Football star David Beckham is the latest victim of a worrying scam by online fraudsters using the popular social networking phenomenon, Twitter, as a vehicle for spam advertising.
According to Candid Wueest, senior threat researcher at Symantec, the fraudsters create a fake Twitter account, often in the name of a celebrity, and then attempt to become followers of legitimate Twitter account holders.
“In this case, the false David – an online Chinese retailer – followed over a thousand accounts with a single common link – the account name contains the word ‘candid’.
“The credibility of the fake account is bolstered by other fraudulent accounts linking back to it and by cross-following legitimate Twitter accounts, which have been hacked,” he says.
Wueest confirms that this type of malicious activity is fast becoming common practice and adds that the rogue tweets often include short links pointing to infected websites.
“This proves that spammers are keeping abreast of new technologies. Twitter users are advised to carefully check out the details of all prospective followers and never to respond to ‘suspicious’ direct messages,” he says.
Peter G Rae
So, I was one of the tens of thousands who were stuck overseas due to the now infamous volcanic ash cloud. I got back at the weekend after an uneventful trip – ok, so it was a week later than expected, but it all worked out. However… while away I started to receive interesting SMS messages from my bank – but from different numbers! In essence they were offering to increase overdraft limits to help me cover any potential costs while being stranded. Or were they…
As with the post on credit card companies – the problem is not who you are (hopefully you know), but on who is purporting to be on the other end of the phone. Was it really my bank, or some enterprising cyber-criminals who were making the most of a bad situation? In this case, it could well have been both – one genuine message and then several copycat ones. There was no indication that they even knew who I was – no personalization in any way.
So… the moral of the story remains the same, if someone contacts you and says they are from the bank or a credit card company a little healthy paranoia is a good thing – take their name and department and say you will call them back on a number you have. Take your bank’s main number on holiday - preferably not the ‘freephone’ one as that probably won’t work abroad. And of course don’t use numbers given in text messages or any they may give you…
OK so I’ve worked for Symantec for quite a while now and I know that there are lots and lots of bad guys trying to fleece you and scam you, and I am fully prepared to accept I am as a result even more skeptical about any emails or calls I get. But I had a call last week from my credit card company which made me think.
It seems that my monthly statement was lost somehow and as a result I didn’t made a payment last month – now quite apart from the questionable customer service given this is the first time I’ve ever missed a payment, and it was just one month – I received a call from a call centre asking me to give them my bank account details so I could make the payment over the phone.
So if you got a similar call would you go ahead and give your details? They seemed to know who I was and had my account details and obviously my phone number….. But they seemed genuinely confused when I suggested that they might be scammers and how did I know they were from my credit card company at all? They simply couldn’t handle this line of questioning.
I even spoke to the ‘team leader’ and she just didn’t get it either!
So my advice is always, do not EVER respond to an un-solicited phone call or email asking for your bank details. ALWAYS question who it is who is contacting you and whether they are who they say they are. NEVER send or give your details to anyone until you have confirmed who they are. Be SKEPTICAL and yes a little PARANOID about any online or on the phone transactions because there are really bad people out there in the Underground Economy trying to scam and steal from you!
Oh and yes I did make my payment in the end, but I did it online via my banking site protected by the Norton 360 I run on my home PC. I’ll also be looking for a new credit card company who understand customer service and security!
As the country gears up to the impending General Election the question of what role social media will play in targeting the increasingly web savvy population is growing in importance. Of course this isn’t a war that will be fought and won solely online, but there is no denying that with projects such as WebCameron and the Labour YouTube channel the battle lines are being drawn both on and offline.
The victory of President Obama was credited in part to his presence on and use of social media tools such as Twitter, and although as David Worsfold points out, it will have an impact on the UK campaigns, it is unlikely to play a pivotal role.
Using social media for any campaign throws up a host of potential security issues as we covered in our Security Response blog back in September. Of course, many users will be well versed in social media and know to only click on links from trusted sources but there is likely to be an influx of new users who trial social media on the back of these high profile campaigns.
Cyber criminals are getting increasingly savvy and are able sometimes able to infiltrate official streams in order to trick users into clicking on malicious links. It is vital that both veteran social media users and newbies understand the risks as well as the benefits in order to get the most out of web in what is set to be one of the hardest fought elections in recent times.
It is certainly powerful stuff to see on national TV the perpetrator of a diabolical scam running in terror when confronted by a BBC camera crew – http://news.bbc.co.uk/1/hi/uk/8517243.stm after they traced him to Spain.
Allegedly, according to the BBC, this ‘gentleman’ was involved in yet another of the numerous scams and hoaxes trying to get well intentioned people to give their hard earned money to what they think it a worthy charity – in this case to support the needy in Haiti following the disastrous earthquake last month – but actually it is going to criminals.
But as we have warned repeatedly, this sort of scam is all too common. Whether it be the death of a well-known celebrity, like Michael Jackson last year; or rumours of the death or injury of a star like Johnny Depp earlier this year; or indeed the outpouring of support when the poorest in the world suffer disasters like in Haiti; criminals are all to quick to capitalise and scam or con the unwary.
Indeed just this week, in the latest Symantec Spam and Phishing Report, we highlighted that spammers were using the Haiti disaster to scam people within 24hours of the news breaking. They started with ’419 type spam’, asking users to donate money to a charity. When users send their donation, the money disappears into an offshore bank account.
Then we saw spammers taking advantage of this tragedy to deliver malware. They sent out links to apparent video footage regarding the tragedy to lure people in, but when the user clicks on the link to view the video, a Trojan is downloaded instead.
- Avoid clicking on suspicious links in email or instant messages as these may be links to spoofed, or fake, Web sites.
- Never fill out forms in messages that ask for personal or financial information or passwords. A reputable charitable organization is unlikely to ask for your personal details via email. When in doubt, contact the organization in question via an independent, trusted mechanism, such as a verified telephone number, or a known Inter-net address that you type into a new browser window (do not click or cut and paste from a link in the message).
So the new head of MI6 has been caught on a Social Networking site – just being himself. What’s wrong with that you may well ask… well, apparently it’s all to do with national security. Whether it is, or not, I leave to you but there is a lesson in here for all of us. I have written before on pictures on Social Networking sites causing security issues - but this is really about privacy and not putting too much personal data on the net which can be used to your detriment.
So, yet again, this is a time to review what is out there and whether you want it to be. Not just what you, or your spouse, have published – but what friends have as well. Your on-line reputation is up to you – others can influence it, but you need to keep an eye on it. What you post today could effect you tomorrow, or next year or in ten years time.
(By the way… if you do find something you are not happy about – then it could be tough to get rid of, but it has to be worth a try…)
A hack of the console of Twitter has been reported, enabling the attacker to have access to celebrity accounts (and the rest of our less celebrity accounts as well). However, what this really brings to the fore is that if you can gain access to the root of the application, the administrator, then all the data held there is within your grasp. OK, so it should be tougher to get access at this level but if you do, then you have absolute control. Of course, the assumption is that the administrator is ‘good’, but what if they weren’t? We have seen cases where phone records of celebrities have been examined and sold by system administrators – so there is a need for more security and a separation of administrator and data with much greater auditing and analysis of the associated log files.
While we are on the subject… what if the database held biometric information… and the hacker had replaced a celebrities information with their own? They could have become, in the eyes of a machine, that person. The introduction of chip and pin has reduced fraud – but it has also enabled impersonation… it seems that people frequently give their PINs to other people in order to get cash from cashpoints… or pay for groceries. As far as the person at the till in concerned, the person has paid – end of story. Not even a brief check that the name matches the person on the other side of the counter… as we trust more and more to technology, we assume the integrity of the system and the administrator.
Quis custodiet ipsos custodes?
… but only if you click on this link.
Yes folks, it’s that time of year again when the phishers are out in force playing on the heart strings – Valentine’s Day. You would have thought that, by now, people wouldn’t click on links or open attachments from those who they don’t know, but they do. It’s even worse on Valentine’s Day, when half the fun is not knowing who your secret admirer is… with good old ‘snail mail’ there is something exciting about looking at the post mark and trying to decipher the writing – it’s a little different in the electronic world. The bits (ones and zeros) could have come from anywhere and by anyone – so if you get an electronic Valentine’s message, don’t open it… and if the person who sent it asks whether you got it… just say “I would have thought I was worth a stamp!”
(While I’m here… the other side of this is impersonation, which in this case could lead to some general mischief making… so if you get a ‘strange’ email, IM, text message or post on your social networking site from someone you know saying something you didn’t expect – don’t jump to the wrong conclusion… it might just be a friend-of-a-friend playing a prank! It’s tough to decipher hand writing to figure out who really sent what, its nigh on impossible to do the same on the Internet.)