Showing posts with label phishing. Show all posts

Sunday, May 31, 2009

Don't go phishing

If anyone claiming to be your ISP or bank or credit card company or church or book club or any organization/club asks you to confirm your e-mail and other identifying information, don't do it. We at the osu dot edu domain have been phished lately. They are trying to steal our identity, so don't reply. The one I got looked "phishy" simply because the sentence construction and capitalization were so odd--I hoped we weren't employing such poorly trained staff at our OIT. But another librarian got a better one and checked; this is what she was told:
    A large number of Ohio State e-mail addresses have recently been recipients of phishing scam e-mails, asking for their password in order to prevent the account from being removed.

    These messages are a scam, and were NOT sent by the Office of Information Technology or anyone else within The Ohio State University. **Do NOT reply to this message**.

    Once again, these messages are a scam, and were NOT sent by the Office of Information Technology or anyone else within The Ohio State University. Do not reply. If you have already replied, go to our Account Management web site (https://acctmgt.service.ohio-state.edu) and change your password immediately.

    Our network security team is aware of this issue, and since it was sent they have been working with the other Internet Service Providers involved to ensure the situation gets dealt with as quickly as possible.

    For more information on Phishing, see:
    http://buckeyesecure.osu.edu/SafeComputing/IDTPhish

    Our network security team has already taken steps to disable this account and contact the user for further investigation. We apologize for any inconvenience this has caused.

    If you have any more questions or concerns, please feel free to contact us
    at 8help@osu.edu or by phone at (614) 688-Help (4357).

Sunday, October 05, 2008

Phishing Scams

Have you been getting e-mail from Google reporting you need to download something? Or something from your bank about updating your account? Google doesn’t send those and neither do banks. Ignore them. The messages from the phony Google vary (many domain names), but all tell you that you won’t be able to log in to Google if you don’t comply. Often you can tell right away it is a bogus site, says Dennis at Almost a Newsletter, by lightly passing the cursor over the link, but sometimes the crooks are really clever. For more details on the Google, bank, and career sites phishing problem, Dennis suggests Gary Warner’s CyberCrime blog.

I get a lot of e-mail about my debt. Those automatically go in the trash through the filter (I don’t have any debt so I know they are phishing, nor do I have accounts at those banks). Some days I get about 50 messages about "returned, or non-deliverable e-mail." Those are also trashed. Then I’ll get a run of items all in Russian. Trash ‘em. Don’t get caught in the phisher’s net.

After finishing the item at Gary's blog about Google I looked at some other entries and found his a fascinating source. Thank you, Dennis, for the link. Between the porn peddlers and the scammers, the internet has really become a cesspool. I'm beginning to think that those of us who use it for fun or legitimate information are becoming the minority.

I’ve been following Dennis' newsletter for years from back in the 90s when I had a real web site and needed help with code. He’s upbeat, helpful and offers a lot of free tips (but you will want to buy a subscription or his e-books if you do this for a living).

Saturday, December 08, 2007

Hackers hit Oak Ridge

I've lost track of how many times my information has been stolen at Ohio State and the state of Ohio. Sometimes, I don't even know why the information was in the database that was hacked. I surely don't know why an intern was carrying around an unsecured laptop in his car. A recent report on 60 Minutes said credit card information is being stolen from retail stores because they're using insecure wireless networks. But even smart, techie people can be fooled, particularly by "phishing," so don't open those attachments.
    "Employing a highly targeted social-engineering trick, hackers were able to gain access to a database at the Oak Ridge National Laboratory -- one of the United States' biggest nuclear facilities -- containing information on people who visited during the past several years. Since the lab handles nuclear material, it collects quite a bit of personal data on visitors, including their Social Security numbers. The bad guys sent e-mails that appeared to be either an invitation to a scientific seminar or a Federal Trade Commission complaint. In both cases, users were prompted to open attachments. Despite the fact that this place employs some of the smartest people in the country, 11 staffers opened the attachments, and the hackers got in. Worse yet, the attack may have been part of a larger coordinated effort -- investigators are looking into that possibility." from TechNewsWorld
The Oak Ridge site posts this warning--and I'd call 15 years a bit more than "several":
    The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory.

    No classified information was lost; however, visitor personal information may have been stolen. If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event.