Posts Tagged ‘MySpace’


Protect You and Your Company from Typo-squatting

Posted by: Rachel James | May 22nd, 2009

The newest phishing attack, which hit Twitter yesterday, was a type of cyberscam called typo-squatting. This falls under a more generic term, cybersquatting. This attack took advantage of the similarity between a double v (tvvitter) and a w (twitter) to scam you into revealing your login information. Other typo-squatting simply takes advantage of the pay-per-click system to rake in money that should be coming to your organization. According to a recent independent report, cybersquatting increased by 248% in the past year.

Fairwinds Partners, an internet strategy consulting firm, estimates that a company such as MySpace, which has 5.94% of its traffic diverted to its top ten typo pages, stands to “lose the marketing equivalent of between $400,000 and $700,000 each month”. Although the Anticybersquatting Consumer Protection Act (ACPA) was intended to protect against these scams, they are still common enough to present a real danger to customers and companies.

There are several ways that users can try to protect themselves against typo-squatting. Microsoft has suggested settings to enhance your browser, and has even developed a download called Typo-Patrol. More simply, you can avoid clicking on links to navigate to websites and carefully type each web address you visit. For organizations, there are several companies that will help you prosecute typo-squatters and monitor for cybersquatting. You may also use the Uniform Domain-Name Dispute-Resolution Policy website to lodge a dispute, or visit the Coalition Against Domain Name Abuse for more resources.
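As an added illustration (not code from this post or from any of the services named above), the Python sketch below shows one way an organization could monitor for look-alike domains such as the tvvitter/twitter case. The watchlist, the confusable pairs other than vv/w, and the sample hostnames are assumptions constructed for the example, and inputs are assumed to be registered domains.

```python
# Added example: flag look-alike (typo-squatted) hostnames seen in links or logs.
# The watchlist and every pair except ("vv", "w") are illustrative assumptions.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]
PROTECTED = ["twitter.com", "myspace.com", "facebook.com"]


def skeleton(domain):
    """Collapse confusable sequences so visually similar names compare equal."""
    name = domain.strip().lower().rstrip(".")
    for seq, looks_like in CONFUSABLES:
        name = name.replace(seq, looks_like)
    return name


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "twtiter" for "twitter".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(observed, protected=PROTECTED, max_distance=1):
    """Return (verdict, matched_brand) for one observed hostname."""
    host = observed.strip().lower().rstrip(".")
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)
    for brand in protected:
        if skeleton(host) == skeleton(brand):
            return ("lookalike", brand)   # reads the same at a glance
        if edit_distance(host, brand) <= max_distance:
            return ("typo", brand)        # one keystroke away
    return ("unrelated", None)


def scan(hosts):
    """Return only the hosts that deserve review, with the brand they imitate."""
    findings = []
    for host in hosts:
        verdict, brand = classify(host)
        if verdict in ("lookalike", "typo"):
            findings.append((host, verdict, brand))
    return findings


# Constructed sample input, e.g. domains extracted from a mail gateway log.
SAMPLE = ["www.twitter.com", "tvvitter.com", "twtiter.com", "rnyspace.com", "example.org"]

if __name__ == "__main__":
    for host, verdict, brand in scan(SAMPLE):
        print(f"{host:15} {verdict:10} imitates {brand}")
```

Note that tvvitter.com is two edits away from twitter.com, so a distance threshold of 1 alone would miss it; the confusable-sequence comparison is what catches it.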

Job Hunting and Identity Theft – Dangers of Social Networking

Posted by: Rachel James | May 21st, 2009

Today I was asked several times about social networking and job hunting. The question on everyone’s lips is, “What do I have to watch out for?”

Computerworld reports that one in five companies search social networking sites during the hiring process, although many experts believe that number is much higher. You may think that you’re immune because you don’t have any MySpace, Twitter or Facebook accounts- but read on and you will find that is far from the truth.

  • Do a search on yourself. Try Google and Pipl. Search for the same items that appear on your resume and application: name, addresses, phone numbers, user names, email accounts and professional groups are all gateways to finding your profile.
  • Be aware of professional name squatting and company squatting. There are those who scoop up usernames and create profiles using professional information belonging to you. You can usually get access to these profiles, but at a cost. You do not have to buy the impostor login from the squatter, but be aware that if you found it while searching for information about you, your employer will see it too. There are plenty of online reputation management companies that will help you change the order of appearance of your legitimate profiles in search rankings, and even some that will help you reserve your name and user profile on multiple social networking sites for a small fee. Others still will help you create positive chatter to help drown out any negative or misleading pages.
  • Even if you delete the profile, page or photos they may not be gone. Internet archives are still searchable. Photos can be especially difficult to delete entirely.
  • Who you keep company with says a lot about you. Your profile might be clean and professional, but if your buddy has pictures of the two of you on your last pub crawl, it can damage your chances of landing the job. Use the privacy settings on your profiles wisely!
  • Many people who are transitioning between being laid off and job searching may be angry about the economy and the way they were shown the door. Keep a lid on negative comments about your former employer, just as you would during an interview.
  • Be careful of professional identity thieves. I don’t mean people who steal identities for a living, I mean people who troll profiles like LinkedIn to create fake resumes to get hired at companies using real information from other people. The more personal information available on your profiles and resumes, the easier it will be for a person to commit identity theft or professional identity theft, or to gain access to your online profiles by correctly guessing your secret questions. Consider removing details like the names of companies, schools and organizations as well as dates and addresses. Change your profiles slightly to use generic terms such as “Privacy officer for major health organization in Silicon Valley” instead.
  • Social networking has become a popular way to search for jobs as well. There are classifieds on MySpace, and the ever popular Craigslist, but these are often full of scammers lurking in wait. Offers that sound too good to be true probably are. Stay away from offers that involve wiring money, processing money orders or otherwise acting as a “broker” for transferring funds. Check the company out using the Better Business Bureau, your local police, or other methods before providing any personal information such as date of birth or social security number, or showing up for an interview.
  • If you are offering your services, be careful of people who may be looking for an excuse to come to your home to “case” it for a robbery later. Also watch out for offers to pay you more than what you asked.  You may cash the check, but once the bank processes the phony funds, you will be left holding the bag. Be careful in responding to emails about your job posting as they may be from bots used by spammers or scammers trying to verify that there is a person on the other end of the email.

Bottom line: beware of what you post, delete does not always mean gone forever, use your privacy settings, and be aware of intentional and unintentional impostors. The last is a warning for both employers and employees. This is why it is so important to know what comes up out there under your name and details. If there is a person who shares your name and area and has a similar address, you may want to directly address that issue in a cover letter or interview. Don’t worry about bringing it up: it shows that you care about your reputation, and that you’re tech savvy.

…Teach a man to be phished, and he’ll be hungry for a lifetime

Posted by: Rachel James | May 4th, 2009

You’re in the scene: you’ve got the Facebook, MySpace, LinkedIn and Twitter accounts active and updated. You juggle to remember which friend requests have been added where, and then you suddenly decide to sign up for another social media site such as Yelp, Plaxo, Ning, FriendFeed, Orkut, or iLike. What a pain to add all those friends all over again! Then you see an advertisement for a wonderful service provided by the company: all you have to do is provide your email username and password, and all your friends will be automatically added to your social network. Sounds great, right?

Wrong. This leaves the door wide open for numerous types of fraud. Most people do not take the security precaution of creating different user names and passwords for the sites they visit. They may be handing over their address books, and financial and email accounts. You must also consider that a large database of user names and passwords is VERY attractive to potential hackers and identity thieves, and is much more likely to be targeted than individual accounts.

As reported on TechRadar, Twitter’s API lead Alex Payne said “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

Even if you trust the service not to delve into your personal information, you are providing a third party website with security information, a habit that identity theft and security professionals have been trying to break for years. As handing out your security information from one site to another becomes commonplace, it will become easier to convince users to continue the practice. As Jeremy Keith, technical director of user experience consultancy Clearleft, points out, “…it teaches people how to be phished.”

There is always a security trade-off for convenience. Before you click on that free download, try the new service, or ask a computer to remember your password, ask yourself: Is this worth it? Is the increased risk of attack and theft worth the convenience I am trading it for? Remember to use different usernames and passwords for your accounts, so that any single compromise does not result in total loss of your personal and financial information. Never provide account information on a third party site, and be cautious of any requests for password or account information by email, website or phone.

Remove that Social Networking Malware for Free

Posted by: Rachel James | March 11th, 2009

An update to Microsoft’s Malware Protection Center’s Threat Research and Response Blog by Scott Molenkamp details the social networking malware being addressed by Microsoft in the March update to its free Malicious Software Removal Tool.

This is an update regarding the US-CERT alerting us to the Koobface malware, as posted in this blog on March 4th, 2009. The Microsoft Malware Protection Center has noted that the following websites appear to be the focus of this attack:

• bebo.com
• facebook.com
• friendster.com
• fubar.com
• hi5.com
• myspace.com
• myyearbook.com
• netlog.com
• tagged.com

According to Microsoft’s details on the Malicious Software Removal Tool, “The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed…

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine. You should also use up-to-date antivirus software to help protect your computer from other malicious software. To download the latest version of this tool, please visit the Microsoft Download Center.”

US Computer Emergency Readiness Team Warns of Social Networking Threat

Posted by: Rachel James | March 4th, 2009

Straight from their alerts page:

added March 4, 2009 at 11:53 am

“US-CERT is aware of public reports of malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user’s contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code.

Additionally, some of the reports indicate that there are multiple bogus Facebook applications being used to obtain users’ private information.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

  • Install antivirus software and keep the virus signature files up to date.
  • Do not follow unsolicited links.
  • Use caution when downloading and installing applications.
  • Obtain software applications and updates directly from the vendor’s website.
  • Refer to the Staying Safe on Social Networking Sites document for more information on safe use of social networking sites.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.”

This is a reminder to us all that while we may trust the websites themselves, the applications available for download or the media shared on these sites are not usually examined for malicious code. Even if you trust the “friend” who sent it to you, that person may not be in control of their own account.

~Rachel James, Intake Specialist

Who needs enemies when you have MySpace friends?

Posted by: Rachel James | January 8th, 2009

By Rachel James

A new scam method, described in the IT World article “Why you can’t trust ‘friends’ on Facebook”, is another example of the risks that social networking exposes us to:

Step 1: Request to be “friends” with a dozen strangers on MySpace. Let’s say half of them accept. Collect a list of all their friends.

Step 2: Go to Facebook and search for those six people. Let’s say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you’re already an established friend.

Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send “friend” requests to your victims on Facebook.

As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you’ll accept. In fact, Facebook itself will suggest you as a friend to those people.

(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request “friend” status. They sought you out.)

Step 4: Now, you’re in business. You can ask things of these people that only friends dare ask.

“Let’s meet for drinks — bring your new car!”

“I’m in Nigeria on vacation, got robbed and need $500 to get home!”

Safe Social Networking

Posted by: Rachel James | December 19th, 2008

by Rachel James, Intake Specialist

A recent study found that nearly 50 percent of Facebook users put enough info — things like birth date, hometown, family information and more — to aid ID thieves.

Social networking is everywhere. There are literally millions of members who are sharing details about their lives, their jobs and their personal information. With that many users to choose from, social networking sites are ripe for harvest in the hands of a clever identity thief.

One of the most innocent-looking attacks is to start a “survey” that asks all about your favorite things in order to give you some label regarding your personality type, or even what cartoon character you resemble most. The instructions typically require you to post your results and then forward it amongst your friends. Among these questions are popular security questions for accounts such as “What is your favorite pastime?”, “What town did you grow up in?”, “What is your favorite movie?”

In fact, these questions, which are often the key to gaining access to your accounts in the event you forget your password, are often built into the social networking site’s profile to help better match you with people who have similar interests. Most people do not consider the risk that answering these questions poses, because they have probably long forgotten which security questions they set for their email or bank accounts.

These questions are just the tip of the iceberg. People using Twitter have updated their location as “on vacation” only to come back to a home that has been ransacked and robbed. A recent study in the UK by the Information Commissioner’s Office showed that 2/3 of social networking users post their date of birth, ¼ post their job title and 1/10 post their home address.

So what are the biggest vulnerabilities?

  • 95% of Facebook users run at least one application on their profile. These applications, despite being available for download directly from a social networking site, are by and large not reviewed by staff at the company and often contain viruses or other malicious code.
  • Use your privacy settings and only allow people to view your posts if you trust them and have met them in real life to verify that the account is actually owned by them. If you get a friend request you think you recognize, call that person to verify it was really them.
  • Don’t post your full name.
  • Don’t post your address, phone number or where you work.
  • Don’t post your salary range.
  • Don’t use status or location updates.
  • Don’t post the town you grew up in, or the schools that you went to.
  • Emails or posts that request too much information should be considered suspicious and probably ignored. The person forwarding it to you might not even be aware that they might be aiding an identity thief.
  • Be careful of the pictures that you post of yourself, family, friends and activities. These pictures could be used to gain valuable information, or altered in a manner against your will. Fake IDs, stalking, or damage to reputation could occur.
  • Remember that even if you delete the post later, it is still “out there”. Other users may have a copy of the information still on their computers, and it may have been picked up by the various internet archives. Treat everything you post on the internet as though you can never take it back.
  • Now with more social networking sites employing classifieds sections, you must be wary of job offers or other scams in advertising. Remember that if it sounds too good to be true, it probably is.
  • Be sure your security software such as your firewall, anti-virus, spyware protection and internet browser are up to date and running. Updates often include security patches to address known vulnerabilities, so it is important to update as often as possible.
  • Use complex passwords, vary them and change them often. The password to your email, social networking sites, or blog should NEVER be the same as the passwords for your financial or personal information.
  • When setting up accounts, do not ever use the “real” answer to a question. When asked for your favorite movie, respond with a password like 00Bond7 to make it easy to remember but hard to guess.
  • Speak with children about the dangers of revealing personal information.

Malware Spreading via Social Networking Sites

Posted by: Rachel James | December 9th, 2008

If you are a user of any of the popular social networks, like Facebook and Myspace, be aware of the risks inherent in sharing certain kinds of personal information in these forums. This bulletin was just released on the US-CERT’s website:

US-CERT is aware of public reports of malware spreading via popular social networking sites. The reports indicate that this malware is spreading through spam email messages appearing to come from Myspace.com, Facebook.com, and Classmates.com. The email contains a message indicating that there is a YouTube video available and instructs the user to follow the link to view the video. If users click on this link, they will be prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update–it is malicious code.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

  • Install antivirus software and keep the virus signatures up to date.
  • Do not follow unsolicited links.
  • Use caution when downloading and installing applications.
  • Obtain software applications and updates directly from the vendor’s website.
  • Configure your web browser as described in the Securing Your Web Browser document.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.