We can check your plugins and stuff

Sunday, November 13, 2011

Don't let the spammers get you!!!!!

A few days back I helped an acquaintance recover and secure his/her cracked Yahoo account. The hack was a typical ruse played by spammers: after taking over the account, the cracker copied the entire contact book and deleted the original contact book from the email account, then made a fake new account by adding a letter to the original account name. A filter was set up to auto-forward all mail received to this account, and another filter was set to add a blind carbon copy to another account. (This is done so that, just in case the original account is recovered via password recovery and the secret question, the cracker can still monitor what is going on.)

The person concerned was worried, as all his/her contacts had been deleted from the account, and he/she suspected it was a hack attempt by a business rival. I had to scan, examine and check the laptop for any attempt at deliberate cracking. The initial scanning and testing showed that the laptop was not secure by any stretch of the imagination.

Multiple glaring security omissions were noted. The OS was not patched with any service packs or the hot-fixes released thereafter. The account in use was an administrator-level account. The system did have antivirus software installed ... but it was something I would not recommend to anyone. It has a known poor detection rate and does not protect from web attacks like script-based worms, code injection etc. Worst of all, it does not have a dedicated anti-rootkit and anti-spyware component. To top it all, multiple service packs and patches were missing from popular software like MS Office, web browsers, browser add-ons and an old Java virtual machine. All in all, the system was crying out to be taken over sooner or later.

Now on to the actual ruse played by the cracker. As mentioned, the cracker deleted the original contact list. Before doing this, a mail was sent to the entire address book .... this mail is typical of the phishing attacks we see these days. All the contacts were told that the owner of the account was stranded in Spain and had had his/her visa taken away. He/she pleaded with them to send money via online transfer so he/she could get back into his/her hotel and get back home safely. The actual account holder had been getting concerned calls since early morning from people all over the world. Some had also fallen for the con and replied to the mail.

The reply was auto-forwarded to the fake email account, and details of a temporary Western Union transfer account to wire the money to were sent back. Even a contact number was given in the fake mail. (Do not call such numbers, as they could be ISD calls, premium rate numbers or even a collect call. You may end up paying a large amount in call charges.) Sadly, in this case a few people did send some money. (If you are in such a fix, always make sure to contact the actual person on his/her known landline or cellphone.)

The victim was educated on how to secure his/her laptop and update the OS and other software. Email account settings were restored to normal, the password was changed, and the victim was told to make use of a strong password and features like the Secure Text/Picture of Yahoo. Account logs were checked, and showed that the crackers first accessed the account from Kenya and later from Australia. (At this point it is not clear if they were the same person/group using proxy servers or working over the Internet.) All spoofed emails/headers/IP address details were noted and saved. The victim was advised to contact the people in his address book and tell them not to respond to any such emails, and to file a cyber crime report with the local cyber crime cell and submit the details as evidence.

Conclusion: The ruse played on the emotions of the people in the address book to skim off money via online transfer. The address book was deleted to keep the account holder from letting people know that the mail was fake. If you have been using an email account for a long time, it is a good idea to take a backup of your contacts. Check all filter/forwarding settings and make use of all the security features possible. Use common sense and contact the person on a known number to confirm any such event.
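
A check for the "fake account with one added letter" trick described above, as an added example that is not part of the original post: it reads the From/Reply-To/Return-Path headers of a saved message and flags any address that is a known contact's address plus one extra character. The function name `check_senders`, the one-address-per-line address book file and the sample addresses are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post).
# check_senders ADDRESS_BOOK < message-headers
# Prints one line per From/Reply-To/Return-Path address that equals a known
# contact's address with one extra character before the "@".
check_senders() {
    tr -d '\r' | awk -v book="$1" '
        BEGIN {
            # Address book (assumed format): one address per line.
            while ((getline a < book) > 0) {
                a = tolower(a); gsub(/[ \t\r]/, "", a)
                if (a ~ /@/) known[a] = 1
            }
        }
        tolower($0) ~ /^(from|reply-to|return-path):/ {
            hdr = substr($0, 1, index($0, ":") - 1)
            if (!match($0, /[^ \t<>:"]+@[^ \t<>"]+/)) next
            s = tolower(substr($0, RSTART, RLENGTH))
            if (s in known) next              # exact match: the real contact
            at = index(s, "@")
            loc = substr(s, 1, at - 1); dom = substr(s, at)
            # Remove each character of the local part in turn. If what is left
            # is a known contact, s is that contact plus one added letter.
            for (i = 1; i <= length(loc); i++) {
                cand = substr(loc, 1, i - 1) substr(loc, i + 1) dom
                if (cand in known) { print hdr ": " s " imitates " cand; break }
            }
        }'
}

# Constructed sample data, not taken from the incident.
demo_senders() {
    local d; d="$(mktemp -d)"
    printf '%s\n' 'a.kumar@mail.example' 'priya@mail.example' > "$d/book"
    printf '%s\n' 'From: "A Kumar" <a.kumar@mail.example>' \
        'Reply-To: A Kumar <a.kumarr@mail.example>' \
        'Subject: Stranded, please help' | check_senders "$d/book"
    rm -rf "$d"
}
demo_senders
```

The same comparison can be run over the forwarding and BCC targets found in the account's filter settings, since those pointed at the look-alike account too.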


P.S --- Case of the Internet con to get a good job!!!!!

Received a similar mail today that tries to exploit another human emotion. This one is a pure con, and promises you a very lucrative job offer. No hackers or hi-tech involved.. in fact the attachment itself is a plain text file. No virus or trojan etc.


MARUTI SUZUKI INDIA LTD (MSIL)
Head Office Maruti Suzuki,
India Limited Nelson Mandela Road,
Vasant Kunj, New Delhi-110070.

REF: "MARUTI SUZUKI" DIRECT RECRUITMENTS OFFER.

Your Resume has been shortlisted for our new plant.The Company selected 45 candidates list for Senior Engineer IT,Administration,Production,marketing and general service Departments, It is our pleasure to inform you that your Resume was selected as one of the 45 candidates shortlisted for the interview.

The Company SUZUKI is the best Manufacturing Car Company in India, The Company is recruiting the candidates for our new Plants in Delhi,Bangalore, Pune and Mumbai.Your interview will be held at The Company Corporate office in New Delhi on 23rd of November 2011,at 11.30 AM, you Will be pleased to know that the 45 candidates selected 34 candidates will be giving appointment,Meaning that your Application can progress to final stage. You will have to come to the Company corporate office in New
Delhi,your offer letter with Air Ticket will be sent to you by courier before date of interview.

The Company can offer you a salary with benefits for this post 62, 000/- to 200, 000/-P.M. + (HRA + D.A + Conveyance and other Company benefits.The designation and Job Location will be fixing by Company HRD. At time of final process.You have to come with photo-copies of all required documents.

REQUIRED DOCUMENTS BY THE COMPANY HRD.
======================================
1) Photo-copies of Qualification Documents.
2) Photo-copies of Experience Certificates (If any)
3) Photo-copies of Address Proof
4) Two Passport Size Photographs.
5) Mobile Number


Please note: All requirement should be sent to this email:
maruti_cars@hotmail.com

You have to deposit the (Cash) as an initial amount in favor of our company accountant name in charges to collect your payment department for Rs.16,200/- ( Sixteen Thousand two hundred rupees ) through any [STATE BANK OF INDIA] OR [AXIS BANK] Branch from your Home City to our Company accountant name in charges. Account NO:,which will be sent to you upon your response. This is a refundable interview security. Your offer letter with Air tickets will be sent to your Home Address by courier after
receiving the confirmation of interview security deposited in any of the STATE BANK OF INDIA OR AXIS BANK.
This Company will pay all the expenditure to you at the time of face-to-face meeting with you in Company. The Job profile, salary offer, and date -time of interview will be mentioned in your offer letter. Your offer letter will dispatched very shortly after receiving your confirmation of cash deposited in STATE BANK OF INDIA OR AXIS BANK.
We wish you the best of luck for the subsequent and remaining stage.The last date of security deposits in bank is 20th of November, 2011. You have to give the information after deposited the security amount in bank to the Company HRD-direct recruitment via email.Your Offer Letter with supporting document will be dispatched same time by courier to your postal address after receipt of security deposited confirmation in bank. The interview process and arrangement expenditure will be paid by SUZUKI COMPANY.Lodging, traveling and local conveyance actual will be paid by MARUTI SUZUKI COMPANY as per bills. The candidate has to deposit the initial refundable security as mentioned by HRD.NB: You are advice to reconfirm your mailing address and phone number in your reply.And 16,200/(Sixteen Thousand two hundred rupees) will be the refundable amount,as 200rupees will be deducted as bank charges for funds deposit and if you are been selected or not, still the amount will be refunded to you,as the amount is just to prove that you will be coming for the interview in order for us not to run at lost after sending you the air ticket Offer Letter and you don't show up on the day of interview.

Wishing you the best of luck.

Regards,
Shinzo Nakanishi
Chief Executive Officer, Managing Director,
MARUTI SUZUKI INDIA LTD (MSIL)

_____________________________________________________________________________

Conclusion: Now you have to use common sense; some of the details may be true. But how in heaven am I being offered a job at MARUTI SUZUKI when I did not even apply? My CV is not even online at any job portals :P :P LOL. By reading the text marked in RED, it should be very clear that this is an attempt to rip you off and IS TOTALLY FAKE. Do not send any details or money to them. A company like MARUTI SUZUKI (automobile makers) will never use a Hotmail id to send you official emails from HR.

Gmail is not marking such mail as spam right now. If you happen to get such a mail, mark it as spam. Report the ongoing scam to the company involved. Tell the world, your friends and your dog about this. Save them all :)
Be safe...

Saturday, February 12, 2011

Quick and easy way to block ads and spam in Fedora Linux

How many times have we all wished that the web site or web page we were visiting would load up faster? Nowadays, no matter what site you visit (blogs, news, forums, portals or generic web sites), they are all littered with all sorts of JavaScript, Flash animations, Java applets, ActiveX controls and cross feeds via dynamic HTML/scripting to one or more advertising servers. If you have ever watched the bottom of the web browser while opening any standard site such as Facebook, Orkut, BBC News etc., you will have seen the web browser trying to connect to many different sites and many, many different sub domains.

Most big sites pull content from many different sites and sub domains. At times the main site that you are trying to reach will not even load completely, all because of a slow ad server or sub domain from which it is pulling the info or advertisement. To get out of this rut we have to refresh the page many times in the hope of the entire content being loaded. There are a few ways to get around this; today we will look at one such very easy way. This method has the added advantage that it blocks known bad/evil domains that serve malware, spyware and spam. It also provides an extra layer of defense against all those hackers and script kiddies so eager to steal your data, cookies, web logins and your peace of mind in general.

Under most *nix-like systems a web address is first checked against the hosts file. If a match is not found, a DNS lookup is done for the IP address, as web browsers work on IP internally over HTTP/FTP(S). What we will do is use the hosts file to block unwanted domains and IP addresses.... Aha, you say, old trick, what's so great about it? Well, for starters we will use some bash script magic to automate this for us. The list(s) come from very well-known sources like WOT/mvps.... so let's get to it. You will need the following tools installed (these are preinstalled in Fedora): wget, unzip, dos2unix, grep. If for some reason your system does not have any of these, do a quick 'yum install' to install the missing tool. Copy and paste the code below and save it as hostup.sh

****************
#!/bin/bash
# uphosts - Hosts File Updater
# README:
#original script found at http://guide.debianizzati.org/index.php/UpHosts
#Bad hosts are blocked putting them in the hosts file as 0.0.0.0
# To add other sources script must be manually modified
# Permanent entries must be added to the original file
# THIS SCRIPT HAS NO WARRANTY !
# Thanks to:
# http://ubuntuedintorni.wordpress.com/2009/06/29/di-script-dns-e-file-host/
# http://hostsfile.mine.nu/downloads/updatehosts.sh.txt
# 20101216 Paolo
# has been modified to work under Fedora/RHEL/CentOS
#-----------------------------------------------------------------------

HOSTSPATH="/tmp/hosts-`date +%s`"               # Temp directory
HOSTSFILE="/etc/hosts"                          # Hosts file
ORIGFILE="$HOSTSFILE.original"                  # Backup file

CONFDIR="$(dirname "$(readlink -f "$0")")"  # Parent directory of the script
BLACKLIST="$CONFDIR/uphosts-blacklist"  # Local Blacklist
WHITELIST="$CONFDIR/uphosts-whitelist"  # Whitelist

PROXYUSER="" #PROXYUSER="--proxy-user=user.name"
PROXYPASS="" #PROXYPASS="--proxy-password=password"

DAYS="2" # Update frequency
#-----------------------------------------------------------------------
# Checks for root privileges
if [ "$(whoami)" != 'root' ] ; then
        echo "You need to be root to execute uphosts. Exiting!"
        exit 1
fi

# Checks required packages
ABORT=0
builtin type -P wget     &>/dev/null || { echo -n "wget is missing."; ABORT=1; }
builtin type -P unzip    &>/dev/null || { echo -n "unzip is missing."; ABORT=1; }
builtin type -P dos2unix  &>/dev/null || { echo -n "dos2unix is missing."; ABORT=1; }
builtin type -P grep     &>/dev/null || { echo -n "grep is missing."; ABORT=1; }

if [ $ABORT != 0 ] ; then
        echo " Exiting!"
        exit 2
fi

# Limits updates if uphosts is run often (i.e. at every if-up)
# If there is no original hosts file this is the first run on a fresh system, and update runs anyway
if [ -f "$ORIGFILE" ] && [ -n "$(find "$HOSTSFILE" -mtime -"$DAYS")" ] ; then
        echo "$HOSTSFILE is less than $DAYS days old. Exiting!"
        exit 3
fi
************
This script needs root to execute. Make the script executable with # chmod +x ./hostup.sh
Now run the script with # ./hostup.sh [You should see something like this]
Retrieving hphosts from http://support.it-mate.co.uk/downloads ... OK
Retrieving hphosts-partial from http://www.hosts-file.net ... OK
Retrieving mvps from http://www.mvps.org/winhelp2002 ... OK
Merging lists ... OK
Writing hosts file /etc/hosts ... OK
Update process complete - 134929 hosts blocked!

That's it and we are done. Enjoy a safer and faster web experience.

P.S - In a perfect world I should have unlimited bandwidth and money ;) .... But alas, though this method is great and saves a lot of pain and manual effort, it does sometimes block some sites and forums from loading properly.. if that is the case, just open the hosts file in vi
#vi /etc/hosts and add a "#" to comment out the site to unblock it. Do not forget to save the hosts file. Refresh the page in your browser.
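
Since the script runs as root and writes downloaded lists into /etc/hosts, the merge step is worth sanitising. The following is an added example, not code from the original uphosts script: it keeps only the hostname from each upstream line, always writes 0.0.0.0 itself, rejects any entry that maps a name to a real address, and applies a whitelist so that a wanted site does not have to be commented out by hand after every update. The function name `sanitize_hosts`, the file layout and the sample entries are assumptions constructed for illustration; it prints to stdout and never touches /etc/hosts.

```bash
#!/bin/bash
# Added example, not part of the original uphosts script.
# sanitize_hosts WHITELIST LIST... prints sorted, unique "0.0.0.0 host" lines.
sanitize_hosts() {
    local whitelist="$1"; shift
    cat -- "$@" | tr -d '\r' | awk -v wl="$whitelist" '
        BEGIN {
            # Load the whitelist: one hostname per line, "#" starts a comment.
            while ((getline line < wl) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
        }
        {
            sub(/#.*/, "")              # drop comments
            if (NF < 2) next            # need "address hostname"
            # Accept sinkhole entries only. Any other address would let the
            # list author point a name at a server of their choice.
            if ($1 != "0.0.0.0" && $1 != "127.0.0.1") { rejected++; next }
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h ~ /^localhost\./) continue
                if (h !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/) { rejected++; continue }
                if (h in allow) continue        # whitelisted by the user
                print "0.0.0.0 " h              # never reuse the upstream address
            }
        }
        END { printf "rejected %d suspicious entries\n", rejected > "/dev/stderr" }
    ' | sort -u
}

# Constructed sample lists (not real blocklist data).
demo() {
    local d; d="$(mktemp -d)"
    printf '%s\r\n' '# constructed list A' '127.0.0.1 localhost' \
        '127.0.0.1 ads.example.com' '0.0.0.0 Tracker.Example.net # note' \
        '203.0.113.7 bank.example.org' > "$d/a"
    printf '%s\n' '0.0.0.0 ads.example.com' '0.0.0.0 forum.example.org' \
        '0.0.0.0 bad;name.example' > "$d/b"
    printf '%s\n' 'forum.example.org  # site I still want to reach' > "$d/white"
    sanitize_hosts "$d/white" "$d/a" "$d/b" 2>/dev/null
    rm -rf "$d"
}
demo
```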