Archive for the 'I got hacked/Phishing' Category
Farmers & Merchants Bank $50 survey scam

f-m bank email phishing site
Farmers & Merchants Bank is REAL; however, there is a phishing email going around claiming to be from this financial organization.


Dear Customer,

You’ve been selected to take part in our quick and easy survey
In return we will credit $50.00 to your account – Just for your time!

Please spare two minutes of your time and take part in our online survey
so we can improve our services.
Don’t miss this chance to change something.

To continue click on the link below:

Copyright © Farmers & Merchants Bank

MESSAGE FROM Farmers & Merchants Bank

Information Security is a top priority of Farmers & Merchants Bank. You will never be asked to furnish personal information via an email or any other electronic means.

Some of our Customers have received e-mails asking them to complete a survey for a $50.00 credit and asks for your Credit Card Information including your Personal Identification Number. These e-mails are not from Farmers & Merchants Bank.

If you are ever asked to furnish personal information, please ignore the request and delete the email immediately. Farmers & Merchants Bank will never ask you for confidential information electronically.

If you have any questions, please contact us at 256-447-9041.

Google’s antiphishing plugin leaked passwords

A recent press release from web security provider Finjan Inc. has exposed a security flaw with Google’s antiphishing browser extension for the Firefox web browser. Apparently, the extension accidentally gathered some users’ e-mail addresses and passwords.


The Fight Against Phishing- 44 Tips to Protect Yourself

Phishing costs businesses and consumers billions of dollars a year, even though only a small percentage of darts hit the target. Yes, even savvy Web users can get scammed. Here are 44 tips to make sure you don’t.


Google Toolbars Phishing: How to avoid it phishermen

Phishermen are targeting Google software:

An Internet security specialist says a
new threat forces computers to install faked Google software via
Instant Messengers, which then goes phishing.

If you have been in a coma for the last few years, phishing involves
criminals setting up fake sites, or sending emails about them, that look
exactly like they came from legitimate sources.  These sites usually
attempt to collect personal information such as logins and passwords of
oooh, I don't know… say a PayPal or bank

I get these phishing emails nearly every day.  “How can you tell
it's a phishing account?”  you ask.  Well, for one of my email
accounts I don't even have a paypal account set up, and it receives
repeated emails saying my “paypal” account is going to expire, or that my
paypal account had someone added to it.  Another thing is that
companies such as eBay, PayPal, and banks won't ask you to
log in.  If they do, call the actual eBay service rep and see what

Another thing you can do is click the “Show Original Message” button or
link on the opened email.  This will display the inner workings of
the email.  It will display the IP address where the email
actually came from.  With you can determine the location
of any IP address.  And with a tool called SAM SPADE you can get
even more information on IP addresses and DNS names.  Doing a
simple “traceroute” command may also give you the IP address if all you
have is the DNS name and want the IP.
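As an added illustration (not code from the original post), this Python sketch walks the Received headers that “Show Original Message” exposes. The sample message, host names and the `trusted_suffix` parameter are constructed for the example; only the hop stamped by your own provider's server is reliable, because every header below it can be written by the sender.

```python
import email
import ipaddress
import re

# Constructed sample (not from the post): documentation IP ranges and
# reserved example domains. The newest Received header is at the top.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [10.0.0.5])
    by inbox.recipient.example with ESMTP id abc123;
    Mon, 13 Jun 2005 10:00:03 -0700
Received: from relay.example.net (relay.example.net [198.51.100.23])
    by mx.recipient.example with ESMTP id def456;
    Mon, 13 Jun 2005 10:00:02 -0700
Received: from unknown (HELO paypal.com) ([203.0.113.77])
    by relay.example.net with SMTP;
    Mon, 13 Jun 2005 10:00:01 -0700
From: "PayPal Security" <service@paypal.com>
To: me@recipient.example
Subject: Your account will be suspended

Dear PayPal Member, ...
"""

# Internal hops (RFC 1918, loopback, link-local) say nothing about the sender.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# "from <claimed name> ... [ip] ... by <stamping server>"
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+).*?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]"
    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Return one dict per parseable Received header, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed text that is not an IP address
        hops.append({"claimed": m.group("claimed"), "ip": ip,
                     "by": m.group("by")})
    return hops


def trace(raw, trusted_suffix):
    """Split the chain into the verified handoff and the sender's claim."""
    external = [h for h in received_hops(raw) if not is_internal(h["ip"])]
    # Newest external hop stamped by a server in our own provider's domain.
    handoff = next((h for h in external
                    if h["by"] == trusted_suffix
                    or h["by"].endswith("." + trusted_suffix)), None)
    origin = external[-1] if external else None  # oldest hop: unverified
    return {
        "handoff_ip": str(handoff["ip"]) if handoff else None,
        "claimed_origin_ip": str(origin["ip"]) if origin else None,
        "claimed_origin_name": origin["claimed"] if origin else None,
    }


if __name__ == "__main__":
    print(trace(RAW_MESSAGE, "recipient.example"))
```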

If you do go to the Phisher site, first of all be careful: some
of these sites are exploit sites, meaning if your system is not patched
and protected it could possibly load malicious code on your
system.  Once you get to the site, right-click and “View the page
Source”.  This will tell you what is really going on with the site in


Anatomy of A PayPal Identity Theft Scam – The 7 Warning Signs

Paypal is becoming the online payment processor of choice for many users. Paypal allows virtually anyone to accept credit card payments. Paypal is also a great way to send and receive electronic payments. Unfortunately, fame has its price, and in the case of Paypal that means scam artists preying on Paypal members.

The most common Paypal scam involves e-mail. You will receive an e-mail from someone claiming to be Paypal requesting that you verify your information. That is Warning Sign 1: Paypal will never send you an e-mail requesting your personal information.

Often this e-mail will be sent to an e-mail address that is not the same one that Paypal has on file. That is Warning Sign 2.

The Third Warning Sign is forged headers (From address). This is often hard to detect without knowledge of the Internet. Many spam filters are now set up to block e-mail that has forged headers. Ask your e-mail provider how you can block forged headers.

The Fourth Warning Sign is that the greeting says something like Dear Paypal User or Paypal Member. Paypal knows who you are; they will use the name you registered with.

The Fifth Warning Sign is the threat. The e-mail will threaten to suspend your account if you don't take immediate action.

The Sixth Warning Sign is a non-secure page. If you do click on the link in the e-mail you will not be on a secure page: no https in the URL and no little padlock in the lower left-hand corner of your browser.

Bad Grammar or Misspelled words in the

If you receive an e-mail from Paypal with even 1 of these warning signs, more likely than not it is a scam. Forward the e-mail to Paypal and ask for assistance if you have any doubts.

Don't let these modern-day thieves keep you from going about your everyday life. Life is a risk; the key, of course, is to do all you can to protect yourself and still enjoy life.
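The first six warning signs can be checked mechanically. The following Python is an added example, not part of the original article: the two messages are constructed, `registered_address` and `account_name` are hypothetical parameters standing for what the account holder knows, and each check is a heuristic (a differing Return-Path, for instance, also occurs in legitimate bulk mail).

```python
import email
import re
from email.utils import parseaddr

# Constructed samples (not from the article).
SUSPICIOUS = """\
Return-Path: <bounce@mailer.example.net>
From: "PayPal" <service@paypal.com>
To: old-alias@recipient.example
Subject: Account notice

Dear PayPal Member,

Please verify your information within 24 hours or your account
will be suspended: http://paypal.example.org/verify
"""

ROUTINE = """\
Return-Path: <service@paypal.com>
From: "PayPal" <service@paypal.com>
To: rob@recipient.example
Subject: Monthly statement

Dear Rob Example,

Your monthly statement is ready at https://www.paypal.com/
"""

REQUEST_RE = re.compile(
    r"\b(verify|confirm|update)\b.{0,40}?\b(information|password|card|pin)\b",
    re.I | re.S)
THREAT_RE = re.compile(r"\b(suspend(ed)?|terminated?|deactivated?|closed)\b",
                       re.I)


def domain(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def warning_signs(raw, registered_address, account_name):
    """Return the numbers (1-6) of the article's warning signs that fire."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    greeting = next((l for l in body.splitlines() if l.strip()), "")
    signs = []
    if REQUEST_RE.search(body):                       # 1: asks for details
        signs.append(1)
    if parseaddr(msg.get("To", ""))[1].lower() != registered_address.lower():
        signs.append(2)                               # 2: wrong address
    if domain(msg.get("From", "")) != domain(msg.get("Return-Path", "")):
        signs.append(3)                               # 3: header mismatch
    if account_name.lower() not in greeting.lower():
        signs.append(4)                               # 4: generic greeting
    if THREAT_RE.search(body):                        # 5: threat
        signs.append(5)
    if re.search(r"\bhttp://", body, re.I):           # 6: non-https link
        signs.append(6)
    return signs


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, warning_signs(raw, "rob@recipient.example", "Rob Example"))
```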

About The Author:
Mike Makler has been Marketing Online Since 2001 When he Built an Organization of over 100,000 Members


Phishers target Yahoo! Photos

Phishing attacks that attempt to capture a user's Yahoo! ID and password by tricking the gullible into handing over their credentials to fake sign-in pages have been around for months if not years. Recently, though, these phishing sites have begun using alternative Yahoo! Sign In pages, such as Yahoo! Photos, net security firm Websense reports.

I get links to these sites via email all the time.  It seems that if you place your email address on a website, these criminals have automated software that finds these addresses and emails you a false email from PayPal or Yahoo! or ebay or any other account that you might have digital cash in.

Some of the emails they send look legit.  But if you look under the hood, you'll see that it goes to sites that have nothing to do with the company it claims to be from.  Typically, the address comes from outside the U.S. 


Why Corporations Need to Worry About Phishing

Phishing is a relatively new form of online fraud that focuses on fooling the victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, the victim provides information into a form on the imposter site, which then relays the information to the fraudster.

Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, Phishing attacks increased by 4000%. Compounding the issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.

Corporations should be concerned with the following four issues:

* Protecting employees from fraud
* Reassuring and educating customers
* Protecting their brand
* Preventing network intrusions and dissemination of trade secrets

A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in the marketplace. If employees are not protected, the company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then the company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust the organization with their sensitive information. And finally, the latest trend in phishing has been to socially engineer employees or business partners to divulge sensitive trade secrets to hackers. The implications of employee login information getting into the wrong hands could result in grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.

Protecting Employees from Phishing

One of the best ways to protect employees from Phishing is to prevent spam from ever getting to the user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing the majority of phishing attempts.

New technologies are also available to help prevent phishing. One such technology offered as a standard by Microsoft and supported by CipherTrust is the Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying the source of each email.

Of course, spam filtering and SIDF cannot solve the problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve the phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.

Reassuring and Educating Customers

Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications, and the need to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of the site be devoted to helping customers avoid fraud.

Companies that make efforts to educate their customers about phishing are much less attractive targets than those who make no efforts at all. Some examples of organizations that have developed extensive policies around this issue are:

* USBank
* Wells Fargo Bank
* Ebay and PayPal
* Citibank

Protecting the Company Brand

Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and brand equity is eroded. The more attacks a company suffers, the less consumers feel they can trust the company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust the company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial options such as telesales or retail locations.

Clearly, the goal is to convince the fraudsters that your customers will not fall for the scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. The fraudsters tend to follow the path of least resistance. Seeing that customers are well informed of how to avoid phishing attacks, the perpetrators simply turn their attention to other “softer” targets.

Preventing Network Intrusions and Dissemination of Trade Secrets

Employees must be educated not only about phishing generally, but also about how fraudsters might use social engineering and other methods to entice employees to divulge sensitive information to hackers outside the organization.

With little knowledge of an organization’s business methods, hackers can easily distribute hundreds or even thousands of spoofed messages to an organization’s employees. The messages may ask for network passwords and usernames, or may attempt to fool employees into providing sensitive information to competitors.

It is important to properly train employees about what information is appropriate to share through email, and specifically what steps employees should take if they are unsure about the authenticity of a request for information.

Information gleaned by fraudsters from corporate networks can be used in a variety of nefarious ways. In the financial services industry, criminals can use credit cards to deduct money straight from accounts of unsuspecting victims. Many other organizations hold private healthcare information, or personal financial information that could be used by criminals to extort payoffs from corporations wishing to avoid the bad publicity of a security breach becoming public knowledge.

Though deflecting this attack does involve a significant amount of education, content filtering on outbound e-mail traffic can flag suspicious communications. Using regular expressions to look for patterns such as social security numbers and account numbers can prevent a simple deception from becoming a major liability issue.
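A minimal version of such an outbound filter, as an added Python example that is not part of the original article or any CipherTrust product. The sample messages are constructed; card numbers stand in for "account numbers" and are confirmed with the Luhn checksum so that order numbers and dates do not trigger a hold, and findings are redacted so the filter's own log does not store the data.

```python
import re

# SSN shape 3-2-4, excluding area numbers 000, 666, 9xx, group 00 and
# serial 0000 to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample messages (not from the article).
LEAK = ("Per your email, my SSN is 123-45-6789 and the card is "
        "4111 1111 1111 1111, PIN to follow.")
BENIGN = "Order 1234567890123456 ships 2005-06-13; call extension 555-0100."


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_outbound(text):
    """Return (kind, redacted value) pairs for sensitive data in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(1)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # digit runs that fail Luhn are ignored
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def should_hold(text):
    """Policy decision: hold the message for review if anything was found."""
    return bool(scan_outbound(text))


if __name__ == "__main__":
    for name, body in (("leak", LEAK), ("benign", BENIGN)):
        print(name, should_hold(body), scan_outbound(body))
```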

What to Do If You Are the Victim of a Phishing Scam

If you become aware of fraudsters imitating your organization to commit phishing fraud, you should:

* Immediately educate your customers on how they can correctly identify the phish

* Notify the authorities of your situation. Phishing Fraudsters may have violated all or some of the following Federal Laws:

— 18 U.S.C. 1028(a)(7) – Identity Theft
— 18 U.S.C. 1343 – Wire Fraud
— 18 U.S.C. 1029 – Credit-card Fraud
— 18 U.S.C. 1344 – Bank Fraud
— 18 U.S.C. 1030 (a)(4) – Computer Fraud
— 18 U.S.C. 1037 – CAN-SPAM Act
— 18 U.S.C. 1028(a)(5) – Damage to computer systems and files

* Prosecute the criminals – when Spammers use your trademarks to commit fraud, they are violating U.S. Trademark laws as well as anti-fraud laws. Your organization has the right to defend its mark in court.

If you find that you are personally the victim of a phishing scam, then you should identify what information was compromised and then:

* If the fraudster obtained your Bank Account, Credit, ATM or Debit Card information:

— Report the theft to your card issuer, and cancel the account

— Check your statements for any unauthorized charges and follow up with your financial institution regarding their procedures for minimizing your liability to the charges

* If the fraudster has obtained your personal identification information:

— Contact the credit reporting agencies:

* Experian

* Equifax

* Trans Union

— Request that a fraud alert be placed on your record

— Request a copy of your credit report and follow up on any unauthorized credit inquiries

— Request that unauthorized credit inquiries be erased from your record

— Notify your bank of potential fraud

— File a police report with your local police department

— File a report with the Social Security Administration

— Notify the Department of Motor Vehicles and determine if an unauthorized driver’s license number has been issued in your name

— Notify the Federal Trade Commission

— File a complaint with the Internet Fraud Complaint Center








Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security. The company’s flagship product, IronMail provides a best of breed defense against phishing attacks and other email-based threats.

Strategies To Protect Yourself Against Identity Theft

Identity theft is a serious crime that is growing each year. If you're a victim of identity theft you may spend months, even years, trying to repair a ruined credit history. A seriously damaged credit report can compromise your chances of getting a new job, a bank loan, insurance or even rental housing. It's even possible to be arrested for a crime you didn't commit if someone else has used your identity to break the law.

Unfortunately, many of the methods that thieves use to steal identities are beyond your control to guard against. Although it's rare, even store clerks have been known to use their position to pass along information to identity thieves. There are some measures you can take, however, that will make it harder for a thief to steal your identity.

Protect Your Credit Card Number When Making Purchases

After you make a purchase and your credit or debit card has been swiped through a credit card terminal, check to make sure that the printed receipt hides all but the last 4 digits of your credit card account number (usually there will be Xs in place of the first 12 digits). Some terminals still print receipts that show all 16 digits of an account number, and may even include the expiration date as well. After your card is swiped, you're permitted by law to hide the first 12 digits of your account number on the copy of the receipt that the vendor keeps. Use any marking pen that will do the job.

When you go to a restaurant, it's especially important to make sure that the first 12 digits of your credit card number are hidden on your receipt. You might be in the habit of signing it and then leaving the restaurant's copy on the table after your meal. An identity thief can easily steal the signed receipt before the waitperson comes back around to pick it up from the table. Don't take any chances.

Do You Really Need To Give Your Social Security Number?

Another important way that you can guard against identity theft is to avoid giving out your social security number unless it's absolutely required. Although you need to share your social security number when you apply for credit or for a bank account, sometimes a store or an organization will want to use it as an ID number, simply to identify you within their system. This is a common practice even though the law says that social security numbers aren't to be used as ID numbers. In these situations, use your judgment. There's usually an alternative if you ask.

Destroy Documents That Contain Sensitive Personal Information

Buy a paper shredder and use it to destroy documents you're throwing away which contain personal information such as credit card numbers, social security numbers, phone numbers and dates of birth. This is important to do both at home and at work. Identity thieves aren't above going through someone's trash to find valuable personal information that can help them obtain credit in your name.

If The Worst Happens

If you do become a victim of identity theft, take the following steps immediately:

  • Contact your credit card companies, close your accounts and ask to have new cards issued to you.
  • Place a fraud alert on your file with any one of the three major credit bureaus. The other two will be notified automatically.
  • File a police report. You may need it to show to creditors as proof of the crime.
  • File a complaint with the FTC, which maintains a database of identity theft cases used by law enforcement agencies for their investigations.

Spam and Phishing, Europe and the USA against the scourge

According to an analysis by Trend Micro, a company that specializes in computer security, 2004 was a record year for the distribution of computer viruses: 30 attacks, 28 of them medium risk and two high risk. Three worms held the top position: Bagle, Mydoom and Netsky, which, together with their variants, were the cause of 25 of the registered attacks.

Email was the preferred distribution channel for many black hat hackers, but others chose other illegal channels to cause more serious damage. The indiscriminate sending of email messages and/or newsletters without the consent of the receiver, known as Spam, is illegal. In some countries (the most developed ones), the authorities have established that sending email without the consent of the receiver is illegal. If this activity is done systematically for profit, you also violate a criminal statute and could be reported to the judicial authorities.

There are several sanctions, including, in the worst case, imprisonment. The damage that these activities have done to companies and people has been enormous. On top of this comes another scourge called Phishing, the name given to the practice of capturing information such as passwords or other personal information. Many criminal hackers and digital con artists pretend to be reliable people with a real need for the information. They send false emails containing eBay or PayPal graphics and official logos, or offering banking and credit card services, and ask you to fill in a form enclosed in the same email or on a web page with your personal data, and often with your passwords or credit card numbers. The form has nothing to do with the official organization imitated in the mail, so the password or credit card number ends up in the database of the black hat who sent the false email. The experts define this illegal practice as a form of “Social Engineering”.

The latest news on this issue is that, in order to fight the main threats coming through the web, Spam and Phishing, Europe and the United States have promoted two very distinct initiatives that will start at the same time. The intention is to defeat the virtual monster that has caused damage worth millions of euros year after year and, according to the experts, will involve a considerable number of people. “Safer Internet Plus” is the project carried forward in Europe. The main target of the project is to beat Spam. The American project, on the other hand, is called “Digital PhishNet” and is based on the collaboration of several institutions, such as the FBI, and private companies. The target is to identify and bring to justice the people responsible for online fraud, committed above all through the technique of Phishing.

A computer virus is a small program able to modify itself, clone itself and send itself on in order to damage a network or a single machine or make it vulnerable.

Spamming means the indiscriminate sending of email and/or newsletter messages, without the consent of the receiver.

According to the definition in “Wikipedia”, Phishing is the capture of personal information, such as passwords, by a hacker posing as a trustworthy person with a real need for that information. It is a form of “Social Engineering”.

Social Engineering is the simplest and most reliable means of obtaining information that you could not learn otherwise, for example a username or even personal data (address, telephone number, etc.).

A Black Hat is a criminal hacker.

Hacking and Enlightenment: Ed and Me on hacking

This is my conversation with ED on my misuse of the word hacker on one of my websites:

Whoa, whoa, ED…

I think my wording has completely misled you.  Here is my feeling about hackers:

About Defcon13 and Hackers vs. “Security Pros”:

My discussion with Martin about hackers:

My thoughts on hacking and the non believers (at the bottom by Sun Tzu):

Dude, I love hackers.  I'd like to consider myself a hacker.. but I
don't feel worthy.  I've got the passion but I don't have the gift. 
I've already been to the Oracle (bad matrix joke).

Perhaps I should reword that article.  I believe in taking the
concept of hacking back to its original roots before it was hijacked by
the media.  I DO NOT want to contribute to that dogma.

The Phisher
used a combination of mail fraud and manipulated email and even set up
a server.  He probably got tons of money and merchandise from ebay

Like computer and/or telecommunication devices, I believe ANY system
can be hacked.. email systems, smoke alarms in Delta air planes, bar
code readers, RFID's, FEDEX, all can be reprogrammed, streamlined,
reverse engineered,  exploited and manipulated for good or for evil

For me, that is what makes hacking so cool.  A true “hack” is done upon
gaining a new understanding of a given system.  Of course, some hacks
are discovered completely by accident, but the hacks that are done out
of understanding are like a form of enlightenment.

Check it out… Buddha hacked the Universe… (o.k. too much weed).

On 6/13/05, ed <> wrote:

hey rob,

this incident has absolutely nothing to do with hackers.  it's called “mail
fraud” and “wire fraud”.  what computer or telecommunications system was
“hacked” here?

call a spade a spade: the vast majority of hackers are not
thieves.  sure, a few are–but that's like calling all car
drivers “bank getaway car drivers.”

you're not helping to solve
the problem by blaming the wrong group of people.  you should
be blaming criminals, not hackers–who have nothing to do with your
unfortunate experience.



From: ME
Subject: Phisherprice: Phishing on Ebay During the Holidays
Date: 8 May 2005 16:13:28 -0700

hacker tried to get a free phone using a phishing technique that I had
never heard of.  The phisher used a Western Union Auction
Money order form (a fake number) and actually sent me the fedex label
and had fedex come to my house to pick up the phone.  Even though I
didn't have the cash for the phone yet.

The Phishing exploit relies on the buyer's greed and the feverish haste of holiday spending.

Here is the phishing exploit in detail: