
Wednesday, December 17, 2008

Internet Scam Series - Browser safety or lack of!

Major Web browsers fail password protection tests (Source: ZDNet)

Disclaimer: this is not original material but rather a copy of a ZDNet blog post; the information is too important and timely not to share just because I did not author it. Ryan Naraine wrote the material, and the link to the original post is shown at the bottom of this blog post.

That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.

That’s the biggest takeaway from the results of this test which shows that all the major Web browsers — including IE, Firefox, Opera, Safari and Chrome — are vulnerable to a total of 20 vulnerabilities that could expose password-related information.  Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge.  They are:

  1. The destination where passwords are sent is not checked.
  2. The location where passwords are requested is not checked.
  3. Invisible form elements can trigger password management.

Google’s shiny new Chrome browser was among the worst offenders.   According to the study,  Chrome’s password manager contains multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”

Apple's Safari for Windows also failed a majority of the tests.

Technical details of the test, which was conducted by Chapin Information Services, can be found here.

Ryan Naraine is a security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.
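The three weaknesses listed above are, from the other side, the three checks a password manager should make before filling anything in. The following is an added example written for this post (not code from the ZDNet article or from the Chapin test) that models that policy; the form model, origins and field names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlparse


@dataclass
class FormField:
    name: str
    input_type: str        # "text", "password" or "hidden"
    visible: bool = True   # False when CSS hides it or it sits off-screen


@dataclass
class LoginForm:
    page_url: str          # page that requested the password (the "location")
    action: str            # where the form submits (the "destination"); may be relative
    fields: List[FormField]


def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, host, port) of a URL with the default port filled in; None if not http(s)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))


def autofill_decision(saved_for_url: str, form: LoginForm) -> Tuple[bool, List[str]]:
    """Decide whether a credential saved for saved_for_url may be filled into form.

    Returns (allowed, reasons); reasons names each of the three checks the form fails.
    """
    reasons = []
    saved = origin(saved_for_url)
    # 1. Location check: the page asking for the password must be the saved origin.
    if origin(form.page_url) != saved:
        reasons.append("password requested by a different origin than it was saved for")
    # 2. Destination check: resolve a relative action against the page and compare origins
    #    (an http action on an https page fails too, because the scheme is part of the origin).
    if origin(urljoin(form.page_url, form.action)) != saved:
        reasons.append("form would send the password to a different origin")
    # 3. Visibility check: only fill fields the user can actually see.
    user_fields = [f for f in form.fields if f.input_type != "hidden"]
    if not any(f.input_type == "password" for f in user_fields) or any(not f.visible for f in user_fields):
        reasons.append("password field missing or form not visible to the user")
    return (not reasons, reasons)


# Constructed sample forms, all judged against a credential saved for https://bank.example/login
SAVED_URL = "https://bank.example/login"
GENUINE = LoginForm(
    "https://bank.example/login", "/session",
    [FormField("user", "text"), FormField("pw", "password")])
# Same page, but the action points at another host.
OFF_ORIGIN_ACTION = LoginForm(
    "https://bank.example/login", "https://other.example/login",
    [FormField("user", "text"), FormField("pw", "password")])
# A form the user cannot see, which also posts over plain http.
HIDDEN_FORM = LoginForm(
    "https://bank.example/promo", "http://bank.example/login",
    [FormField("user", "text", visible=False), FormField("pw", "password", visible=False)])

if __name__ == "__main__":
    for label, form in [("genuine", GENUINE), ("off-origin action", OFF_ORIGIN_ACTION),
                        ("hidden form", HIDDEN_FORM)]:
        allowed, why = autofill_decision(SAVED_URL, form)
        print(f"{label}: {'fill' if allowed else 'refuse'} {why}")
```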


Tuesday, December 16, 2008

Internet Scam Series – Using SSL to access secure websites

When you go to your bank or some other site that asks for your user name and password, sometimes you will see https (Hypertext Transfer Protocol Secure), also known as SSL (Secure Sockets Layer). On the internet you often go from one computer to another to another, connected through multiple nodes. The easiest way to explain SSL is that you are creating a direct encrypted connection from your computer to that server.

SSL and TLS (Transport Layer Security) are not separate protocols but a combination of normal and encrypted communication. When you are on a secure site, depending on your browser you will see a padlock or some other indicator that you are using an encrypted site. While not totally safe and secure, these sites do provide a reasonable level of protection, assuming a good enough cipher is used and the server presents a trusted and verified certificate.

An https: URL may specify a TCP (Transmission Control Protocol) port; if it does not, the connection uses port 443 (unsecured HTTP typically uses port 80).


To prepare a web server to accept https connections, the administrator must create a public key certificate signed by a certificate authority.

For client/user authentication, to restrict access to a web server to authorized users only, the administrator creates a certificate for each user. These certificates sometimes contain the name and e-mail address of the authorized user and are checked automatically on each reconnect to verify the user's identity.
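As an added example (not code from this blog), here is a Python client that insists on what the padlock is supposed to mean: port 443 unless the URL names another, a certificate that chains to a trusted authority and matches the host name, a strong cipher, and optionally the per-user client certificate described above. The URL, cipher string and certificate paths are assumptions; describe_server needs network access, the rest runs offline.

```python
import socket
import ssl
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def https_target(url: str) -> Tuple[str, int]:
    """Host and TCP port an https URL connects to: port 443 unless the URL names one."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError(f"not an https URL: {url}")
    return (p.hostname, p.port if p.port is not None else 443)


def client_context(client_cert: Optional[str] = None,
                   client_key: Optional[str] = None) -> ssl.SSLContext:
    """Context that requires a trusted, host-matching server certificate and strong ciphers.

    client_cert/client_key (PEM file paths) are the optional per-user certificate the text
    describes; a server set up for client authentication asks for it during the handshake.
    """
    ctx = ssl.create_default_context()      # trusts the system CA store
    ctx.check_hostname = True               # certificate name must match the host requested
    ctx.verify_mode = ssl.CERT_REQUIRED     # and must chain to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = 128) -> List[str]:
    """Names of ciphers the context would still offer with fewer than min_bits of strength."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def describe_server(url: str) -> str:
    """Connect, verify the certificate and report what was negotiated (needs network access)."""
    host, port = https_target(url)
    with socket.create_connection((host, port), timeout=10) as sock:
        with client_context().wrap_socket(sock, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return (f"{host}:{port} {version} {name} ({bits}-bit), "
                    f"certificate issued to {subject.get('commonName')}")


if __name__ == "__main__":
    print(https_target("https://bank.example/login"))    # ('bank.example', 443)
    print("weak ciphers offered:", weak_ciphers(client_context()))
```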

Monday, December 15, 2008

Internet Scam Series – Using the internet safely (Source – SEC)

How to Use the Internet to Invest Wisely

If you want to invest wisely and steer clear of frauds, you must get the facts. Never, ever, make an investment based solely on what you read in an online newsletter or bulletin board posting, especially if the investment involves a small, thinly-traded company that isn't well known. And don't even think about investing on your own in small companies that don't file regular reports with the SEC, unless you are willing to investigate each company thoroughly and to check the truth of every statement about the company. For instance, you'll need to:

  • get financial statements from the company and be able to analyze them;
  • verify the claims about new product developments or lucrative contracts;
  • call every supplier or customer of the company and ask if they really do business with the company; and
  • check out the people running the company and find out if they've ever made money for investors before.

And it doesn't stop there. For a more detailed list of questions you'll need to ask – and have answered – read Ask Questions. And always watch out for tell-tale signs of fraud.

Here's how you can use the internet to help you invest wisely:

Start With the SEC's EDGAR Database

The federal securities laws require many public companies to register with the SEC and file annual reports containing audited financial statements. For example, the following companies must file reports with the SEC:

  • All U.S. companies with more than 500 investors and $10 million in net assets; and
  • All companies that list their securities on The Nasdaq Stock Market or a major national stock exchange such as the New York Stock Exchange.

Anyone can access and download these reports from the SEC's EDGAR database for free. Before you invest in a company, check to see whether it's registered with the SEC and read its reports.

But some companies don't have to register their securities or file reports on EDGAR. For example, companies raising less than $5 million in a 12-month period may be exempt from registering the transaction under a rule known as "Regulation A." Instead, these companies must file a hard copy of the "offering circular" with the SEC containing financial statements and other information. Also, smaller companies raising less than one million dollars don't have to register with the SEC, but they must file a "Form D." Form D is a brief notice which includes the names and addresses of owners and stock promoters, but little other information. If you can't find a company on EDGAR, call the SEC at (202) 551-8090 to find out if the company filed an offering circular under Regulation A or a Form D. And be sure to request a copy.

The difference between investing in companies that register with the SEC and those that don't is like the difference between driving on a clear sunny day and driving at night without your headlights. You're asking for serious losses if you invest in small, thinly-traded companies that aren't widely known just by following the signs you read on Internet bulletin boards or online newsletters.

Contact Your State Securities Regulators

Don't stop with the SEC. You should always check with your state securities regulator, which you can find on the website of the North American Securities Administrators Association, to see if they have more information about the company and the people behind it. They can check the Central Registration Depository (CRD) and tell you whether the broker touting the stock or the broker's firm has a disciplinary history. They can also tell you whether they've cleared the offering for sale in your state.

Check with the Financial Industry Regulatory Authority (FINRA)

To check the disciplinary history of the broker or firm that's touting the stock, use FINRA's BrokerCheck website, or call FINRA's BrokerCheck Program hotline at (800) 289-9999.

Online Investment Fraud: New Medium, Same Old Scam

The types of investment fraud seen online mirror the frauds perpetrated over the phone or through the mail. Remember that fraudsters can use a variety of Internet tools to spread false information, including bulletin boards, online newsletters, spam, or chat (including Internet Relay Chat or Web Page Chat). They can also build a glitzy, sophisticated web page. All of these tools cost very little money and can be found at the fingertips of fraudsters.

Consider all offers with skepticism. Investment frauds usually fit one of the following categories:

The "Pump And Dump" Scam

It's common to see messages posted online that urge readers to buy a stock quickly or tell you to sell before the price goes down. Often the writers will claim to have "inside" information about an impending development or to use an "infallible" combination of economic and stock market data to pick stocks. In reality, they may be insiders or paid promoters who stand to gain by selling their shares after the stock price is pumped up by gullible investors. Once these fraudsters sell their shares and stop hyping the stock, the price typically falls and investors lose their money. Fraudsters frequently use this ploy with small, thinly-traded companies because it's easier to manipulate a stock when there's little or no information available about the company.

The Pyramid

Be wary of messages that read: "How To Make Big Money From Your Home Computer!!!" One online promoter claimed that investors could "turn $5 into $60,000 in just three to six weeks." In reality, this program was nothing more than an electronic version of the classic "pyramid" scheme in which participants attempt to make money solely by recruiting new participants into the program.

The "Risk-Free" Fraud

"Exciting, Low-Risk Investment Opportunities" to participate in exotic-sounding investments – such as wireless cable projects, prime bank securities, and eel farms – have been offered through the Internet. But no investment is risk-free. And sometimes the investment products touted do not even exist – they're merely scams. Be wary of opportunities that promise spectacular profits or "guaranteed" returns. If the deal sounds too good to be true, then it probably is.

Off-shore Frauds

At one time, off-shore schemes targeting U.S. investors cost a great deal of money and were difficult to carry out. Conflicting time zones, differing currencies, and the high costs of international telephone calls and overnight mailings made it difficult for fraudsters to prey on U.S. residents. But the Internet has removed those obstacles. Be extra careful when considering any investment opportunity that comes from another country, because it's difficult for U.S. law enforcement agencies to investigate and prosecute foreign frauds.

The SEC Is Tracking Fraud

The SEC actively investigates allegations of Internet investment fraud and, in many cases, has taken quick action to stop scams. We've also coordinated with federal and state criminal authorities to put Internet fraudsters in jail. Here's a sampling of recent cases in which the SEC took action to fight Internet fraud:

Francis A. Tribble and Sloane Fitzgerald, Inc. sent more than six million unsolicited e-mails, built bogus web sites, and distributed an online newsletter over a ten-month period to promote two small, thinly traded "microcap" companies. Because they failed to tell investors that the companies they were touting had agreed to pay them in cash and securities, the SEC sued both Tribble and Sloane to stop them from violating the law again and imposed a $15,000 penalty on Tribble. Their massive spamming campaign triggered the largest number of complaints to the SEC's online Enforcement Complaint Center.

Charles O. Huttoe and twelve other defendants secretly distributed to friends and family nearly 42 million shares of Systems of Excellence Inc., known by its ticker symbol "SEXI." Huttoe drove up the price of SEXI shares through false press releases claiming non-existent multi-million dollar sales, an acquisition that had not occurred, and revenue projections that had no basis in reality. He also bribed co-defendant SGA Goldstar to tout SEXI to subscribers of SGA Goldstar's online "Whisper Stocks" newsletter. The SEC obtained court orders freezing Huttoe's assets and those of various others who participated in the scheme or who received fraud proceeds. Six people, including Huttoe and Theodore R. Melcher, Jr., the author of the online newsletter, were also convicted of criminal violations. Both Huttoe and Melcher were sentenced to federal prison. The SEC has thus far recovered approximately $11 million in illegal profits from the various defendants.

Matthew Bowin recruited investors for his company, Interactive Products and Services, in a direct public offering done entirely over the Internet. He raised $190,000 from 150 investors. But instead of using the money to build the company, Bowin pocketed the proceeds and bought groceries and stereo equipment. The SEC sued Bowin in a civil case, and the Santa Cruz, CA District Attorney's Office prosecuted him criminally. He was convicted of 54 felony counts and sentenced to 10 years in jail.

IVT Systems solicited investments to finance the construction of an ethanol plant in the Dominican Republic. The Internet solicitations promised a return of 50% or more with no reasonable basis for the prediction. Their literature contained lies about contracts with well known companies and omitted other important information for investors. After the SEC filed a complaint, they agreed to stop breaking the law.

Gene Block and Renate Haag were caught offering "prime bank" securities, a type of security that doesn't even exist. They collected over $3.5 million by promising to double investors' money in four months. The SEC has frozen their assets and stopped them from continuing their fraud.

Daniel Odulo was stopped from soliciting investors for a proposed eel farm. Odulo promised investors a "whopping 20% return," claiming that the investment was "low risk." When he was caught by the SEC, he consented to the court order stopping him from breaking the securities laws.

If you believe that you have been the victim of a securities-related fraud, through the Internet or otherwise, or if you believe that any person or entity may have violated or is currently violating the federal securities laws, you can submit a complaint using our online complaint form or email us at enforcement@sec.gov.

Source: US Securities and Exchange Commission

Sunday, December 14, 2008

Internet Scam Series – Phishing

Ever get an email, supposedly from a bank you do business with (or one you do not) or from a company you do business with, stating that your password has expired and asking you to enter your old username and password and a new password to secure your account, or something to that effect?

How about an email about your PayPal account that takes you to a link that looks just like your real account?

These and other things like it are called phishing, pronounced "fishing". A third party seeks to gain access to your account information so they can get at your funds and/or credit information, either to deplete your funds or to steal your identity.

Technically this activity is defined as: a criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Where many are misled is that it is not just by computer: you may get a phone call that seems perfectly legitimate requesting similar information. Phishing can occur using:

  • Link manipulation
  • Filter evasion
  • Website forgery
  • Phone phishing

How do you protect yourself?

  • Never give out your credit card or bank information over the phone unless you placed the call and verified who you are talking to
  • Never respond to a phone call or email with a link leading to a website requesting that you change your account information
  • Keep your antispyware software current and run weekly scans (at minimum)
  • Keep your antivirus software current and run weekly scans (at minimum)
  • Check the full header information of any email
  • Call your bank or the business in question to verify the call

In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of e-mails to America Online users while posing as AOL's billing department and is facing 101 years in jail.

If you want to learn more about phishing, here is a resource link.
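Two of the checks above can be done by a program rather than by eye: comparing the domains in the Return-Path and Reply-To headers with the visible From address, and spotting link manipulation where a link's text shows one site but its href goes somewhere else. This is an added example, not from the original post; the message below is constructed for it (the addresses, hosts and IP are made up).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "your password has expired" notice; not a real message.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <security@examplebank.com>
Return-Path: <bounce@mail-relay.example.net>
Reply-To: support@examplebank-verify.example
Subject: Your password has expired
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your password has expired. Please visit
<a href="http://203.0.113.77/login">https://www.examplebank.com/login</a></p>
</body></html>
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the address in a header value, '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def header_mismatches(raw: str) -> list:
    """Headers whose address domain differs from the visible From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"]))
    return [name for name in ("Return-Path", "Reply-To", "Sender")
            if msg[name] is not None and domain_of(str(msg[name])) != from_domain]


class _LinkCollector(HTMLParser):
    # Gathers (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text: str):
    """Host named by a link's text, if that text itself looks like a URL or domain."""
    if "://" in text:
        return urlparse(text).hostname
    return text.split("/")[0] if text.startswith("www.") else None


def deceptive_links(raw: str) -> list:
    """Links whose visible text names a different host than the href actually goes to."""
    body = email.message_from_string(raw, policy=policy.default).get_body(("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    return [(href, text) for href, text in parser.links
            if shown_host(text) and shown_host(text) != urlparse(href).hostname]
```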

Saturday, December 13, 2008

Internet Scam Series – Money / Dead Person or Relative

You are contacted and told that a distant relative died, or they want you to act as a broker and you will receive some percentage of the money. In this scam there is usually a hacker offshore who asks you to set up an account; they steal money from someone else, put it in your account, and ask you to wire or transfer the balance to them. You are then charged with quite a few crimes, and since they are offshore they have the money and are nowhere to be found.

These emails often claim to be from the UK, but ironically Russia is the worst for this sort of cyber crime.


91 - 94 Shorts Gardens

Covent Garden, WC2H 9AA

London, United Kingdom.


In appreciation of your esteemed contact received through a reliable Source and the choice of your country. I wish to introduce myself. I am Mr. Tim Byuce, a solicitor at law. I am the personal attorney to Mr. Terrill Prue, An American, who was a contractor and a businessman here in London

On the 30th of April 2000, my client, his wife and their three children were involved in a car accident in which all occupants of the vehicle died. My client {Terrill} deposited as family belongings in a bank here in London, the sum of £20 Million British Pound, with the hope of transferring it to his country as soon as he is on leave. 

Since his death I have made several attempts to locate any of my clients extended relatives, but this attempt so far has been unsuccessful. 

After these several unsuccessful attempts, hence I contacted you. I have contacted you to assist in repatriating the money and property left behind by my client before they get confiscated or declared unserviceable by the Bank where the deposit was made. 

Now the Bank has issued me a notice to provide the next of kin or have the money confiscated within the next fourteen official working days. Since I have been unsuccessful in locating the relatives for over 2 years now. I seek your consent to present you as the next of kin of the deceased. All legal documents to aid your claim for this fund and to prove your relationship with the deceased will be arranged for. Your help will be appreciated with 30% of the total sum. 

All I require is your honest co-operation to enable us see this deal through. I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law. Please accept my apologies, keep my confidence and disregard this letter if you do not appreciate this proposition I have offered you. However, if you do please include your phone and fax number in your response for better communication. God bless you and your family. 

Best Regards, 

Tim Byuce. 


Yes, the above is an example of a real letter.

They will ask you to visit them in their country, or they may ask you to set up a bank account and give them the account number so they can transfer the funds; another variant is that they will ask you to put up good-faith money, promising you great returns. I would not advise even bothering: either give it to your lawyer to respond (if it is legal they will not have a problem) or just delete the email.

Friday, December 12, 2008

Internet Scam Series – Russian Dating

Beware of these. Typically the scam works like this: she will claim to have met you via a social network or a random email. She will either offer her email or, if she has access to yours, send you a letter outlining her history and background. Sooner or later expect a picture. Once she gains your confidence she will morph her story into one of hardship, with her needing money to free herself from the situation: abusive marriage, boyfriend, school, debt, etc.

There are variants of the scam, but usually she tries to gain your confidence, promising her affection, marriage or (sometimes) sex, and all of them sooner or later lead to a request for financial assistance. The types of scammers:

  1. Visa and Tickets Scammer
  2. An Unscrupulous or Fake Marriage / Translation Agency
  3. Vacation Hunters
  4. Pro-Dater
  5. Accommodation Scam
  6. Bigger Better Deal (BBD) Hunter
  7. Green Card Hunter / Gold Digger 

Once you have sent the money and there is no more to give, they will disappear. (Note: this is a well-known foreign scam, but domestic versions of the scam also exist: lost child, money for medical aid, etc.) Below is a real letter sent to me as an example, and beneath that links to resources to spot Russian dating scams.

Hello my new friend!

Your electronic address to me a distance in agency of acquaintances! I hope that our correspondence will be nice for each of us! It’s first time for me when I decided to meet with the man through the Internet. May be you will have a question why I do so. I was disappointed in Russian men. I think most of them very false and deceptive. But I believe that everyone of us make its happiness yourself. I believe that one day I meet my love and I’ll love him forever. Now I want to tell you about myself. My name is Juliya. It’s very popular Russian name. 

I was born at 20th of March 1980. I was born in town Omsk, Russia and I live here all my life! It ` s very nice provincial town. 

It ` s not very big but very beautiful. I have never been abroad. And I even never been in other town of Russia. I want to travel and learn interesting things and parts of country and all world. 

And do you like traveling? Hope you understand my English. It’s not my native language. I learnt it in the school and University and now I learn it myself at home! At University I studied Economy and I have the diploma of Economist. I studied in Omsk State Technical University. But in our town it ` s very difficult to find a good job and I sell shoes in shoes shop. I like my work and I do it with pleasure. Where do you work? Do you like your work? I work five days in week. On Saturday and Sunday I do work at home, go for a walk, cook, read books and have a rest. Do you have hobby? Do you like reading books? I like Russian Classics such as Michael Bulgakov, Lev Tolstoy, Aleksandr Pushkin. Have you heard about it? Now I read very interesting book " Anna Karenina " written by Lev Tolstoy. I think that books teaches us how to live right and we can see very good advices there. Oh, I forgot about time, I don ` t have computer at my home and I write you from Internet Cafe. Tomorrow I’ll come to check my e-mail again. I hope to see letter from you soon!!!

P. S. Do you like my photo? Please send me your photos, I’ll be very glad to get them! 

Bye!!!

Your friend from Russia Juliya.


You get a letter like this. Soon the conversation will switch from dating to money and how they need help. They will ask you to send money and will never agree to meet, yet will even talk about wanting to marry you and how special you are. Avoid this scam also. Usually a picture will be included with the email. Best to just delete the email.
