Cyber Crimes

Latest Phishing Scam: Email Scammers are Taking Advantage of Twitter-style Alerts!

With an estimated 3.7 billion phishing emails sent in the past year, it is no surprise that phishers have set their sights on Twitter. The latest phishing scam sweeping the 'Net' is a spam campaign designed to look like legitimate Twitter notifications.

The emails take many forms: Some resemble messages from Twitter customer support claiming that the site has detected an attempt to steal the receiver's Twitter password. Others claim that the recipient has changed the e-mail address associated with their account and ask them to confirm. The links in these emails lead either to a downloadable "secure module", which the emails claim will protect the account but which is actually malware, or to a phishing site designed to steal the user's account information. Online pharmacy spammers have also taken to Twitter-formatted emails to advertise non-FDA approved pills.

Though these scams may not seem very threatening at first (I mean, how much damage can someone do with 140 characters?), the repercussions of having your Twitter account hacked are HUGE! Many people use the same password they use for Twitter for many other online sites; from Facebook to online banking, people just aren't taking necessary precautions with their passwords. So, if you enter your account information into a phishing site and you use the same password for Twitter as for sites like Facebook or your email that may house more personal information, the scammer can potentially get into your other accounts.

These scams, discovered by Trend Micro, are easily avoidable if you are aware of them and know what a legitimate Twitter email does and does not contain.*

  • Twitter does not send links to "secure modules".
  • Twitter emails that request confirmations include the new account information.
  • Twitter emails do not describe or promote new services or products.

* Twitter email specifications via Trend Micro

Before you get hacked, consider taking these precautions:

  • Always read emails completely and thoroughly before clicking through the links. It can take a while for news of the latest scam to reach your ears, so keeping a vigilant eye on all your emails is a must!
  • Use different, high-quality passwords for Twitter, Facebook, your email, and your online banking account. Secure passwords contain a random series of lower and upper case letters, numbers, and approved symbols. Such passwords should be more than 8 characters in length.
  • Consider an Identity Protection service. Investing in an identity protection service, such as Intelius IdentityProtect, can prevent a scammer that acquires your information from using it. This useful advantage could save you tons of time and money.

The latest scam YOU need to be aware of: 'tabnabbing'

Think 'tabnabbing' sounds like the latest prank involving filing supplies and the office clown? Think again. Tabnabbing (also referred to as tabnapping) is a new type of phishing attack that is sweeping the internet. Most phishing scams rely on you clicking on an embedded link or downloading a file you find in a suspect email, sketchy website or a pop-up window. Tabnabbing occurs in the background after your focus shifts away from a malicious or compromised site.

“What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise,” said Aza Raskin, Firefox's creative lead who identified the attack. “Most people keep multiple tabs open, often for long periods.”

This attack uses JavaScript to discreetly change the contents of an open but not active tab in your browser to look like the log-in screen of a bank, credit card company, popular retail site, social networking site or email provider. This page transformation only occurs after the page becomes “inactive” while a victim moves to another tab or open program. The scammers are relying on users thinking they left a login page tab open.

"When they click back to the fake tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in," says Raskin.

Raskin was able to recreate “tabnabbing” on his own blog to show users what to look for.  You can try it here. After clicking the link, open a new tab, or simply click away from the page for a few seconds and then go back to the original tab.  While the URL hasn’t changed, the original blog content you saw only moments ago has been replaced with what appears to be a Gmail login page.  In this case the Gmail login page is just an image; however, in the case of an actual tabnabbing attack the page will be a functional login form.

In an actual attack, after the user enters their login information, it is sent back to the attacker, and the victim is then redirected back to the site they think they are logging into. This often goes completely undetected because the victim was often never logged out in the first place, so it simply appears as if the login was successful, and the victim never realizes that they just handed over all the credentials the attacker needed to access their account.

It is even possible for attackers to detect which sites are in your history as well as what sites you are currently logged into and then customize the fake page to resemble a site you often use or are currently logged into, making this form of attack extremely effective and difficult to detect.  All major browsers are susceptible to this attack.  

Here’s what to watch for and how to avoid a potential tabnabbing attack and keep your identity, information, and login credentials safe:

Don't log-in on a tab that you haven't opened yourself. Since the tabnabbing tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.

Enable browser settings and filters that will alert you to potential attacks. For Internet Explorer (IE) use SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Safari doesn't give it a name, but offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Look at the URL in your browser's address bar before filling in any form or giving out any personal information and verify the URL matches the login page. If there’s a discrepancy, close the tab immediately.

Use a password manager. Third-party browser password managers like RoboForm for Windows or 1Password for Mac link saved log-in usernames and passwords to a specific URL. When you save the username and password on the log-in page of the legitimate site, the password manager won't auto-enter the username and password into a non-matching URL, which should alert you to a possible tabnabbing attempt.
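The URL-matching behaviour described above can be sketched as follows. This is an added example, not code from RoboForm, 1Password or the original article; the vault contents, host names and function names are all hypothetical and constructed for illustration.

```javascript
// Added example: origin-bound credential fill. The decision uses only the
// tab's address, never what the page looks like.

// Constructed sample vault: credentials keyed by the origin they were saved on.
const vault = new Map([
  ["https://accounts.example-mail.test", { username: "alice" }],
]);

// Reduce an address to scheme + host + port; null if it is not a web URL.
function originOf(address) {
  try {
    const u = new URL(address);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Offer saved credentials only on an exact origin match.
function decideFill(tabAddress) {
  const origin = originOf(tabAddress);
  if (origin === null) {
    return { fill: false, reason: "unparsable or non-web address" };
  }
  const entry = vault.get(origin);
  if (!entry) {
    return { fill: false, reason: `nothing saved for ${origin}` };
  }
  return { fill: true, reason: `origin matches ${origin}`, username: entry.username };
}

// Constructed tab addresses covering the mismatch cases a user should notice.
const samples = [
  "https://accounts.example-mail.test/login?continue=inbox", // the real login page
  "https://blog.example-other.test/post/42", // tab whose content changed; URL did not
  "http://accounts.example-mail.test/login", // same host, different scheme
  "https://accounts.example-mail.test.lookalike.example/login", // different host
  "https://accounts.example-mail.test@203.0.113.7/login", // host is the part after '@'
];

function runSamples() {
  return samples.map((address) => decideFill(address).fill);
}

for (const address of samples) {
  const d = decideFill(address);
  console.log(`${d.fill ? "FILL " : "BLOCK"} ${address} (${d.reason})`);
}
```

Only the first address is filled; a tab whose content was swapped to imitate a login form keeps its original address, so the lookup finds nothing saved for it.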

For more info on avoiding Tabnapping read ComputerWorld’s How to Foil Web Browser Tabnapping.

How to Hack-Proof Your Smartphone

Mobile phone usage is growing rapidly and, according to Security Expert Robert Siciliano, cyber criminals are expected to pay more attention to the mobile sector as this trend continues to grow. From bulky bricks, to today's mini-computers, the cell phone has certainly evolved.

As Smartphone features continue to replace activities once reserved for our work or personal computers, the data contained on our Smartphones becomes more valuable. The consequences of a cyber criminal accessing this information can be devastating. Though it was just last November that the first malware hit the iPhone, such viruses have now become mainstream, as evidenced by anti-virus vendors like McAfee introducing an anti-malware solution for Smartphones. If you've ever accessed an online profile via a phone's internet connection then you have risked giving third parties access to your personal information. Imagine: Your identity could be stolen, you could be locked out of all of your accounts, account or financial data could be accessed, confidential business emails could be leaked, or your phone could even be used to spy on you.

In a recent study compilation by cellphones.org, sources indicated that 55% of Smartphone users believe that the individual is responsible for the security of their own phone. The fact is, no matter whose responsibility Smartphone security is, it is up to the individual to protect themselves. Below you will find tips on how to prevent cyber criminals from accessing your BlackBerry or iPhone.

BlackBerry:

The BlackBerry is easily the most popular Smartphone on the market and, according to cellphones.org, the most 'natively' secure. Just by having a BlackBerry, you are one step ahead, but that doesn't mean you don't still have to enable your security settings.

  • Enable your password. Under General Settings set your password to ‘on' and select a secure password. You may also want to limit the number of password attempts. Test to make sure that your password works by locking your phone to confirm.
  • Encrypt your data. Under Content Protection settings, enable encryption. Then, under ‘Strength' select either ‘stronger' or ‘strongest'. Though ‘strongest' is the most secure, ‘stronger' has faster encryption/decryption. Under the Content Protection settings you will also have the option to encrypt your address book.
  • When visiting password-protected internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and your identity will be stolen. It may be annoying to have to enter your password every time, but the extra 30 seconds is certainly worth avoiding identity theft.

iPhone:

The iPhone, which has captured over 25% of the Smartphone market, the second highest share in the industry, has notoriously poor encryption capabilities. As such, enabling the included security features and adding apps that allow you to secure your information is key to being a ‘safe' iPhone owner.

  • Enable the Pass code Lock and Auto-Lock. Go into your phone's General Settings and set the 4-digit phone pass code to something that you will remember but is not 'significant' to you. That means no birth dates, no anniversary dates, no children's ages. Then, go back into General Settings and set the Auto-Lock. Although you can choose from 1 min to 5 min, the quicker your phone locks the safer it is from those who might be tempted to tamper with it while you aren't looking.
  • Turn your Bluetooth off unless you are using it. Bluetooth allows you to easily connect to a hands-free headset or to send files from your phone to a computer. However, this also works the other way. A tech-savvy hacker with a laptop can easily hack your phone from the Bluetooth connection if it's on.
  • Download Simple Vault 1.2. Simple Vault adds a second layer of protection to your iPhone by allowing you to password protect each of your apps. It also allows you to store your sensitive information right on your phone, unlike other security apps which send it to you over the internet when you access it.

General:

  • Whenever possible, wait till you get to your computer on a secured network before accessing sensitive information. When responding to important work emails or checking your bank account balance, it really is best to wait until you can access this information from a secure network. Anti-virus and anti-malware software as well as encryption capabilities for computers are miles ahead of what is currently available for phones. So ask yourself before you enter your credit card number to that online store: Is it worth identity theft for me to do this now or can it wait till I get back to the office/home?
  • Consider investing in an Identity Protection service. This way, even if your Smartphone is compromised you won't be risking your identity.

Child Internet Safety: Is Your Child Practicing Safe Habits Online?

Do you talk to your kids about cyber safety? This is an issue that many parents overlook as it was not a topic of conversation when they were growing up. Nonetheless it is a topic that we encourage you to discuss with your kids.

Cyberbullying

Schools, parents, and teachers are being faced with the issue of cyberbullying for the first time. Bullying has always been a problem, but the onslaught of virtual communications such as text messages, emails and instant messages has given way to a whole new form of bullying. There have been numerous stories in the news recently of children falling victim to cyberbullying. The state of New Hampshire is currently in the process of passing a bill which will give schools the authority to address cyberbullying if it has an impact on the educational environment. If the bill passes, many states will likely follow New Hampshire's lead.

• Monitor your children's online activity. Know which sites they are visiting and who they are talking to.

• In many cases parents are unaware that their child is being picked on online. Talk to your kids about cyberbullying and encourage them to talk to you if they feel they are falling victim to a cyberbully.

• Be aware that children and adults may have more than one profile on social sites such as facebook.com or myspace.com. As a condition for allowing them online access, ask them to share their online profiles with you.

• If you suspect that your child is hiding something from you, ask them to show you the most recent pictures they posted from their phone to their Facebook profile after they attend special events like a school dance, concert or party. Most likely they will post to their most active profile.

• Establish limits for online use. If your child knows you're around or if they can only use the internet for a limited amount of time each day they will be less likely to put themselves in situations that make them vulnerable to cyberbullying.

• Review your child's browsing history or set up parental controls that only allow your children to visit approved sites.

While computers have become a main staple in the curriculum of schools in the United States, a study recently released by the National Cyber Security Alliance (NCSA) and supported by Microsoft Corp., revealed that less than 1/4 of teachers in the U.S. have spent more than six hours teaching cyber ethics, safety, or security in the last year.

As a parent you cannot depend upon your child's school to teach them about cyber safety. If internet safety and security is part of the curriculum, sit down with your kids and ask them to tell you what they have learned. If you feel that the school has missed some important points, this is your opportunity to bridge the gap.

As a parent you are raising a new technology-driven generation of computer-savvy Americans and it is up to us to make sure that they have the knowledge needed to remain safe while using these skills. In each of these cases the most effective defense is having an open dialog with your kids. This will make them more likely to come to you if a problem should arise.

What do you do to protect your kids online?

Comment below or send us a tweet @Inteliusgal
