This is why I don’t use ad-blocking plugins: so I can point out stuff like this

February 12, 2014

Today I checked out the weather forecast at Weather.com, mostly to confirm my suspicions that yes, this winter is going to be eternal and that it’s never going to rise above four degrees for the rest of my life.

(Okay, the actual forecast wasn’t that bad, and it’s actually going to get a little warmer very soon, but still.)

I noticed this banner ad in the right-side column where Weather.com usually puts them (among other locations):

[Image: 2014-02-12-junkware]

Looks important, doesn’t it? Like your security software is telling you something is wrong, right?

Yeah, well, it’s not. It’s an advertisement. Good thing the ONLY indication is the little Google AdWords logo in the upper right corner, eh?

Now, I don’t know exactly what this advertisement leads to, but as far as I’m concerned, they’re using deception to trick people into clicking on it. That makes me think of ransomware, because it’s almost the exact technique used by makers of that type of malicious software. Click on it and you may find your computer locked down until you pay $80 or more to some crook.

I wish I could issue “just never click on anything” as a general rule, but it’s sort of hard to use the Internet without clicking on something now and then. I would suggest this, though: if you see an ad like this on a major website, click on that little triangle AdWords logo (click carefully…you don’t want to click on the ad itself!) and use the submission form to tell Google about it. Google’s AdWords system is great because it allows access to online advertising for businesses of all sizes, but that wide-openness also means a lot of scammers get their greasy little banner ads through. It’s like those “work at home” scams in the old print newspapers, only a couple hundred million times larger in scope.


2 people are not spying on you

August 13, 2013

Have you seen this (or something similar) show up on a website lately?

I said DON'T click on it!

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.


Alert for businesses: beware of fake BBB complaint emails

January 18, 2013

I received an email recently that highlights the importance of business owners and employees being aware of various types of fraud activity:

From: Better Business Bureau <[redacted]@newyork.bbb.org>
Subject: Case #28475466
Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 17, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

There was a 102KB file attached to the message named “Complaint Case  #28475466.zip”. Except for the fact that it appeared to come from a Better Business Bureau office a thousand miles away, it looked pretty legitimate.

However, looks can be very deceiving.

According to a report from Cisco, the attachment is an executable file that contains malicious code. They don’t specify what that malware is, but given the nature of the message I would guess it’s designed to log keystrokes or use some other method to steal online banking credentials from businesses. Once they’ve got account numbers and passwords, they wire thousands of dollars out of payroll, expense and other accounts, then use their network of (unwitting and witting) money mules to launder the ill-gotten funds.

So here’s the lesson today: if you receive a message like the one above, do not under any circumstances open the attached file. If you think there might be a legitimate complaint from the Better Business Bureau, contact them directly. It’s a general rule, but in this case it applies more specifically to business owners and their employees.


Beware LinkedIn phishing emails

October 17, 2012

Here’s a screenshot of an email message I got the other day:

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):

I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:

Unless you know who the message is from and what it contains, never click on that box.


Email Scam/Malware Alert: “Corporate eFax message”

October 4, 2012

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit http://www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouse over it says another, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: http://www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. http://www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.
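The mouseover check can also be run over a message's HTML body in bulk, and the same test covers the LinkedIn message above, where none of the five links led to LinkedIn.com. The script below is an added example, not part of the original post. It assumes you have the HTML part of the message and know the domain the brand really uses; `LinkCollector`, `host_of`, `in_domain` and `audit` are illustrative names, and the sample destinations are placeholder hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def in_domain(host, domain):
    """True for the domain or a real subdomain of it, not a look-alike."""
    return host == domain or host.endswith("." + domain)

def audit(html_body, sender, brand_domain):
    """Report what mousing over every link would show, plus the sender check."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not in_domain(sender_host, brand_domain):
        findings.append(("sender", sender_host))
    for text, href in collector.links:
        dest = host_of(href)
        if not in_domain(dest, brand_domain):
            findings.append(("off-brand link", text, dest))
        shown = text.lower().startswith(("http://", "https://", "www."))
        if shown and host_of(text) != dest:
            findings.append(("text/target mismatch", text, dest))
    return findings

# Constructed sample: text and sender as quoted in the post, placeholder destinations.
SAMPLE = """<a href="http://site-one.example/x/index.html">Click here to view this message</a>
<a href="http://site-two.example/y/index.html">http://www.eFax.com/en/efax/twa/page/help</a>
<a href="http://efax.com.site-three.example/z/">Login</a>"""
print(*audit(SAMPLE, "[redacted]@coderbit.com", "efax.com"), sep="\n")
```

The third sample link shows why the comparison is on the whole hostname suffix: a host that merely starts with the brand's name is still reported as off-brand.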

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and carry out other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

