Lookalike web page addresses

Jan 30, 2019

Ever mistype a Web page address? Mistype the URL? Like typing “Gogle” instead of “Google.” Ever click a result from a Google search that looked like the site you wanted but took you to something else? With maybe some scary ads?

Well, these two articles (links below) are a reminder about this common way criminals seek to trick and exploit us. Much like spoofed phone caller IDs, eh.

Engadget: Google Chrome will warn you of lookalike URLs

It’s pretty common for malicious actors to lock down common misspellings of popular sites in attempts to catch people off guard when they make a mistake typing in a URL. Those sites often look like the real thing but are designed to steal a person’s credentials and other information. With Google Chrome’s experimental feature, the browser will present a dropdown panel under the URL bar. The notification draws attention to the fact that the user may be visiting a site they don’t intend to and offers to redirect them to the correct domain. That combined with Chrome’s existing warnings about unsecure sites should hopefully be enough to keep people from falling for scams.

Wired: Google Takes Its First Steps Toward Killing the URL

Currently, the endless haze of complicated URLs gives attackers cover for effective scams. They can create a malicious link that seems to lead to a legitimate site, but actually automatically redirects victims to a phishing page. Or they can design malicious pages with URLs that look similar to real ones, hoping victims won’t notice that they’re on G00gle rather than Google. With so many URL shenanigans to combat, the Chrome team is already at work on two projects aimed at bringing users some clarity.

While enabling these new features is somewhat technical, it’s good to know that Google (among others) is working on ways of making us safer on the Web. These features probably will become standard for general use this year.
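The mistyped and digit-swapped addresses mentioned above (“Gogle”, “G00gle”) can be caught mechanically. The sketch below is an added example, not code from Chrome or from the quoted articles; the list of known domains, the character map and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites the user actually means to visit.
KNOWN_DOMAINS = ["google.com", "apple.com", "amazon.com", "costco.com"]
# Digits often substituted for similar-looking letters (constructed, not exhaustive).
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return (verdict, matched_domain) for a URL or a bare hostname."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    folded = host.translate(LOOKALIKE_CHARS)
    # Exact match or a real subdomain of a known site.
    for good in KNOWN_DOMAINS:
        if host == good or host.endswith("." + good):
            return ("genuine", good)
    # Otherwise look for a near miss: swapped characters or a one-key typo.
    for good in KNOWN_DOMAINS:
        if folded == good:
            return ("lookalike-characters", good)
        if edit_distance(folded, good) <= 1:
            return ("lookalike-typo", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sample in ["https://www.google.com/", "gogle.com",
                   "http://g00gle.com/login", "example.org"]:
        print(sample, "->", check_url(sample))
```

An “unknown” verdict only means the address is not close to anything on the list; it says nothing about whether the site is safe.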

Phishing attacks — fake “Apple” emails

Mar 28, 2018

I’ve noticed these types of scams for a while: email messages (supposedly) from Apple purportedly about a payment or Apple ID or login from another device (which in fact you may not own). More and more email apps (especially on mobile devices) do not permit examination of the raw message text, which often permits detection of the fraud. So, what to do?

This Vipre Security News blog post (March 16, 2018) is a good summary of the situation: “Apple Phishing Attacks Prompt Advice From Tech Giant.”

Apple customers don’t get phished quite as much as Microsoft ones, but they do face a fairly annoying variety and frequency of fake emails. The problem stems from the fact that Apple sends emails to its customers quite regularly, thereby making the millions of Apple customers juicy targets for the bad guys.

There are three basic fake emails going around. The first appears as an email invoice for your “recent Apple purchase.” Another is a “Reminder” notifying you of an account login from an iPad in Monaco. The third, and possibly most alarming, is a text message informing you that your Apple ID is expiring today.

If you’re not sure whether an email about an App Store, iTunes Store, iBooks Store, or Apple Music purchase is legitimate, these tips from Apple may help.

As in all phishing scams, these fake messages want you to click on a link or open an attachment (which may include further fake links) and then trick you into providing personal or account information — which (genuine) “App Store, iTunes Store, iBooks Store, or Apple Music purchases will never ask you to provide.”

Checking or updating any account or payment information should only be done in the Settings on your Apple device.

Anti-phishing test results 2017

Aug 2, 2017

If you’re particularly worried about somehow landing on a malicious website while browsing the Internet, then this PC World (August 1, 2017) article “AV-Comparatives’ anti-phishing results for 2017 put Avast, Bitdefender, Fortinet, and Kaspersky on top” may be useful.

In previous posts, I’ve noted PC World’s summaries of test results by the independent computer security test organization AV-Comparatives.

All four passing software packages got through the false alarm test without making a mistake. Bitdefender won the top spot for detecting actual phishing sites with a detection rate of 96 percent. Coming up right behind Bitdefender was Fortinet with a 95 percent detection rate followed by Kaspersky and Avast with 93 and 92 percent detection rates, respectively.

You can check out the full anti-phishing results on AV-Comparatives’ website.

Some of my clients use free anti-virus (AV) programs. Pros and cons.

Should I go free or paid for antivirus? But there isn’t a good answer to that question. It really comes down to what you’re willing to put up with. If you just need basic protection then most free antivirus suites are probably fine.

The best way to use AV-Comparatives’ free vs. paid report is as a reference guide for the 15 services it covers.[1]

And remember, regardless of your choice for AV, use Malwarebytes Anti-malware also (free or premium version).


[1] The report is available in PDF format here.

Adaware Antivirus Free
Avast Free Antivirus
AVG Antivirus Free
Avira Free Antivirus
Bitdefender Antivirus Free Edition
Comodo Internet Security Free
Fortinet FortiClient
Kaspersky Free
McAfee Cloud AV
Microsoft Windows Defender / MSE5
Panda Free Antivirus
Qihoo 360 Total Security Free
Sophos Home Free
Tencent PC Manager
ZoneAlarm Free Antivirus + Firewall

Phishing — what it is and tips

May 6, 2015

The May issue of HP’s “Technology at Work” contains some useful information on phishing scams.

Phishing is the act of posing as a familiar, trustworthy entity in electronic communications and using that familiarity and trust to get recipients to release confidential information, such as passwords and bank account numbers.

The article summarizes tips to detect these scams.

  • Unusual sender address
  • Unusual URL
  • Lacks personalization
  • Misspellings
  • Urgent action
  • When in doubt
  • (The “What now?”)

As I’ve noted before, scams do not need to be particularly artful or sophisticated. Just a simple subject like “Alert User ID Suspended” or “Your document is attached” or “Is this your photo” — to make you anxious or provoke your curiosity. Many want you to open an attachment.

Be safe! And watch out for Mother’s Day scams.

Fake Gift Card Surveys — another email scam

Dec 11, 2014

Fake gift card surveys. I’ve seen more of these scams the last month or two. The email messages claimed to be from Amazon with “Amazon Coupons” as the subject. Examination of the messages revealed sender addresses having nothing to do with Amazon. Like from amazon@someothersite.com. Encoded (indecipherable) links in the bodies of the messages went to strange sites. Message bodies contained gibberish.

These survey scams appear on social media sites as well, e.g., on Facebook. There’s also a CVS survey / coupons scam.

How can you tell if the message is a scam? Well, there’s the tease itself — something for nothing, eh. If the promotion really was from Amazon, you’d see the offer when logged into your Amazon account. If you impulsively open such a message, at least check any embedded links (you know how to do this, correct?).

Getting your personal information isn’t the only downside to these scams, as they can involve other bogus offers, malicious Web sites, and malware.

And regarding malware. It’s not always easy to tell if your PC’s been infected, but this PC World article provides some tips: “Does your computer have malware? Here are the telltale signs.”

Fake order confirmations — another email scam

Dec 8, 2014

Fake order confirmations. I’ve seen a lot of these the last couple of weeks. Particularly repeated email messages claiming to be from Costco (Walgreens, etc.) with “Order Confirmation” as the subject. Of course, I never placed any such order(s). Examination of the messages (without actually opening them in an email app) revealed various sender addresses having nothing to do with Costco. Links in the bodies of the messages went to various Web addresses, sometimes indecipherable. Some used attachments, bogus receipts or order confirmations, as well.

Some of these scams are crude self-declarations. Just one or two sentences. But others are artfully crafted to look legitimate — well written copies of legitimate order or shipping notices from well-known companies.

I hope that most people will be suspicious of such email messages, resist the impulse to open them, and just delete them immediately. Many of these scams use Web beacons which notify the scammers that your email address viewed their message (which means that you’ll keep getting more spam scams). But clicking on an embedded link or opening an attachment is worse, possibly infecting your PC with malware.

This holiday season these scams are in full swing once again. As PC World summarized in their article “Beware this online shopping scam: Fake order confirmations” (12/8/2014):

Brian Krebs, a respected authority on security and all-things-cybercrime, wrote a cautionary post earlier this week. “If you receive an email this holiday season asking you to ‘confirm’ an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.”

Remember, if you have an online account with the vendor, you can always log in and check your order status. Some vendors also have customer service phone numbers.

Malicious email — warning signs

Sep 20, 2014

So, you’re careful when looking at your email inbox’s message list. You delete messages from strangers. You delete obvious promotions and ads. Yet, some messages appear okay. You open those messages. Here’re some things to check, as noted in a recent PC World “Three warning signs that email is malicious” article:

1. Dear customer
2. That link is crazy
3. It has an attachment

I see “Dear” spam every week. But checking any links in the body of a message is particularly important. While the text of a link may look valid, the actual link can be “crazy.” Lately I’ve seen quite a few TinyURL-style links in messages that cloak their malicious character. Just delete those messages!

So stay alert.

Prof’s Hack Challenge Revealing

Dec 9, 2013

PC World summarized the results of a New York University Professor’s challenge to conduct a personal “pen test” on him.

And the answer, at least in his case, is that knowing that they were out to get him didn’t stop them. He got hacked. As he wrote, in an account of the project last month, while conducting a class at NYU, “without warning, my computer freezes. …”

This article may be viewed at: http://www.pcworld.com/article/2070671/anatomy-of-a-hack-team-meets-a-professors-challenge.html.

Of particular note was that social engineering was key to the attack, “hacking someone’s head” versus clever tech. A phish email was used. As has been recommended many times, beware of emails with links to view something, although prima facie the message appears authentic, from someone you know. Check that link first!

The article concluded with some general advice.

Phishing Attacks August 2013

Sep 24, 2013

PC World summarized a Kaspersky Lab study that noted:

Spam volumes took a usual seasonal drop in August, but phishing spiked, including a noticeable interest in hijacking Apple accounts.

This article may be viewed at: www.pcworld.com/article/2049287/apple-is-a-tempting-phishing-target-for-scammers.html#tk.rss_all

Of particular note was the resurgence of some old malware which infects your email contact list. Phishing attacks continued as well — email scams purportedly from a company which you have an account with, claiming that your account requires action by clicking on a link.

Employees Fall for Phishing

Jun 6, 2011

This Enterprise Systems article highlights once again that protecting yourself from phishing attacks requires guidance and training. Relying on good intentions is not enough. Many are tricked into clicking on links in phishing e-mail messages anyway.

The cleverness of cybercriminals can still overcome the best intentions of employees. As Sjouwerman [KnowBe4 founder and CEO Stu Sjouwerman] points out, “Many of the top Phish-prone industries are regulated and subject to compliance rules, so well-meaning employees can be tricked into clicking a link if they believe an e-mail was sent by a government or law enforcement agency, or by someone they know and trust.”