Feb 2, 2011

Fraudulent spam



  • Phishing
  • Extorting money via spam
    • Nigerian email fraud
    • Fake lottery wins
    • "Mistakes" in payment systems, "magic purses", code generators
    • Casinos with holes
    • Tempting quick profits
    • Blackmail
    • Sending text messages to short codes
  • Conclusion
Kaspersky Lab experts refer to spam as anonymous unsolicited mass mailings. Most of these mailings are adverts, although several categories of spam serve other purposes. “Non-advertising” spam includes one of the most dangerous types of spam – fraudulent messages.
State-of-the-art spam technologies allow spammers to send emails containing fake messages, insert fake sender addresses and use infected machines to send out spam. Unsurprisingly, the use of spam to trick users, as well as the ability to conceal such activity, attracts cybercriminals and fraudsters of all types.
The anonymity of spam, i.e., the inability to easily detect those initiating mass mailings, means that cybercriminals can act with impunity, further contributing to the criminalization of spam. The services offered by spammers are actively used by sellers of counterfeit and fake products, those offering illegal services and virus writers.
This article describes fraudulent spam messages that are sent with the aim of stealing a user’s money or gaining access to personal information which can be used for the same purpose.

Phishing

Phishing is the term used for the most hostile type of fraudulent spam.
Phishing messages are used by spammers to obtain personal data – user logins, passwords, credit card numbers and PINs – with the aim of stealing money. Most often, phishing attacks target clients of online banking and e-pay systems.
Phishing messages imitate the correspondence of legitimate organizations (banks, financial companies, or payment systems). Unlike legitimate messages, however, phishing messages usually encourage recipients to “confirm” their personal data on some pretext or other. These messages contain a link to a fake page where users are asked to enter their personal data, which will then fall into the hands of criminals. The fake page is usually an exact copy of the official site of the organization that supposedly sent the message (the sender’s address is also false) so that users do not suspect anything.
In some cases after the user enters his data the browser redirects to the genuine site, making it even more unlikely that the victim will suspect anything is wrong.
Another variant of phishing entails an imitation web page using vulnerabilities in the software installed on a user’s computer to download a Trojan program, which then collects various data (e.g., passwords for bank accounts) and passes it on to its "owner". In addition, a machine that is infected in this way may become part of a zombie network and used for cyber attacks or sending spam.
To deceive users who pay attention not only to the design of the page but also to the addresses of the sites they visit, spammers mask the URLs, making them look as close to the original as possible. Phishing started with the registration of domain names similar to the domain names of the targeted sites on free web hosting services, but over time more sophisticated methods have emerged.
The message below addressed to PayPal clients is an example of the most common tactic of masking.

Only a very attentive user who places the cursor over the link contained in the message will notice that it in fact leads to a phishing site. The link looks very similar to the address of the legitimate site but the domain is different - client-confirmation.com.

In this particular instance the “wrong” address can be viewed by positioning the cursor over the link contained in the message. More advanced users will be able to recognize the illegitimate link before clicking on it.
As well as contrived tricks of this sort, there are more primitive methods of deceiving users. For instance, a user receives a message sent on behalf of the site administration or technical support service asking him, on some pretext or other, to immediately send the password to his account to the address indicated in the message. The user is warned that if he fails to do so, his account will be terminated.
Phishers on the Russian-language Internet use this trick to access users’ email accounts. Control over a user’s email enables cybercriminals to gain access to the victim’s personal data on other Internet services by requesting new passwords for those services.

TRANSLATION:
Hello!

Due to updates carried out to our databases we request that you repeat the authorization process for our mail server to avoid losing your mail account. We apologize for any inconvenience!
Authorization
Enter your password and click “answer”
The password must be entered exactly as it was at registration, using capital or small letters in the same register that was used during registration (if your keyboard was switched to Russian or CapsLock was turned on, use the same regime or select from the following combinations [Rus], [CapsLock], [CapsLock + Rus] as well as various Russian language codes)
If you have additional Mail. Ru
1999-2008, Mail.Ru Registration User community
Another widespread method of collecting email passwords is to send out messages with offers to take advantage of a “vulnerability in the password backup system” which can be used to find out another user’s password. To access another user’s account the recipient of the spam message has to send the victim’s login and his own password to a specified address and in a certain format. It goes without saying that the would-be “hunter” becomes the victim of cybercriminals when he falls for a dubious offer of this kind.
However, over time users have learnt that respectable organizations never ask them for their passwords, so the effectiveness of these tricks has declined. Spammers have had to become more inventive when masking fake messages, and as a result it has become more difficult for recipients to distinguish them from legitimate messages.
In general, phishing attacks target Western online payment systems and online banks with large numbers of clients. However, phishers are currently targeting online banks on the Russian-language Internet.
A phishing attack that targeted Alfa Bank clients is the most typical illustration of the above. The cybercriminals used the standard scheme: they sent messages that appeared to be from the bank administration containing a link to the fake site, where the user was asked to enter his login and password to access the Internet banking system. The layout of the page looked just like Alfa Bank’s home page. The cybercriminals had another surprise in store for any users careless enough to click on the link – a malicious program that downloaded to the victim’s computer. The same method was used to attack the WebMoney and Yandex.Money systems. Citibank was also targeted by phishing attacks.
Cybercriminals have also tried on a number of occasions to gain access to email accounts by pretending to be from the Russian email system administration and asking users for their logins and passwords.

Extorting money via spam

In addition to phishing, cybercriminals make use of lots of other tricks to catch out hapless users. More often than not spammers play upon the victim’s naivety, greed and love for freebies, though this is typical of all conmen. To achieve their goals cybercriminals have come up with various techniques. We will look at the most popular methods in more detail.


  • Nigerian email fraud

    As the name suggests, this technique was developed by Nigerian cybercriminals, although it is now being used by others all over the world.
    The classical Nigerian scam usually follows the same scenario: spammers send messages on behalf of a representative of a wealthy family (usually African) deposed after either a civil war, coup d'etat, economic crisis or political repressions. These messages are usually written in bad English asking a recipient to assist in retrieving a large sum of money by making a money transfer from one bank account to another. In return the sender offers a share of the money, usually a percentage of the transferred sum. In the course of the “rescue mission” a voluntary (but by no means disinterested) assistant is needed to pay certain fees (to cover the costs of the money transfer or legal fees, etc.). The sum is relatively small compared to the supposed payoff, but after the transaction all contact with the “widow of the deposed dictator” or the “son of the late deposed prime minister” is lost. Sometimes the victim is kept waiting for the promised money transfer, with further requests for more money to overcome unforeseen problems.
    In some cases the sender introduces himself as a high-ranking corrupt government official, who has embezzled funds and is now on remand so cannot take his money out of the country. In order to make a wire transfer he needs access to a bank account. The recipient is offered a percentage for his assistance, but when the cybercriminal gets control of the account he steals all the money from it.
    The stories used by Nigerian scammers are so creative that they were even awarded the 2005 Anti-Nobel prize in Literature! Russia too has been affected by these types of scams. In 2005, typical Nigerian scam messages were sent in English on behalf of the relatives and friends of the deposed oligarch Mikhail Khodorkovsky. That was the only distinctly Russian aspect to the scam; the rest did not differ from the usual tactics.
    Dear Friend,

    I am Lagutin Yuriy and I represent Mr. Mikhail Khordokovsky the former C.E.O of Yukos Oil Company in Russia. I have a very sensitive and confidential brief from this top (Oligarch) to ask for your partnership in re-profiling funds over US$450 million. I will give the details, but in summary, the funds are coming via Bank Menatep. This is a legitimate transaction. You will be paid 4% for your "Management Fees".

    If you are interested, please write back by email and provide me with your confidential telephone number, fax number and email address and I will provide further details and instructions. Please keep this confidential; we can't afford more political problems. Finally, please note that this must be concluded within two weeks. Please write back promptly.

    Write me back. I look forward to it.

    Regards,

    Lagutin Yuriy
    There is also a romantic variant of the Nigerian scam involving messages from brides in exotic countries with a photo of a pretty African lady attached. Generally, scammers target users registered on online dating sites. If a potential victim gets involved in correspondence, he is offered a touching story worthy of a soap opera: my relatives were killed; I am not allowed to leave the country; I am in fact a rich heiress… In the third message the girl is already swearing her undying love, asking the “hero” to help her leave the country with her millions and get a generous reward. However, this romantic story is a mask for the standard Nigerian fraud technique. Needless to say, the “assistant” has to pay some preliminary costs that can amount to thousands and even tens of thousands of dollars. To make it more convincing, “a pastor” or “an attorney” participates in the deal. The final stage of the affair includes forged papers.

    Fake lottery wins

    This type of scam is similar to the Nigerian email fraud. Recipients get fake notifications stating that they have won a lottery that draws winners at random from email addresses or telephone numbers, and are offered “free” presents as a prize. To make the message look more convincing the scammers may add a photo of the prize, a lottery ticket number, a certificate of registration/license and other fake information. As in the previous case, to receive the prize the recipient has to make a money transfer to the account indicated in the message.

    There were also Russian-language versions of such messages. The text in these messages was translated from the English-language originals using an online translator.
    Recipients of such notifications must clearly understand that participation in any lottery is impossible without the user’s consent. If you have not given your consent (and more often than not, you know nothing about the lottery you have supposedly won), you are most likely being targeted by conmen who are trying to extort money from you and other Internet users.

    "Mistakes" in payment systems, "magic purses", code generators

    This type of spam informs the recipient about a vulnerability discovered in a payment system, which makes it possible to derive a profit. The spammers describe the vulnerability and offer a method for obtaining money, which generally includes sending a certain sum to the “magic purse”. A user is offered a payment of more than double the transferred sum. Needless to say, the “magic purse” belongs to cybercriminals and the user will never see either his money or the promised payment. Moreover, the victims are hardly likely to report the scam to law enforcement agencies.
    Yet another freebie type of fraud is the offer of credit card generators - systems for skimming money from other people’s accounts. The key point here is to get users who can’t resist a freebie to enter their credit card/epay number and password to activate the program. Such programs usually have to be paid for, but the user is informed that 1-3 accounts can be skimmed for free. While the user is trying to steal from someone else’s account, the data he has entered is passed to cybercriminals, who use it to access his account.
    The scheme which cybercriminals use when offering card generators to pay for mobile or Internet services is the same as the previous one, but in this case the code of a non-activated card has to be entered into a “card generator”. This code will become a sort of model for “multiplication”. As in the case with credit cards, the entered data becomes the property of the cybercriminals and the program imitates the calculating process. While a victim is waiting for the results, the cybercriminals are paying their bills using the victim’s “master” card.

    Casinos with holes

    Another type of scam sees users receiving a message with the following content: “After long hours of playing we have discovered a hole in the script, which makes it possible to win in an online casino. Surprisingly, the administrators have not noticed it yet!” There then comes a detailed description of the “winning” strategy and the link to the casino site. The reason for these messages has nothing to do with altruism, and the “hole in the script” does not exist. The fraudulent scheme works as follows: the user follows the link in the message and enters the casino site and the spammer gets a share of whatever the victim loses. Other messages contain an offer to download (sometimes to buy) and install a program, which makes it possible to use the vulnerability. The program turns out to be spyware, however.

    Tempting quick profits

    These scam messages usually begin by stating: “This is not spam. This is a profitable proposition, which is difficult to decline. This message is sent to you only once and if you ignore it you will regret the lost opportunity for the rest of your life”. The scheme described further in the text is nothing more than a financial pyramid: the user has to pay the author of the message (the curator) a certain sum of money and then forward this message to someone else, receiving the same sum from each addressee plus part of the profit from the “subordinates” on a lower level. This scheme promises each participant a fabulous income, but he only ends up losing money.
    Job offers are a more effective way of extorting money. The scammers pretend to be employers and promise “potential employees” a high income for doing nothing in particular. Qualifications are not required, and after establishing contact with a potential victim, the scammers ask him to pay some startup costs for more detailed information and postal expenses. A user is encouraged to do this as quickly as possible because the vacancy may be occupied by someone else.
    Sometimes scammers carry out targeted attacks, sending out “attractive offers” to the addresses of users registered on job search sites. Applicants are offered jobs in a real international company engaged in gold or diamond mining, manufacturing of medical equipment, the production of chemicals and vaccines, investment banking or the construction business, with options on a contract. The job that is offered is usually related to the applicant’s sphere of activity and requires his professionalism and experience. But inevitably there are “administrative expenses” and the victim’s money ends up in the scammer’s pocket.
    Subject: Prospective Employee
    Attn: Prospective Employee,
    Spiralnergy Exploration, UK is an oil and gas exploration and production company based in United Kingdom.
    The Company's producing properties and Exploration activities are focused on the UK Central North Sea.
    The goal of Spiralnergy Exploration in the near term is to achieve oil production from its interests in the North Sea while carrying out an active exploration /development program on both its own properties and in various joint venture opportunities currently being considered by the Company.
    Spiralnergy Exploration, UK hereby inform that, you have been shortlisted as one of the personnel/expatriate for our upcoming project schedule to commence March, 2008.
    The project involves the construction of a new LPG(Liquefied Petroleum Gas ) Plant and Oil Wells at UK Central North Sea, UK.
    You are hereby require to send your detailed resume and application via fax or email attachment to us in not later than 5(five) days of receiving this email.
    All resumes/application should be in MS Word format.
    Thanks for your interest.
    William Peters {Address}, UK
    This email and any attachments to it contain information that is confidential and may be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information contained in it is strictly prohibited and may be unlawful. If you have received this email in error, please return it to the sender (Spiralnergy Exploration) and delete the email from your records.

    Blackmail

    To extort money spammers not only use attractive offers but threats as well. Most often the threats are along the lines of: we will only stop sending spam if you pay us. But there are also more frightening variants like messages from a “killer” who wants money in exchange for the victim’s life.
    Subject: BE WARNED!!!
    HELLO
    I am very sorry for you Xxxxxx, is a pity that this is how your life is going to end as soon as you don't comply. As you can see there is no need of introducing myself to you because I don't have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that. Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he wanted you dead and he provided us with your name ,picture and other necessary information's we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent. I called my client back and ask him of your email address which I didn't tell him what I wanted to do with it and he gave it to me and I am using it to contact you now. As I am writing to you now my men are monitoring you and they are telling me everything about you. Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get back to me now if you are ready to pay some fees to spare your life, $4,000 is all you need to spend You will first of all pay $2,000 then I will send a tape to you which i recorded every discusion in made with the person who wanted you dead and as soon as you get the tape, you will pay the remaining $2,000. If you are not ready for my help, then I will carry on with my job straight-up. WARNING: DO NOT THINK OF CONTACTING THE POLICE OR EVEN TELLING ANYONE
    BECAUSE I WILL KNOW.REMEMBER, SOMEONE WHO KNOWS YOU VERY WELL WANT YOU DEAD! I WILL EXTEND IT TO YOUR FAMILY, INCASE I NOTICE SOMETHING FUNNY. DO NOT COME OUT ONCE IT IS 7:PM UNTILL I MAKE OUT TIME TO SEE YOU AND GIVE YOU THE TAPE OF MY DISCUSSION WITH THE PERSON WHO WANT YOU DEADTHEN YOU CAN USE IT TO TAKE ANY LEGAL ACTION. GOOD LUCK AS I AWAIT YOUR REPLY EMAIL:donwilliam1@gmail.com

    Sending text messages to short codes

    The Russian Internet has recently been the site of more than just classic ploys from the Western segment of the Internet. Malicious users have successfully developed new means of swindling money out of Russian-speaking users. For example, fraud in which text messages are sent to short codes is currently very common on the Russian Internet. Short codes are leased out by cellular operators and people are charged money when they send a message to these numbers. Most of the money taken from mobile accounts in payment for texts sent to short codes is passed to the party leasing the code.
    To achieve their goals scammers try different tricks, from offering free Internet access and all types of prizes, to direct threats of blocking a user’s mail box if he does not send an SMS message.

    TRANSLATION:
    Dear MAIL.ru user!
    We are notifying you that this morning, 6 April 2008, a spam mailing was sent from your email account.
    Your email will be blocked for 24 hours in order to investigate the circumstances. If you did not send the spam mailing and you do not want your email to be blocked, send an SMS to the number 1171 with the code =vips 1
    The mail.ru robot will record your telephone number, whereupon you will be sent further instructions in an SMS message.


    Otherwise, your account will be blocked by the anti-spam system.
    We suggest you make your password more secure by changing it. Note! A fee of 2.9 rubles, including tax, is charged for the SMS.
    There is no need to reply to any replies because they are sent by the robot!

    Best regards,
    Mail.ru Support Service
    In one such mass mailing the recipients were even offered the option of unsubscribing from future mailings. The spammer assured them that he wanted to be a “law-abiding citizen” and, referring to the Russian Law on Advertising which came into force on July 1, 2007, he asked users to withdraw their addresses from spammer databases by sending a “free” SMS message. The spammer stated that after sending the SMS message users would get a link to the web page where they could find the spammer databases and delete their email details from them. Needless to say, the actual goal had nothing to do with abiding by the law.
    More complex combinations may only involve a link to a special website, where a user (who is already involved in the process of receiving a prize, for example) is asked to send an SMS message to a short code. Such a long and sophisticated scheme is aimed at catching out even the most vigilant users.

    Conclusion

    Kaspersky Lab’s classification system assigns such spam messages to the “Computer fraud” category, whose share amounted to 7% of the total quantity of spam in 2007. In the first quarter of 2008 this figure plummeted to 2.5%.
    Though the share of fraudulent messages in the total amount of spam has declined, fraudulent spam is getting more and more hostile: spammers are honing their skills and carrying out targeted attacks. So as not to fall victim to “well-wishers” offering fast and easy ways of enrichment, email users simply have to be careful, though it can be difficult to detect more sophisticated spammer tricks. As for phishing, this type of fraud requires software protection methods.
    To be on the safe side, users should not believe the “good intentions” of spammers and install software which provides reliable protection from spam, phishing and malicious programs. Though these recommendations may seem trivial, adhering to them will save both the data on your computer and your money.






  • Internet fraud for dummies: practical advice for protecting yourself against online scam

    Internet fraud has been around for just about as long as the Internet itself. Each year, cybercriminals come up with new techniques and tactics designed to fool their potential victims. This article will examine different types of fraud and what you can do to protect yourself against them.

    There is one thing in particular that sets fraud apart from other Internet threats like viruses, Trojans, spyware, SMS blockers, spam, etc: the target of the cybercriminals is not a computer, whose security has to be circumvented, but a human who, as we all know, has his/her own weaknesses. That is why no program can ever provide users with 100% protection; the users themselves have to take a proactive stance in ensuring their own online security.
    We have already addressed the technical aspects of fraud and typical fraud schemes employed by cybercriminals in a previous article. However, simply knowing how fraud and scams work isn't always enough – this article offers some simple rules that can help users avoid many of the traps on the Internet.

    Types of fraud

    Phishing

    Phishing emails include fake notifications from banks, e-payment systems, and email providers, social networks, online games, etc. The aim of these emails is to obtain a user’s confidential data (username, password, etc.). Bank phishing is one of the most commonplace tactics aimed at gaining access to your online bank account, or your e-payment account details. Once a malicious user gets ahold of your login and password, he has access to your account.
    Phishers are skilled at creating authentic-looking emails which are disguised as official emails from various organizations. In particular, they use organizations’ official logos and copy the overall style of legitimate correspondence. As a rule, the email will suggest that the recipient click on a link in order to enter their personal information (usually the suggestion claims that recent measures were allegedly taken by the company’s administration to improve website security, and state that the user needs to log in again). When a user clicks on the link, he is taken to a fraudulent website that looks just like the official site where he can enter his username and password; the data is then sent to the cybercriminals. Quite often, these fraudulent sites contain exploits that install spyware on a victim computer. So even if you don’t enter your username or password and you just click on the link out of curiosity, you may still inadvertently download malware to your computer that could subsequently steal a range of personal data.

    How to recognize a phishing email

    Example 1. You receive an email from a bank, e-payment system, or email provider. If you do not use the services of said bank, e-payment system or email provider, then the email is definitely fraudulent — just delete it.
    Example 2. You receive an email from a bank, e-payment system, or email provider where you do have an account. In this case, read the text carefully: if the email asks you to enter your login or password, then the email is fraudulent. Legitimate companies and organizations do not ask users to log in in this manner.
    There is another simple way to tell a fake email from an authentic email: hover the mouse cursor over the link. In the lower left-hand corner of the browser, you will see the actual URL that you will be taken to if you click on the link. Look at it carefully: the second-level domain (the part of the address that directly precedes the first single slash after “http://”) should belong to the organization sending the email.

    For example, an email from PayPal will have a link as follows: http://anything.paypal.com/anything
    But links like those below, and any other links that have something other than “paypal.com” directly before the slash, are fraudulent:
    http://paypal.confirmation.com/anything,
    http://anything.pay-pal.com/anything,
    http://anything.paypal.com.anything.com/anything
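
The hover check described above can be automated for an HTML message body. The following is an added example, not code from the original article: it tests whether each link's real target belongs to the expected organization's domain and whether the visible link text shows a different host than the one the link leads to. The message body is constructed for illustration from the URLs quoted in the article, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Lowercased host name of a URL (userinfo and port excluded), or None."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # malformed authority part
        return None
    return (host.rstrip(".").lower() or None) if host else None


def belongs_to(host, org_domain):
    """True only if host is org_domain itself or one of its subdomains.

    The match is anchored at the right-hand end on a label boundary, so
    'paypal.com.anything.com' and 'pay-pal.com' do not match 'paypal.com'.
    """
    org_domain = org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def host_in_text(text):
    """If the visible link text is itself a URL or bare host, return its host."""
    parts = text.split()
    if len(parts) != 1:
        return None
    word = parts[0].rstrip(".,;:!?")
    if "." not in word:
        return None
    return host_of(word if "://" in word else "//" + word)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body, org_domain):
    """Return [(href, [findings])] for every link that fails a check."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    report = []
    for href, text in collector.links:
        findings = []
        target = host_of(href)
        if target is None or not belongs_to(target, org_domain):
            findings.append("target-outside-" + org_domain)
        shown = host_in_text(text)
        # The text displays one host while the link leads to an unrelated one.
        if shown and target and not (
            belongs_to(target, shown) or belongs_to(shown, target)
        ):
            findings.append("text-shows-" + shown)
        if findings:
            report.append((href, findings))
    return report


# Constructed sample body; the first host name and all paths are made up.
SAMPLE_BODY = """
<p>Dear customer, please confirm your account:</p>
<a href="http://www.paypal.com.client-confirmation.com/webscr">https://www.paypal.com/webscr</a>
<a href="http://anything.paypal.com/anything">Help centre</a>
<a href="http://paypal.confirmation.com/anything">Confirm</a>
<a href="http://anything.pay-pal.com/anything">Confirm</a>
<a href="http://anything.paypal.com.anything.com/anything">Confirm</a>
"""

if __name__ == "__main__":
    for href, findings in audit_links(SAMPLE_BODY, "paypal.com"):
        print(href, findings)
```
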
    Also beware of emails with attachments. These emails may not only be phishing emails designed to obtain your confidential data, but the attachment itself may be malicious.
    If you have any doubts at all, go to the official site yourself. Do not use the link in the email, but enter the official site address manually in your browser. That way, you can guarantee your own security, avoid visiting a fraudulent site, and check out the information you need on the official website.

    Bear in mind that scammers aren’t only interested in your online bank account or e-payment account. They are interested in any personal information, which is why phishers also target email systems, social networking sites, online games, and really any system that requires a login and password.

    Phishing: social networks

    Do you have an account on Facebook, Twitter, Orkut, LinkedIn, or any other popular social network? If so, you already know what their official email notifications look like.
    However — fake notifications can look almost exactly the same. These fake emails are designed to steal your personal data and gain access to your social network account. The scheme is much like the bank phishing schemes described above: you receive a notification allegedly sent from a social network claiming that someone left you a message or wants to add you as a friend, or that you need to update your account information. You click on a link, but instead of taking you to the official site, you are led to a fraudulent website that looks exactly like the real thing. Then you enter your login and password, which are sent to the scammers, before you are redirected to the official website.
    Fake social network notifications may not ask you to enter your username or password and the email may look 100% genuine except for the links. Take a very close look at the actual address of the site that you are being led to.
    Quite often scammers name their counterfeit sites in a way which is very similar to the original name, i.e.: http://fasebook.com/ instead of http://facebook.com/

    Phishing: online games

    Even free online games frequently feature certain elements that users may pay money for: special gear, items, an original avatar, etc., in addition to other bonuses. And wherever there is money, you are sure to find fraud not far behind. The scheme is pretty standard: trick users into visiting a bogus website. Just like with other types of phishing, the address of the fake site may be very similar to the official website’s address.
    Only a very detail-oriented user will notice that the domain name of the suggested site contains the extra letter “I” in worlidofwarcraft.com. However, users who are familiar with phishing will immediately recognize the trap: real emails will never ask users to follow a link to enter their password!
    In order to attract users’ attention, scammers sometimes come up with more clever tactics. You may be asked to be a beta-tester for a new game, or receive an offer for something free — just follow the link! However, if you do, you could fall into their trap and end up on a bogus website, where malicious users will attempt to steal your personal data. You could also end up on an infected site that will download all sorts of malware to your computer.
    The best way of protecting yourself — just like with other types of phishing scams — is not to click on any links, and not to enter any personal data. You can always go directly to the official site and bypass any fraudulent links.
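The lookalike addresses quoted above (fasebook.com, worlidofwarcraft.com) can be caught mechanically by comparing a link's host with a list of official domains. This is an added example, not part of the original article; the allow-list, the distance threshold of 2 and the subdomain check (which goes beyond the typo case the article shows) are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-list of official domains, taken from the article's examples.
OFFICIAL = ("facebook.com", "worldofwarcraft.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_link(url, official=OFFICIAL, max_distance=2):
    """Return (verdict, matched_official_domain_or_None) for the host in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Assumption: the registered domain is the last two labels, which holds for
    # .com-style names; production code should consult the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain in official:
        return ("official", domain)
    for good in official:
        # Typo-style lookalike: one or two characters changed, added or dropped.
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
        # Official name used as a subdomain of somebody else's domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample links; the first two hosts are the ones quoted in the article.
SAMPLES = [
    "http://fasebook.com/",
    "http://worlidofwarcraft.com/account",
    "https://www.facebook.com/login.php",
    "http://facebook.com.login.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, classify_link(link))
```

A naive substring test such as "facebook.com" in url would accept the last sample, which is why the check works on the parsed host rather than on the raw string.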

    Other types of phishing

    There are many different types of phishing — scammers create bogus emails for all kinds of Internet resources that require a username and password. Services like hosting, online magazines, etc. can all be targeted; cybercriminals generally look to copy a well known online resource that is trusted by users.
    The email above is rather interesting: the scammers here are using boilerplate which is genuinely used by Skype, but obviously hope that recipients don’t read the fine print, which clearly reads: “Skype staff will NEVER ask you for your password via email.”

    Other traditional types of fraud

    The saying “knowledge is power” holds true for protecting yourself against online fraud. Sometimes all you really need to know are the different tactics that cybercriminals use in order to see when someone is trying to trick you. The most prevalent types of fraud are covered below.
    • Fake notifications about lottery winnings.
      These are emails that tell you that you have allegedly won the lottery. The scammer ultimately wants to trick you out of some of your money by demanding payment in return for winnings being "transferred".
    • 419 emails, or Nigerian scam emails.
      These are emails that ask you to transfer money to a remote country, more often than not one located in Africa, in return for the promise of high interest payments. Later, the scammers will ask for the number of your account allegedly in order to transfer your share of the money. However, instead of transferring money to your account, they actually withdraw funds from your account. There is also another variation of this scam where the scammers may ask you to send some funds, allegedly for the purpose of paying for legal services or transportation. After the money is sent, they simply cut off all contact with the victim, who is left waiting for the promised millions in cash.
      There is still another, more dangerous variation in which the scammers use your account in such a way that you are the one who is actually guilty (under their guidance) of committing money laundering. These victims can actually end up in jail instead of the true criminals.
    • Pyramid schemes and easy money
      In these schemes, potential victims are asked to invest a small sum of money in order to receive high returns later on. But in fact, victims typically don’t receive anything at all.
      In this email, the recipient is urged to pay a fee to participate in an allegedly lucrative project.
    • Online panhandling
      This type of fraud includes emails that are meant to look as though they come from charity organizations or the needy. In fact, these emails are often outright fabrications, or contain links to actual organizations and funds, but the payment details given ensure that funds transferred end up with the scammers.
      In this email, the recipient is asked to donate money to help support orphanages in northern Russia via an e-payment system (two different e-payment system accounts are named). The scammers attempt to pull at the heartstrings of their potential victims by ending their message with: “P.S. Children without parents are in great need of our assistance.”
      Always remember: charities do not send out spam — they have other methods for securing funds. If you still want to verify the information in a similar type of email, find the address of the organization that is named, call them directly, and find out how you can make a donation that way.
    • Text message fraud using spam
      This type of fraud involves emails that use various tactics to try to persuade users to send a text message to a short number. This type of scam also includes emails containing links to websites where users are asked to send a text message to a short number as payment for an alleged service. Whatever the conmen are promising, you will end up paying $10, or more, for nothing at all.
      What should you do? Start by deleting the emails you get with special offers that involve money which are sent by people you don’t know, such as:
      • offers to make easy money (get-rich-quick schemes, help transferring money, high-return investments);
      • requests to help someone with a donation of money (for treatment, a poor Nigerian beauty, etc.);
      • any “winnings”;
      • offers for free software, movies, etc.

      Recognizing the technical signs of fraud

      There will, of course, be types of fraud that are not addressed in this article. Sometimes we can recognize fraud based not necessarily on the information contained in an email, but on how it is written and laid out. That’s why we will also address some of the technical signs of fraud. Once you know them, you will have no problem telling legitimate emails from fraudulent ones.
      The following signs indirectly confirm that an email originates with cybercriminals:
      The “To:” field contains a name other than your own:
      this means that this is a mass mailing where the “To” field is not real or is selected randomly.

      There is an unfamiliar address in the “From” field:
      this means that the email did not come from the organization being impersonated. Bear in mind that no major organization is going to be sending out emails from a free email client.

      Some of the words are CAPITALIZED:
      this is one of the tactics spammers use in order to attract users’ attention.

      Some of the words are distorted (‘Lloan’ instead of ‘loan,’ or ‘Youwon’ instead of ‘You won’):
      this is a spammer tactic used to get around anti-spam filters.

      The link does not match the address of the organization’s official site:
      as described above, this is a sure sign that someone is trying to lure you onto a fraudulent website.

      An impersonal greeting (Dear Friend, Dear Customer, Dear Subscriber, Hello!):
      this type of greeting means that the sender doesn’t know your name, and that the email is simply a mass mailing.
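The signs listed above can be checked automatically against a raw message. This is an added example, not part of the original article; it covers every sign except distorted words, and the free-mail list, the two-word capitals threshold, the sign labels and the placeholder organisation bank.example are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed sample of free mail providers; freemail.example serves the sample below.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru", "freemail.example"}
GREETING = re.compile(r"^\s*(dear (friend|customer|subscriber)|hello!)", re.I | re.M)

def on_domain(host, domain):
    """True if host is the official domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def plain_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def fraud_signs(raw, my_address, official_domain):
    """Return the list of technical signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = plain_text(msg)
    signs = []
    if my_address.lower() not in (msg.get("To") or "").lower():
        signs.append("to-not-me")
    sender = parseaddr(msg.get("From") or "")[1].rpartition("@")[2].lower()
    if not on_domain(sender, official_domain):
        signs.append("from-not-official")
    if sender in FREE_MAIL:
        signs.append("from-free-mail")
    # Assumed threshold: two or more all-caps words of four letters or longer.
    if len(re.findall(r"\b[A-Z]{4,}\b", body)) >= 2:
        signs.append("capitalized-words")
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    hosts = [urlsplit(u).hostname or "" for u in links]
    if any(not on_domain(h, official_domain) for h in hosts):
        signs.append("link-mismatch")
    if GREETING.search(body):
        signs.append("impersonal-greeting")
    return signs

# Constructed sample message impersonating the placeholder organisation bank.example.
SAMPLE = """\
From: "Bank Security" <security@freemail.example>
To: customers@lists.example
Subject: Account verification

Dear Customer,

Your account will be BLOCKED unless you CONFIRM your details at
http://bank-secure.example/login within 24 hours.
"""

if __name__ == "__main__":
    print(fraud_signs(SAMPLE, "alice@example.org", "bank.example"))
```

Each sign is indirect evidence, as the article says, so the result is best read as a count of reasons to distrust the message rather than a verdict.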

      A little about social engineering

      As we all know, the weakest link in protection against any form of fraud, including Internet fraud, is the human factor. There are no technological methods that can protect us if we are careless. Let us take a closer look at the human weaknesses targeted most frequently by scammers.

      Greed

      Greed is one of the main aspects of human nature that conmen take advantage of.
      Easy money, lottery winnings, or abusing e-payment or other systems — all of these scams are designed in the same way, on the principle of “give us a little money first, and you’ll get millions later.” Of course, there is no “later.” Just bear that in mind and don’t let yourself get fooled.

      Fear

      Cybercriminals also exploit another human weakness: fear. Messages such as: “Click on this link or your account will be blocked,” “if you don’t send a text message to this number 10 minutes after reading this email, your email account will be deleted,” and other similar threats are meant to play on fear and provoke users into doing certain things immediately, without thinking twice.
      Always keep in mind that no provider will block your account in this manner. As we have already mentioned above, no provider will ever ask you to click on a link in an email to enter your personal data. As a rule of thumb, no legitimate service will try to rush you to do anything. Any emails that try to scare the recipient or convey a sense of urgency can be dismissed as fraudulent.

      Naïveté / a desire to help / gullibility

      Unfortunately, scammers also try to take advantage of our good nature.
      Always remind yourself that any requests for assistance that come in the form of spam are fake. If you really want to make a contribution, there are dedicated channels which can be used for this purpose — and they never send out spam.

      Curiosity

      Remarkably, people sometimes send money to scammers out of curiosity. Even if we do not fully understand what is being said in the email, and we don’t really expect to get one hundred thousand million dollars, sometimes we just wonder what might happen if we click on that link — what’s that? How does it work? What will happen?
      Want to know what happens? You will lose your money – that’s it!

      Carelessness

      Typically, the pace of life on the Internet is faster than our off-screen lives. Like Caesar, we often do seven things at once: work, check our mail, read the news, chat on IM, listen to music, etc. As a result, we become a bit scattered and inattentive — which could cause us to believe a fraudulent email is legitimate, even though a careful reading would immediately expose it as a scam.
      Don’t rush to take action. First take the time to think, and read the email once more.

      Security on the Internet: the rules

      It is important to remember that in addition to fraud, there are many other types of threat — namely a wide range of malicious programs that are capable of stealing your passwords, usernames, credit card information, and other personal information — without any obvious scammer involvement, such as phishing emails.
      Internet users should follow these simple rules to protect themselves:
      • Use an antivirus program:
        modern antivirus programs that are updated regularly will provide reliable protection against a number of different Internet threats.
      • Download updates regularly:
        program updates patch vulnerabilities that can be exploited by cybercriminals.
      • Don’t leave your personal data on open resources:
        the data you leave on the Internet is collected by robots that report back to cybercriminals, who may later use your data for their own purposes (for example, sending more spam to your email address).
      • Do not download anything from unknown websites:
        there is a high probability that whatever program, book, or movie you are downloading will be accompanied by malware.
      • Do not click on any links in suspected spam emails:
        these links often lead to fraudulent sites or sites infected with malicious programs.
      • Do not open email attachments if you have any doubts at all about the sender:
        there is a high probability that the attachment will contain a malicious program (even if it is a Word document).
      • Do not attempt to “unsubscribe” from spam (especially if the spam email has an “unsubscribe” link): 
        this will not help you get rid of spam — instead, it could actually increase the volume of spam sent your way. There are two possibilities here: your address could be added to a database of people who really do want to read the emails and, correspondingly, in the future you will get more spam. Or, if you click on the alleged “unsubscribe” link, you may be taken to an infected site and end up with malware on your computer.
      • Do not fall for any seemingly very attractive offers, particularly if they promise easy money:
        these offers are really ploys, either to take your money, or to manipulate you into taking unlawful action for which you could be held criminally liable.

      A few words in conclusion

      Fraud will always exist. It can be found everywhere across the spaces of the Internet: in email, on social networks, and on various and sundry websites. Over the years, cybercriminals have invented new tactics, but the scams are ultimately the same. Only users themselves can guarantee their own protection in the virtual space. We hope that you find the advice and information in this article helpful.

    What if my computer is infected?

    Unfortunately, it may occasionally happen that the antivirus installed on your computer, even with its latest updates, is incapable of detecting a new virus, worm or Trojan. Sad but true: no antivirus protection software gives you a 100% guarantee of complete security. If your computer does get infected, you need to establish that it is infected, identify the infected file and send it to the vendor whose product missed the malicious program and failed to protect your computer.
    However, users on their own are typically unable to detect that their computer has been infected unless aided by antivirus solutions. Many worms and Trojans do not reveal their presence in any way. By way of exception, some Trojans do inform the user directly that their computer has been infected – they may encrypt the user’s personal files so as to demand a ransom for the decryption utility. However, a Trojan typically installs itself secretly in the system, often employs special disguising methods and carries out its activity covertly. So, the fact of infection can be detected by indirect evidence only.

    Symptoms of infection

    An increase in outgoing web traffic is the general indication of an infection; this applies to both individual computers and corporate networks. If no users are working on the Internet in a specific time period (e.g. at night), but the web traffic continues, this could mean that somebody or something else is active on the system, and most probably that is malicious activity. If a firewall is configured in the system, attempts by unknown applications to establish Internet connections may be indicative of an infection. Numerous advertisement windows popping up while visiting websites may signal that adware is present in the system. If a computer freezes or crashes frequently, this may also be related to malware activity. Such failures are more often caused by hardware or software faults than by a virus. However, if similar symptoms occur simultaneously on multiple computers on the network, accompanied by a dramatic increase in internal traffic, this is very likely caused by a network worm or a backdoor Trojan spreading across the network.
    An infection may also be indirectly evidenced by non-computer related symptoms, such as bills for telephone calls that nobody made or SMS messages that nobody sent. Such facts may indicate that a phone Trojan is active in the computer or the cell phone. If unauthorized access has been gained to your personal bank account or your credit card has been used without your authorization, this may signal that spyware has intruded into your system.

    What to do

    The first thing to do is make sure that the antivirus database is up-to-date and scan your computer. If this does not help, antivirus solutions from other vendors may do the job. Many manufacturers of antivirus solutions offer free versions of their products for trial or one-time scanning – we recommend that you run one of these products on your machine. If it detects a virus or a Trojan, make sure you send a copy of the infected file to the manufacturer of the antivirus solution that failed to detect it. This will help the vendor develop protection against this threat faster and protect other users running this antivirus from getting infected.
    If an alternative antivirus does not detect any malware, it is recommended that you disconnect your computer from the Internet or a local network, disable Wi-Fi connection and the modem, if any, before you start looking for the infected file(s). Do not use the network unless critically needed. Do not use web payment systems or internet banking services under any circumstances. Avoid referring to any personal or confidential data; do not use any web-based services that require your screen name and password.

    How do I find an infected file?

    Detecting a virus or Trojan in your computer in some cases may be a complex problem requiring a technical qualification; however, in other cases that may be a pretty straightforward task – this all depends on the degree of the malware complexity and the methods used to hide the malicious code embedded into the system. In the difficult cases when special methods (e.g. rootkit technologies) are employed to disguise and conceal the malicious code in the system, a non-professional may be unable to track down the infected file. This problem may require special utilities or actions, like connecting the hard disk to another computer or booting the system from a CD. However, if a regular worm or simple Trojan is around, you may be able to track it down using fairly simple methods.
    The vast majority of worms and Trojans need to take control when the system starts. There are two basic ways to do that:
    • A link to the infected file is written to the autorun keys of the Windows registry;
    • The infected file is copied to an autorun folder in Windows.
    The most common autorun folders in Windows 2000 and XP are as follows:
    %Documents and Settings%\%user name%\Start Menu\Programs\Startup\
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\
    There are quite a number of autorun keys in the system registry; the most popular include Run, RunService, RunOnce and RunServiceOnce, located in the following registry folders:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\]
    Most probably, a search at the above locations will yield several keys with names that don’t reveal much information, and paths to the executable files. Special attention should be paid to the files located in the Windows system directory or root directory. Note the names of these files; you will need them in the further analysis.
    Writing to the following key is also common:
    [HKEY_CLASSES_ROOT\exefile\shell\open\command\]
    The default value of this key is "%1" %*
    The Windows system (and system32) directory and the root directory are the most convenient places for worms and Trojans to settle. This is due to two facts: the contents of these directories are not shown in Explorer by default, and these directories host a great number of different system files whose functions are completely unknown to a lay user. Even an experienced user will probably find it difficult to tell if a file called winkrnl386.exe is part of the operating system or foreign to it.
    It is recommended to use any file manager that can sort files by creation/modification date, and to sort the files located within the above directories. This will display all recently created and modified files at the top of the listing – these very files will be of interest to the researcher. If any of these files are identical to those occurring in the autorun keys, this is the first wake-up call.
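The registry checks described above (autorun values that point into the Windows directory or the drive root, and a changed exefile open command) can be run over a registry export. This is an added example, not part of the original article; it parses a constructed sample in .reg export syntax, and the windir default and the finding labels are assumptions.

```python
import ntpath
import re

# Any ...\CurrentVersion\Run* key: Run, RunOnce and the service variants.
AUTORUN = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\w*$", re.I)
EXEFILE = r"hkey_classes_root\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'
# One string value in .reg syntax: "name"="data" or @="data", backslash-escaped.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, string_data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def executable(command):
    """First token of a command line, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""

def review_autoruns(text, windir=r"C:\WINDOWS"):
    """Return findings that deserve a closer look, as (label, name, detail)."""
    watched = {d.lower() for d in
               (windir, windir + r"\system", windir + r"\system32", windir[:3])}
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() == EXEFILE and name == "@":
            if data != EXEFILE_DEFAULT:
                findings.append(("exefile-handler-changed", name, data))
        elif AUTORUN.search(key):
            exe = executable(data)
            if ntpath.dirname(exe).lower() in watched:
                findings.append(("autorun-in-system-dir", name, exe))
    return findings

# Constructed sample in .reg export syntax (real exports are UTF-16 files).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /min"
"KernelHelper"="C:\\WINDOWS\\system32\\winkrnl386.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\upd.exe -s"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\loader.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for finding in review_autoruns(SAMPLE_REG):
        print(finding)
```

Legitimate programs also start from the system directory, so a finding is a file name to compare against the date-sorted listing, not proof of infection.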
    Advanced users can also check the open network ports using netstat, the standard utility. It is recommended to set up a firewall and scan the processes engaged in network activities. It is also recommended to check the list of active processes using dedicated utilities with advanced functionalities rather than the standard Windows utilities – many Trojans successfully avoid being detected by standard Windows utilities.
    However, no universal advice can be given for all occasions. Advanced worms and Trojans occur every now and then that are quite difficult to track down. In this case, it is best to consult the support service of the IT security vendor that released your antivirus client, a company offering IT assistance services, or ask for help at specialized web forums. Such web resources include www.virusinfo.info and anti-malware.ru (Russian language), and www.rootkit.com and www.gmer.net (English). Similar forums designed to assist users are also run by many antivirus companies.
