Category Archives: Phishing

The ‘Can You Hear Me?’ Scam (Or Maybe Not)

I’ve seen a few recent warnings about something many are referring to as the “Can You Hear Me?” Scam. Basically, someone will call, ask if you can hear them, wait for you to say “yes,” then hang up. Later, they make unauthorized charges to your credit card, and use the recording of you saying “yes” in court to “prove” you agreed to the charges.

Now, any reminder to NOT talk to strangers who call you on the phone or to engage with robocalls in any way is a good reminder, but if you’re like me, you might find a few holes in this specific warning.

For example, unless you have the weirdest credit card in the world and its number is “YES” for some reason, simply saying the word doesn’t automatically give the caller your card information. Despite the existence of Peanut Butter M&M’s, Gus’s World Famous Fried Chicken and the first Doc Watson album, magic isn’t actually real, and nobody can pull your credit card number out of your wallet simply by getting you to say “yes” one time. The scammer would have to already have this information before calling you.

Then, if they’ve already got your card information, why would they bother calling to trick you into appearing to agree to charges? In a vast majority of the cases I’ve seen, scammers aren’t interested in making their schemes complicated. They’re not going to use a recording of you saying “yes” in court because they’re never going to end up in court. If they have your card information, they’re just going to use it. They don’t need to track down a phone number associated with the card in order to get a “yes” they’re never going to need.

So this leaves us with…what, exactly? Is this a real scam? There do not appear to be any documented cases of “said yes/card was charged/disputed the charge/recording ‘proved’ I authorized the charge/no recourse.” But the calls appear to be actually happening, and you have to wonder: what are they up to?

It doesn’t matter. If you get a call and someone just says, “Can you hear me?” hang up. No matter what their intent, it’s not something you want to get involved in.

Even better, stop answering the phone every time it rings. Almost every phone scammer needs you to pick up the phone. If you don’t, you’ve already ruined their scheme. If you recognize a number, go ahead and pick it up, but let everyone else leave a message.

This may be just one of those stories that gets passed around on a better safe than sorry basis, but I like accuracy, and the story being shared by various online sources doesn’t add up. If you do get a call like this, just hang up. But consider letting all unfamiliar calls go to voicemail. It’s the safest method.

Sources:

  1. The Consumerist: If A Telemarketer Or Robocall Asks “Can You Hear Me?” Just Hang Up; It’s A Scam
  2. Snopes: ‘Can You Hear Me?’ Scam Warning

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

2013-10-01-mouseover

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.

Beware LinkedIn phishing emails

Here’s a screenshot of an email message I got the other day (click to enlarge):2012-10-17-fpu-01

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):

2012-10-17-fpu-031

I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:

2012-10-17-fpu-02

Unless you know who the message is from and what it contains, never click on that box.

FPU Noir: The Lost Messages on Facebook

BigComboTrailerNote: for maximum atmosphere, first scroll to the bottom of this post and play the YouTube video, and listen to the music while you read.

The night meowed at the window of the dingy third-floor office on the wrong side of town like a housecat left out in the rain, trying to draw my gaze from the hand of solitaire laid out on the desk between half-empty cups of cold coffee, old newspapers and an ashtray spilling over with stale butts. I glanced at the window and shuddered for some reason, then wondered who left all the spent Chesterfields there, seeing as how I don’t smoke. They made a good prop, though, so I returned to my cards. If I could just find the other red queen, I was set.

It was the kind of night that slithers through the gutters and alleyways, around garbage cans and dumpsters, up fire escapes and into the ventilation. It always finds a way in, always creeps up behind you, always gets you in the end. There was a knock at the door, and a woman entered.

She was one sad-luck dame by the look of her, all switchblade sadness and razor gloom, whatever that means. She was carrying a laptop computer (which seemed anachronistic given the setting, but this was the Fraud Prevention Unit, and these newfangled bean-counters were the rule these days).

She just stood there for a minute and looked unsure. “Are…are you the one they call ‘Sledge?'”

“That’s me,” I said. “Hank Sledge, Private Fraud Investigator.”

“Oh. I…oh.” She swayed on the spot, as if trying to decide something.

“C’mon, spill it, sister,” I spat.

“Well, it’s just…I got this email the other day and I don’t know what to do.”

I looked at the gray computer tucked under her arm. “And you figure some mug’s got you pegged as an easy mark? Toss that mill up here on the table. Let’s see what we got.”

She placed the laptop on the desk and hit the power button. It took a minute to start up, and the awkwardness hung in the air like burnt toast. “So…um…read any good books lately?” I started to say, but the machine was ready.

“This one right here,” she said, and I read the email.

The message said it was from Facebook, and if it was a ringer it was a darn good one. It went like this:

From: Facebook <notification+tnejvqakyz@notifierfacebook.com>
Subject: You have 3 lost messages on Facebook…

Facebook sent you a notification

You have 3 lost messages on Facebook, to recover a messages please follow the link below: http://www.facebook.com/profile.php?recover.messages=563f03b5d6f9

How to get back your lost messages on Facebook

At the bottom was a green button that said “Frequently Asked Questions.”

“Did you click on anything in this mess?” I said.

“No, I don’t think so.”

“You can’t think so. You either clicked or you didn’t. Think hard.”

“No, I didn’t. Jeez. Jerk.”

“Sorry ma’am. Hardboiled crime fiction. I have to talk to everybody that way.”

“Oh.'”

“Anyway,” I continued, “it’s good you didn’t click. This is a swindle through and through. See this?” I showed her the message header. “If it was from Facebook, it wouldn’t be coming from some ‘notifierfacebook.com’ domain.”

“And check this out.” I moused over the link. “It says ‘facebook.com,’ but it’s disguised. Every link in the message takes you to this weird ‘winesofworld.org’ website. Classic phishing message. These punks either want to infect your computer with malware or steal your password. There’s also the crummy English; see where it says, ‘to recover a messages?’ Makes no sense. Finally, there’s no such thing as ‘lost’ messages on Facebook.”

Her eyes were dinner plates. “So what do I do with it?”

“If I was you, lady, I’d drill it with my heater,” I spat.

“What?”

“Just delete it.”

“Oh,” she said, and snapped the laptop shut. “Okay, cool. Thanks. Nice hat, by the way.”

I nodded thanks as she disappeared out the door and went back to my game. Black eight to red nine. The card underneath was the queen of diamonds. “There’s my lady,” I murmured over the lonesome wail of a siren echoing across the night.

Craigslist phishing

I got this lovely message just the other day:

From: notice@craigslist.org
Subject: Confirmation for Posting ID #981651681

Confirmation for Posting ID #981651681

Your ad, titled “SONY PLAYSTATION 3 METAL GEAR SOLID 4 PS3 80GB BUNDLE!”, has been posted as follows:

http://singapore.craigslist.org/ele/981651681.html (electronics)

Posts will appear in the list of postings and in search results in about 15 minutes. If you are trouble finding them,
please check our help page at http://www.craigslist.org/about/help/where.html

Please login into your account if you need to edit of delete your posting:
http://accounts.craigslist.org/login

If you did not post this ad please change your account password asap:
http://accounts.craigslist.org/login/chgpwd

For your protection please check our list of common scams: htttp://www.craigslist.org/about/scams.html

Thanks for using craigslist!

The only problem is, all the links are disguised; they actually lead to a site hosted at cen.thegigabit.com. I guess you’re supposed to go, “Whoa! I’m not selling a Playstation! I gotta fix this now!” and start clicking.

Here’s the thing I don’t get: why are they trying to steal Craigslist passwords? To my knowledge, Craigslist isn’t like eBay where you pay through the site itself; don’t Craigslist buyers just contact the seller and arrange for payments on their own? Is it that difficult to just create a fake Craigslist account from which to run your cashier’s check and wire transfer scams?

I just don’t get it. Somebody fill me in if I’m wrong about this; I don’t use online classifieds at all, so I don’t know firsthand how it works.

Dumb Spam Time: Deactivation of Your Email Address

Here’s a message I got just the other day. It’s pretty goofy.

From: Tom Lavigne
To:  [blank]
Date: Wednesday, June 08, 2011 9:27:37 AM 
Subject: Deactivation of Your Email Address

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent automatically by the computer. If you are receiving this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code:505)receiving from this email address. Click here and fill out the required field to resolve this problem Note: Failure to reset your email by ignoring this message or inputting wrong information will result to instant deactivation of this email address

Normally I include the email address when I paste these, but apparently Tom is a real person whose email address has been used without his authorization. I don’t want to make it look like some YMCA in Massachusetts is running a phishing scheme.

Anyway, let’s poke holes in it!

  1. Execrable grammar and usage. It used to be that tech people weren’t always the best writers (see also: any software manual written between 1980 and 1995 or so), but “will result to instant deactivation?” No.
  2. “Click here” links to a TinyURL site. Yeah, no.
  3. “This message is sent automatically by the computer.” Yeah. THE COMPUTER. Really? Really? No technical support team would ever use that sentence, because it makes zero sense.
  4. “Reset your email” also makes no sense. How do you reset an email? (You can, however, declare email bankruptcy).
  5. It’s asking you to click a hidden link and provide personal information. It might as well said, “Hi. This is a phishing attack. Can we have your password?”

App Store Scam targets iPhone and iPad users

If you’re an Apple iPhone or iPad user, be on the lookout for a recently discovered phishing scam, reported by security firm F-Secure.

It seems users of these devices are receiving emails informing them that their recent App Store purchase has been successfully cancelled. There is a link for order information, but it actually takes users to one of those pharmacy websites where they try to mine personal information.

The above linked article tells you more about it, and they make an excellent point: while the emails currently direct you to a drugstore site, which most savvy Internet users will reject right away, what if they decide to build an App Store lookalike page? Lots more people will be tricked.

There was one part of that made me laugh, though:

[T]he phony Apple AppStore message appears in email inboxes immediately after you purchase an app from Apple’s legitimate App Store. F-Secure is not sure how the scammers know you just bought something from the App Store.

Oh, I can tell you right now how they know you just made an App Store purchase: people who have iPhones and iPad always just made an App Store purchase. Do you have one of these devices? You’ve been to the App Store today, haven’t you? Come on, admit it!

Maybe I’m just jealous of your neat-o phone. Or maybe I’m not. I’ll never tell. Welcome to the Fraud Prevention Unit: your source for ambiguous digs at vast swathes of popular culture.

Email links: perhaps I’ve been too alarmist

I have mixed feeling about something I heard about at the credit union recently. It seems that some of our members have taken my advice about links in email messages deeply to heart, to the point that they’re afraid to click a link in any message (even an expected, monthly newsletter from us!).

On one hand, I’m thrilled that some people are listening and learning. The vast majority of the traffic for this site comes from search engines (an unintended result; the original idea was to specifically reach people in our geographic area), so it’s good to know that local folks are getting hip to the fraud prevention tip as well.

On the other hand, perhaps I’m fomenting paranoia and fear with all the dire warnings.

Here’s the deal: if you’re getting a regular email communiqué, such as a monthly electronic newsletter, from a trusted source, it’s okay to use the links contained therein. No scammer is going to go through the trouble of creating a monthly newsletter, with constantly-changing articles about the latest promotions and happenings at a financial institution, and place low-pressure, soft-sell links at the bottom of the page (which is exactly what REGIONAL sends out during the first week of each month).

What you want to be wary of is those unexpected messages that try to jolt you into acting without thinking; “YOUR ACCOUNT HAS BEEN SUSPENDED!” screams the message. “CLICK HERE TO VERIFY YOUR ACCOUNT!”

That’s the stuff you need to avoid—the unexpected, urgent-sounding message that addresses you as “Dear Customer” or “Dead Cardholder” or that contains poor spelling and/or grammar, and that instructs you to verify your personal information. If you’ve got an account at a bank, credit union or creditor, they already have your personal information. If they didn’t, you wouldn’t have an account.

NACHA Phishing Email

History sure is repeating itself an awful lot lately. In a similar vein to the FDIC Phishing Emails I wrote about the other day, now there are malicious messages that claim to be from NACHA, which contain links to what is very likely some form of virus or spyware.

NACHA is the National Automated Clearing House Association (not to be confused with NACHO, a tasty corn chip-based snack). The organization is involved in networks that handle ACH transactions for financial institutions across the country. Much of what NACHA does is regulatory rather than operational in nature.

Here’s a sample of the email:

From: Information
Sent: Thursday, July 22, 2010 8:27 AM
To: Doe, John
Subject: Unauthorized ACH Transaction

Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

Naturally, the link is fake. In this case it probably executes malicious code on your computer.

Add NACHA to the list with the FDIC and NCUA—none of these organizations ever contacts consumers directly. NACHA doesn’t even handle actual ACH transactions; they’re involved in the setup of the networks that handle them.

It’s important to get in the habit of ignoring email. Even when it’s not phishing or scams, ignoring email is a great way to save time (for example, I almost never open anything with “FW:” in the subject line, because they’re almost always dumb).

But when messages like this arrive, you must make sure to never click on the links, even “just to see.” While many phishing messages take you to pages designed to steal personal information, many (if not most) phishing websites now give you a one-two phishing/malware punch; if they can’t get you to enter your account numbers, at least they can hit your computer with some spyware, which will be loaded and executed before you can even blink.