Phishing Attack List: Windows Live ID Scam

Kaspersky Lab experts are warning of a new scam that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.

What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims’ logins and passwords. So what’s the trick?

  • After following the link and authorizing the account, users receive a prompt: an application requests permission to automatically log into the account, view the profile information and contact list, and access a list of the users’ email addresses.
  • Users who click “Yes” don’t give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.

Scammers gained access to this technique through security flaws in the open protocol for authorization, OAuth. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim’s address book or launching spear phishing attacks.

Read the full story.

Phishing Attack List: E-Z Pass Virus Spam

This is a new category I will be including in the newsletter: phishing attacks that are currently trending and which you may see some examples of in your inbox. If you have any examples to share with the list, please forward them to me with a link to the information or news story that describes the phishing attack.

A series of fake E-Z Pass virus spam emails is going around, claiming that you owe money for driving on a toll road. A zip file attached to the spam email contains a JavaScript file that downloads malware. The JavaScript files are meant to be executed not by a browser but by Windows Script Host, so Windows machines are vulnerable. If you use Windows + Internet Explorer you will receive a randomly-named .gif file that is actually an .exe file.

Read more about this phishing attack here.
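
The two indicators described above (a script inside a zip attachment, and an image-named file that is really an executable) can be checked at the mail gateway. The sketch below is an added example, not code from the newsletter or the linked story; the function names, extension lists and sample message are assumptions constructed for illustration, and applying the magic-byte check to archive members goes slightly beyond the page's case, where the .gif is downloaded.

```python
import io
import posixpath
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script extensions handled by Windows Script Host by default (assumed list).
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}

def ext_of(name):
    return posixpath.splitext(name)[1].lower()

def is_disguised_executable(name, head):
    """True when an image-named file starts with the DOS/PE 'MZ' magic."""
    return ext_of(name) in IMAGE_EXTENSIONS and head[:2] == b"MZ"

def scan_message(raw_bytes):
    """Return (attachment, member, reason) for each suspicious zip member."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)  # magic bytes only; never inflate the member
                if ext_of(info.filename) in WSH_EXTENSIONS:
                    findings.append((part.get_filename(), info.filename, "wsh-script"))
                elif is_disguised_executable(info.filename, head):
                    findings.append((part.get_filename(), info.filename, "disguised-executable"))
    return findings

def build_sample():
    """Constructed message: zip with a .js file, an 'MZ' file named .gif, a real GIF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not a real script")
        zf.writestr("k3x9.gif", b"MZ" + b"\x00" * 62)
        zf.writestr("logo.gif", b"GIF89a" + b"\x00" * 10)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```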

Fake MIT Emails Become More Sophisticated

Cyber criminals are getting more savvy with their attempts to scam potential victims using phishing emails.

It’s likely that once a company or organization has fallen for several scams in the form of phishing emails, the criminals sending them may realize that, over time, the targeted organization has learned from previous attacks. The organization becomes harder to fool, so the same group of criminals will attempt more sophisticated attacks on the organization. They step up their efforts by using language and information that make their phishing emails harder to spot as bogus.

Learn how to spot these bogus emails. There are examples in The Knowledge Base of these more sophisticated — as well as obvious — phishing attempts, all using fake MIT information to scam recipients:

Examples of phishing emails that appear to come from MIT.

Malicious Ebola-Themed Emails

Fake emails that purport to be from the World Health Organization are inviting people to download an attachment or click a link for more information about the Ebola virus.

Last week US-CERT, a division of the Department of Homeland Security, issued an advisory warning users about spam campaigns that use the Ebola virus to bait users into inadvertently downloading malware. Once the malware program is on the victim’s machine, it can grab shots off the webcam, take control of the machine remotely, or steal passwords.

Read the full story online.

Video: Cybercrime Exposed

In this 2-minute video, Trend Micro explains the ins and outs of phishing scams, what you might lose when you fall victim, and what you can do to stay protected. This cybercrime exposé specifically looks at a phishing operation that was in effect in Brazil during the 2014 World Cup. Criminals hosted phishing site templates, malware and the victims’ personal documents on an online sharing site. They lured victims into clicking their links, then stole their money.

Knowing the different tactics used by bad guys will help you avoid becoming a victim of cyber crime.

View the video on YouTube.

What Happened in the JP Morgan Chase Breach?

According to news released last Thursday, 76 million household accounts and 7 million small businesses were affected by a breach that occurred earlier this year. JP Morgan Chase is one of the oldest, best-known and largest financial institutions in the world. The cyber attack leaked names, addresses, phone numbers and email addresses. There is no evidence yet of passwords, sensitive personal information, or account information being stolen.

The bank discovered the intrusion on its servers in mid-August and believes the breach may have begun as early as June, a spokesperson for the bank has said. They have “identified and closed all known access paths.” It is possible that the attackers first got in by obtaining a password from an employee.

In a post on their website, they told customers there’s no need to change their password or account information. No cards will be reissued.

Because the hackers accessed email addresses, beware of phishing emails: don’t click on links in messages from email addresses you don’t know, or on links inside unexpected messages that look like they might come from Chase or another trusted source.

Read the full story in the news.

Increase in Spam Attacks at MIT this Weekend

Over the weekend, two MIT Kerberos accounts were compromised, leading to a spike in spam in our email inboxes. The emails were not sent by anyone at MIT, but were sent using the compromised users’ accounts, to make it look like they came from MIT.

When spam comes from a compromised email account at MIT, the spam filters at MIT are less likely to block it than if it comes from an account outside of MIT. The only action MIT can take is to notify the user and temporarily suspend the account, preventing it from sending further emails. The user must change their account password before it is reactivated by MIT.

To prevent your MIT account from being compromised, it is important to have a strong password and to protect it appropriately. Do not use your Kerberos password for other accounts. Do not use your password on an insecure network. When off-campus, be sure to use an encrypted wireless network or use a VPN.