Puppy Scams
May 29, 2007 on 7:08 pm | In Information, Internet Fraud, On the Radar | No Comments
The American Kennel Club posted an advisory on their website today warning animal-loving consumers about new online and/or newspaper scams. Apparently, the scammers are offering puppies at a very inexpensive price and sometimes for free to anyone willing to pay for the shipping and other related charges.
The scammers indicate they are relocating to a foreign country and need to find a “good” home for their beloved puppy or puppies. These scammers are successful because they play on the good-hearted nature of those who love puppies and appear to be sincere in their communication to the victim(s).
You can read this story at:
http://www.akc.org/news/index.cfm?article_id=3220
There are tips in the article to help buyers choose legitimate and reliable sellers.
Critical WMF Exploit Patch Advisory
May 29, 2007 on 8:28 am | In Information, On the Radar | No Comments
F-Secure.com posted an advisory on their blog today warning readers of a malicious e-mail that appears to come from Microsoft Support but contains a link that, if clicked, could infect a computer with Backdoor:W32/VanBot.CA. You can see a sample of the e-mail on the F-Secure Blog at:
http://www.f-secure.com/weblog/
When you read the e-mail, you will notice there are many typographical errors, poor grammar and sentence structure, and the link is obviously not from Microsoft. The e-mail also attempts to gain the end user's trust by suggesting they get the update from the “Windows Update Center”, but if the user wishes, they could click the embedded link.
F-Secure strongly recommends keeping your anti-virus definitions updated and if you use F-Secure products to protect your system(s), the 2007-05-28_05 update will detect this threat.
Anytime you wish to check for Microsoft Security updates, do the safe thing and check on the Windows Update site at http://www.update.microsoft.com/.
“Windows Vista”
May 25, 2007 on 5:08 pm | In Information | No Comments
I received an e-mail today with the subject of “Windows Vista” and after looking at the header and content information, chances are high that this could be a malicious e-mail.
The body had the following lines:
Sample Privacy Policy Terms Microsoft Windows Vista
ultimate Alpha Question guys running already. install Pirated Time because installed came counted
This was followed by an embedded GIF image, which could have malicious content or web bugs encoded within it.
The header of the e-mail indicated that it originated in Tel Aviv, Israel and there were links in the body pointing to “llsdsdof.com”, which according to DNSstuff.com, is located in Halifax, NS. Another piece of information that raised a red flag for me was that this domain was registered on May 21, 2007. It is common for spammers to register new domains right before they unleash their malicious content.
This e-mail has trouble written all over it and if you receive anything similar to this, the wisest choice would be NOT TO OPEN IT and DELETE IT IMMEDIATELY!
Call Forwarding Phishing Attack
May 21, 2007 on 5:52 pm | In Phishing Scams | No Comments
Last month, Don Jackson wrote an article that appeared on the SecureWorks “Threat Analyses” web page outlining a new type of Phishing attack utilizing a call forwarding scheme. The victims are warned that if they do not update their bank account information using the steps outlined in the e-mail, their accounts will be suspended.
As Mr. Jackson explains, victims receive an e-mail with instructions to dial *72 and then a “secure” number they state is the victim’s bank telephone number. After completing these tasks, the victim will supposedly receive a confirmation call within an hour and then the victim will be able to complete the process, which involves updating their personal information using an online form. Once the victim has completed the steps, the scammers are then able to use their personal information fraudulently, knowing that if the victim’s bank calls the victim’s telephone number on file to verify charges on their account(s), the calls will be forwarded to the scammer’s telephone number…who will in turn tell the bank the charges are authorized. This is a clever tactic and you need to be aware of it to avoid a nightmare of consequences.
As always, computer users should never fall for any scheme, intimidation attempt, or any form of solicitation in the form of an e-mail. You can read about this new scam at:
http://www.secureworks.com/research/threats/callforward/?threat=callforward
Social Networks are an Effective Tool for Scammers
May 19, 2007 on 8:14 pm | In Information, Phishing Scams | No Comments
Lenny Zeltser wrote an eye-opening article for the SANS Internet Storm Center Wednesday, May 16, explaining why scammers are attracted to Social Networks and how such networks can result in huge returns for them.
If you or anyone you know uses MySpace, Facebook, or similar social networks, this is an article worth reading. A phisher was interviewed for the article and explains how [they] use social networks for [their] malicious deeds and why social networks yield such high returns compared to other sources.
The article ends with suggestions to limit your risk of exposing sensitive information to phishers and their scams.
You can read the article at: http://isc.sans.org/diary.html?storyid=2808
10 Tips for Safer Instant Messaging
May 15, 2007 on 5:30 pm | In Information | No Comments
Instant Messaging has become a very popular method of communication; however, as with other popular technologies, IM can present some serious security holes.
If you or others on your network choose to use Instant Messaging, Microsoft has 10 tips to help you become more secure. You can read the tips at:
http://www.microsoft.com/protect/yourself/email/imsafety.mspx?pf=true
Security is no longer an option…practice safe habits.
419 Death Threat Scam
May 14, 2007 on 6:29 pm | In On the Radar, Phishing Scams | No Comments
On Tuesday, May 8, 2007, the SANS Internet Storm Center reported on a new e-mail scam with a new twist…a death threat against your life!
In looking at the example of such e-mails, the grammar is consistent with e-mails originating from overseas addresses, or the spammers are just plain illiterate. At any rate, this is a story worth reading and offers suggestions if you receive this type of e-mail, including where to report the threat(s).
You will find the story at:
“Firewall Update Notification”
May 13, 2007 on 10:28 am | In Information, Spam | 7 Comments
I just received a fraudulent e-mail from overseas today with the subject of “Firewall Update Notification.” As you will see, the social engineering techniques used in this e-mail make it appear sincere and legitimate, which is how these online con artists write their messages to entice victims into their deadly webs. The body of the e-mail (with all the links changed for your protection) reads as follows:
Firewall Gold Message Center: You may need to update your Firewall security settings as soon as possible:
Press here to update your Firewall security settings or read below for more information: http://Fraudulent website
There is a high possibility that your PC’s Firewall security settings may become exploited by malicious websites without your knowledge. This could easily lead to the following attacks on your PC’s hard drive:
- Unwanted Virus Downloads
- Uncontrollable Trojan horse attacks
- The running of unwanted script programs
- The installation of malicious spyware
If your PC is not protected correctly then these attacks could allow hackers to track your movements across the Internet. It also means that your information, ranging from passwords to credit card numbers, can be stored by sites that you visit. A successful hacker could examine this information and extract it, setting the stage for identity theft, credit card fraud, or worse.
Press here for more information on how to make certain you are protected: http://Fraudulent website
Some unknown or untrusted websites use script programs to change your home page, modify your web history, display advertisements, disable your back button, or redirect you to different websites without your consent. Such scripts have also been recently used by Russian hackers to silently install viruses on end-user’s computers.
One way to protect your PC is to download this new FIREWALL software program.
Press here to run the Firewall system scan now:
http://Fraudulent website
If you feel that you are receiving this email in error or are not interested in receiving future “FIREWALLGOLD” offers please go to this page: http://Fraudulent website or contact us via regular mail at:
Firewall Gold Promotions
100 E. San Marcos Blvd
San Marcos, CA 92069
Please refer all questions, opinions or additional feedback to promediaadvertising@gmail.com
or write to:
ProMedia Advertising
7282 55th Avenue E
Bradenton, FL 34203
To remove your email from our database or unsubscribe
http://Fraudulent website
I did a DNS lookup for the originating IP Address of this e-mail and the search returned the following information:
IP address: 60.49.99.198
Reverse DNS: tm.net.my.
Reverse DNS authenticity: [Could be forged: hostname tm.net.my. does not exist]
ASN: 4788
ASN Name: TMNET-AS-AP (TM Net, Internet Service Provider)
IP range connectivity: 2
Registrar (per ASN): APNIC
Country (per IP registrar): MY [Malaysia]
Country Currency: MYR [Malaysia Ringgits]
Country IP Range: 60.48.0.0 to 60.51.255.255
Country fraud profile: High
City (per outside source): Batu Pahat, Johor
Country (per outside source): MY [Malaysia]
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No
As you can see in the body of the e-mail, the contact information shows California and Florida addresses; however, this e-mail comes from Malaysia. The DNS search results also indicate that the reverse DNS entry for this IP Address could be forged, since the hostname “tm.net.my” does not exist. There were numerous links throughout the e-mail that were likely malicious and could have downloaded backdoor Trojans, keyloggers, rootkits, or other harmful code to your computer. In fact, the attacks they were warning about are probably the same attacks that would have occurred when someone clicked the links…imagine that!
If you do not know how to find this information, our eBook “Home Network Security” will guide you through the steps that were used to discover this information. Download your copy from our products page today at http://www.pc-armor.com/products.asp and learn how to discover fraudulent e-mails BEFORE opening them and infecting your computer.
Finally, the DNS search results gave me a range of IP addresses for Malaysia and since I never receive anything legitimate from Malaysia, I added the 60.48.0.0 to 60.51.255.255 Country IP Range to the list of “Banned” IP addresses in my firewall rules, thus preventing my computer from connecting to any site within that range in the future.
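The triage steps in this post (find the sending IP in the headers, then ban its range) can be scripted. The following is an added example, not code from the original post or the eBook: the headers are constructed and the trusted relay 192.0.2.10 is an assumption; only 60.49.99.198 and the banned range come from the post.

```python
import email
import ipaddress
import re

# Constructed sample headers, not the original message. Only 60.49.99.198 and
# the 60.48.0.0 - 60.51.255.255 range come from the post.
RAW_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Sun, 13 May 2007 10:20:05 -0700
Received: from unknown (HELO pc01) (60.49.99.198)
\tby mx.example.net with SMTP; Sun, 13 May 2007 10:20:01 -0700
Received: from pc01 ([10.0.0.5]) by localhost; Sun, 13 May 2007 10:19:58 -0700
Subject: Firewall Update Notification

"""
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}  # assumed: your provider's relay
IP_IN_BRACKETS = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def originating_ip(raw_headers, trusted=TRUSTED_RELAYS):
    """Return the first public IP that handed the mail to a relay you trust."""
    # Received lines read newest-first. Lines below the hop your own provider
    # recorded were supplied by the sender and can be faked, so stop early.
    msg = email.message_from_string(raw_headers)
    for hop in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # malformed octets such as 999.1.1.1
                continue
            if ip.is_global and ip not in trusted:
                return ip
    return None

def range_to_cidr(first, last):
    """Collapse a first-last range into the CIDR blocks a firewall rule takes."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

BANNED = range_to_cidr("60.48.0.0", "60.51.255.255")

def is_banned(ip, networks=BANNED):
    """True when the address falls inside any banned block."""
    return any(ip in net for net in networks)

if __name__ == "__main__":
    sender = originating_ip(RAW_HEADERS)
    print(sender, [str(n) for n in BANNED], is_banned(sender))
```

The range collapses to the single block 60.48.0.0/14, the form most firewall rule sets accept.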
Fraudulent e-mails are increasingly filling up inboxes every day…awareness and knowing how to protect yourself are tools to help you keep your computer safe from intruders. Our eBook, “Home Network Security” will show you many settings to change in Windows 2000/XP and offer numerous techniques to avoid becoming a victim.
Have you scrubbed your hard drive lately?
May 11, 2007 on 9:03 pm | In Information | No Comments
Eventually, you will need to erase your hard drive and when the time comes, it is important to do it right. Why? There are a few reasons you would need to erase your hard drive…to remove a bad infection from a rootkit or Trojan, to prepare it for a fresh installation of the operating system, or to protect your personal information by ensuring it is completely erased before discarding your computer.
Unfortunately, many people believe formatting the hard drive will do the trick, but in reality, someone with the right tools would be able to lift the data from a formatted hard drive. However, there are programs available to securely erase that data; some must be purchased, while others are free. If you are on a tight budget, the SourceForge website has a free downloadable tool known as “DBAN”. SourceForge.net is the world’s largest Open Source development website, offering an enormous selection of free tools for specialized tasks. The DBAN (Darik’s Boot and Nuke) tool offers the following methods of sanitizing hard drives:
- Quick Erase
- Canadian RCMP TSSIT OPS-II Standard Wipe
- American DoD 5220.22-M Standard Wipe
- Gutmann Wipe
- PRNG Stream Wipe
The American DoD (Department of Defense) Standard is a very secure method of erasing a hard drive; therefore, if you want to ensure the data is completely removed…this would be a great choice. You can download the program from:
You will also find a great FAQs page that should answer most questions users have. Make sure you read the “ReadMe” page, as it has some useful information to help you choose the correct media, as well as avoid common problems.
If you have hard drives that need erasing, this would be a great choice!
Virginia Tech Scams
May 10, 2007 on 4:25 pm | In On the Radar | No Comments
On April 17th, we posted a short advisory on our Blog warning users of possible scams related to the Virginia Tech Massacre. Well, the SANS Institute Security Newsletter for Computer Users, OUCH!, Volume 4, Number 5, May 2007, posted a report that spammed e-mails are making the rounds promising to show photographs of the shootings. If the users click the link in the e-mail(s), they will be redirected to a Brazilian website, which will, in turn, infect their computer with a Trojan designed to steal passwords, user logon names, and account numbers.
You can read the story at:
http://www.informationweek.com/security/showArticle.jhtml?articleID=199100863
Remember, cyber criminals know that humans are curious and even though many have learned not to take the bait…there are many who will.
Be safe and question everything; do not blindly click unknown links.