
Tuesday, September 16, 2008

Improved OnGuardOnLine Site Teaches Cyber Safety to the Average Person



One of the better places for the average person to learn about the sometimes murky waters of the Internet is free and sponsored by the Federal Trade Commission. Although OnGuardOnline.gov and AlertaEnLinea.gov, its Spanish-language counterpart, have been around for a while -- some new and exciting improvements have been made to the site with a just-released Web 2.0 redesign.

The new and improved site allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while learning how to avoid becoming an Internet crime statistic.

The site offers articles and games covering sixteen topics -- including social networking, phishing, e-mail scams and laptop security; plenty of buttons and banners you can post on your blog or website; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sectors.

I should add that a lot of good people from both the government and private sectors have given resources and their valuable time to assist the Federal Trade Commission with this site. Industry and government partners include the U.S. Department of Justice, Office of Justice Programs, Department of Homeland Security, Internal Revenue Service, United States Postal Inspection Service, Department of Commerce, Technology Administration, Securities and Exchange Commission, National Cyber Security Alliance, Anti-Phishing Working Group, i-SAFE, AARP, National Consumers League, Direct Marketing Association, WiredSafety.org, The SANS Institute, The National Association of Attorneys General, Better Business Bureau, NetFamilyNews, CompTIA, National Crime Prevention Council, Association of College Unions International, and the Latinos in Information Sciences and Technology Association.

In my opinion, this represents a valuable partnership in dealing with the ever-growing problem of crime on the Internet, and a very credible collaboration of resources and industry experts.

There is also a lot of material that businesses and organizations can use to educate their people. I frequently get approached on this subject, and I will continue to recommend this site as a valuable resource. Of course, the benefits for the individual wanting to protect themselves, or become more knowledgeable, are there (free for the taking) as well.

If you are one of those businesses or organizations wanting additional materials, you can get free OnGuard Online publications. For 50 or more copies, visit ftc.gov/bulkorder. If you need fewer than 50 copies, call 1-877-FTC-HELP.

Tuesday, April 22, 2008

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

On his birthday, Uriel Maimon of RSA reflected on a lot of personal things (as most of us do), as well as how spam and phishing are becoming more sophisticated and dangerous.

One major player in the spam and phishing game is known as the "Rock Phish." In his birthday post, Uriel gives us a little historical perspective on the group:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Apparently, the Rock Phish are now setting up a double whammy for anyone foolish enough to click on a socially engineered link received in a spam e-mail. Counting on the fact that a lot more people go to phishing sites than will actually type in their personal details, the Rock Phish are loading the sites with crimeware that steals personal information, automatically.

More specifically, Uriel describes the phenomenon of "drive-by infection" as follows:

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

Even worse, it appears that the Rock Phish make it easy for any criminal to mount a pretty sophisticated phishing expedition by selling all the "tackle" necessary to do it for a measly $700.00.

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

For the less technically inclined, the Zeus Kit offers a lot of operational capabilities for the information thief. Some of these capabilities are "the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs," according to Uriel.

There is little doubt that criminal groups like the Rock Phish are making the Internet more dangerous all the time. So far as getting infected while "driving by" a site, Websense announced today that a mass attack via malicious JavaScript injection is infecting thousands of trusted sites, including government ones. According to a report released today, this activity has exploded by a "factor of ten."

Sophos also mentioned in its Q1 Security Threat Report that it is finding infected web pages at a rate of one every five seconds.

In simple terms, all the average web surfer has to do is visit one of these sites to become infected and have all their information stolen from them.

It's probably a good time to make sure you've updated the protection on your computer and to just say delete to any spam getting past whatever filter you are currently using. By the way, has anyone besides me noticed that more and more spam has been getting past these filters in the past couple of weeks?

Blog post at RSA by Uriel Maimon, here.

By the way, I noticed that despite a lot of us commenting on this great post, no one bothered to wish him a Happy Birthday. The post has a lot of good information on it and it would be nice to thank him for educating the rest of us.

Thursday, March 13, 2008

The Dirty Dozen Tax Scams of 2008

The IRS has been in the news recently because its name has been impersonated (spoofed) to phish personal and financial information from people tricked into believing the IRS was going to send them money.

Another recent phishing lure spoofing the IRS name was the upcoming economic stimulus package being promised to the tax paying public. In this case, (too good to be true) promises of money were being sent out by spam spewing zombie computers before the details were finalized in the halls of Congress.

These spam spewing zombie computers are part of a botnet. Botnets are controlled by bot-herders, who are known to rent their services to a wide variety of Internet misfits. Bot-herders often use their botnets to commit criminal activity themselves, also.

Zombie computers are created after their owner clicks on a link in a spam e-mail containing malicious software engineered to take control of their system. In the recent past, there have even been examples of malware being injected into a system after just visiting an infected site.

Please note that most of these phishing ploys are designed to clean out your bank account, run up your credit cards, and/or allow a criminal to use your good name to obtain additional lines of credit. The fact that they often turn your computer into a zombie is considered add-on value to the criminal, who can then use your system to deliver spam (scams) to other unsuspecting people.

Today, the IRS issued its yearly Dirty Dozen Tax Schemes. Since Internet scammers have been so fond of using the IRS's name, I thought this would be a good subject to blog about.

Please note that from time to time, I get anonymous inquiries in the comments section about where to report tax fraud. I've included information on how to do this at the bottom of this post.

The IRS is sometimes willing to pay a reward for information leading to the successful resolution of an investigation. Your identity is protected if you choose to remain anonymous, also.

From the press release:

The Internal Revenue Service today issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments.

Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims.

Here is the Dirty Dozen hot off the official press release:


1. Phishing

Phishing is a tactic used by Internet-based thieves to trick unsuspecting victims into revealing personal information they can then use to access the victims’ financial accounts. These criminals use the information obtained to empty the victims’ bank accounts, run up credit card charges and apply for loans or credit in the victims’ names. Phishing scams often take the form of an e-mail that appears to come from a legitimate source. Some scam e-mails falsely claim to come from the IRS. To date, taxpayers have forwarded more than 33,000 of these scam e-mails, reflecting more than 1,500 different schemes, to the IRS. The IRS never uses e-mail to contact taxpayers about their tax issues. Taxpayers who receive unsolicited e-mail that claims to be from the IRS can forward the message to a special electronic mailbox, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Remember: the only official IRS Web site is located at www.irs.gov.

2. Scams Related to the Economic Stimulus Payment

Some scam artists are trying to trick individuals into revealing personal financial information that can be used to access their financial accounts by making promises relating to the economic stimulus payment, often called a “rebate.” To obtain the payment, eligible individuals in most cases will not have to do anything more than file a 2007 federal tax return. But some criminals posing as IRS representatives are trying to trick taxpayers into revealing their personal financial information by falsely telling them they must provide information to get a payment. For instance, a potential victim is told by phone or e-mail that he or she is eligible for a rebate but must provide a bank account number (or similar information) to get the payment. If the target is unwilling, the victim is then told that he cannot receive the rebate unless the information is provided. Individuals should remember that the only way to get a stimulus payment is to file a 2007 tax return. The IRS urges taxpayers to be extra-vigilant. The IRS will not contact taxpayers by phone or e-mail about their stimulus payment.

3. Frivolous Arguments

Promoters of frivolous schemes encourage people to make unreasonable and unfounded claims to avoid paying the taxes they owe. Most recently, the IRS expanded its list of frivolous legal positions that taxpayers should stay away from. Taxpayers who file a tax return or make a submission based on one of these positions on the list are subject to a $5,000 penalty. The most recent update of the list of frivolous positions includes: misinterpretation of the 9th Amendment to the U.S. Constitution regarding objections to military spending, erroneous claims that taxes are owed only by persons with a fiduciary relationship to the United States, a nonexistent “Mariner’s Tax Deduction” related to invalid deductions for meals and the misuse of the fuel tax credit (see below). The complete list of frivolous arguments is on the IRS Web site at IRS.gov.

4. Fuel Tax Credit Scams

The IRS is receiving claims for the fuel tax credit that are unreasonable. Some taxpayers, such as farmers who use fuel for off-highway business purposes, may be eligible for the fuel tax credit. But some individuals are claiming the tax credit for nontaxable uses of fuel when their occupation or income level makes the claim unreasonable. Fraud involving the fuel tax credit was recently added to the list of frivolous tax claims, potentially subjecting those who improperly claim the credit to a $5,000 penalty.

5. Hiding Income Offshore

Individuals continue to try to avoid paying U.S. taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore debit cards, credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance plans. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions.

6. Abusive Retirement Plans

The IRS continues to uncover abuses in retirement plan arrangements, including Roth Individual Retirement Arrangements (IRAs). The IRS is looking for transactions that taxpayers are using to avoid the limitations on contributions to Roth IRAs. Taxpayers should be wary of advisers who encourage them to shift appreciated assets into Roth IRAs or companies owned by their Roth IRAs at less than fair market value. In one variation of the scheme, a promoter has the taxpayer move a highly appreciated asset into a Roth IRA at cost value, which is below annual contribution limits even though the fair market value far exceeds the amount allowed.

7. Zero Wages

Filing a phony wage- or income-related information return to replace a legitimate information return has been used as an illegal method to lower the amount of taxes owed. Typically, a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 is used as a way to improperly reduce taxable income to zero. The taxpayer also may submit a statement rebutting wages and taxes reported by a payer to the IRS. Sometimes fraudsters even include an explanation on their Form 4852 that cites statutory language on the definition of wages or may include some reference to a paying company that refuses to issue a corrected Form W-2 for fear of IRS retaliation. Taxpayers should resist any temptation to participate in any of the variations of this scheme.

8. False Claims for Refund and Requests for Abatement

This scam involves a request for abatement of previously assessed tax using Form 843, “Claim for Refund and Request for Abatement.” Many individuals who try this have not previously filed tax returns. The tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses Form 843 to list reasons for the request. Often, one of the reasons given is "Failed to properly compute and/or calculate Section 83-Property Transferred in Connection with Performance of Service."

9. Return Preparer Fraud

Dishonest tax return preparers can cause many problems for taxpayers who fall victim to their schemes. These scam artists make their money by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Some preparers promote the filing of fraudulent claims for refunds on items such as fuel tax credits to recover taxes paid in prior years. Taxpayers should choose carefully when hiring a tax preparer, especially one who promises something that seems too good to be true.

10. Disguised Corporate Ownership

Some people are going as far as forming domestic shell corporations in certain states for the purpose of disguising the ownership of a business or financial activity. Once formed, these anonymous entities can be used to facilitate underreporting of income, non-filing of tax returns, engaging in listed transactions, money laundering, financial crimes and even terrorist financing. The IRS is working with state authorities to identify these entities and to bring the owners of these entities into compliance.

11. Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

12. Abuse of Charitable Organizations and Deductions

The IRS continues to observe the misuse of tax-exempt organizations. Misuse includes arrangements to improperly shield income or assets from taxation, attempts by donors to maintain control over donated assets or income from donated property and overvaluation of contributed property. In addition, IRS examiners are seeing an upturn in instances where taxpayers try to disguise private tuition payments as contributions to charitable or religious organizations.

As promised above, here is how you can report one of these scams:

Suspected tax fraud can be reported to the IRS using IRS Form 3949-A, Information Referral. Form 3949-A is available for download from the IRS Web site at IRS.gov. The completed form or a letter detailing the alleged fraudulent activity should be addressed to the Internal Revenue Service, Fresno, CA 93888. The mailing should include specific information about who is being reported, the activity being reported, how the activity became known, when the alleged violation took place, the amount of money involved and any other information that might be helpful in an investigation. The person filing the report is not required to self-identify, although it is helpful to do so. The identity of the person filing the report can be kept confidential.

Whistleblowers also could provide allegations of fraud to the IRS and may be eligible for a reward by filing Form 211, Application for Award for Original Information, and following the procedures outlined in Notice 2008-4, Claims Submitted to the IRS Whistleblower Office under Section 7623.

Full press release on the 2008 Dirty Dozen Scams, here.

Saturday, February 02, 2008

The IRS must be a great lure to go phishing and vishing with!

It should be no surprise that scam artists, fraudsters and other internet misfits are trying to cash in on the economic stimulus package being proposed by the powers that be in Washington.

The odd thing is the come-on, a tax rebate, hasn't even been approved yet.

The most accurate information I could find on this latest trend was from the IRS, which is being impersonated once again. It has gained considerable experience with this type of scam recently, with its name being used (frequently) as a fake "badge of authority" (lure) to trick people into becoming an identity theft statistic.

From the IRS site (published on January 30th):

The Internal Revenue Service today warned taxpayers to beware of several current e-mail and telephone scams that use the IRS name as a lure. The IRS expects such scams to continue through the end of tax return filing season and beyond.

The IRS cautioned taxpayers to be on the lookout for scams involving proposed advance payment checks. Although the government has not yet enacted an economic stimulus package in which the IRS would provide advance payments, known informally as rebates to many Americans, a scam which uses the proposed rebates as bait has already cropped up.

The goal of the scams is to trick people into revealing personal and financial information, such as Social Security, bank account or credit card numbers, which the scammers can use to commit identity theft.

The bottom line is that the IRS is not going to send you an e-mail, or call you on the telephone asking for personal information.

Trust me, they already have it if you are due to receive money from them!

Variations of the recent scams include a tax rebate phone call, refund spam e-mail, audit e-mail (besides money fear is a common lure), changes to tax law e-mail, and a telephone scam claiming the IRS has sent a paper check and needs to verify your banking information.

So far as the e-mails, they sometimes contain links that load malicious software (designed to steal more information). Although not mentioned in the IRS release, a new phenomenon called "drive by pharming" was recently seen in the wild (on the Internet).

Here is what I wrote about "drive by pharming" in a previous post:


"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

Spam e-mail is becoming more dangerous all the time. Most of these lead to fake websites, or blogs that can download malware on a system by merely visiting them.

So far as the surge in using the telephone to scam information, often referred to as vishing -- VoIP technology (super-cheap long distance) has made this easy to do. From what I hear, a lot of it is being done across international borders, which also makes prosecution difficult.

The IRS release warns that the caller might sound foreign. This is a good tip, but with call centers being outsourced all over the world, it's becoming pretty common to speak to someone on the telephone with an accent.

The safest bet is to give out no personal information to anyone, no matter how official they might seem, when they solicit it via telephone or over the Internet.

The press release does offer resources to report any suspected scams. Please note that the first paragraph is an extremely good tip!


Anyone wishing to access the IRS Web site should initiate contact by typing the IRS.gov address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.

Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting IRS.gov and entering the words “suspicious e-mails” into the search box in the upper right corner of the front page.

I know a lot of us simply hit delete when we see this stuff, but if it didn't work, the phishermen wouldn't keep doing it. We should all consider reporting it an "act of kindness" towards those who might fall for this.

The people at the IRS fighting this could certainly use the HELP! It might eventually lead to the people behind this being held accountable.

Those who have received a questionable telephone call that claims to come from the IRS may also use the phishing@irs.gov mailbox to notify the IRS of the scam.

IRS release, here.

Previous posts about the IRS being used as a lure from this blog, here.

Tuesday, January 22, 2008

Symantec reports sighting drive-by pharming in the wild



We hear a lot about phishing, but we don't see a whole lot written about pharming. According to a blog post on Symantec's blog by Zulfikar Ramzan, we might start seeing pharming mentioned a lot more than it has been in the past.

According to Zulfikar, the first instances of drive-by pharming are being seen in the wild (on the Internet). This means a computer can be infected by merely viewing an e-mail or website, without clicking on an attachment or link.

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

In Zulfikar's own words:

In a previous blog entry posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection.

Here is a further description of the activity seen in the wild, which reveals how deceptive (not to mention deadly) this type of pharming attack could be:

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.

Please note that many users fail to change preset (factory) passwords, which leaves hardware vulnerable to being compromised. These preset passwords aren't very difficult for those with malicious intent to get their greedy paws on. I've even run into preset passwords in technical manuals posted on the Internet.

What is SCARY in this instance is that the specific router targeted in this attack didn't need a password to compromise the system.

Quite simply, the router didn't authenticate the request.

The malicious code that makes this attack possible can be embedded inside an e-mail message or placed directly on a web page. It isn't necessary to click on anything to start the execution (pardon the pun) process.

Once this occurs, the hacker controls your router and can send you anywhere they want to.
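A defender-side check for the two pharming vectors this post describes (a tampered hosts file and silently changed DNS resolver settings), written as an added example that is not from Symantec's post or this blog; the hosts-file content, watched domains and trusted resolver addresses are constructed placeholders a real check would replace with the user's own bank domains and the router/ISP resolver addresses.

```python
import ipaddress

# Constructed sample hosts file: the last line is a planted pharming entry that
# pins a bank's hostname to an outside address instead of letting DNS resolve it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      secure.examplebank.test   # planted line (constructed sample)
"""

# Hostnames the check cares about (constructed placeholders).
WATCHED_DOMAINS = ("examplebank.test", "examplemail.test")

# Resolvers the machine is expected to use (constructed: the router's LAN
# address and the ISP's resolver range). Anything else is a pharming indicator.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.1.1/32"),
                     ipaddress.ip_network("198.51.100.0/24")]


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text, ignoring
    comments and blank lines. Malformed lines are skipped rather than fatal."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def _matches_watched(hostname, watched):
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_pharming(text, watched=WATCHED_DOMAINS):
    """Flag hosts-file entries that pin a watched domain to a non-loopback address.
    A loopback mapping is a common legitimate ad-blocking technique; anything
    else for a bank or webmail domain should come from DNS, not the hosts file."""
    hits = []
    for addr, name in parse_hosts(text):
        if _matches_watched(name, watched) and not addr.is_loopback:
            hits.append((str(addr), name))
    return hits


def find_rogue_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured DNS server addresses that fall outside the trusted set.
    This is the check that catches the router-DNS change described above: the
    resolver silently moves from the LAN/ISP address to an outsider's server."""
    rogue = []
    for server in configured:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in trusted):
            rogue.append(server)
    return rogue


if __name__ == "__main__":
    # On a real machine, read /etc/hosts (or the Windows drivers/etc/hosts file)
    # and the resolver list from the OS or the router's status page instead.
    print("hosts-file pharming entries:", find_hosts_pharming(SAMPLE_HOSTS))
    print("rogue resolvers:", find_rogue_resolvers(["192.168.1.1", "203.0.113.53"]))
```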

Zulfikar offers a lot of sound recommendations on how to protect yourself from pharming attacks.

Note that he still recommends changing the factory preset passwords on any router you might own. The problem in the instance observed occurred with a particular type (brand) of router.

To view these recommendations, I recommend you read his interesting post, which can be seen, here.