The email says:

Australian Taxation Office informs you about the changes in the rules of submitting tax report.

Please, read about the changes to Click Here.

Important to know
We do not offer cashier services for tax payments or refunds. For further information on how to pay your taxes, see How to pay.
(http://www.ato.gov.au/content.asp?doc=/content/33696.htm) 

We are kindly asking you to keep to rules and terms of tax report submission to avoid penalty. 

Best regards,

Andrew Nichols
Australian Taxation Office

If you see this email, don’t click on the links. Delete it.

How can you be sure if it’s real or a scam?

Place the mouse pointer over the links, but don’t click. You should see the real address popup. If it looks dodgy then it’s probably a scam. See this screenshot,

This type of scam email is common. Always use this trick to judge if the email is legitimate or a scam.

• You receive an email telling you that a hotel has incorrectly charged your credit card
• The email also says that you should fill out an attached form for a refund (i.e. open an attachment and get some money)
• The attachment installs a fake antivirus program
• The fake antivirus program asks you to pay money to clean your PC (even though there’s really nothing wrong with it)

Hotel Renaissance Chicago made wrong transaction

Hotel Westin St. Francis made wrong transaction

Wrong transaction from your credit card in Woodrun V Townhomes

• a video of disgraced former International Monetary Fund Managing Director Dominique Strauss-Kahn and a hotel maid
• an X-rated video of celebrities Rihanna and Hayden Panettiere

These videos are not actual videos, but are links to a website that installs malware. Note that it affects both Windows and Mac computers. On Windows, the malware tells people to install a new version of Adobe Flash Player, but instead installs a fake antivirus program. On a Mac the malware brings up a fake security warning and asks people to install a fake “fix” to the problem. In both cases the malware then wreaks havoc with the computer, shows pornographic images, and asks the user to pay money to stop it happening. After (real) money is paid the malware remains. So overall it’s quite a nasty bit of work.

If you come across anything like this in Facebook please let the person who posted it know it’s malicious. The sooner they remove the post the less damage it will do.

If you see this on your browser, close the browser. Don’t click on any buttons. And most importantly, don’t panic. These scams are designed to scare you into making irrational decisions.

Below are screenshots of how it looks (click to enlarge the screenshots):

This type of scam happens on both Windows and Mac computers.

People have been posting notes on Facebook about something called “un named app”. It tells you to remove something from Facebook. It’s a hoax. Don’t believe what it says, don’t follow the instructions, and don’t pass it on.

Below are some quotes of the hoax:

ALERT >>>>> Has your facebook been running slow lately? Go to “Settings” and select “application settings”, change the dropdown box to “added to profile”. If you see one in there called “un named app” delete it… It’s an internal spybot. Pass it on

this is real.. i checked and found this app and deleted it… hopefully, my facebook will run better now.

Cannot believe how much quicker mine is running after doing this….

I don’t have this app on my Facebook account but if you do, don’t worry. It’s a normal part of Facebook and you shouldn’t delete it.

Now the second part of this hoax is a real trojan. If you go to Google and search for “facebook unnamed app” you’ll see quite a few results. Some of these results are fake antivirus programs.

A fake antivirus program is actually a trojan. It pretends to scan your PC and quietly installs malware in the background. It goes under the name of Security Tool, it has a fancy detection screen and everything. But it’s definitely bad.

The rule of thumb is that if a web page tells you that your PC might be infected, don’t trust it. Go and get your own antivirus program, not something that pops up on your screen (see here for a good free antivirus program).

There’s a lot to learn here. Basically, be careful who you trust. These days scammers have to trick you into installing malware and they’re good at it (it’s called social engineering).

1. You visit a web page that has been hacked. It’s an ordinary web page (such as a news site), nothing looks out of the ordinary.
2. A trojan is installed on your computer without your knowledge. It sits there on your PC waiting and watching.
3. You log onto your internet banking site. Everything still looks normal.
4. The trojan detects that you’ve logged into an internet banking site and it makes a transaction, transferring money from your account to the account of a money mule (more on this later).
5. When you look at your bank statement online, the trojan captures the network data and changes it to hide the transaction it made. The numbers it shows on the screen have been altered.

Step 5 is the sophisticated part of this attack. Normally you’d notice if money was transferred from your bank account without your approval, but the trojan hides this by showing you a fake statement on your screen. If you can’t see the money being taken from your account the criminals have more time to keep making withdrawals.

The amount of money it steals is different each time so that the bank’s anti-fraud detectors don’t see the pattern of theft.

More details here on this attack works.

So what’s a money mule?

Stealing money from people’s bank accounts is a big business. Criminals not only write sophisticated malware to carry out the transactions, they also recruit money mules to launder the money.

They place ads online offering jobs to desperate people. These jobs require no experience and you work from home (sound familiar?). People who sign up to these jobs receive money in their bank accounts, then they have to transfer it to someone else’s account. They do this willingly and are paid for it, but they usually don’t know that it’s part of a criminal organisation.

This is how the criminals receive their stolen money and cover their tracks. It’s a form of money laundering and is illegal. And to avoid a pattern detection they usually only use these money mules twice.

Here’s an example of a money mule job ad.

Lessons Learnt:

• Always use an antivirus program that not only scans your PC for malware, but also checks every web page you go to. Good antivirus programs cost money and it’s a good investment to protect your online security.
• Only use internet banking from a PC you trust.
• Always update your PC with the latest patches. For example, tomorrow there’ll be a large Windows update, you should install this as soon as possible (after you make a backup).
• Don’t trust job ads that promise the world for little to no effort.

• G Data
• Symantec
• Avast
• F-Secure
• BitDefender
• eScan
• ESET

Some people have been posting messages on Facebook saying:

to all those using FAN CHECK APPLICATION, please delete it & all its pictures, it contains a virus & takes 24-48 hours 2 infect everyone on your friends list please copy and paste 2 your status to let everyone know

Firstly, malicious Facebook apps do exist. The ones I know of are called Posts and Stream applications. They’re not viruses but they try to trick you into providing personal data (called phishing).

Secondly, Fan Check Virus doesn’t exist, but nevertheless there is a danger. What’s happening is that the virus writers have created web pages infected with real malware and fake antivirus programs.

So if you search for Fan Check Application on Google, you’re likely to end up on the infected web page looking for information, and that’s how your PC gets infected. Clever, right? So all the people writing about Fan Check haven’t done any research and are actually helping to spread the real malware.

There’s a video explaining more about it here.

And it seems this isn’t the first time this strategy was used. Another fake Facebook virus called Error Check System works in the same way, if you Google for information on it you’ll likely end up on a web site with a fake anti-virus product.

Not only does it install malware, it also asks you for your user ID and password.

Here are some tips to help you avoid this sort of scam:

• When you use any online banking service, look for the padlock icon in your browser. Then click on it, it needs to say your bank’s name, it’s full web address, and shouldn’t show any errors.
• If you receive an email from your bank, don’t click on any links. Instead, open a new web browser and type in your bank’s web address. This way you can’t be tricked into clicking the wrong link.
• Always be wary when you receive unsolicited emails. More often than not they’re scams.
• Use a good antivirus product

1. You click on a link to a web page. This web page has been hacked but you don’t know that.
2. A message comes up on your screen telling you that you might have malware on your PC.
3. You click on a button to start their scanning program. It pretends to do a scan of your PC. This fake program can be called AntiVirus2009, FileFixerPro, or FileFix Professional.
4. In the background it’s going through everything in your My Documents folder and encrypting all of the files. The encrypted files are now useless to you.
5. A message comes up asking you for $50 to get a program that will unencrypt your files.
6. If you pay, you may or may not receive a program that unencrypts them. The hackers would also then have your credit card details.

It’s a terrible situation to be in.

There are quite a few things you can do right now to prevent this from happening:

• Make a backup of your files. If you’ve never made a backup before then try to do it today, don’t waste time. If you ever lose your files, or you’re a victim of ransomware, you can just recover from your backup.
• When unexpected windows popup asking to do a scan of your PC, have a good think who’s asking. It’s an unsolicited request, so it’s probably a scam.
• Install a good anti-virus package. One that scans every web page you access.
• Start using one of the alternative web browsers, such as Chrome, Opera, FireFox, or Safari. These four browsers are better at detecting hacked web pages and at preventing malicious code from running. (They’re better than IE but not 100% safe).
• Keep reading Fraudo to stay on top of these scams. You can subscribe to the RSS feed or by email (the email option is on the top right corner of this page).

And if you’re unfortunate enough to have this happen to you, there’s a free tool that may be able to recover your files. I bolded the word may because the hacker’s technology is getting better all the time and if they did things right it would be impossible to unencrypt it without paying. But for now you can try the method shown on this page.

hey! check out this funny blog about you…
hxxp://t w i tter.access-logins..com

The link takes you to a page that looks a lot like the Twitter login page. If you try typing in your Twitter username and password it records it in a private database. Later someone will log into your Twitter account using your password and start sending out message like the one above.

Many people have one password for many sites, so once they have your Twitter account they could later try other services (e.g. Facebook).

If you use Twitter and see the above message just ignore it. Don’t click on the link.

Some web browsers (such as the latest version of FireFox and the latest version of Opera) will now detect this fake site and show you a large warning. A good antivirus package will also detect these sites and block them.

And if you think you’ve already fallen for this change your passwords.

Both emails contain a link you’re supposed to click on, however if you examine the link closely you’ll see they actually point to someone else’s site. This is sneaky and you really need to be aware how to distinguish real links from malicious ones like these.

In this case the link is displayed as: http://www.enom.com – but if you place the mouse pointer over the link and wait a second, you’ll see the real link displayed (depending on which browse and email client you’re using). In this case the link really points to httpz: // w ww.enom.com.com92. _biz  - See what they did there? They added a few characters to the end. This is enough to make it point to a completely different site. Even though is has part of eNom’s address in there, it’s different. (Note that I broke up the URL to stop you from accidently clicking on it).

The second email is similar, it really points to h ttp :/ / www. enom. comcom94._com – Again this is different, even though it has part of eNom’s address. Even one letter or number is enough to make it go somewhere else. (Again I broke up the address to stop you clicking on it).

How can they do this? Unfortunately at this time nobody stops scammers registering an address that is very similar to a legitimate address. It’s up to you to take care what you click on.

Another couple of tips to protect you from these tactics:

• Use a good antivirus package that checks every web page you load. These days they have a list of good and bad sites, and it’ll warn you if you’re going to a known “bad” site.
• If your web browser or email client doesn’t let you see the real link (by hovering the mouse pointer over the link) then upgrade to another browser or email client.
• Use some kind of spam filtering with your email. This is fairly common these days.
• Use an alternative browser, such as FireFox, Opera, Chrome, or Safari. This isn’t always enough these days, as we’ve seen with Flash malware. But it helps a little.

Below are the two emails. I’m putting them here so that people can search Google and get to this page to learn what they really are.

Email 1:

Dear eNom Customer, 

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

* Main site 

* All web hosting services 

* Email services 

* Communication with the registry affecting new registrations, renewals, and transfers 

For access your account follow this link – http://www.enom.com 

The following services will not be affected and will continue to be fully operational: 

* DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

* Email forwarding and site redirection will operate normally 

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

Sincerely, 

eNom Tech Support

Second email:

Dear eNom Customer, 

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable: 

* Main site 

* All web hosting services 

* Email services 

* Communication with the registry affecting new registrations, renewals, and transfers 

For access your account follow this link – http://www.enom.com 

The following services will not be affected and will continue to be fully operational: 

* DNS will resolve normally – although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period 

* Email forwarding and site redirection will operate normally 

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience. 

Sincerely, 

eNom Tech Support

However today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached. 

The attachment isn’t really a Microsoft update, it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectadly receive(you didn’t ask Microsoft to send you an attachment, so why would they really do this?)

XP Antivirus is a fake antivirus program

The road to XP Antivirus is:

1. A malicious ad appears on legitimate web sites. The operators of the web sites hosting this ad aren’t aware of what it is.
2. A message appears offering a product called XP Antivirus. The message reads:
• Attention! If your computer is infected, you could suffer data loss, erratic PC behaviour. PC freezes and creahes.

  Detect and remove viruses before they damage your computer!
  XP antivirus will perform a quick and 100% FREE scan of your computer for Viruses, Spyware and Adware.

  Do you want to install XP antivirus to scan your computer for malware now? (Recommended)

  (Note: I bolded the typo that appears in the original ad)

3. If you say ok then a fake anti virus program is installed.
4. The program then informs you about a large number of (untrue) malware on your computer
5. You’re then asked to pay to remove them

A few days ago I mentioned a similar scam for Macs called iMunizator. These things will never let up so take care who you trust. Don’t just run or install unknown programs on your computer.

Both 256MB and 1GB USB drives were infected with worms (W32.Fakerecy and W32.SillyFDC), and the worm can copy itself to all other mapped drives on your network.

This is particularly bad because IT technicians generally install these servers and generally have access to quite a few network drives.

HP’s software security response team admitted to the fault and has issued the following list of servers that shipped with the infected USB drive:

ProLiant BL20pG4; ProLiant BL25pG2
ProLiant BL45pG2
ProLiant BL260c
ProLiant BL460c; ProLiant BL465c; ProLiant BL465cG5; ProLiant BL480c
ProLiant BL680cG5; ProLiant BL685c; ProLiant BL685cG5
ProLiant DL120G5; ProLiant DL140G3; ProLiant DL145G3; ProLiant DL160G5;
ProLiant DL165G5; ProLiant DL180; ProLiant DL180G5; ProLiant DL185G5
ProLiant DL320G5; ProLiant DL320G5p; ProLiant DL320s; ProLiant DL360G5;
ProLiant DL365; ProLiant DL365G5; ProLiant DL380G5; ProLiant DL385G2;
ProLiant DL385G5
ProLiant DL580G4; ProLiant DL580G5; ProLiant DL585G2; ProLiant DL585G5
ProLiant ML110G4; ProLiant ML110G5; ProLiant ML115; ProLiant ML115G5;
ProLiant ML150G3; ProLiant Ml150G5
ProLiant ML310G4; ProLiant ML310G5; ProLiant ML350G5; ProLiant ML370G5
ProLiant ML570G4
IP Console Switch with virtual media
Server Console switch
Server Console Switch with virtual media
TFT7600 (USB Pass-through)
1U Rackmount Keyboard with USB

This kind of threat isn’t limited to HP customers. Any device you plug into a USB port can potentially carry malware. Therefore you should always have a good antivirus program running on your computers.

A while back we reported on similar incidents: Digital Picture Frames with malware, MP3 players sold with malware

Subject: PayPal Account Review Department

Dear PayPal customer,

We recently reviewed your account, and we suspect an unauthorized transaction on your account

Protecting your account is our primary concern. As a preventive measure we have temporary limited your access to sensitive information.

Paypal features. To ensure that your account is not compromised, simply hit “Resolution Center” to confirm your identity as member of Paypel.

• Login to your Paypal with your Paypal username and password.
• Confirm your identity as a card member of Paypal

Please confirm account information by clicking here Resolution Center and complete the “Steps to Remove Limitations.”

All typos and grammatical errors are from the original email.

If someone was to click on the link provided in the email they would be taken to a hacked copy of PayPal’s site and they’d be asked to provide their bank’s name, ATM PIN code, mother’s maiden name, birth date,and social security number. All very personal information that the real PayPal doesn’t need.

So avoid traps like these by never giving out sensitive information like the above, not trusting emails you didn’t ask for, and most of all use a good antivirus package that also scans web sites for attacks such as this. Also have a look at the new version of Haute we discussed recently, available for free.

There are thousands of phishing emails such as this and over time the quality of them gets better, such as the tax scams we wrote about earlier (Australian version here, US version here) and the student phishing attack last month.

It then suggests you try an antivirus program called Unigray. This is one of those fake antivirus programs that have been appearing lately. All it does is mess up your computer, and you’re asked to pay $39.90 for it.

So stay away from MonaRonaDona and Unigray. Use one of the popular antivirus packages (such as those you can buy in a computer shop).

When doing any taxes online please ensure the website is correct. See this earlier article on how to recognise deceptive domain names (URLs) and check for SSL certificates on the page (double click on the padlock icon in Internet Explorer, read who owns the site).

Good antivirus packages these days will also keep track of which web sites you go to and alert you if it’s a known fraud site. So it’s a good investment to purchase one.