Alert for businesses: beware of fake BBB complaint emails

January 18, 2013

I received an email recently that highlights the importance of business owners and employees being aware of various types of fraud activity:

From: Better Business Bureau <[redacted]@newyork.bbb.org>
Subject: Case #28475466
Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 17, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

There was a 102KB file attached to the message named “Complaint Case  #28475466.zip”. Except for the fact that it appeared to come from a Better Business Bureau office a thousand miles away, it looked pretty legitimate.

However, looks can be very deceiving.

According to a report from Cisco, the attachment is an executable file that contains malicious code. They don’t specify what that malware is, but given the nature of the message I would guess it’s designed to log keystrokes or use some other method to steal online banking credentials from businesses. Once they’ve got account numbers and passwords, they wire thousands of dollars out of payroll, expense and other accounts, then use their network of (unwitting and witting) money mules to launder the ill-gotten funds.

So here’s the lesson today: if you receive a message like the one above, do not under any circumstances open the attached file. If you think there might be a legitimate complaint from the Better Business Bureau, contact them directly. It’s a general rule, but in this case it applied more specifically to business owners and their employees.


How phishing and work-at-home schemes work together

November 4, 2009

I just read a really eye-opening report from the Internet Crime Complaint Center (IC3) about how phishing emails, fraudulent ACH transactions and work-at-home schemes can be connected.

It starts with a “spear-phishing” message. Spear-phishing is a targeting form of phishing, made to look like it comes from someone you know, possibly a friend or employer. This message, rather than the usual phishing angle (“click this link to verify your account information”) will either contain a malware-infected attachment, or will link to a website that infects the user’s computer with malware.

This malware includes a keylogger program, which sends a record of keystrokes back to whoever originated the scheme. Once the victim logs into one of their financial institution accounts, this information is relayed back to the crooks.

At this point, the crooks will use either wire or ACH transfers to remove money from the victim’s account. However, it doesn’t end here.

The next victims in the process are those who have fallen for some form of work-at-home scheme (usually “processing payments” or similar). The money stolen from the first victim is wired into an account held by the next victim, who then transfers it back to the criminals, thinking they are actually processing a “payment” from the original victim.

So, they’re not just logging keystrokes to steal money from one group, they’re using a second set of victims to launder the money for them.

It would be brilliant if it weren’t so slimy.

This got me thinking about US Surveys, Inc., whom I wrote about a couple months ago. In doing research on this obvious mystery shopper scam, I actually came across a few victims who, at least for their first “assignment,” had actually made around $100. “They wired $900 into my Citibank account, then had me wire $800 back to them.” It was only on their second “assignment,” when they were asked to wire their own money first, that they began to wise up.

I thought that was kind of weird at the time. Were they actually paying you the first time just to earn your trust? It seemed like an awfully big gamble, since people were realizing that it was a scam soon afterwards (not to mention the risk of someone just taking the $900 and running).

Now it makes sense. The initial $900 was probably money stolen from a spear-phishing victim. That $100 these people had made was their payoff for helping someone launder money. They weren’t being ripped off initially, but they were helping a criminal conceal the source of funds.

The second, “Now wire us your money first” assignment was probably just an attempt at an extra payoff on their way out the door; by that point, the original victim (whose money was being laundered in the first transaction) had most likely discovered the fraud and locked the account. Thieves have to move quickly from victim to victim these days.

What all this leads me to is the following:

  1. Keep your virus protection up-to-date
  2. Learn about different types of scams so you’ll know what to watch for
  3. Do not become involved in work-at-home schemes that involve “processing payments” or wire transfers; these are money laundering schemes; the only real ways to legitimately work at home are to start your own business, or to work for a company that allows telecommuting
  4. The multi-level integration of these different types of fraud is terribly sophisticated; this is organized crime
  5. Because of #4 above, your best bet is just to avoid, avoid, avoid. Lose any big ideas you might have about trying to “scam the scammers”
  6. If you are a victim of this type of crime, in addition to the standard credit locks and police reports, file a complaint with the IC3; your information could help federal law enforcement stop this type of crime in the future.

How to avoid spyware and adware

September 15, 2009

I’ve said before that I don’t have the tech chops to get into an extremely detailed description of computer security issues, but I think its important to at least understand the basics. The minutiae of VBS or C+ programming doesn’t matter for our purposes here much as the following facts:

  1. There is a lot of malicious software out there
  2. It is important to know how to recognize it and how to avoid it
  3. It is important to keep your security software updated, and to make sure it is legitimate software from a trusted source

Let’s dive right in. Warning: this is one of my longer posts.

Basic Definitions

Malware: This is sort of an “umbrella term” for software intended to harm your computer. It includes (but is not limited to) spyware, misleading adware, viruses, worms and trojan horses.

Spyware: This is a term for software that, in some form, sends information from your computer to another entity without your consent. This information can be anything from words typed into search engines (Google, e.g.), websites visited or even keystrokes. Spyware can pose a serious identity theft risk, as it can relay financial account information (account numbers and passwords) to a third party.

Adware: Adware is software that displays advertising in some form. Not all adware is necessarily malicious (the free version of the Eudora email client contains benign adware), but sometimes it is. Often, spyware and adware are bundled together.

How Spyware and Adware Infect Your Computer

Some spyware is intentional. Some companies install keyloggers on their computers to keep tabs on employee computer use. I’m just guessing, but I’ll bet every letter you type into an FBI computer is logged.

However, the spyware I’m talking about is the kind that installs itself on your computer without your knowledge or consent. These programs can install through a variety of channels. Some of them are:

Backdoor: These programs exploit “holes” in your web browser or computer’s security features. You can become infected simply by visiting a website that has been set up to install malware, and you probably won’t even know it at the time.

Piggybacking: Sometimes software you want is bundled with software you might not want. Adware often shows up in this form, but other malware uses this method as well. I mentioned the free Eudora email client earlier. This is pretty benign adware—in return for not paying for the full version of the software, you put up with some banner ads, from which the software company earns revenue. However, you’ve also got examples like Bonzi Buddy, which was designed to appeal to children (and secretly send information about their web browsing habits to a third party). Bad scene.

Trojan Horses: A trojan horse is software that poses as useful or desirable software, but is actually spyware, adware or other malware. Some of the most common examples right now are Fake Virus Scan Pop-Ups, which I talked about a couple weeks ago. While visiting a website, a window pops up with a frantic message telling you that your computer is infected with a virus, and to click “OK” to run a scan now. This downloads software, some of which may actually even look like a real virus scanner, that can wreak havoc on your computer, to say nothing of the financial threat it could pose if it contains some really nasty spyware. I want to touch on a few examples of trojan horse software here:

MS Antivirus: This is a fake virus scanner that can disable your real antivirus and anti-spyware programs. Other than that, it’s mostly just annoying, but turning off your security software opens the door to all kinds of other infections. MS Antivirus goes by about a million different names, and it is constantly being updated to evade detection by legitimate security software, which just illustrates the importance of keeping your antivirus software updated. Pay for the subscription. It is worth it.

No-Adware: This was a trojan horse designed to confuse you with a name similar to Ad-Aware, which is a legitimate product. No-Adware is supposedly no longer considered “rogue” software, but you know what? I still haven’t forgiven them.

Tattoodle: This is an application that usually gets installed (intentionally) through Facebook. I don’t know yet if it’s malicious or just annoying, but I don’t think I care: it changes your browser’s homepage, makes itself difficult to remove and its logo is designed to make you think it’s related to Google. If it looks like malware and acts like malware, I call it malware. Just my opinion.

What To Do About Spyware and Adware

Sometimes spyware doesn’t have a whole lot of symptoms. A sudden increase in popup advertisements, constant frantic popups that claim your computer is infected, or just a sudden decrease in system performance can all be signs of a malware infection. I suppose having your identity or financial account information stolen could also be signs, but we’re not going to let it get to that point, are we?

First and foremost, it is of vital importance to install good antivirus and anti-spyware software, and to keep this software updated, even if that means paying for a subscription every year. Second and also foremost, it is vital to make sure this software is the real thing. Here are what I think of as the “Big Three” real, actual, non-malware computer security programs, along with some other software:

Norton: This is what I use. It currently comes in three versions for home users—AntiVirus, Internet Security, and 360, which range in price from $39.99 to $69.99 (although I’m pretty sure 360 is normally $79.99). As with all security software, you also have to subscribe to the updates every year, but it is well worth it.

McAfee: The Pepsi to Norton’s Coke, McAfee is another good one. It’s not my favorite, but I think that has to do more with the look and feel of the software than its actual functionality. As of this writing, its home computer versions range from $29.99 to $39.99, so it’s definitely more of a “budget” option. It works fine, though.

Kaspersky: This one actually originates from Russia. It is excellent antivirus software, and I’m pretty sure at one point years ago it was absolutely free to download and update. Alas, you have to pay for it now; prices are similar to Norton, ranging from $39.95 to $79.95.

Spybot Search & Destroy: This is free software that I highly recommend. It is not a replacement for any of the three antivirus softwares above, as it only concentrates on spyware and adware, but it is a great little backup program to have on hand. You’d be surprised how much potentially harmful stuff slips past your antivirus software. Beware of trojan horses with similar names—only get it from the website I’ve linked here.

Ad-Aware: This is similar to Spybot Search & Destroy. There is a free version still available, but you can also buy software from their site. To be honest, I haven’t used this one in a long time. Again, beware of imitators.

One final word on avoidance: I think there are certain types of websites that tend to contain more malware than others. You’re mostly safe when it comes to the giant corporate sites like Amazon, but I would never suggest you stick only to huge corporate sites.  You miss out on the whole democratic, DIY side of the Internet if you do that.

However, any time you’re viewing sites that offer pirated software, movies or music, or sites that appeal to the…ahem…prurient interests, you’re going to run into a lot more malware, especially in the form of trojan horses, than you might otherwise. So my advice is to go forth and browse, have fun and don’t be afraid to venture outside the “mall,” but try to avoid the seedy side of town.


Follow

Get every new post delivered to your Inbox.

Join 196 other followers