I’d recently discovered a mailbox that I had left unattended for several years.  It had no anti-spam tool monitoring it, so it was mostly filled with really obvious spam messages and phishing attempts – email scams where people try to fool you into putting in your financial information into a site that looks like a legitimate banking site.

I found this message particularly amusing and thought I would share:

The email wants me to believe that Bank of America is giving me $30,000 in a lottery I never signed up for, never identifies me by name, and wants me to become a Western Union “Active Member.” (The message was sent in 2007, otherwise the Bank of the America reference would clearly be even less believable.)  All I have to do is send $400 to a Western Union in Phoenix, Arizona.  Phoenix isn’t even the corporate headquarters for Western Union.  Couldn’t they have thought of something more clever than that?  It seems pretty lazy.  It made me wonder how many people might have actually fallen for it.

Meanwhile, Microsoft recently published a study showing that the public estimates of losses due to phishing may be over-exaggerated by as much as a factor of 50.  In fact, most phishers may ultimately become victims themselves.  In the study, the researchers concluded that:

One explanation of the thriving trade in phishing-related services … is that phishers with more experience prey upon those with less. That is, those who have tried phishing and found it unprofitable or marginally profitable find it better to sell services to those who haven’t reached that conclusion yet.

So the big fish eat the little fish, just like in the sea.  Nice.

UPDATE:

I just took a peek at the Western Union website.  Maybe this type of scam is more prevalent than I thought.  Front and center on their online transfers page is a very clear and stern warning:

Protect Yourself from Fraud Don’t Send Money

• To someone who you don’t know
• To claim lottery or prize winnings
• Based on a promise to receive a large amount of money
• Because you were "guaranteed" a credit card or loan
• In response to an Internet or phone offer that you aren’t sure is honest

It’s really surprising that people actually need to be warned that they shouldn’t send money to claim a lottery or prize winnings.

[Microsoft Phishing Study c/o InformationWeek]

Well, it just so happens that Symantec announced the beginning of a beta program for their new bilkoid engine, dubbed GoEverywhere.  Symantec is positioning GoEverywhere as a SaaS web security proxy solution.  There aren’t many details posted yet on their beta site, but GoEverywhere looks like a giant single-sign on web proxy that allows customers to stitch together web applications from several locations and include SSO, dual factor security, etc.

This doesn’t look quite as strong as the solution that BEA had, AquaLogic Ensemble.  It looks like GoEverywhere relies on a bunch of IFRAMEs to stitch together multiple sites onto one page.  BEA AquaLogic Ensemble, now Oracle WebCenter Ensemble, can perform the same type of functionality, but does it without using IFRAMEs.

It’s interesting to see Symantec position GoEverywhere as a security tool first and foremost.  This makes sense for Symantec, since their reputation is web security tools.  It’s also ironic, I think, that most Ensemble customers were also interested in Ensemble for the same reasons: web security (and policies, single sign-on, etc.), and less so about mashing up pieces of disparate applications.  Does this mean that mashups are really dead?  If so, long live the bilkoid.

MySpace is now following Facebook’s example, and has blocked access from Power.com for almost the exact same reasons.

Power.com failed to do a few key things that would’ve saved themselves from this embarrassing situation, both technical and non-technical:

• First, Power.com really should’ve engaged with the social networking sites they wanted to support as business partners first, rather than trying to go the renegade route and writing their own interfaces.
• Assuming that worked, they should’ve worked with those sites to come up with solutions for single sign-on rather than storing user credentials in their own database – storing the user credentials puts undue responsibility on Power.com to keep additional sensitive data secured.
• If the partnering approach didn’t work, and companies like Facebook ignored Power.com’s requests, Power.com could’ve used the opportunity as a way to promote the idea of the "openness of social networks" and pointed out how companies want to monopolize your social data, etc.  Instead they’re now going to need to fight the possible misconception that they are just a rogue site that shouldn’t be trusted with user credentials.

As someone that uses a lot of emerging social networking sites, I would love to have something that gives me a single dashboard to all of them.  So I would like to see the idea of Power.com succeed.  But having them be an aggregator means they must be trusted to perform that function securely.

So why does the recent news about Twitter, LinkedIn and Facebook all suffering malware and/or phishing schemes matter?  It’s a sign that each has hit that crucial point where they are widely enough used and recognized to be targets in the first place.  If they were just small services that hardly anyone used, they probably wouldn’t be targets for virus writers at all.  By no means do I intend to imply that Twitter, LinkedIn and Facebook are necessarily equal to PCs in terms of quality.  But in terms of maturity, they all are relatively young and relatively untested services, so it’s not too surprising that these types of attacks could be launched so easily.

It’s probably the start to a year of two things:  1.) more attacks on these services will probably happen over the next year, with many malware and virus writers using them as a platform for propagation, and 2.) more companies may ultimately decide to limit or entirely shut off access to the services.  Both of them are truly unfortunate, but distinct possibilities, especially given that the reaction was exactly the same after instant messaging services such as Yahoo and MSN Messenger were being used to spread viruses as well.

Twitter

A few celebrity accounts may have gotten caught with the password phishing scheme, including Rick Sanchez of CNN, whose feed included a recent update: "i am high on crack right now and might not be coming into work today".

Other accounts include Fox News and Britney Spears as well, who also had bogus posts to their Twitter feeds.

Is it time for two factor authentication on popular social networking sites?  How about a fingerprint scan plus an RSA token key?  Anyone? Anyone? No? Bad idea? Okay, maybe you’re right.

Update #1: Twitter later announced in a separate update on their blog that the issue with the celebrity accounts being hacked (33 in all) was the act of a single individual, and not related to the phishing scam that was happening earlier.  According to the Twitter blog, the hacker took advantage of support tools that are intended to allow support engineers to help people who have forgotten their passwords.  They’ve since shut down the tools, and are taking the security breach "seriously."

Having both issues arise in such a short period of time is an unfortunate series of PR setbacks for Twitter, especially since they are still in the process of looking for a Product Manager to help them build a plan to become profitable.  As ReadWriteWeb posited earlier today, who would want to pay for a service which appears to be insecure and vulnerable to phishing attacks and backdoor account hijacking?

Update #2: CNN has additional coverage of the security issues and password phishing at Twitter, including commentary regarding Rick Sanchez’s account being compromised.  Rick’s account has been restored, and he will continue to use it as a way to communicate with viewers.

[Twitter Blog, c/o CNET News]

In case you haven’t noticed Firefox telling you that you need to update to 3.0.5, you probably should do so soon.  Firefox 3.0.5 fixes several security bugs in Firefox, including a few XSS (Cross-Site Scripting) and JavaScript privilege escalation bugs.

According to security researchers at Secunia:

1. Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
2. An error when processing the “persist” XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
3. Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.

Maybe this is yet another opportunity for Google to promote Chrome?

[c/o CNET News]

If switching to an alternate OS isn’t feasible, here are 5 easy ways to make your Windows installations less virus and spyware-prone.  (If you’re still using Windows XP like me, you can also read my post on 10 cool free tools to make Windows XP look modern.)

Keep in mind that this post is meant for the less security-minded folks amongst us – if you’re a technology expert, this advice may potentially read as me preaching to the choir.  If not, hopefully some of this advice will come in handy.

1.) If you don’t have an antivirus software, use ClamWin.

ClamWin is an open-source antivirus program.  It’s not quite as powerful as the commercial antivirus solutions out there (Symantec Antivirus or McAfee Antivirus), but the fact that it’s free makes it appealing to those of us on a tight budget.

If you can afford to drop a few bucks on a better solution, having more than one antivirus program is actually best, since occasionally some viruses, especially new variants of old viruses, can sometimes slip past detection, and others will actually target and disable specific commercial antivirus programs.

2.) Make sure Windows Automatic Updates are on.

Microsoft has detailed instructions on how to do this.  Setting Windows to “Automatically Download and Apply Updates” can be annoying if you don’t like to have your machine randomly stop and tell you it needs to reboot, but at least setting it to tell you when updates are available for download is advisable.

3.) Use Microsoft Windows Defender (or something equivalent).

Windows Defender is a free tool from Microsoft for Windows XP and Vista that works like AdAware and SpyBot Search and Destroy to prevent your machine from becoming infected with Spyware, Adware or Malware.  Windows Defender tends to be less aggressive than AdAware or SpyBot, which can sometimes intrude on legitimate Windows activity.  However, if you don’t mind their intrusiveness, AdAware and SpyBot are good tools for avoiding and removing spyware.

Windows Defender is installed by default with Windows Vista, but did not originally ship with Windows XP.  If you have Windows XP, you’ll need to download Windows Defender from Microsoft.  Both the Vista and XP versions of Windows Defender needs to pick up regular updates through Microsoft Windows Update.

4.) Switch to Firefox.

Seriously. Just do it today.  If you’re reading this in Internet Explorer, go to getfirefox.com now and download it.  It’s easy to install, you can migrate all of your bookmarks, all of your favorite websites support it, and yes Firefox has the Google Toolbar too.  If you want ultimate security and you don’t mind selectively allowing JavaScript, the NoScript add-on for Firefox will keep you much more secure.

If you don’t like Firefox, go try Google Chrome, or even Apple Safari (yes, it works on Windows).

5.) Back up your system often to more than one external drive.

This piece of advice is probably most often given, and equally as often ignored.  External hard drives are dirt cheap for the protection they provide to your personal data, regardless of whether your machine gets hit by a virus or a catastrophic act of a supreme being.  As a general rule, you should always have two forms of backups.  This can be achieved by either using least two different drives in case one fails, or to also use optical media (DVD or CD-ROM) to back up the really important stuff (like those family photos, or your MP3 collection) and store them somewhere safe in another location (away from any heat or light sources, heh).  It’s also not a bad idea to use something like Flickr or Microsoft SkyDrive as an alternative storage spot.

Typically Microsoft releases patches every Tuesday, but this patch was deemed critical enough to be released ahead of next week’s cycle, especially given the amount of bad press that Internet Explorer has gotten lately regarding the flaw.

As best I can determine, reports of the vulnerability started to surface sometime around the beginning of December.  ZDNet’s article first published the flaw affecting hacked Chinese language websites on December 9th, 2008.

You may have heard it described earlier this week as a zero day flaw in Internet Explorer.  For the uninitiated, a zero day flaw is simply any critical patch which is known to the general public, but as of yet un-patched.

Original vulnerability report and technical details at CVE: CVE-2008-4844.

Patch details from Microsoft: MS08-078.

This could be a good opportunity for Google to promote Chrome as an alternative.

When we charged them up in the newsroom, we found one of the $20 Blackberry phones contained more than 50 phone numbers for people connected with the McCain-Palin campaign, as well as hundreds of emails from early September until a few days after election night.

It probably didn’t include anything that we’d all suspect (like campaign staffers exchanging emails about Palin’s $150,000+ shopping spree), but it may offer insight into the final moments of the campaign.

It is rather ironic that they’d forget to wipe the device clean, given that a McCain’s advisor claimed McCain was responsible for inventing the BlackBerry.

Read the full article at MyFox Washington DC.