in the FedEx package by a generic letter claiming to be from "Lisa Banks from the Payment Department." The letter instructs recipients to deposit the check into their personal account and then send a portion of the funds back, usually by Western Union. The checks are not valid financial institution checks: once the deposit is reversed, the money wired back comes out of the recipient's own account.

If you receive a FedEx package containing a check with the NASA FCU name and address and believe that it may be part of this counterfeit check scam, or if you would like to verify a check presented for deposit, please contact the Credit Union at 1-888-NASA-FCU (627-2328).

Text Scam Warning

Consumers Targeted by Text Scam

We have been alerted to a text message scam where consumers have received text messages stating that their Visa Debit cards have been deactivated. They are then instructed to call to reactivate their cards. If consumers call the number, a prerecorded message asks them to input their debit/credit card information for “verification purposes.”

The text contains a generic message stating, "Card Services Alert: You Visa card has been temporarily deactivated because we suspect unauthorized transactions may have or could occur. You may reactivate your card by calling us at 301-880-3305."

The phone numbers used to send the text and receive return calls are no longer in service; however, the scammers may well move to a new local number, or spoof one.

If you received a similar text, please do not call the number provided. If you have called the number and provided your card information, please contact NASA Federal immediately so we can block your card and reissue a new one. Or, you can visit a branch office to obtain a new card.

As a reminder, NASA Federal only sends text alerts to members who have enrolled to receive them either through eAlerts or our new Debit Card Text Alert service (https://www.nasafcu.com/debitcardtextalerts/). Texts from the Debit Card Text Alert service will be branded with our name, and will contain the call back number of 1-866-763-3373. They will also contain a Case ID number and the option to reply with the STOP command to cancel your enrollment.

Financial Self Defense: Internet Hygiene

The Best Computer Time Investment You Can Make

Wash your hands after you use the bathroom. Cover your mouth when you sneeze. Brush your teeth daily. These are all basic elements of personal hygiene. We practice them, in part, to minimize the amount of gross stuff that our bodies do, but we also practice them to help protect us from disease.

You might think “Internet hygiene” means wiping down keyboards after you use them and not spilling things on your computer. While these are good habits, there’s another range of behaviors that security experts call “Internet hygiene,” and it can be the difference between a safe and effective Internet and a world of hackers, bots, and identity thieves.

For most people, the beginning and end of cyber-security is a piece of anti-virus software. Imagining that there is nothing on their computer worth stealing, most users don't take their online security very seriously. Increasingly, that's exactly the attitude hackers count on.

One recent example is Gameover Zeus, a banking Trojan that the FBI estimates infected between 500,000 and one million computers before an international takedown in June 2014. It gave its operators remote control over infected machines, which they used to steal online banking credentials and to launch attacks on websites. The same botnet also delivered CryptoLocker ransomware: victims found their personal files encrypted, and a window informed them that unless they paid a ransom, payable in Bitcoin and sometimes amounting to a few thousand dollars, they would lose access to the contents of their hard drive forever.

How did it spread so widely? Attackers have gotten better at choosing their targets. Out-of-date software is easy to find, and known weaknesses in it can be exploited to take control of a computer. Gameover Zeus itself arrived mostly as a booby-trapped attachment in spam. Once a machine is compromised, it's a trivial task to send emails that look like they come from its owner, which makes infecting that person's friends and family that much easier.

Security expert Tom Kellermann compares a compromised computer to a neighbor who always leaves the front door of an apartment complex unlocked. Not only can thieves break into the neighbor's apartment, but they can use their access to the building to break into other units more easily. If you aren't keeping your computer's software up to date and being vigilant about what links you click, you aren't just putting your own security at risk. You're creating a more dangerous Internet for your friends, co-workers, and family, too.

The lesson of Gameover Zeus is pretty simple. Computer viruses spread a lot like human viruses. They infect people who don't practice good hygiene, then spread to their friends and family. If you wouldn't sneeze on your hand before pushing the buttons in an elevator, don't practice unsafe Internet behaviors either.

How can you practice good Internet hygiene? You don’t need to be a tech guru to keep your PC safe. Security experts consistently recommend you take at least these five steps.

1.) Install an anti-virus program, like AVG or McAfee, and keep it up to date. Schedule its updates to run when your computer is on, and don't interrupt the process. Do the same with an anti-malware program, like Malwarebytes. Tens of thousands of new malicious programs are created every day; if you're not regularly updating your security software, you might as well not have it.

2.) Run scans with both your anti-virus and anti-malware software on a weekly basis. Just as people with strong immune systems can still get sick, you can still be infected with malicious programs even if you have a Mac. If you're on the Internet, you're at risk.

3.) Do it right away. If your computer tells you it needs to download or install critical updates, do it the first time you see the notice. It's annoying to stop what you're doing and restart your computer, but it's better than having your computer compromised. When IT professionals call something a "critical update," it usually means it fixes a known, exploitable vulnerability. Make sure the message comes from a trusted source, however: genuine updates arrive through your operating system's or application's own update mechanism, not through a pop-up in your Web browser. Malware is known to use fake "critical update" pop-ups to get onto your computer.

4.) Don't click links that take you to sites you don't recognize, even if a friend or family member emailed them to you. These emails are frequently generated by infected machines to keep malicious software spreading. Clicking that link might make you yet another disease vector.

5.) Don't download, install or run any software you don't recognize. For this malware to keep spreading, at some point a human being has to let it run. If you install software you suspect might be dangerous, you're putting your computer, and the computers of everyone you know, in jeopardy.

This might seem like a lot of work, but it’s the price of doing business and living in a digital age. With the convenience of a world of information at your fingertips comes the responsibility to maintain the health of that system. Do your part – install and update security software, and be constantly on guard for threats!