Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

New Rogue Uses Fake PC Magazine Review

Yesterday, the good folks at BleepingComputer posted removal instructions for a rogue antivirus (please see, Internet Plague – Rogue Antivirus) that is demonstrating a new behavior…

Quote: “Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself.

Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer…”

But that is not the new part. The new behavior is that the rogue adds entries to your HOSTS file, so that if you go to any of a number of technology sites, including pcmag.com, you are instead taken to the malware author’s site and shown his content, which includes a doctored PCMag review of the fake anti-malware product.
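As an added example (not from the post or from BleepingComputer), here is a small Python audit of a Windows HOSTS file that flags any hostname mapped to something other than a loopback or 0.0.0.0 sinkhole address, which is exactly the redirection described above. The sample file, the watched domains other than pcmag.com, and the 203.0.113.45 address are all constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file: stock loopback entries, an ad-block style
# 0.0.0.0 entry, and the kind of redirection the rogue adds (203.0.113.45 is
# a documentation-range placeholder, not a real indicator).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # typical ad-block list entry
203.0.113.45    pcmag.com            # added by the rogue (constructed)
203.0.113.45    www.pcmag.com
203.0.113.45    www.bleepingcomputer.com
"""

# pcmag.com is named in the post; the other domains are assumptions.
WATCHED_DOMAINS = {"pcmag.com", "bleepingcomputer.com", "microsoft.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def base_domain(host):
    # Naive last-two-labels rule; fine for .com sites, not for example.co.uk.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that is not a harmless sinkhole."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 mappings block, they do not redirect
        if base_domain(host) in WATCHED_DOMAINS:
            findings.append((ip, host, "security/tech site redirected"))
        else:
            findings.append((ip, host, "non-loopback mapping, verify"))
    return findings
```

On a real machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts.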

For more on the story, click here.
And for removal instructions, click here.

A big tip of my geek hat to BleepingComputer.

Copyright 2007-9 © Tech Paul. All rights reserved.


February 19, 2009 Posted by | advice, anti-spyware, antivirus, computers, cyber crime, Internet scam, News, phraud, security, tech | 6 Comments

CATEGORY "A" WINNER, PLEASE CONTACT US

Once Again– I’m A Millionaire! In the span of 48 hours, I have won $3,825,900…

CATEGORY "A" WINNER,PLEASE CONTACT US

From: 
Mrs.Dayzers Loterij (dayzersloterij.coordinator@yahoo.com.hk¹)


Sent: Thu 1/15/09 8:44 PM

AWARD WINNING NOTICE
Ref No.17/324/113
Batch No.448/1803734
Ticket/Series No.RJ975489
Amount Won: $2,500,000.00 USD

Attn: Lucky Winner,

Upon the conclusion of our recent e-lottery draws, your email address was selected from an exclusive list of 1,00,000 email addresses generated from an internet resource database.

You are therefore to receive a cash prize of $2,500,000.00. (Two Million Five Hundred Thousand United States Dollars) .

To file for the processing of your prize sum payment, you are advised to contact our Certified and Accredited claims agent for category "A" winners with the information below:

*************************************
Name: Mr.Hugh Gareth
Email: dayzersloterij08@yahoo.com.cn²
Phone:+31-626-429-963
Fax: +31-847-393-086
*************************************

You are advice to provide him with the following information:

Names:
Telephone/Fax number:
Nationality:
Age:
Occupation:

NOTE: Ensure to quote your Reference Numbers in all your communication with your claims agent.All winnings must be claimed not later than 14 days, thereafter unclaimed funds would be included in the next stake. Remember to quote your reference information in all correspondence.

Sincerely Yours,
Mrs.Dayzers Loterij
http://www.lotto.nl³
Lottery Coordinator.
Thank you and congratulations!!!

¹ .hk is the domain for “Hong Kong”.
² .cn is the domain for “China”.
³ .nl is the domain for “Netherlands”.
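As an added example (not part of the original post), the following Python heuristics apply the checks the footnotes above make by hand: where the sender’s mailbox really lives, whether it matches the organisation the message claims to be, and whether the “claims agent” is on yet another domain. The sample message is constructed from the addresses quoted above; the webmail-provider list is an assumption.

```python
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://([\w.-]+)")
WEBMAIL_PROVIDERS = {"yahoo", "hotmail", "gmail", "live"}  # assumed heuristic list

# Constructed sample built from the addresses quoted in the post above.
SAMPLE_MESSAGE = """\
From: Mrs.Dayzers Loterij <dayzersloterij.coordinator@yahoo.com.hk>
Subject: CATEGORY "A" WINNER,PLEASE CONTACT US
Amount Won: $2,500,000.00 USD
contact our claims agent: Email:dayzersloterij08@yahoo.com.cn Phone:+31-626-429-963
Mrs.Dayzers Loterij
http://www.lotto.nl
Lottery Coordinator.
"""


def header(text, name):
    m = re.search(rf"^{name}:\s*(.*)$", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else ""


def addr_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def scam_indicators(text):
    """Return the reasons a 'you have won' message looks fraudulent (empty if none)."""
    reasons = []
    from_addrs = EMAIL_RE.findall(header(text, "From"))
    to_addrs = [a.lower() for a in EMAIL_RE.findall(header(text, "To"))]
    sender = from_addrs[0].lower() if from_addrs else ""
    sender_domain = addr_domain(sender)
    # The organisation the message claims to be: the domains of any links in it.
    claimed = {re.sub(r"^www\.", "", d.lower()) for d in URL_RE.findall(text)}
    # Addresses you are told to write to, other than the sender and recipient.
    contacts = {a.lower() for a in EMAIL_RE.findall(text)} - {sender} - set(to_addrs)
    if sender_domain.split(".")[0] in WEBMAIL_PROVIDERS:
        reasons.append(f"sender uses a consumer webmail domain ({sender_domain})")
    for org in claimed:
        if not sender_domain.endswith(org):
            reasons.append(f"sender domain {sender_domain} does not match claimed organisation {org}")
    for contact in contacts:
        if addr_domain(contact) != sender_domain:
            reasons.append(f"contact address {contact} is on a different domain than the sender")
    if sender and to_addrs and sender == to_addrs[0]:
        reasons.append("message is addressed to its own sender (real recipients hidden in Bcc)")
    if re.search(r"\b(won|winner|prize)\b", text, re.I) and re.search(r"\d[\d,]*\.\d{2}", text):
        reasons.append("unsolicited prize notification quoting a cash amount")
    return reasons
```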

Today’s free link: The Animal Rescue Site has an agreement with charitably-minded advertisers, where they will donate money for food for sheltered animals.. for each click of the “click to give” button.

January 16, 2009 Posted by | advice, cyber crime, e-mail, Internet scam | Leave a comment

Once Again– I’m A Millionaire!

You know, I never could have predicted – when I was a lad – that when I grew up I would get a million bucks/Euros in the mail… much less, 2-to-3 times a week!

Ref No : ESE/WIN/008/02/10/MA
From: Max Raster (Max.Raster@t-online.de)
Sent: Wed 1/14/09 9:00 PM
To: max.raster@t-online.de
Ref No : ESE/WIN/008/02/10/MA
Batch No: EULO/1007/444/606/08
Lucky Numbers: 8-17-28-31-55 [09]
PROMOTION DATE: 2ND JANUARY 2009

Your email address has won 1,000,000.00 (One Million Euro) in the ESPANA EURO MILLION PROMOTION. The Promotion is a joint Euro/America private lottery registered and organized in accordance with the World Lottery regulation act.

We the National Lottery organizing committee are pleased to officially notify you of the status of your email application. An official notification of winning is hereby issued to you as your email promotion ticket randomly drew for the Lucky Numbers: 8-17-28-31-55 [09] Bonus Ball which selected your email as the 2ND winner of our lottery program you have consequently won the lottery program in the first batch. You have been awarded a cash prize of 1,000,000.00 (One Million Euro)

Pretty good grammar in this one.. maybe it’s legit? Woman Bilked Of $400K By Nigerian Internet Scam and http://www.consumerfraudreporting.org/lotteryscamnamesE.php

Today’s free link:
Folks, please read Bill Mullins article Jealous? Cyber-crooks Have Your Number



January 14, 2009 Posted by | advice, computers, cyber crime, Internet scam | 2 Comments

*New* Infected Attachment Scam

Subject: funds wired into your account are stolen
From: investigation@fdic.gov

Dear bank account owner,

Funds wired into your account are stolen from innocent account holders through Identity Theft. Please check your account statement (the statement is attached to this letter) and contact your bank account manager.

Federal Deposit Insurance Corporation

POP QUIZ: What’s wrong with this picture? (multiple choice)
a: It came on a Sunday, and the Gov’t doesn’t work on Sundays.
b: There’s no such thing as “innocent” account holders.
c: dot exe’s are “executables” (aka “scripts” and “programs”) and make things happen on machines.. maybe bad things.

Answer: C

Folks, this is a really old attack method, and it preys upon the fact that users are unobservant (won’t notice the .exe) and uneducated (don’t know what a .exe is).

Sadly, those two facts really don’t change. And so someone is trying this old trick again. The attachment “statement.exe” is a “downloader virus”: open the attachment and be “pwn3d”.

Today’s free link(s):
* Top 10 things you should do to your computer–updated
* Internet and System Security – Common Sense Tips



October 9, 2008 Posted by | advice, computers, cyber crime, e-mail, hackers, Internet scam, News, PC, Phishing, spam and junk mail, tech | 7 Comments

Miss Osh Diaz– scam alert

Immediately delete (unopened) any e-mail from “Miss Osh Diaz”.

It is just a new (to me) variant on the Nigerian scam.

August 9, 2008 Posted by | advice, cyber crime, e-mail, Internet scam, Phishing, phraud, security, spam and junk mail | 2 Comments

Some not so friendly advice*

This story opens gently enough. It begins with a friendly and helpful Comment posted on a friendly and helpful blog.

Someone had written to share “the results of their work”, which he said “solved his security problems.” He was talking about viruses and spyware, and other malware, and he said his method “covers 99.8%! of all known threats.”
He posted his advice/Comment on an article about How To prevent the dangers posed by spyware (and also warns about “rogue” anti-spyware programs). He signed himself “Spycrasher”.

So far, this all sounds pretty good, doesn’t it? 99.8% effective certainly sounds good.

As you have probably deduced, Dear Reader, the “friendly and helpful blog” in question was this one. Tech–for Everyone, like most blogs, provides readers the opportunity to respond, ask a question, or just “put in their two cents”, simply by clicking on “Comments” at the bottom of the article. And also like most blogs, I have the ability to “moderate” which comments get posted and which don’t– for instance, Comments containing offensive language will not be published.
Spycrasher’s 99.8%-effective security solution will NOT be seen here.

But.. maybe you’re a little curious as to what it was. And.. maybe, why I deleted it. (Take another peek at today’s title..) “Spycrasher’s” comment said to use three particular anti-spyware programs– in tandem– and he provided download links. (This, alone, triggers red flags.) He mentioned two tools I was not familiar with, and one rather well-known program.

* Hyperlinks are always suspicious (and blocked as a matter of policy), and the first thing I checked was, did the links point to legitimate websites..? Or would clicking on them take you to a poisoned webpage (which could infect your machine) or a pharming site.
No problem there. The links he provided did indeed point to real websites.

* The next thing was to check out the unknown programs themselves. No self-respecting and legitimate tech writer will advocate something they have not used, and tested, themselves. Period.
In my initial research of the first program (XoftSpy-SE), I found a wide range of reviews and comments.. from “this is rogue” to “this is the best thing since sliced bread”, and I learned that the program was “for pay”.
I don’t promote “for pay” software here (but do provide a daily free download), nor even potentially rogue apps; and so I stopped right there. I would not allow Spycrasher’s Comment.

* Being the gentleman that I am, I decided to write Spycrasher and thank him for his submission, and explain why I had moderated it. But before I did, I wanted to get a feel for where he was coming from.. so I ran a Whois on his IP at ARIN…

Now, I gotta tell you.. it is very rare for ARIN to come back with a “no match found”. Very, very strange.

So I traced him with tracert:
New York > London > Amsterdam > Berlin > Warsaw…
And then he disappears into a virtual private network somewhere in Ukraine.
Odd.

* So I used a search engine to find instances of the word “Spycrasher”… and he came up a lot. Spycrasher likes to post in various forums. Quite a few of them, actually. Like, practically all of them.
And he posts a lot of Comments there.
* Guess what? They are all identical to the one he posted (I should say “pasted”) on mine.. right down to the ‘wink’ smiley ;-).

Very.. odd.

Tip of the day: Be very leery of hyperlinks, folks.. and please understand: not every innocent looking thing you see on the Internet is in fact “friendly and helpful”. There are people whose full-time job it is to try to trick you, and seduce you into doing something you normally wouldn’t, I am very sad to say.

[note to bloggers/forum moderators/webmasters: you may want to search your published pages for instances of “Spycrasher”, and delete this guy.]

Today’s free link: I am going to repost a program here today, because I have it on every single one of my (Windows) machines, and I think you should too. ThreatFire (originally named “CyberHawk”) is a free, behavior-based anti-malware application. I use it as a supplement to my antivirus and other anti-spyware tools. Heuristic tools like ThreatFire are your only defense against “zero day” exploits.



July 2, 2008 Posted by | advice, computers, tech | 2 Comments

Every good story needs a villain


April 20, 2008 Posted by | advice, anti-spyware, blogging, computers, Internet scam, PC, Phishing, phraud, security, spam and junk mail, tech, Uncategorized, Windows | 2 Comments