::Trend Micro Threat Resource Center::

Showing posts with label fraud. Show all posts

23 March 2016

The typo that can get you hacked

Here’s another reason to be extra careful about what you type into your web browser.

Cybersecurity firm Endgame has unearthed a new spin on the good old “typosquatting” scam — the practice of purchasing domain names similar to legitimate websites (Think Gooogle.com) in hopes that a small keyboard snafu nets hackers access to your computer.

The new scam aims to install malware on devices after users accidentally type “.om” instead of “.com” after popular URLs. Endgame discovered the scheme after one of its employees mistakenly typed “Netflix.om” instead of Netflix.com when attempting to watch the latest season of House of Cards earlier this month.


Per a company blog post:

“He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a ‘Flash Updater’ page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups.”

After doing some more research, Endgame found the streaming service wasn’t the only popular URL being “om’ed.” Though some sites bearing that ending were legitimate, 319 .om domains appeared to have some type of scheme attached to them. (Fake Flash Updates, for instance, are commonly linked to a well-known malware named Genio that attaches itself to web browsers and mines for data.)

You can see a full list of the potentially dangerous domains here. It’s important to note you could also be in trouble if you typed the “c”, but misplaced the period. (Example: bestbuyc.om or cnnc.om.) This particular typosquatting game was easy for hackers to play, Endgame said, since “.om” is the country-specific domain name for Oman.
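For defenders, the two slips described above (dropping the “c”, or typing the “c” but misplacing the period) are easy to look for in DNS or proxy logs. The following is an added example, not code from Endgame or from this post; the watch list, the log format and the sample lines are constructed assumptions. Only `.om` names derived from the watch list are flagged, since some `.om` sites are legitimate.

```python
# Constructed watch list of .com domains to protect (assumption, not the article's list).
WATCHED = {"netflix.com", "bestbuy.com", "cnn.com"}

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2016-03-23T09:14:02Z 10.0.0.15 www.netflix.com.
2016-03-23T09:14:07Z 10.0.0.15 netflix.om.
2016-03-23T09:15:40Z 10.0.0.22 WWW.BestBuyC.om
2016-03-23T09:16:11Z 10.0.0.31 some-local-site.om
malformed line
"""


def om_typo_variants(domain):
    """Map each .om typo of a .com domain to the kind of slip that produces it."""
    if not domain.endswith(".com"):
        return {}
    name = domain[: -len(".com")]
    return {
        name + ".om": "dropped 'c'",        # netflix.com -> netflix.om
        name + "c.om": "misplaced period",  # bestbuy.com -> bestbuyc.om
    }


def find_om_typos(log_lines, watched=WATCHED):
    """Return (client, queried_name, intended_domain, reason) for each typo lookup."""
    index = {}
    for domain in watched:
        for typo, reason in om_typo_variants(domain).items():
            index[typo] = (domain, reason)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the constructed format
        _, client, qname = parts
        qname = qname.lower().rstrip(".")  # DNS names are case-insensitive
        # Compare the last two labels so www.netflix.om is caught as well.
        registered = ".".join(qname.split(".")[-2:])
        if registered in index:
            intended, reason = index[registered]
            hits.append((client, qname, intended, reason))
    return hits


if __name__ == "__main__":
    for hit in find_om_typos(SAMPLE_LOG.splitlines()):
        print(hit)
```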

Protecting Yourself
Phishing and malware schemes are common attempts by scammers to get your personal information. For better Internet safety, it’s generally recommended you stick to trusted and encrypted websites (double-check, of course, the spelling of each address); refrain from clicking on links in unsolicited emails and keep your security software up to date.

It’s also good to monitor financial accounts regularly for fraud, and keep a close eye on your credit since a sudden drop in credit scores or unfamiliar line items on a credit report are signs identity theft is occurring. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.) If you have fallen victim to an Internet scam, you might also consider freezing your credit reports to keep new accounts from being opened in your name. And you can go here to learn what to do if you’ve already spotted identity theft on your credit report.

17 November 2015

Most Small UK Businesses Have No Security Oversight

Smaller UK businesses typically don’t assign an employee to be responsible for information security education and implementation—and are becoming fraud victims as a result.


As detailed in its State of the Industry report, appropriately-named information destruction expert Shred-it has found that nearly half (46%) of small business owners have no employee responsible for managing data security issues internally. Even more concerning, more than a quarter (27%) of small businesses do not have information security policies and procedures in place at all.

And, a third of those who do have policies in place admit to never training their employees on their protocols.

If data security is not made a priority, businesses are left exposed to data breaches, fraud, heavy legal fines from the Information Commissioner’s Office (ICO) and other regulatory bodies, and loss of customers and business partners—all of which can cause irreversible damage.

Since April 2010, the ICO has issued over £7 million worth of fines to organizations that have experienced a data breach. Despite such high figures and the irreversible damage to a company’s reputation as a result of a breach, businesses are still not doing enough when it comes to data security, the report concluded.

In addition to appointing a data protection officer, companies can reduce the risk of workplace fraud by implementing a few best practices. For instance, surprise audits: Conduct unscheduled workplace audits to assess how employees process, store and destroy confidential information.

Frequent training on the risks of fraud and how to prevent it is also important, along with education about vulnerable areas in which to avoid leaving confidential information in the office and off-site.

Shred-it is also calling on the UK government to implement legislation to ensure all businesses have a dedicated employee responsible for raising awareness of the importance of data security, understanding changes to legislation and enforcing data security procedures in the workplace.

“There is a strong correlation between data security practices and data breaches. Introducing legislation which mandates an employee specifically responsible for raising awareness of data security in the workplace and implementing a ‘culture of security’, will help protect businesses against fraud and help them avoid financial or legal penalties,” said Robert Guice, SVP, EMEA, Shred-it.

To ensure all companies in the UK follow similar standards in data protection compliance, Shred-it has also urged the government to introduce legislation which ensures organizations have dedicated employees responsible for managing and monitoring data security issues on a day-to-day basis.

16 August 2014

Robin Williams goodbye video used as lure in social media scams

Within 48 hours of the news surrounding the death of actor and comedian Robin Williams, scammers honed in on the public’s interest and grief. There is currently a scam campaign circulating on Facebook claiming to be a goodbye video recorded by the actor just before his death.

Fake BBC news site with fake Robin Williams goodbye video

There is no video. Users that click on the link to the supposed video are taken to a fake BBC News website. As with many social scams, users are required to perform actions before they can view the content. In this case, users are instructed to share the video on Facebook before watching.

 Facebook share dialog with fake comments and shares

If a user clicks on the “Share on Facebook” button, they are prompted with a share dialog box. This box misleads users into believing this page has received millions of comments and shares but, actually, scammers have leveraged Facebook Open Graph metadata as a trick.  


Scam site asks users to install fake Facebook media plugin

After sharing the link to their Facebook friends, users won’t be presented with a video. Instead, they’ll be asked to install an application on their computer or to fill out a survey. Scammers operating these sites use affiliate programs to earn money for the completion of surveys and file downloads.

Symantec has alerted Facebook about this scam campaign and they are taking steps to block the offending URLs.

Over the years, scammers have used both real and fake celebrity deaths as a way to convince users to click on links and perform actions. From Amy Winehouse and Paul Walker to the fake deaths of Miley Cyrus and Will Smith, scammers are opportunistic and always looking for ways to capitalize.
 
Before you click on a link a friend may have shared on social media, follow these best practices:
  • Be vigilant and skeptical when reading sensational stories on social media sites.
  • Don’t install applications or do surveys in order to view gated content. It's a trick to put money in the pockets of scammers, and it puts your computer or device at risk of malware.
  • Visit trusted news sources for information. Instead of clicking on random links online, go directly to your trusted news source.
  • Report suspicious content. Do your part by reporting these types of posts as spam.

29 October 2010

Increase in Halloween malware attacks

There's an increase in the number of Trojans circulating in the pre-Halloween period this year, according to GFI Software. Eight of the top 10 threat detections currently spreading on the internet are Trojans, up from six during October last year.

Furthermore, three of the top 10 threat detections from last year’s Halloween season are still on the list, highlighting the lasting impact of this type of malware long after the holiday is over.

Consumers should be on the lookout for new iterations of the following common types of attack:
  • Halloween Tweets, “likes” and posts on various social media sites that can be used to lure users to malicious websites.
  • Search engine optimization (SEO) poisoning, in which links to malicious Web sites show up in search engine results for holiday items.
  • Halloween-themed attachments posing as invitations, greeting cards or documents. Clicking on these creates a significant risk of downloading rogue security products or other malware.
  • “Typo attacks” which take advantage of the increased Holiday traffic to commonly misspelled URLs. Malware writers set up spoofed infected sites and download locations to trap unsuspecting web users who misspell URLs and end up in the wrong place.
  • Sites that offer contests attempting to get visitors to subscribe to questionable subscription services that are billed to their cell phone monthly.

29 December 2009

Phishers prefer Paypal, Visa, eBay and Amex

Compared to the first half of 2009, the amount of phishing messages has remained relatively unchanged, although phishers have switched their focus to institutions that could bring them the most profit in the shortest timeframe. This is one of the results of BitDefender's malware and spam survey.

Primary targets are PayPal, Visa and eBay, followed by HSBC, American Express and Abbey Bank. Ally Bank and Bank of America rank last with a little over one percent of the total amount of phishing messages. These messages mostly target English-speaking computer users who are using the services of at least one of the institutions previously mentioned.

BitDefender Labs found that most web 2.0 phishing attempts in the first half of 2009 relied on social engineering schemes and speculated on user naivety. The Twitter Porn Name scam is a good example. Users were invited to reveal their first pet's name, as well as the first street on which they lived. These names are usually employed as backup/security questions. An e-crook possessing a person’s username along with these “clues” can easily retrieve a password that he or she can later employ to access the account and send spam, access transactions, or use the account in whatever way necessary to make a profit, including demanding a ransom for release of the hijacked account.

“2009 witnessed a wide range of security threats aiming at both end-users and at corporate networks,” Vâlceanu commented. “Extra caution and a highly-rated antimalware solution with antispam, antiphishing and antimalware modules are a must-have for anyone surfing the web in 2010.”

18 December 2009

There's No Such Thing as a Free Movie

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

Read on to see what new tricks these scammers have up their sleeves.

07 August 2009

Email Scams Targeting Job Seekers

Email security firm Red Condor has issued a warning to email users about the latest email scams that are targeting people looking for employment.

Among the scams are emails that claim to be offering employment from legitimate companies such as Pepsi and Starbucks or that appear as messages from real job sites like CareerBuilder or Monster.com.

The fake employment offers frequently involve "payment processing" requests which give scammers an excuse to ask for a respondent's bank account information.

In addition to email spam, other scammers are using Craigslist to post fake job ads. When people respond to the ads, they receive an email reply that requires them to go to a "credit check" website to get their credit scores. The credit check link contains the scammer's affiliate, so when the victims pay for the credit check, the scammer gets a commission.

An email response to a "Legal Secretary job posting" on Craigslist said, "Do not send me your info or report, I just want to make sure your score is above the 400 mark so check it and give me your exact score when you e-mail me your resume and references."

"Unfortunately, as with all phishing attacks, there is no legitimate employment offer coming, and victims have either given their personal information or money to unknown, deceitful sources," said Dr. Tom Steding, chief executive officer of Red Condor.

"Spammers are once again demonstrating that nothing is off limits as they focus their efforts on the millions of people that are unemployed and looking for work."

27 June 2009

Simple steps to keep your identity safe online

June is Internet Safety Month, and simple identity theft protection steps such as shredding your mail and keeping careful tabs on your bank accounts and credit cards are essential first layers of protection against identity thieves. But there is an open door in many homes that is inviting criminals into personal information, and it is often left unprotected - the computer.

A recent study by online security provider Tiversa found more than 13 million online files have been breached over the last year, and P2P sharing services seem to be a popular way for criminals to get in.

There are steps consumers can take to reduce their risk for identity theft through the use of P2P file sharing services. LifeLock offers the following online safety tips:

* Install file-sharing software carefully, taking special note of default settings and permissions placed on shared folders

* Use security software and make sure you keep it up-to-date. You can set most anti-virus and anti-spyware protection programs to update automatically and regularly

* Be sure to close your connections when you are done with a file-sharing session. Closing the window doesn't automatically close the connection, which could leave your computer's information vulnerable

* Maintain backups of all important documents. This will ensure your information is maintained for your personal use should you need to delete it from your computer or any file

* Talk with your family about safe file-sharing practices, and create separate user accounts for others who may use your computer. By separating accounts you can prevent others from installing software on your computer that may expose your information

* Before providing personal information to your doctor, attorney, insurance company, employer or anyone else make sure to ask for details on how they will keep this data secure

Identity theft is costing Americans more than $1.8 billion annually, according to the Federal Trade Commission, and the latest FTC reports show the number of identity theft complaints has grown by 80 percent since 2000. Among the forms of identity theft and fraud reported to the FTC in 2008 are credit card fraud, medical benefit fraud and falsified government or employment documents.