• Dec 18

    Phishing

    Phishing is a general term for a fraudulent attempt to gain access to a person’s important personal information, such as credit card account numbers, user names, passwords, and in some cases Social Security numbers. The number and variety of phishing attempts are increasing rapidly. Bad guys use email to deliver an innocent-looking message with malicious content. Sometimes they use text messages asking the recipient to call a certain phone number, where they try to obtain personal information.

    The email or text message pretends to be from financial institutions (banks, credit unions, or credit card companies), PayPal

    Obviously, the emails and text messages appear to come from legitimate sources, so the recipient thinks they need to take some action (click a link in the email or call a certain phone number) to remedy the situation described in the message. Those situations include:

    • your account is being suspended;
    • your account is being deactivated;
    • an unusual transaction on your account; or
    • missing information on your account.

    The above are examples of phishing attempts pretending to come from a financial institution. There are some new varieties that pretend to be package delivery companies, such as UPS, FedEx, or USPS.

    Here’s an example email for the UPS case.

    Sorry, we were not able to deliver postal package you sent on October the 19th in time because the recipient address is not correct.
    Please print out the invoice copy attached and collect the package at our office.
    If you do not receive package in ten days you will have to pay 6$ per day.

    Your UPS

    Apparently, we need to be able to distinguish legitimate emails from bogus ones. Here are some basic rules for spotting the bad ones.

    • generic greetings
      Example: Dear XXXX Bank customer: (instead of Dear your_real_name)
    • legitimate-looking link in the body of the email
      The link may look legitimate, but if you hover the mouse over it, the real link address points somewhere different.
    • legitimate-looking attachment with a “.zip” or “.doc” extension
      Don’t be fooled. The only thing the bad guys want is for you to click. Just one click on the link or attachment in a fraudulent email will install and run an executable that contains a trojan horse (a malicious program that opens a back door on your PC and steals your personal information by sending your keystrokes, including your important user names and passwords, to the attacker).

    So, the key is not to click links in an email and not to open attachments unless you are sure they come from a legitimate source. The Chase (credit card) site has an extensive set of fraudulent email examples here.
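    As an added illustration of the link and attachment rules above (example code written for this post, not from the original page or any vendor), here is a small Python checker that parses an HTML email body, flags links whose visible text names one domain while the real href points to another, and lists attachments with the extensions mentioned above. The message, domain names and file names are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".doc", ".exe", ".scr")  # types the post warns about, plus executables
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)  # domain-like visible text

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def base_domain(host):
    """Crude registrable domain: last two labels (a ccTLD such as co.uk needs a suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def find_mismatched_links(html):
    """Links whose visible text names a domain other than the one the href really targets."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if (m := DOMAIN_RE.search(text))
            and base_domain(m.group(1)) != base_domain(urlparse(href).hostname or "")]

def risky_attachments(filenames):
    """Attachment names ending in an extension that commonly carries a dropper."""
    return [f for f in filenames if f.lower().endswith(RISKY_EXTENSIONS)]

# Constructed sample modelled on the "unusual transaction" lure described above.
SAMPLE_HTML = (
    "<p>Dear Example Bank customer,</p><p>Unusual activity was found. Verify it at "
    '<a href="http://account-verify.example.net/login">www.example.com/account</a></p>'
    '<p>Questions? <a href="http://www.example.com/help">Contact support</a>.</p>'
)
SAMPLE_ATTACHMENTS = ["invoice_copy.zip", "statement.pdf"]  # constructed
```

    Running `find_mismatched_links(SAMPLE_HTML)` flags only the first link, whose text reads example.com but whose href goes to example.net; the "Contact support" link carries no domain in its text and is left alone.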

    Like most of you, I use online access to manage a lot of things, so I do receive many legitimate emails from those services. I’ve made it a rule not to click any links in an email. When I receive an email about one of my accounts, I open a new browser session and access the account separately, not from the email.

    Hope this helps you a bit.

  • Dec 2


    Ah. The annoyance started about 30 min. ago. AVAST!, Malwarebytes’ excellent software for detecting/removing malware, started to detect tons and tons of trojans, especially Win32:Delf-MZG, like crazy. I took it seriously and started a full scan. Then it recommended doing a memory scan after a reboot. I did it. I chose to remove all the suspicious ones. I think it detected over 30. Most of the files were audio/video-related. Some DLLs for SUPER (video conversion software) and GoldWave (audio editor).

    I took a note …. Win30: Delf-MZG…. and did a Google search after the reboot. It sounds like the update from AVAST! has some problem. Some people started to discuss it about an hour ago over at Yahoo Answers, and one poster suggested going to the AVAST user forum. Overall, it sounds like a lot of them are just false positives, but I’ll keep an eye on it. I’m heading to the AVAST/Malwarebytes’ site right now.

    It’s really annoying. It’s happening for many people today, Dec. 2nd, 2009 at around 10 p.m., U.S. Central time.

    Update
    Guess it was too late. It looks like all of the alerts were false positives. See this. I tried to use GoldWave and SUPER, but they didn’t work because I chose to delete the suspicious files. The deleted files are not in the recycle bin, so I need to reinstall those programs. So far, my laptop itself is working fine.

    So, ignore the AVAST warnings and take NO action. Do not choose to delete files!

  • May 3


    USB Flash Drive

    When you lose a USB flash drive, what worries you is probably the data stored on it. The contents of the drive are priceless for some, depending on how they use it. There are two ways to secure the drive: buy a flash drive with a built-in security mechanism, or use software to encrypt the drive’s contents.

    USB Flash Drives with Security Mechanism

    • SanDisk 4GB Cruzer Micro USB Flash Drive with U3 This drive is getting excellent reviews. Its features include:
      1. 4 GB capacity
      2. Retractable USB connector
      3. Brilliant amber LED
      4. U3 smart enabled
      5. Loaded with the following U3 programs: CruzerSync synchronization software, SignupShield password manager, SKYPE, and AVAST antivirus software
      6. Dimensions: 7.94mm x 20.6mm x 57.15mm (D x W x L)
      7. Hi-Speed USB 2.0 certified (backwards compatible with all USB 1.1 ports)
      8. Compatible with Windows 2000, SP4 and XP

      Even though the amazon site says “U3 functionality only supported on Windows 2000 (SP4 and later) & XP,” one reviewer says it works with Vista. It is very affordable as amazon.com sells it for $12.49.

    • IronKey 4 GB Secure Hardware-Encrypted USB 2.0 Flash Drive This drive seems to be the one that’s built for security. It uses hardware-based, military-grade encryption to protect the data. The reviews are pretty good, and the only drawback I see is its price, $127.47.
    • Secure USB Memory Device by Fujitsu
      This is a new product developed by Fujitsu, and I’m not sure if it’s on the market yet. According to the press release by Fujitsu on April 17, 2009,

      Fujitsu Laboratories Limited and Fujitsu Laboratories of America, Inc. today announced the development of two new technologies designed to prevent the unwanted disclosure of data from lost universal serial bus (USB) memory devices and prevent uploads to file-sharing networks: a USB memory device technology that after a fixed period of time automatically erases data stored on the USB memory, and a file redirect technology(1) which ensures that the data from the USB memory device can only be stored on a specified server. This creates a secure environment that protects confidential information and allows USB memory devices to be used as a convenient way to safely carry customer data back to one’s own company to manage the data.

      This sounds neat. This may not be for home/casual users but I can see that the corporate IT department may be interested in the product.

    Encryption Software

    • TrueCrypt TrueCrypt is open source software that is popular for securing USB drives. It offers various encryption methods, as you can see from this photo.


  • Apr 16



    I spent half a day last weekend helping my friend battle a computer infected with trojans. Lots of them. They were persistent and difficult to remove. Malware like AntiVirus 2008 or AntiVirus 2009, as described in this post, was easier to remove than the ones I encountered last week. Basically, AntiVirus 2008 and AntiVirus 2009 are malware that use scare tactics to make users buy their own virus removal software. The ones I encountered at my friend’s house turned out to be a kind called a “rootkit.”

    According to wikipedia, “A rootkit is a software system that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised… An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system.” This is a serious threat.

    The computer in question has a good working McAfee virus scanner, and its On-Access Scan window kept popping up saying that a trojan was found and deleted. That’s how my friend found out about their existence. The reason he asked for my help was that it looked like it was catching the same group of files again and again, even though the virus scan said it had deleted them. Some of the files were in windows\system32\drivers. They were systemntmi.sys, amd64si.sys, i386si.sys, amd64si.sys, and lots of others.

    So, there I was. Trying various other software. I tried Malwarebytes’ Anti-Malware. It found a bunch of infections. Like over 50. It said it had removed them. Reboot. Scanned again. Strange. It found them again. Removed. Reboot. I used Avast! Reboot. I used Trend Micro Rootkit Buster. Reboot. As I said earlier, the trojans were persistent. I decided to take a break at that point to do more research on the issue.

    What I will do this weekend is an OS reinstall. As the wikipedia article says, “Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.”

    Oh well. I’m looking at two system restore projects within a week!

  • Jan 11



    My friend’s Yahoo email password got stolen and her account was used to send spam emails. Cases like this seem to be increasing as you’ll find lots of hits on Google if you search for “stolen password.”

    She didn’t know how her password got stolen. She only found that out because one of her friends had informed her about the spam email. When she checked the sent mail box, she saw the spam email she never sent. So, it means that somebody stole her password and used her account, rather than faking the email address.

    I immediately asked her to change the password. She was lucky that the person who used her account didn’t change the password. If that had been the case, she could’ve been locked out of her email account.

    I also asked her to check the detailed header of the spam email, and it turned out that the email was originating from China. (You can see the full header by clicking on “Full Headers” at the bottom of the mail in Classic Mail or at the upper-right part in the new Yahoo Mail.)
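    An added example (not from the original post) of what “check the detailed header” means in practice: the script below parses a constructed set of Received: headers, walks the hops from oldest to newest, and returns the first address outside the private ranges as the probable origin. The host names, IPs and message are made up; only the Received lines added by your own mail provider can be trusted, since anything below them may have been forged by the sender.

```python
import ipaddress
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Only RFC 1918 and loopback count as internal here, so the documentation
# addresses used in the constructed sample below are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_headers(raw):
    """Unfold the header block and return every Received: value, newest first."""
    headers, current = [], None
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break  # blank line ends the headers
        if line[:1] in (" ", "\t") and current is not None:
            current += " " + line.strip()  # folded continuation line
            continue
        if current is not None:
            headers.append(current)
        current = line
    if current is not None:
        headers.append(current)
    return [h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("received:")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def originating_ip(raw):
    """Probable origin: the first external IP found walking hops from oldest to newest."""
    for hop in reversed(received_headers(raw)):
        for ip in IP_RE.findall(hop):
            if not is_internal(ip):
                return ip
    return None


# Constructed headers for a message sent through a stolen webmail account.
SAMPLE_HEADERS = """\
Received: from mta2.example.net ([198.51.100.7])
 by mail.example.com with ESMTP id abc123; Sun, 11 Jan 2009 08:15:02 -0800
Received: from webmail-frontend.example.net ([10.4.2.19])
 by mta2.example.net with SMTP; Sun, 11 Jan 2009 08:14:58 -0800
Received: from unknown (HELO friend-pc) ([203.0.113.88])
 by webmail-frontend.example.net; Sun, 11 Jan 2009 08:14:55 -0800
From: friend@example.com
Subject: Great deal!

message body"""
```

    `originating_ip(SAMPLE_HEADERS)` returns 203.0.113.88, the address that connected to the webmail front end; a geolocation or WHOIS lookup of that address is what told the author the mail came from China.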

    Her case was a good lesson for me. Changing passwords regularly and using complex passwords are easy ways to ensure more security but I wasn’t doing it as often as I should have been. From now on, I’ll be more careful about passwords.
