Monday, August 08, 2011

Internet Security - email "send money" scam: how it happened, possible solutions

Some self help information/reference pages --
eMail Rumors, Chain Letter Fraud, Electronic Ephemera, Hoaxes, Jokes, Myths, Urban Legends:
What's spam & how to reduce it:
Some free utilities to help keep PCs clean from infections:  

IMPORTANT: At the bottom of this message, below the 'navy blue' horizontal break line, is a copy of a message that I sent out a couple of years ago as a reminder that you usually should use the 'blind carbon copy' feature in your email program to conceal email addresses from recipients other than the principal one. I usually send email showing only my name as the principal recipient unless it's being sent to a public email address such as government, etc. ...all other recipients' email addresses, I put in the "blind carbon copy" email field. (As I did with this message to you.) This helps to reduce exposing email addresses to scammers who "harvest" email addresses from email address books, by installing infections in your PCs or 'break-in' to web-mail accounts, in order to collect email addresses that they'll then use to generate spam. -- rfh


     A new crop of an old telephone & email scam is popping up again. 
     People are again receiving emails that appear to have been sent from the email account of a friend, co-worker, relative, etc. that asks for help for the (fake) sender who's allegedly stranded somewhere and needs money to escape from the 'predicament.' 
     The email will appear to have been legitimately sent from an email account of someone you know.  Usually it appears real; however, it is not.   Below is some information about this type of Internet scam.   Note that it is usually sent via some "web-based" email account  such as Yahoo, AOL, GMail, Hotmail, or via any one of many other remotely hosted email services in which your email password, address book, and personal login name are remotely stored.
     Unlike local PC email programs such as MS Outlook or Outlook Express which require the criminal to hack into your network and then into your PC to obtain addresses from your local email program, many of these fake, scam emails are sent from an online web-based account which has been hacked/broken into by the crook(s).
     Conventional PC based antivirus and PC firewalls are unable to protect your web-based email accounts.
     An excerpt from an FBI article (the complete article is further down):
     "If you have been a victim of this type of scam or any other Cyber crime, you can report it to the IC3 website at www.IC3.gov. The IC3 complaint database links complaints for potential referral to the appropriate law enforcement agency for case consideration. Complaint information is also used to identify emerging trends and patterns." -- rfh

1st article source: http://kadansky.com/files/newsletters/2011/2011_05_18p.html
Practical Computer Advice
from Martin Kadansky
Volume 5 Issue 5 May 2011
In This Issue
The "mugged in London" scam - Prevent thieves from breaking into your email account
An email claiming, "I'm in London, I've been mugged, and I need your help" is not a new scam, but its power to fool other people stems from the thieves sending messages from your address to people you know. Here's my advice on how to deal with it if it's already happened to you (or someone you know), and also how to prevent it from happening in the first place.

The "mugged in London" scam - Prevent thieves from breaking into your email account

It starts with an email from a friend or colleague asking, "When did you go to London? That's terrible! Are you OK? How can we help?" Since you are not currently on a trip to London, you send a confused reply asking what they're talking about. Over the next few days and weeks you get similar concerned messages from a growing but odd assortment of friends, some of whom forward to you the email they originally received. It's apparently from you, claiming to be stuck in London after being robbed, and asking for money to enable you to get home. Of course, you never sent it.

This is just one example of a wide variety of scams that have been around for a long time. Unfortunately, the internet enables modern thieves to pull this off more efficiently than ever before.

How did this happen?
Email scams aren't new. It's easy for almost anyone to send an email that's been faked to say it's "From" your email address, but that type of scammer sends messages to millions of randomly stolen or made-up addresses.

What's different about this particular "London" scam (and others like it) is that the scammer has broken into your email account, gotten into your online Address Book, and then (if your Address Book isn't empty) sent those fake messages to your friends and colleagues. Because of their relationship with you, your friends are more likely than random strangers to be tricked by these messages (sent from your actual account, but not written by you) into sending money to the thieves.

And, if some of your friends reply with cautious skepticism, clever scammers may also read through your stored email messages, learn more about you, and use that information to send convincing replies, which may improve their chances of conning more of your friends into sending money.

Background
When it comes to your email account, there are generally two ways you can use it:
  • You can use "email client software" on your computer to compose, send, receive, and store your email messages and manage your Address Book. Common email programs include Outlook Express, Windows Mail, Outlook, Thunderbird, and Eudora on Windows, and Apple Mail, Thunderbird, Eudora, and Entourage on Macintosh. This method stores your messages and Address Book on your computer's hard drive, not on the internet, which means that the only way a thief could get access to this information would be to gain access to your computer.
  • You can use "webmail" (web-based email) to access your email account using your email server's web page, e.g., www.gmail.com for a Gmail account, www.comcast.net for Comcast, www.verizon.net for Verizon, www.aol.com for AOL, etc. In this case you would use a web browser (or special software like America Online or AOL Desktop) to access your email account via the internet. Common web browsers include Internet Explorer, Firefox, and Google Chrome on Windows, and Safari, Firefox, and Chrome on Macintosh. This method stores your messages and Address Book on your email server on the internet, not on your computer, which means that if a thief acquired your email address and account password, they would have full access to your account.
Security Implications
Here's what all this means:
  • If you're using an email client program on your computer (Outlook Express, etc.), since your email messages and Address Book are stored on your computer's hard drive, it's less likely (but not impossible) that this type of scam will affect you.
  • However, if you use webmail, i.e., your email messages and Address Book are stored on your email server on the internet "in the cloud" (i.e., not on your computer), you are at a much higher risk for this type of scam. See below for my advice on reducing this risk.
On the other hand, your friends and colleagues who receive one of these "I'm in London" emails are not at risk of having their accounts broken into just because of the message they received from "you."
If this scam has already occurred, i.e., if your online email account has already been compromised, follow these steps immediately
If you have already been targeted by such a scam, here's what you should do right away:
  • Immediately change your email account password. Choose a new password that you've never used before, and make it a "strong" password, i.e., at least 8 characters long using a combination of uppercase letters, lowercase letters, digits, and (if permitted) punctuation. Avoid using a single word or anything resembling personal information about you, including names, dates, and street addresses. Although passwords like "HEkd83;Bzi3q" technically fit the bill, I recommend the more manageable approach of combining a few words with digits and punctuation, e.g., "Agnostic23!Sprinter47" or "Ag23nostic!Sprint47er" is even better.
  • If you use any other computers (laptops and netbooks) or devices (smartphones, iPads, etc.) to access your email, don't forget to update your email password in those devices as well.
  • Have your computer thoroughly scanned for infections, since one of the many methods they may have used to get your password is a "password-stealing" or "keystroke-logging" infection. You should not only scan for viruses, but also scan for other types of infections (worms, trojan horses, spyware, etc.).
  • After that, if any infections were found and removed, change your email password again (and update your other computers and devices, again), since a password-stealing infection may have seen you change your password before that infection was removed.
Check your email account for sabotage
In recent weeks I have not only had a number of clients experience this scam, but a few have also had their email accounts sabotaged. Thus, I strongly recommend that you also check all of your online email account settings:
  • Look for any "reply-to" address the thieves may have set. For example, if your email address is "johnsmith@gmail.com," the thieves may have set a "reply-to" address in your account, for example "johnnsmith@gmail.com" (note the extra letter in the middle), which cleverly prevents anyone to whom you send an email from successfully replying back to you, further isolating you from your friends.
  • Look for any "alternate email addresses" the thieves may have set, especially ones that will permit them to "reset" your password. I've seen such scammers add their email addresses into compromised accounts, giving them the ability to change your password in the future even after you've changed it to something else, locking you out of your account.
  • Similarly, look for any changes to your "security questions" or any other settings related to changing your password.
  • Review all other settings, looking for anything suspicious.
This should keep the thieves out of your online email account. Also, if they didn't keep a copy of your Address Book then the fake messages will probably stop, but you can't be sure of that. I have also seen malicious destruction of account information, including:
  • The online email Address Book was completely wiped out. Without a backup copy, it might be possible to partially reconstruct it by "harvesting" the email addresses from the remaining messages in the Inbox and Sent folders.
  • Some or all email messages were deleted from the online Inbox or Sent folders.
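The settings review described above (reply-to address, alternate addresses, security questions), as an added example that is not part of the newsletter. It compares a current snapshot of the account settings against a known-good baseline; the `Settings` structure, its field names and the distance threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def norm(addr: str) -> str:
    return addr.strip().lower()


@dataclass
class Settings:  # hypothetical snapshot of the settings a webmail provider exposes
    address: str
    reply_to: Optional[str] = None
    alternate_addresses: List[str] = field(default_factory=list)
    security_questions: List[str] = field(default_factory=list)


def audit(baseline: Settings, current: Settings, max_distance: int = 2):
    """Return (finding, detail) pairs for settings that differ from the baseline."""
    findings = []
    owner = norm(current.address)
    if current.reply_to:
        reply_to = norm(current.reply_to)
        if reply_to != owner and reply_to != norm(baseline.reply_to or ""):
            # A reply-to within a couple of edits of the real address is the
            # "extra letter in the middle" trick: replies silently go elsewhere.
            close = edit_distance(reply_to, owner) <= max_distance
            findings.append(("lookalike-reply-to" if close else "unexpected-reply-to",
                             reply_to))
    known = {norm(a) for a in baseline.alternate_addresses}
    for addr in current.alternate_addresses:
        if norm(addr) not in known:
            # An unknown alternate address can be used to reset the password later.
            findings.append(("new-alternate-address", norm(addr)))
    if sorted(current.security_questions) != sorted(baseline.security_questions):
        findings.append(("security-questions-changed", ""))
    return findings


# Constructed sample data; the two gmail.com addresses are the newsletter's own example.
BASELINE = Settings("johnsmith@gmail.com", None,
                    ["john.backup@example.org"], ["First pet?"])
TAMPERED = Settings("johnsmith@gmail.com", "johnnsmith@gmail.com",
                    ["john.backup@example.org", "helper@example.net"],
                    ["Favorite color?"])

if __name__ == "__main__":
    for finding in audit(BASELINE, TAMPERED):
        print(finding)
```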
No notice of potential breach or suspicious behavior
Given this need for security, I find it particularly surprising that most online email systems give you no notice (nor even the option to be notified) when someone:
  • Tries to log in but uses the wrong password
  • Successfully changes the password
  • Sets a "reply-to" address
  • Changes a security question
  • Deletes the entire Address Book
Any one of these could serve as an "early warning" that someone is trying to break into (or has already broken into) your account. Sadly, many other online systems that are more security-conscious, including many online banking, credit card, and investment house systems also lack the ability to warn you. A few systems (PayPal, Facebook, LogMeIn) do give some notice, but overall the concept is sorely lacking.
If this scam has not affected you, follow these steps as soon as you can
Even if you haven't been a victim of this type of scam, I strongly suggest that you:
  • Change your online email account password to a "strong" one as I suggest above. Don't forget to update your email software, web browser, or smartphone with this new password.
  • Have your computer thoroughly scanned for infections (not just viruses, but all types of infections), since today's infection may lead to tomorrow's broken-into email account.
  • If you use webmail, make a backup copy of your online Address Book. Look for an "export" function that will create a text file containing a copy of your Address Book that you can store on your hard drive for safekeeping.
  • Review your email account's "security questions" that permit you (or a thief) to reset your password, and strongly consider changing them to have the wrong answers, so a thief who has researched your life won't be able to break in, even if they find out "the street you grew up on" or "the college you attended." Note these "wrong answers" on your password chart, since you probably won't remember them.
  • If you use a wireless network, make sure it's using the highest level of security. See "Wireless is always better, right?" (http://www.kadansky.com/files/newsletters/2010/2010_01_27.html) for more info.
I never type a password, so my email account must not have one
This is a common myth. All email accounts have passwords. I guarantee you that yours has one. If you aren't required to type it in every time, that is a convenience provided to you by the software on your computer:
  • If you're using email client software, whoever set it up probably typed in your password at the time, and your email software has been using it "behind the scenes" to send and receive your messages ever since.
  • If you're using webmail, your web browser may have been set to remember your password and type it for you when you sign in.
  • When you check your email using your smartphone, the phone probably has your password stored along with your other email settings.
How did they get my email password?
There are an ever-increasing number of methods thieves can use to get your password:
  • You've used the same password for many accounts over many years, and you've accidentally revealed it.
  • You've used a common password like "1234," "password," "1111," etc.
  • You've used a simple password based on personal information like your name, birthday, home address, college, etc.
  • You've used answers to your password-reset security questions that are easily researched online, including your mother's maiden name, the college you attended, etc.
  • You've been tricked into revealing your password via a "phishing" web site, email, Facebook message, etc.
  • You've been tricked into granting access directly into your online email account to a thief (e.g., "third-party access privileges" on Gmail).
  • Someone looked over your shoulder when you signed into your account in a public place like Starbucks.
  • Someone electronically "observed" you signing in and stole your password when your computer was on an insecure wireless network.
  • Your computer has a password-stealing or keystroke-logging infection, which was either delivered by a virus or which you were tricked into downloading and installing.
  • Your computer has a physical key-logging device plugged into its keyboard or USB port.
  • You've lost or misplaced your password chart, or someone has stolen it.
  • Your employer's corporate email system was broken into.
  • "Slow brute force": Since many online email systems are designed to "lock you out" after a small number of failed password guesses within a given period of time (just like an ATM machine will "eat your card" after a few failed PIN entries), some modern thieves now use "slow brute force," where they try one password guess per day on your account along with millions of other accounts that day. Over time (perhaps after hundreds or thousands of days) they may eventually hit upon your password and get in.
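Why the per-account lockout in the last item never fires, and what a mail operator can count instead, as an added example that is not part of the newsletter. The log format, the sample lines and the thresholds are constructed assumptions, and grouping by source address is one possible aggregation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: one source fails once per account per day for four
# days, while one user (dave) mistypes a password twice and then gets in.
SAMPLE_LOG = [
    f"2011-05-0{day}T03:1{i}:00Z FAIL user={user} src=203.0.113.50"
    for day in range(1, 5)
    for i, user in enumerate(["alice", "bob", "carol"])
] + [
    "2011-05-02T09:00:00Z FAIL user=dave src=198.51.100.7",
    "2011-05-02T09:00:20Z FAIL user=dave src=198.51.100.7",
    "2011-05-02T09:00:41Z OK user=dave src=198.51.100.7",
]

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(lines):
    """Turn log lines into (day, user, source, succeeded) tuples; skip junk."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            day, outcome, user, src = m.groups()
            events.append((day, user, src, outcome == "OK"))
    return events


def lockout_trips(events, limit=3):
    """Classic control: accounts with `limit` or more failures in one day."""
    failures = Counter((user, day) for day, user, _, ok in events if not ok)
    return {user for (user, _), n in failures.items() if n >= limit}


def slow_guessers(events, min_accounts=3, min_days=3, limit=3):
    """Sources that fail against many accounts over many days while staying
    under the per-account lockout limit on every single day."""
    accounts = defaultdict(set)
    days = defaultdict(set)
    per_account_day = defaultdict(Counter)
    for day, user, src, ok in events:
        if ok:
            continue
        accounts[src].add(user)
        days[src].add(day)
        per_account_day[src][(user, day)] += 1
    flagged = {}
    for src in accounts:
        peak = max(per_account_day[src].values())
        if (len(accounts[src]) >= min_accounts
                and len(days[src]) >= min_days
                and peak < limit):
            flagged[src] = {"accounts": len(accounts[src]),
                            "days": len(days[src]),
                            "max_per_account_day": peak}
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("lockouts:", lockout_trips(events))
    print("slow guessers:", slow_guessers(events))
```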
And, since social networking sites like Facebook, Twitter, LinkedIn are growing in popularity and messaging abilities, scammers and thieves are quite active on those sites, too, so all of this advice applies to those passwords as well.
Real-world versions of this scam
This general type of scam long predates the internet. Imagine receiving a phone call from someone claiming to be a relative in trouble and needing money. They may have researched you in advance to find out that you have a nephew named Charles, or use generic opening ploys like "Hi Auntie, I need your help!" and trick you into revealing information they can use to further manipulate you. The best defense is to remain skeptical, ask questions that only the real person would know that are not public knowledge, and to delay sending any money until you contact other friends or family who are likely to have up-to-date information on the person and their actual whereabouts.
Conclusions
  • Your most valuable password is the one protecting your email account and your Address Book.
  • The power of this scam comes from the real-life relationships you have with the people in your Address book. Ironically, your closest friends and family probably know when you're traveling and when you're at home, so they're presumably less likely to be fooled. It's your other contacts that don't know your travel plans or habits but who care about your safety and well-being who are more likely to be taken in.
  • Any information you store online ("in the cloud") is only as secure as the password protecting it. You should choose a strong password, and take all reasonable measures to keep that password secure.
  • Gently warn your friends and colleagues about this potential scam.
Where to go from here
More on this scam:
More on "strong passwords":
If you're confused or frustrated by something on your computer, I like to say, "You can do it!" You might just need a little encouragement, or information, or change of perspective, and that's where I come in.
How to contact me:
email: martin@kadansky.com
phone: (617) 484-6657
web: http://www.kadansky.com


Copyright (C) 2011 Kadansky Consulting, Inc. All rights reserved.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.




Claims of Being Stranded Swindle Consumers Out of Thousands of Dollars
07/01/10—The IC3 continues to receive reports of individuals' e-mail or social networking accounts being compromised and used in a social engineering scam to swindle consumers out of thousands of dollars. Portraying to be the victim, the hacker uses the victim's account to send a notice to their contacts. The notice claims the victim is in immediate need of money due to being robbed of their credit cards, passport, money, and cell phone; leaving them stranded in London or some other location. Some claim they only have a few days to pay their hotel bill and promise to reimburse upon their return home. A sense of urgency to help their friend/contact may cause the recipient to fail to validate the claim, increasing the likelihood of them falling for this scam.
If you receive a similar notice and are not sure it is a scam, you should always verify the information before sending any money.
If you have been a victim of this type of scam or any other Cyber crime, you can report it to the IC3 website at www.IC3.gov. The IC3 complaint database links complaints for potential referral to the appropriate law enforcement agency for case consideration. Complaint information is also used to identify emerging trends and patterns.

Commentary:
Beware of scam emails that falsely claim that a friend is stranded in a foreign country and needs your help
Imagine that you receive an email from a friend or colleague claiming that he or she is stranded in a foreign country and desperately needs your help to get home. The email originates from the friend's real webmail account and may even include the same email signature that your friend usually uses when emailing you. Thus, you might be inclined to believe that the email was legitimate, at least at first glance. However, the emails are a clever scheme by Internet criminals designed to trick people into sending them money.
This scam has two distinct steps. The first step requires the scammers to hack into a random webmail account. There are various ways that the scammers manage to achieve this, including using a webmail phishing scam attack. In such attacks, the scammers will send out large numbers of bogus emails that try to fool users into providing their webmail account login details. Unfortunately, at least a few of the recipients of such phishing emails will fall for the ruse and submit their webmail details to the scammers. Armed with these details, the scammers can then login to the compromised accounts and begin part two of their nefarious scheme.
Once they have hacked into an account, the scammers can then send an email with the false claims about being stranded and in need of money to all the email addresses included in the account's address book. Since the messages are being sent from the hacking victim's own webmail address and are likely to include his or her real name and email signature, at least a few recipients are likely to believe the claims in the email. Of course, many will quickly realize that something is not right. They may know for a fact that their friend has not travelled overseas as claimed or they may suspect a fraud attempt. But even if only one contact in a large address book falls for the ruse and sends money in the belief that he is helping a friend in dire need, the scheme will well and truly pay off for the scammers.
I have seen many different versions of these scam attempts. Names and other details differ depending on whose webmail account the scammers have hijacked, as do the countries where the "friend" is supposedly stranded. The amounts of money requested in the messages may also differ. But, in spite of such superficial differences, all such messages are versions of the same basic scam. Sadly, many people have become victims of this scam and lost money to these criminals. Be wary of any email that you receive that asks you to wire money, even if the message appears to come from a friend. Moreover, users of webmail should make sure that their account details are as secure as possible, and be wary of possible phishing scams designed to steal their webmail account details. Many people may have several webmail accounts, some of which are not often used. Thus it is a good idea to check all webmail accounts regularly to ensure that they have not been compromised.

Status: Emails are designed to trick recipients into sending money to Internet criminals
Example: (Submitted, June 2009)
Dear Friend, How are you doing? Hope all is well with you and everybody?  I am sorry I didn't inform you about my traveling to England for a business trip and right now, i am stranded here and need to get back to Australia without delay. I need a favor from you because I was robbed on my way back to my hotel suite' The robbers carted away with my bag containing my wallet,phone,flight ticket and other valuables. I will like you to lend me the sum of $3,500 US Dollars or any amount you can afford as half bread is better than none so that i can sort out my hotel bills and get myself back to Australia. I promise to pay you back with an extra $1,000 US Dollars as soon as i return home in a few days time so kindly let me know if you can be of help. I was told the fastest and safest way to receive money in seconds is through western union {since that is what works here}.So if you can be of help,you can send the money using the details below: Reciever Name: [Removed] Address : [Removed] To get a list of western union money transfer agents close to you,go to the link below and enter your full address: www.westernunion.com/info/agentLocatorLookup.asp Please,as soon as you send the money, i will like you to send an email with the transaction code i will need to pick up the money. I will be back here in couples of hours to get the transfer details, please do it without delay so I can get back to Australia. After I receive the money, i will email you on the arrangements to get back home. Thanks once again and i will really appreciate if you can be of help. Love [Name removed]

Original Message
From: rfh
Sent: Friday, April 03, 2009
Subject: Use BCC field when addressing mass mail
There are exceptions to this rule, obviously; however, in most emailings using the BCC (blind carbon copy) is best for everyone.
Remember, before forwarding email, delete prior email recipients' addresses/email names and previous senders' names/addresses.

Use BCC field when addressing mass mail
PLEASE READ and become a better E-mail user.
This information is intended not only to make you a neater "E-mailer" but one that is more considerate and more thoughtful...  Your friends will be thankful.
Would you write your friends' phone numbers on the walls of public places?  If you answer no, then why would you share their private E-mail addresses with a group of strangers, many of whom will CARELESSLY forward the same addresses to even more strangers?  Don't do it!  Instead, use the BCC feature of your E-mail program.
BCC means Blind Carbon Copy. It is a way of addressing mail to more than one person so that everyone's address is not displayed for all to see. Every E-mail program (including the free, web-based E-mail services) allows you to address messages using BCC, in other words, to "BCC" one or more recipients. Some require that you provide at least ONE address in the TO: field. If this is the case, place YOUR OWN address in the TO: field and all your recipients' addresses in the BCC field.
WHY:
  • Using BCC protects your recipients' E-mail addresses from being spread to strangers.
  • Using BCC helps prevent SPAM (Unsolicited Commercial E-mail)
  • When using BCC, messages will be easier on your readers because they will contain less text to look at. A "cleaner" message is easier to read.
  • Messages will require less bandwidth and will download faster.
  • Using BCC shows your consideration of others by not publishing hundreds of your friends' addresses to strangers and potentially, SPAMMERS or maybe even stalkers.
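What BCC changes in the message that each recipient actually receives, as an added example that is not part of the original message. It builds the same mailing two ways with Python's standard `email` package and lists the addresses visible in the delivered copy; the addresses, subject and helper names are constructed for illustration, and no mail is sent.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "rfh@example.org"                                         # constructed
FRIENDS = ["ann@example.com", "bo@example.net", "cy@example.org"]  # constructed


def build(sender, to, cc=(), bcc=()):
    """Compose a message; recipients may go in To, Cc or Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Neighborhood meeting"
    msg.set_content("See you Thursday.")
    return msg


def split_for_delivery(msg):
    """Return (envelope_recipients, wire_bytes).

    The envelope is the delivery list handed to the mail server; it includes
    the Bcc addresses. The Bcc header itself is removed from the copy that is
    transmitted, so it never appears in any recipient's mailbox.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses([str(f) for f in fields])]
    wire = message_from_bytes(msg.as_bytes(), policy=policy.default)  # work on a copy
    del wire["Bcc"]
    return envelope, wire.as_bytes()


def visible_addresses(wire_bytes):
    """Addresses anyone holding a delivered copy can read from its headers."""
    received = message_from_bytes(wire_bytes, policy=policy.default)
    fields = []
    for name in ("From", "To", "Cc", "Bcc"):
        fields += received.get_all(name, [])
    return sorted({addr for _, addr in getaddresses([str(f) for f in fields])})


if __name__ == "__main__":
    for label, msg in [("all in To", build(SENDER, FRIENDS)),
                       ("all in Bcc", build(SENDER, [SENDER], bcc=FRIENDS))]:
        envelope, wire = split_for_delivery(msg)
        print(label, "| delivered to:", envelope,
              "| visible:", visible_addresses(wire))
```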

HOW:
  • In most email clients, the BCC feature is very apparent and obvious.
  • While in a new message in AOL's web mail, click BCC.
  • In Gmail and Yahoo Mail!, click add BCC.
  • In Hotmail, click Show Cc & Bcc.
  • In Outlook and Outlook Express, it's not so obvious but turning it on is a one-time event.
  • To activate the BCC field in Outlook Express, create a new message and choose View, All Headers.
  • To activate the BCC field in MS-Outlook, create a new message and choose View, BCC.

  • Lotus Notes - the BCC field is right there. Nothing to "turn on", no hoops to jump through, just use it!

  • What else am I missing? Submissions are requested. Of course your email address is safe with me. I'm the anti-spammer!

