The practice of trying to trick someone into giving out their personal information, such as bank account, social security number, even your name and address, is called phishing. The goal of phishing is identity theft.

I received this e-mail last night. First lets, take a look at the e-mail itself and then I will point out some items of interest and common techniques used by phishers. And finally, what you can do to help in the fight against phishers.

Subject Notification from Billing Department
Sender Paypal
Date Fri 10:00

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently
contacted you after noticing an issue on your account. We requested information from you for the
following reason:

We have reason to believe that your account was accessed by a third party. We have limited
access to sensitive PayPal account features in case your account has been accessed by an
unauthorized third party. We understand that having limited access can be an inconvenience, but
protecting your account is our primary concern.

Case ID Number: PP-308-080-099

This is a second reminder to log in as soon as possible, to your PayPal account at
https://www.paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 .

Be sure to log in securely by opening the provided PayPal link. Once you log in,
you will be provided with steps to restore your account access. We appreciate your
understanding as we work to ensure account safety.

In accordance with PayPal’s User Agreement, your account access will remain limited until the
issue has been resolved. Unfortunately, if access to your account remains limited for an extended
period of time, it may result in further limitations or eventual account closure. We encourage you
to log in to your PayPal account as soon as possible to help avoid this.

We thank you for your prompt attention to this matter. Please understand that this is a security
measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP638

// Limited Account – Please Restore Your Account Access

Let’s start at the top. First it says the sender is Paypal. On closer inspection you will find it claims to be from noreplay@sec.mail.com which is actually mail.com a place where anyone can set up a free e-mail account. This is your first clue, but don’t assume just because an e-mail says it is from, let’s say paypal.com, it really is. The sender e-mail is easily spoofed to say anything.

The second clue is the link they provide. What you see in my post is the way it looked in the e-mail. However, that is not where you would go if you clicked on the link in that e-mail. If you placed your mouse over the link, you would see paypal.com, however this was also spoofed. The actual link went to mail.empl.hu, BTW; I have already reported this site but when I checked the domain registration, this domain was registered back in Feb. 2010 and chances are it could remain active. Phishing sites registered in the U.S. are usually shut down fast, but when they are registered in other countries, it can be much harder or next to imposable to get the registrar to disable the domain name.

I don’t suggest try the following, but I went to the site to see how good of a fake it was. Many times the fake site will have errors like bad grammar. This site is a very good fake, or was. I reported it earlier and will tell you how to do the same at the end of this article, it appears to have been taken down already. Anyways, this site was an actual clone of the paypal site. When I inspected the source code of it, while it was still operating, all of the links except the login, were actually paypal’s. They copied the Paypal page and only modified the login page. So if you clicked on anything other than login, you would end up back at the real Paypal site. The site is down now so I don’t know what would happen if I tried the to login. One technique I have used in the past is to use a made up e-mail and password. Most likely, what would happen would be it would let me in, even though my user name and password was not real, they would not know this. The owner of this site would then have captured the account name and password. And more than likely I would have either been redirected to the real Paypal site or they would have set up another page with something like, we suspect fraudulent activity on your account and we need you to enter your account information. Then you would be asked to enter all your account information like full name, address, phone number, and social security number. Then you may get a message thanking you for the information and your account has been verified. At this point you have just had your identity stolen. You have just handed over all your account and identity information to the crooks.

However, just by “logging in” you have given them enough information to get into your account. Keep in mind that just visiting a site like this exposes you to fraud. When you visit a phishing site, they may try to attack your computer by installing software on to your computer with out your knowledge. This software, which I call malware but is also referred to as crimeware, can run on your computer without your knowledge and logs all you keystrokes. If you go to any website and type in your name and password, it has just been captured and uploaded some place that the crooks can access it.

Now I would also like to point out something in the content of this e-mail. One of the common tricks used by phishers is to tell you that you will lose access if you don’t respond immediately. They will either tell you to click on a link in the e-mail, or reply to the e-mail or call a phone number. If you receive an e-mail asking you to verify your account, unless you requested it by clicking on a I lost my password link at the site before hand, do not respond to it, do not click on any link it contains, do not open an attachment, do not call any phone number it contains. Banks will never send out an e-mail requesting this information. If you still think it may be a real request, contact them yourself directly. Do not use the information in the e-mail to contact them. Look up their phone number yourself, or get it from a directory assistance. Do not reply to the email, create a new e-mail and type in the e-mail address yourself if you already know it. Or open a new browser window and type in the address yourself if you know it and if you don’t, use a search engine. What you are trying to avoid is using any part of the email you received. That includes phone numbers, links, or replying to the e-mail.

And now you should report it. You can do some good and help other from falling victim to a phishing scam and it’s very easy. Just forward a copy of the suspected e-mail to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org You can also visit US-CERT & Anti-Phishing Working Group. You can also do a search for report phishing if you would like to find other places to report it to. I reported the example in this article to US-CERT and antiphishing.org before I started writing this and the site was down before I wrote half this article.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

If you follow this blog, you know that I did an article on the first stable release of Namp http://www.pccybertek.com/2010/01/nmap-5-20-released yesterday. Now that it has been out for a week, Fydor has already released another update, Namp 5.21 which is also a stable
release and not a beta. It’s mainly just a bug fix release. So I have updated the download section here with a link to the 5.21 release, which is on the right column about 3/4 of the way down the page. My download link is directly to the file on the insecure.org website or you can go to the Nmap download page yourself.

But I don’t want to just tell you about the update, I’d like to offer you some more since you took the time to stop by here. So here is a link to Iron Geek’s Baisc Nmap Tutorial video. And if already know the basics and would like to move on to some more advanced lesson, here is Iron Geek’s Nmap Video Tutorial 2: Port Scan Boogaloo Happy port knocking.

Some how this one slipped by me because it was published by Adobe on the 19th.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided above.

This update resolves a buffer overflow vulnerability that could potentially lead to code execution (CVE-2009-4002).

This update resolves multiple integer overflow vulnerabilities that could potentially lead to code execution (CVE-2009-4003).

Download Adobe Shockwave Player version 11.5.6.606  here

You can find out which version you have by going here Test Adobe Shockwave Player

So much for the internal workings, now lets move on to some of the cool upgrades.  There are 31 new Nmap Scripting Engine (NSE) scripts which brings the total up to 80. These NSE scripts are one of my favorite features of Nmap. These scripts allow me to run Nmap in ways I never even thought about. I’m one of those people who learns better by example so the included scripts helps me to have a better understanding of how to write my own NSE scripts. Check out the complete list of NSE scripts.

There has also been an increase in the OS fingerprints, thanks to user submitted fingerprints and many corrections. Some of the more interesting new fingerprints include Google’s Android Linux (for smart phones), Mac OS X 10.6 (Snow Leopard), The Chumby (an internet radio player), a bunch of printers and routers for a total of 1349 fingerprints. This is including the 40 new vendors, 342 new fingerprints and 81 corrections.

Speaking of databases, the OS detection has seen some real growth. Thanks to user submissions, 2,576 of them since Feb. 2009, more than a thousand signatures have been added. That many users submissions shows the kind of community support Nmap has earned.

Nmap started out as a command line tool. But don’t let that scare you away from trying it out if you never have before. There is also a GUI (graphical user interface) called Zenmap that comes packaged with it. Zenmap has also seen improvements. You can now filter the results in Zenmap. So say you have performed a scan and have a lot of results but you just need to see the computers running Linux or a particular service like IIS. You can now apply a filter to your scan results and just have a list of  those machines which are running it.

These are just a few of the improvements made to Nmap since version 5.00 and you can get a complete list of the changes since 5.00 from the release notes. Or just download it and give it a try. There is a release for just about any OS you have. If you work with networks at all, you owe it to yourself to give Nmap a try.

There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader

quoted from Adobe.com

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

I didn’t bother looking up what this patch is for, but not long ago there was a new exploit floating around so I imagine this is what it’s for.

Yes, that’s right. The essential network scanner, nmap, has made it to version 5. If you are unfamiliar with nmap, it’s a must have tool for anyone who does anything with networks. It’s the greatest port scanner around. And you can get it for just about any OS. But nmap is much more than just a port scanner. It can be used for more than just seeing what ports are open. You can also use it for its OS detection, among other things, and you can even use it to find the conficker virus on remote computers. It’s available as a command line tool and for those who prefer a gui, it also comes with zenmap which is a graphical front end for it.

My thanks to Fydor and the nmap development team for constantly updating this awesome tool and never being satisfied with the status quo. Now let me quote insecure.org

July 16, 2009 — Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

You can find a list of the changes here and be sure to download it.