
Friday, October 9, 2009

Don't Fall for Cell Phone Text Message Scam


Several cell phone carriers, including AT&T and Nextel/Sprint have reported a phishing scam involving text messages sent to customer cellular phones.

Customers are receiving text messages directing them to call a toll-free number to correct an account problem. Callers are prompted to enter their credit card number, which is then obviously captured for malicious reasons.

I wouldn't be surprised if this phishing scheme uses the credit card numbers for fraudulent purposes immediately, before card holders get wise and report the issue to their credit card issuers.

You've been warned.

Image via Wikimedia Commons


Tuesday, October 6, 2009

More Webmail Passwords Leaked

Reports are surfacing that other webmail providers, such as Google's Gmail, Yahoo Mail, and AOL have also been compromised by a widespread phishing scheme that has resulted in email account passwords being posted online.

Earlier this week, Microsoft's Hotmail was the culprit, as detailed here.

The BBC is reporting as many as 30,000 accounts are impacted industry-wide. Google claims that only 500 users were affected, and that forced password resets were implemented on those accounts. No word yet as to how AOL and Yahoo are dealing with this mini-crisis.

If this truly results from a phishing scheme, it seriously calls into question just what service providers can do to protect users who are unable to protect themselves. Passwords have long outlived their usefulness as authentication components, and as more people create scores of online accounts for banking, social networking, gaming, and other purposes, the chance increases that they reuse the same poorly-crafted passwords across multiple sites.

Short of giving RSA SecurID tokens to everyone, moving to graphical password images or biometric authentication seems the most reasonable alternative. Smart cards would never work; the logistics required would be staggering.

Authentication via a series of questions that only the user would know might also be a workable approach, although out-of-wallet authentication has been hampered by the bad guys getting LexisNexis accounts of their own so they can research and supply the types of information required for authentication.

Dummy up, people.



Wednesday, June 3, 2009

Microsoft Outlook Phishing

Trend Micro has details of an organized phishing scheme that's targeting Microsoft Outlook users.

Via their TrendLabs Malware Blog, samples are provided of a phishing email that encourages Outlook users to click on a link to reconfigure Outlook. The link takes users to a phishing website where critical email account information can be harvested for later use.


As Trend points out, simply having a user's email address and password isn't as desirable as having the actual mail server configuration data. I'll bet dollars to doughnuts that some of the compromised accounts will be used to crank out spam.

Once again I implore you to never click on links embedded in emails unless you are absolutely, positively certain of their origin - even if the email claims to be from Microsoft.
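As an added illustration of that advice (example code written for this page, not part of the original post or of Trend Micro's report), the Python below does what a careful reader should do by hand before clicking: it pulls every link out of an HTML message and reports any whose real target does not match either the URL shown in the link text or the domain the message claims to come from. The sample message, the `microsoft.com` sender assumption and the `example-phish.invalid` hostname are constructed for the demo; the domain comparison is a crude last-two-labels match rather than a public-suffix lookup.

```python
"""Inspect the links in an HTML email body before anyone clicks them.

Added example (not from the original blog post): given the raw HTML of a
message and the domain it claims to come from, list every link whose real
target does not match the domain it pretends to be. The sample message below
is constructed for this example; the hostnames in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain named in the message's From: header.
CLAIMED_SENDER_DOMAIN = "microsoft.com"

# Constructed sample: a "reconfigure Outlook" lure with a mismatched link,
# followed by a legitimate-looking link under the claimed sender's domain.
SAMPLE_HTML = """
<html><body>
<p>Your Outlook settings must be updated.</p>
<p>Visit <a href="http://example-phish.invalid/outlook">
https://support.microsoft.com/outlook</a> to reconfigure Outlook.</p>
<p>Or read the <a href="https://support.microsoft.com/kb">help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain; good enough for the demo, no PSL lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_same_org(host, domain):
    return registrable_domain(host) == registrable_domain(domain)


def suspicious_links(html, claimed_domain):
    """Return links whose real target contradicts the link text or the sender."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname or ""
        reasons = []
        # 1. The visible text looks like a URL but the href goes elsewhere.
        text_host = None
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname
        if text_host and not is_same_org(target_host, text_host):
            reasons.append(f"text shows {text_host} but target is {target_host}")
        # 2. The target sits outside the domain the message claims to be from.
        if target_host and not is_same_org(target_host, claimed_domain):
            reasons.append(f"target {target_host} is not under {claimed_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, CLAIMED_SENDER_DOMAIN):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as written, it flags only the first link, for both reasons: the text advertises a Microsoft support URL while the href points at the placeholder phishing host, and that host is not under the claimed sender's domain. The second link passes because its target really is under `microsoft.com`. The same mismatch is visible in any mail client by hovering over the link; the script just makes the check explicit and repeatable.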