Categories
End User scams

Obnoxious PPI pests move into sms

I’ve had a few calls from pests lying to me that could recover mis-sold Payment Protection Insurance (PPI). I know they are lying because I have never taken this sort of insurance out.

Today I received a text message from 07879989478 saying:

“Records passed to us show you’re entitled to a refund approximately £2130 in compensation from mis-selling of PPI on your credit card or loan. Reply INFO or stop”

I wouldn’t dare risk replying and am going to see if I can find out who owns the number. It is almost certainly an anonymous PAYG job but I quite like the idea of an expose.

Lets see how I get on.

tata

Categories
End User scams

Consumer Advice Bureau – Asian branch

Just took a call from a mobile number on my mobile. It was an Indian sounding lady representing the Consumer Advice Bureau. She wasn’t trying to take money off me or sell me anything or any scam like that which is a nice change. So many of these cold calls are from dodgy sources.

Anyway she was calling to advise me that I could save 70% on any payments I made on unsecured loans thanks to new government legislation. Yay.

Categories
Business dns internet scams security surveillance & privacy

Nominet – judge and jury of the world wide web?

We, the world, are still finding our feet on the internet, or more accurately the world wide web. The www is a great place to be and at the same time full of pitfalls and nasties. Much like real, physical life really. I taught my kids not to take sweeties from strangers – that applies on or offline.  In recent years I’ve added “don’t click on links you aren’t sure of” and probably a few other words of advice specific to tinterweb.

That’s a piece of wisdom relating to the www that had he but known it shows Charles Darwin’s theory of evolution in action. Survival of the fittest and all that.

It isn’t just the consumer that is still trying to understand the landscape of the www. Government is, business is, as I said we all are.

The good folks at .uk registry Nominet are also trying to understand where they fit into all this. Nominet has come under scrutiny in recent years over its corporate governance.

Categories
End User scams

Pre recorded phone message scam on mobile

I just got a pre-recorded message spam on my mobile phone trying to sell me some kind of insurance or other %^&*.  Aaaaaargh. The number was of course withheld.

This is a public statement concerning the despicable nature of people that perpetrate this type of intrusive scam. You are in the same category as ACSLaw in terms of low life.

Rant over – if anyone else wants to get it off their chest here I will authorise all comments unless you swear too much and I find it overly offensive.

 

Categories
End User internet online safety scams security

Internet scam awareness

I’m very proud of my wife. She got one of those phishing calls yesterday saying that a problem had been reported with a virus on her PC.

She is one of least technically savvy people going but told the caller (who was, from his accent, not from ’round here) where to go without batting an eyelid.

She said we have Radio 4 to thank as she had heard an item regarding such scams on the Today programme sometime recently. Good old Radio4, good old Mrs Davies.

Categories
Cloud End User online safety scams

Phishing – direct mail style

Just received my first ever phishing attempt via direct mail! With a second class stamp on it:) The only means of contact are a  ymail address and two Chinese telephone numbers, one of which is a fax line.

The funny thing is if I had received this letter ten years ago I might not have been so certain it was a scam but because it is such a common feature of email spam nowadays I know to just bin it. I wonder what he return on investment is – we are talking an envelope, a sheet of A4 paper, some ink and a stamp. It’s a lot more expensive to do it this way than to send out millions of emails.

I’m not going to reveal anymore details though. The writer has asked me to keep this totally confidential:)

PS the header photo was taken at dawn on the breakwater at Peel in the Isle of Man. Regular readers will know that I am the Mayor of Peel breakwater.

Categories
End User online safety scams security

Phishing by”Microsoft” engineers

I’m getting reports of increased levels of phishing attempts on broadband customers. People get a call from someone purporting to either work for Microsoft or on their behalf. The flavour of the calls go something like this:

  • “We are working on a password security breach”
  • “We are working with Microsoft and your ISP to increase your broadband speeds
  • “We have identified a problem with one of your servers and can fix it for £250”

By and large they want you to click on a link and then of course “you’ve been had”. Unfortunately as in many aspects of life on the internet the only real way to avoid being had is by being internet savvy. There is no quick fix.

Categories
Business dns Regs scams security

Nominet and the pseudo-judicial roles of ISPs

I met with the Police Central eCrime Unit last year as part on an ISPA group that wanted to understand the issues that police have in fighting internet related crime and to see whether there is anything that we could do to help.

The police’s biggest problem is the speed that things can happen at over the internet versus the amount of time it takes the judicial system to crank their mechanical organisational cogs. PCEU staff can, for example, be following a suspect criminal, either physically or electronically, and sometimes have very little time to pounce. A gang might be planning a fraud using online resources – facebook pages, gmail, skype etc. Access via a service provider to look at these resources takes a court order (RIPA) which takes time to organise and by the time it has been effected the crooks are often long gone.

If the police did not require judicial consent to access these data then the whole process could be speeded up and more criminals prevented from harming us. The problem is that even if it was clear to everyone concerned that providing the police with what they ask for was the right thing to do the act of doing so puts the ISP in breach of data protection laws. If the suspect criminal happens to be innocent (or otherwise) this potentially leaves the ISP open to legal action. We can’t have ISPs being asked to perform the role of the judiciary because they don’t have the same legal protection or training.

Now enter Nominet stage right. I have coincidentally just written about Nominet after attending the .uk registrar’s recent 25th birthday party. Nominet is proposing to change its

Categories
End User mobile connectivity scams security

sms #phishing

Had a couple of sms phishing attempts in the last couple of days:

“FREEMSG: Our records indicate you may be entitled to 3750 pounds for the Accident you had. To claim for free reply with YES to this msg.  To opt out text STOP.”

The each appear to come from a different mobile number.  Needless to say anyone getting one of these should just delete them.  I wouldn’t reply STOP. I don’t think there is anything we can do other than deleting them.  Unless you start gettign a lot of these message s it is probably too small a problem for the networks to take onboard. 

I wouldn’t be tempted to reply STOP.

Categories
End User scams security

New phishing attempt doing the rounds under guise of HMRC

It amuses me more than anything to see phishing attempts hit my inbox though it does worry me that I will one day have this uncontrollable urge to click on the link provided.

Today’s, looking as if it had come in from Her Majesty’s Customs and Revenue, was mildly believable.  It is after all coming up to that time of year where we have to think about tax returns.

The message read:
Taxpayer ID: trefd-00000159883557UK
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on HM Revenue and Customs (HMRC) website (click on the link below):

We caught this spam but it did attempt to get delivered to many Timico employees. For the safety of the reader I haven’t reproduced the link but I’d be mildly interested in a straw poll to see how many people got the email. And how many actually responded to it!

That’s not my taxpayer ID by the way 🙂

Categories
Business scams

Phorm fails

I read on Monday that BT had abandoned Phorm. I didn’t consider this worth commenting on. Today I see that Talk Talk has also dropped the behavioural advertising company.

From a consumer’s perspective I say hooray. As an ISP I don’t have a big enough business to make the Phorm business model work so I haven’t had the moral dilemma myself.  Apparently BT has said it has nothing to do with the furore over privacy rights but I doubt that anyone believes this.

Phorm is now having to say that it is concentrating on faster moving markets such as Korea and talks about live trials with Korea Telecom.  All I can say is that for it to work Korea Telecom has to have a thicker skin than any western based ISP.  Perhaps there isn’t the same privacy rights activity  in Asia.

Categories
End User internet scams security

Email scams

I went in to BBC Radio Lincolnshire this morning, as is my occasional wont, this time to talk about email scams. I am not particularly a security expert but I guess being in the ISP game I would get more exposure to this than your average Radio Lincolnshire listener.

It was all about phishing emails from people after your bank account details, and especially spoof emails notionally from people you know. As a bit of background research I googled “how to hack MSN” and I was astounded to find 952,000 websites on the subject.

Similarly there was plenty on Twitter and no doubt there will be stuff out there on Facebook and others. I didn’t follow more than a couple of links and the first article had already been removed. It does certainly highlight the vulnerabilities of the web.

I get phishing email daily, mostly caught in my spam quarantine folder, and all of which get ignored/deleted. I do get some very genuine looking spam though appearing to come from reputable contacts.  In one example a business partner of Timico’s had its contact databased copied a number of years ago.  I still get spam appearing to come from this partner.  There is nothing they can do about it. The data is gone.

I have never personally met someone who has been caught out by one of these phishing attempts. Not that is until last night when a friend rang me up and during the conversation mentioned that it had only just happened to him. He was busy and stupidly responded to an email and typed in his bank account details!

Luckily for him the bank spotted an unusual transaction and refunded the cash after calling him to check. It just goes to show how easily it can happen – to the unwary.

Categories
End User scams security

Phishing

As I’m sure most of you know Phishing is a scam whereby unfriendly persons try to coax confidential account details out of individuals so that they can attempt to steal things. We are talking bank account information, network logons etc.

Well this morning Timico was subjected to a phishing attack and many users were sent an email purporting to be from the company asking for username and password logons for their network and email accounts. It was a very poor attempt using the typical poor grammar of the criminal mind. The notional email address of the perpetrator was also left in full view.

I am not aware of anyone from Timico daft enough to respond to this but I thought it worth a blog post to show others the type of attack to be wary of. Internet users beware.

I do seem to get a wealth of material to blog about at Timico.

Categories
Business scams security

Top Ten Security Risks For Business

These are the risks as seen by Timico engineers in their travels around our customer base together with a few of my own real world observations.

This list is not authoritative but it should be insightful and if you are the owner or IT manager of a small or medium sized business then you could do worse than read it. Some of the points, such as updating your virus scanner, might appear to be obvious but believe me they represent real world scenarios.

 

1.       Poor wireless network setup

 

Do you really want someone sat outside your office using your wireless network and gaining access to your internal servers?

 

A business needs to set up WPA-PSK or WPA-RADIUS.  WEP is simply not good enough, and by attacking a connected WEP client the key can be broken within minutes by a novice.

 

When WEP keys are broken all traffic on the air can be decrypted, so plaintext authentication to web servers without HTTPS is visible.  Even  more alarming, is that an attacker can then create their own access point which looks exactly the same as the customers access point, and  then tell a client to reconnect.  Then any number of man-in-the-middle attacks can be done, including intercepting HTTPS traffic to an online banking site for instance.  Users tend to ignore invalid certificate warnings.

 

2.       Default passwords left on devices (switches and routers)

 

Even my kids know that “admin” and “password” are the logons to try first if you don’t know or have forgotten a username and password. So do the crooks.

 

3.       No security patches applied to external facing servers

 

These security patches are issued because businesses have had experience of servers being hacked by unfriendly agents.

 

4.       No web or e-mail filtering (content, anti-virus, phishing, and spam)

 

I was in a queue at the support desk at PC World. In front of me someone was complaining that their PC had ground to a halt. They had so many viruses on it a complete OS reload was required. They had not been using anti-virus software.

 

Also my wife has anti virus/spam on her PC. Her SPAM is filtered into a separate folder and when I looked recently there were 8,500 SPAM emails in this folder (8 weeks worth!). Her personal email doesn’t go through the Timico Mailsafe service so all mail is delivered and she relies on the PC based anti-SPAM solution to protect her. Many small businesses in particular complain about the amount of SPAM being delivered. If they don’t  have a local filter then this SPAM is going to appear in their inbox. SPAM filtering is therefore a massive productivity tool. It stops you having to delete the unwanted mails yourself.

 

5.       Anti-virus not updating.

 

You probably haven’t updated your subscription.

 

6.       Upset employees causing damage

 

Whilst there isn’t much you can do about this you can take steps to mitigate against potential problems – access lists for key network elements and password changes when someone leaves the business.

 

7.       Laptop being stolen with no disk encryption

 

Witness the high profile cases there have been in the UK this year: loss of social security data of millions of people, bank account personal details, national security/military  related information. Big potatoes compared to your own company data but do you really want lose a laptop with all your customer contact details on it.

 

8.       Poor firewall rules setup

 

If you don’t tie down your firewall to allow your very specific traffic i/o requirements then it can be easy for your network to be compromised without you knowing anything about it. Note it is a good idea to have firewalls on workstations configured to reduce risk of data theft in the event of a network breach.  Regular security auditing is also a good idea if the resources are available. Servers should have firewalls configured to prevent external access to non-public services such as remote desktop or ssh.  A secure VPN connection to the internal network should be established first by remote workers before using such services.

 

9.       Poor VPN security

 

Old clients using out of date protocols and short and easy to guess passwords are typical issues here. The use of security tokens is recommended for authenticating to privileged networks remotely.

 

10.       Poor or no password policy

 

For example, users never having to change their password. It is a pain in the neck to have to change a password regularly, especially when people today have many accounts that are password protected.  However changing important passwords on a regular basis is an essential security mechanism. Also who do you trust with your passwords?

 

Categories
Business scams

More phishing – lobster, crab, kipper, oysters, cod, haddock

 

Categories
End User scams

Phishing

Sorry – it’s not what you think. That should have read fishing. The quayside Whitby. I’ll talk about phishing another time.