Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« October 2010 | Main | December 2010 »

November 18, 2010

Facebook Ruse Yet Again Permalink

Today has seen a flood of malware being attached to spam claiming to come from "Facebook Support." The message Subject: lines vary a bit, but the ones I've seen all reference something to do with ones account being suspended or password being reset. The recipient is urged to open the attached .zip file to obtain new login credentials.

Here is a message body example:

Good afternoon!

A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.

The attached files have random numbers at the end of their names, but all begin with Facebook_document_Nr.

Facebook has been a huge target lately for all kinds of nefarious activity. Add to that the system's privacy and security settings that change more often than you change your socks, and it's hard to know what's what over there. One thing is certain: If you receive any email concerning your Facebook account or password — regardless of who is shown in the From: field — it's more than likely to be a fake. If you're uneasy about any potential account problem, simply log into your account through normal means (through the bookmark you have previously recorded). If there's a genuine problem with your account, you'll learn right there. In 99.999999% of the cases, everything will be fine because the email you received was fake, fake, fake.

Posted on November 18, 2010 at 08:41 PM

November 11, 2010

Bank of America Phishing Permalink

It has been awhile since I followed a phishing link, so upon receiving a few Bank of America phishing email messages today (and after verifying that the pages aren't harmful on their own), I thought I'd look to see what today's phisher is up to.

Bank of America logins normally have a two-stage verification process. On the first page, you enter your user ID; the second page then has what they call a Site Key, which is a photo that you had previously chosen from a group provided by BofA and some text that you enter. In theory, you are supposed to remember to verify that the image and text are the same that you had chosen/entered before typing in your password. One potential problem with this system, IMHO, is that the login process becomes so automatic for users, that most probably don't bother to verify the image/text combo, but use muscular memory to whiz past the second page by blindly entering their password.

But that's another story.

I was curious whether this phisher was doing anything to replicate the Site Key login process. A successful mimic would likely mean that the phisher was performing a man-in-the-middle type of attack, which is very difficult for typical users to identify (and more complex for the phisher). In this case, however, the phisher took the easy way out, providing a single-page verification form.

And what a form! If someone supplies the information requested — nay, demanded, since all fields were *'d as being "required information" — losing everything in their BofA accounts would be only the beginning of their identity theft troubles. Look at this list of fields:

  • State (popup list)
  • Online ID
  • ATM or Check Card PIN
  • Passcode
  • (checkbox)Credit/Debit Card
    • Credit/Debit Card Number
    • Exp Date (popup lists)
    • Code Verification Number
    • Pin Number
    • Full Name
    • Address Line 1
    • Address Line 2
    • City
    • State (popup list)
    • Zip [sic] Code
  • (checkbox)Checking or Saving Accounts Detail
    • Account Number
    • Routing Number
  • Phone Number
  • E-mail Address
  • E-mail Password
  • Social Security Number
  • Date of Birth
  • Mother's Maiden Name
  • Mother's Middles [sic] Name
  • Father's Maiden Name [sic]
  • Father's Middles [sic] Name
  • Driver License Number
  • SiteKey Challenge Question 1 (pop up list)
  • Answer of Question 1
  • [The above repeated through Question 6]

What? They don't demand my shoe and hat sizes? It's also going to be kinda hard to supply my father's maiden name, since he never was a maiden.

This page, which has plenty of graphical hallmarks of a legitimate BofA web page, is being hosted within hijacked legitimate web sites. An image claiming the page to be a "Secure Area" doesn't match the lack of an SSL connection. The form data is passed along to a PHP program — a remailer called ZolaHacker.php — inserted into the site by the hijacker. In other words, the crook doesn't have to go any further than checking his inbox to pick up the phished data. Unless he's really stupid, I'd wager that the destination inbox is for a free email account with phony registration data.

There really isn't anything new here. A phisher was a phisher will be a phisher.

Posted on November 11, 2010 at 11:19 AM

November 08, 2010

Buy-A-Degree College Education Permalink

As an iPhone app developer, I initially misread the Subject: line of an email message:

Subject: Applications via Phone

My brain turned it into "Applications via iPhone", which was strange enough. What this message was trying to convey, however, was that a company was opening up an application period for a program that would help me earn (yah!) a university degree with transcripts. The message contained so much crap that I thought I'd repeat its body here along with my annotations [in brackets].

eAdult Education
[Oh, that famous university?]
Phone Applications are beginning Monday November 8th.
[Oooh, that's today. Wow, how lucky. Now, you wouldn't just be filling in the date via a wildcard in your email template, would you?]

Our Educational Advancement program is once again being offered to select applicants.
[Again, I'm lucky to get invited to be a select applicant...along with the other 10 million recipients of this message.]
This program will earn you a QUALIFIED degree w/ transcripts.
[You know, "qualified" has a few meanings. One of them is: "make (a statement or assertion) less absolute; add reservations to". Hmmm.]

-Must have previous work experience/knowledge in degree of choice.
[That way, if I can trick my prospective employer into believing my bogus degree is valid, I can bullshit my way through the interview with a few buzzwords.]
-Must be at least 25 years of age.
[Doogie Howsers of the world need not apply. No chemical engineering degrees given to 17-year olds.]

Accepted applicants will obtain a fully qualified university degree within a 4 to 6 week period.
[I hope they don't lose my paperwork and set up business elsewhere during that period.]
Transcripts and other supporting materials will be included.
[I can really visualize my transcripts. Sugar plums are dancing in my head!]
No studies, homework or class-time will be required.
[Whew! I'd hate to have to exercise any part of my brain for a college degree.]

Area Code:602 Phone:[removed]


Robert Merchant
Educational Consultant
eAdult Education

The only degree one can earn from this outfit is B.S. in con artistry.

Posted on November 08, 2010 at 06:02 PM