December, 2008

On December 17th, Microsoft released an emergency security patch for all versions of Internet Explorer. The patch is considered a critical fix for a current security flaw that has believed to have infected over 2 million computers.

The following version of Internet Explorer are affected:

• Internet Explorer 5.01
• Internet Explorer 6
• Internet Explorer 7

How Serious is the Flaw?

The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information. Definitely not a hole you want left unpatched for an extended period of time especially if you have been doing a lot of holiday shopping over the Internet.

Steps To Secure Internet Explorer

First, download the appropriate Microsoft security patch at the Microsoft Update site as well as at the Microsoft Download Center. It is always the best policy to obtain any hardware or software patches directly from the hardware or software vendor’s website instead of some unknown third party website. An unknown third party website purporting a hot patch fix is more likely than not also including unwanted extra baggage in their download in the form of malware resulting in ironically making your system even less secure than before.

After successfully applying the IE security patch, update the virus definitions on your antivirus software on your system. The virus definition date should be December 17th or later. Then run a full virus scan on your system to make sure nothing sneaked in during the period before you applied the security patch. If your virus scan comes back clean, then you can go on the Internet with confidence to finish any last minute holiday shopping.

More technical details are available on the Microsoft Technet website.

Selling puppies via Craigslist - or any classified ad - can be hazardous to your bank account.

Janet from New York sent us this story about a response to an ad she placed in an online classifieds web site. Here's how it went down:

You have received a reply to your pet ad.

Hello,

I am Dan and am writing you because am much interested in your puppy for sale on the classified ads. Kindly email me the details with the actual price and the health condition of the pup. Hope the pup is still in a good state. Looking forwarding to hearing from you soon. Have a nice day.

Mr Dan

Not a bad start. His english isn't great, but that's okay. Here's Janet's reply:

Hi Dan,

I have two puppies left. The boy and the black and white girl. They are very healthy and quite active. They are $475 each. They will have their first 5way shot and have been dewormed. You can visit them if you like. They are available to leave the nest anywhere from the 19th to the 22nd. On the 22nd they will be 8weeks old.

Let me know. Don't worry about their health. I am taking good care of them. They will also come with papers.

Thanks,

Janet

A reasonable response and the price seems right (okay, I don't know anything about puppies, but I'm guessing these are pretty nice for $475 each). Here's where things turn south...

Hello

Thanks for your email. I'm okay with price of the female puppy for $475. I will be making the payment via Certified Check drawn from a United State of America bank. I will making a dual payment which will cover the payment of the puppy and little part of the shipping of the puppy to its final destination.

Furthermore, as soon as you receive payment, you need cash to deduct the money for the puppy and wire the rest to the shipper who will be available for pickup at your end. In addition, you need to deduct $90
for more proper vaccination, Purina puppy chow and vet check before the pickup. Get back to me with the below information in order to get the payment mailed:

Name to be on the check:
Address to be mailed to ( No P.O Box Please)
Phone Number(s) I can possible reach on ( Morning/Day/Evening)

I just had to let you know how lucky the pup is going to be because the pup is coming to a good home with a spacious fence yard and tender care of family of two kids and Pet Lover.. I will be happy to send you pictures of the puppy development. The shipper will be taking good of him by giving a good hospitality and making a sound delivery to me.

Moreso, I will be glad if you can scan a copy of the AKC registration document and other paperworks for me, i.e if available. Get back to me as soon as the possible so I can effect the payment.Thanks and I look forward to reading from you.

Regards,

~Pups are my World~

Janet could sense that something was very wrong here. What were the warning signs?

• Payment via check. - in an online transaction, a check should be considered worthless. Scammers are experts in creating forged checks. Your bank will initially accept the check, but will later discover that it's a forgery and will remove the funds from your account.
• Extra payment - this is a huge warning sign. Any time a buyer wants to send you more money than you're asking for, alarm bells should go off. They're hoping you will deposit the "extra money" in your bank account and then wire your money to an accomplice. Not only will you not get paid for your merchandise, you'll actually end up paying them money. Getting scammed twice instead of once is not fun.
• Payment via wire - thieves love being paid via wire because it's almost impossible to track and recover the money. Never pay by wire.
• The use of emotion - the scammers play on the sellers feelings by talking about how they'll care for the puppy, take pictures of the puppy, put the puppy in a nice, big, safe, fenced yard, etc. Emotion is a powerful tool in distracting you as they steal your money.

This story had a happy ending. Janet sensed that something was wrong and didn't send the scammers anything. We're sharing the story here with the hope of educating other people placed in the same situation.

NOTE:This is our first in an on-going series of stories direct from visitors of Fight Identity Theft. If you'd like to submit your story, go to our contact page and select "I'd like to share my story."

According to investigative reporters for WirtschaftsWoche, 21 million Germans have had their personal information stolen along with their bank account and bank code numbers. The thieves are offering to sell the data for 12 million euros (about 15.3 million dollars). It is believed the scammers gathered the data by using employees at financial institution call centers.

Could this happen in the U.S.?

It certainly could. Privacy laws throughout Europe are generally tighter than U.S. laws and Germany is among the tightest. Low employee morale, caused by a deteriorating job market and chaos within the financial sector makes crimes like this more likely. I'm sure it's tempting for employees to grab whatever data they can as they're shown the door or maybe they're just looking to add to a mediocre salary. Whatever the reason, it may be time to buckle up and prepare for a bumpy ride.

What could criminals do with this data? Make bank withdrawals.

Criminals can use the bank account info to make withdrawals - either big or small. A .57 cent bank withdrawal from 21 million accounts still ads up to... ummm... let me get my calculator out... $11.97 million dollars. And that's this month, and next month, and the next month, etc. until they're caught or they decide to make a big withdrawal and run.

Here's their strategy, detailed in an IT World article:

Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim's account, said Thierry Zoller, an independent security consultant based in Luxembourg.

Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said.

This is why carefully checking your bank records is important. If you see a unexplained entry - even if it's small - you should track it down until you understand where it came from. Otherwise you might unexpectedly see a much bigger withdrawal from the same source somewhere down the line.

More about this story at the WirtschaftsWoche in English and German.

You can also find coverage at The Register, and IT World.