
The spirit of giving has hit Google. They are generously providing free Wi-Fi at 47 airports from November 10, 2009 to January 15, 2010. That's great, but there are a few precautions you should take to keep yourself safe.
Using the free service is simple: select the free Wi-Fi network and accept the terms of service. There's no need to give any form of payment. However, Google wants you to catch the giving spirit and give a donation to any of the three non-profit organizations [2] they've partnered with. But donate [2] once you're using a secure Internet connection at home - not on the Wi-Fi network. In addition to providing free Wi-Fi, Google's having a photo contest. You could win a prize just for submitting a photo [3] of you using the free Wi-Fi.
You can take advantage of Google's generosity at one of the following 47 airports:
| Austin (AUS [5]) | Indianapolis (IND [6]) | Panama City, FL (PFN [7]) |
| Baltimore (BWI [8]) | Jacksonville, FL (JAX [9]) | Pittsburgh, PA (PIT [10]) |
| Billings (BIL [11]) | Kalamazoo (AZO [12]) | Portland, ME (PWM [13]) |
| Boston (BOS [14]) | Las Vegas (LAS [15]) | Sacramento (SMF [16]) |
| Bozeman (BZN [17]) | Louisville (SDF [18]) | San Antonio (SAT [19]) |
| Buffalo, NY (BUF [20]) | Madison (MSN [21]) | San Diego (SAN [22]) |
| Burbank (BUR [23]) | Memphis (MEM [24]) | San Jose (SJC [25]) |
| Central Wisconsin (CWA [26]) | Miami (MIA [27]) | Seattle (SEA [28])* |
| Charlotte, NC (CLT [29]) | Milwaukee (MKE [30]) | South Bend (SBN [31]) |
| Des Moines (DSM [32]) | Monterey (MRY [33]) | Spokane (GEG [34]) |
| El Paso (ELP [35]) | Nashville (BNA [36]) | St. Louis (STL [37]) |
| Fort Lauderdale (FLL [38]) | Newport News (PHF [39]) | State College (SCE [40]) |
| Fort Myers (RSW [41]) | Norfolk (ORF [42]) | Toledo (TOL [43]) |
| Greensboro (GSO [44]) | Oklahoma City (OKC [45]) | Traverse City (TVC [46]) |
| Houston Hobby (HOU [47]) | Omaha (OMA [48]) | West Palm Beach (PBI [49]) |
| Houston Bush (IAH [50]) | Orlando (MCO [51]) | |
*Seattle launches late November
Airport Wi-Fi - like other public hotspots - is not secure, and you should avoid logging into your bank account or other sites with sensitive info. Wireless network security can be compromised, leaving your passwords and other data out in the air and available to a fellow traveler with the right hacking tools.
We don't mean to scare you out of using Google's Wi-Fi gift, but to educate you about the potential risks.
Here are some tips on how to protect yourself when using any Wi-Fi connection:
This video from Forbes provides more details on what you should watch out for:
Check out Google's Free Wi-Fi for the Holidays [52] site and their FAQ page [53] for more details.

We've been educating you about phishing emails [56] for years, and it's not uncommon to come across one of those pesky emails in your inbox just about every day. The easiest approach is to ignore it or mark it as spam and go on with your day. However, by taking just a minute or two to report it, you can help make the Internet a safer place for you and the rest of the world.
OpenDNS, the world's largest, fastest-growing DNS service provider, launched PhishTank [57] in an effort to make the Internet a better place for all of us.
PhishTank serves as a clearing house for data and information about phishing on the Internet and provides the information to developers and researchers to integrate anti-phishing data into their applications. Best of all, the PhishTank services are free!
Here are some statistics from October, 2009 to give you an idea of what kind of impact PhishTank has on scam emails:

Exercising a little philanthropy has never been easier:
As a side note, OpenDNS offers other services through innovative uses of the DNS. Some of these include free parental controls (porn filtering), phishing protection, and other advanced services for consumers and network administrators alike. Check out their free and deluxe plans here: http://www.opendns.com/start [60].
Facebook won a huge judgment from the spammer who already owes MySpace $234 million from an earlier suit.
Sanford Wallace [63] has been a known spammer since the 1990s and is one of the first to be crowned "Spam King". His most recent spamming scheme was sending messages to Facebook users that contained links to phishing websites asking for login information. Wallace used the submitted information to spam the phishing victims' friends, with the aim of pulling in even more potential phishing victims. It's also believed that Wallace was paid to redirect Facebook users to money-generating web sites.
"The record demonstrates that Wallace willfully violated the statutes in question with blatant disregard for the rights of Facebook and the thousands of Facebook users whose accounts were compromised by his conduct," Fogel said in his ruling.
Facebook sought $7 billion in damages, as allowed by the CAN-SPAM Act and California business code. However, California federal judge Jeremy Fogel felt that was disproportionate to the actual damage caused by Wallace and awarded Facebook only $710,737,650 instead. Judge Fogel also turned Wallace over to the U.S. Attorney's Office to be prosecuted for criminal contempt and for willful violation of a temporary restraining order and injunction.
With Wallace possibly facing jail time and owing MySpace $234 million, it won't be easy for Facebook to collect its money. But at least the "Spam King" has been caught and may be taken off the grid for a time.
More information on Information Week [64]. Photo courtesy of Canadian Broadcasting Centre.
Lately I've received several "smishing" text messages on my phone and I finally captured the audio of a full phone interaction with their voice response system.
Here is the audio from a smishing phone call I recorded. Listen closely to see how they use fear to manipulate the victim into providing information.
Well, someone somewhere comes up with these cute names for things and "smishing" is no different. It's a play on the term "phishing", and the "Sm" part comes from SMS, which is the technical name for text messages on cell phones (Short Message Service). Did that make sense? If not, here's a description from the fount of all knowledge - Wikipedia:
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL; however, it has become more common to see a phone number that connects to an automated voice response system.
As you listened to the call, you should have noticed a few tactics scammers use to get your information:
In this call, they are trying to capture a credit card number, expiration date, PIN, and card security code. With this information they will attempt to make purchases online with your card, pull money from your account with an ATM, or possibly create a fake card containing your information.
It should be obvious to most people that these messages are scams. Unfortunately, the scammers just have to get a small percentage of people to fall for these messages to make it worth their time. Just like spam email, if a few people respond it will continue to be financially viable.
What complicates things a bit is some banks are now using text messages as a communication method for alerts or other information. In these alerts they'll often ask you to phone in to confirm a transaction or to alert you to a problem with your account.
If you're concerned at all about the origin of an alert, always call your bank directly using the phone number from a bank statement or official web site. Never call using the number provided in a text message.
Read more about smishing tactics in this recent Yahoo article [67].

Did that get your attention? Scammers are hoping it will.
An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent nomination of Barack Obama is a perfect topic and Symantec has reported [70] that emails are showing up that read something like this:
Subject: Breaking news
Barack Obama refused to be the president of the United States of America [71]
Yours Sincerely,
Cecily Lynn
Subject: What is going on with our country?
Obama has gone [71]
Yours faithfully,
Rodney Lynch
The link in the actual emails (we're not linking to anything in the examples above) points to the following site:

The site instantly attempts to bypass any browser security and install malware on your computer. If that fails, any link on the site will download and install the malware. The software is called W32.Waledac. Here's what it does, as described on the Symantec web site:
Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:
- harvesting sensitive information on your computer
- turning your machine into a spam zombie
- establishing a back door on your computer that will allow it to be remotely accessed
Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?
Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated [72]. The same goes for browsers, email clients, and anti-virus software. If your software is up-to-date, you're more likely to avoid being hurt by scams like this.
By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.

It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.
Researchers at Trusteer [75] recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:
That's it! Their login credentials are now in the hands of the scammers.
A few things have to be in place for this to work. First, the scammers need a compromised web server in order to install the malware. Fortunately, there are lots of those around. Second, the malware has to be able to determine which other sites the user has visited. This is possible based on a vulnerability in the JavaScript engine used by Internet Explorer, Firefox, Safari, and Chrome.
From Trusteer:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
Well, the planets have to align a bit to pull this scam off and it's likely the JavaScript vulnerability will be patched in the near (hopefully) future.
Until then, Trusteer recommends the following preventative measures:
and most of all...
Learn more about this attack by downloading Trusteer's security advisory [78].
Whether you're a business traveler touching base with the home office or a vacationer catching up on some last-minute Christmas shopping during holiday travel, airport wireless networks are a welcome distraction during a layover.
But beware...
According to a recent article in Forbes [81], anyone who logs on using an airport wireless connection is instantly exposed to data and identity theft.
Forbes interviewed a so-called "white-hat hacker" working for AirTight Networks (which makes wireless security software and hardware), and found that during AirTight's survey of 20 American airports, agents had identified serious security flaws in nearly every network. Some airports even allowed critical baggage handling and ticketing data to pass through their network unencrypted - a potential security risk in more than just the digital sense.
The purpose of the tests was to alert airports to the problem in the hopes that they would choose to hire AirTight as their security provider, but in the short term, let it stand as a warning to travelers: You are nowhere near as safe logging in at an airport hub as you are even at home. Even shopping malls and many universities provide more network protection to their users, and since there are currently no laws on the books that require airports to try any harder, don't expect any of this to change overnight.
Here's a quote from Forbes on how bad things are:
They found rampant phony Wi-Fi hot spots created by phishers and, at several large airports, plenty of open or insecure networks run by critical operations such as baggage handling and ticketing. Almost all public networks allowed data such as user names and passwords to pass through the air unencrypted. Only 3% of people used something more secure.
Most security experts would recommend these four steps to relative safety on public wireless networks like those found in airports:
These steps won't guarantee you 100 percent safety, but it's a good start if you decide that uploading those Christmas photos to Flickr can't wait until tomorrow.
This video from Forbes provides more details on what you should watch out for:
Thanks to our friends at Kroll Fraud Solutions [84], we have some excellent 2008 tax season tips for avoiding identity theft:
The U.S. economy may not be the only beneficiary of the recently passed federal economic stimulus package – identity thieves are getting a boost, too. Why? In the wake of the recent IRS announcement that more than 130 million Americans will receive tax rebates this year, identity thieves are using the promise of extra cash to lure Americans into disclosing their sensitive personal information.
These “phishing” schemes can take a variety of forms, the most common of which involves an identity thief who calls or e-mails a consumer pretending to be an IRS employee. The consumer is promised a sizable rebate if they file their taxes early. All the caller needs in exchange is the consumer’s bank account number to deposit the check.
The bad news is that schemes like the one described above are common; the good news is that falling victim to one is avoidable – as long as consumers get smart on the facts and follow the proper precautions.
Below, ID theft expert Brian Lapidus, chief operating officer of Kroll's Fraud Solutions, offers some important advice that every consumer should know about protecting their personal information during tax season. At Kroll, Lapidus oversees a highly-skilled team that includes veteran licensed investigators who meet regularly with IRS agents to stay apprised of emergent tax fraud issues – bolstering the team's specialized work supporting breach victims and restoring individuals' compromised identities to pre-theft status.
The Better Business Bureau of Chicago and Northern Illinois has released its top 10 scam list for 2007. Even though this is a regional list, it fits nicely with what we're seeing here at Fight Identity Theft:
Would-be victims receive a check in the mail, allegedly for winning a sweepstakes, lottery or promotion. The check supposedly covers taxes or other fees (see the text of the letter below). Here's how the scam works:
Here's a sample of a check one of our readers received in the mail. The scammers will often place a reputable company on the forged check:


These frequently will contact people by phone after they've filled out an online loan application or have found an advertisement in a local newspaper.
This is a similar scam to the check scam described above.
Offers that look for "shipping" or "billing managers," "payment processors" or anything with a financial-sounding name very frequently turn out to be fraudulent listings that are, in actuality, looking for victims to commit money laundering.
Other bogus online employment offers request money for travel, work visas, etc. Some scammers don't ask for money, but instead ask for your personal info (name, DOB, SSN, address, mother's maiden name) in order to steal your identity or sell your info to someone who will.
Be extremely careful when dealing with online employment. Don't send money to anyone. To verify that your contact really works at the company you're interested in, call the company's main number and ask for your contact, rather than dialing the direct number you've been given.
Epidemic in proportion, these are very much like the fake check scams.
These usually are found in forms of online ads and typically in places such as Craigslist or other classified forums on the Internet.
Same kind of scam as #1 with a slight twist.
A check overpayment scam begins when a scam artist replies to the classified ad or auction posting and offers to purchase the item for sale with a check, then comes up with a reason for writing the check for more than the purchase price for the item. The scammer asks the consumer to wire back the difference after the check is deposited. Later, the scammer’s check bounces, leaving the consumer liable for the entire amount.

Scammers contact residents and offer them a desperate plan that is affordable and supposedly allows them to keep the home. Here's how it works:
The scammers will offer to lower your monthly mortgage payment while also promising that in a short time you can own your home free and clear of any debt. The con artist claims to offer or arrange for a new loan but instead tricks the homeowner into selling the home to the con artist or a third party and agreeing to either lease the home back or purchase it back on a land contract. The con artist or third party will pay off the existing mortgage or take out a loan. If the scammed homeowner lived in the home for a number of years, he or she likely built up and is surrendering significant equity. Equity is the market value of the home minus the value of all mortgages and other liens on the home. The con artist now owns the home and has stripped or taken the equity out of the scammed consumer's home.
Consumerlaw.org has a great pdf which covers this fraud in detail - http://www.consumerlaw.org/news/ForeclosureReportFinal.pdf [90]
People are solicited by mail or e-mail and told they can make thousands of dollars working from home by buying a special kit, book or tape collection.
An e-mail or letter is sent to the victim from someone claiming to be related to them, or from somebody that claims to know that the victim's distant relative is either very sick or has died and left inheritance money.
Generally, e-mails are sent from what looks like a legitimate bank or financial institution, asking for confirmation of account numbers and personal information.
- See some examples of a typical phishing email - Paypal phishing scam [91].
E-mails or letters are sent from someone claiming to be an official or agent from a foreign country, informing the recipient he or she is seeking a foreign company or individual into whose account they can deposit funds left over from government funds, a business bank transaction or a confiscated family inheritance.
- See some examples of a typical Nigerian Email Scam [92].
Recently, a new phishing [95] e-mail has been circulating. The e-mail claims to be from the IRS, asking for donations to help the victims of the California wildfires. The e-mail is a scam. The IRS does not and never will ask for donations, let alone send out an e-mail asking for financial and personal information.
The e-mail seems real enough. It provides links to an IRS website. The website asks for personal and financial information in order to obtain the donation. It seems like a good thing to do. However, do not enter any personal or financial information; the website is not the real IRS website. The information that is asked for is what the scammers use to steal identities, open new lines of credit and ruin people's credit and lives. If that weren't enough, the links and the e-mail are also thought to contain “malware and other malicious software.”
To protect yourself and help stop the phishing scam, the IRS
“urged those who received the scam e-mail to help the IRS shut down the operation by forwarding it to phishing@irs.gov, using instructions found in "how to protect yourself from suspicious e-mails or phishing schemes" on the genuine IRS Web site, http://www.irs.gov [96].”
On a happier note, the IRS is doing their part to help the wildfire victims. They are extending payment and tax return filing deadlines for victims.
“As California taxpayers start the recovery process, the last thing they should worry about is meeting a tax deadline,” said IRS Acting Commissioner Linda Stiff. “The IRS offers many resources for disaster victims online at IRS.gov [97], over the phone and in person.”
If you would like to donate to the victims there are several ways in which you can. The LA Times wrote an article [98] with several suggestions of how to help the wildfire victims.
Read the AP's article [99] for all the details of the e-mail scam.
Links:
[1] http://www.fightidentitytheft.com/blog/airport-wi-fi-isnt-secure-even-if-google-makes-it-free
[2] http://www.freeholidaywifi.com/give-back/
[3] http://www.freeholidaywifi.com/photo-contest/
[4] http://www.fightidentitytheft.com/%20%20%20a.href%20%20%20
[5] http://www.google.com/search?q=AUS airport
[6] http://www.google.com/search?q=IND airport
[7] http://www.google.com/search?q=PFN airport
[8] http://www.google.com/search?q=BWI airport
[9] http://www.google.com/search?q=JAX airport
[10] http://www.google.com/search?q=PIT airport
[11] http://www.google.com/search?q=BIL airport
[12] http://www.google.com/search?q=AZO airport
[13] http://www.google.com/search?q=PWM airport
[14] http://www.google.com/search?q=BOS airport
[15] http://www.google.com/search?q=LAS airport
[16] http://www.google.com/search?q=SMF airport
[17] http://www.google.com/search?q=BZN airport
[18] http://www.google.com/search?q=SDF airport
[19] http://www.google.com/search?q=SAT airport
[20] http://www.google.com/search?q=BUF airport
[21] http://www.google.com/search?q=MSN airport
[22] http://www.google.com/search?q=SAN airport
[23] http://www.google.com/search?q=BUR airport
[24] http://www.google.com/search?q=MEM airport
[25] http://www.google.com/search?q=SJC airport
[26] http://www.google.com/search?q=CWA airport
[27] http://www.google.com/search?q=MIA airport
[28] http://www.google.com/search?q=SEA airport
[29] http://www.google.com/search?q=CLT airport
[30] http://www.google.com/search?q=MKE airport
[31] http://www.google.com/search?q=SBN airport
[32] http://www.google.com/search?q=DSM airport
[33] http://www.google.com/search?q=MRY airport
[34] http://www.google.com/search?q=GEG airport
[35] http://www.google.com/search?q=ELP airport
[36] http://www.google.com/search?q=BNA airport
[37] http://www.google.com/search?q=STL airport
[38] http://www.google.com/search?q=FLL airport
[39] http://www.google.com/search?q=PHF airport
[40] http://www.google.com/search?q=SCE airport
[41] http://www.google.com/search?q=RSW airport
[42] http://www.google.com/search?q=ORF airport
[43] http://www.google.com/search?q=TOL airport
[44] http://www.google.com/search?q=GSO airport
[45] http://www.google.com/search?q=OKC airport
[46] http://www.google.com/search?q=TVC airport
[47] http://www.google.com/search?q=HOU airport
[48] http://www.google.com/search?q=OMA airport
[49] http://www.google.com/search?q=PBI airport
[50] http://www.google.com/search?q=IAH airport
[51] http://www.google.com/search?q=MCO airport
[52] http://www.freeholidaywifi.com/
[53] http://www.freeholidaywifi.com/faq/
[54] http://www.fightidentitytheft.com/blog/airport-wi-fi-isnt-secure-even-if-google-makes-it-free#comments
[55] http://www.fightidentitytheft.com/blog/report-phishing-email-what-do-when-you-catch-phish
[56] http://fightidentitytheft.com/paypal_scam.html
[57] http://www.phishtank.com
[58] http://www.phishtank.com/register.php
[59] mailto:phish@phishtank.com
[60] http://www.opendns.com/start
[61] http://www.fightidentitytheft.com/blog/report-phishing-email-what-do-when-you-catch-phish#comments
[62] http://www.fightidentitytheft.com/blog/facebook-awarded-711-million-spam-king
[63] http://en.wikipedia.org/wiki/Sanford_Wallace
[64] http://www.informationweek.com/news/global-cio/security/showArticle.jhtml?articleID=221400140
[65] http://www.fightidentitytheft.com/blog/facebook-awarded-711-million-spam-king#comments
[66] http://www.fightidentitytheft.com/blog/smishing-scam-audio-sample
[67] http://tech.yahoo.com/blogs/null/139677
[68] http://www.fightidentitytheft.com/blog/smishing-scam-audio-sample#comments
[69] http://www.fightidentitytheft.com/blog/breaking-news-obama-refuses-be-president
[70] https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/136
[71] http://www.fightidentitytheft.com/categories/Phishing
[72] http://www.fightidentitytheft.com/blog/latest-worm-infects-9-million-pcs
[73] http://www.fightidentitytheft.com/blog/breaking-news-obama-refuses-be-president#comments
[74] http://www.fightidentitytheft.com/blog/new-phishing-technique-discovered-learn-how-it-works
[75] http://trusteer.com/
[76] http://www.webkinz.com
[77] http://www.fightidentitytheft.com/www.pogo.com
[78] http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
[79] http://www.fightidentitytheft.com/blog/new-phishing-technique-discovered-learn-how-it-works#comments
[80] http://www.fightidentitytheft.com/blog/airport-wireless-network-not-as-safe-as-you-think
[81] http://www.forbes.com/forbes/2008/1208/052.html
[82] http://www.fightidentitytheft.com/blog/airport-wireless-network-not-as-safe-as-you-think#comments
[83] http://www.fightidentitytheft.com/blog/-2/keep-identity-thieves-at-bay-during-the-2008-tax-season
[84] http://www.krollfraudsolutions.com
[85] http://www.antiphishing.org/index.html
[86] http://www.irs.gov/individuals/article/0,,id=106778,00.html
[87] http://www.irs.gov/publications/p552/ar02.html#d0e617
[88] http://www.fightidentitytheft.com/blog/-2/keep-identity-thieves-at-bay-during-the-2008-tax-season#comments
[89] http://www.fightidentitytheft.com/blog/-2-2/top-10-scams-of-2007
[90] http://www.consumerlaw.org/news/ForeclosureReportFinal.pdf
[91] http://www.fightidentitytheft.com/sucker.html
[92] http://www.fightidentitytheft.com/internet_scam_nigerian.html
[93] http://www.fightidentitytheft.com/blog/-2-2/top-10-scams-of-2007#comments
[94] http://www.fightidentitytheft.com/blog/identity-theft/warning-the-irs-does-not-ask-for-donations
[95] http://www.fightidentitytheft.com/phishing-scams.html
[96] http://www.irs.gov/newsroom/article/0,,id=175392,00.html
[97] http://www.irs.gov/newsroom/article/0,,id=175158,00.html
[98] http://www.latimes.com/news/local/la-me-howtohelp24oct24,0,855524.story?coll=la-home-center
[99] http://news.yahoo.com/s/ap/20071102/ap_on_re_us/irs_scam
[100] http://www.fightidentitytheft.com/blog/identity-theft/warning-the-irs-does-not-ask-for-donations#comments
[101] http://www.fightidentitytheft.com/blog/categories/Phishing?page=1