The practice of trying to trick someone into giving out their personal information, such as bank account, social security number, even your name and address, is called phishing. The goal of phishing is identity theft.

I received this e-mail last night. First lets, take a look at the e-mail itself and then I will point out some items of interest and common techniques used by phishers. And finally, what you can do to help in the fight against phishers.

Subject Notification from Billing Department
Sender Paypal
Date Fri 10:00

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently
contacted you after noticing an issue on your account. We requested information from you for the
following reason:

We have reason to believe that your account was accessed by a third party. We have limited
access to sensitive PayPal account features in case your account has been accessed by an
unauthorized third party. We understand that having limited access can be an inconvenience, but
protecting your account is our primary concern.

Case ID Number: PP-308-080-099

This is a second reminder to log in as soon as possible, to your PayPal account at
https://www.paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 .

Be sure to log in securely by opening the provided PayPal link. Once you log in,
you will be provided with steps to restore your account access. We appreciate your
understanding as we work to ensure account safety.

In accordance with PayPal’s User Agreement, your account access will remain limited until the
issue has been resolved. Unfortunately, if access to your account remains limited for an extended
period of time, it may result in further limitations or eventual account closure. We encourage you
to log in to your PayPal account as soon as possible to help avoid this.

We thank you for your prompt attention to this matter. Please understand that this is a security
measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP638

// Limited Account – Please Restore Your Account Access

Let’s start at the top. First it says the sender is Paypal. On closer inspection you will find it claims to be from noreplay@sec.mail.com which is actually mail.com a place where anyone can set up a free e-mail account. This is your first clue, but don’t assume just because an e-mail says it is from, let’s say paypal.com, it really is. The sender e-mail is easily spoofed to say anything.

The second clue is the link they provide. What you see in my post is the way it looked in the e-mail. However, that is not where you would go if you clicked on the link in that e-mail. If you placed your mouse over the link, you would see paypal.com, however this was also spoofed. The actual link went to mail.empl.hu, BTW; I have already reported this site but when I checked the domain registration, this domain was registered back in Feb. 2010 and chances are it could remain active. Phishing sites registered in the U.S. are usually shut down fast, but when they are registered in other countries, it can be much harder or next to imposable to get the registrar to disable the domain name.

I don’t suggest try the following, but I went to the site to see how good of a fake it was. Many times the fake site will have errors like bad grammar. This site is a very good fake, or was. I reported it earlier and will tell you how to do the same at the end of this article, it appears to have been taken down already. Anyways, this site was an actual clone of the paypal site. When I inspected the source code of it, while it was still operating, all of the links except the login, were actually paypal’s. They copied the Paypal page and only modified the login page. So if you clicked on anything other than login, you would end up back at the real Paypal site. The site is down now so I don’t know what would happen if I tried the to login. One technique I have used in the past is to use a made up e-mail and password. Most likely, what would happen would be it would let me in, even though my user name and password was not real, they would not know this. The owner of this site would then have captured the account name and password. And more than likely I would have either been redirected to the real Paypal site or they would have set up another page with something like, we suspect fraudulent activity on your account and we need you to enter your account information. Then you would be asked to enter all your account information like full name, address, phone number, and social security number. Then you may get a message thanking you for the information and your account has been verified. At this point you have just had your identity stolen. You have just handed over all your account and identity information to the crooks.

However, just by “logging in” you have given them enough information to get into your account. Keep in mind that just visiting a site like this exposes you to fraud. When you visit a phishing site, they may try to attack your computer by installing software on to your computer with out your knowledge. This software, which I call malware but is also referred to as crimeware, can run on your computer without your knowledge and logs all you keystrokes. If you go to any website and type in your name and password, it has just been captured and uploaded some place that the crooks can access it.

Now I would also like to point out something in the content of this e-mail. One of the common tricks used by phishers is to tell you that you will lose access if you don’t respond immediately. They will either tell you to click on a link in the e-mail, or reply to the e-mail or call a phone number. If you receive an e-mail asking you to verify your account, unless you requested it by clicking on a I lost my password link at the site before hand, do not respond to it, do not click on any link it contains, do not open an attachment, do not call any phone number it contains. Banks will never send out an e-mail requesting this information. If you still think it may be a real request, contact them yourself directly. Do not use the information in the e-mail to contact them. Look up their phone number yourself, or get it from a directory assistance. Do not reply to the email, create a new e-mail and type in the e-mail address yourself if you already know it. Or open a new browser window and type in the address yourself if you know it and if you don’t, use a search engine. What you are trying to avoid is using any part of the email you received. That includes phone numbers, links, or replying to the e-mail.

And now you should report it. You can do some good and help other from falling victim to a phishing scam and it’s very easy. Just forward a copy of the suspected e-mail to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org You can also visit US-CERT & Anti-Phishing Working Group. You can also do a search for report phishing if you would like to find other places to report it to. I reported the example in this article to US-CERT and antiphishing.org before I started writing this and the site was down before I wrote half this article.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

First we have this one from “UPS”

From: UPS Manager Romeo Law [delivery@ups.com]

Subject:  UPS Delivery Problem NR 08488.

Dear customer!

We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Dear customer!
We failed to deliver the package sent on the 6th of January in time

because the recipient’s address is incorrect.Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

attachment: UPS_invoice_NR34587.zip

NOD32 identifies the virus in this attachment as virus Win32/Oficla.CX trojan. A couple of ways you can tell this is fake, besides the attached virus are; why would UPS wait a couple of weeks to notify you of this? Do they really sign their e-mail United Parcel Service of America? They tell you to pick it up at the office but there is no address or contact info for the office. Just thought I’d point this out.

Next we have one from DHL:

From: Manager Gabrielle Bird [customer@dhl.com]

Subject: DHL Office. Get your parcel NR.4486

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Global Forwarding Services.

attachments: DHL_label_Nr2385.zip > ZIP > DHL_label_Nr2385.exe

ESET-NOD32 Identifies the virus in this attachment as Win32/TrojanDownloader.Bredolab.BE trojan

In case you don’t know this already, never run an .exe file you get in e-mail. Nothing good ever comes from running an .exe you received in e-mail.

Watch out for these or variants of them.

Over on a google forum is a link to my first post on removing Fast Browser Search from Firefox. So I subscribed to that thread and today when I checked my e-mail, I found this in it, how to remove Fast Browser Search from IE7 & IE8

Re: [Web Search Help] How do I remove “Fast Browser Search”?

Inbox X

Reply

|
Google Help
to me

show details Oct 14 (9 days ago)

from Google Help
to
date Wed, Oct 14, 2009 at 12:35 AM
subject Re: [Web Search Help] How do I remove “Fast Browser Search”?
mailed-by confucius.bounces.google.com
signed-by google.com

hide details Oct 14 (9 days ago)

Kundan555 has posted an answer to the question “How do I remove “Fast Browser Search”?”:

PLEASE FOLLOW THE INSTRUCTIONS AND RESOLVE THE ISSUE FOR IE8 AND IE7.

=================================================================

Please uninstall fast browser from the program and features in vista and, add and remove program in XP. Then

To fix the new tab issue you need to be comfortable using regedit. Run regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs

under Tabs, clear the fastwebsearch junk and input the following as value data:

res://ieframe.dll/tabswelcome.htm or any entry related with fastbrowser listed over there.

close and restart IE.

I have been unable to verify this, however my knowledge of the registry tells me this could fix it and would be worth trying. Just be CAREFUL any time you run regedit. Messing around in the registry could really bork your system.

Here’s the links to my other Fast Browser Search removal posts

http://www.pccybertek.com/2009/08/my-web-tattoo-fast-browser-search-search-gurad-plus-uninstall-removal/

http://www.pccybertek.com/2009/08/more-my-web-tatto-removal-information/

http://www.pccybertek.com/2009/07/removing-my-web-tattoo-phone-number/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-removal-update/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-remove-part-1/

http://www.pccybertek.com/2009/05/remove-fast-browser-search/

The story thus far. For some reason I decided to install web tattoo. I knew it was probably going to install something else. Rule #1 – Programs on the internet that claim to be free, especially add-ons for social sites, aren’t really free. I just figured I could uninstall whatever it slipped in. After I uninstalled Web Tattoo, from FireFox and using add and remove programs in the windows control panel, and it was still redirecting my traffic to Fast Browser Search, I’d just remove it with Spybot or Ad-Aware or Hi-Jack This and remove it from the registry. However, none of these detected it and I couldn’t find any sign of it in the registry. Then I did a search on the internet and couldn’t find anything about removing it either. So I did some thinking and figured out how to remove it. Seeing how there was such a lack of articles dealing with this pest, I figured it would be the perfect thing for my blog. So I wrote this article on how I removed it from FireFox .

Next thing I know there’s a spike in the traffic coming to my little unknown blog. I was happy to learn that referrers were search engine results for “fast browser remove” and other similar queries. All of them looking for a way to take out this blasted thing. For a short time, my blog was on the first page in google if you were searching for a way to remove it. This got me pretty jazzed. I’ve had this blog for a couple years but never had much traffic before. After a couple weeks, the traffic to that article I wrote started tapering off. I was no longer in the first page or two when people searched for it. Then all the sudden it spiked again. Turns out someone on a google forum had Fast Browser Search take over their browser. Next thing I know I’m getting a ton of hits again, this time all comming from this post. Now if the people this helped would just click on my google adds, I could earn a couple cents in this tough economy

There was only one problem. My article only covered how to remove it from FireFox. Turns out there are plenty of people with Internet Explorer who have been attacked by this scourge known as Fast Browser Search. So here is what I’m going to do. Initially I was going to install Windows XP on a virtual Machine. But this would take quite some time and work before I could deliberately infect myself with Fast Browser Search. So I decided to take a short cut. After I’m done writing this, I’m going to create a new user account in windows, head over to Facebook and install Web Tattoo while using Internet Explorer. Then I’m going to figure out how to remove it and write part 2 of this article. So check back in a day or so, hopefully it won’t take me longer than that to figure out. If you would like to show some appreciation, click on my google adds, or leave me a reply. I love getting replies and hearing from you.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

Phishing is what they call those e-mails that attempt to trick you into giving up personal information, usually financial, which is then used to steal your identity and rape your bank account and or credit cards.

The latest one, I have seen, is using some old tricks but with new bait. The e-mail appears to come from Google’s Adsense program. It warns you that you will not receive any more payments, unless you update your information. Which you can do with the link provided in said e-mail.

To the average user, everything might look ok at first glance. However, if you try to reply to the e-mail, it will bounce back. If you click on the Google AdSense link that is provided, you will most likely end up at a domain that has google and adsense in it. But on closer inspection you will see there is more to the domain, like a .tw or other domain. Don’t be fooled by how the page looks like the real thing.

So if you get one of these e-mails, don’t click on it. And if you do have a Google Adsense or any other account, that you have received an e-mail informing you that it needs updating, never click on the link in the e-mail. It’s very easy to forge a link in any e-mail and is common in phishing scams. Type the address directly into your browser, or use google or some other search engine to find it for you.

Stay tuned for an article on how to spot phishing scams.