Showing posts with label phishing. Show all posts

Wednesday, October 7, 2009

How to avoid being phished

You may have seen news this week about Hotmail, Yahoo Mail, and Gmail users having their email addresses and passwords compromised in a huge phishing scam. The BBC reported seeing "two lists that detail more than 30,000 names and passwords." A phishing scam usually involves an email from what looks like a legitimate business telling you that you need to do something like "click here to confirm your account info"; clicking there takes you to an illegitimate (or criminal) site that steals your info. "There are simple ways to avoid becoming a victim or being further victimized," writes ConnectSafely co-director Larry Magid in CNET. He lists some tips that might be good to share with everyone at your house or school, such as looking for the "s" in "https://" that stands for "secure server," and not clicking the link but instead accessing your account by typing the URL of the company or bank named in the email directly into your browser window, then logging in to see if there's a real update or instruction to customers. Also check out ConnectSafely's tips for creating strong passwords.

Wednesday, August 26, 2009

Social networkers' computer (in)security habits: Study

A small survey ("250 consumers") found that, while a majority of social networkers are "afflicted by Web-borne security problems," fewer than a third of them are doing anything about it, its press release said. The sample is small (more on that in a moment), but the results are suggestive of where social networkers run into trouble as far as computer security's concerned. More than a fifth (21%) of social site users "accept contact offerings [friend requests] from members they don't recognize"; 50+% "let acquaintances or roommates access social networks on their machines"; 64% "click on links [which can lead them to malicious sites] offered by community members or contacts"; 26% "share files within social networks." The study, sponsored by security firm AVG and CMO Council, also found that, in spite of that risky behavior, 64% infrequently or never change their passwords, 57% "infrequently or never" use privacy settings, and 90% "infrequently or never" let the site know they've had problems. Even so, nearly 20% "have experienced identity theft"; 47% have been "victims of malware infections"; and 55% have "seen phishing attacks." But besides the small sample and limited detail on the study, there's another important caveat: "To say that users of social-networking sites have been exposed to phishing and malware would be like saying that most people who eat spinach are likely to have had measles when they were children. There is a correlation, but no evidence of causality," ConnectSafely co-director Larry Magid wrote in his CNET blog. See his blog for some good security advice, and check out ConnectSafely's tips for rock-solid passwords.

Monday, February 9, 2009

Scams aimed at social networkers

It's the digital version of boy-cries-wolf, and it's a shame, because social network sites via computer or cellphone are a great way to broadcast a friend's (or one's own) real call for help. I remember a story a year or so ago about a journalist who was jailed in Egypt, shortly thereafter to be released because his text messages mobilized friends to get the US Embassy involved. I'm sure most social networkers are smart enough to distinguish between real calls for help and what happened the other day to friends of Bryan Rutberg, though they were scammed pretty convincingly. MSNBC tells of how Bryan's profile was hacked so that a bulletin was sent to his friends saying he'd been held up at gunpoint overseas and had no money to get home. Responses to test messages sent to the person posing as Bryan were convincing enough that one friend sent money. It would definitely not hurt to sit down with social networkers at your house and go over three solid tips for social-networking malware avoidance from ComputerWorld.

Monday, December 1, 2008

'Cyber Monday' alert!

Apparently today is the biggest online shopping day of the year, but everybody needs to be extra alert for spam and phishing scams right through the holidays (not to mention every day). The Monday after the US's Thanksgiving, "consumers are expected to spend $821 million this year, up 12% from 2007," USATODAY reports. "But a wobbly economy, combined with a consumer thirst for too-good-to-be-true bargains, has motivated cybercrooks to unleash a torrent of spam, phishing scams and malicious software." USATODAY adds that last year, phishing attacks rose 300% on Thanksgiving, and worse is expected this year. It's an excellent opportunity to teach critical thinking. Help your kids understand that, online too, too good to be true is usually exactly that: not true, not a "deal." USATODAY cites security experts as urging users "to be wary of cut-rate deals from unfamiliar online merchants. They also suggest using multiple passwords when shopping and using the most up-to-date Web browsers and anti-virus software."

Tuesday, October 16, 2007

Fraud potential on social Web

Teens aren't the only people who need to watch what personal information they upload to social Web sites. "Nearly one in three [31%] social networkers on sites such as Facebook and Friends Reunited risk becoming victims of identity fraud because they are negligent with their personal details," reports the Motley Fool, "making them a prime target for phishing and other ID fraud." What happens is that phishers (online cons) send emails to addresses they harvest from sites of all kinds (not just social-networking ones). The emails look like they're from a person's bank, PayPal, credit card company, or even a porn provider, and they try to trick victims into clicking through to a Web site that can upload malicious code to their computer or further trick them into giving personal info like social security or credit card numbers. The Fool was citing research by Equifax, which also found that, "of the 739 people polled (a relatively small survey, but it still has some significant figures), 87% published their full names and 38% their dates of birth, with more than a quarter offering their education and work details." Three key take-aways would make for great family discussion. Everybody needs to 1) select the right privacy and safety features for their particular needs (e.g., only friends can view one's full profile); 2) be really careful about the links they click on in other social networkers' profiles (they could link to malicious sites); and 3) check out the providers of the widgets and other code they paste into their profiles (is the source legit or potentially malicious?). [See also network-security news site DarkReading.com's comparison of potential personal and network vulnerabilities in MySpace, Facebook, and LinkedIn.]

Thursday, August 2, 2007

Facebook & ID theft

This is something for social networkers to be on the alert about: computer security and social engineering on social-networking sites (social engineering is what phishers and identity thieves use to trick people into making themselves and their devices vulnerable to hacks and ID theft). The latest warning signal concerns Facebook, which recently announced it's becoming a social-networking platform for all kinds of online services and widgets. "While thousands of applications being developed by third parties for Facebook users are enriching the social network's functionality, the Facebook Platform provides a perfect channel for distributing malicious software," CNET reports. To be fair, experts quoted in the article are talking more about the potential than actual attacks. And, "while Facebook third-party developers do not necessarily have access to Facebook members' personal details, whether users agree to install an application is ultimately a caveat emptor scenario" - meaning read the fine print before you agree to install stuff, people!

Monday, May 28, 2007

New phishing trick

Yet another indicator that we can never rely on technology alone to protect computers or kids. In this case, it’s a sneaky phishing scam to grab Net users’ social security and credit card numbers, among other sensitive info. The Register says it’s “able to spoof eBay, PayPal and other top Web destinations without triggering antiphishing filters in IE 7 or Norton 360.” It got this from a Londoner who “says he's been careful to practice good PC hygiene. He runs Norton 360 and uses the latest IE version, which Microsoft has taken pains to lock down with a variety of safety features, including one that alerts users when they visit many spoofed sites. He's also careful to examine the certificates that accompany financial sites he visits before logging in to them.” So this one surprised him. The Register heard from a security expert who “guesses those experiencing this attack have inadvertently installed an html injector. That means the victims' browsers are, in fact, visiting the PayPal website or other intended URL, but that a dll file that attaches itself to IE is managing to read and modify the html while in transit.” It helps to be a good speller and grammarian, because typos and bad grammar are frequent giveaways in phishers’ emails that otherwise look like they come from PayPal or your bank.