By a bit of serendipity, Josh and I each got phishing attempts in the past few days.
Granted, we get a lot of phishing and malware emails. After all, we have secret email addresses we use to intentionally collect malware and phishing attempts the bad guys are sending.
It lets us see what the latest attacks are and lets us accurately test the antivirus software against the latest threats.
What made these particular phishing attacks different was they happened by phone.
Since it was, I got to have a bit of fun with the phisher.
And, even though you might get a good laugh, hopefully, it'll help you to remember to be as wary of phone calls as you are now of clicking links in emails.
Here's what happened...
I answered the phone at my office as I usually do, "Hello, this is Kevin."
"Hi, Kevin. This is 'Ron' I'm with the Wells Fargo fraud team. We've detected unusual activity on your account.
"Have you travelled to London recently?"
Since I don't have a Wells Fargo account, the gig was up right there for him, but I decided to have a little fun.
"Oh, gosh, I'd love to go to London!" I said.
Thrown by my reply, the best he could muster was, "Yessir. And have you been there in the past two weeks?"
Fish & Chips (with a Texas Accent)
At this point, I decided to give him the best Texas accent I could muster.
"Well, let's see. I guess you might say. I have done a fair bit of travelin'. First I was—sorry, we were—in Leicester. Had a wonderful fish-and-chips at a pub richt thar.
"My wife, girlfriend, and our thirteen kids, well technically I'm not sure if four of the rugrats are mine, but after five or
six, what's another?
"Love 'em all just the same.
"So we were in Leicester, the wife, girlfriend, kids and me, when one of the kids decides to wander out of the pub. Shooooot, it musta been two in the mornin'.
"Don't know what the little bugger was thinking, so he wanders out into the street. No idea how long he was gone.
"I guess the coppers must've scared him because he wandered back in. Knees looked a bit skinned, but the girlfriend tended him, so it was no concern of mine.
"After Leicester, we made our way to Brisbane for the night. Wonderful city."
"Pert near a fortnight there and we were off to Timbuktu, which if you've never been, is a real city. Sure as shootin.'
"Good luck trading your money there though, let me tell you."
How 'bout an American Express?
"So glad I had my American Express card. Don't leave home without it, I always say. So you're with American Express you say?"
"Uh. Yessir. I am. Your travel to, uh, these places. It. Uh. It has set off fraud warnings in our system."
"I need to confirm your card is in your possession. Do you have it?"
"Oh sure. Let me dig around for it. One of the kids must've just used it for some Minecraft thing or another."
At this point I put the phone down, found some sounds online of kids playing and put the phone next to the speakers, while pretending to rustle papers around.
Those Doggone Kids
Every couple of minutes, I'd shout some obscenities with a random kids name.
Every few minutes I'd go back to the phone, apologize, and tell him to hold on just another minute.
I could tell from the exasperation in his voice, my gig was almost up, but I wasn't done with him yet.
Time for a Boston Accent & a Discover Card
Switching now to a Boston accent, I went on,
"Gosh, I'm sorry. The wife and girlfriend left a while ago for some a little shaawpping. They took one of the Ferraris and left me with awl these kids.
"I just don't know where my Discover khad is."
"Oh, that's no problem. We'll just look it up with your social security number."
Darn... Maxed out the Social Security Card, too??
"My social security number? Oh, heck, I stopped using that credit caaad years ago! Maxed that thing right out. Can we use something else?"
"Sir, your social security number isn't a credit card."
"Oh right. That thing. Haven't used it in years either. I don't think I can find it."
"You don't know your social security number??"
"Well, not since little Frankie ran over the neighbah's pet alligata back in '86. Had to get the heck out of Dawdle afta that. Moved to Canada for a couple a years.
"Let me tell you, getting fifteen kids, the wife, the girlfriend, AND the Ferraris across the border took some doing.
"Oh wait, we had the Porsches then. Air-cooled engines. Great sound.
"So, no, I guess I don't really know my social security number anymore. Isn't there anything else??"
At this point, 'Ron' was nearly in tears. It was bliss.
"Well, we could use your checking account, full name, and address. The one you use to make payments with."
"Oh, right, sure thing. Easy. Peasy."
Those Pesky Kids Are Back / The Surfer - Valley Girl Arrives...
At this point, I repeated the kids shouting / playing sounds routine and pretended to rustle through belongings and occasionally shouted random kids names again.
Upon returning, I'd gone part California surfer, part Valley Girl.
"Like. I can't find the doggone check book either. Don't that like just take the cake, dude.
"I bet those two are really going to do some damage. Last time they went out together with the Visa and my checkbook, they said they were just going for a manicure but came home with a new Ferrari.
"Love those two.
" Heck, with all the kids' puke stains on the back seat, I guess it was time, man. Thing probably had 4,000 miles on it anyway.
"You know, now that I think about it, OMG! I'm not sure if they even got manicures that day."
"Well, let's confirm the account details we do have here on file, and I can call later to get the rest of the information."
"Oh. Right. Sure."
"...your full name as it appears on your account, sir?"
"Kevin Hfuhruhurr Armani Dior Steve Stifler de la Cruz IV."
Hfuhruhurr can be a real bugger to spell apparently.
Exasperation level: 10/10.
"Well, we don't really have a 'permanent address', air quotes!! ...you might say...Not with like the, you know, like, alligator incident in '91 and all."
Are You Telling Me the Truth?
"Sir. Are you telling me the truth? Or are you just making things up now?" he pleaded.
"I'm telling as much truth as you are."
"OK, I guess the gig is up for both of us."
"What's a 'gig', sir?"
"In this case, it means 'scam." I said. "Let's drop the bullshit. You called me trying to steal from me. You're not my bank. You're a scammer. Where are you, someplace in India?"
The Long Silence: Part I
After considering his options, 'Ron' decided to come clean.
"Yes. I'm in India."
I pressed on, "And this call, it's a total scam, isn't it?"
"Well. I wouldn't call it that."
"Oh, right. You're from my bank. Wells Fargo, you said. Here's the funny thing: I don't even have an account there."
'Ron' went on to confess he'd been doing it for about three months, and that the money wasn't great, but it was enough to feed his family.
I asked him how he'd feel if someone stole money from his family, and they couldn't eat.
"I never thought of it that way..." he began, "The banks pay everyone back. No one gets hurt."
"Hate to burst your bubble, 'Ron,' but that's not how it works. When you take money from someone's bank account, it's a looooong process for the victim. It takes weeks to even try to get the money back.
Sometimes, the banks say, "No," and the victim loses the money.
"There's really no difference between what you're doing and a mugger on the street: YOU are a thief telling money from people."
The Long Silence: Part II
After another long silence, I added, "You can try to justify it to yourself anyway you want, but you're a thief, 'Ron,' plain and simple. Does your wife even know what you're doing."
"No. She thinks I'm in tech support."
"Huh. That makes you a thief and a liar. A liar to your own wife. If you're earning enough to make a living stealing from people, you must be pretty convincing. You must be a pretty good salesman."
"I guess I am?" he said, almost asking me if I thought he was.
The Long Silence: Part III
"I guess... I just... I don't know..." he whispered, "I don't know what to do, sir."
"Maybe you should quit this shit, stop stealing from people, and go get an honest job, perhaps in sales." I offered, "Then whether or not you come clean to your wife is up to you, but at least come clean with yourself. Get out of there, brother."
"Thank you for your time, sir."
The scams are out there. They take many forms.
Sometimes phishing scams come by email; sometimes they come by fax; sometimes they come by phone or even text message.
Even if it's a phone call, fax, or text, there's no reason to trust it. Call 'em back.
And, if you think you can trust your Caller ID: don't. It's a fools errand.
"Spoofing" Caller ID so that it looks like the call is coming from a different number is trivial. Typically, scammers like 'Ron' really just need a T1 phone line.
After that, they can make the caller ID say anything they want.
In fact, in a lot of ways it's actually easier to fake a phone number than it is to setup a whole fake website to do phishing.
On top of that, nearly all email providers are actively working to thwart the bad guys and prevent their emails from getting through. When was the last time your phone company even lifted a finger to prevent a fake or harassing phone call from getting through?
Add to that, the challenge of getting by the anti-phishing filters built into most Internet Security Suites, and setting up a T1 line is downright easy.
Consider this, too: if you get a call from your bank, and there's a legitimate issue, they'll understand your concern for security, and your wish to call them back.
On the other hand, if the caller gets agitated at this suggestion, it's all the more reason to be suspicious.
I took a call myself from Joyce in Philadelphia late last week. She told me about how she had to wire money to India to get the viruses removed from her computer.
Their pitch to her? Her antivirus software (their fake software) had expired. When she called their so-called tech support number, they told her there was no way they could remove the virus without her making a payment by Western Union to renew the software for another year.
There were problems (of course) with her computer even after she paid the fees, so she was calling to see what the best antivirus software was because what she bought, she felt, sure wasn't very good.
Sure, some readers are going to say, "Why on Earth did she send a Western Union transfer to India?! What was the thinking??"
Let's put that aside for a while and ask the bigger question: Just how prevlent is this crap?
Funny thing is Kasperksy asked this question, too, in their survey/report Digital Consumer’s Online Trends and Risks.
A whopping 24% of users surveyed worldwide said they're encountered fake antivirus software with the worst three countries for "infection" being Russia (48%), the United States (34%), and the United Kingdom (28%).
What's the take-away message from this?
Well, there's more than just one:
- If you've seen fake antivirus software, you're not alone.
- Your chances are about 1 in 4 you will.
- Make sure you're running real antivirus software
- Familiarize yourself with what it's like and how it works
- If you're familiar with it, you're more likely to know a fake threat when you encounter it
Here's my reply: (with a little extra added here for clarification)I'm 73 years old. My grand kids have been getting after me a lot lately. They want to me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Thanks for writing, Martha.
I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)
The first question here is:
Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:
The main risks of viruses are that they tend to be:
- personally invasive
- resource thieves
If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.
On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?
As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.
Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?
The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".
Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spams, probably without you even knowing it.
Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.
As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people--or their computers--to installing their viruses.
How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.
Ironically, just two weeks after his piece, uTorrent (a company offering legitimate BitTorrent software) saw their web servers hacked into and their legitimate BitTorrent software replaced with fake antivirus software.The fake-antivirus business was a big money-maker in the first half of this year.
"Then, at the end of June, fake-AV products practically disappeared from the web.
"Was it technology, or does traditional law enforcement deserve the credit?
As it turns out, the server in question, according to the geek.com piece, was only online with the phony antivirus software/malware for an hour and 40 minutes, from 4:20AM 'til 6AM PST.
A response of under two hours to identify the breach and take the server offline, especially in the wee hours of the morning, is really quite good. (Unless, of course, you downloaded uTorrent in that block of time.)
Here's what one version of the Security Shield fake antivirus software looks like:
(Notice the bad grammar in the fake software's interface,
Protect your PC in new level.)
Matthew Humphries, the geek.com writer behind the story, goes on to say,
I couldn't have said it better myself.uTorrent has now apologized and managed to get their servers back online after removing the rogue files.
"If nothing else this should act as a reminder to everyone to ensure any files you download from the Internet are scanned with a reputable security scanner before being run, as clearly you can’t trust legitimate sites all of the time.
And that, my friends, is why antivirus software is a must.
Even huge companies like Sony have suffered major break-ins in recent months, like Sony's entire Playstation Network (PSN) being taken down for weeks as a result, so even when you're downloading software from a known, trusted source, who's to say their servers haven't been compromised?
Here's what the junk Smiley Hat scam looks like in your facebook account:
Graham Cluley, who wrote the piece for Sophos sums it up, saying,
Here's my $.02....do you really believe that you are going to be sent a smiley hat?
"And who is this un-named company that is planning to ask 750,000 people for their name and postal address?
"Is it possible they are planning to do anything else with that information if you hand it over to them?
And what - seriously - are the chances that they are going to spend the money shipping that many hats to people who don't even know what brand it is that they are promoting.
If it's legit, how are they planning to collect mailing addresses for that many people?
Think about it. Seven hundred fifty THOUSAND people.
Let's assume the mailing cost alone is $2/hat, we'll be optimistic.
You're talking about 1.5 *million* dollars just in mailing costs. Oh, and what brand is being promoted? Who's footing the bill for mailing the hats?
And we haven't even talked about the technology required to track that many addresses, link them to facebook accounts, and ensure everyone has been mailed one (but not several! hats) as it's going to take days--or even weeks--to get everyone to send in their addresses for the hats.
Oh, yah... and what about the cost of the hats themselves?
Even if they're $1 a piece to make, you're still talking about another $750,000 in costs. All with no mention of a brand behind it.
Methinks there's a rat in here somewhere.
As for Vans, Cluely says they're already disavowed the promotion for free shoes with this post to their official Vans Europe facebook page,
What should I doIf you've already liked either of these scams, do yourself--and your friends--a favor and at least "unlike" them. No reason to help the scammers get any further in their ploy to get your personal information.
Next, pay attention to your inbox. There's little question these scammers are looking to get at your email address to send you spam, phishing, and even spear-phishing emails.
Pay attention to what you click in your inbox. Think about what you're clicking on and who might have really sent that email to you.
And, let's remember: Facebook really is an incredible site with a whole world inside. The problem is, there is a whole world inside, good people and scammers alike.
Just because you're "surrounded" by friends in facebook, doesn't mean you get to check your street smarts at the [login] box.
The bottom line here: if it sounds too good to be true, it probably is.
Thanks and credit to Sophos and Graham Cluely for the find and the screenshots.
In nearly all cases, the ads look like legitimate error messages from our computers; in one case it was a fake hard drive failing ad that was made to look like a real error message from Windows.
Whatever the case, and whatever they look like, there will be a few less of them now since in no less than twelve countries (including the U.S. and the U.K.), the FBI and other local law enforcement folks, have raided and shut down one of these malware/scareware gangs.
The BBC has some details of the FBI raid on fake security software gang, but the FBI's own press release has even better info on how they disrupted international cyber crime rings distributing scareware.
Here are some of the best details,
The most important part of this quote is,The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers [emphasis mine] with scareware and sold more than $72 million of the fake antivirus product over a period of three years.
"The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans.
"Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129.
"An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses.
"Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership.
The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans.
Which means the bottom line is that this is not a case where a worm or virus is spreading itself onto people's computers.
Instead this is an old-school con job. Plain and simple.
And, they were good at it, too, given that nearly a million people fell for it.
This type of malware is very, very, very difficult for regular antivirus software to detect, but it is one place where Internet Security Suites and "Premium" versions can offer an advantage.
The ISS/Premium versions typically include malicious website filtering/blocking, so often if you try to go to one of the malware sites when you're running Internet Security Software, the Security Suite can often help protect your PC from infection when someone tries to trick you into installing scamware onto your PC.
No, website filters aren't perfect, but between the website filtering in an ISS and your web browser--assuming you're using a good, modern browser and it's malicious site filters are turned on--you do at least stand a fighting chance.
There have been a couple of different variations on the infection method that MacDefender uses, which I've shown in previous blog on MacDefender removal and on MacDefender spreading on Facebook.
Joel's wrap-up to the piece is great and worth reading. To paraphrase:
- Buy software from reputable places you go to
- Buying software from a popup window just isn't smart
- Educate yourself on what's out there and how to tell
If you were walking down the Las Vegas strip, you'd know a conman from a mile away! When some huckster approaches you with his wares, you get leery--you know better than to deal with them.
You've educated yourself.
Although it took longer than most Mac users would like, Apple finally released a security update designed to remove (and thwart installation of) MacDefender and its similarly named brethren.
Getting the update is a cinch, even if you're unfamiliar with OSX. Here's how:
- Click the Apple logo and choose "Software Update"
You'll then see a window pop-up identical to this one:
- Click "Show Details" (alternately, you can skip ahead and just choose "Install" as shown here)
- If you choose "Show Details", you'll want to look for "Security Update 2011-003" as shown here:
After which you'll want to click "Install [number] item(s)"
Once you have, you'll see:
Followed by a confirmation that the update was installed...
Followed by one last check to ensure there aren't any more updates...
And finally, you'll get a confirmation that your software is up-to-date.
OK, so you've installed the MacDefender Removal & Prevention tool.
How do you know if you've got the malware? And, how do you know if it was removed?
Here are some more screenshots to help you see what OSX is supposed to do now that the MacDefender Removal/Prevention tool is installed.
First of all, let's talk about what you'll see if your Mac has been infected with MacDefender.
Let's be honest, if you see that error message appear, there shouldn't be any confusion, right?
You'll notice the only option here is to hit "OK." There's no other option to get tricked into clicking, and you'll also note that the OS detected and removed the malware on its own.
In other words, there was nothing to buy and nothing to run. It just worked. Great.
The next thing to be on the lookout for whether or not you've been infected is what to look for so that you don't get hit with this thing.
If you do accidentally download the file, you should expect to see this warning:
Interestingly, Apple choose to leave "Open" as one of the possible options. This is great for those of us in the antivirus field, and as crazy as it may seem, some people will click "Open" instead of "Move to Trash."
Sometimes it's accidental. Sometimes it's intimidation about doing the wrong thing. Sometimes it's just clicking away at things hoping to make boxes like this go away. And, sometimes it's outright stupidity.
It happens. We're only human.
So, the last tidbit of insight I can shed on things here is this: Make sure your "Automatically update safe downloads list" is checked as shown here.
You can find it under "Apple > System Preferences > Security > General."
[Editor's Note: Alternately, you can also get the update to remove MacDefender to install it manually, too.]
Given the size of the Facebook network, it should be no surprise to any of us that the scammers are trying to target their next victims here, too.
The fine folks at antivirus software company Sophos have been keeping tabs on the latest Facebook scam, "Baby Born Amazing effect". This particular scam is being tracked by Sophos security researcher Graham Cluley who says,
Messages are spreading rapidly across Facebook, as users get tricked into clicking on links claiming to show an amazing video of a big baby being born.
"The messages are spreading with the assistance of a clickjacking scam (sometimes known as likejacking) which means that users do not realize that they are invisibly pressing a "Like" button to pass the message onto their online friends.
Now the real questions:
- What danger does this pose?
- How do I get rid of it?
What danger does this pose>
The actual danger to a Facebook user is pretty negligible.
The scam is that by tricking people into "Liking" their video, they're able to artificially inflate their Facebook "Like" count. Real "Like" counts tend to grow pretty slowly, so for someone looking to make a mint in Facebook, garnering a lot of "Likes" can bring in real money fairly quickly.
How do I get rid of it
- [See: Image 1]
- Find the offending message on your Facebook page.
Remove post and unlike.
[See: Image 2]
- Go into your profile (top right corner)
- Select "Activities and Interests"
- Remove the "Born Baby Amazing Effect" (and anything else you don't like)
[N.B. We have to give full credit to Graham Cluley and Sophos for snagging these screenshots from within Facebook so we can help people get rid of this crap.]
Just to reiterate, this particular scam doesn't carry any typical virus payload and doesn't pose any threat to your PC. The only threat is in tricking other friends of yours to do the same thing and ultimately in helping a scammer inflate his or her bank account.
The one caveat here is that if you've made your Facebook personal profile information public, you have shared this information with the scammer, so who know what they're up to.
Put another way: you might want to reconsider what information you're sharing publicly within Facebook.
Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but he/she/they haven't.
In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.
According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," that has upped the ante and made stopping it all the harder.
For starters Intego says in their blog post on Mac Defender,
Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.
"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.
Yikes. Auto-download? That sounds a lot like Windows malware to me.
And, here's where it gets really ugly.
Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.
Translation, it downloads on its open and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly looking Mac installer is in front of you. All on its own.
What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.
The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.
What do they do? Click 'Continue,' of course!
What's more, according to Intego, is
Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. [Editor's note: emphasis theirs.]
This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.
In the article, author Ed Bott's [Editor's Note: Botts... an apropos name for someone in Internet security], says,
Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.
"Peter James, an Intego spokeperson, told me his company’s analysts were 'impressed by the quality of the original version.'
"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.
That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.
Then the craptastic response. C'mon. How 'bout disabling the inane Automatically open "Safe" files. That's not really a default, is it?
That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?
Maybe this is going to be a long road after all.
[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:
- releasing a Mac Defender remover as part of their next update and
- having OSX do some sort of realtime intervention if you tried to install the malware.]