Virus threats, E-mail and phishing scams !!

Originally posted on: 9/8/07 at 9:33 am

It's Phishing Time

I almost got hooked the other day by a company trying to find out my personal information through a scam called phishing. Not familiar with phishing? Well, in order to understand what I am about to cover, we first have to understand what phishing means. Read here

for a complete description.

Okay, once you've got that handled, here is an example of what I'm talking about. I was checking my e-mail when I received this message in my Inbox (I removed the hyperlinks for this example):

**PLEASE READ THIS IMPORTANT EMAIL REGARDING YOUR LISTING(S)**

We would like to let you know that we removed your listing because the intellectual property rights owner notified us, under penalty of perjury, that your listing or the item itself infringes their copyright, trademark or other rights.

We have temporarily suspended activity on your account in order to allow us to investigate this matter further. If you believe that this action may have been taken in error or if you feel that your account may have been tampered with, please contact our Live Help team so that we can provide additional information and work with you to resolve this issue.

We have credited any associated fees to your account. We have also notified the bidders that the listing(s) was removed and that they are not obligated to complete the transaction.

If you believe your listing was ended in error or have questions regarding the removal of this listing, please click here or contact the intellectual property rights owner directly at: Entertainment Software Association.

Ebay is available to answer questions, but since it is the rights owner that requested the removal of your listing(s), we encourage you to contact them first.

For more information on Ebay's cooperation with rights owners through the VeRO Program and a list of rights owners that have created About Me pages, please visit:

htps;//pages.ebay.com/vero-removed-listing.html
htps;//pages.ebay.com/help/community/vero-aboutme.html

Thank you for your cooperation.

Regards,

Customer Support (Trust and Safety Department)
Ebay, Inc.

Well, to someone who doesn't know any better, this may look like a legitimate e-mail. So, they would probably click on the links and fill out their personal information. Unfortunately, that is the wrong thing to do, because that is the whole purpose of phishing. If you do that, you're giving the hackers exactly what they want.

Phishing typically comes in the form of e-mails targeting a recipient. There are some scams that just ask the person to update their information, but this specific one was informing me that the activity on my Ebay account was temporarily suspended and that I needed to visit the links they provided.

Well, when I clicked on the link above, this is what I got:



The picture above looks like an Ebay sign up, but take a closer look at the Web address it gave me when I clicked on it:



If you look at that link, it's obvious it isn't from Ebay at all. This is often called a spoof link. It cloaked the true destination of the link. So, a good way to tell if it is a legit site or not is to look where the link takes you in your browser's address bar.

The actual Web page above would be what we would call a hoax Web page. This term simply means that the page is made up of graphics stolen from the actual Web pages and an interface made up to steal a person's identity.

So, what happened when I clicked on one of the links? Well, it took me to the sign in page shown above, which is the hoax Web page that this particular Ebay scam uses. That page is a gateway that someone created and tailored to make it look like a legit Ebay page, just to get your personal information.

If I would have went through the entire form and actually filled everything out and sent it in, it wouldn't have gone to Ebay. Rather, it would have went to whoever is behind this scam. As a result of me falling for this scam, someone would now have all the information they needed to commit identity theft, using my good name. A good name and a good credit history that took me a lifetime to build up, could be all destroyed in the blink of an eye and that is very scary to even think about.

So, the best thing to do to avoid falling for a scam like this one is the following:

You need to look for any kind of spelling or grammatical errors, because that is a real tip off. If they don't know their English very well, there will, more than likely, be some errors. Also, if it asks you to fill in information regarding your bank account information or even your username and password, it's fake, because Ebay (or any other sites, for that matter) would never ask for that kind of information.

If it asks you to verify your username or password, it is most likely not a genuine site. If it asks you to do this, just type in the URL that it's known to be associated with and any information they want you to verify will be brought to your attention. Be sure to look at the hyperlinks for any weird characters or anomalies that you normally wouldn't see in a Web address as well.

With this information in hand, you will be able to see through e-mails like these for what they truly are: a scam. I tend to follow a general rule of thumb if I get e-mails like this. I just log into my account from the known Web address and check my account to see if I do actually have any issues that need to be addressed.

Lastly, please keep this in mind: If Ebay needed to contact you, they would have a message appear when you log into your account informing you of anything that needs your attention. If you find one of these e-mails, please inform the legitimate company's help line or IT department as soon as possible.

If you have any questions, contact Ebay and address it as pertaining to the phishing scam you received and/or your account.

Until next time, keep your shields up!

~ Shawn

Originally posted on: 9/1/08 at 10:27 am

Q:
I know this is kind of an odd question, but do you have any statistics on the phishing attacks that hit in the year 2007? I was just wondering how everything ended up with them. Thanks for any information you may have!

A:
That's actually a great question and I'm sure you're not the only one out there who has been wondering the same thing. As a matter of fact, I saw some interesting information about phishing attacks awhile back, but I didn't know if you all would be interested in it or not, so I passed it by. But when I saw this question in my e-mail the other day, I figured there were at least a few of you who wanted to know about it, so this one's for you!

So, I guess we might as well get right into it. According to a survey conducted by Gartner market researchers, 3.6 million U.S. citizens were victims of various phishing attacks in the year 2007. Wow, 3.6 million! Can you even imagine? Plus, in the mix of all that, 3.2 billion U.S. dollars were lost as well. That's extremely higher than last year's statistics, which amounted to a loss of 2.3 billion dollars. And as you can probably tell, it's only going to get worse from here on out.

Now, there is one positive note in all of this. In 2007, the average loss per individual person was lowered to $886 from $1,244 in 2006. While that's good news, in the whole scheme of things, the overall damage increased because so many more U.S. citizens gave in to the phishing attacks. The survey also said that most of the phishing attacks came in disguise under the eBay and PayPal names. Of course, there are several others looming around the Web today, but those two seemed to be the most popular last year.

The Gartner company went on to explain that most phishers go for debit card numbers and bank account information first. They said the security measures for that kind of data are a lot less strict than credit card information. And since a lot of people give out that information for their eBay and PayPal accounts, there's no easier way for phishers to get ahold of our personal information.

Gartner said they believe the same kind of phishing attacks will continue to increase until at least 2009. They may even go beyond that unless e-mail providers start to take firmer action against malware. All in all, I know this information is a little scary, but if you continue to use common sense when you're going through your e-mail or when you're signing up for a new online service, you will be just fine. As always, just be cautious of the e-mails you're opening and if something looks suspicious, just delete it. If you use certain Web sites like eBay and PayPal, just make sure you're logging in under a secure connection. If you pay close attention to everything you do online, you will be as safe as you can be.

Plus, if you're not part of that 3.6 million statistic yet, you must be doing something right!

~ Erin

More on IRS Phishing Attacks

I'm sure you all know it's tax time again, right? As we all battle the hassles of doing our taxes, some phishers have decided to take advantage of this time of year. As you know, phishing is the act of sending e-mail or other communications with the intent of trying to get personal information from an individual. Since it's tax time, it's the perfect opportunity for phishers to pretend they're the IRS. They will send an e-mail that appears to be from the IRS. They will ask you to click on a link or reply to an e-mail and provide your personal information, such as your social security number, birth date, tax payer IDs, bank account information and so on.

The IRS has reported that phishing scams using their name has gone up nearly 12 times the amount of last year. The IRS has also said that they have shut down nearly 1,700 phishing Web sites that claim to be part of their service. This issue has grown to be a huge problem. With these threats at an all time high and identity theft also being a major issue, it's important not to fall as a victim to one of these attacks.

Protecting yourself from these types of attacks can be tricky though. Many attempts at phishing your personal information will seem very real. They will appear to be a legitimate e-mail from the IRS asking for your information. The links in the e-mails will take you to Web sites that appear to belong to the IRS, which is why they have made a very clear policy for e-mailing. The following is a quote from the official IRS Web site:

“The IRS never sends out unsolicited e-mails and under no circumstances, requests credit card information and pin numbers through e-mail. Persons receiving e-mails that claim to be from the IRS should not attempt to visit any site contained within the e-mail and should report suspicious e-mails to TIGTA or the IRS.”

If you feel you have received a phishing e-mail that claims to be from the IRS, you should not delete the e-mail. Rather, you should immediately forward it to the phishing@irs.gov address. Doing that will help the IRS find and prosecute the people who are creating the phishing attacks. It will not only help you to stay safe, but it will help others remain safe as well. Until next time, stay safe out there, my friends!

~ Gary

MonaRonaDona - Another Security Tip

I have received a number of e-mails and calls about a new threat called MonaRonaDona, so instead of a download today, here's another security tip for you! The MonaRonaDona is a virus that will stop certain programs from running correctly and it will put a message on your Internet Explorer screen that says "MonaRonaDona." If you search on the Internet for a fix to this issue, you will most likely come across a program called Unigray Antivirus, which claims to be the best program to fix this issue.

All I have to say is, "Do not buy the Unigray Antivirus!"

You see, the MonaRonaDona virus is not a virus at all. It's actually just an elaborate scam. Unigray Antivirus will only fix MonaRonaDona and it will not protect your computer in any other way. It is speculated that the makers of MonaRonaDona are also the makers of Unigray Antivirus. This is a very clever way to make money from unknowing users.

So, now that you know about this scam, please don't fall for it! If you become infected by MonaRonaDona, don't panic. Just follow the steps below to get your system back to normal.

First, you will need two free programs from the Internet. One is called HijackThis and the other is called OTMoveIT2. Save both of these programs to your desktop or some place that's easy to find. You can get HijackThis here and OTMoveIT2 here.

After saving them to your computer, follow these steps very carefully:

1.) Go to the location where you saved HijackThis. Double click on it and install it. After the installation is done, run the program (there should be a new icon on your desktop for it).

Next, select System Scan Only.

Place a checkmark next to these items (if found):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O4 - HKLM\..\Run: [.NET.] \FUD.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe

Click Fix Checked and when it finishes, go ahead and exit HijackThis.

2.) Go to the location where you saved OTMoveIT2 and double click it. (If you're using Vista, right click on it and choose Run as Administrator).

Copy all the information found below. Highlight all of it, right click it and choose Copy.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\\Window Title
C:\Program Files\RegistryCleanFix2008
C:\Program Files\UniGray Antivirus
C:\Documents and Settings\All Users\SRVSPOOL.EXE /S /D
C:\Users\SRVSPOOL.EXE /S /D

Next, return to OTMoveIt2 and right click in the "Paste List of Files/Patterns to Search For and Move" window.
Important: Paste only into the bottom input panel (under the yellow bar). The top panel will not help you. Then just right click and choose Paste.

Now, click the red MoveIt button and wait several minutes. When it's finished, look in the large right hand panel that says Results. You should see that at least the principal infector files were deleted and whichever applicable registry changes were made. (They may not all apply in your case). Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately, you may be asked to reboot your computer to finish the move process. If you're asked to reboot, simply choose Yes.

Now, double click and open OTMoveIt2 again. Click the green Clean Up! button at the top. (Note: It will need to access the Internet to download a small script file, so please allow your firewall to do so).

When it finishes, it will have deleted all of its quarantines, as well as, the OTMoveIt2 program and all the folders it created. Then just reboot your computer to finish up.

These steps should remove any signs and symptoms of MonaRonaDona. Stay safe!

~ Gary

Trojans: Still on Top

Do you often wonder where different types of malware stand in comparison to each other? For instance, are Trojans more dangerous than spyware or is it the other way around? I don't know about you, but I spend a lot of time thinking about which one is the worst when it comes to the damage it could do to my computer. Well, today, I've got all the answers you've been looking for and more. Keep reading for all the details!

According to ActiveScan (Panda Security's online scanner), Trojans accounted for 23.70 percent of all infections found during the month of February 2008. Yikes! On a good note, the same test was done for the last few months of 2007 and the percentage has decreased since then, but the results are still a little scary. On the other hand, worms came in second for the most active malware in February and that number jumped from 15 percent to 17.60. Adware stayed about the same though, clocking in at 20.71 percent.

Even more, as far as the most active malicious code goes, first on the list is a Trojan called Downloader.MDW, which is designed to infect computers with several different types of malware at once. Second on the list is a worm called Bagle.RC and coming in third is another worm that goes by the name of Lineage.GXD. It's hard to tell where all of these Trojans, worms, etc. come from, but as long as you keep your computer secure, you'll be just fine. You can do that by running all of your scans (antivirus, spyware, etc.) on a regular basis. Be safe!

~ Erin

Viruses: The Good and Bad

Today, I have some information about viruses, spyware and other malware. Listen up!

Did you know that the number of malware programs on the Web today is predicted to increase to one million this year? Yikes! The number of bad programs continues to grow at an alarming rate, but that's actually some good news! That's right, I said one million viruses is good news. Here's why!

It seems as if the numbers are growing so quickly because fewer malware programs actually get the chance to infect a user's PC. With antivirus, anti-malware and anti-rootkit software doing better and better as time goes by, the chance of a new threat ever reaching your computer is dwindling down. Because of that, people who write those nasty programs are being forced to write them faster and faster in order to keep up.

According to stats by Sophos, a leading threat researcher, 85 to 90 percent of malware families have a fix created almost immediately. Also, e-mails with viruses attached have less of a chance of getting through to your computer. In the past, one out of 40 attempts would successfully infect your computer. Now, that number is one out of 1,000. That is great news for all of us! That's even more of a reason to keep your protection up to date. It just shows that we're all doing much better at keeping viruses at bay. Let's keep up the good work and give those virus makers a run for their money!

Until next time, stay safe out there, my friends!

~ Gary

Kraken Botnet

Over the past year, we here at WorldStart have written many times about the Storm Worm. This worm has become well known worldwide because of its ability to infect computers and remotely execute commands, without any detection by normal antivirus software. Well, until recently, the Storm Worm has been the "big one" to look out for, but now, there's a new botnet on the loose that's causing even more havoc. It's called Kraken.

The Kraken botnet is very similar to the Storm Worm in how it infects computers. It is a decentralized set of botnets that infect computers and send out spam e-mail, but Kraken is quickly becoming more of a threat. According to some of the first data found on this worm, it has infected nearly twice the amount of systems as the Storm Worm. Researchers at Damballa also said it has infected nearly 400,000 systems, including at least 50 Fortune 500 companies.

As of right now, there is no protection against the Kraken botnet. It changes its code very quickly and is able to avoid detection by antivirus software. The good news is, now that this worm has been detected and made public, antivirus and anti-botnet companies can begin finding a way to fight against its attacks. In time, there will be a fix, but it will take awhile to slow this one down.

So, as always, I will keep you posted on this new bug and let you know as soon as a resolution arrives. For now, keep your eyes peeled for any strange activity on your system. Some antivirus software programs are detecting Kraken as an “Unknown File,” so if you see that, you should quarantine the file immediately. Also, since this botnet sends out spam, you might see strange activity in your e-mail, including a high number of returned e-mails and a slow connection. If you see those signs, you should update your antivirus software and run a full system scan just to be safe.

Until next time, stay safe out there, my friends!

~ Gary

New Ransomware on the Loose

I'm sorry to be the one to break this to you, but I have some bad news on the security front today. Do you remember a few months ago when I wrote about ransomware? Ransomware is basically a virus that takes over your computer and demands you to pay the creator of the virus for a code that will bring your data back. Most of the time, viruses like that are more bark than bite. They're usually fixed rather quickly by antivirus companies that figure out the codes needed to unlock your data. Well, at least that was the case up until now.

Just last week, researchers at Kaspersky found a new ransomware virus that is on the loose and is very dangerous. The virus is called Gpcode.ak and it's a type of ransomware that has no fix as of yet. Gpcode.ak will infect your computer and encrypt all of your personal files with a 1024 bit security key. Kaspersky has said that it would take a supercomputer to figure out the code for this one.

People who are infected with Gpcode.ak will see a screen that says something like this: “Your files are encrypted with a RSA-1024 algorithm. To recover your files, you need to buy our decryptor. To buy our decrypting tool, contact us at ********@yahoo.com."

As I mentioned above, there is currently no fix for this virus, but if your computer becomes infected with it, you can help! Kaspersky is asking for anyone infected with the virus to contact them immediately. That way, they can use your experience to try and find a solution for this nasty virus.

Now, if you become infected, Kaspersky is asking you to do the following:

Contact the Kaspersky Lab using another computer connected to the Internet. Do not restart or power down the potentially infected machine.

E-mail Kaspersky at stopgpcode@kaspersky.com with the following information included:

* Date and time of infection.
* Everything done on the computer in the five minutes before the machine was infected, including programs executed and Web sites visited.

The Kaspersky Lab will then try to recover any encrypted data.

Kaspersky analysts are continuing to analyze the virus code in search of a way to decrypt the files without having the private key. Until a solution is found, it's recommended that your anti-malware programs are set to their maximum security and that extra care is taken while browsing the Internet and reading your e-mail. Until next time, stay safe out there, my friends!

~ Gary

Socially Engineered Attacks

Do you use the popular social Web site of Facebook.com? I'm sure if you don't, you probably know someone who does. Facebook is one of the best Web sites out there for keeping in touch with friends and family. You can share your interests, pictures, ideas and happenings with everyone you know on the site.

Now, I'm sure if you've read any of my other articles, you know I'm not writing this just to tell you how great Facebook is. The reason I'm talking about Facebook is because of a security issue that has popped up.

It seems as if hackers have found a way to get into your computer using Facebook. Now, don't worry too much, because this isn't some magic trick they're pulling. Hackers are using a method called social engineering to pull off the attacks.

Here's what happens: a hacker either creates a Facebook account or somehow steals someone else's account. They then post messages on a very popular part of Facebook, called "the wall." The message looks like it's from a friend and it has a link to a funny video. If you click on the link, you're taken to a malicious Web site that infects your computer.

It's not a very complicated process. If I wanted to, I could make an attack like that happen. What makes this type of attack interesting is that no security software could ever protect you against this. That's why it's called social engineering. The only reason why the attack works is because the victim feels safe clicking on a link from a friend on Facebook.

The attack on Facebook is just an example of social engineering. This type of attack could happen anywhere: e-mail, newsgroups, other social Web sites, message boards, etc.

That's why it's so important to always be on the lookout for tricks on the Web. Sometimes it takes a computer genius to create a virus, but sometimes it doesn't. Until next time, stay safe out there, my friends!

~ Gary

XP Antivirus 2008

I'm willing to bet that a lot of you started groaning as soon as you read the title for today's Quick Tip. Several of you have been e-mailing me the last few weeks about the XP Antivirus 2008 ordeal, so I figured it was about time I go over it. I know the whole issue has put many of you in a panic, but I have some information for you today that I think will help calm you down. Let's get right to it!

First of all, let me explain a little about what XP Antivirus 2008 really is. It's basically one of the latest scams to hit the Web. It's a fake antivirus program, but it looks so real and it has fooled a lot of computer users. It usually starts showing up after you've downloaded a video (or something similar) that supposedly has a virus attached to it. You are then urged to install XP Antivirus 2008 to get rid of the malware. That is, after you pay for it, of course. Once you shell out your money and install it, it starts popping up false virus alerts and fake scans. It also takes up a lot of your system memory and makes your computer almost impossible to operate.

Now, if you have fallen for this scam, don't feel bad. You're definitely not the only one. It's awful that things like this even happen, but they do, so you just have to deal with them. Luckily, there's a rather simple way to remove XP Antivirus 2008 from your computer. The directions are pretty lengthy and I didn't want to take up all that space here in the newsletter, but you can find three different removal methods on this Web site. The first one is already on the page for you and the links for the other two can be found down below. Just make sure you follow the instructions very carefully and before you know it, you'll be rid of this nasty scam for good!

~ Erin

New Spam: From CNN and MSNBC?

I have received several phone calls this week from readers saying they have been getting a ton of spam e-mail from CNN and MSNBC. The e-mails have headlines indicating they are breaking news alerts from either of the very popular news companies. Now, I'm sure all of you are smart enough to know that CNN and MSNBC would not actually send out spam, but where are the e-mails coming from?

Well, the e-mails are an attack from a botnet. Currently, several Web sites have been taken over by the worm and they are sending out millions of e-mails a day. While the e-mails look like they are from CNN and MSNBC, they're not.

If you receive an e-mail from CNN or MSNBC, do not read it! You should immediately delete those messages and mark them as spam. Reading those e-mails and clicking on the links inside will put your computer at risk. You will be prompted to install a file that says it's an update for the Flash player. That's actually a virus. Installing that program will infect your system and turn your computer into a spam machine.

Usually, I would say you should report the issue to the company that is being spoofed, but in this case, they're already very aware of the issue. Just hang in there and the messages will stop once the offending computers are taken offline and disinfected.

If you have been fooled into installing the "Flash Update," you should run a full virus scan immediately. Until next time, stay safe out there, my friends!

~ Gary

Antivirus 2009

Just a few weeks ago, Erin wrote about a fake antivirus program called XP Antivirus 2008. That program forces itself onto your computer and starts causing all kinds of trouble.

Now, it looks like there's another program out there doing the exact same thing. I have received several phone calls and e-mails about a program called Antivirus 2009. That program does the same thing XP Antivirus 2008 did. If you go to an infected Web site, you'll be bombarded with pop ups asking you to install the program. It will seem like there's no way to get rid of the pop ups besides installing the program.

First of all, do not install Antivirus 2009. If you go to a site that's trying to make you install it, you should close your Web browser immediately. If you need to, press Ctrl + Alt + Del on your keyboard and click on the End Task button. If that doesn't work, shut your computer down. Do whatever it takes to get rid of the pop ups, but do not install the program.

Antivirus 2009 is not only infecting computers, but it's also infecting Web sites. It will gain access to a site and then spread to users who visit that site. It will also change the site so that it gets better search results and appears under searches for antivirus software and virus removal. Keep an eye out for sites that offer it and stay away from them! It will take time before those sites are repaired and back to normal.

If you're already infected with Antivirus 2009, there is some good news! It looks like there's a pretty simple way to remove the bug. All you need is a program called Malware Bytes Anti-Malware. The basic version is free and you can download it right here.

Install the program and then run the Quick Scan. (Note: The Quick Scan isn't necessarily quick. It took nearly 30 minutes on my computer). After the scan is complete, a message will pop up and tell you it's done. Click OK.

Next, you will see a list of all the malware it found. They should all have checkmarks next to them. Just click on the Remove Selected button and it will remove all of them for you.

After that, a page will pop up telling you exactly what it did. You can save it if you want, but you don't have to.

That should be it. Just close the Malware Bytes program and the Antivirus 2009 bug should be gone. Until next time, stay safe out there, my friends!

~ Gary