Tag Archives: phishing

Notification of Irregular Account Activity – another Phish

Phishing is alive and well. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

I wrote this article to help you help others. As it turns out, only a small number of people encountering phishing attempts report them. Here I will show you step by step how easy it is to report phishing attempts to minimize a thief’s ability to steal your friends’ and associates’ money and identities.

I received a phishing attempt this morning as you can see here:
It reads as follows:

Dear Customer,

BMO Bank of Montreal detected irregular activity on your Account on 23 January 2012. For your protection, you must verify this activity before you can continue using your BMO Bank of Montreal Account.

Click on the link below to access and verify your statement.

https://www1.bmo.com/cgi-bin/netbnx/NBmain?product=1 This instruction has been sent to all bank customers and is obligatory to follow.

Thank you
Customers Support Service
BMO Bank of Montreal.

The phishing technique is hidden, as usual. The URL shown above in the email is actually the correct URL. However, when clicked in the email itself, the link is to a phishing site at this URL:

http://chiron.mn/wp-content/plugins/akismet/NBmain.html

Usually this URL is shown if you rest your mouse on a URL (as in the screenshot above when I rested my mouse over it). Naturally I checked to see if this wasn’t already reported on StopBadware.org by using Google’s SafeBrowsing tool. The URL I used is:

http://www.google.com/safebrowsing/diagnostic?site=chiron.mn

You can use the URL above yourself and just replace chiron.mn with the site you are checking. If you see a long URL, the only portion that matters is what’s AFTER the http:// and BEFORE the next slash:

http://someurl.com/something/somethinglonger
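As an added example (not code from the original post), here is a small Python check for the trick described above: it parses the HTML of a message, flags any link whose displayed text names one host while its real href points to another, and extracts the host portion you would paste into the diagnostic URL. The sample message below is constructed from the text quoted above.

```python
"""Added example, not code from the original post: flag HTML email links whose
visible text is a URL on one host but whose href points to another, and pull
out the host portion that the SafeBrowsing diagnostic URL wants."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Return the part between 'scheme://' and the next slash (the host)."""
    if "://" not in url:
        url = "http://" + url          # bare host or www.* link text
    return (urlsplit(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose text looks like a URL but whose real target host differs."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://", "www.")):
            shown, actual = site_key(text), site_key(href)
            if shown != actual:
                hits.append({"shown": shown, "actual": actual, "href": href})
    return hits


# Constructed sample modelled on the BMO message quoted in the post.
SAMPLE = ('<p>Click on the link below to access and verify your statement.</p>'
          '<a href="http://chiron.mn/wp-content/plugins/akismet/NBmain.html">'
          'https://www1.bmo.com/cgi-bin/netbnx/NBmain?product=1</a>')

if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE):
        print(f"shows {hit['shown']} but actually goes to {hit['actual']}")
```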

You can try my posted URL above for yourself and I expect very shortly it should find and show the malware on this specific site I’m reporting here. However, on my first visit, this is what I found:


This means that StopBadware is not yet blocking this site for unsuspecting users, but the good news is anyone can help resolve that quickly. Here’s what I did immediately: I browsed to:

http://www.google.com/safebrowsing/report_phish/

And here’s how I completed the form (and ask you to do the same for any new phishing URLs you may encounter hidden in emails):


When you’ve completed the submission, you will see a confirmation, but note that the listing isn’t immediate. It takes some time for the phishing site to be verified by others.

Please note that like many phishing attempts they target people everywhere and with different banks. It so happened that I deal with this bank so I am a perfect target. The next one may be to you and your bank.

The best advice I’ve heard is from Brian Krebs:

Never install software you don’t seek out.

By extension the same goes for clicking links. If you are concerned about an email like this having some validity, then close your email program, launch your browser and go to your banking site by typing the URL, using your Bookmark/Favorites or whatever method you normally use. Avoid clicking on links in email.

Please help spread the word and educate everyone you know on the concept of Phishing.

P.S. Please note that all URLs in this article that are ‘clickable’ are safe. I have purposefully removed the click-ability on the bad ones.


Windows LIVE email and password theft

In light of reduced SPAM as of late, I was somewhat surprised to see phishing and theft attempts as sophisticated as this come through to my inboxes today – at least one in each of my different email addresses, but all came from email accounts of friends on Facebook. I searched the major anti-virus and malware vendors as well as google and twitter and nothing turned up, so maybe I’m just one of the first to be hit. Here’s a message I received, and a similar one in each of my mailboxes:

A few other variations are as follows:

SUBJECT: Very good
BODY: Click here to read this message

SUBJECT: wooow
BODY: click here to see the attached video

In each case the “click here…” is hyperlinked to somethingrandom.l13.me and the URL also contains the actual email address of you, the recipient.

It appears the originator of this spam/phishing attack at the very least is validating email addresses of people opening the message.

I also tried checking Google’s SafeBrowsing service at this URL:

http://www.google.com/safebrowsing/diagnostic?site=l13.me

At the time of this writing, here is the result showing that it has not detected any malware on this site. I suspect this will change overnight:


In case some great SPAM researchers come across this article, here is the full RAW source (except my email address has been replaced with someone@notavaliddomain.ca):

Part 1 of 2:

Part 2 of 2:

If you choose to click on the URL in the email itself, that’s when the spammer’s phishing attack begins, and it will prompt you for your Windows Live username & password. Note that it is NOT live.com, however, which means you’re giving your username and password directly to the thief:

As you might expect, the domain itself (l13.me) was only registered a week ago, and has its real ownership disguised:

The same domain ownership disguise applies to videos4you.net where the phishing is actually hosted.

And finally, when I check to see where all the “click here to view this message” are being served from (somethingsomewhere.l13.me) they point to IP address 69.64.54.99 which is registered to Hosting Solutions International:

Naturally, I have advised the abuse email address of this clearly-malicious intent and hope to have a quick response. I don’t have any misgivings about how quickly the attacker can direct web traffic to a new host, or start generating spam with a newly-created domain elsewhere. The cat-and-mouse games just continue…

I just hope this anatomy of this particular SPAM message helps somebody somewhere avoid these types of traps, and perhaps we can all find a solution to cleaner and more productive email.

UPDATE #1:

IF you’re a victim, here is Microsoft’s article on what to do:

http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim


The 12 Scams of Christmas


[this post is from Dennis Houseknecht, a Nerd in Virginia, USA]

‘Tis the season – well, almost. Gadgets and cool new technology are high on the wish lists of many shoppers. Here is a list of pitfalls and scams <http://www.net-security.org/secworld.php?id=11924> from McAfee that shoppers should be looking out for.

Some of them include mobile malware, phony Facebook promotions, phishing scams, holidays screensavers, coupon scams, mystery shopper scams, among others.

Give your friends, family, and clients an early holiday gift and remind them that not everyone out there has that “holiday spirit”. The scammers, thieves, and hackers look forward to the holidays, too.



Beware of Phishing Email That Claim to Be From Reputable Companies!

[this post is from Jonathan Arnoldussen, a Nerd in Lethbridge, Alberta]

This morning I received a phishing email supposedly from QuickBooks, warning me that I would no longer be able to access my QuickBooks without first downloading their new Intuit Security Tool. I see some of you smirking already, and you’re right – I wasn’t fooled for a moment. But think of how many non-techies WILL be fooled by such an email?

This email was sent from a hacked website, and it reminded me of how important it is for ALL our clients to have our Bronze NerdCare package in place with our Hack Detection. This was another dental website (hosted with GoDaddy) that was hacked, and they probably have NO idea! Protect your website with our hacking detection system!! Contact us to learn more!

See our article on Phishing and Spear Phishing to learn more about how to protect yourself and what to be aware of.


Old School Malware Causing New Headaches

[this post is from Dennis Houseknecht, a Nerd in West Virginia]

Think worms are the malware of yesteryear? Not so. A new worm has been spreading rapidly. This worm spreads via RDP (Remote Desktop Protocol).

This worm does not seem to be exploiting any new vulnerabilities in the RDP protocol. Rather, it gets its foothold in the internal network through other means, such as Adobe Flash or Reader vulnerabilities or general phishing attacks.

Once inside the network, it infects other machines through the RDP protocol. It also goes outside the network and tries to find other networks that have RDP exposed to the outside and brute force the administrator passwords.

Prevention really is no different from the practices we have always recommended:

1. Keep the operating system and browser add-ons, such as Java, Adobe, etc. patched
2. Educate all users about the dangers of opening attachments and clicking links in ANY email – EVEN those that come (or appear to come) from friends, co-workers, or the boss.
3. Use strong passwords – on admin accounts, use VERY strong passwords
4. If possible, do not expose RDP to the internet, especially on its default port of 3389. If you are using Level Platforms for remote access, you DO NOT HAVE TO OPEN FIREWALL PORTS TO USE RDP. If you have port 3389 open through the firewall, you can assume that someone is trying to brute force the admin account all day, every day. This was true long before Morto came to town.
5. Disable RDP on machines that do not need to have it enabled.

Want to know if port 3389 is open on the firewall? Want to get weekly reports showing all open ports on the firewall? Want to get an alert any time there is a change in the open ports on the firewall? Nerds On Site offers SafetyNet, an automated port scanning service that does this. Contact us if you are interested in this service. There is a low monthly cost.


Sometimes Hacking is Just Too Easy

[this post is from Nerd Dennis Houseknecht]

High profile breaches do not necessarily result from sophisticated attacks. Many of them are the result of fairly simple social engineering or phishing attacks. These can usually be prevented by educating users and making them aware of these kinds of threats.

You would think that a major bank and credit card provider like Citigroup would have excellent security. After all, they have a lot at stake.

Recently, they lost MILLIONS of dollars as the result of a programming error that is in the OWASP top ten.

This is a well known vulnerability that is easily detected and fixed. A simple scan of the web application would literally have saved Citigroup millions. Go figure. Security is an investment, and sometimes a darned good one.

Many businesses invest in locks, security systems, and maybe even security guards. How much are they investing in protecting their valuable data?


Spear Phishing and How To Protect Yourself and Your Business

“Spear phishing” attacks such as the one that recently hit the Canadian federal government are on the rise. Invest 5 minutes to learn more about the risks of spear phishing and how best to protect yourself and your business.

According to the Waterloo Security website: “These attempts try to lure the victims to a fake web site set up by the criminals. The fake sites look authentic in order to convince the victim to offer personal information by way of a data entry form. For example, when they try to ‘log in’.”

No legitimate institution will EVER ask for your login credentials or credit card information by email. So if you receive an email like that, it’s a scam, no matter how real it seems.

The only time you will receive emails from reputable companies, like banks, is when you have directly requested your password be reset. Those emails are ok, if you’re expecting them. If you’re not and you get one, delete it.


Help Educate Your Clients About Security Risks

Phishing sites usually do not run on “known” bad URLs. According to this study, 76% of the phishing sites on the internet are being run from compromised servers. IE7, OpenDNS, and most UTMs maintain anti-phishing blacklists, but if phishing sites are free to move around on compromised servers that also house legitimate sites, anti-phishing blacklists are of limited value. AGAIN, AWARENESS AND EDUCATION ARE THE FIRST LINE OF DEFENSE. We also cannot depend upon AV software to protect the unwary. This book excerpt shows a phishing attack from August, 2008 that slipped a trojan past 34 of 37 popular AV software packages (including NOD32). AV is part of the arsenal against attacks, but it is far from bulletproof. If your doctor prescribes Lipitor for your high cholesterol, you should take it – but that does not guarantee that you will never have a heart attack (credit for that analogy goes to Scott Ledyard).

Dennis H in West Virginia, US

March 4, 2009
