Maximum PC scam RSS Feed

Major e-sellers Have Made Millions Scamming Customers

Bart Salisbury — Wed, 18 Nov 2009 15:06:56 -0600

Stuff like this is why we’re told to always be wary. Not just of strangers, it appears, but of friends as well. The Senate Committee on Commerce, Science and Transportation held a hearing on Tuesday, where it laid out the ‘questionable’ marketing practices of Vertrue, Webloyalty, and Affinion, web merchants that sign up users to “web loyalty programs,” to the tune of $9 to $12 a month, without the user being aware. How? By riding on the coattails of respected e-retailers such as Orbitz, Buy.com, Fandango, and Continental Airlines.

How’s the alleged scam work? At the end of a transaction at a legitimate web site a pop-up appears asking the user to enter an email address if they are interested in receiving cash back or a coupon. Simple enough, except buried in the fine print is enrollment in the web loyalty program, along with permission to charge the user’s credit card a monthly fee. Where’s the credit card information come from? The legitimate web site sells that information to the loyalty program. The user never knows about the transaction until a charge appears on their credit card statement. The user gets double-pwn3d: by the unscrupulous web loyalty program, and by a trusted merchant.

Overall, the Senate Committee estimates the three loyalty programs generated more than $1.4 billion from the scheme, with $792 million kicked back to the web retailers who provided the user’s credit card information. (Classmates.com, for example, raked in $70 million.)

It would be easy to lay the blame at the users feet: you really should read the fine print. (Although the vast majority of us never do.) But the Senate Committee reported that managers at Affinion, Vertrue and Webloyalty knew full well that people were completely unaware of what they were signing up for, and that their programs were specifically designed to mislead people. The ‘legitimate’ retailers who enabled this were also aware of what was going on, but turned a blind-eye because of the revenue it generated.

Webloyalty and Vertrue stated during the hearing they’ve changed their business practice, and now require additional information for enrollment. Others aren’t convinced, arguing that the only way to curb the practice is to make it illegal for retailers to sell customer’s personal information.

Image Credit: trochim/Flickr

Facebook Promises to Get Rid of Scam Adverts

Ryan Whitwam — Fri, 06 Nov 2009 21:05:57 -0600

Facebook is the king of social networking with more users than any other web 2.0 site. With all those users, it’s also an attractive place for scammers that want access to lots of eyeballs. After a few embarrassments, Facebook is promising to take a stronger stance against deceptive advertising.

Facebook has gotten a bit of a black eye in the press lately after some companies using the platform were accused of scamming users. These scams often come in the form of special offers and surveys within games. Facebook’s Nick Giano wrote in a blog post that the site was aware of the problem and was actively working on it.

Users of the site also encountered a rise in stimulus scam ads earlier in the year; Facebook notes that they were quickly removed from the site. Hopefully this new wave of scams can be dealt with in the same manner. Facebook claims that over 100 developer applications have already been removed or “brought into compliance" so far. Have you noticed any fishy behavior on Facebook?

Murphy's Law: C-Y-A on the WWW

David Murphy — Thu, 29 Oct 2009 12:15:44 -0500

What a wonderful world that open and closed platforms have created on the World Wide Web. I can have an untold number of features and applications inserted into my Web browser without having to lift much more than a finger to access them. I can take my favorite Web platforms and expand their usefulness by linking them to other Web-based services. I can even download a variant of my Web browser of choice that bridges the best of two worlds under one new roof: new innovations mixed with standard familiarity.

So, what happens when these architectures fight back?

It's a stupid thing to say on its face, because I don't believe that it's up to a particular program or application to breach your defenses and fight its way into your cyber-life. Most, if not all instances of malware, spoofing, and hijacking (to name a few) can be directly traced to user stupidity in some fashion. Either a person leaves the ol' back door unlocked, fails to frisk the guests as they enter the home, or actively invites a heap of trouble to come on over for a party.

Simplified examples, perhaps, but the underlying fact remains a constant: You are the gatekeeper for your PC. Unfortunately, as we begin to adopt an "everyone's allowed" mindset for Web integration, we're only making it easier for the bad guys to do what they do best. Unfriendly, if not downright hostile bits of malware can be pushed back with but a few simple changes in behavior--are you as security-focused as you should be in today's cross-platform world?

Who Is Your Daddy; What Does He Do?

There's an online network for everything nowadays. And with these online networks come a flurry of registration requests and data exchanges that you feel compelled to answer. I can't count the number of Twitter invites I receive on a daily basis--just for reference, I'm not @veronica or something, but I definitely get enough email to make for a bout of mindless follower-accepting during my lunch break. That's just one platform.

It almost seems silly to type this, as it should come as Web 101 for all but the most inexperienced of users, but I'll say it anyway: Do you always know what you're clicking on? There's a reason why most programs come with a little status bar or helpful pop-up whenever you mouse over a hyperlink. One of the easiest ways to detect a potential link spoof--like, say, one that's been placed in a seemingly innocuousTwitter invite--is to hover your mouse over the link.

If the hyperlink doesn't match up with the actual site in question (like http://208.348.142.555/takin/ur/password.html versus http://www.twitter.com), then you probably shouldn't click on that link. And if you can't detect that I'm being sarcastic, and you really shouldn't click on the link, then it's too late--you've probably already clicked on the link.

Of course, if you're lazy, you could try using a helpful utility to try and make this judgment for you. Firefox's LinkExtend extension aims to do just that--protect you from sites that are trying to steal data they shouldn't. You can also check out TrendProtect for a similar safeguard. Still, nothing is as foolproof as the ol' brain-box. Don't just click accept or ignore on everything that comes in your inbox. Look before you leap, as it were.

On Page Two: The API Skeleton Key to Your Front Door and Third-Party Malware on Your Favorite Web Sites!

Giving the Guard Dog a Bone

For all the successful, engaging Web communities and platforms out there, it seems that there are nearly ten times the third-party applications that tie into said original platforms via some authentication method or API. And that's awesome, right? With but the click of a mouse button, you can expand the functionality of a service you find useful with even more bells, whistles, and AJAX-themed applications. Provided you can still log into the service, that is, considering you've just given up your name and password to a complete stranger.

Huh? How do we make the jump from Facebook to #fail so quickly? It's all in the authentication--or lack thereof. Consider a site called TwitViewer. According to a number of Tweeted messages late this July, signing up for the third-party Twitviewer service would allow you to generate a photo-based graphic of the last 200 people to click on your Twitter feed. Sounds inocuous, if not downright fun, eh?

Wrong. The site's sole purpose was to yoink the name and password of your account, which you'd type into the site under the mistaken belief that you were signing up for a service. Twitviewer would then use your account to spam your followers with the "sign up for us!" message, and the entire process would start again with a new batch of suckers.

Every platform is different in the way it allows third-party applications to access its services. Once again, however, it's up to you and your juicy brain to separate the good from the bad. In the case of Twitviewer, there were a few warning flags to watch out for.

First up is the obvious issue that it's currently impossible for a third party to be able to provide you with a picture-themed list of the last 200 people that have checked out your Twitter page. That would require some kind of callback or script built into the core of the page itself, which isn't something that can be done via the Twitter API. Ask thyself--have you ever heard of any other third-party service that can perform this function?

But supposed you wanted to give Twitviewer the benefit of the doubt. That's fine. The larger, glaring red flag is the actual authentication method that's used to "give" Twitviewer access to your account. Twitter authenticates third-party API requests using OAuth, a protocol that keeps your actual login and password out of the equation by instead assigning specialized keys, or permissions, to these external services.

It's the best of both worlds: Your user name and password stays safe with Twitter, yet other sites can make use of all the different Twitter features surrounding your account. That in mind, a third-party site shouldn't give you a prompt to type in your name and password. It should feed you a link to the main Twitter domain itself, where you'll log in (or use your already logged-in account) to approve or deny the authentication request.

It's a sad world when one has to be reminded to not give out a user name and password to anyone who asks, but the Twitviewer issue fooled many a user and tech journalist--even those decently well-versed in common security practices.

But I Didn't Do Anything!

Here goes my paycheck. If you're running a modern Web browser, you should really be doing everything in your power to prohibit third-party plugins from pushing content to your system sans permission. For Firefox users, that means running some kind of Adblock or Noscript plugin, which gives you the ability to select certain types of Flash and JavaScript content to allow or deny.

Why is this a big deal? Just look at the recent Gawker issue, where users across Gawker's many Web sites were served up with malware via a hosted advertisement that flew under the parent company's ad-ops radar. Or, for that matter, check out the New York Times--same deal.

But even these extensions can only deliver so much peace of mind for Firefox users. If you're a fan of a particular site, say, Maximum PC, and you decide to add it to your white list, then you'll get hit with any malicious content hosted on the site--and it's no real fault of your own. Aside from keeping your system software fully patched and accepting any unwanted or strange-looking file download, there's not much else you can do on the protection side of things.

What's important from this entire exchange, however, is your changing mindset. And that's really what this entire article is about. Web platforms and associated sites push content at you from all different directions and sources. It's up to you to do what it takes to make sure that this transaction takes place because you want it to happen--you're giving permission for an action to occur. You're not just sitting back and accepting someone else's malicious invite.

This control can come in many forms: scanning Web links for legitimacy; ensuring that third-parties are only allowed to access your data using safe, prescribed methods; or locking the door to everyone before you let people in, as opposed to throwing a party for all and trying to boot out unwanted guests after-the-fact. These are all important techniques to keep in your pocket as you traverse the Web's many platforms. And as our data slowly becomes interconnected between these sites, it's even more critical to keep one weak link from opening up your entire Web world for disaster.

After all, malware can ruin anyone's day.

David Murphy (@ Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!

Nigerian Police Crack Down on Scammers, Shuts Down Hundreds of Websites

Paul Lilly — Fri, 23 Oct 2009 10:45:00 -0500

Nigeria has long been a hotbed for scams - either that, or we've all made a terrible mistake by not wiring over thousands of dollars to unknown recipients for a multi-million dollar payout down the line. Believe it or not, people still fall for it, so we're pleased as punch that Nigeria's anti-corruption police force has stepped up to the plate with some major busts.

"Over 800 fraudulent email addresses have been identified and shut down,"Economic and Financial Crimes Commission (EFCC) boss Farida Waziri said in a statement. "There have been 18 arrests of high profile syndicates operating cyber-crime organizations."

This doesn't mean you'll never see another Nigerian scam mail in your spam box, but hey, at least it's a start. And going forward, the EFCC feels pretty confident it can make a dent. Rather than rely on raiding cyber cafes and waiting for complaints to trickle in from the public, the EFCC said it is using smart technology in conjunction with Microsoft to actively track down fraudulent emails.

The EFCC hopes this is the just beginning. Working at full capacity, the crime unit believes it can forewarn about a quarter of a million potential victims within the next six months.

Image Credit: Flickr firoze shakir photographerno1

"iPod Mechanic" Behind Bars for iPod Scam

Paul Lilly — Wed, 26 Aug 2009 20:05:31 -0500

As another reminder that crime doesn't pay, 23-year-old Nicholas Woodhams, also known as the "iPod Mechanic," faces 13 months in prison after pleading guilty to mail fraud and money laundering charges. Woodhams was also ordered to pay $648,568 in restitution to Apple and $8,066.85 to the U.S. Postal Service, Arstechnica reports.

According to the lawsuit, Woodhams ran a scam of exploiting Apple's advance replacement system for the iPod shuffle and reselling them through his own website. He also allegedly exploited Apple's iPod Warranty Service Program to get Apple to repair out-of-warranty iPods.

Woodhams' scam proved rather lucrative, but it's all going back. In addition to the above jail time and fines, Woodhams must forfeit about $750,000 worth of criminally acquired assets, including his house in Michigan, an Audi S4, an Ariel Atom 2, a Honda motocyle, and over $500,000 in cash. Ouch.

Twitter Followers & Digg Votes for Sale – The Ugly Side of Social Networks

Justin Kerr — Sun, 05 Jul 2009 15:24:23 -0500

How much is a Twitter account or Digg vote worth? uSocial.net thinks they have the answer to that question with a recently announced new service that will sell social media accounts or votes to companies or individuals having trouble doing it the old fashioned way. $87 USD buys you (or your company) 1,000 followers added over 7 days, or as many as 100,000 over a one year period for $3,479. It turns out money really can make you popular both online, and in real life.

I have to admit however, I find it somewhat doubtful that companies would find these “purchased masses” very responsive, and in fact, uSocial itself claims “we'll Tweet our followers three times a day, every day for a month to go and check out links directly to the content that you'd like promoted.” This type of ad spam would have any normal user searching frantically for the unfollow button, but it certainly points out how modern social media is just as vulnerable to abuse as telephones, or the post office.

uSocial.net is also responsible for launching a program last year that allowed companies to buy votes on Digg and StumbleUpon. Both companies have issued cease-and-desist orders to uSocial, which according to a statement from Digg, have been ignored.

Is this the ugly side of social networking? Let us know what you think.

Spammers, Scammers Jump on the Swine Flu Hype-Wagon

Andy Salisbury — Wed, 29 Apr 2009 17:01:52 -0500

If you thought that the television news networks were the only ones trying to get the best out of a panic, you thought wrong. Those ever-persistent cretins that inhabit the Internet are fast at work, scheming their way to a quick buck, all thanks to the Swine Flu.

It looks like most Swine Flu related scams that have been circulating by means of email that typically contain a link to a phishing website, or have an attachment with malicious code. One such email features an Adobe PDF named “Swine influenza frequently asked questions.pdf,” according to representatives with Symantec. This PDF contains Bloodhount.Exploit.6, which is known to place InfoStealer code onto the victim’s computer.

So, aside from watching your real back, make sure to watch your virtual one as well. The Swine Flu is no joke, and neither is your personal information.

Image Credit: CNET

Latest Phishing Scam Preys on Surfers’ Morbid Curiosity

Pulkit Chandna — Fri, 09 Jan 2009 18:12:25 -0600

Internet shenanigans are keeping abreast with the latest developments around the world and using it to their advantage. An email doing the rounds around the internet hoodwinks the recipient into believing that it is from CNN. The clandestine email ostensibly contains a link to a “graphic” video of the ongoing Israel-Hamas conflict. However, the fake website contains a Trojan that betrays the user’s sensitive data, according to the RSA.

The author of the phishing attack has tried to make the website as plausible as possible. Upon visiting the link, the user is greeted with a message asking him to update his Adobe Flash Player. If the user lends his countenance to the download, a Trojan is downloaded instead of the latest version of Flash

Image Credit: Cnet