Archive for the ‘Internet’ Category

PayPal Users, No More Old Version Browsers

Tuesday, April 22nd, 2008

Howdy All,

If you are a PayPal user, please take note that PayPal is going to block access to its website soon for anyone browsing with an old version of Internet Explorer, Firefox or any other browser. The main reason is a lack of security features, especially those related to digital certificates. Please read the article below, taken from AccountantsWorld.

PayPal To Block Older IE, Firefox Browsers From Site
CommwebNews.com via NewsEdge :

As part of an effort to combat phishing, PayPal plans to block older versions of Internet Explorer and Firefox and other “unsafe” browsers from accessing the online payment site.

In a paper released at an RSA security conference this month in San Francisco, PayPal said there is a significant number of site visitors using browsers as old as Internet Explorer versions 3 and 4, released in August 1996 and September 1997, respectively. Such “unsafe browsers” lack the latest technology for blocking phishing sites and do not support Extended Validation Certificates, which are digital certificates that establish Websites as trusted during online transactions.

Phishing is a deceptive practice used by Web criminals to acquire personal information, such as usernames, passwords and credit card details. Phishers often pose as legitimate businesses in emails to lure victims to fraudulent sites where they are asked to input their personal data. Phishers also use Websites with URLs similar to legitimate sites, hoping that a person will misspell the address and end up at the fraudulent site. PayPal is among the favorite targets of phishers, along with eBay and online banks.

“At PayPal, we are in the process of re-implementing controls, which will first warn our customers when logging in to PayPal from those browsers that we consider unsafe,” the eBay-owned payment service said. “Later, we plan on blocking customers from accessing the site from the most unsafe — usually the oldest — browsers.”

PayPal in February warned people that Apple’s Safari browser didn’t have the necessary security to protect Web users and recommended the latest versions of Microsoft’s Internet Explorer and Mozilla’s Firefox. Safari is the default browser in Apple Macintosh computers and in the iPhone smartphone.

To beef up its own security, PayPal this year acquired Fraud Sciences for $170 million in cash. PayPal planned to use the company’s online risk and security tools to enhance the fraud management systems of both PayPal and eBay. Fraud Sciences’ risk tools and analytics would be targeted at accelerating the development of advanced fraud detection tools, PayPal said.

<<CommwebNews.com — 04/21/08>>

So, make sure you update your browser before you visit PayPal’s website.

Microsoft warns of new Word attack

Wednesday, March 26th, 2008

Howdy All,

Please be informed that the article below is copied from Network World in order to share the warning with the public. You may read the original article from here.

By Robert McMillan, IDG News Service, 03/22/2008
Be extra careful when opening documents in Windows, especially if they are Word files.

Microsoft on Friday warned that cyber criminals may be taking advantage of an unpatched flaw in the Windows operating system to install malicious software on a victim’s PC.

The reported attack, now under investigation by Microsoft, involves a malicious Word document, but there may be other ways of exploiting the flaw, Microsoft said.

“Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources,” Microsoft said in a security advisory posted to its Web site late in the day.

The flaw lies in the Jet Database Engine that is used by a number of products including Microsoft Access. Microsoft is investigating whether other programs may also be exploited in this type of attack.

Although this kind of unpatched, “zero day” attack is always cause for concern, Microsoft downplayed the risk.

“At this time, we are aware only of targeted attacks that attempt to use this vulnerability,” the company said. “Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited.”

Following its usual policy, Microsoft didn’t say when — or if — it planned to patch the bug. But in a statement sent to the press, the company did not rule out the possibility of an emergency patch, released ahead of its next set of security updates, which are expected on April 8.

Users of many versions of Word, including Word 2007, 2003, 2002 and 2000 are at risk, unless they are running Windows Vista or Windows Server 2003, Service Pack 2. Those two operating systems include a newer version of the Jet Database Engine that does not have the bug, Microsoft said.

For the technically savvy: this means that PCs with a version of the Msjet40.dll that is lower than 4.0.9505.0 are vulnerable.

There have been other reports of attacks targeting this database software recently. In December, the US-CERT (United States Computer Emergency Readiness Team) warned that attackers were sending out malicious Microsoft Access Database (.mdb) files in a similar type of attack. Security experts speculated that this exploit could have been based on a publicly reported flaw in the Jet Database Engine.

The IDG News Service is a Network World affiliate.

Phishing Email to HSBC Bank Customers

Monday, March 24th, 2008

Howdy All,

This morning I received a phishing email claiming to be from HSBC, but I know it is not from them because I never use my company’s email for personal matters. As usual, I checked the actual URL behind the link by looking at the message source. I share the content of the email I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

Dear HSBC bank customer,

We would like to inform you that we are currently carrying out scheduled maintenance.
In order to guarantee the high level of security to our business customers, we require you to complete “Business Internet Banking Form”.
Please complete BIB Form using the link below:

http://business.hsbc.com/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537

Please do not respond to this e-mail.

Looking at the content, nothing seems wrong. But wait: look at the actual message when you view the source. The source shows the actual URL set for the link.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1141" name=GENERATOR></HEAD>
<BODY>
<P><FONT face="Geneva, Arial, Helvetica, san-serif">Dear HSBC bank
customer,</FONT></P>
<P><FONT face="Geneva, Arial, Helvetica, san-serif">We would like to inform you
that we are currently carrying out scheduled maintenance.<BR>In order to
guarantee the high level of security to our business customers, we require you
to complete “Business Internet Banking Form”.<BR>Please complete BIB Form using
the link below: </FONT></P>
<P><FONT face="Geneva, Arial, Helvetica, san-serif"><A
href="http://business.hsbc.com.nuifjje.es/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537">http://business.hsbc.com/system_directory/isa/file.aspx?session=49230617355387080224840852072630111989207537</A></FONT></P>
<P><FONT face="Geneva, Arial, Helvetica, san-serif">Please do not respond to
this e-mail.<BR></FONT></P>

Look carefully at the full URL inside the <A href=...> attribute. The actual domain is not hsbc.com but nuifjje.es; the “business.hsbc.com” part is only a sub-domain placed in front of it, and nuifjje.es is of course not a valid domain for HSBC. So this is definitely not a genuine email from HSBC, just a phishing email trying to steal HSBC customers’ personal information. Sometimes such an email is an attempt to infect you with viruses, worms or trojans.

Phishing Email to Google Advertisers

Sunday, March 23rd, 2008

Howdy All,

In my previous posting, I told everyone about phishing emails sent to people to steal their login info. This time, I received one, sent to my company’s email address, trying to steal that information. I’m not worried about it myself since I do not have any account with Google, but it is good to remind others. I share the content of the email I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

————————

Dear Google AdWords Customer!

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information. Your account will be reactivated as soon as you haveentered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team

————————

This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions after following the steps above, please visit the
Google AdWords Help Center at https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US to
find answers to frequently asked questions and a ‘contact us’ link near the bottom of the page.

————————

I know it is a phishing email because the link does not point to the URL we see. It actually points to a sub-domain, made to look like Google’s sub-domain, of a domain under China’s country code: fgreo3.cn

You can also verify the email by looking at the original message (especially its header part): it is not from Google. Please see below.

Return-path: <firewalker434@yahoo.com>
Received: from [92.112.35.159] ([92.112.35.159])
	by my.acctrak21.com (my.acctrak21.com)
	(MDaemon.PRO.v7.2.3.R)
	with ESMTP id md50001165699.msg
	for <abrahman@my.acctrak21.com>; Sat, 22 Mar 2008 21:01:39 +0800
Received: from [92.112.35.159] by e.mx.mail.yahoo.com; Sat, 22 Mar 2008 16:01:37 +0300
Date: Sat, 22 Mar 2008 16:01:37 +0300
From: "Google Adwords-noreply" <adwords-noreply@google.com>
X-Mailer: The Bat! (v3.62.03) Home
Reply-To: firewalker434@yahoo.com
X-Priority: 3 (Normal)
Message-ID: <048989728.86776683630043@yahoo.com>
To: abrahman@acctrak21.com
Subject: Please Update Your Billing Information
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="———-{nHEX}"
X-Lookup-Warning: MAIL lookup on firewalker434@yahoo.com does not match 92.112.35.159
X-MDRcpt-To: abrahman@acctrak21.com
X-Rcpt-To: abrahman@acctrak21.com
X-MDRemoteIP: 92.112.35.159
X-Return-Path: firewalker434@yahoo.com
X-MDaemon-Deliver-To: abrahman@my.acctrak21.com
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11)
X-Spam-Report:
	*  3.0 BAYES_60 BODY: Bayesian spam probability is 60 to 70%
	*      [score: 0.6079]
	*  0.1 HTML_MESSAGE BODY: HTML included in message
	*  0.1 HTML_TITLE_EMPTY BODY: HTML title contains no text
X-Spam-Status: No, hits=3.2 required=5.0 tests=BAYES_60,HTML_MESSAGE,
	HTML_TITLE_EMPTY autolearn=no version=2.64
X-Spam-Level: ***
X-Spam-Processed: my.acctrak21.com, Sat, 22 Mar 2008 21:01:44 +0800

————{nHEX}
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

————————

Dear Google AdWords Customer!

In order to update your billing information, please sign in
to your AdWords account at https://adwords.google.com, and update your
billing information. Your account will be reactivated as soon as you have
entered your payment details. Your ads will show immediately if you
decide to pay for clicks via credit or debit card. If you decide to pay
by direct debit, we may need to receive your signed debit authorization
before your ads start running, depending on your location. If you
choose bank transfer, your ads will show as soon as we receive your
first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with
the most effective advertising available.

Sincerely,

The Google AdWords Team

————————

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions after following the steps above, please visit the
Google AdWords Help Center at
https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US to
find answers to frequently asked questions and a ‘contact us’ link near
the bottom of the page.

————————

————{nHEX}
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

<br>————————<br><br>Dear Google AdWords Customer!<br><br>In order to update your billing information, please sign in<br>to your AdWords account at <a href="http://adwords.google.com.fgreo3.cn/select/Login/" target="_blank">https://adwords.google.com</a>, and update your<br>
billing information. Your account will be reactivated as soon as you have<br>entered your payment details. Your ads will show immediately if you<br>decide to pay for clicks via credit or debit card. If you decide to pay<br>
by direct debit, we may need to receive your signed debit authorization<br>before your ads start running, depending on your location. If you<br>choose bank transfer, your ads will show as soon as we receive your<br>first payment. (Payment options vary by location.)<br>
<br>Thank you for choosing AdWords. We look forward to providing you with<br>the most effective advertising available.<br><br>Sincerely,<br><br>The Google AdWords Team<br><br>————————<br><br>This message was sent from a notification-only email address that does<br>
not accept incoming email. Please do not reply to this message. If you<br>have any questions after following the steps above, please visit the<br>Google AdWords Help Center at<br><a href="https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US" target="_blank">https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US</a> to<br>
find answers to frequently asked questions and a ‘contact us’ link near<br>the bottom of the page.<br><br>————————<br><br> <br></div><br>

</BODY></HTML>
————{nHEX}–

Can you see the email address in the return path? Google never does such a thing, in fact. I think I should report to you about this phishing email for their further action. Also, see the actual URL that appears in the last part of my quote? It does not go to Google’s domain but somewhere else. So, the next time you receive such an email, do not immediately click on it; check first and verify the email, for safety reasons.

Phishing Email to Gmail Users

Friday, March 7th, 2008

Howdy All,

I would just like to let all of you know that Gmail users are being attacked with a phishing email that claims to be sent by Google. I share the content of the email I received below. PLEASE DO NOT CLICK ON THE LINK GIVEN BELOW!!!

Dear members

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have acces and use of your Gmail and to ensure a safe Gmail experience. We require all flagged accounts to verify their information on file with us. This is the right link for update account page After you verify your information, your account shall be returned to good standing and you will continue to have full use of your account. Please note that if you don’t verify your ownership of account
in 2 x 24 hours we will block/ susspend your Gmail.

Thanks,

The Gmail Team

OK. How could I know it is not from Google? Very easy, actually. First, I did not immediately click on the link provided; I just pointed the cursor at it and checked the actual URL behind the link. It points to the domain us-gmail.com (as you can see, it is not the usual domain, gmail.com). Now, let’s see the original message. Gmail has a feature to view the original message; using it you can see the detail of every section: header, body and footer.

 

 

Delivered-To: baguznet.com@gmail.com
Received: by 10.114.134.3 with SMTP id h3cs46696wad;
Thu, 6 Mar 2008 11:11:20 -0800 (PST)
Received: by 10.78.201.8 with SMTP id y8mr527386huf.18.1204830677972;
Thu, 06 Mar 2008 11:11:17 -0800 (PST)
Return-Path: <zeus@saturn.nswebhost.com>
Received: from saturn.nswebhost.com (saturn.nswebhost.com [66.246.72.132])
by mx.google.com with ESMTP id g11si4460827gve.6.2008.03.06.11.11.16;
Thu, 06 Mar 2008 11:11:17 -0800 (PST)
Received-SPF: pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) client-ip=66.246.72.132;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) smtp.mail=zeus@saturn.nswebhost.com
Received: from zeus by saturn.nswebhost.com with local (Exim 4.68)
(envelope-from <zeus@saturn.nswebhost.com>)
id 1JXLMU-00077n-94
for baguznet.com@gmail.com; Thu, 06 Mar 2008 13:02:38 -0600
To: baguznet.com@gmail.com
Subject: Gmail is different. Here’s Our New Security Protector Please Update.
X-PHP-Script: zeusbiz.com/ok.php for 202.152.243.162
From: Gmail Team <Gmail Team <mail-noreply@google.com>>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1JXLMU-00077n-94@saturn.nswebhost.com>
Date: Thu, 06 Mar 2008 13:02:38 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - saturn.nswebhost.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [33405 1906] / [47 12]
X-AntiAbuse: Sender Address Domain - saturn.nswebhost.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<p>Dear members</p>
<p>Your account has been randomly flagged in our system as a part of our routine <br />
security measures. This is a must to ensure that only you have acces and use <br />
of your Gmail and to ensure a safe Gmail experience. We require all <br />
flagged accounts to verify their information on file with us. This is the right <br />
link for <a href="http://secure.us-gmail.com/"><strong>update account </strong></a>page After you verify your information, your account <br />
shall be returned to good standing and you will continue to have full use of <br />
your account.Please note that if you don’t verify your ownership of account <br />
in 2 x 24 hours we will block/ susspend your Gmail. </p>
<p>Thanks,</p>
<p>The Gmail Team </p>
</body>
</html>

Please look at the parts of the quote that I have put in bold. They indicate that the email does not originate from Google or the Gmail team; instead it is a fake email from someone claiming to be from Gmail, or what we call a phishing email. Its main purpose is to steal your login information and hijack your account.
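The header check described in this post and in the AdWords post above can be automated. The following is an added example, not part of the original posts: it compares the From domain with Return-Path, Reply-To and Message-ID, and shows that the `spf=pass` in the Gmail message only vouches for the envelope domain. The sample headers are constructed from a subset of the lines quoted above; the "legit" message and the simple suffix-based alignment rule are assumptions.

```python
import re
from email import message_from_string

# Constructed samples: subsets of the headers quoted in the AdWords and Gmail posts.
ADWORDS = """\
Return-path: <firewalker434@yahoo.com>
From: "Google Adwords-noreply" <adwords-noreply@google.com>
Reply-To: firewalker434@yahoo.com
Message-ID: <048989728.86776683630043@yahoo.com>
Subject: Please Update Your Billing Information

"""
GMAIL = """\
Return-Path: <zeus@saturn.nswebhost.com>
Authentication-Results: mx.google.com; spf=pass (google.com: domain of zeus@saturn.nswebhost.com designates 66.246.72.132 as permitted sender) smtp.mail=zeus@saturn.nswebhost.com
From: Gmail Team <Gmail Team <mail-noreply@google.com>>
Message-Id: <E1JXLMU-00077n-94@saturn.nswebhost.com>

"""
# Hypothetical well-formed message for comparison (not from the page).
LEGIT = """\
Return-Path: <bounce@mail.example.com>
From: News <news@example.com>

"""

ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w.-]+\w)")


def addr_domain(value):
    """Domain of the last address-like token in a header value, or None."""
    hits = ADDR_DOMAIN.findall(value or "")
    return hits[-1].lower() if hits else None


def aligned(a, b):
    """Assumed relaxed alignment: equal, or one is a sub-domain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw):
    """Return triage hints where other headers disagree with the From domain."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    findings = []
    for name in ("Return-Path", "Reply-To", "Message-ID"):
        dom = addr_domain(msg.get(name))
        if dom and from_dom and not aligned(dom, from_dom):
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # SPF authenticates the envelope sender (smtp.mail), not the visible From.
    m = re.search(r"spf=(\w+).*?smtp\.mail=(\S+)", msg.get("Authentication-Results", ""), re.S)
    if m and m.group(1) == "pass":
        dom = addr_domain(m.group(2))
        if dom and from_dom and not aligned(dom, from_dom):
            findings.append(f"SPF pass covers {dom}, not From domain {from_dom}")
    return findings
```

A Message-ID mismatch alone is a weak signal, since legitimate bulk senders often use a third-party mail service; treat the findings as hints to look closer, not as a verdict.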

So, please be careful whenever you receive an email claiming to be from Google. DO NOT simply click on the link provided; check it first, verify the message and confirm it before you take any further action.
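The link check used in the HSBC, AdWords and Gmail posts (compare what the link shows with where its href really goes) is sketched below as an added example that is not part of the original posts. The sample HTML is constructed from the anchors quoted above with query strings dropped; the `TRUSTED` set and the naive "last two labels" rule for the registrable domain are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchors quoted in the posts above, query strings dropped.
SAMPLE_HTML = """
<a href="http://business.hsbc.com.nuifjje.es/system_directory/isa/file.aspx">http://business.hsbc.com/system_directory/isa/file.aspx</a>
<a href="http://adwords.google.com.fgreo3.cn/select/Login/">https://adwords.google.com</a>
<a href="https://adwords.google.com/support/bin/topic.py">https://adwords.google.com/support/bin/topic.py</a>
<a href="http://secure.us-gmail.com/"><strong>update account </strong></a>
"""
TRUSTED = {"hsbc.com", "google.com", "gmail.com"}  # assumption: domains the reader expects


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element that has an href."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname if the text parses as a URL with a scheme, else an empty string."""
    try:
        return (urlsplit(text.strip()).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Naive registrable domain: last two labels (real tools use the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def check_links(html, trusted=TRUSTED):
    """Return (registrable domain, reasons) for each link that looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        reg, reasons = registrable(target), []
        if shown and shown != target:
            reasons.append("text-mismatch")        # shown URL differs from real target
        if reg not in trusted:
            if any(f".{t}." in f".{target}." for t in trusted):
                reasons.append("brand-in-subdomain")  # e.g. hsbc.com.<other domain>
            if any(t.split(".")[0] in reg.split(".")[0] for t in trusted):
                reasons.append("lookalike")           # e.g. us-gmail.com
        if reasons:
            report.append((reg, reasons))
    return report
```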