The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Friday, September 07, 2007

Small-time phisher arrested; targeted Notre Dame credit union

Francisc A. Wonerth was arrested in Fullerton, CA when police discovered he was driving a stolen car. In the car, they found a number of magnetic cards that had been re-coded to act as Notre Dame Federal Credit Union (NDFCU) bank cards. This led to the discovery that Wonerth had been phishing for account information from NDFCU customers. NDFCU president Leo Ditchcreek said that some 60 accounts had been compromised.

Police are still investigating. Remaining questions include the issue of how Wonerth acquired his email list in the first place.

Full story in the ND Observer: NDFCU's scammer identified.


Tuesday, August 07, 2007

Security issue: phishers now targeting domain registrars

This is an issue of some concern and should be watched carefully: phishers are now trying to get the passwords of domain registrants. Currently, correspondents inform me that GoDaddy is the target, but there's no reason to think the phishers won't expand to other registrars.

Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam.

It's not known precisely why phishers are after domain registration information, but the possibilities are chilling. The most obvious danger is that the phishers might be trying to simply steal domains — recall the sex.com and races.com fiascoes.

One worst-case scenario which has been suggested is this: If a phisher were to successfully hijack the domain registration of a bank or credit union, they could quietly repoint the domain name at their own servers and conduct a man-in-the-middle attack on the bank's customers without the bank even realizing it's happening. A sample of the GoDaddy phish follows:

Dear GoDaddy Customer,

GoDaddy Customer Support Team requests you to complete GoDaddy Customer Online Form.

This procedure is obligatory for all customers of GoDaddy.

Please click hyperlink below to access GoDaddy Customer Online Form.

http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx

Please do not respond to this email.

This mail generated by an automated service.

Copyright © 1999 - 2007 GoDaddy.com, Inc. All rights reserved.

Of course, the link provided actually goes to the phishing site, not to GoDaddy.
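An added check, not part of the original post, for exactly this trick: in an HTML mail the visible text of a link can show a godaddy.com address while the href points somewhere else entirely, or the real domain can be buried in the middle of a look-alike hostname. The script below pulls every anchor out of a message and flags the ones whose destination is not actually under the domain the text claims. The sample message is constructed; the 198.51.100.7 address and the godaddy.com.session-47175729.example host are stand-ins for the real phishing site, which the post does not name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML phish. The visible link text is the URL shown in
# the post above; the href targets (a documentation-range IP and a look-alike
# host ending in .example) are assumptions standing in for the real phishing site.
SAMPLE_EMAIL_HTML = """
<p>Please click hyperlink below to access GoDaddy Customer Online Form.</p>
<p><a href="http://198.51.100.7/godaddy.com/account.aspx">http://myaccount.session-47175729.godaddy.com/AccountConfirmation/account.aspx</a></p>
<p><a href="http://godaddy.com.session-47175729.example/login">Click here</a> if the link above does not work.</p>
<p><a href="https://www.godaddy.com/help">Help Center</a></p>
"""


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'host/path' string is treated as http."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def belongs_to(host, domain):
    """True only when host is domain itself or a subdomain of it (match on a label boundary)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def check_links(html, expected_domain):
    """Return (text, href, reason) for every link whose href is not under expected_domain."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        if belongs_to(href_host, expected_domain):
            continue
        # Only treat the link text as a URL claim when it actually looks like one.
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if belongs_to(text_host, expected_domain):
            reason = "text shows %s but href goes to %s" % (text_host, href_host)
        elif expected_domain.lower() in href_host:
            reason = "href host %s contains %s but is not under it" % (href_host, expected_domain)
        else:
            reason = "href goes to %s, not under %s" % (href_host, expected_domain)
        findings.append((text, href, reason))
    return findings


if __name__ == "__main__":
    for text, href, reason in check_links(SAMPLE_EMAIL_HTML, "godaddy.com"):
        print("SUSPECT: %s\n   href: %s\n   why:  %s" % (text, href, reason))
```

The suffix check is deliberately strict: `godaddy.com.session-47175729.example` contains the string but is not under the domain, and `notgodaddy.com` is not either. It does not decode Unicode look-alike characters or follow redirects, and a plain-text mail that simply prints a wrong URL still has to be checked by reading it.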


Friday, June 15, 2007

Phisher Jeffrey Goodin sentenced to 70 months

In January I reported that Jeffrey Goodin had been convicted under CAN-SPAM. It is believed he is the first person ever convicted in a jury trial for CAN-SPAM violations.

Yesterday, LawFuel Newswire reported that Goodin has been sentenced to 70 months in the federal slammer. In addition, he's being ordered to pay over $1 million to the victims of his phishing schemes, most of it to Earthlink.

After being indicted, Goodin harassed an individual who had been cooperating with the authorities. While awaiting trial, Goodin failed to appear at a hearing, causing the FBI to track him down under a failure-to-appear warrant.

See articles in LawFuel and Information Week for more details.


Tuesday, June 05, 2007

More on the BBB and IRS phishes

Analyst Joe Stewart informs me that these are being sent by at least two different groups, using two different approaches. His analysis of the BBB phish describes the phish in detail. In short, the trojan attaches itself to Internet Explorer and steals everything it can get hold of. Over 145 MB of data has been collected from over 1400 victims so far.


Wednesday, May 30, 2007

National Spam News

I haven't done a news roundup in quite a while, and I have a lot of catching up to do. Are you sitting comfortably? Good, let us begin.

Good article in Slashdot today, bemoaning the fact that the latest Ameritrade leak has gotten no attention from the mainstream press. California law requires them to notify their California customers of a potential security breach. Have they done so? Were customer account IDs and passwords also leaked? Ameritrade isn't saying. So far, all they've said is that they take these things seriously. The article suggests some security techniques that Ameritrade should implement to track the source of the leak.

There have been a lot of "greeting card" spams lately. I'll bet you've gotten some yourself. Remember: if the subject line doesn't identify who the card is from, then it's spam. Anyway, Trend Micro reports that these spams are also carrying malware as part of the payload.

Robert Soloway isn't the only one with legal problems this week. TG Daily and other sources report that Microsoft has filed suit against three John Does for sending pump-n-dump spam through their Hotmail service.

The BBC reports that internet service provider Tiscali is now caught up in a serious battle with their spammers. Spam coming from Tiscali has become serious enough that many other ISPs are refusing email from Tiscali, which is seriously impacting their customers. Tiscali has long been plagued with 419 scammers, which they managed to bring under control about 6-8 months ago. It now seems that another house-cleaning has begun.

There is some speculation that Tiscali's problems might be caused by spambots inside their network. See my recent article on this subject.

Ben Edelman reports that spyware is still stealing referral fees. As usual, his claims come with a detailed and in-depth analysis.

The Seattle Times reports that Nigerian 419 scammers are now inviting suckers to get puppies out of the country instead of money. Some people have paid more than $1500 to adopt a valuable dog from Nigeria.


Don't click on links from the Better Business Bureau

The Register reports that there is a new round of highly-targeted phishing going around, disguised as a letter from the Better Business Bureau. The email is sent to high-level executives, and according to the article, over 1400 of them have been tricked into sending sensitive information to the phishers. The executive is told that there's been a complaint, and they should click on a link to read it. The link actually installs malicious spyware which then forwards everything it can get its hands on to a website controlled by the attackers.

The Better Business Bureau has issued a warning about the attack.

By the way, the spyware works by attaching itself to — wait for it — Internet Explorer. Please, people, what have I told you about installing Firefox? Friends don't let friends run IE or Outlook.


Tuesday, March 27, 2007

Sanford Wallace sued again — this time by MySpace

I've been very busy of late, with a lot of catching up to do, but this one is just too juicy to wait:

Sanford Wallace, the original mass email spammer (and junk faxer and purveyor of spyware) is now being sued by MySpace for phishing and spamming. MySpace is claiming violations of CAN-SPAM, and the California anti-spam and anti-phishing laws.

More coverage from Digital Media Wire. Press release can be seen on BusinessWire.


Monday, March 19, 2007

New phish on the block — fake MoneyBookers email

OK, one I hadn't seen before: Email from "moneybookers.com" tells me to click on a link to receive my $300. No indication as to who the money is from. Obfuscated URL. Wants a copy of my passport and my personal banking information. Puh-leeze.

Now, there is a real moneybookers.com, but they're in London and the URL in the email leads you to Bolivia. I'll forward the spam on to the real MoneyBookers, but dollars to donuts they already know.

If you're reading this now, you're probably not the kind of person to fall for this, but for the love of all that's holy, please get on the horn to your Uncle Charlie in Peoria, or your cousins back in the old country, or whichever one of your relatives always falls for this stuff, and warn them about this before they start digging through their stuff looking for their passport. Tell them: Strangers are not sending you money out of the blue.


Friday, February 16, 2007

Change the password to your home router

New theoretical attack described in Computer Business Review: A phisher loads malicious JavaScript onto a web site. When you visit, the JavaScript connects to your home router using its default IP address and default password, which you were too lazy to change. The JavaScript configures the router to use the phisher's own DNS servers. Later, when you try to connect to your bank, you get connected to the phishing site instead, and the address bar shows the bank's real name, so the only visible tell is a certificate warning if the bank's site uses HTTPS.
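An added check, not from the original post, for the pharming described above: once the router has been told to hand out the attacker's resolver, the evidence is in the DNS settings your machine receives and in the answers it gets. The script below parses a resolv.conf, flags any resolver that is neither one you trust nor an RFC 1918 address on your own LAN, and compares answers for a few names between the configured resolver and a trusted one. The resolv.conf text, the resolver addresses (documentation ranges) and the DNS answers are all constructed; the two lookup functions are stubs you would replace with real queries.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf as handed out over DHCP by a router whose
# DNS setting was rewritten. 203.0.113.9 (documentation range) stands in for the
# attacker's resolver; 192.168.1.1 is the router itself.
RESOLV_CONF_SAMPLE = """\
# Generated by DHCP client
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.9
"""

# Resolvers you expect to see: the router and your ISP's resolver (constructed).
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry; the libc resolver ignores it too
    return servers


def classify_resolvers(servers, trusted):
    """Label each resolver: 'trusted', 'lan' (RFC 1918 but unlisted), or 'UNEXPECTED'."""
    verdicts = []
    for ip in servers:
        addr = ipaddress.ip_address(ip)
        if ip in trusted:
            verdicts.append((ip, "trusted"))
        elif any(addr in net for net in RFC1918):
            verdicts.append((ip, "lan"))
        else:
            verdicts.append((ip, "UNEXPECTED"))
    return verdicts


def find_pharmed_names(names, configured_lookup, trusted_lookup):
    """Names whose answer from the configured resolver shares no address with the
    trusted resolver's answer. Each lookup is a callable: name -> list of IPs."""
    suspicious = []
    for name in names:
        got = set(configured_lookup(name))
        want = set(trusted_lookup(name))
        if want and not (got & want):
            suspicious.append((name, sorted(got), sorted(want)))
    return suspicious


# Constructed answers standing in for live queries to each resolver. Only the
# bank's name is redirected; everything else resolves honestly so nothing looks off.
ATTACKER_ANSWERS = {"bank.example": ["203.0.113.10"], "news.example": ["198.51.100.20"]}
TRUSTED_ANSWERS = {"bank.example": ["198.51.100.10"], "news.example": ["198.51.100.20"]}


def audit(resolv_conf=RESOLV_CONF_SAMPLE, trusted=TRUSTED_RESOLVERS):
    """Run both checks on the sample data; returns (resolver verdicts, pharmed names)."""
    verdicts = classify_resolvers(parse_resolv_conf(resolv_conf), trusted)
    pharmed = find_pharmed_names(
        ["bank.example", "news.example"],
        lambda n: ATTACKER_ANSWERS.get(n, []),
        lambda n: TRUSTED_ANSWERS.get(n, []),
    )
    return verdicts, pharmed


if __name__ == "__main__":
    verdicts, pharmed = audit()
    for ip, verdict in verdicts:
        print("resolver %-15s %s" % (ip, verdict))
    for name, got, want in pharmed:
        print("%s: configured resolver says %s, trusted says %s" % (name, got, want))
```

In practice you would replace the two lookup stubs with queries aimed at specific servers (dnspython's Resolver lets you set the nameserver list), and expect false positives for sites behind CDNs, whose answers legitimately differ by resolver; a mismatch is a prompt to look, not proof. Also check the router's own WAN-side DNS setting through its admin page: if the router forwards queries itself, LAN clients only ever see 192.168.1.1 in resolv.conf and the first check passes even after the attack.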

The attack hasn't been seen in the wild yet, but it's only a matter of time. Save yourself a lot of hassle now, and secure your routers.

For more on the story, see Drive-By Pharming Attack Could Hit Home Networks.


Monday, February 05, 2007

Beware of new scam telling you that you need to download new software to access your gmail account

This has been circulating for the last few days. A message (in Portuguese) entitled "Privacy matters" tells you that you need to download new software if you want to keep accessing your gmail or orkut account. The message is a hoax. Please don't click on the links it contains.
