More Phishing… Don’t Fall for It!

by ssh on August 19, 2010

This morning I was scrambling with a bit of last minute packing before heading out for a few days at a business event in Clearwater Beach, Florida. I grabbed my various electronic devices, and quickly checked my email. When I did, I saw this email with the subject, “Account Re-Activation (Please Reply)”

Dear Webmail Account Users,

This is to inform you that we are having congestion's due to the anonymous
registration of webmail accounts so we are shutting down some email
accounts and your account is among those to be deleted, so we like to know
if you still want this account on our e-mail database/mail server.

To enable us upgrade you account and give you the best of our services
please you must reply to this mail and Re- confirms your login information
to avoid interruption.

Full Name: ...............................
Full Email Login: ......................
Password: ................................
Current Password: ...................

After following the instructions in the sheet, your account will not be
interrupted and will continue as normal because series of maintenance
process need to be carried out on your mailbox.

Warning code:.....VX2G99AAJ

Failure to do this will automatically render your e-mail account
deactivated from our e-mail database/mail server. To enable us upgrade
your email account, please do reply to this mail.

Webmail Regional Mail server Technical Support.

It was obvious to me that this is a “phishing” email, but people fall for these expeditions every day. Help people by showing them why email like this is a scam designed to steal their email credentials. What do you see in this?

Here are a few of the things I see…

First, and foremost, it asks for my account information in the plain text of an email. That’s what got me thinking: do people actually fall for this? They must!

Never email a password to anyone. Ever.

What else do I see in this? Well, it’s not written to me personally, but to a generic title. Any real business with my account information would auto-fill my name, at least.

How about a webmail company who doesn’t ask me to login to my account to make a change? Or at least to use a web page for this interaction?

Of course, the mistakes in the English in the email are clues, too, as are the “From:” address and headers, which I haven’t included here.

What do you see? How will you warn your friends?
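As an added illustration, not part of the original post, here is a small Python checker that applies the tells listed above to a raw message. The From and Reply-To headers in the sample are constructed, since the post leaves the real ones out, and the body is a shortened copy of the quoted email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the body is the phishing message quoted above; the From
# and Reply-To headers are hypothetical, since the post leaves them out.
PHISH = """\
From: Webmail Support <support@example-webmail.invalid>
Reply-To: webmail.upgrade2010@freemail-example.invalid
Subject: Account Re-Activation (Please Reply)

Dear Webmail Account Users,

This is to inform you that we are shutting down some email accounts and
your account is among those to be deleted. To enable us upgrade you account
please you must reply to this mail and Re- confirms your login information.

Full Email Login: ......................
Password: ................................
"""

# One regex per tell the post walks through; each runs over the message body.
BODY_CHECKS = {
    "asks_for_password": re.compile(r"^[^\n]*\b(password|login)\b\s*:", re.I | re.M),
    "generic_salutation": re.compile(r"^dear\s+(\w+\s+)*(users?|customers?|members?)\b", re.I | re.M),
    "deactivation_threat": re.compile(r"\b(deactivat|delet|shut(ting)? down|suspend)\w*", re.I),
}

def message_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_flags(raw_message):
    """Return the sorted list of red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = message_body(msg)
    flags = {name for name, rx in BODY_CHECKS.items() if rx.search(body)}
    # Told to reply with details, and no web page is offered for the change.
    if re.search(r"\breply to this (e-?mail|mail|message)\b", body, re.I) and "http" not in body.lower():
        flags.add("reply_not_web")
    # Replies quietly routed to a different domain than the visible sender.
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != domain_of(msg["From"]):
        flags.add("reply_to_mismatch")
    return sorted(flags)

if __name__ == "__main__":
    print(phishing_flags(PHISH))
```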


Facebook’s Security Mess

by ssh on August 18, 2010

Last week I was sitting in my office working away on a client’s iPhone app when my iPhone’s text message bell alert rang. I picked up my phone to see my daughter’s text message: “Free iPad event?” After an exchange, I learned that my Facebook account had sent her an event request with a link to a rogue quiz site that was offering quizzes for the amazingly low price of $19.99 a month. I also started getting emails from other friends who were getting the invitation from me.

So, I got mad.

First, I deleted the event. Then, I posted to my wall about it. And then, I went on the warpath.

You see, I am very careful about my Facebook account. While I explore aspects of Facebook as part of my research for clients, I am aware of the dangers and am diligent in working through the possible issues. But, I got caught. So, I went looking for the source of the issue.

The first thing I learned is that I am not alone. There is even a Facebook group that has grown up to oppose it. But, no one seemed to know how it was done, so I began to investigate.

Given the invitation text and the targets, I figured out that it had to have come from an application with access to my account. I dug through my entire list of applications, eliminating many that were either old or that I don’t use. But, it’s important to understand that Facebook makes this process far more painful than it needs to be. If only Facebook would make a note on the wall posts, event invites, and other items noting what application was used to create it, we could track down the reprobates who build these cheap cheats. Twitter even does it:

[Image: Twitter displays the source of the Tweet below the text]

So Twitter, with its informal nature, trumps Facebook in one of the most important aspects of security: transparency.

In my next few posts, I’ll outline what you can do to scrub your Facebook account in a way that will make it much more hardened against this kind of attack. However, with the limited transparency of Facebook’s system right now, there is only so much you can do.


How You Can Change the World

August 17, 2010

It’s been beautiful here in Boulder for the past week. Cool in the evenings, sunny during the day, with the occasional thunderstorm to brighten up the afternoon. During this week, I’ve had a great exchange with Stephanie George, my brilliant friend who helps businesses to see their current business situation through objective eyes, offering business [...]


What Should the Government Do?

August 16, 2010

This morning, one of my good friends–a brilliant and insightful business analyst you should know–asked me what I thought about the latest McKinsey Quarterly newsletter article entitled, “Where are the jobs.” Given the questions that I have had on this, I’ll share my thoughts that came from my response to her: the key job growth [...]


More on the Remedy for the “Hireless” Recovery

August 15, 2010

There are a number of very specific reasons that this worldwide economic situation persists, primarily, as I wrote earlier, due to the very poor decisions and lack of clarity from politicians. While we do live in a worldwide economy, the United States remains the primary engine of that economy. For that reason, what happens in the [...]


The Value of Decisiveness

August 14, 2010

Earlier this past week I was in my home office working on a new iPhone app for a client when my phone rang. On the other end of the line was a northeastern accent that I recognized right away. Last winter, this friend and I had spent the better part of a day skiing around [...]


How My iPad Makes Reading Better

August 13, 2010

As I sat finishing breakfast at our kitchen table yesterday morning with the Colorado sun filling the back yard and the kids enjoying their last few days of “freedom” before they head back to school next week, I caught up on my news reading using my iPad. I use Feeddler, an RSS (Really Simple Syndication) reader [...]


A Further Analysis of Network Neutrality

August 12, 2010

Earlier this week, you may have read my post on Why “Net Neutrality” is Wrong. In it, I illustrated the reasons for network management control of the network, and also mentioned how most of the politicians involved just don’t get it (and believe me, I got email about the video linked to my “idiot politicians” [...]


iOS Update Fixes PDF Vulnerability

August 12, 2010

I wrote earlier about the PDF vulnerability in iOS that impacts every iPhone, iPod Touch, and iPad. Yesterday, Apple made an update available to fix the vulnerability. If you own an iOS device, be sure to update it as soon as you can. If you don’t see the update as soon as you plug your [...]


TripIt for Travel Gets Gmail

August 11, 2010

This morning, travel itinerary site TripIt launched a new integration with Gmail. Now, instead of forwarding your itinerary messages to plans@tripit.com as you have done in the past, TripIt will scan your mailbox for you and import those items into your TripIt account. To create the link, login to your TripIt account and look in [...]
