Phishing Page

What is it?

We have all read about phishing trojans, but many of you probably do not know what they are or how they work. I came across one over the weekend while backing up a client’s website. My anti-virus system prevented me from downloading the backup to my computer and warned me that one was present. As I was concerned about the security of this particular website, I took it apart to find out where it was and what it was doing.

Phishing

Phishing refers to a form of identity theft in which credentials such as a user name and password are compromised, often without your knowledge. Other than reading about them, I had not come across one before. This one relates to stealing someone’s email address and email password.

I turned off my anti-virus (not recommended if you do not know the risks), downloaded the zipped folder containing the files into a special area on my computer and then inspected the files. Two files contained code; one was a web page. Only one of the files was being flagged as containing the phishing trojan. Its contents were very simple: it packaged up the information and sent out an email to two recipients.


Two Scams to be aware of…..

I have come across two scams this week targeting small regional charities. One, about domain registration, I came across several years ago, but it looks like it is still going on. The first encourages you to call a premium-rate number.

Scam #1: Contact me message

You all have forms on your websites, and you usually get legitimate enquiries through them. Do, however, check the contents of a message, and if the only way you can contact someone is via a premium-rate number then don’t bother calling. If the content is virtually non-existent, like the one below, it is encouraging you to call a premium-rate number. In this particular case I checked the number through a web search. This individual is sending messages to websites through contact forms. So if 10 people call back, that is £1+ they have made, depending on how long they keep you on the phone; you would not know what their premium rate is prior to calling.

If you are not sure, type the following into a Google search form: who called me 08712771062 (obviously substitute the number you wish to check). In this particular case it took me to this page: http://who-called.co.uk/Number/08712771062. If you read the reported cases there, you can see the depth of the scam and other people’s comments.

Normally anyone contacting your organisation will provide more information in the form for you to process and not leave a short message like this.

Scam #2: About your domain name

In many cases I am looking after your domain names, so if you get anything like this send it to me; it is a bit more subtle than the previous one. In general, domain names are registered to organisations and that registration information can be found on the internet, so a determined third party can locate it and then contact you. This is how the domain scam works:


Obfuscated links – take care

One of the websites I look after was taking content provided by third parties and adding it into the website. I was working my way through some posts when I came across a strange looking link hidden under an innocent looking title.

The editor in this case had just cut and pasted everything, and had not tested it. There were two cases; one went to a newsletter mailing website and was then diverted to the actual site. In this case the actual site was simply a holding page, and the fact that the link went to that site via a third party meant it was logged. Of course we do not know what else happened on the way. The link text said Yurts for Life, but the link was actually going here:

http://manorfarm.us10.list-manage1.com/track/click=eea270f45b87b007e97fa644b&id=ebeb93cbe5&e=c391a34f71  

That is not Yurts for Life. When clicked, the link went somewhere, then somewhere else.

The link was provided in good faith; however, if nobody checks these things it can simply be passed down the chain. In this case it is probably completely innocent, but what if it wasn’t? Would you know? The fact that you have put this on your site exposes it to all of your visitors.

Test it when you publish it
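One way to do that test automatically before publishing, as an added example that is not the author’s code: it scans pasted HTML for anchors whose destination host is not named in the link text, and for tracking-redirect paths like the list-manage /track/click link quoted above. The sample HTML and hosts are constructed for illustration.

```python
"""Flag anchors whose visible text does not match where they actually go."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample of third-party content as pasted by an editor (not a real page).
SAMPLE_HTML = """
<p>More at <a href="https://www.yurtsforlife.example/">Yurts for Life</a>.</p>
<p>Also <a href="http://manorfarm.us10.list-manage1.com/track/click?u=eea270f45b87b007e97fa644b&amp;id=ebeb93cbe5&amp;e=c391a34f71">Yurts for Life</a>.</p>
<p><a href="http://tracker.example/track/click?u=abc">Newsletter</a></p>
"""

# Path fragments typical of click-tracking redirects (assumption, extend to taste).
TRACKER_PATH = re.compile(r"/track/click|/redirect|/r/", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches_text(host, text):
    """True if a meaningful word (longer than 3 letters) of the link text appears in the host."""
    words = [w for w in re.findall(r"[a-z]+", text.lower()) if len(w) > 3]
    return any(w in host for w in words)

def check_links(html):
    """Return [(href, text, reasons)] for links an editor should test before publishing."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if TRACKER_PATH.search(parts.path):
            reasons.append("tracking redirect path")
        if text and not host_matches_text(host, text):
            reasons.append("link text does not name the destination host")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged
```

Anything returned still needs a human to click it and watch where it lands; the check only tells you which links to test first.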



Phishing Example

A client sent me an email about someone claiming to be a supplier of services, aggressively demanding payment and threatening further action if the demand was not met. They asked if it was genuine. The problem with many of these is that they may appear credible, and that is exactly what the scammers behind them are trying to achieve.

See the image below and what to do to check for yourself:



You don’t want one of these….

I was passed the following message in a text file from a small regional charity. It was on the start up screen when the computer was turned on.

ATTENTION!
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.49965 BTC (bitcoins).
Please follow this manual:
1. Create Bitcoin wallet here: https://blockchain.info/wallet/new
2. Buy 0.49965 BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins
3. Send 0.49965 BTC to this Bitcoin address: 1FkFRVWCvTyimcAAxq19dhYGspQ4KaeoabL
4. Open one of the following links in your browser to download decryptor:

http://tt-metall.ru/counter/?a=1FkFRVWCvTyimcAAxq19tidShQ4KaeoabL
http://technocooks.com/counter/?a=1FkFRVWCvTyimcAAxqsHyiLppQ4KaeoabL
http://projectdare.co.uk/counter/?a=1FkFRVWCvTyimcAAxq19ssHppQ4KaeoabL
http://grutorax.com.br/counter/?a=1FkFRVWCvTyimcAAxq19mITppQ4KaeoabL
http://www.wordbaasoverdebal.nl/counter/?a=1FkFRVWCvTyimcAAxq13SDppQ4KaeoabL

5. Run decryptor to restore your files.

PLEASE REMEMBER:

– If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
– Nobody can help you except us.
– It`s useless to reinstall Windows, update antivirus software, etc.
– Your files can be decrypted only after you make payment.
– You can find this manual on your desktop (DECRYPT.txt)

(In the above example I have edited all of the links to make them void just in case anyone was curious to take a look and land in more trouble.) 

Is it real? What should I do?

First, tell your manager. It may represent a risk to the office and everything connected to the local area network.



Problems sending mail to BT (British Telecom) addresses?

Are you affected?

Are you the problem?

If you are sending out bulk emails (emails with lots of addresses in the header) then your mail may be the reason why a server is blacklisted. This area is a major problem because most mail is junk mail; some speculate that as much as 80% of mail is junk or spam. Service providers use various methods of identifying rogue sources of mail. These systems are automated and do not always get it right.

You may be aware of BT-related problems on a number of occasions over the past year. BT are now, more helpfully, providing a link in their mail rejection notice to some guidance on best practice for creating bulk emails.

You can read about it here: BT Best Practices for Bulk Mail.


Facebook Likes

There appears to be a scam, well, several of them because I have seen this before, where you can buy your friends. The Facebook like, when it came out a few years ago, was often prized; it is a measure of how popular your site is. For a small regional charity with around 250 visits a month, having 30-50 likes is important, as this helps to propagate your site among other local people.

However don’t get too focused on it. I keep seeing mails like this one below.


Contact Us

On: Apr 19, 2016 @ 11:23 PM
IP: 45.40.34.110

  • Name: Donna
  • Contact Number: http://nft.lol/7uzt
  • Email Address: wifjgjglyx@gmail.com
  • I wish to contact you about:
  • Your message: Did you just create your new Facebook page? Do you want your page to look a little more “established”? I found a service that can help you with that. They can send organic and 100% real likes and followers to your social pages and you can try before you buy with their free trial. Their service is completely safe and they send all likes to your page naturally and over time so nobody will suspect that you bought them. Try their service for free here: http://janluetzzler.de/3vm2



Email and Blacklists

Bounce back messages

If you try to send an email and you get a message back to indicate that it could not be sent, you may find that either your domain name or the destination domain name is blacklisted.

Blacklist checkers independently identify spam sources on the internet. These are servers from which bulk (meaning hundreds or thousands of) unsolicited mails are sent, usually by a hacker or someone who is manipulating an account on the server. It does not necessarily mean that the spam has originated from your account.

The blacklist records where a server has been independently identified as a spam mail source. Somewhere in the mail path between the sender and recipient, a process checks whether the mail has come from, or is going to, a listed spam source. The message you get back is often cryptic. One of the first things to do is check whether the problem is at your end: not necessarily your domain, but the server your domain is running from. You can do that using a Black List Check.

If your domain name is ok, check the domain name of the person you are trying to send to.

Black List Check

I came across a useful tool for checking whether your domain is listed on a blacklist. You can check here:

http://www.inmotionhosting.com/support/tools/blacklist-check

If you find your domain name is listed on a blacklist, please bring it to my attention via the contact us page.


Managing mail continued….

I mentioned a month ago that I had turned on Spam Assassin in the hosting for my personal email account. This continues to work very well, reducing the burden of filtering out spam messages. It is not 100% foolproof, but it does catch a lot of them.

I use four mechanisms now.

1. Turn on Spam Assassin in the control panel.

2. Create an account filter (affects all mail coming into your domain) to automatically delete mail that scores 7 or more plus symbols in the spam bar (it is written like this: +++++++). Anything scoring 7 or more is definitely spam.

3. Create a second account filter that sends any message scoring 5 plus symbols in the spam bar (it is written like this: +++++) to a specially created account called suspectspam@[mydomain.org.uk]. All of this suspected spam then goes to a specific mail account that you can check periodically. Five + symbols generally means the message is highly likely to be spam.

4. In my Outlook account I use ESET Smart Security. Things that escape the spam filter but are clearly spam (I get a lot of pretend newsletters) are detected and moved automatically.

These four steps have made processing email a lot easier. If this is of interest I can write a short tutorial on it, it is easy to set up. Let me know by making a comment below.
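To make the two account filters in steps 2 and 3 concrete, here is an added example (not the author’s hosting configuration) that applies the same thresholds to the X-Spam-Bar header SpamAssassin adds: 7 or more pluses is deleted, 5 or 6 is redirected to the suspect-spam mailbox, anything else is delivered. The mailbox name and the sample messages are constructed placeholders.

```python
"""Route mail by the SpamAssassin spam bar, mirroring the two account filters above."""
from email import message_from_string
from email.message import Message

# Placeholder for the author's suspectspam@[mydomain.org.uk] account.
SUSPECT_MAILBOX = "suspectspam@example.org.uk"
DELETE_AT = 7     # filter 2: 7+ pluses is definitely spam, delete it
SUSPECT_AT = 5    # filter 3: 5+ pluses is highly likely spam, quarantine it

def spam_bar_count(msg: Message) -> int:
    """Number of '+' in X-Spam-Bar; 0 if the header is missing, empty or negative ('-')."""
    bar = (msg.get("X-Spam-Bar") or "").strip()
    return len(bar) if bar and set(bar) == {"+"} else 0

def route(raw: str) -> tuple:
    """Return ('delete', None), ('redirect', SUSPECT_MAILBOX) or ('deliver', original To)."""
    msg = message_from_string(raw)
    pluses = spam_bar_count(msg)
    if pluses >= DELETE_AT:
        return ("delete", None)
    if pluses >= SUSPECT_AT:
        return ("redirect", SUSPECT_MAILBOX)
    return ("deliver", msg.get("To"))

# Constructed sample messages carrying the header SpamAssassin adds on cPanel hosting.
SAMPLES = {
    "junk": "X-Spam-Bar: +++++++++\nTo: me@example.org.uk\nSubject: cheap pills\n\nbody\n",
    "suspect": "X-Spam-Bar: ++++++\nTo: me@example.org.uk\nSubject: newsletter?\n\nbody\n",
    "ham": "X-Spam-Status: No, score=-1.2\nTo: me@example.org.uk\nSubject: minutes\n\nbody\n",
}

def route_all(samples=SAMPLES) -> dict:
    """Decide what to do with each sample; keyed by the sample name."""
    return {name: route(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, decision in route_all().items():
        print(f"{name:8s} -> {decision}")
```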

Additionally

If you use the filtering facilities in your hosting control panel, you can also trap and redirect certain forms of email. This can be quite a powerful tool as well.


Scam for .org users

22nd November 2015

I received this message this morning. (I removed the full domain name)


Domain Notification: MARK WINGROVE This is your Final Notice of Domain Listing – xxxxx.ORG

Requested Reply Before: November 23,2015

PART I: REVIEW SOLICITATION

Attn: MARK WINGROVE

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration and save.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.
