The scumbag scammers are at it again, this time posing as Amazon.com.

The image below is typical of e-mails doing the rounds…

Every one of the several links (arrowed) in the e-mail points not to a page in Amazon.com, but to “fukuokss.com”.  Sound like something you want to be involved with?

Click image for enlargement.

By all means visit the site if you’re curious — there doesn’t seem to be anything harmful there. But don’t give them what they want by clicking any of the links. The whole thing, from the e-mail to the website, the advertisements and the “Donate” button, is a blatant con.

If you click any of the links you’re giving this would-be con artist exactly what he/she wants. You don’t have to fall for buying anything, as they’ll get paid for clicks, whether you follow through with a purchase or not.

PR: wait… I: wait… L: wait… LD: wait… I: wait… wait… Rank: wait… Traffic: wait… Price: wait… C: wait…

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Don't get hooked like a big dumb Trout!

Owners of my security e-book The Hacker’s Nightmare have been too well educated to ever be caught by scams like the following. However they are exactly the type of thing that catches millions of less wary people on a regular  basis.

TWITTER TWADDLE!

The scumbag spam brigade is currently inundating e-mail in-boxes with fake messages purporting to be from Twitter.

You can easily identify the fakes — they contain a link that the sender wants you to click.

PLEASE KEEP THIS IN MIND…

All legitimate providers of any sort of membership service (social media sites, financial institutions, etc) are now awake to the fact that, in the interests of their customer’s security, they should not include “Click Me” links in their HTML e-mail communications.

If they really want you to login to your account and do something, they will ask you to do just that, with something like: “Please login to your account“. Maybe they will provide you with the login URL, but not as a link. However more often than not as a member you will be expected to know the login URL, along with your username and password.

HTML & PLAIN TEXT DIFFERENCES …

Be sure you know how to tell an HTML e-mail from a plain text e-mail.

Hovering your mouse pointer over a link in an HTML e-mail will usually display a little pop-up window containing the real URL that the link is pointing to — regardless of what the link text itself says.

In other words, a link in an HTML e-mail can lie to you. The link text might say something like:

Please click on the link below:
http://twitter.com/account/name@yourdomain.com

But in fact the link will take you to: http://hackerbot.xxx/gotcha/

ON THE OTHER HAND…

With a plain text e-mail, what you see is what you get. So long as you recognise the URL as being valid it is safe to click on. But you still have to be careful that it’s not a carefully constructed look-alike.

ANOTHER ONE DOING THE ROUNDS…

…is a plain text e-mail with no links in it, but with an HTML file attached. The body text of the e-mail will read something like:

You have (8) messages from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

While it makes a feeble attempt to appear to be Microsoft Outlook Support, that ain’t the case at all. The examples I’ve seen are actually from: Frillsdu64@recordonline.com.

EDUCATE YOUR PROVIDERS…

If you are a member of any legitimate service that is in the habit of putting “Click Me” links in their e-mail communications to you, PLEASE contact them and point out how dangerous this practice is. This is how the cyber crims grab your login credentials for their own nefarious purposes.

Related articles:

• Spam masquerading as Twitter e-mails lead to phishing, malware
• Twitter forcing some users to change password. Reported threat of phishing attacks

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

In Part 2 of this series I want to talk about protecting your social networking account, and it all boils down to…

PASSWORDS

And No… you probably don’t already know everything you need to know about passwords, so you really need to keep reading. I’m going to show you exactly some of the ways the bad guys get at your passwords.

If you missed it please first read
 Social Networking Self-Defense: Part I

So it’s pretty obvious that anyone who gets hold of your login credentials, most importantly your password, can modify your personal pages to their heart’s content.

Now, you might be thinking something like “OK, I’ll memorize my password, never write it down, and never tell anyone”.

Well, good, that at least that would be a step in the right direction, but unless you clearly understand how vulnerable passwords are, it won’t be a big enough step. Not by a long shot.

Let’s take a look at password cracking itself…

How to Crack Passwords

Something that very few computer users realize is just how easily common passwords can be cracked. There are all sorts of special password cracking programs readily available to those who take the trouble to look. None of those programs are infallible, but one thing is certain: passwords made up of common words, or common words with a few numbers appended, are usually cracked fairly quickly.

In the past, when writing on this topic, I have always avoided giving any details on password cracking programs. I just didn’t want to be responsible for encouraging anyone to seek out and use such tools.

However, search engines such as Google, Bing, Yahoo etc have become so accurate and all-inclusive as to make these things fairly easy to find. So now I think I can probably achieve more by actually proving their existence to you.

Here’s a list of the 10 top password crackers, according to the Security Tools [http://sectools.org/crackers.html] website, with their descriptions slightly edited for this article.

|
All of those programs work on Windows, and many of them on other operating systems as well. Obviously not all are suitable for cracking all types of passwords under all circumstances, but in the hands of even a reasonably competent person any of several can be a serious threat to your security.

Still not convinced?

A recent Computerworld article describes the massive market for usernames and passwords or social network accounts. One hacker alone has 1.5 million Facebook accounts on offer!

Seriously, you REALLY need to click here and read that article.

And hey! If you aren’t already calling up your Facebook account to change the password (in line with the suggestions here-in) then I’m afraid you’re a sucker just waiting to be sucked dry.

What NOT to do

As a result of a major phishing attack in late 2006 approximately 34,000 MySpace passwords became available for download. Some researchers saw this as an opportunity to analyze what sort of passwords people were using. Here’s a list of the 20 most popular passwords:

|
Not one of those passwords would present the slightest problem to a decent cracking program. Here are some more statistics from the analysis of those 34,000 passwords:

• Numbers were used in well over half the passwords.
• When used, numbers were most often appended to the end of the password.
• Almost 1% of users had the word “password” as all or part of their password.
• Words, colors, years, names, sports, hobbies and music groups were very popular.
• Other popular words include: angel, baby, boy, girl, big, me, the.
• Cuss words were very popular. Because these are common and well known they should be considered as dictionary words, whether they appear in any “real” dictionary or not.
• Also popular were the names of sports (golf, football, soccer, etc.), professional sports teams and college team nicknames.

Again, all very easy stuff for a good cracking program.

I’ll be going into some detail here because I want you to understand very clearly the extreme importance of using good strong passwords if you are serious about protecting yourself.

So let’s look now at exactly what makes for a strong password, from the password cracker’s point of view.

What you SHOULD do

The most important aspects of a password are its length and composition, but there is an apparent catch involved. If length and composition are right for a strong password, then it’s very unlikely you’ll be able to remember even one password, let alone the many that most people need to use. But don’t worry, we’ll solve that dilemma in a moment. First let’s look at the password itself.

The length aspect is simple: the longer a password, the harder it is to derive using special password cracking tools.

Composition is a bit more complex. To be truly effective, the characters that make up the password should consist of a mixture of upper and lower case alphabetic characters (A-Z, a-z), numerals (0-9), plus punctuation and special characters (!@#$%^&*). In addition, repetition of characters should be kept to a minimum and the password should not contain any real names or dictionary words. Here is an example of a 20 character password that conforms nicely to those rules:

Mu49#SLQ&p5^eh!6M9B2

Yes, I know what you’re thinking:

“How on earth could I ever remember something like that?”

And the answer is…

For PC users  : RoboForm
For Mac users : 1Password

Now, I’m a PC user, so I don’t use 1Password, but I have read their material, watched a video on the product and asked some Mac users whose opinions I respect. What I can tell you is that it works very much like RoboForm, performing much the same tasks, and is highly regarded by those Mac users I consulted. For all practical purposes any mention of RoboForm features that follows applies also to 1Password.

When installed, both RoboForm and 1Password take up residence on your browser toolbar.

Secure password generation is a handy feature, but the real power of RoboForm, and the thing that makes it so indispensable to security minded people, is that it can remember the complex passwords that it generates, and also remember which website or login form each password relates to. This is a massively significant feature.

On visiting a web page that contains login fields, RoboForm provides you with a one-click prompt that will fill in all the necessary fields with login information that is specific to that page only.

Similarly, when you manually fill in login fields for a site that you haven’t visited before, you can quickly and easily store those login credentials for one-click retrieval on future visits to that site.

In other words, the longer and more complex a password the better, because you’ll never have to remember it. Nor do you need to be tempted to use the same password on multiple websites, because with RoboForm having five, 25 or 50 long, complex, meaningless passwords is no more of a load on your brain than having just one.

RoboForm offers another extremely useful feature not directly related to passwords but worthy of mention if it will entice you to use this excellent utility.

One-click filling out of forms with any number of personal details can be a real time saver. Name, address, landline phone number, mobile number, fax, date of birth, credit card details — virtually any sort of information required on a form can be intelligently provided with a single click. That’s one click for the whole form, not one click for each field! RoboForm knows what’s being asked for and provides just that.

Both RoboForm and 1Password offer free 30-day trials, after which each application will continue to operate but with a reduced feature set. Here’s the situation was RoboForm:

|
By all means trial the product first, but believe me, purchasing the full version is a very easy decision. Most people will definitely need many more than 10 pass cards alone, not to mention how useful multiple identities and profiles can be, and the ability to create numerous custom fields.

Again, here’s where to get‘em:

For PC users  : RoboForm

For Mac users : 1Password

And remember…

The first line of defense is the human brain.
Keep it engaged when online.

Related articles

• SSD tools crack passwords 100 times faster

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

The FBI has released a report that clearly indicates that the level of Internet crime is not only just as bad as we suspected it was, but getting much worse, with losses more than doubling between 2008 and 2009.

The Internet Crime Complaint Center (IC3) which issued the report is a partnership between the FBI and the National White Collar Crime Center. The center acknowledges that the loss figures could be conservative because they are based only on complaints reported to IC3.

Ironically, the most reported e-mail scams involve the scammer claiming to be from or affiliated with the FBI. The aim of course being to extract information from the target.

The report is actually an interesting read, with many colorful graphics clearly displaying such revealing data as:

• Most common complaint categories
• The number of perpetrators per 100,000 of population (USA)
• The top locations of perpetrators (US states plus countries)
• Some interesting case studies
• And so on…

Download the 25 page report in PDF format

Yes, it does affect you personally…

Unfortunately there is still a public perception that most Internet scams are dreamed up by lone social misfits pounding a keyboard in their bedroom or basement.

The truth is that those days are long gone; most of today’s scams are perpetrated by professional criminals with considerable resources available to them.

To stay ahead of the these grubs you need three things:

1. The right information and advice;
2. The right security tools;
3. The right mindset.

None of those things are going to just fall into your lap. To stay safe online you must be proactive — you must educate yourself and you must actually take some action.

Information sources such as this blog can assist you immensely, but only if you review the posts regularly. So do yourself a favor and subscribe to notifications of new posts.

See the ‘Subscribe Now’ box towards the top right of this page. You have nothing to lose and you could gain substantially, if even one tip or article or idea saves you from loss.

Related articles:

• Cyber Crime Complaints Soar
• FBI reports online crime losses double in 2009
• Big Boost In Net Crimes
• Losses from Internet crime more than doubled in 2009
• Most Popular Internet Scam In 2009: Impersonating The FBI

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

January 21 saw the release by Microsoft of a very important out-of-band security bulletin to address recently publicized flaws in Internet Explorer.

So-called “out-of-band” bulletins are those released at a time other than Microsoft’s traditional Patch Tuesday — the second Tuesday of each month. Out-of-band announcements are bulletins/patches/updates that Microsoft believes are too important to delay action on until the next Patch Tuesday.

If Microsoft admit the extra importance of a new “fix” then you should definitely sit up and take notice.

These most recent exploits have been well publicized worldwide (believed to have originated in China and possibly with government sponsorship) and can also cause problems via other applications such as the Adobe PDF Reader.

You must take action NOW!

I strongly suggest that you take immediate action as follows:

1. Visit the Microsoft update website and perform an update on your PC.
2. Visit the Secunia website, download the Secunia Personal Software Inspector (PSI), install it, run it and update any out-of-date applications it reports. Thousands of computer users are being compromised/robbed/impersonated every day because they continue to use out-of-date/unpatched applications.
3. If you’re still using Internet Explorer (sigh!) download and install Firefox and set it as your primary browser. Look, Internet Explorer doesn’t hold a candle to Firefox in ANY respect. Firefox is better, safer, faster and far superior in the usability and productivity stakes.
4. If the Adobe Reader is your PDF reader of choice, disable JavaScript in that application only. You’ll find numerous suggestions to disable JavaScript in your browser, but that’s a self-defeating move. So many websites rely on JavaScript for functionality that you will effectively cripple your browser by disabling JavaScript. However, disabling JavaScript in Adobe Reader is a different matter altogether. Very, very few PDF files utilise JavaScript, and if you should encounter one (very unlikely) you can enable JavaScript just for that document (if you’re absolutely sure it’s safe). To disable JavaScript in Adobe reader, open the reader and proceed as follows:

• Edit –> Preferences
• Select the JavaScript entry in the left column
• Uncheck Enable JavaScript in the right column

And remember this:

The vast majority of damaging exploits rely on you taking some action such as clicking a link or opening an attachment. In my e-book The Hacker’s Nightmare I discussed these ploys in some depth under the heading of “social engineering”.

DO NOT ALLOW YOURSELF TO BE SOCIALLY ENGINEERED!

Related articles

• Why France and Germany Got it Right: IE Must Go
• Critical out-of-band patch for Internet Explorer now available
• Microsoft patching “Google hack” flaw in IE tomorrow
• McAfee: China attackers exploited new IE hole
• McAfee: China attackers exploited unpatched IE hole
• Mozilla releases Firefox 3.6 with promise of more speed, stability
• Microsoft to release early patch
• Microsoft confirms 17-year-old Windows bug
• Microsoft fixes 8 IE holes, including one used in attacks
• How to improve Internet Explorer security

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

I had an e-mail from a friend today, concerned about the recent increase in spam finding its way into his business. He knew about ISP spam filters and wondered if his host’s filter had been “wound back” in any way.

The short answer is simply “no”, but for those experiencing a similar increase in annoyance a little elaboration may be a welcome.

This is a cyclical problem that you will see repeated many times in your online life. Very loosely and oversimplified, what happens is this:

Programmers come up with a reasonably effective spam filter with a low false positive rate. A false positive is a legitimate e-mail that the filter wrongly classified as spam. Obviously false positives are not acceptable, as they will often mean the loss of important communications that the addressee wants to receive, or at least would not object to if he ever did receive it.

Conversely, a false negative is spam that is incorrectly identified as “good” and thus slips past the filter, eventually making its way to the addressee’s inbox. This is the stuff that annoys everyone.

The key to understanding the fluctuations of this process is to appreciate that filters aren’t people. Filters are simply software that follows preprogrammed instructions. They cannot reason.

The biggest problem with ISP filters is that their results represent the programmer’s idea of what should be classified spam and what shouldn’t. The classification of a particular message as spam is often a personal assessment, and the ISPs filter doesn’t represent YOUR opinion. Consider the following three e-mails:

E-mail #1: An unsolicited advertisement for Viagra.
e-mail #2: An unsolicited Viagra joke from your best friend.
e-mail #3: A medical newsletter on contraindicators for Viagra.

Messages #2 and #3 are clearly not spam, while message #1 just as clearly is. I’m sure you can see the problem for a conventional spam filter. Easy for a person; very, very difficult for a piece of software.

With such filters, a fair bit of compromise is necessary. Making the filter too stringent results in an unacceptable increase in false positives. Make it too generous and there is a marked increase in the volume of spam getting through.

Now, getting back to my friend’s inquiry…

A professional spammer’s success depends on him being able to get as many messages as possible past as many filters as possible. We’re talking about potential revenue from literally tens of millions of “suckers”. Not exactly small change. So the big guys in this business have programmers and analysts working constantly to figure out ways to beat the filters and get their messages through to the end user.

Thus there’s a constant see-sawing battle as each side tries to outdo the other, and each has their period of being on top.

You can probably understand now why I’m not a big fan of ISP-based spam filters.

With some ISPs and some filters you can have a little bit of control over how the filter works, but not nearly enough for my liking. I’m in business and I can’t afford to lose correspondence through false positives. I want my filters to work my way and identify messages as “good” the way I would.

Yet at the same time I can’t spare the time to wade through an ocean of spam every day.

It may sound like a big ask, but it’s not an impossible wish-list.

The new member’s website (currently under development) has a complete module devoted to understanding and dealing with spam. And yes, I agree with you: who wants to read about spam? But a little time spent addressing the problem properly can save you an enormous amount of wasted time (money!) and frustration.

There are very viable, quite practical solutions – hardware & software – for both individuals and businesses of all sizes.

For now I’ll just leave you with the personal solution (software) I’ve used and recommended to Microsoft Outlook* users for years. It’s called SpamBayes and its quite free.

* Please be aware that Microsoft Outlook and
Outlook Express are NOT the same thing.

Unfortunately SpamBayes’ installation and configuration aren’t quite as friendly as some people might need, but until the new member’s website is open and you get access to the Spam Module, the recommendation is about the best I can do for you. The member’s Spam Module describes everything you need to know about SpamBayes in step-by-step detail, complete with illustrations and screen-shots, and including instructions for e-mail clients other than Microsoft Outlook.

Many businesses that have discovered the value and effectiveness of SpamBayes install it on all workstations as a final line of defence, even though they may have some sort of enterprise filter mechanism in front of the individual workstations.

SpamBayes: http://spambayes.sourceforge.net/windows.html

So to summarize, if you’re not prepared to take personal control of spam filtering, expect to see marked fluctuations in the volume of spam arriving at your computer’s inbox. Asking your ISP to “tighten up” things at his end will certainly reduce the spam volume, but expect to lose a lot of legitimate correspondence that you would prefer to receive.

If you would like to be informed about new developments regarding the upcoming Member’s Website just complete the form below. When it’s open to subscribers you’ll be amongst the first to know.

If you found this article useful please share it on your favorite social media network
(see buttons below)

©2012 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.