Last week, the Company revealed that the hackers had gained access to it’s systems by way of a “back door” installed on the terminals of several employees. Once they had “remote control” of these computers they were able to search through data across the network to steal the information they were looking for.

So how did the hackers get in?
GeekSpeak on
Several employees received an email with an Excel spreadsheet named “Recruitment Plan 2011″. The spreadsheet contained an embedded Flash object which exploited a known vulnerability (now patched) and installed a remote access program called “Poison Ivy”, which then allowed the hackers to gain control of the computer. GeekSpeak off

OK, so how did they know who to target?

This is where the whole social networking thing comes in. The hackers carefully researched their targets through analysing publically available information on social networking websites. Once they had their names, contact details and crucially what department they worked in, it was easy to launch an attack that would have the best chance of success. Reading between the lines, it would seem that in this case, the targetted individuals had some function in the HR department, hence the “Recruitment Plan” spreadsheet containing the trojan.

So could they target you?

The simple answer is “probably”. If your business uses email or the Internet for any purpose, you could be the next target. Just because RSA was a high profile “mark”, it doesn’t mean that all victims of this sort of attack are huge Companies. In this instance, the hackers were after sensitive data. They could just as easily have taken control of the network to host illegal websites, send spam or collect usernames and passwords for online banking accounts.

By posting details of their job, employer and corporate contact details on social networks, your staff could be making it easier for scammers and hackers to target them at work, using carefully crafted emails to lower their defences and trick them into opening virus-laden attachments.

What can you do to protect your business?

Train your staff in spotting and dealing with phishing emails and other email scams (and if you don’t know enough about them yourself, contact us or buy our book!). The first rule is this: Don’t open email attachments unless you are expecting the email, the attachment is referred to in the body of the email and you have verified with the sender that they intended to send the attachment.

Consider talking to your staff about the information they share publically to avoid becoming a target. Do they REALLY need to be on that business networking site? Is it essential to their function or just an ego-trip collecting “connections”? Do their Facebook friends not already know where they work and what they do?

Remember that RSA is a major provider of security solutions, with 90% of Fortune 500 Companies using their products and services. If they can fall for a simple “social engineering” scam, then so could you.

Blatant Sales Pitch: “Spammers, Scammers & Social Engineers: A Scam Detectives guide to keeping your business safe online” is now available in paperback for only £9.99 plus p&p (or to download for £7.99) here. It’s written in plain English with a minimum of “geek speak” and will help you and your staff to recognise and avoid common scams and ripoffs that could affect your business. For less than a tenner you could save your business thousands.

Occasionally Clear as Crystal is approached by students from the local University looking for work experience placements, so it was no surprise when we received an email this morning from a parent of a boy scheduled to start a web design course in September, asking about private tutoring to prepare him for the course. Initially, all seemed to be in order, but it very quickly became apparent that all was not as it seemed.

The email exchange was as follows:

Good Morning,

How are you doing today and I hope you and our family had a memorable holiday season? I am looking for a private tutor for my son who is due to attend Glyndwr University in September. Ethan want to be a web designer and I want someone to prepare him for the first year syllabus covering HTML, CSS & AJAX as we all know this is a core requirement in web design.

If you are available, kindly get back to me with your hourly rates and hopefully we can go from there.

Regards,
Annabelle

I replied:

Dear Anabelle

Thank you for contacting Clear as Crystal. I am pleased that your son has chosen a career in web design and would be happy to help him to prepare for his degree course. Glyndwr is an excellent University and I’m sure that Ethan will do very well there.

My usual hourly rate is £30 but this is negotiable if you would like to discuss paying for a block of tutoring hours in advance.

To discuss this further and to commence planning of Ethan’s syllabus, please call me on (*****)*******

Kindest Regards,

Charles Conway
Clear as Crystal Web Design

10 minutes later:

Good Morning Charles

Thanks for getting back to me with the information I asked for anyway, I would like to know if there will be any other expenses that I am not aware of as I would like to make all arrangement including payment prior to commencement of his tutoring.

My husband and I have agreed to start with you for an initial 6 week period 4 days a week for 8hrs, 2 hours a day. From my calculations that would cost us £1440. However this could continue depending on the progress you are able to make with him.

You mentioned a negotiable rate for advance bookings. Please advise of your best possible rate for advance payment.

Thanks Again
Annabelle
NB: My sister in-law lives close to Glyndwr, so I am thinking that the University library or an on campus cafe will be a good place to hold the lessons

My reply:

Dear Annabelle,

Thank you for your email. I would like to thank you for placing your trust in Clear as Crystal to tutor your son at this most important time in his education.

As you have committed to a significant number of tutoring hours, I will be happy to offer you an advance payment discount of 15%, which equates to a total figure of £1224.00

Ethan will require a number of text books, however these will not differ from his University set texts which you will be purchasing anyway, so there will be no additional charges or expenses incurred.

Please let me know how you would prefer to make payment. I can accommodate payments by cheque, bank transfer or by Credit/Debit card via Paypal.

I look forward to hearing from you,

Kindest regards,

Charles Conway,
Clear as Crystal Web Design

Almost immediately this came back:

Dear Charles

Ethan will be coming along with his study books but you can go ahead and bring any that you think will be helpful and we will reimburse you for them. I spoke to my husband about your rates and at this point,I’m most delighted to say we have a deal!

I want you to know that my husband and i had initially hired a private tutor for Ethan and he was supposed to tutor him for three months which we already paid him upfront for but just before we concluded on lesson days and time,he lost his wife and decided to quit teaching and take proper care of his family but he has long agreed to have my money sent to any alternative teacher who’ll be handling Ethan with his lessons.
The payment you will receiving is the amount of £2,850. I’ll need you to deduct your fees for Ethan’s lessons as agreed at (£1224) from the funds received and have what’s left sent out via western union to pay for Ethan’s accommodation and travel costs.

If this OK Charles, I’ll need you to provide me with your full name as to be written on the payment,your contact address(where the payment will be sent to and your phone number and I’ll instruct to have the payment issued and sent out to your location asap.
OK then have a great day and get back to me and i can make relevant arrangements duly then.Also anytime or day of the week that suits you best for lessons works just fine with us as Ethan’s schedule for now is fully open.
Regards,
Annabelle

I replied:

Dear Annabelle,

Thank you for your email. Unfortunately I am unable to proceed with the payment method you have described as my accountant would have a fit! Please arrange for Ethan’s previous tutor to send the money back to you and issue a cheque to me for the agreed amount only.

Kindest Regards

Charles Conway
Clear as Crystal Web Design

This email exchange started at 9.00 this morning and ended with my last reply at 11.00. I don’t expect to hear from Anabelle again. You see, this whole scenario is a scam.

How does the scam work?

Basically, it’s an overpayment scam more commonly seen on classified advertising websites such as Craigslist or Gumtree, or on Ebay.

The client arranges to make a payment by cheque which by some pretence or other will be for way more than the price agreed, and you agree to deduct the payment amount, sending the balance to a third party by Western Union.

In reality, the cheque that arrives on your doorstep is a result of another scam, or from a stolen bank account. Once the cheque’s cleared and you’ve sent on the balance, the bank will discover the fraud and withdraw the full amount from your account. Not only will you be significantly out of pocket, but your financial affairs will come under scrutiny from the police, as you’ve just been implicated in a fraud.

How can you avoid being taken in?

Whatever you’re selling, however you’re advertising it, you should be aware of the existence of this scam. NEVER accept a payment for more than the amount you’ve agreed with the buyer. If a cheque arrives that’s for a larger amount without prior discussion, don’t bank it and inform the buyer that you are cancelling the transaction.

If you’ve been a victim of an overpayment scam, you should immediately report it to report it to Action Fraud

We’re pleased to report that the site has now been shut down and we’d like to thank our friends at Privacy Protect and UK2 for their help and support in achieving this great result.

How did we do it?

After we’d proven that the website was fake, we checked the whois data for the website and found that it was protected by “Whois Privacy”, a service which (whilst having genuine uses) is often used by scammers to hide fake registration details and slow down investigations into the origins of their scam websites. A quick report to Privacy Protect was enough to remove this privacy, as the website was clearly in breach of their terms and conditions forbidding unlawful activity.

Once the whois privacy was lifted, we were able to ascertain two key points:

1. That the sponsoring registrar for the domain was UK2.net
2. That the whois details were false, in violation of ICANN regulations

This enabled us to submit abuse reports to both ICANN and UK2.net asking them to intervene and shut down the website.

We’d like to thank the abuse teams at PrivacyProtect, ICANN and UK2 Group for their swift action in processing our report and getting the site shut down.

A drop in the ocean

Unfortunately, this is only one of many websites that solicit donations to fake charities. We can’t shut them all down (much as we’d love to) because of the time and effort that it takes to find, investigate and report them. We are looking for corporate sponsors for Scam Detectives to help us fund our work.

If you’d like to help, please contact us via Twitter (http://www.twitter.com/scam_detectives) or by email at charles(at)scam-detectives(dot)co(dot)uk

Thanks again to everyone who helped to get this vile site shut down.

I just got off the phone with a scammer. Yes, another one.

What were they trying to sell me?

The call came from a young lady who identified herself as a “registrar for the internet”. She told me that a rival company had tried to register ten domain names, which were all similar to my domain and company name.

A matter of principle

Her script was well crafted to instil panic. She’d apparently received the registration request and had “smelled a rat” because she recognised my brand. “As a matter of principle” she’d decided to take it upon herself to call me and offer me the opportunity to register these domains to stop the rival firm from hijacking my brand name and passing themselves off as me. I could register the ten (.co.uk) domain names for 10 years to secure them long term for only £1,000 + VAT. All she needed was my credit card number and she’d put it in place straight away.

What’s the scam?

Most of us are fiercely protective of our brand. We’ll go to great lengths to protect it and the suggestion that someone else is trying to use our brand name to promote a rival business is enough to throw us into a flat spin panic. The scammers know this, and that’s the hook that they use for this scam. The truth is that nobody tried to register these domains, and the scammer is simply trying to sell them to you at over-inflated prices (around 300% above market value) for a period that they simply can’t offer.

Key points to remember:

• Domain name registration is an automated process. You choose your domains, pay for them and that’s it, they’re registered.
• Domain name registrars do not take responsibility for ensuring that the registrant has the right to use the brand name they are registering. If the domain is available, they’ll sell it. Under no circumstances would a sales agent for a registrar offer to sell those domains to someone else to block your registration – it would be unethical and possibly consititutes a breach of data protection legislation.
• The going rate for a .co.uk domain is around £3.00 + VAT a year and you can only register it for 2 years at a time. There’s no way to register it for longer than that.

If you get a call or an email with a similar story, hang up or hit “delete”!

At Scam Detectives HQ we’ve just returned from a great holiday (which is why you haven’t heard from us for a few days!) – No phones, no email, no internet, no contact with the outside world. OK, so we had snow, hail, rain, wind, sleet and (a very little) sunshine, but we didn’t let the great British weather spoil our fun.

When we got home, we were treated to this despicable, unforgivable scam designed to convince you to give your hard earned cash to the children affected by the Haiti earthquake.

First, the email:

Mercy & Sharing is an organization that was co-founded by evangelical
Christians Susie and Joe Krabacher. Dedicated humanitarian, whose work is
saving, feeding and educating children, that’s how People magazine, Marie
Claire, The Wall Street Journal is used to characterize Susie for her deeds in
helping the poor. While Joe is known for his blessed business career by
co-founding satellite communications company and fiber-optic networking company
as well as for his law practice with the law firm Sherman Howard. From the beginning
the organization’s aim was at helping abandoned and mistreated children in the
Republic of Haiti, but in the recent years Mercy & Sharing’s mission has
expanded to provide food to the elderly and oppressed in the northern part of
Haiti. Surveys have showed that in Haiti one of every three children dies by
age 5, because of the great rate of poverty 80% of population lives in poverty
and 54% are living in even more worse conditions. But with God’s blessing the
organization succeeded in helping 5,100 children and elderly.
Mercy & Sharing have always been helping the poor population of
Haiti by using the inner infrastructure of Haiti. Due to the quake disaster
that recently happen, we have brought all our capacities to rescue, providing
emergency food, shelter, medical treatment to children and elderly. In addition
we are supervising over your donations so the right people who really need them
receive them.

www.helptohaitichildren.com

Now, the charity Mercy & Sharing does exist, and is run by Christians Susie & Joe Krabacher, who do amazing work in the humanitarian field around the world. They run a genuine charity and website at www.haitichildren.com

So how do we know that THIS website is fake?

The content has been taken from www.haitichildren.com and simply rearranged a bit. Compare the two websites and you’ll soon see what I mean.

Despite their “About Us” page claiming that they have been in existence since 1994, the website was registered on 8th February 2010. The “Whois” details for the registrant are protected by a privacy service, as we’ve seen in previous scam investigations.

The address listed on their contact page is:

316 kennington road
London
SE11 4LD

This is the address of a “Pizza Express” branch in South East London, as can be seen in this Google Streetmap View

There is no charity of this name registered in the UK at any address.

The telephone number listed on the site is fake.

The bank account is a personal savings account. We have reported the account details to the Halifax who have been extremely helpful and are currently investigating. We would like to point out that the account holder may well be a completely innocent party who has fallen victim to a money mule scam.

What should I do if I’ve donated money?

Contact your local police to report the fraud.
Contact the Halifax on 01133 809 574 and tell them that you have donated money to a fake charity – We have already reported the account details to them and they are investigating, so they will be aware of it.

I want to donate – where is it safe to do so?

Please do not respond to unsolicited emails asking for donations. To ensure that your money will get to those organisations who need it most to get help to the survivors, donate directly to:

The Disaster Emergency Committee – www.dec.org.uk

The Committee will ensure that all donations are used as intended and reach those that need it.

If you have a preferred charity that you would like to donate to, then make sure you go to the official website via your web browser, and not through a link in an email.

Who’s helping them hide?
We ran a report recently about domain registrar Dotster helping V festival ticket scammers hide their identities by offering a private domain registration service. We’re pleased to report that Dotster are not involved in the registration of this domain. This time it’s Privacy Protect who go to great lengths to tell us that “We do not own any domains protected by our service”. Guess what guys? The US courts don’t agree with you, and we’ll be reporting the domain to the US authorities for investigation. If you’re reading this – Stop letting these vile, despicable scammers hide behind your service. Now.

Additional note 8/4/10: As a result of our complaint, PrivacyProtect.org have removed whois privacy from the domain. We thank them for their prompt response and action.
Why couldn’t Dotster do this when we contacted them about www.v-festival-tickets.net?

Why is this such a concern?

It’s always been one of the most glaring red flags with virus/scam/phishing emails. The email would be addressed to “Dear Facebook User”, “Dear Online Banking Customer”, “Dear Valued Member”. This immediately betrayed the email for what it was, a mass mailing designed to trick as many users as possible.

By addressing the email to you personally, scammers have removed this first line of defence and made it that little bit harder to spot a scam.

How did they get my name?

They didn’t. What they have done is to develop a mail merge script that takes everything before the “@” sign in your email address and insert it into the body of the email so it appears that it is personal to you.

We’ve had emails this morning addressed to “Dear Charles” (to charles@scam…..co.uk) but we’ve also had them to “Dear Sales” (to Sales@clear…co.uk) & “Dear Info”(to Info@scam….co.uk).

What can I do about it?

You now need to be even more vigilant.

• Never click on a link in an email that asks you to log in to your account
• Never open attachments contained in an email that purports to come from an organisation with which you have a relationship, including your bank, Paypal, Facebook or anyone else for that matter
• Never click on a link that says you’ve received an e-card, or that tells you that your photo has been posted online
• Always report such emails to the organisation they’re posing as by sending a copy to “spoof@YOURBANK.com

Be careful out there!

===============================================================================
We now have a great range of PC and Home Security products available in the Scam Detectives Security Supplies online store (powered by Amazon).

]]> http://www.scam-detectives.co.uk/blog/2010/03/19/scammers-get-smarter-every-day-scam-emails-get-personal/feed/ 4 http://www.scam-detectives.co.uk/blog/2010/03/11/scam-detectives-live-online-chat-with-bt-tradespace-paypal/ http://www.scam-detectives.co.uk/blog/2010/03/11/scam-detectives-live-online-chat-with-bt-tradespace-paypal/#comments Thu, 11 Mar 2010 13:44:11 +0000 admin http://www.scam-detectives.co.uk/blog/?p=294 We were pleased to be invited to take part in a live chat by BT Tradespace this lunchtime, along with the lovely Aline from Paypal.

We talked about safe online shopping, fake designer goods, keeping your kids safe online, viruses & malware and “phishing” scams.

The full transcript is below:

If there’s anything you’d like to know that we didn’t cover in the live chat, please feel free to drop us a line

]]> http://www.scam-detectives.co.uk/blog/2010/03/11/scam-detectives-live-online-chat-with-bt-tradespace-paypal/feed/ 3 http://www.scam-detectives.co.uk/blog/2010/02/25/is-this-you-no-its-a-twitter-phishing-scam/ http://www.scam-detectives.co.uk/blog/2010/02/25/is-this-you-no-its-a-twitter-phishing-scam/#comments Thu, 25 Feb 2010 11:42:47 +0000 admin http://www.scam-detectives.co.uk/blog/?p=251 Twitter users have been hit by yet another phishing scam. Messages such as “Lol. this is me??”, “lol, this is funny.”,”Lol. this you??” and “ha ha, u look funny on here”. have been appearing on Twitter profiles and in emails all over the world.

The link contained in the message leads to a fake Twitter login page, which, when you login, transmits your username and password to the scammer, who can then

Bearing in mind that many people also use the same passwords for other online services such as Facebook, Hotmail and even their online banking/credit card servicing accounts, you could also find that your total online world is compromised.

Remember:

• NEVER enter your login details on a page that you’ve reached via an email link or DM
• DO NOT use the same password for every web service that you use
• NEVER reveal your username and password to anyone
• TAKE CARE that any applications that you authorise to access your Twitter account is genuine

If you think that your Twitter account has been compromised, Visit the Twitter Support page on compromised accounts here

===============================================================================
We now have a great range of PC and Home Security products available in the Scam Detectives Security Supplies online store (powered by Amazon).

]]> http://www.scam-detectives.co.uk/blog/2010/02/25/is-this-you-no-its-a-twitter-phishing-scam/feed/ 2 http://www.scam-detectives.co.uk/blog/2010/02/18/has-someone-sent-you-an-e-card/ http://www.scam-detectives.co.uk/blog/2010/02/18/has-someone-sent-you-an-e-card/#comments Thu, 18 Feb 2010 16:28:20 +0000 admin http://www.scam-detectives.co.uk/blog/?p=240 Sending someone an e-card can be a nice gesture and can be environmentally friendly

There are loads of legitimate e-card sites out there, which will help you to send your e-cards without incident.

Unfortunately, there’s also a load of viruses that are transmitted disguised as e-cards.

We received this email a couple of minutes ago

You have received an e-card

To pick up your eCard, click on the following link (or copy & paste it into your web browser):

http://kamien-grabica.**.**/ecard.exe (LINK DISABLED)

Your card will be aviailable for pick-up beginning for the next 30 days.

This one links to e-card.exe, a nasty little virus which has been reported to cause some machines to display the “Blue screen of Death” and refuse to boot in anything but safe mode.

So how do I tell if someone really has sent me an e-card?

If there’s no name on the email and it just says “Someone sent you an e-card” then delete it. A legitimate e-card site will tell you who has sent the e-card.

Email your friend (using the email address in your contacts, not the one from the email) to ask them if they really did send you an e-card. Explain nicely that you’re wary of opening e-cards because you’ve heard that some of them contain viruses. If you get a response saying “Yes, I sent it”, then you know it’s for real. If they respond “Hey, nice to hear from you, but it wasn’t me” then you can safely delete the email without fear of offending anyone!

]]> http://www.scam-detectives.co.uk/blog/2010/02/18/has-someone-sent-you-an-e-card/feed/ 0 http://www.scam-detectives.co.uk/blog/2010/02/17/fake-microsoft-virus-warning-conficker-worm/ http://www.scam-detectives.co.uk/blog/2010/02/17/fake-microsoft-virus-warning-conficker-worm/#comments Wed, 17 Feb 2010 10:57:51 +0000 admin http://www.scam-detectives.co.uk/blog/?p=233 This little gem is quite clever. It relies on a few things
• That you will trust an email from Microsoft
• That you will have heard of the “Conficker Worm” which is a real virus
• That you will believe that your ISP will have notified Microsoft that your network is infected, rather than advising you directly

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Rather than containing software to repair the infection, the attachment itself contains malware which will infect your machine. Delete the email immediately.

Points to remember

• Microsoft would not contact you directly to warn of a virus infection
• Even if they did, they wouldn’t send you the software to delete it
• Your ISP would not advise Microsoft of a virus infection on your network. If they picked it up at all (which is doubtful) they would advise you directly
• You should NEVER open an attachment sent to you by email unless you are expecting it and trust the source

===============================================================================
We now have a great range of PC and Home Security products available in the Scam Detectives Security Supplies online store (powered by Amazon).

]]> http://www.scam-detectives.co.uk/blog/2010/02/17/fake-microsoft-virus-warning-conficker-worm/feed/ 3