The practice of trying to trick someone into giving out their personal information, such as bank account, social security number, even your name and address, is called phishing. The goal of phishing is identity theft.

I received this e-mail last night. First lets, take a look at the e-mail itself and then I will point out some items of interest and common techniques used by phishers. And finally, what you can do to help in the fight against phishers.

Subject Notification from Billing Department
Sender Paypal
Date Fri 10:00

Dear PayPal Member,

As part of our security measures, we regularly screen activity in the PayPal system. We recently
contacted you after noticing an issue on your account. We requested information from you for the
following reason:

We have reason to believe that your account was accessed by a third party. We have limited
access to sensitive PayPal account features in case your account has been accessed by an
unauthorized third party. We understand that having limited access can be an inconvenience, but
protecting your account is our primary concern.

Case ID Number: PP-308-080-099

This is a second reminder to log in as soon as possible, to your PayPal account at
https://www.paypal.com/cgi-bin/webscr?cmd=_home-general&nav=0 .

Be sure to log in securely by opening the provided PayPal link. Once you log in,
you will be provided with steps to restore your account access. We appreciate your
understanding as we work to ensure account safety.

In accordance with PayPal’s User Agreement, your account access will remain limited until the
issue has been resolved. Unfortunately, if access to your account remains limited for an extended
period of time, it may result in further limitations or eventual account closure. We encourage you
to log in to your PayPal account as soon as possible to help avoid this.

We thank you for your prompt attention to this matter. Please understand that this is a security
measure intended to help protect you and your account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP638

// Limited Account – Please Restore Your Account Access

Let’s start at the top. First it says the sender is Paypal. On closer inspection you will find it claims to be from noreplay@sec.mail.com which is actually mail.com a place where anyone can set up a free e-mail account. This is your first clue, but don’t assume just because an e-mail says it is from, let’s say paypal.com, it really is. The sender e-mail is easily spoofed to say anything.

The second clue is the link they provide. What you see in my post is the way it looked in the e-mail. However, that is not where you would go if you clicked on the link in that e-mail. If you placed your mouse over the link, you would see paypal.com, however this was also spoofed. The actual link went to mail.empl.hu, BTW; I have already reported this site but when I checked the domain registration, this domain was registered back in Feb. 2010 and chances are it could remain active. Phishing sites registered in the U.S. are usually shut down fast, but when they are registered in other countries, it can be much harder or next to imposable to get the registrar to disable the domain name.

I don’t suggest try the following, but I went to the site to see how good of a fake it was. Many times the fake site will have errors like bad grammar. This site is a very good fake, or was. I reported it earlier and will tell you how to do the same at the end of this article, it appears to have been taken down already. Anyways, this site was an actual clone of the paypal site. When I inspected the source code of it, while it was still operating, all of the links except the login, were actually paypal’s. They copied the Paypal page and only modified the login page. So if you clicked on anything other than login, you would end up back at the real Paypal site. The site is down now so I don’t know what would happen if I tried the to login. One technique I have used in the past is to use a made up e-mail and password. Most likely, what would happen would be it would let me in, even though my user name and password was not real, they would not know this. The owner of this site would then have captured the account name and password. And more than likely I would have either been redirected to the real Paypal site or they would have set up another page with something like, we suspect fraudulent activity on your account and we need you to enter your account information. Then you would be asked to enter all your account information like full name, address, phone number, and social security number. Then you may get a message thanking you for the information and your account has been verified. At this point you have just had your identity stolen. You have just handed over all your account and identity information to the crooks.

However, just by “logging in” you have given them enough information to get into your account. Keep in mind that just visiting a site like this exposes you to fraud. When you visit a phishing site, they may try to attack your computer by installing software on to your computer with out your knowledge. This software, which I call malware but is also referred to as crimeware, can run on your computer without your knowledge and logs all you keystrokes. If you go to any website and type in your name and password, it has just been captured and uploaded some place that the crooks can access it.

Now I would also like to point out something in the content of this e-mail. One of the common tricks used by phishers is to tell you that you will lose access if you don’t respond immediately. They will either tell you to click on a link in the e-mail, or reply to the e-mail or call a phone number. If you receive an e-mail asking you to verify your account, unless you requested it by clicking on a I lost my password link at the site before hand, do not respond to it, do not click on any link it contains, do not open an attachment, do not call any phone number it contains. Banks will never send out an e-mail requesting this information. If you still think it may be a real request, contact them yourself directly. Do not use the information in the e-mail to contact them. Look up their phone number yourself, or get it from a directory assistance. Do not reply to the email, create a new e-mail and type in the e-mail address yourself if you already know it. Or open a new browser window and type in the address yourself if you know it and if you don’t, use a search engine. What you are trying to avoid is using any part of the email you received. That includes phone numbers, links, or replying to the e-mail.

And now you should report it. You can do some good and help other from falling victim to a phishing scam and it’s very easy. Just forward a copy of the suspected e-mail to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org You can also visit US-CERT & Anti-Phishing Working Group. You can also do a search for report phishing if you would like to find other places to report it to. I reported the example in this article to US-CERT and antiphishing.org before I started writing this and the site was down before I wrote half this article.

The first one I have a feeling might trick a few people. It claims to be from the iTunes Store..

From: iTunes Store [certificate@itunes.com]
Subject: Thank you for buying iTunes Gift Certificate!

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00 You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

The payload is in the attachment iTunes_certificate_497.zip which contains the file iTunes_certificate_497.exe
ESET NOD32 identifies this as Win32/Oficla.GT trojan

Next up, are 3 variations of the, we missed you and couldn’t deliver something scam.

From: DHL Support Kimberly Parsons [delivery@dhl-usa.com]
Subject: DHL delivery problem Nr22755.

Hello!

We were not able to deliver the postal package sent on the 8th of March in time because the addressee’s address is not correct.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Services.

From: DHL Manager Javier Stratton [courier@dhl-usa.com]
Subject: DHL delivery problem Nr00684.

Dear customer!

We were not able to deliver the postal package which was sent on the 21st of February in time because the addressee’s address is wrong.
Please print out the invoice copy attached and collect the package at our office.

DHL Express Services.

From: Service Manager Chandra Morales [manager@ups.com]
Subject: UPS Delivery Problem NR 52979.

Dear customer!

We failed to deliver postal package which was sent on the 15th of February in time because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Services.

The attachments for these were:
DHL_invoice_6817.zip which is Win32/Oficla.GQ trojan
DHL_invoice_2817.zip which also is Win32/Oficla.GQ trojan
UPS_invoice_5978.zip – which is a variant of Win32/Injector.BNG trojan

Remember to keep an eye out for fake Mother’s day scams too.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

Well I just looked at my page stats and I see I’m getting close to the 1000 again. So when I get home tonight I’m going to post at least one new article. It’s one I have been saving or I should say it’s an answer to a previous problem I had been working on and talked about here. The search results redirection malware that I was trying to remove. I found something that got rid of it! Anyways, I don’t want to say too much right now or else I won’t have anything to write about now will I.

Sorry for slacking off. Two years or so ago I wasn’t even getting 100 page views a day, much less 100 visitors. When my traffic started climbing every month by like 50%, I guess I got spoiled. And when it peaked in December, I should have been ready for the decline. It was just nice to know that people were actually reading what I put on here. And now that I see that’s happening again, I’ll get back to work. Thanks for stopping by

-Chris / PC CyberTek

It seems that using hardware video acceleration was the culprit. Once I disabled it, everything worked fine. This is easy to do. Just right mouse click on the video that is playing. Then a window should open that says Adobe Flash Player Settings. Select settings and then uncheck the box that says enable hardware settings. If you don’t have that option, you may need to click on the icon at the bottom right of that window. It looks like a monitor with a paintbrush. And that’s it. Your videos should now play in full screen mode without the video freezing.

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

First we have this one from “UPS”

From: UPS Manager Romeo Law [delivery@ups.com]

Subject:  UPS Delivery Problem NR 08488.

Dear customer!

We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Dear customer!
We failed to deliver the package sent on the 6th of January in time

because the recipient’s address is incorrect.Please print out the invoice copy attached and collect the package at our office.
United Parcel Service of America.

attachment: UPS_invoice_NR34587.zip

NOD32 identifies the virus in this attachment as virus Win32/Oficla.CX trojan. A couple of ways you can tell this is fake, besides the attached virus are; why would UPS wait a couple of weeks to notify you of this? Do they really sign their e-mail United Parcel Service of America? They tell you to pick it up at the office but there is no address or contact info for the office. Just thought I’d point this out.

Next we have one from DHL:

From: Manager Gabrielle Bird [customer@dhl.com]

Subject: DHL Office. Get your parcel NR.4486

Hello!

The courier service was not able to deliver your parcel at your address.

Cause: Mistake in address

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Global Forwarding Services.

attachments: DHL_label_Nr2385.zip > ZIP > DHL_label_Nr2385.exe

ESET-NOD32 Identifies the virus in this attachment as Win32/TrojanDownloader.Bredolab.BE trojan

In case you don’t know this already, never run an .exe file you get in e-mail. Nothing good ever comes from running an .exe you received in e-mail.

Watch out for these or variants of them.

If you follow this blog, you know that I did an article on the first stable release of Namp http://www.pccybertek.com/2010/01/nmap-5-20-released yesterday. Now that it has been out for a week, Fydor has already released another update, Namp 5.21 which is also a stable
release and not a beta. It’s mainly just a bug fix release. So I have updated the download section here with a link to the 5.21 release, which is on the right column about 3/4 of the way down the page. My download link is directly to the file on the insecure.org website or you can go to the Nmap download page yourself.

But I don’t want to just tell you about the update, I’d like to offer you some more since you took the time to stop by here. So here is a link to Iron Geek’s Baisc Nmap Tutorial video. And if already know the basics and would like to move on to some more advanced lesson, here is Iron Geek’s Nmap Video Tutorial 2: Port Scan Boogaloo Happy port knocking.

Some how this one slipped by me because it was published by Adobe on the 19th.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided above.

This update resolves a buffer overflow vulnerability that could potentially lead to code execution (CVE-2009-4002).

This update resolves multiple integer overflow vulnerabilities that could potentially lead to code execution (CVE-2009-4003).

Download Adobe Shockwave Player version 11.5.6.606  here

You can find out which version you have by going here Test Adobe Shockwave Player