Archive for the ‘Phishing’ Category

Old school email frauds that still work

Wednesday, February 27th, 2008

As the average Internet user wises up to the classic fraudster angles, criminals have to move to new targets. People are getting better at recognizing emails phishing for their Bank of America online banking credentials. We’ve all seen 419 scams in our inboxes, which are looking for you to front money for a bigger payout down the line (aka “advance fee fraud”).

As a result, the bad guys have had to turn their attention to new targets. In 2007, we saw attacks looking to get at employers’ Monster.com accounts, individuals’ MySpace and Facebook contacts as well as Salesforce credentials. There has also been a rise in classic phishing emails targeting smaller banks or banks in emerging economies, where the average end user isn’t as experienced at dealing with phish.

But in our hurry to stay on top of the latest trends, we can sometimes lose sight of the tried-and-true fraud techniques that still work.

And sometimes it’s easier to be fooled when the threat is directed at our employers.

I recently had the following two emails forwarded to me. Folks were asking: are these for real?


Phishing with consent: Myspace profile tracker spam

Thursday, December 6th, 2007

Just like any normal Myspace user, I tend to browse my friends’ bulletins to see if there is anything of interest that might catch my eye. A Myspace bulletin is like an announcement message; it gets posted to all of your friends’ bulletin boards for them to see. So, a few days ago, I came across a bulletin from my Myspace “friend” and digg.com founder, Kevin Rose. (I don’t know Kevin; he’s my “friend” in the loosely connected, easily created Myspace way.)

Kevin Rose posts a bulletin about a Myspace Profile Tracker.

The URL in the bulletin from Kevin takes you to hxxp://stalkertrack.com.

It’s highly unlikely that Kevin intended to send this bulletin. It should be noted that this was not an isolated incident.

This piqued my interest, so I decided to “digg” a little deeper to find out why a few web-savvy folks would openly give out their login credentials to a service that is not promoted or supported by Myspace itself, and is even actively discredited by the Myspace founders.


Phishing hits in your filter == User that needs training

Thursday, September 27th, 2007

Any IT Manager can tell you that the biggest bang for your budget dollar comes from training. Simply teaching your users some security 101 — don’t haphazardly double click on email attachments, pay attention to file extensions, don’t click on links in unsolicited emails and IMs, learn to recognize a phish — drastically reduces your attack surface. Even with the evolution of blended threats and the steady stream of newly exploitable vulnerabilities announced each day, the single biggest threat propagation vector is still attachments on mass emails.
