It’s not surprising that scared people are the most vulnerable to attackers’ traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how this ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that this ‘Ransomware’ locks only the victim’s browser window. Despite what the page claims, the data stored on the victim’s computer is untouched and nothing is encrypted. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The domain name of the page, “gov.cybercrimescenter.com”, uses a “gov” subdomain to convince visitors they are on a legitimate government website. The actual domain is cybercrimescenter.com, a .com site, not a .gov one.
- A countdown timer starts at 48 hours and counts down the time before “legal steps” start.
These points try to rush panicked victims into paying the requested money as soon as possible, without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course you didn’t store illegal files. Do you really think that, upon identifying a child pornographer, the government would tell them to pay a small fine and let them go?
They say that you can never have too much good advice. So in addition to the excellent set of Safe Holiday Shopping Tips we provided last week, here are three more simple rules of the road for safe and worry-free online experience this holiday season.
1. You can do more online and through mobile; just don’t do it differently. Doing more of what you normally do isn’t as much a risk as doing different things than you normally do. Try not to change your actual behavior, even though you’re doing more shopping and browsing online and through mobile. The less you stray from your normal habits, then the less likely you’ll encounter malicious sites, apps, or messages, and the less you’ll fall victim to fraud and other scams.
2. Scrutinize unusual messages. Be wary when receiving unsolicited or odd messages – even from people you know – and be especially wary if you do decide to act on them. Just like email viruses used to trawl your address books, today’s malware will access your social networks. An odd message through your social network may well mean that your friend has been hacked. There will be plenty of scams and attacks that purport to be great last-minute deals, fake holiday cards that ask you to forward along to all your Facebook friends, confirmations or verifications for transactions you never made, and even fake warning messages about scams to avoid. All of these are just different attempts to get you to click on a link.
3. Don’t log in on a page you got to from an outside link. If a message takes you to a login page for a service that you use, look closely at the domain in the URL – not the page design, which is easy to copy – before entering your credentials. Better yet: just go to the site using your bookmarks or the standard “www.xyz.com” address rather than signing in on the page you got to from a link.
Black Friday offers deep discounts and enticing deals, but holiday shoppers who venture out into the cold, dark night must have brave hearts, steely resolve, and pointed elbows. Far away from the crowds of frenzied shoppers, those of us who prefer to shop online, wearing our fluffy bathrobes and drinking hot chocolate, face our own set of dangers.
Here are some online shopping tips to help you remain safe and secure:
Choosing the Merchant
- Stick with what you know – Use websites that you know are legitimate. If you visit an unfamiliar one, check the avast! WebRep rating to make sure it’s trustworthy. A quick search for reviews, complaints, or scams related to the site will help you too.
- Make sure the site is secure – Look for the closed padlock icon on your browser’s address bar and a URL that begins with https rather than http. This indicates that the connection to the merchant is encrypted; it says nothing about whether the merchant itself is honest, so combine it with the checks above.
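The two URL checks above (look at the domain before signing in, and insist on https) can be written down precisely. The following is an added example, not code from the avast! blog: it takes a URL that a message or search result led to and the domain the user actually holds an account with, and looks only at the parts of the URL the browser uses to pick the server. The account domains and all sample URLs other than the “gov.cybercrimescenter.com” page discussed earlier are constructed for the demonstration; the two-label “registrable domain” rule is a simplification, noted in the code.

```python
"""Decide whether a login URL really belongs to the site you expect.

Added example (not the blog's own code). Assumes the user keeps a short
list of domains they hold accounts with, the same information their
bookmarks carry. Sample URLs are constructed for this demonstration.
"""
from urllib.parse import urlsplit

# Assumption: the sites this user really has accounts with.
KNOWN_SITES = {"example-bank.com", "fbi.gov"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'cybercrimescenter.com'.

    Simplification: production code should consult the Public Suffix List
    so that names like 'example.co.uk' are handled; two labels are enough
    to show the idea and are correct for .com and .gov.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str, expected: str) -> tuple[bool, str]:
    """Return (ok, reason) for typing credentials for `expected` into `url`.

    Only the scheme and the host are examined. Text before '@' (userinfo),
    the path and the query string are ignored on purpose: phishers put the
    real brand name there because it is what a hurried eye reads.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lowercased; userinfo, port and brackets removed
    if not host:
        return False, "no hostname in URL"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if "@" in parts.netloc:
        return False, "userinfo before '@' disguises the real host"
    if registrable_domain(host) != expected.lower():
        return False, f"host {host!r} is not under {expected!r}"
    return True, "ok"


def triage(urls: list[str], expected: str) -> list[tuple[str, bool, str]]:
    """Run check_login_url over several URLs and collect the verdicts."""
    return [(u,) + check_login_url(u, expected) for u in urls]


if __name__ == "__main__":
    # Constructed samples; only the cybercrimescenter.com name comes from
    # the scam page described in the post.
    samples = [
        "https://www.example-bank.com/login",              # genuine
        "http://www.example-bank.com/login",               # plain http
        "https://example-bank.com.evil.test/login",        # brand as subdomain
        "https://example-bank.com@evil.test/login",        # brand as userinfo
        "https://example-bank-secure-login.com/",          # lookalike name
    ]
    for url, ok, why in triage(samples, "example-bank.com"):
        print(f"{'OK  ' if ok else 'STOP'} {url}  ({why})")
    # The scareware page is not under fbi.gov, whatever its name suggests.
    print(check_login_url("https://gov.cybercrimescenter.com/", "fbi.gov"))
```

The design choice is to compare the registrable domain rather than to search the URL for the brand name: every one of the constructed phishing forms above contains the string “example-bank.com”, and a substring check would pass all of them.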
With Hurricane Sandy bearing down on the northeast United States, the potential is high for cybercrooks to release a wave of scams and malware related to the storm. If the past repeats itself, Facebook postings, tweets, emails, and websites claiming to have exclusive video or pleading for donations for disaster relief efforts will appear shortly after the storm hits. These messages often carry links or attachments that attempt to infect computers with viruses, spyware, or Trojan horses.
After hurricanes Katrina and Rita hit the Gulf Coast in 2005, the FBI, the Justice Department, and the Federal Trade Commission formed the Hurricane Katrina Fraud Task Force to battle the massive surge of scams that came with it. The American Red Cross reported at least 15 fake websites that were designed to look like legitimate Red Cross appeals for donations to relief efforts. These actually proved to be phishing attacks, which directed users to a malicious server that collected credit card numbers, PayPal passwords and other personal information.
When donating, make sure you donate directly to reputable charitable organizations. Ask for a physical address and a phone number of the charity – if the charity is authentic, they will willingly give you this information. As always, do not respond to an unsolicited email of any sort.
Germany leads EU in unpronounceable consumer protection
Germany has become the first country to enact a new EU law to protect online consumers against new types of fraud. One visible change will be a “Zahlungspflichtig bestellen” button on internet sites which translates into “order with an obligation to pay” button.
The law is designed to combat internet “subscription traps”, sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and conditions can be misleading if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled “zahlungspflichtig bestellen” to complete their online purchases instead of the current “anmeldung” (registration) button.
The “Button Law” adopted by the German Bundestag results from EU Directive 2011/83/EU on consumer rights, and it might be used as a model for other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches. Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes beyond the country’s borders.
There seems to be a playbook of standard hacker tactics after a celebrity death or an event of worldwide interest like earthquakes or tsunamis. Hours after the announcement of pop diva Whitney Houston’s death, scammers had already devised schemes to prey on fans seeking information – appearing to recycle those used after the deaths of Michael Jackson and Steve Jobs.
A Facebook message, claiming to link to a video of Whitney Houston’s autopsy, takes the user to a page with an embedded YouTube video. When the user tries to play it, a pop-up message instructs them to update their copy of Adobe’s Flash from a bogus site – the “update” is the malware. The video scam has gone viral.
Dear Miss Deborah,
Three months ago, I started chatting with a guy I met online, and we really hit it off – we have so much in common! He looks quite handsome in the photos he sent. He sent me flowers and a sweet teddy bear. Isn’t that romantic? We haven’t met yet, because he is actually supervising a construction project in an African country, but we will when he gets back. I can’t wait.
Yesterday, I got a message from him explaining how he is unable to cash his checks and asking if I could wire him money so he could come home. I’m starting to like him more each day, and I want to meet him. What should I do? Risk rejection or send him the money?
Single and looking again
Turns out that the popular online shoe and clothing retailer was attacked by cybercriminals who gained access to parts of the internal network through one of the servers in Kentucky. One Sunday, Tony Hsieh, CEO of Amazon-owned Zappos, wrote on the company blog that 24+ million customers were affected, but critical credit card and other payment data was not affected or accessed. The hackers failed to get full payment card numbers, because that data is encrypted, as required by the Payment Card Industry Data Security Standard.
The company sent an email to every one of their customers explaining the situation including what information was stolen: Customer name, email address, billing and shipping addresses, phone number, the last four digits of customers’ credit card number, and/or cryptographically scrambled passwords.
Zappos took swift action by expiring and resetting passwords, and they set up a password change webpage for customers to create new ones. “We also recommend that you change your password on any other web site where you use the same or a similar password,” the email sent to affected customers states.
As a result of stolen credentials, phishing attacks that try to steal sensitive information like social security numbers or lead you to a website that attempts to install a virus, are more likely. “As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail,” the blog statement says. “Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.”
avast! EasyPass is a fast, easy way to manage all your passwords. avast! EasyPass generates strong, unique passwords for every site you visit – with just one click. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords. Learn more about avast! EasyPass.
Yes, most of us complain about all the seemingly unnecessary changes that Facebook initiates far more often than we’d like (just about the time we figure out how to navigate everything)… but it’s good to remember that Facebook is a free service. Of course some will argue that nothing is really ‘free’, but at least the more than 140 million active avast! Community members know differently.
Some of you will remember the days of Rolodex. Mine was typically overfilled with business cards and scraps of paper – taped, glued, or even stapled in place. Sometimes a few ‘creative’ oversized business cards or paper scraps would clog up the ‘machine’, and maintaining changes to phone numbers, addresses, and job titles was always a major problem.
So Facebook, for me, was a welcome change. All my contacts keep their own info updated, and I can find them at any time via the search box. And my Facebook account serves 4 key purposes:
In 2010, AVAST noticed that the majority of malware infections were occurring via infected websites, rather than from malicious email, which had previously been the main culprit.
But good criminals go where they are least expected.
A couple of weeks ago I posted an example of a type of phishing email that I’ve since learned is called ‘vishing’, as it uses voice (VoIP, telephone) as an agent in the scam process. (It reminds me of a public payphone I had to use in Mexico about 10 years ago, which billed me something around $80 for a five-minute call.)