Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks


Tag: phishing

Epsilon Risks Downplayed

Posted by Andrew at 5:32 PM on April 11, 2011

The theft of names and email addresses from Epsilon has reached across the Atlantic. Last week I received notification from two UK companies, one of which is a household and high street name, Marks and Spencer, the other is Crucial UK, who will be familiar to almost anyone who has bought computer memory. I’ve included the content from both of the organisations.

Marks and Spencer
We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.
We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.
We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Crucial UK
On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.
We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.
For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

I think both of these responses are poor. For one, it’s fairly clear that they’re variations on a pre-prepared statement, probably from Epsilon.

Second, they seem to think that spam email is the worst thing that is likely to happen, without really emphasising that the spam email is likely to be targetted directly at the individual and purport to come from the company (spearphishing in the parlance). Most phishing email is pretty poor, but occasionally you get the odd one that is convincing. Knowing that someone uses a particular website is gold and makes it worth putting together a good phishing email and complementary website.

Finally, hacking an account at either of these sites has become much easier. Both M&S and Crucial use the email address as the login name – knowing that you have a valid login name is half the battle when trying to break in. Let’s face it, time and time again, surveys show that passwords are often easily guessed.

M&S and Crucial, here’s what I want you to do.

i) Delete all credit card information from any affected account or reassure us that you don’t hold that information.

ii) Create a secondary security feature on all affected accounts that uses information that wasn’t disclosed, e.g. post code from postal address. This will become part of the login process.

iii) Monitor logins for suspicious activity, particularly ones that fail the new security feature.

iv) Recommend that people ensure that they have strong passwords on their accounts and give guidance on what a strong password is.

v) Sack Epsilon as your email distribution provider.

What do you think? Has the response from the companies affected been satisfactory? Let me know.

Shut that Forum down (or clean it up)

Posted by J Powers at 2:07 AM on November 23, 2009

Before I got into blogging and podcasting, I ran a few internet forums. It was easy – setup a YABB (Yet Another Bulletin Board System) forum and let the minions have at. I had some pretty interesting forums in my day, and with it, a lot of controversy. Still, I kept things cleaned and tidy. Spammers were dealt with quickly and swiftly.

I still have one forum running. It’s more of a homage to those days, if anything. There are some that still come on to talk, so I keep it going.

Recently I have seen a lot of forums that have not been touched by a human. The story is the same – the forum owner pretty much abandons it, but keeps the registration simple. Within a couple months, the first spammer shows up. Maybe it’s a post about male growth pills. Maybe it’s about meeting up with girls. Nonetheless, it’s a spammer doing what they do best.

Now normally I wouldn’t care two hoots if you left your forum to deteriorate like an old shack in the middle of the woods. However, the spam starts to grow, and with it malware. Links to websites of naked girls are really sites that try to infect your computer. Links to cool videos turn out to be phishing schemes linking to misleading login pages.

Bottom line – you are infecting computers and allowing people to be swindled out of money.

We as a web community should be aware of what we do. After all, if you do own a house, you want to make sure that it is continually stable in it’s structure. When the power goes down, if the roof leaks, if the basement grows mold – you fix it. That should be the same mentality of a website.

Simple checks of your web domain(s) can keep things running smoothly. Forums that have been over run should be shut down or cleaned up. Deleting forum spam is an important part of being a webmaster.

Even newer websites should have some precautions taken. If you have a blog, make it so comments are moderated first. Install Akismet to block some of the malfeasance. Tie down some areas, including the registrations, so people don’t have to read or accidentally get malware or phished.

Part of keeping the bad stuff off the internet is to make sure the hackers and phishers don’t have a place to put their information – on your dime. And if you don’t have the time or energy to maintain a website, then either lock it down and clean it up or shut it off.

It’s ok to loose interest in something. Heck, I do that all the time. However, you should also clean up your mess you left behind. Otherwise, good people could be swindled out of $250,000 because they think they won a lottery. Good people could loose out just trying to find out about the new miracle male enhancement pill. Most important, you might just get blocked by Google, anti-viral programs, reporting services that keep an eye on the web and a lot more.

You never know when someone gets hit with hacking. Heck, it might even be your family or friends that get affected and infected. You don’t want that, do you?

Banking Online can it be trusted?

Posted by geeknews at 3:04 PM on July 11, 2006

For a long time now anytime a email comes in that says anything about banking I delete it. Recently a bank I do business with started sending e-mails informing me of special offers which as a consumer was worth investigating. But to be honest with you I don’t trust any of the e-mail, as it is to hard to determine what is real, and what is fake. The scam artist have gotten a lot better at phishing sites, I don’t do business with Citibank which has been a long known target of phishers have really taken some of the scams to the next level.

I think from now on, that my credit card account, and other types of bills that I review normally online is going to stop. If I want info on an account I am just gonna pick up the phone, as I find myself triple checking to make sure I have entered the domain name correctly.

With the way stuff is hacking our PC’s these days how long before someone hacks our bookmarks or redirects or machines on purpose. It’s a crazy world out there. [blog.washingtonpost.com]

Google Safe Browsing Firefox Extension

Posted by geeknews at 10:01 AM on December 15, 2005

Firefox has released an extension that you should load. This extension will help you when you are are surfing the web and are directed to a website that may not be who or what it appears. Phishing has been going on for a while and people are usually sucked in when they get a e-mail that tells them to visit a site which turns out to be a front for a major identity theft ring. This is a good one and I actually tested it today and it works as advertised. [Google]

Gmail Scam Used by Phishers to Gather Personal Data

Posted by geeknews at 10:28 AM on September 23, 2004

Internet e-mail scammers are using the popularity and allure of Google’s Gmail service to phish for personal data, including e-mail addresses and passwords. Gmail e-mail accounts are one of the most coveted holdings for hip and techie Internet users. A quick eBay search proves the popularity of invitations to join Google’s upcoming e-mail service that offers 1GB of mail storage.

The current Gmail phish reads “The Gmail Team is proud to announce that we are offering Gmail free invitation packages to the existing Gmail account holders. By now you probably know the key ways in which Gmail differs from traditional webmail services. Searching instead of filing. A free gigabyte of storage. Messages displayed in context as conversations. Just fill in the form below to claim your free invitation package.”

Dave’s Opinion
Phishing, commonly used via e-mail and the web involve conning unwary users into releasing private data. The cons are best known for their attempts to garner AOL, Citibank, and eBay login usernames and passwords; however, there seems to be no end to how the cons can be applied.

Call for Comments
What do you think? Leave your comments below.

References
Gmail
Google