Scam

With an estimated 3.7 billion phishing emails sent in the past year it is no surprise that phishers have set their sights on Twitter. The latest phishing scam sweeping the ‘Net' is a spam campaign designed to look like legitimate Twitter notifications.

The emails take many forms: Some resemble messages from Twitter customer support claiming that the site has detected an attempt to steal the receiver's Twitter password. Others claim that the recipient has changed the e-mail address associated with their account and ask them to confirm. The links in these emails lead either to a downloadable "secure module" which the emails claim will protect the account but is actually malware or to a phishing site designed to steal the user's account information. Online pharmacy spammers have also taken to Twitter-formatted emails to advertise non-FDA approved pills.

Those these scams don't seem very threatening at first (I mean, how much damage can some do with 140 characters?) but the repercussions having your Twitter account hacked are HUGE! Many people use the same password they use for Twitter for many other online sites; from Facebook to online banking, people just aren't taking necessary precautions with their passwords. So, if you enter your account information into phishing site and you use the same password for Twitter as sites like Facebook or your email that may house more personal information, the scammer can potentially get into your other accounts.

These scams, discovered by Trend Micro, are easily avoidable if you are aware of them and know what a legitimate Twitter email does and does not contain.*

• Twitter does not send links to "secure modules".

• Twitter emails request confirmations include the new account information.

• Twitter emails do no describe or promote new services or products.

* Twitter email specifications via Trend Micro

Before you get hacked, consider taking these precautions:

• Always read emails completely and thoroughly before clinking though the links. It can take a while for news of the latest scam to reach your ears so keeping a vigilant eye on all your emails is a must!

• Use different, high quality, passwords for Twitter, Facebook, your email, and your online banking account. Secure passwords contain a random series of lower and upper case letters, numbers, and approved symbols. Such passwords should be more than 8 characters in length

• Consider and Identity Protection service. Investing in and identity protection service, such as Intelius IdentityProtect, can prevent a scammer that acquires your information from using it. This useful advantage could save you tons of time and money.

Think ‘tabnabbing’ sounds like the latest prank involving filing supplies and the office clown? Think again.  Tabnabbing (also referred to as tabnapping) is a new type of phishing attack that is sweeping the internet.  Most phishing scams rely on you clicking on an imbedded link or downloading a file you find in a suspect email, sketchy website or a pop up window.  Tabnabbing occurs in the background after your focus shifts away from a malicious or compromised site.   

“What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise,” Said Aza Raskin, Firefox's creative lead who identified the attack.  “Most people keep multiple tabs open, often for long periods.”

This attack uses JavaScript to discretely change the contents of an open but not active tab in your browser to look like the log-in screen of a bank, credit card company, popular retail site, social networking site or email provider.  This page transformation only occurs after the page becomes “inactive” while a victim moves to another tab or open program. The scammers are relying on users thinking they left a login page tab open.   

"When they click back to the fake tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in," says Raskin.

Raskin was able to recreate “tabnabbing” on his own blog to show users what to look for.  You can try it here. After clicking the link, open a new tab, or simply click away from the page for a few seconds and then go back to the original tab.  While the URL hasn’t changed, the original blog content you saw only moments ago has been replaced with what appears to be a Gmail login page.  In this case the Gmail login page is just an image; however, in the case of an actual tabnabbing attack the page will be a functional login form.

In an actual attack after the user enters their login information, it’s sent it back to the attacker, and then the victim redirected back to the site they think they are logging into. This often goes completely
undetected because often the victim was never logged out in the first place, and it will simply appear as if the login was successful, never realizing that they just handed over the all credentials the attacker needed to access their account.   

It is even possible for attackers to detect which sites are in your history as well as what sites you are currently logged into and then customize the fake page to resemble a site you often use or are currently logged into, making this form of attack extremely effective and difficult to detect.  All major browsers are susceptible to this attack.  

Here’s what to watch for and how to avoid a potential tabnabbing attack and keep your identity, information, and login credentials safe:

Don't log-in on a tab that you haven't opened yourself. Since the tabnabbing tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.

Enable browser settings and filters that will alert you to potential attacks. For Internet Explorer (IE) use SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Safari doesn't give it a name, but offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Look at the URL in your browser's address bar before filing in any form or giving out any personal information and verify the URL matches the login page. If there’s a discrepancy, close the tab
immediately.

Use a password manager. Third-party browser password managers like RoboForm for Windows or 1Password for Mac link saved log-in usernames and passwords to a specific URL. When you save the username and password on the log-in page of the legitimate site, the password manager won't auto enter the username and password into a non-matching URL which should alert you to a possible tabnabbing attempt.

For more info on avoiding Tabnapping read ComputerWorld’s How to Foil Web Browser Tabnapping.

Online classifieds like Craigslist, eBay and Bonanzle are great places to find anything from a new apartment or sold out concert tickets, to gently used furniture or hard to find collectibles. In my case, I was desperately trying to find tickets to the sold out David Sedaris show in Seattle for my mom for Mother's Day. Lucky for me a Craigslist seller had just what I needed, four tickets, center section, eleven rows from the stage. Bingo!

I love Craigslist; I've used it to find apartments, tickets, art supplies, even my car, and thankfully I've always had positive experiences. It's only been the last couple of years that I've given much thought to meeting up with total strangers in pursuit of a deal. I've changed my ways after reading some of the recent headlines and now take steps to avoid putting myself in potentially dangerous situations. The buzz surrounding the recent murder of a Washington man over the diamond ring he listed on Craigslist made me want to share my tips for a safe and successful private transaction for whatever online classified you use.

• If possible, meet the seller in a public place, like a coffee shop, mall, grocery store or other highly trafficked location.

• If it is not possible to meet in a public place, for example, if you are looking at renting a condo or apartment, ask for a first and last name, phone number, address, and email address. In my most recent experience, I had to meet the seller at his house. Using the address he gave me, I ran an Intelius People Search by Address and a Property Report and was able to verify the seller's address and phone number. In this particular case, I took it a step further and ran a consumer background check on the seller to see if he had a criminal or civil judgment record. Fortunately, he checked out.

• Make sure the information the seller provides checks out. A Reverse Phone Lookup is a quick and inexpensive way to get more information about the seller and make sure the information they provide is consistent.

• Consider bringing a buddy, especially if you're unable to meet the seller in a public place.

• Tell a close friend or relative what you are doing, where you are going and leave the seller's information with someone else when you go to meet the seller. Arrange to call that person by a certain time to let them know the transaction went smoothly.

• If possible, do not enter a seller's home or vehicle. Wait outside, even if they insist that you come inside. Obviously, if you are buying a car or renting a place, you will have to go inside but make sure you bring a friend or relative.

• Only carry the exact amount of cash agreed upon for the sale and leave your purse or wallet in the car.

• Trust your gut. If something seems off or makes you uncomfortable, listen to your intuition and bail. If it sounds too good to be true, it probably is.

• Avoid sellers that can't meet face-to-face. NEVER wire funds via Western Union, MoneyGram or any other wire service and NEVER give out financial information like account numbers, social security number, and eBay or PayPal logins.

By simply taking the above precautions I was able to stay safe when purchasing an item from a private, unknown seller. Now I have great tickets, an online purchasing strategy, and an Intelius success story!

What do you do to keep safe when buying things posted in the classifieds, on EBay, or on Craigslist? Post your tips bellow to help us protect consumers!

Phase One of the 2010 Census wrapped up on April 1st with the final receipt of mail-in forms. Phase Two is set to begin on May 1st, with nearly 700,000 temporary census workers across the United States going door-to-door in an attempt to collect Data on the 28% of American households whose mail-in forms were not received by the deadline. The second phase of the census could open the door for potential scammers to pose as census data collectors and go door-to-door "phishing" for your private information.

How to recognize a REAL census worker:

• Census workers will show up by themselves, wearing a clearly marked identification badge (containing their name and photo, a Department of Commerce watermark, and an expiration date). Each Census worker will be issued a briefcase clearly marked with the 2010 Census Logo.

• Census workers are trained to ask only the 10 questions of the official census form. An official Census worker will never ask you for your full social security, a cash donation, passwords, pin codes, or bank account information.

• The Census worker will fill out the official Census form with you in person.

• Census workers are trained to respond to households where English is a second language by asking you to identify the primary language of the household. They will then leave, and someone fluent in the primary language will return to complete the census information in the primary language.

• A Census worker will never ask to enter your home.

• The Census Bureau does not conduct any of its research via email. If you receive an email regarding the Census, do not open any attachments.

• If you completed and sent the mail-in form prior to the April 16th deadline then you should not receive a visit in Phase Two.

• You should receive a mailing notifying you that in the next couple of days you will be visited by a Census worker. If you receive a visit from a Census worker but did not receive a mailing from the Census Bureau verify the visitor's identity before providing any information.

• If you are unsure if the visitor at your door is legitimate, call the Census Bureau at 1-800-562-5721 to verify. You can also ask the visitor for the local office's phone number and supervisor's name for extra security.

• If the ‘Census Worker' at your door does not adhere to the above code, don't talk to them and contact your local Census Bureau office.

You think you've verified that the Census Worker at your door is real. Now what?

• Never invite the Census worker inside your home. Step outside to talk to them, closing the door behind you.

• If you must go inside, for any reason during your Census visit, close and lock the door behind you, leaving the Census worker outside. It isn't rude, it's safe.

• Do not offer the Census worker any information not explicitly asked for on the Census form.

• Do not suggest to the Census worker that you are home alone. Always suggest that there is someone else in the house. If you live alone, pretend you have a friend over.

Most grandparents would stop at nothing to help one of their grandchildren in a time of need. The love and concern a grandparent has for their grandchildren is exactly what con-artists are banking on in the recent surge of scams targeting grandparents.

These scammers, posing as a grandchild in need, call seniors and ask that they write a check or wire money to help get them out of trouble or jail. Preying off a grandparent's concern, these professional scammers are very persuasive and have already contacted seniors across the country and have conned some out of thousands of dollars.

A similar scam has recently taken to the web. Scammers are now scouring the social networking site, Facebook, looking for people who either appear to be grandparents or those who are actually making status updates or posting pictures of their grandchildren. Using information they see on their profiles, these con-artists message unsuspecting grandparents telling them that they are in desperate need of help and ask them to wire money.

However, there are ways to avoid being duped by these scammers; here are some tips on how to handle a potentially fraudulent phone call or Facebook message.

1. Be cautious. Every grandparent wants to help their grandchildren, but make sure they understand that if they receive a call, or any type of online communication, asking for money it could be a scam.

2. Confirm the truth. If a grandparent receives a request for money over the phone or on a social networking site, they should verify the situation with the grandchild's parents, even if the grandchild asks them not to.

3. Ask personal questions. To help verify the identity of the caller ask personal questions that only a grandchild or family member can answer.

4. Know their number. Have a comprehensive list of family phone numbers on hand. If a call seems suspicious, immediately call the grandchild in need at their home or on their cell. If the call is from an unfamiliar phone number, doing a Reverse Phone search or Reverse Cell Phone Directory lookup might be a good idea.

5. Call the police. If a call seems like a potential scam, make sure to contact the police immediately with a detailed description of the interaction.