The practice of trying to trick someone into giving out their personal information, such as bank account, social security number, even your name and address, is called phishing. The goal of phishing is identity theft.

I received this e-mail last night. First lets, take a look at the e-mail itself and then I will point out some items of interest and common techniques used by phishers. And finally, what you can do to help in the fight against phishers.

Subject Notification from Billing Department
Sender Paypal
Date Fri 10:00

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently
contacted you after noticing an issue on your account. We requested information from you for the
following reason:

We have reason to believe that your account was accessed by a third party. We have limited
access to sensitive PayPal account features in case your account has been accessed by an
unauthorized third party. We understand that having limited access can be an inconvenience, but
protecting your account is our primary concern.

Case ID Number: PP-308-080-099

This is a second reminder to log in as soon as possible, to your PayPal account at
https://www.paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 .

Be sure to log in securely by opening the provided PayPal link. Once you log in,
you will be provided with steps to restore your account access. We appreciate your
understanding as we work to ensure account safety.

In accordance with PayPal’s User Agreement, your account access will remain limited until the
issue has been resolved. Unfortunately, if access to your account remains limited for an extended
period of time, it may result in further limitations or eventual account closure. We encourage you
to log in to your PayPal account as soon as possible to help avoid this.

We thank you for your prompt attention to this matter. Please understand that this is a security
measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP638

// Limited Account – Please Restore Your Account Access

Let’s start at the top. First it says the sender is Paypal. On closer inspection you will find it claims to be from noreplay@sec.mail.com which is actually mail.com a place where anyone can set up a free e-mail account. This is your first clue, but don’t assume just because an e-mail says it is from, let’s say paypal.com, it really is. The sender e-mail is easily spoofed to say anything.

The second clue is the link they provide. What you see in my post is the way it looked in the e-mail. However, that is not where you would go if you clicked on the link in that e-mail. If you placed your mouse over the link, you would see paypal.com, however this was also spoofed. The actual link went to mail.empl.hu, BTW; I have already reported this site but when I checked the domain registration, this domain was registered back in Feb. 2010 and chances are it could remain active. Phishing sites registered in the U.S. are usually shut down fast, but when they are registered in other countries, it can be much harder or next to imposable to get the registrar to disable the domain name.

I don’t suggest try the following, but I went to the site to see how good of a fake it was. Many times the fake site will have errors like bad grammar. This site is a very good fake, or was. I reported it earlier and will tell you how to do the same at the end of this article, it appears to have been taken down already. Anyways, this site was an actual clone of the paypal site. When I inspected the source code of it, while it was still operating, all of the links except the login, were actually paypal’s. They copied the Paypal page and only modified the login page. So if you clicked on anything other than login, you would end up back at the real Paypal site. The site is down now so I don’t know what would happen if I tried the to login. One technique I have used in the past is to use a made up e-mail and password. Most likely, what would happen would be it would let me in, even though my user name and password was not real, they would not know this. The owner of this site would then have captured the account name and password. And more than likely I would have either been redirected to the real Paypal site or they would have set up another page with something like, we suspect fraudulent activity on your account and we need you to enter your account information. Then you would be asked to enter all your account information like full name, address, phone number, and social security number. Then you may get a message thanking you for the information and your account has been verified. At this point you have just had your identity stolen. You have just handed over all your account and identity information to the crooks.

However, just by “logging in” you have given them enough information to get into your account. Keep in mind that just visiting a site like this exposes you to fraud. When you visit a phishing site, they may try to attack your computer by installing software on to your computer with out your knowledge. This software, which I call malware but is also referred to as crimeware, can run on your computer without your knowledge and logs all you keystrokes. If you go to any website and type in your name and password, it has just been captured and uploaded some place that the crooks can access it.

Now I would also like to point out something in the content of this e-mail. One of the common tricks used by phishers is to tell you that you will lose access if you don’t respond immediately. They will either tell you to click on a link in the e-mail, or reply to the e-mail or call a phone number. If you receive an e-mail asking you to verify your account, unless you requested it by clicking on a I lost my password link at the site before hand, do not respond to it, do not click on any link it contains, do not open an attachment, do not call any phone number it contains. Banks will never send out an e-mail requesting this information. If you still think it may be a real request, contact them yourself directly. Do not use the information in the e-mail to contact them. Look up their phone number yourself, or get it from a directory assistance. Do not reply to the email, create a new e-mail and type in the e-mail address yourself if you already know it. Or open a new browser window and type in the address yourself if you know it and if you don’t, use a search engine. What you are trying to avoid is using any part of the email you received. That includes phone numbers, links, or replying to the e-mail.

And now you should report it. You can do some good and help other from falling victim to a phishing scam and it’s very easy. Just forward a copy of the suspected e-mail to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org You can also visit US-CERT & Anti-Phishing Working Group. You can also do a search for report phishing if you would like to find other places to report it to. I reported the example in this article to US-CERT and antiphishing.org before I started writing this and the site was down before I wrote half this article.

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

There’s no need to try and figure out what’s safe or real and what has more sinister plans in mind. The good folks at dshield.org have been keeping an updated list of third party information on conficker. Here you can find plenty of free conficker detection and removal tools, general information and the microsoft patch. That should help keep you updated, safe and informed.

I’ve also found out about one other real neat way of detecting it, but it’s for more advanced users, so I’m going to make a seperate post about it.

You can see what happens when someone guesses an easy password and gets into a router, and the lsessons learned, here.

Owen Walker, an 18 year old from Whitianga, New Zealand, is suspected of creating malicious software that took control of over a million computers. The FBI also believes AKILL, Walker’s online handle or nick name, is “the ringleader of an elite international botnet coding group” and has caused “more than $25 million in economic loss”. If evidence is found that warrants charges, Walker could be charged either in New Zealand or extradited and charged in the United States.

So far eight others, here in the U.S., have been charged in relation to the FBI’s investigation of Walker’s software. Three of them have been sentenced with jail terms of 12 to 47 months.

Botnets are comprised of computers which have been infected with malicious software. These computers are also known as “zombies” and can be used to for various illegal activities. Some “zombies” are used for phishing scams, identify theft, spam, network attacks, and scanning for vulnerable computers and websites which they can then install the botnet software on. People who contol these botnets are known as bot herders. Some bot herders have control of millions of computers. Currently it is estimated that there are approximately 150 million botnet infected computers.