Wednesday, November 23, 2011

Bad luck, or spear phishing? A tale of Facebook, the Better Business Bureau, and Colombian Drug Lords

There has been a concerning coincidence of events over the last 18 hours that is causing me some alarm. It started at 11:51 last night, when I received an email notification from Facebook (or so it appeared) saying that "you requested a new Facebook password." No big deal, right? Well, I hadn't noticed that email until after I had looked at the email received very early this morning from the Better Business Bureau (or so it appeared), notifying me of a complaint about my company, which looked pretty legit:


I've gotten pretty suspicious over the years, so while I was concerned that there was possibly an outstanding complaint against our company, which caused some alarm (bad guys use this fear to get you to act without thinking first), I hovered over the hyperlink (on my Mac) as a precaution and saw this:

Now I'm no Mac developer, but this doesn't seem right, especially when looking at the top-level domain of the hyperlink: .cn (China). Incidentally, hovering over the link on a PC only shows you the top-level domain, domain, and subdomain, without all the Apple gobbledygook in front. Finding the source IP in the Internet headers of the message, I do a whois lookup and find the sender is registered in Colombia (no, not as in British or District of). Buenos días to you, señores! Googling "applewebdata," I find some discussion of how this syntax runs internal commands on iOS and OS X devices. My sense of alarm increases.
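
Pulling the originating IP out of the message's Received headers, as done above before the whois lookup, can be scripted. The following is an added example and not code from this post: it walks the Received chain from the earliest hop upward, skips internal addresses, returns the first external IP (the one you would feed to a whois lookup, which is not performed here), and compares the domain in the From header with the envelope sender in Return-Path. The sample message and every name in it are constructed placeholders, with RFC 5737 documentation addresses standing in for real ones.

```python
"""Trace the originating IP of a suspicious email from its Received headers.

Added example, not code from the blog post. Reads RFC 5322 headers, walks the
Received chain from the earliest hop (bottom header) upward and returns the
first IP that is not on an internal network: the address to hand to a whois
lookup. The sample message is constructed; addresses are RFC 5737
documentation ranges and the domains are placeholders.
"""
import email
import email.utils
import ipaddress
import re

# Addresses that never identify an external sender: RFC 1918, loopback, link-local.
# (ipaddress.is_private is not used because it also flags the RFC 5737
# documentation ranges used in the sample.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# Any dotted-quad literal; validity is checked with ipaddress afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(raw_message):
    """Return the first non-internal IPv4 address in the Received chain,
    searching from the earliest hop upward, or None if there is none."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for hop in reversed(received):            # bottom-most Received = earliest hop
        for literal in IPV4_RE.findall(hop):
            try:
                addr = ipaddress.IPv4Address(literal)
            except ValueError:
                continue                       # e.g. "999.1.1.1" inside a hostname
            if not _is_internal(addr):
                return str(addr)
    return None


def _domain_of(header_value):
    _, address = email.utils.parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def header_report(raw_message):
    """Summarise the header facts a recipient should compare before trusting the mail."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain_of(msg.get("From"))
    return_path_domain = _domain_of(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "envelope_mismatch": bool(return_path_domain) and return_path_domain != from_domain,
        "origin_ip": originating_ip(raw_message),
    }


# Constructed sample: a mail claiming to be a BBB complaint notice. The top
# Received header is the recipient's own mail server; the bottom one is an
# internal RFC 1918 hop that says nothing about who the sender really is.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@bulk-mailer.example>
Received: from mx.bulk-mailer.example ([198.51.100.23])
    by mail.recipient.example with ESMTP id 7a1b2c3d;
    Wed, 23 Nov 2011 02:14:05 -0500
Received: from [10.0.0.5] (helo=sendbox)
    by mx.bulk-mailer.example with SMTP id 9f8e7d;
    Wed, 23 Nov 2011 02:14:01 -0500
From: "Better Business Bureau" <complaints@bbb-notice.example>
To: recipient@recipient.example
Subject: Complaint case #PLACEHOLDER-ID

A complaint has been filed against your company.
"""

if __name__ == "__main__":
    print(header_report(SAMPLE_MESSAGE))
```

The report is only a starting point: the origin IP still needs the whois (or reverse DNS) lookup the post describes, and a Return-Path that differs from the From domain is common for legitimate bulk mail, so it is a prompt to look closer rather than proof of spoofing.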

Then I notice the Facebook email. Knowing now that I might be under targeted attack, I am much more skeptical about that email. How do I know it is legit? Hovering over the hyperlinks and doing a whois lookup on the source IP give me confidence that this email actually is legitimate, which can only mean one thing: this is not a phishing email, but someone (not me) is trying to reset the password of my Facebook account. The Facebook email gives me the chance to disavow the original password request, which I do only after satisfying myself that it really is from Facebook.

I also take the precaution of changing my Facebook password, deactivating and then reactivating my account, and reviewing my security settings. Facebook has some great security options, including two-factor authentication using a registered mobile phone, login approvals, and registered devices.


I notice six registered devices, some that I recognize and others I don't. I disable all of them, and re-register my personal and work machines. I also log out of my mobile app session.

Out of an abundance of caution, I reset my personal email password and my work domain password. I'm also running an AV scan on my OS X machine.

This is a lot of work, and it has taken up much of my morning. I doubt the average user would know what to do, or have the inclination to take all these steps. I hope this blog serves to educate end users and technical folks alike about the dangers that exist out there. Be cautious, be suspicious, and be vigilant, because "the Devil prowls around like a roaring lion, seeking whom he may devour." (Who knows that reference?)

Is this a case of a targeted spear-phishing attack by Colombian banditos, or just an unfortunate coincidence, arriving in time for Thanksgiving story-telling? I'm not sure, but it was one of the more believable spoofs I've seen to date.

Thursday, September 15, 2011

Android A Target for Malware Writers

New Malware: Q2 2011 by Platform

*provided by McAfee

Two things I found interesting about this graph. First, Android is obviously a huge target for malware writers. Why? Hold that thought ...

Who's missing from this graph? Why wasn't iOS among the top six OSes targeted by malware writers in Q2? It can't be for the same reason OS X malware is relatively low; iOS has a significant share of its market, much more than the others listed.

So what's different about iOS that's not true about Android? 

Android is considered an open platform, whereas iOS has been described as a walled garden. 

Apple keeps tight control over its ecosystem, much to the chagrin of consumers and developers alike. But perhaps there is a security advantage to such fastidious control, and if so, this closed posture benefits IT and consumers.

Is a closed platform inherently more difficult to hack? Is this why iOS is not attracting malware authors, and why Android malware development is out of control? Or does it have more to do with each provider's app marketplace and its app vetting process?

What's your opinion on the matter?

Wednesday, September 14, 2011

Craigslist Scam #2

This is a big week for Craigslist scams. Scam #2 could easily trick you into divulging personal information or signing up for a bogus service.

I was on Craigslist looking for a good deal on the wildly popular iPad 2, so I clicked on this ad:


The ad itself is unremarkable, so I clicked on the anonymized email address to contact the seller, which of course launched my email client. I sent out an inquiry asking for more detail, pictures, etc. Several days went by, and then I received this response.


Hmmm. My spidey sense is starting to tingle. Curious about the URL, I want to click on it, but better judgement tells me to do two things first: hover over the hyperlink to make sure it's not more than meets the eye, and check www.trustedsource.org and other URL or IP reputation databases. Since I don't see any danger, I manually enter the URL into my browser, or better yet, into a Google search to see what's being said about it, rather than going to it directly.

Well, it turns out this takes me to a Penny Auction site. 


Who knows how legit this site is: if I take the time to register, can I really get a new iPad 2 for $300? Is my personal and financial data safe, or is malware lurking, waiting to pounce? I don't have a lot of confidence at this point, because BouncyBids has already lost my trust. Classic bait and switch, which is no way to start a relationship, even a transactional one.

Incidentally, I responded to two other similar Craigslist posts this week, and got nearly identical reply emails taking me to similar Penny Auction sites with slightly different URLs.

I've said it once and I'll say it again: The best approach to protecting yourself is a combination of education and a technology safety net.  Be careful out there!



Craigslist Scam #1

I came across a simple yet interesting Craigslist scam this week. The scam appears to start with your email address being scraped from a Craigslist ad you've posted. (I am currently investigating why a Google result exposes an email address that was supposed to be anonymized by Craigslist.) Since the scammer knows you've posted on Craigslist, a targeted email is sent to the scraped address that looks like this in the inbox:


Drilling down ...

Uh oh! In a panic, I'd better investigate why my ever-so-important Craigslist account has been suspended.

Wait, what's this?  If I hover over the Login link, what do I find? Hmmm ...  I wasn't expecting to see that URL.

Manually navigating to pw2.ro/808 in a virtual desktop environment, I am redirected to cltos-change.ucoz.org/secure/survey/1/:


Whew! I'm back at Craigslist.  Or am I?  

How many times will you enter your username and password before you figure out you've been pwned?

At the time of this writing, trustedsource.org and senderscore.org have nothing negative to say about either of the URLs I posted, so they don't yet have a bad reputation.
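
Hovering over a link shows what the visible text hides, and the same check can be applied to every anchor in an HTML mail at once. The following is an added example, not code from this or any other post here. It covers both the "Login" lure in this post and the scheme-less .cn link with the applewebdata prefix described in the November post about the BBB notice above. It assumes, as that hover text suggests, that a WebKit-based mail client resolves a scheme-less href as a relative path under a local applewebdata://<UUID>/ base URL. pw2.ro/808 is the link quoted in this post; every other host, and the UUID, is a constructed placeholder, and the registered-domain check is a crude last-two-labels heuristic rather than a public-suffix lookup.

```python
"""Inspect every link in an HTML email the way hovering over each one does.

Added example, not code from the posts. For each <a> it records the visible
text, the raw href, what a mail client's hover would show and the host a click
would really reach, then lists reasons for suspicion. Sample bodies are
constructed; pw2.ro/808 comes from the Craigslist post, other hosts are
placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a WebKit-based mail client loads the HTML body under a local base
# URL applewebdata://<UUID>/, so a scheme-less href such as "www.foo.cn/x"
# hovers as applewebdata://<UUID>/www.foo.cn/x (placeholder UUID below).
APPLEWEBDATA_BASE = "applewebdata://00000000-0000-0000-0000-000000000000/"


class _AnchorCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def effective_target(href):
    """Return (hover_text, real_host, scheme) as a mail client would resolve href."""
    href = href.strip()
    parts = urlsplit(href)
    if parts.scheme == "":
        # No scheme: treated as a path relative to the client's base URL, which is
        # why the Mac hover shows the applewebdata prefix and a PC shows only the host.
        path = href.lstrip("/")
        host = path.split("/", 1)[0].split("?", 1)[0].lower()
        return APPLEWEBDATA_BASE + path, host, "applewebdata"
    return href, (parts.hostname or "").lower(), parts.scheme


def registered_domain(host):
    """Last two labels of a host: a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_links(html, claimed_domain):
    """Return one report per anchor; 'reasons' is empty for a link that checks out."""
    collector = _AnchorCollector()
    collector.feed(html)
    reports = []
    for href, text in collector.links:
        hover, host, scheme = effective_target(href)
        reasons = []
        if scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {scheme!r}")
        if host and registered_domain(host) != claimed_domain:
            reasons.append(f"target {host} is not {claimed_domain}")
        shown = text.strip().lower()
        if "." in shown and " " not in shown:  # visible text itself looks like a URL
            shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host and registered_domain(shown_host) != registered_domain(host):
                reasons.append(f"text shows {shown_host} but href goes to {host}")
        reports.append({"text": text.strip(), "href": href, "hover": hover, "host": host,
                        "tld": host.rpartition(".")[2], "reasons": reasons})
    return reports


# Constructed "account suspended" lure from the Craigslist post, plus one link
# that really does go where it says.
SAMPLE_CRAIGSLIST = """
<p>Your account has been suspended. <a href="http://pw2.ro/808">Login</a> to review it.</p>
<p>Help: <a href="https://www.craigslist.org/about/help">craigslist.org</a></p>
"""

# Constructed stand-in for the BBB notice: a scheme-less .cn href behind text
# naming the BBB's own site (the host is a placeholder, not the real link).
SAMPLE_BBB = """
<p>View the complaint: <a href="www.complaint-placeholder.cn/case">www.bbb.org/complaints</a></p>
"""

if __name__ == "__main__":
    for body, claimed in ((SAMPLE_CRAIGSLIST, "craigslist.org"), (SAMPLE_BBB, "bbb.org")):
        for report in inspect_links(body, claimed):
            print(f"{report['text']!r} -> {report['hover']}  {report['reasons']}")
```

The script stops where the post's analysis continues: it reports the first hop only, so pw2.ro/808 is flagged for not being craigslist.org without following the redirect to the survey page, and a reputation lookup against services like trustedsource.org would still be a separate, online step.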

The best approach to protecting yourself is a combination of education and a technology safety net.  Be careful out there!