email

iPhone, BlackBerry, Palm Pre All Vulnerable To Spear-Phishing Experiment

Phony LinkedIn invitation from 'Bill Gates' lands in smartphone inboxes.

Facebook Password Spam Conceals Malware Attack

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Special Alert from the FDIC (Federal Deposit Insurance Corp)

Special Alerts

SA-183-2009 
October 27, 2009
TO: CHIEF EXECUTIVE OFFICER (also of interest to Security Officer)
SUBJECT: Fraudulent E-Mails Claiming to Be From the FDIC
Summary: E-mails fraudulently claiming to be from the FDIC are attempting to trick recipients into installing unknown software on personal computers. These e-mails falsely indicate that recipients should download and open a "personal FDIC insurance file" to check their deposit insurance coverage. The "insurance file" may actually be a form of spyware or malicious code and may collect personal or confidential information.

The Federal Deposit Insurance Corporation (FDIC) has become aware of e-mails appearing to be sent from the FDIC that are asking recipients to download and open a "personal FDIC insurance file" to check their deposit insurance coverage. These e-mails are fraudulent and were not sent by the FDIC. The FDIC is attempting to identify the source of the e-mails and disrupt the transmission.

Currently, the subject line of the fraudulent e-mails includes the wording "check your Bank Deposit Insurance Coverage." The e-mails state: "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets."

The e-mails ask recipients to "visit the official FDIC website" by clicking on a hyperlink provided, which appears to be related to the FDIC and directs recipients to a fraudulent Web site. The Web site includes hyperlinks that appear to open forms. However, it is believed that clicking on the hyperlinks will cause an unknown executable file to be downloaded. While the FDIC is working with the United States Computer Emergency Readiness Team (US-CERT) to determine the exact effects of the executable file, recipients should consider the intent of the software as a malicious attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to online banking services or to conduct identity theft. Financial institutions and consumers should NOT access the Web site or download the executable files provided on the Web site.

Information about counterfeit items, cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-3054, Washington, D.C. 20429, or transmitted electronically to alert@fdic.gov. Information related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.

For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

  Sandra L. Thompson
  Director
Division of Supervision and Consumer Protection

Distribution: All FDIC-Insured Institutions

Note: Paper copies of FDIC Special Alerts may be obtained through the FDIC's Public Information Center, 1-877-275-3342 or 703-562-2200.

Last Updated 10/27/2009 communications@fdic.gov

Urban Legends

 Yesterday I received a "hot tip" from a friend in the form of an email offering a free laptop from Sony-Ericsson if I forwarded the offer to 8 people on my address list.  I'd get even a better laptop if I sent it to 20.  Too good to be true, right?  Right!  A quick visit to snopes.com answered my question and straightened out my friend.  Not only was there no laptop, but the person's name on the offer never existed.  It was a pretty picture of a nice laptop!  Urban legends, they're also in email.  Check before you send, or you might be sorry!  Stop. Think. Secure IT!

Sony Ericsson Laptop Scam

A new email scam has been reported offering a free laptop to people for forwarding the email. Sony Ericsson made no such offer; the email address is bogus, and the company has no one by that name offering the laptops.

PayChoice Suffers Another Data Breach

Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers.

Attack E-mails Use Fake Shipping Confirmation Ruse

A triple-payload e-mail attack that uses a fake shipping confirmation notice with a supposed attached label is making the rounds, according to Webroot.

Microsoft Blocks Hacked Hotmail Accounts

Phishing scam may also have breached e-mail services offered by Google and Yahoo.

If It's Too Good to be True...

Complaints about phishing have been coming in for a couple of years.  Most of us know what phishing is, and when something sounds like it's too good to be true, it probably is.  

Fighting Phishers in Light of Gmail, Yahoo, Hotmail Password Leaks

"Apart from accessing the user's Webmail accounts, e-mail addresses are commonly used to log into social networking sites," Wood said. "So with a successful phishing attack, the bad guys not only gain access to an individual's e-mail account, but also a variety of other sites that may be linked to that account. People should be advised not to share the same password for these sites and should change their passwords at least every 90 days."
