Phishing for fun!
Posted by kent on July 2nd, 2009
You've heard of the dangers of phishing (a method that hackers use to gain access to personal info through facsimile websites), but how good are you at spotting it? We've posted a number of pieces on the importance of looking out for "suspicious" URLs. Here's your chance to put that knowledge to the test. The Anti-Phishing Phil game was developed at Carnegie Mellon University to educate Internet users on how to spot phishing URLs. The game plays right in your web browser; just use your mouse and a few keys to control it. Click here to play.
Being smart about phishing is one way to help prevent computer viruses and personal information theft. Also, check out reviews on Internet security software and identity theft services to see how you can better protect yourself from online fraud.
Scammers use online dating services to target potential victims
Posted by Caitlin on June 29th, 2009
Last week, guest expert Robert Siciliano discussed scammers who use Craigslist classified ads to target potential victims. Apparently, the same types of scammers also use online dating services to seek out gullible marks. A few days ago, Consumerist received a story from a reader who was contacted by a scammer on Match.com. The message is written in the grammatically incoherent style that tends to characterize foreign scammers. The scammer does not propose any financial transactions in this first message; he simply attempts to initiate contact and establish a relationship. However, he also assumes the name Sgt. Mark Edwards, which is commonly used in Nigerian 411 scams.
If you use Match.com or another online dating service, Robert Siciliano's advice about Craigslist scammers also applies. And if you get any messages from Sgt. Mark Edwards, consider yourself warned.
Of course, identity theft protection and Internet security software are excellent lines of defense against the cybercriminals who prey on users of Match.com, Craigslist, or any other online community.
Microsoft Outlook phishing email
Posted by kent on June 25th, 2009
Trend Micro, a provider of online security, has alerted the web to a false email purporting to come from Microsoft, alerting users to a "Critical Update" to Outlook (Microsoft's email client). Their Malware Blog reports that:
All the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.
The actual source of the link reveals a bogus Microsoft domain (update.microsoft.com does appear in the URL, but as a subdomain of an unknown website, which is a common phishing trick). So, if this email finds its way to your mailbox, send it to the trash. Legitimate patches and updates come from the Windows Update control panel (assuming you have it set up) or from Microsoft.com's update site.
To find out about Trend Micro's security software and how it compares to other offerings, check out our Internet security software reviews.
Don't be an accidental spammer!
Posted by Caitlin on June 22nd, 2009
An article in Saturday's New York Times highlights a common practice among websites with a social networking element. It's called contact scraping, and it occurs when the website prompts you to enter an email address and password. Then, all of your contacts receive emails inviting them to join the site.
Michael Argast, a security analyst for Internet security company Sophos, says that this practice is not new, but has become increasingly popular in the last three to six months. He explains that, "There are multiple shades of gray. Some social networking sites, like Facebook, are pretty straightforward in asking if you want to share information about your friends. Others are far less scrupulous."
The article's author describes her own experience with Tagged, a photo-sharing website. She received emails from two different contacts, requesting that she click to view photos they had posted on Tagged. When she clicked through, Tagged prompted her to enter her email address and password before viewing the photos. But as it turned out, there were no photos for her to view, and now the original email had been sent to all of her contacts. By taking advantage of the existing connection between the author and her contacts, Tagged successfully increased its user population. The spam email asked recipients, "Is Alina your friend?" and discouraged them from disregarding the email by adding, "Please respond or Alina may think you said no," and including an image of a frowning face. The founder and chief executive of Tagged claims that a software glitch caused these unintended emails to be sent, but other websites have also been known to contact scrape without explicit permission from the user. The Times article mentions MyLife.com and DesktopDating.net.
The author acknowledges that unlike more nefarious spam, this is merely annoying and embarrassing. But in general, it is important for Internet users to be more vigilant regarding their email addresses and contact lists. Even when a social networking site clearly asks whether the user wishes to invite his or her contacts, many people aren't paying enough attention to notice this.
Whenever any website requests your email address and password, consider the consequences before blithely turning over this information. It may be used to spam your friends, or it may be saved and used to access your other personal data, putting you at risk for identity theft.
To avoid receiving unwanted emails like this, consider Internet security software that includes a robust spam filter. And to avoid unintentionally sending them, or exposing sensitive information that could be used against you, do not supply your name and password for a site such as Yahoo or Google to a third-party site, and don't use the same username and password for multiple websites.
New iPhone firmware plugs security holes
Posted by kent on June 18th, 2009
It's pretty hard to avoid the news that Apple has released a new operating system for its popular iPhone. The 3.0 OS adds a host of much-touted features, such as copy-and-paste functionality, a phone-wide search capability, and an optional 'Find My iPhone' service. What's less publicized is that the update also plugs 46 security holes in the iPhone's OS. That's 46 reasons to upgrade right there (even though many users have reported issues with the update servers). As the once-humble cell phone starts working more and more like a computer, it also starts to take on some of the computer's vulnerabilities to malicious code. The iPhone doesn't have third-party security options like your computer does (you can check out the best of those options here), so we're stuck with security patches and common sense to protect our iPhones from malicious code. Here are two things to keep in mind:
1) Be as smart with your iPhone as you are with your computer. Never open email attachments from unknown senders.
2) Think twice about the sites you visit. The beauty and danger of having the Internet in the palm of your hand is that you can go anywhere. Make sure those places look trustworthy when you see them in search results.
By the way, if you have Apple's $100-a-year MobileMe service and you're hoping to use the 'Find My iPhone' feature, make sure to turn it on first. It involves some settings on the phone itself. Best to do it now while it's still in your hands.
Q: What's worse than a tacky tie for Father's Day?
Posted by kent on June 17th, 2009
A: A malicious .exe file.
Father's Day is coming up, and web-connected children everywhere will be sending their fathers ecards instead of the paper variety. Electronic cards are quicker, easier, cheaper, and don't pose the risk of paper cuts. In fact, ecards are never actually sent. The ecard sits on a website, and the recipient is notified of its existence via an email that links to the ecard's location. Unfortunately, a number of fathers will be receiving ecard notifications sent, not by their well-meaning kids, but by malicious hackers.
These malicious email notifications may look completely legitimate, down to seemingly authentic graphics and email addresses from well-known sites like Hallmark or BlueMountain, but that doesn't mean they are. Here are some things to look out for:
1. Check to see if the notification mentions an actual recipient that you know. If it says that a "friend" or "loved one" has sent you an ecard, it's probably not real.
2. Look for inconsistencies, as in this real example: an email claimed to be from hallmark.com, but notified the recipient that the card was waiting at hallmark.co.uk. Also look for spelling and grammatical errors, since hackers spend more time writing code than they do on correct spelling.
3. The dead giveaway is usually the link. If you're suspicious, don't open the link. Instead, you should copy and paste it into a text pad (usually this is done with the right-click on your mouse). If the link points to anything other than what you think it should, don't open it. A nefarious link will often go right to an .exe file, and ecards should never be .exe files.
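The link checks in this list, together with the trusted-name-as-subdomain trick described in the Microsoft Outlook post above, can be run over the HTML body of a suspicious message. This is an added example, not code from NextAdvisor or Trend Micro; the function names, finding labels and the sample mail body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or bare host name, '' if none."""
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_link(href, text, trusted):
    host, findings = host_of(href), []
    is_trusted = any(host == d or host.endswith("." + d) for d in trusted)
    # A trusted name used only as the leading labels of someone else's domain.
    if not is_trusted and any(("." + d + ".") in ("." + host) for d in trusted):
        findings.append("trusted-name-as-subdomain")
    # Visible text that is itself a URL should name the same host as the href.
    if "." in text and " " not in text and host_of(text) != host:
        findings.append("text-href-mismatch")
    if urlsplit(href).path.lower().endswith(".exe"):
        findings.append("links-to-exe")
    return findings

def audit(html, trusted):
    parser = LinkCollector()
    parser.feed(html)
    return {h: f for h, t in parser.links if (f := check_link(h, t, trusted))}

# Constructed sample mail body (reserved example.* domains, not real indicators).
SAMPLE = """
<a href="http://update.microsoft.com.example.net/outlook/critical">http://update.microsoft.com/outlook/critical</a>
<a href="http://www.microsoft.com/contactus">Contact Us</a>
<a href="http://cards.example.org/view/card.exe">View your ecard</a>
"""
if __name__ == "__main__":
    print(audit(SAMPLE, {"microsoft.com"}))
```

The host comparison is a suffix match against a caller-supplied list of trusted domains, so it only recognizes brands you list; a link that passes all three checks is not thereby proven safe.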
It's important to point out that hackers change their methods often. Even an email notification that passes the above test could be a ploy. As always, we suggest having top-notch anti-virus software installed. You can always check out our Internet security reviews and comparison chart.
The most dangerous search terms…
Posted by Caitlin on June 11th, 2009
McAfee recently conducted a study to identify the most dangerous Internet search terms. Searches for these words are most likely to lead Internet users to pages containing malware. The study tested thousands of keywords using Google, Yahoo, AOL and Ask, and analyzed hundreds of thousands of web pages.
Searches for screensavers, free games, work from home opportunities, the Olympics, videos, celebrities, music and news were found to be the riskiest, in terms of exposure to viruses and hackers. As far as specific terms, "word unscrambler," "lyrics," "myspace," "free music downloads," "phelps," "game cheats," "printable fill-in puzzles," "free ringtones" and "solitaire" were the most dangerous.
Google and other search engines seem trustworthy, but they can't weed out all the potentially dangerous web sites. For that, you need Internet security software. To learn more about McAfee and other anti-virus programs, see our reviews and comparison chart.
McAfee to partner with Mozy to offer online backup services
Posted by Joe on June 10th, 2009
McAfee, which received a five star rating in our comparison of Internet security software providers, is partnering with Mozy, a five star provider from our online backup service comparison, to offer online backup services.
According to McAfee officials, the service will cost $50 to $60 per month for unlimited data backup and will be targeted at consumers. The service is expected to be available to McAfee customers sometime before the end of 2009.
We recommend that most consumers simply sign up for the Mozy service directly versus waiting for the McAfee product to be released. NextAdvisor.com visitors receive a special 15% discount on an annual plan which means that an annual subscription of Mozy costs just $46.29 when you use the discount promo code "NEXT" during the online checkout process.
That being said, we do applaud McAfee for taking steps to increase awareness of the importance of data backup.
You can learn more about Mozy and other online backup services by visiting our reviews and comparison of online backup.
Hackers gain access to sensitive data from 100,000 websites
Posted by Joe on June 9th, 2009
A UK-based web hosting company is reporting that data from as many as 100,000 websites hosted on its servers was destroyed as a result of vulnerabilities in a software program used by many web hosts.
Hackers were able to gain very high levels of access to a large number of sites hosted at web host Vaserv.com by hacking a common software utility used by many such web hosting companies. Officials for the company estimated that about 50% of the impacted websites did not have any type of data backup and, therefore, are likely lost completely. Vaserv.com technicians are actively working to restore the remaining impacted websites.
It is also believed that hackers had direct access to sensitive personal information stored on Vaserv.com's servers. This data breach is likely to have worldwide impact given the international nature of the Internet and sheer number of websites impacted.
To learn more about how to protect your identity following such data breaches, visit our comparison and reviews of identity theft protection services. To get more details on steps you can take to prevent documents and files on your personal computer from falling victim to hackers and experiencing such data loss, visit our comparisons of Internet security software and online backup services.
Is SpyZooka spyware?
Posted by Caitlin on April 30th, 2009
The following post in our Reader Question series is an actual user submitted question. To maintain the integrity of the original question, we do not edit or change reader questions in any way.
Q: Last night, I purchased SpyZooka. I have run it five or six times. During this session on the internet, I have 27 oops messages. I've been on for about an hour now. Is SpyZooka spyware?
A: We have not yet reviewed SpyZooka at NextAdvisor.com, so we can't offer specific or detailed advice on this particular software or its features. However, SpyZooka does not appear to be a Trojan horse, delivering spyware to your computer. We were unable to find any reviews for SpyZooka in reputable publications, but it has received high praise from some consumers.
Supposedly, SpyZooka is adept at locating spyware and viruses that other Internet security programs miss, so it is possible that you have either stumbled on to some malware in the past day or so, or that SpyZooka is simply finding malware that has already been infecting your computer for some time.
While we do not have reason to believe that SpyZooka is malware in disguise, we are not particularly familiar with this software and cannot vouch for it emphatically. To learn more about the Internet security software that we have reviewed at NextAdvisor.com, see our reviews and comparison chart.
Copyright© 2006 - NextAdvisor.com - All rights reserved.






