SCAM – $500 Gift Card for COLES – FREE

UPDATE: The purpose of this scam is to get people to fill out a survey. Every time the survey gets filled out the scammer gets paid a small fee. That’s the reason for all of this silliness.

There’s an Australia-specific scam doing the rounds of Facebook at the moment purporting to be giving away a Coles gift card with the text:

$500 Gift Card for COLES – FREE

If you click on the link you are taken to a page with the following text:

Step 1: You must share this page

Step 2:Click “Add Comment” & Type, Thanks! into the comments below

It is 100% certifiably, undeniably a scam. Do not fall for it. If you fall for it and I know you, don’t be surprised if I make fun of you the next time I see you.

The clues?

  • The countdown for the giveaway resets itself to 1300 every time you refresh the page.
  • Look at the punctuation and spelling… Doesn’t seem right, does it? Certainly not like the work of a branch of the largest company in Australia.
  • The URL the link redirects you to when you click it is http://yeyenut.info/ and the link it asks you to share is http://toolapz.info/. Does this look legit to you? If yes, does it look legit AND even vaguely affiliated with Coles?
  • If you share the link and say “Thanks!” how is Coles going to find you if they aren’t your Facebook friend? Seriously, actually stop and think about it for a second.

There have been a few of these lately – No real purpose, benefit or threat to them which can be seen (although I’m keen to hear from anyone who has a different opinion here) but because of the lure of FREE STUFF they inevitably spread like wildfire.

Please, stop and think.

What’s your way of figuring out if something is a scam or not? Share below!

SCAM: In Memory of Steve Jobs, we’re Giving Away 1000 iPad 2′s – NOT!

The text of this Facebook scam is as follows:

Title: In Memory of Steve Jobs, we’re Giving Away 1000 iPad 2′s

Link (DO NOT CLICK): http://promo-ipad.net/?801&fb_comment_id=fbc_10150343605577550_19262669_10150344652707550

URL: promo-ipad.net

Body Text: To celebrate the life of Steve, we have decided to give away 1000 iPad 2′s to honour Steve, who passed away earlier this week.

Fortunately it doesn’t seem to be malicious at this stage – The page you get taken to simply asks you to re-share the link on Facebook and put the text “Thank you Steve” in your status. It looks like an experiment to me, or a sort of guerrilla tribute to Steve Jobs.

That said, as this picks up momentum on Facebook and more people re-share it, it’s quite possible that the author could pivot the scam into something more malicious. The tendency with scams is that the more popular they are, the more trusted they become, and the more popular they get as a result.

A few thoughts…

  • Steve Jobs died just over a week ago. They are giving away 1000 iPads. When I checked they had 198 left… It’s been on 198 for a day now – Have they stopped giving them out? Forgotten perhaps? Or maybe the scammer is leveraging the “scarcity principle” – If a person thinks that they are about to “miss out” they are far more likely to act without thinking things through.
  • The end date is October 16th 2011. It’s October 16th 2011 in the USA right now. See the above point.
  • How would those running the competition contact you to tell you that you’ve won? They aren’t your friends on Facebook – Are they? Or haven’t you thought this through?
  • Where is the competition disclosure statement required by law pretty much everywhere? For that matter – In which jurisdiction is this competition being held? If it was a legal competition this stuff would be there.
  • The landing page is copyrighted “Applepromo 2011”. Did anyone actually google “Applepromo” to see who they are or if they are in any way connected with Apple? I guess now that the phrase is in this post we’ll see!

You’ve been warned. Please think before you re-share this stuff. At best it’s a bit of a waste of time spent excited about something that will never happen. At worst it’s a pivot point into identity theft, viral infection, and a host of other fun things naughty people can do once they have your trust.

Is A 3 Year Old All That’s Between You And Pwned?

Here’s some food for thought… Would you trust a 3 year old:

  • …with access to your mortgage?
  • …to keep your house secure?
  • …with the security of your bank accounts?

Of course you wouldn’t.

Let me try another question then… Is your smartphone PIN access code the same as your:

  • …phone banking password for your mortgage?
  • …the alarm code on your front door?
  • …your ATM PIN number?

I know kids who’ve been able to memorize PINs and unlock their parents’ iPhones since they were very young. If, like for the majority of people, that PIN is “the normal PIN that they use for everything” then they are effectively trusting the keys to their kingdom to the discretion of a 3 year old. To get that PIN all I need to do is ask, watch the child unlock the phone, or hand them a phone and see what they punch in. It’s not that big a stretch, and as smartphones and tablets proliferate into education and childcare I suspect this will become a more relevant concern.

Some tips…

  1. Ideally, don’t reuse PINs AT ALL. Don’t have it so that all of the doors to your castle can be opened with the one key. That’s just unwise.
  2. If you absolutely MUST reuse PINs, keep “low security” and “high security” PINs separate. Don’t give your kids the keys to your castle. (I can’t think of a legitimate reason to justify this, but I know it will happen regardless).
  3. Don’t be paranoid, but be smart with the information you give your kids. The expression “like taking candy from a baby” exists for a reason.

Food for thought.

ALERT: Twitter Profile Views App Hijacks Twitter Accounts

The Twitter Profile Views App is doing the rounds hijacking Twitter accounts. It’s a similar bait to recent Facebook scam apps.

Steer clear of the following:

  • Seriously this amazing app will calculate your twitter views
  • I have had 15460 Twitter Profile Views since i registered in 2008 – See how many you have had here

Don’t get pwned.

ALERT: Trojan Email Spreading as Fake ATO Email

The bad guys are circulating the Zeus Trojan (a nasty piece of malicious software that you don’t want on your computer) via a fake email campaign pretending to be from the Australian Tax Office. The dodgy emails contain Trojan.Zbot malware within a zip file named ‘Restore your account’.

More information from ITNEWS.com.au.

Reiterating some basic email security tips:

  • Install some decent antivirus software and make sure it’s staying up to date.
  • Don’t open ANY KIND of attachment that you weren’t expecting.
  • Stop and think – Does the email look “funny”?

Have you seen this scam email?

"While on Facebook, look at your URL address…" – Real Or Not?

I got asked about a status update which seems to be making the rounds of Facebook at the moment:

From various sources: While on Facebook, look at your URL address. If you see http: instead of https: then you don’t have a secure session and you can be hacked. Go to Account|Account Settings|Account Security and click Change. Check the first box. Otherwise FB defaults …to the non-secure setting. Copy and repost.

First of all, this is NOT a scam or a virus. It’s actually some pretty helpful information – If you follow the instructions in the status update it will force Facebook into HTTPS. HTTPS encrypts the data you send and receive from Facebook as it travels across the Internet, making it pretty difficult to intercept and read or otherwise modify to trick you into doing stuff.

HERE’S THE CATCH – These instructions will NOT protect you from the following:

  • Having a dumb password and someone guessing it.
  • Having the same password as you use on your other account that got hacked the other day.
  • Falling for a Facebook scam (e.g. “Find out who’s visited your profile recently”, etc…)
  • Having a virus on your computer that logs your keystrokes and captures your password.
  • Having a dumb password and som… Oh, I already said that.

I love when people take the initiative to post stuff like this – It really is a good thing. I just think it’s important to remind y’all that there is NO SILVER BULLET when it comes to not getting pwned.

Lost Your Phone? Ur Accounts Iz Pwned.

Most people I know have lost their mobile phone at some point. I have. Apart from the annoyance of losing your contacts, SMSs, and all that jazz, there is a very real security implication to what just happened that affects WAY more than just your phone.

Here’s a few nifty things a malicious individual could do with your phone:

  • If you have email set up, they can run a “Lost Password” routine on your Paypal, eBay, Facebook, Internet Banking, etc, etc, etc.
  • They could pretend to be you via email or SMS to “Socially Engineer” and defraud your friends and family.
  • If you’ve got an iPhone or Android, they could literally hack the phone to retrieve your passwords for Paypal, eBay, Facebook, Internet Banking, etc, etc, etc. Check out this post from PCWorld.
  • You know how banks have implemented that super cool SMS authorization when you transfer funds from your account? Oops.
  • Etc, etc, etc, etc, etc. I’ll revisit the post as I think up more.

The solution? Stop and think for a moment. If you lose your phone, cancel your SIM ASAP, then change your passwords and contact your family and friends to let them know.

Appfresh Helps Keep Your Apple OS X Apps Up To Date

I have a Mac. I love my Mac. I border on being evangelical about my Mac. But I digress…

I keep my Mac up to date with the latest Software Updates because, apart from (usually) making it run better and giving me access to the latest features, keeping your software up to date is important for not getting pwned.

Keeping the Mac’s operating system (i.e. OS X) up to date is relatively easy, just run a “Software Update”.

What’s NOT as easy is keeping all of the OTHER apps on my computer up to date… Applications like Evernote, Cyberduck, Skype, VLC, Garagesale, and so on…

Enter Appfresh.

Appfresh runs through your Mac OS X computer, compiles a list of the software you have installed and the current version levels, and compares it to a list maintained by Appfresh. If a piece of software is out of date, it will automatically download the latest update and install it. Pretty cool.

I ran it on my Mac and, while there were a bunch of applications that it “didn’t know”, it generally did a far better job than I would if left to do it manually.

I highly recommend you check it out. Keep in mind that the software is BETA, use at your own risk, etc etc…

Facebook Security – What Are You Really Sharing?

I’ve noticed a lot of people putting up quizzes on Facebook lately, I did one of my own as well (although I can’t seem to find it now…). I got to thinking about the kind of information people put in a quiz…

  • What is the name of your childhood best friend?
  • Who is your favorite author?
  • What is the name of your first pet?

Do these sound like they are from a Facebook quiz? They do, don’t they… the kind of semi-interesting, semi-obscure, mostly-harmless questions that people come up with on quizzes to sort out those who know them from those who don’t. Right?

Wrong.

These are security questions from a major internet transaction gateway which I’d guess about 50% of people reading this already use. Similar questions are asked by popular free internet email providers that probably more than 90% of you currently have.

Think about this from a security point of view… When you put together a quiz on Facebook you are deliberately posting the kind of information that you are probably ALREADY USING to secure some of your more sensitive internet based accounts.

Consider this scenario…

  1. EvilHacker trundles through Facebook and sees your profile (because you haven’t made it non-public… oops… or maybe you’ve got a massive friends list…)
  2. EvilHacker notices your quiz… EvilHacker works out the answers to your questions.
  3. EvilHacker sees your email address in your info.
  4. EvilHacker does the old Forgot Your Password? trick on your Hotmail/Gmail/Live account… He gets asked some weird question about your favorite author… Oops. Again.
  5. With access to your email address, EvilHacker sees that you use Paymate, Paypal, eBay, etc etc et al.
  6. Rinse, lather and repeat until you are utterly pwned.

Staying safe online is not just about using anti-virus – you gotta use your head too.

Not convinced? Try these…
http://www.wired.com/threatlevel/2008/09/palin-e-mail-ha/
http://www.wired.com/threatlevel/2008/09/group-posts-e-m/
http://www.huffingtonpost.com/2008/09/17/palins-email-account-hack_n_127184.html

ALERT – SMS Advanced Fee Fraud Scam In Australia

I, and a bunch of people I know, all received the same message this morning.

Here’s the body of the text:

Congratulations your mobile have won US¿9.8M for World Bank Award. To claim contact Mrs.Hahn Doyle via:wbre01 gala.net

This is pretty easy to spot as a scam. Here’s a few interesting things I noticed…

  • The SMS sender is “GMX”, which indicates that a computer to SMS program was used.
  • Everyone I know received the message at around 10:00 AM AEDST.
  • Vodafone, Telstra and Optus were among the carriers that received it.
  • My current phone number is only a few months old, I am fairly fussy about who I give my number to, and still this managed to get sent to me which indicates the scammer may have had access to a list.
  • This type of fraud is usually initiated over email due to the low success rate. Perhaps the scammers thought that people would find it easier to trust an SMS…

It’s called “advanced fee fraud”.

If you were to email the address, the person on the other end would ask you to send them a small sum of money to establish the paperwork needed to transfer the funds, or something along those lines. It’s also called a “419 scam”, after the Nigerian police code for email fraud (Nigeria had a bad run of this type of fraud a little while back).

The sad thing is that BILLIONS of dollars are successfully scammed worldwide through advanced fee fraud every year, often from the elderly and those who are prone to being more simple in their allocation of trust. Perhaps it would pay to give Grandma a call and see how she’s going…

Suffice to say you shouldn’t email the address in the text (unless you are a 419baiter – In which case please let us know how you go…!).

If you have made contact and received a reply that sounds like the fraud I’m talking about, please contact Crimestoppers on 1800 333 000.

Did you receive this message today?