Archive for February, 2009


iPhone Users Beware: Apple MobileMe Latest Target in Phishing Scam

Posted by: admin | February 27th, 2009

Cyber thieves have sent spam emails to MobileMe users that appear to come from Apple but are actually spoofs, directing those who click the links within to a fake site designed to look like Apple’s. Unsuspecting users who follow the email link and enter their information in the fake ‘Apple’ web page will soon regret it.

Those who follow the link are directed to a site asking for credit card information “To correct a credit card problem”. This information can in turn be used to make fraudulent purchases. You can see the spoofed email here.

The email is sent with a spoofed sender address of noreply@me.com. It appears that the email actually originates from gamma.oxyhosts.com, a server operated by a web hosting organization in the UK. According to AppleInsider “The email contains formatting errors that should immediately tip off users, and directs to a sketchy URL: http.apple-billing.me.uk.”

Apple may find this URL sketchy, but to many consumers it may seem legit. I have certainly seen legitimate URLs that appear sketchier than this, and spoofed ones that appear more valid by contrast. Also, while the average iPhone user is arguably tech savvy, they may not be well versed in spoofed email addresses and URLs, or in how to identify them.

In an attempt to mitigate any damage caused by the email, Apple has sent out official MobileMe notices pointing out formatting errors in the fake email as well as other key deviations from standard Apple emails to be on the lookout for. As with any browser, mobile or otherwise, users should be cautious of emails or other communications asking for sensitive information.


Below are some basic tips for ANY mobile browser user to be aware of:

1) Be cautious and suspicious of any unsolicited email-based requests for Personally Identifying Information (PII).

2) If you do receive an email like this, don’t click on any links! Instead, go to your provider’s billing site directly. I would advise deleting the original email as well; better safe than sorry.
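As an added, defender-side illustration (not code from the original post), here is a small Python check that applies the two tells described above, a From: domain that does not match the relay named in the Received: header and a link whose host lies outside the brand’s own domains, to a constructed message modelled on the reported one. The TRUSTED_DOMAINS allow-list and the sample headers are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a small allow-list, kept by the defender, of domains that Apple /
# MobileMe mail and links are expected to use. Not an Apple-published list.
TRUSTED_DOMAINS = ("apple.com", "me.com")

# Constructed sample modelled on the message described in the post: a forged
# From: of noreply@me.com, a Received: line naming gamma.oxyhosts.com and a
# link to apple-billing.me.uk. The IP is from the 192.0.2.0/24 documentation range.
SAMPLE_EMAIL = """\
Received: from gamma.oxyhosts.com (gamma.oxyhosts.com [192.0.2.10])
 by mx.example.net with ESMTP; Fri, 27 Feb 2009 09:00:00 +0000
From: MobileMe <noreply@me.com>
To: user@example.net
Subject: Credit card problem with your MobileMe account

To correct a credit card problem please update your billing details at
http://apple-billing.me.uk/billing/update
"""


def in_trusted_domain(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host is a trusted domain or a subdomain of one. The suffix
    match is on a label boundary, so 'me.com.evil.example' and
    'apple-billing.me.uk' both fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_findings(raw: str) -> list:
    """Return the reasons a message looks spoofed; an empty list means none found."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # 1. The topmost Received: line was added by our own receiving server and
    #    names the host that actually handed the mail over; the sender cannot
    #    forge that one. Does it belong to the domain claimed in From:?
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", received)
        if m and from_domain and not in_trusted_domain(m.group(1), (from_domain,)):
            findings.append(f"sender domain {from_domain} does not match relay {m.group(1)}")
        break  # only the hop our server observed is trustworthy evidence
    # 2. Every link in the body should point into a trusted domain.
    #    (Multipart mail is not walked here; get_payload(decode=True) returns None.)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname or ""
        if not in_trusted_domain(host):
            findings.append(f"link to untrusted host {host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_findings(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

A relay mismatch alone is not proof of forgery, since legitimate senders often route mail through third-party providers; it is the manual equivalent of an SPF lookup and is most useful combined with the link check.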


Old Scam Making Alarming Comeback on Facebook

Posted by: admin | February 27th, 2009

Remember the classic “Nigerian 419” scam, where a rich prince or bank executive from a foreign country just needed your banking information to facilitate a transfer of funds? In exchange for your help, you would receive a percentage of those funds, gratis. And just like that, you could make a profit. Unfortunately, the only ones profiting were the thieves, who would use the banking information given to them to drain the funds from your account and disappear.

Hopefully, you didn’t fall for this scam, but thousands of would-be Good Samaritans and those hoping to make a quick profit did; some of them even went to Nigeria to meet the ‘Prince’ or ‘Bank Executive’ themselves. More on this here.

A disturbing new spin on the classic “Nigerian 419” scam has emerged recently. You may be too savvy to fall for the Prince, but what if you received word that one of your own friends or loved ones was in danger and needed your help and funds immediately? Many of us, no matter how aware we may be, would do anything to help our loved ones in a time of need. In fact, a recent article by Bob Sullivan of The Red Tape Chronicles highlights just such a scenario:

One evening, Bryan Rutberg’s daughter ran into his bedroom asking why he’d changed his Facebook status to read “BRYAN IS IN URGENT NEED OF HELP!!!” Initially, Bryan let this go, until his wife woke him to ask him what was wrong. By this time the incident had his attention and soon he realized his Facebook account had been hacked. Friends began to call incessantly; several of them had received an email stating that Bryan had been held up at gunpoint while travelling abroad and needed cash to return home. One concerned friend even wired $1,200.00 to London via Western Union.

Bryan began an urgent search for a way to reach Facebook and stop the hackers. But by this time the hackers had managed to lock Bryan out of his own account. They had changed his username and password so that he couldn’t access his Facebook page. Because of this, he couldn’t remove the ominous status message or contact his friends to let them know this was a scam. The hackers had even “de-friended” his wife, so he was unable to post a message in her account alerting his friends to the situation and letting them know he was really safe at home. Eventually, he was able to get his account deactivated, but not before his friend had lost a considerable amount of money, not to mention the time it took for Bryan to sort out the mess. “It was all over by Thursday (the next day) but not without a hell of a lot of drama,” he said. By then, one concerned colleague had even called Microsoft to warn the firm that Rutberg was in trouble.

Bryan and his friend who wired the money were both educated Microsoft employees, which speaks to the fact that anyone can fall victim to new and increasingly sophisticated attacks. Bryan was the victim of a newer, more precise version of the “Nigerian 419” scam. Instead of sending out millions of spam messages in the hope of fooling a small percentage of recipients, cyber thieves are getting much more personal in their attacks, using social networking sites like Facebook and MySpace to victimize users. In Bryan’s case, criminals were able to steal his Facebook password, take over his Facebook identity, and change his status to make it seem he was in trouble and needed help.

What can you do to protect yourself from social networking scams? A few basic precautions are as follows:

  • Change your password regularly, and be sure that it is unique and preferably alphanumeric
  • It’s not a good idea to have the same password for more than one account
  • Be very cautious of any friend or contact asking for money or for personally identifying information. If you do receive such a request, call the person and verify their request over the phone
  • Have more than one email address, in case one address is hacked or compromised

If you feel that your Facebook identity has been compromised, Facebook has established a link to report the abuse. Note: it is difficult to find when navigating from Facebook’s home page, so keep this link handy: http://www.facebook.com/help/contact.php?show_form=account_compromised

Santa Fe Group Announces ID Crime Victims’ Bill of Rights

Posted by: admin | February 24th, 2009

by Doug Pollack

The Santa Fe Group, an industry consortium, today announced an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommends an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

  • Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
  • Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
  • Freedom from harassment from collection agencies, law enforcement and others
  • Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
  • Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.

Beware of the Facebook Error Check System: Don’t even search for it!

Posted by: admin | February 23rd, 2009

From the IT World

Yet another reason to be wary of information, notices, and applications you receive from social networking sites. A Facebook application is making its way through users by sending a bogus notification that says a friend cannot read your profile. Clicking on the recommended “Error Check System” application results in a trojan that sends the same spam, with the same false error notification, to everyone you know.

Further, Googling “Error Check System” returns a search page containing a link that initiates a fake virus scan to try to fool you into installing malware disguised as anti-virus software. Even searching for more information about this malware can result in more malware being added to your system.

VA to pay $20MM for data breach

Posted by: admin | February 13th, 2009

by Doug Pollack

The VA this week announced that they will pay up to $20 million to veterans whose personal information was exposed in 2006 when a laptop was lost by an employee of Unisys, a government contractor that was handling claims processing for them.

USA Today reported that while the laptop was later recovered, it had personal information such as social security numbers for over 26 million veterans and active duty troops. This exemplifies a growing trend in data breaches in that almost half of the data breaches reported in 2008 were caused by so-called “3rd parties”, outside information agencies, facilities, integrators and consultants who are entrusted with personal data from their corporate and government clients.

Given this trend, organizations must look harder at how they certify and validate the security and privacy policies of 3rd parties to whom they entrust information on their customers, patients and constituents.


Government Contractor Exposes Personal Data

Posted by: admin | February 6th, 2009

by Doug Pollack

Network World recently published an article titled “Federal Workers Notified after SRA Virus Breach” about SRA, a 6,600-person federal government contractor that recently reported a data breach. The breach was caused by a virus in their computer systems that exposed personal information including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information, as the company said in a notification posted at the Maryland Attorney General’s Web site.

“The breach is embarrassing for SRA, a 6,600-employee technology consulting company that sells cybersecurity and privacy services to the federal government. The company wouldn’t say which federal agencies were affected by the breach, but in U.S. Securities and Exchange Commission filings it lists intelligence agencies and those such as the U.S. Department of Defense, the U.S. Department of Homeland Security and the U.S. National Guard among its clients.”

While unfortunate for SRA and the federal workers whose personal information was compromised, this continues to provide a wake-up call for organizations of all sizes that current security approaches and technologies are no guarantee against the eventuality of a data breach. Organizations are increasingly turning to an outside privacy risk assessment to get an independent view of their real risks of data breach.