Alert for businesses: beware of fake BBB complaint emails

January 18, 2013

I received an email recently that highlights the importance of business owners and employees being aware of various types of fraud activity:

From: Better Business Bureau <[redacted]@newyork.bbb.org>
Subject: Case #28475466
Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 17, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

There was a 102KB file attached to the message named “Complaint Case  #28475466.zip”. Except for the fact that it appeared to come from a Better Business Bureau office a thousand miles away, it looked pretty legitimate.

However, looks can be very deceiving.

According to a report from Cisco, the attachment is an executable file that contains malicious code. They don’t specify what that malware is, but given the nature of the message I would guess it’s designed to log keystrokes or use some other method to steal online banking credentials from businesses. Once they’ve got account numbers and passwords, they wire thousands of dollars out of payroll, expense and other accounts, then use their network of (unwitting and witting) money mules to launder the ill-gotten funds.

So here’s the lesson today: if you receive a message like the one above, do not under any circumstances open the attached file. If you think there might be a legitimate complaint from the Better Business Bureau, contact them directly. It’s a general rule, but in this case it applied more specifically to business owners and their employees.

1 Comment | Fraud | Tagged: , , , , , , | Permalink
Posted by Clint

Beware LinkedIn phishing emails

October 17, 2012

Here’s a screenshot of an email message I got the other day (click to enlarge):

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):

I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:

Unless you know who the message is from and what it contains, never click on that box.

Comments Off | Phishing | Tagged: , , , , | Permalink
Posted by Clint

Email Scam/Malware Alert: “Corporate eFax message”

October 4, 2012

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: http://www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. http://www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

1 Comment | Malware | Tagged: , , , , , , , , , , | Permalink
Posted by Clint

What to do about DNSChanger

July 6, 2012

It’s a long, long story. It starts with the arrest in November 2011 of six Estonian cybercriminals who managed to infect millions of computers with malicious software known as DNSChanger.

This malware would compromise search results, direct infected PCs to rogue websites, compromise antivirus software and insert rogue advertisements into legitimate pages. These guys made a load of money before they were nabbed.

However, even after the arrests, plenty of computers remained infected. The FBI set up temporary servers for infected PCs, but those will be coming down on July 9, 2012. In other words, if your computer or router is infected, you won’t be able to connect to the Internet, starting Monday.

(“Five Years” by David Bowie just popped into my head, but in this case, you’ve got about three days.)

The first thing you need to do is check to see of your machine is infected. The DNSChanger Working Group provides a list of sites that check your computer here. If it says you’re good to go, no additional action is required.

However, if you get a red light, you’ll have to fix your computer. The DCWG provides instructions here, along with links to tools that specifically remove the malware, but you may need to take your PC to a professional computer repair shop.

I’ve heard that about 70,000 computers are still infected (this one’s clean!), so it’s not as if the entire Internet is going to die on Monday (as some of the jumpier news sources have implied), but you still don’t want to find yourself unable to connect and cut off from solutions to the infection.

Comments Off | Computer Security | Tagged: , , , | Permalink
Posted by Clint

How to make sure you’ve got the latest version of Java (Windows users)

July 6, 2012

According to the excellent website Krebs on Security, a new Java exploit is set to go completely mushroom cloud on computers worldwide with outdated Java installations within the next few days.

The BlackHole Exploit Kit is used by cybercriminals for purposes various and nefarious, and is currently the most common web threat around. However, we won’t go into too much detail here about the malware itself. Instead, let’s talk about how to keep your Windows-based computer safe.

The first thing you need to do is find out if you have Java installed on your computer at all, and which version you’ve got. The easiest way to accomplish this task is to visit java.com and click the “Do I hava Java?” link. This takes you to a page with a big “Verify Java version” button:

Click the button and the site will tell you if you’ve got the recommended version of Java installed, which currently (as of July 6, 2012) is either Version 6 update 33, or Version 7 update 5. If it tells you to update, follow the on-screen instructions.

(If your computer is set up like mine, your web browser will ask you for permission to run the Java content on this page. At this point, you’ll know you’ve got it installed, but you still need to verify which version you’ve got. Click the “Run this time” button when prompted, and it will let you know if you have the recommended version.)

What if the site says you don’t have Java installed? Should you install it?

Naturally, the java.com website will suggest you do, but if you’ve been using your computer without it so far, I’d recommend not installing it at all. Java is currently the most popular channel through which exploits like the BlackHole pack are used, and new security holes are discovered all the time. If you’ve come this far without Java, there’s really no good reason to install it.

If you’ve got Java installed and want to keep it (there are still some websites that rely on it), make sure you’ve got the software set to check for updates at least once a week, but I recommend taking it a step further and checking daily. Here’s how.

1. Click the “Start” button, then select “Control Panel.”

2. Find the “Java” icon in the Control Panel window and double-click it.

3. Click the “Update” tab, then the “Advanced” version.

4. Select “Daily” and check what time of day it will check. I left mine on 11:00 PM. Click “OK.”

5. Click “Apply” and “OK.” You’re done!

Note: if the updater detects that a new version of Java is available, most of the time you’ll have to manually install the update. Your computer will prompt you when it’s time.

Comments Off | Computer Security | Tagged: , , , , , , | Permalink
Posted by Clint

« Previous Entries
Follow

Get every new post delivered to your Inbox.

Join 165 other followers