Archive for the ‘Security’ Category

Google account scam

Another one in the “good enough to believe” department. Take care not to click on this link, and if you do, DO NOT enter any of your Google account details.

The mail is purportedly sent from the Google accounts team, wishing to inform you that they will be doing some routine server maintenance.

gaccountscam.png

The link provided in the mail looks valid, as does the sender account (Gmail Team). As with other scams of this kind, the front-end interface is increasingly sophisticated and copied from the actual Google accounts page.

gaccountscam1.png

The actual URL of the page points to supplyurdemand.com/catalog/images/gmail.services/Login.htm. Clicking on any of the links takes you to the actual Google link. Entering your account details will undoubtedly capture them in the phisher’s database and provide easy access to your mail and other private information. A test with a dummy account shows that you may not even know that you’ve been had: if your browser has stored the cookie associated with your last successful logon to Google’s mail, for example, you’ll simply be transferred there without a hitch. And none the wiser.

Again: never provide logon details, regardless of how convinced you may be that you should provide them for the benefit of any institution. If you haven’t changed your Google account password in some time, now’s a good time to do that. If you’ve accidentally fallen for this trick, you may be able to save yourself by having your password changed through actual verification with Google.


26 04 2011

Reduce bank charges. No choice.

By providing your logon credentials to this version of the ABSA banking site you’re likely to reduce your banking charges quite significantly. Once the scum behind the email address onirekedouglasdale@webmail.co.za gets hold of your logon details, there’ll be little in the way of cash left in your account to charge banking fees on…

Documenting these scams is a bit boring, since they all rely on the same mechanisms: an end-user’s blind trust in technology, the promise of quick and easy transactions and an ability to dupe many people by showing them something that looks just like the real thing. I add this one here simply because it adds another twist to the usual ‘provide your password’ routine. Played through, the spoof site indicates that an RVN (one-time password) has been sent to the user and that the message may or may not arrive due to apparent system congestion.

The obvious play is that the RVN is never sent, requiring the user to click on a link to the actual ABSA site to retrieve a valid RVN.

I assume onirekedouglasdale@webmail.co.za next sends an email to the user requesting confirmation of the true RVN. Since an RVN is valid for a reasonable time period and because the user has already been duped once into providing personal data, it’s no stretch to believe that the RVN may well be sent to the scammer.

Like most modern scamming methods, the fake website looks like the real thing. A few things to notice: the address indicated in the browser is http://207.204.1.180/log/, not https://ib.absa.co.za/ib/ib.jsp. The image for some embedded content in the logon button indicates that something is amiss.

The message at the bottom right indicates system downtime scheduled for November 2009, most likely the time the real ABSA site was initially scraped and deployed for the fakery.

The site is not yet marked as a scam in Firefox, but has been reported to ABSA. Regardless of whether or not this site is blocked, continued vigilance is absolutely key in online system use. The sophistication of such enterprises is on the increase. Take care, check at least twice before entering anything into any website and, as always, contact the organization if you have any doubts.

One way of verifying the veracity of a site is to enter incorrect logon credentials on purpose first. Since a fake website can’t tell whether or not your user name and password are valid, the absence of an error message is one indication that may be used as a protective measure. It is only an indication, though: a fake site that passes whatever you type straight through to the real bank would return the bank’s genuine error message.


01 02 2010

Twitter spam

I join a long list of Twitter users whose accounts have been compromised. In the past few hours, I have seemingly been recommending a source of cool ringtones to all and sundry.

Twitter spam

Pardon the intrusion…my password has been set to a more secure one and I trust that’ll be the end of that.

Brief tip: if you need ringtones, make your own ;-)


16 11 2009

Phishing Standard Bank

With three big South African banks already the target of online phishing scams I’ve come across in my spam mail, Standard Bank rounds out the collection of four banks whose customers are requested to log in and update personal details.

Of the four scam sites I’ve seen, the spoof of the ABSA Internet banking site is without doubt the most convincing, with only the URL a giveaway. For the rest, it looks identical and would fool a vast majority of unwary users. The fake Standard Bank runs a close second, though some careless HTML breaks some of the design and damages some of the graphics on the site. For the rest, it looks very convincing.

Standard Bank phishing site

The ridiculous URL, http://www.tigerbasketball.org/templates/madeyourweb/signonmenu.htm, relates in no way to Standard Bank and may indicate how brazen and confident scammers are becoming – it takes only a few victims to make a phishing attack worthwhile.


11 11 2009

ABSA phishing warning

The proliferation of phishing scams is increasing by leaps and bounds, as is the first-glance trust one may place in certain emails and websites that mimic services provided by real corporations. About two weeks ago, I received an email prompting me to enter my FNB account details. Today’s email from ABSA’s Online Account Directives is similar, but leads to a website that is an absolute dead ringer for the real thing.

Scam letter

Once again: the first thing to tip you off that this is a scam is the simple fact that no financial institution will ever request you to enter or update any information in this way. Still unsure? Pick up the telephone and call the call centre to find out whether or not a communication of this nature could be legitimate. In any case, I advise you not to react but simply to turf the email into your trash can and report it to the bank. In my case, GMail already completed the first step.

But since I enjoy sifting through my trash…I had a look at where the URL in the mail links. Even the mail is convincing, including a logo and various other details that make it look official. The URL in the mail does not, of course, link anywhere near the actual ABSA online banking website, a site you would generally not reach by typing its address but by clicking a link on the actual ABSA home page. The fraudster who compiled this email has used the same trick the FNB email employed: spell out the URL as the link text to dupe the user into believing it leads to the real website. Clicking on the URL leads to the following address: http://64.23.6.160/Renew/Main.html instead of the official https://ib.absa.co.za/ib/ib.jsp.
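The same trick, link text that reads like the real address while the href goes somewhere else, is what makes the Google account scam above convincing too. As an added example (not code from these posts), here is a small Python check that pulls every link out of a mail’s HTML and flags the mismatches; the sample mail is constructed, reusing the two addresses quoted in this post.

```python
"""Flag e-mail links whose visible text names one site but whose href goes
elsewhere. Added example, not code from the original post."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse
# Constructed sample of the kind of HTML such a mail carries: the visible
# text spells out the bank's real address while the href points elsewhere.
SAMPLE_MAIL = """
<p>Please <a href="http://64.23.6.160/Renew/Main.html">https://ib.absa.co.za/ib/ib.jsp</a>
to update your details.</p>
<p>Help: <a href="https://ib.absa.co.za/ib/ib.jsp">https://ib.absa.co.za/ib/ib.jsp</a></p>
<p><a href="https://www.absa.co.za/">Absa home page</a></p>
"""
class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the document.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, text, reasons) for each link that looks deceptive."""
    parser = _LinkCollector(); parser.feed(html)
    out = []
    for href, text in parser.links:
        h, t, reasons = urlparse(href), urlparse(text), []
        if h.scheme == "http":
            reasons.append("plain http, not https")
        if _is_ip(h.hostname or ""):
            reasons.append("host is a bare IP address")
        if t.scheme in ("http", "https") and t.hostname != h.hostname:
            reasons.append(f"text shows {t.hostname} but link goes to {h.hostname}")
        if reasons:
            out.append((href, text, reasons))
    return out
```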

The fake website is absolutely indistinguishable from the real thing:

Fake ABSA website

The only clue to indicate that the website is not the real ABSA online banking portal is the URL displayed in the address bar of the browser:

ABSA fake website

This is one scam that will catch many victims. As with the FNB scam, Firefox blocks access to the site whereas Internet Explorer does not.

Click with care and don’t divulge information anywhere without taking precautions.


14 10 2009

Access granted

Kaspersky Labs have issued a work-around and a fix for the google.com access denied issue I ran into this morning – trying to browse to various Google domains results in this error message being displayed:

An update to the virus database and/or an update to the currently running program version is supposed to fix the issue.


03 12 2008

Access denied

You know you’re in trouble when your anti-virus application decides you should no longer have access to the evil website Google. I’ve never, ever seen this message displayed before, not even when visiting rather dubious torrent search engines…

This is one of those typical occurrences with computers where I, the user, made no changes to anything and have to try and understand and solve the issue at hand. www.google.co.za works fine, so I’m not sure what Kaspersky is on about. Since this happened on G2S running Vista I’ll forgive Kaspersky and see whether a reboot will fix this rather odd warning…

…the reboot doesn’t fix it, so I’ve hard-fixed the issue for now by adding http://www.google.com* as a trusted site.

Could this problem be due to an error in a Kaspersky update, I wonder?

This type of problem worries me, especially since Apple has apparently stated that they recommend Mac users install and use not one, but multiple anti-virus packages to ensure attackers have more hurdles to cross. The relevant knowledge base article has since disappeared…

The last thing I want is for my Mac to be burdened with a layer of software that causes my pleasant user experience to be disrupted. Let’s leave that to Windows!


03 12 2008

Remote code execution vulnerability

Microsoft has issued a critical security vulnerability bulletin that includes a patch for the Windows family of products to prevent remote code execution.

The vulnerability has been reported to exist in the Server service and could allow remote code execution if an affected system received a specially crafted RPC request. It is also possible that the vulnerability could allow arbitrary code to run without authentication.

This is basically a loophole a worm could exploit to run malicious code and spread to other systems. As always, keep your anti-virus software up to date, be sure to stay behind a firewall and watch where you’re travelling to on the Interweb! Or run Linux. Of course, a worm can get through on a LAN, too.

Microsoft recommends that the patch be applied immediately. A list of specific patches for the various Windows releases is provided here.


24 10 2008

Throwing out the malware

Not Vista ;-) I must confess that I quite like Microsoft‘s latest OS and do think some of the criticism it has received is perhaps unfair. Of course there are a number of things about Vista that get on my nerves, but overall it does the job. Late last week I was about to order a MacBook (something I’m still considering) after Vista on G2S started misbehaving.

Constant crashes in the Explorer, hanging and many blue screens had me on the verge of tearing out my hair. The first thing to criticize: Vista, of course. Though it had been rather stable throughout and I’ve had very few issues. I run avast! and keep the virus database updated and am generally careful about what I run and where I click. Obviously, something had slipped through the cracks. The first clue was a small Internet Explorer window launching every now and then. The most irritating was an absolute inability to reach websites when using a proxy.

Suddenly, avast! found a trace of something unwanted, but all tries at deleting or quarantining the file failed. I booted into safe mode and opened a command prompt, then deleted the DLL identified by avast! Of course that didn’t change things – after the next reboot into normal mode, the virus scanner identified a differently named DLL. Time for some manual intervention! Open a command prompt and launch MSCONFIG. Select the Startup tab and have a look at the entries…

Even a non-geek should see an entry that simply doesn’t look right. In this case, the program named BM63df8f5e.

MSCONFIG

Deselect the box that lets this bug run at system startup, then open the registry editor. In the MSCONFIG entry for BM63df8f5e, some parameters are provided for RUNDLL32.EXE. One of them is another oddly-named DLL. Open the registry editor and search for that DLL. True enough, my problems with network access through proxies were confirmed by the registry entry I found:

Registry entry

Delete that key without thought and reboot. Suddenly, things work so much better!
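The eyeballing of the Startup tab described above can be automated. As an added example (not the post’s own method), the Python below scores startup entries for random-looking names and for rundll32.exe invocations of oddly named DLLs, runs over constructed sample entries modelled on what the screenshot shows, and on Windows can read the live Run keys through the standard winreg module. The DLL name mjkq7f2e.dll is invented, since the post does not give the real one.

```python
"""Triage Windows startup entries for the pattern described above: a random-
looking name running rundll32.exe on an oddly named DLL. Added example."""
import ntpath, re
DLL_RE = re.compile(r'([^\s",]+\.dll)', re.IGNORECASE)
HEXISH = re.compile(r"^[A-Za-z]{0,3}[0-9a-f]{8,}$")   # e.g. BM63df8f5e
# Constructed (name, command) pairs as MSCONFIG's Startup tab lists them;
# mjkq7f2e.dll is a made-up stand-in for the DLL the post does not name.
SAMPLE_ENTRIES = [
    ("BM63df8f5e", r'rundll32.exe "C:\Windows\system32\mjkq7f2e.dll",s'),
    ("NvCplDaemon", r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"),
    ("ctfmon.exe", r"C:\Windows\system32\ctfmon.exe"),
]

def looks_random(stem):
    """Heuristic: hex-looking tail, or digits mixed in with almost no vowels."""
    if HEXISH.match(stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 8 and digits >= 2 and vowels <= len(letters) // 4

def triage(entries):
    """Return (name, dll, reasons) for entries that deserve a closer look."""
    out = []
    for name, cmd in entries:
        m = DLL_RE.search(cmd)
        dll = ntpath.basename(m.group(1)) if m else None
        reasons = []
        if looks_random(name):
            reasons.append("random-looking entry name")
        if "rundll32" in cmd.lower() and dll and looks_random(dll[:-4]):
            reasons.append("rundll32 loads a random-looking DLL")
        if reasons:
            out.append((name, dll, reasons))
    return out

def live_run_entries():  # Windows only: read the HKCU/HKLM Run keys via winreg
    try:
        import winreg
    except ImportError:
        return []
    entries, path = [], r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:
            pass
    return entries
```

Treat a hit as a lead to investigate rather than proof, and export the registry key before deleting it so the change can be undone.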


24 06 2008

Section 202c

Germany introduced a very restrictive law this past weekend. According to section 202c of German computer crime law, just the possession of certain software utilities and code can land the owner in jail. Of course, the distribution, coding, development and sale of such software is also forbidden. The introduction of the law has prompted a number of sites dealing in such software to either modify their sites or move their base of operations to locations outside of Germany.

The problem is that a number of system administrators rely on ‘hacking’ tools not for purposes of evil, but rather to test security and investigate potential vulnerabilities. Windows may not have a pre-installed library of software that could be categorized as hacking tools under this law. But Linux certainly contains a vast library of modules and software packages that land squarely in the illegal pool… It’ll be interesting to see how Linux distributions respond to the requirements of this new law. If you have the inclination, the text of section 202c may be found here (PDF link).


14 08 2007
