My smart mom put down the mouse, picked up the phone, and called me. When I connected remotely, I found this screen:

Since she does run Microsoft Security Essentials (MSE), it was very tempting to click on the Clean computer button. But that “Message from webpage” popup concerned me—that is basically saying that the web page is telling the browser to display a message—not the way MSE would present an alert. (Now that I read the “Message from webpage” more carefully, I see that there is a grammatical error as well. The next day I realized there is also a grammatical error and a misspelling in the “Microsoft Security Essentials Alert” as well.)

The other clue was that the web site shown in the status bar referred to consumption of alcoholic beverages—not exactly the public utility. (In fairness to the utility, I was unable to duplicate the phony messages when I visited their site, so the messages might have come from another site she had visited previously.)

I started a Safe Mode reboot via LogMeIn. When that didn’t “take” after a couple minutes, I did a hard reboot using another remote control tool. You could accomplish the same thing by unplugging your computer and plugging it back in.

I logged in to Safe Mode with Networking, started Microsoft Security Essentials and checked its History. Sure enough, no viruses found today, so the message above was fake. Virus signatures had been updated earlier today. I started a full system scan.

If in Doubt, Cut the Power

The hardest part about phony virus messages is noticing that they are “off” in some way before you click on them. Obviously, if you get a message purportedly from AVG but you run MSE, it’s phony. In this case, the fake message matched the real anti-virus program, so it was less obvious.

If you’re not sure where a message comes from, don’t click anywhere on the web page. You might be safe closing the entire browser, but I would recommend just cutting power to your computer, getting into Safe Mode, and running a virus scan. Or call someone to check it for you.

Good job, mom!

The Skype community is full of reports of this error. One post gave me the clue I needed:  “I am not so sure that Skype’s password reset facility is capable of handling anything but passwords associated with SKYPE IDs.”

Sure enough, by switching first to Sign in with … Microsoft account, I was directed to the Windows Live password reset page. Once reset there, I could log on to Skype with the Microsoft account.

In fact, I may not have forgotten my password after all. Silly me, I was using the Skype logon screen to log on to Skype instead of first going to the Microsoft logon screen.

Bottom Line

Ex-Messenger users must click click on Microsoft account before attempting to log on or reset their password.

The Story in Pictures

The screen shots below document the issue and solution.

When you start Skype, you’ll probably get this blue logon screen:

If you click Problems signing in on the screen above, you are directed to the Skype password reset page:

You’ll get an email, but when you click on the link in the email, or even when you enter the code manually, you’ll get the message “Sorry that password token is not recognized”:

If you try enough times, you’ll get another message that you won’t be able to try again for another 24 hours:

The solution is to first click on Microsoft account:

Then click on Can’t access your account:

You’ll get this recommendation:

Visit account.live.com/password/reset, enter your Windows Live ID (the one you have from Microsoft Messenger), and enter the annoying Captcha phrase. If it works, you’ll see options for resetting your password:

Follow the remaining prompts to log in to Windows Live in the browser. After that you should be able to log on to Skype with the Windows Live ID.

Just remember, if you’re on the blue Skype logon screen, click on Microsoft account first to get to the Microsoft logon screen.

If a signed email comes in but you have not yet trusted the signing Certification Authority, you’ll see this in the email header in Outlook 2010:

If you click on the exclamation point “button,” a dialog asks if you want to trust the sending authority:

In this case, I know the person who sent the message, I know that he works for the government, and so I am inclined to believe this this certificate comes from a legitimate Department of Defense Certification Authority. When I click Trust, I get another confirmation dialog:

After clicking Yes, the Signed By line appears with the sender’s email address in the header, and the button has become a small certificate icon. (I’ve removed the sender’s name for privacy.)

What Does It Mean?

A valid email signature means that the sender digitally signed the email, i.e. it is highly likely that it is really from this person and is not a spoofed email. Could it be from someone who slipped into my friend’s office while he was out getting coffee? Yes, if my friend didn’t lock his workstation. Could it be from some random spammer who wants to look like a Navy sender? Not likely.

Google Drive

The “drive” is a special folder on your PC. You can even put it on a mapped network drive. Nice if you are connected to a server.

Google Drive displays PDFs as fairly large thumbnails (shown original size here):

When you click to open, the PDF displays quickly in some special Google viewer.

PDF files are indexed, you can search for a word and find a file.

Google’s Terms of Service are the scariest thing about the product. While they say that the user retains ownership of the user’s intellectual property, the terms go on to contradict that by saying Google can do whatever they want with users’ content, including publish it and display it publically:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. [emphasis mine]

I don’t see any assurance that they will not take my private PDF documents and publish them. Not sure why they would, but why claim that they have a right to?

SkyDrive

The “drive” is a special folder on your PC, but you cannot put it on a network drive.

You can optionally tell SkyDrive to give you web access to all the files on your PC. It will text, call, or email a code to your known contact points which you must enter to get access. (That’s in addition to your Windows Live logon to SkyDrive). Once you’re in, you can browse local drives (including your DVD drive) and mapped network drives. Pretty amazing, but maybe too much access from a browser. I’d probably turn that off and use other remote access methods if I need to get to my whole computer.

SkyDrive displays PDF files as big orange blocks with no thumbnails (original size):

When you click to open, the PDF displays in Adobe’s browser plugin.

The text in PDFs is not indexed, so you can’t search through them.

The Windows Live Services Agreement is much less intrusive than Google’s:

3.3. What does Microsoft do with my content? When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. … When processing your content, Microsoft takes steps to help preserve your privacy.

Microsoft claims no rights to publish, publically display, or create derivative works of user content.

Conclusion

For now, Google Drive is the superior service for storing and accessing PDF files, but their overly broad terms of service make me nervous. (By the way, the same terms apply to all Google services, so they could publish your GMail too.)

Don’t click on the links, and don’t right-click to download pictures.

I checked one of the links at www.virustotal.com and it came back clean. So I used an isolated test machine to view the link. Here is what it showed:

The HTML behind this page looked clean. So at this point it looks like this is in “proof-of-concept” phase, where the spammer is just sending out the phony bills, testing which links get the most clicks, etc. Or it could be that it serves different content to different browsers so that it might send malicious code to a cell phone, for example, but not to a PC. Of course at any time, they could change the web site to host viruses or phishing pages, so don’t click on the links!

By the way, localdialogue.info is registered in Indonesia and is currently hosted by Hostgator in Houston, TX (IP 50.116.87.87). The email appears to have come from Saudi Arabia (IP 2.91.63.25).

To see if your computer is infected, visit www.dns-ok.us.

If you are infected, run a removal tool. There is a list here: www.dcwg.org/fix.

To read more about DNSChanger, see this PCWorld article.

GoldLink to 3CX links your GoldMine CRM software with your 3CX phone system. You can auto-dial outbound calls, find GoldMine records of callers based on CallerID, add history items for each each inbound and outbound call, and even add links to recordings made by 3CX.

For more information or to download a free trial, visit the MCB GoldLink to 3CX product page.

Don’t open the attachment! It’s a virus.

Virus Confirmation

There are several grammatical errors in the email which should make one suspicious. Plus I doubt that the USPS would send an email with zip file attachments. In fact, the USPS has a prominent warning about these emails on their home page that links to this PDF document:

As usual, the icon for the extracted file is disguised to look like a document (in this case PDF), but if you turn off “Hide extensions of known file types” in Windows Explorer > Tools > Folder Options > View, you’ll see that it is actually an executable (.exe) file:

Fortunately, a day and a half after receiving the email, 27 of 42 anti-virus engines are detecting the attachment as a virus, according to VirusTotal:

Microsoft Security Essentials, updated 4/19/2012, catches this one:

Microsoft Security Essentials is free for home use and for small businesses with up to 10 PCs.

The main message here is to install the appropriate patches for your computer. These are detailed here. If you turn on Automatic Updates, or check for updates from Windows Update, you’ll automatically get the patches you need.

There are additional precautions you can take, most notably requiring Network Level Authentication if you are running Windows Vista/Server 2008, or Windows 7/Server 2008 R2. Note that this will prevent Windows XP clients from connecting by default, but if you are running XP SP3 (and you should be) you can quickly enable connection to NLA-protected computers by following this article.

Confused or unsure about whether your systems are vulnerable? Feel free to ask general questions in the comments below, or contact MCB Systems to arrange for a consultation.

How to tell? Without clicking, hover your mouse over the link. A little popup should show you where the link really points to, i.e. what web site would open if you click on it. If the real link points to a site other than LinkedIn, don’t click on it!

This one’s even easier, as it tells you exactly what the link should be. Since actual link does not match the link shown, you know it’s bogus:

Of course the other clue is that I’ve never heard of these supposed senders.

I’ve gotten three of these in the last five days so they must be on a run.

Second Line of Defense:  Updates

Some sites can load a virus on your computer just by browsing the site, so your best defense is to avoid those sites entirely.

However anyone can land on a malicious site. At that point, your next-best defense is to have a computer that is completely up to date:

• All Windows updates applied (turn on Automatic Updates).
• All Adobe Reader and Flash Player updates applied.
• All Java updates applied.
• All browser updates applied.
• Anti-virus program installed and updated daily.

Most viruses will try to exploit vulnerabilities in one of the above. Even if you land on a malicious site, by keeping everything fully updated, you greatly reduce the chance that a virus will succeed in infecting your computer.

If you open the zip file to see the “invoice,” you’ll see what looks like a a PDF file:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

Another clue:  the subject line refers to USPS but the body refers to FedEx.

This virus bypassed the VIPRE anti-virus on my computer. www.virustotal.com shows that only 2 of 43 engines currently recognize it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment! In fact, I’d say just don’t open attachments from anyone unless you personally know the sender (e.g. a friend or colleague) and you are expecting them to send you a file. Big companies are not just not sending email with attachments.

I immediately called US Bank’s fraud department and closed the card. They told me that the transactions were “card present” transactions, meaning someone had created a fake card with my card number.

Slow, Uninformative Alerts

The only reason I discovered this fraud was that I had an alert configured on my checking account to email me on debits over $50. However, I didn’t receive the alert about the first transaction until the following morning, and the alert didn’t tell me who had made the charge. I had to log on to online banking to confirm it was fraudulent; that’s when I saw that two additional transactions were pending.

If I had received an alert within a few minutes of the first transaction (as I do when I use my Capital One and Chase credit cards), I could have shut down the card immediately and avoided the additional transactions. US Bank has the data:  you can see the pending transactions if you log on to online banking. So why not send out alerts immediately?

Over the next few days, I asked four or five representatives why US Bank does not send alerts promptly. I received various answers, e.g. alerts are batched and only sent three times a day, you can log in to online banking to see if there are pending transactions, a check card is different from a credit card because transactions are authorized before they are charged, they are looking into faster alerting systems, and they can’t tell me to rely on alerts because then they would be liable if an alert didn’t go out in a timely fashion.

Fast Alerts – The Big Secret

What no one told me is that US Bank does offer near-instant alerts if you know how to configure them.

It’s simple, really:  in addition to the (slow) checking account alerts, in online banking, add alerts to your Check Card:

You’ll have several categories to choose from. I’ve now configured them all:

I set up my Transaction Dollar Amount alert to email me on any transaction over $1. Yes I get a few extra emails that way; big deal, I just delete them. At least I’ll know if someone besides me starts charging even small stuff on my card:

That’s it! Once configured, when you make a purchase (whether using the check card as a debit card with PIN or as a VISA card), within a few minutes, you should see an email like this listing both the vendor and the amount:

My hunch is that these Check Card alerts are tied directly to the VISA transaction clearing system, so just as with other credit cards, they are sent almost instantly.

Of course, it’s possible that the alerts may sometimes be slow or even fail, but at least this gives you a fighting chance to find out quickly if your Check Card is ever compromised.

Update January 26, 2011

In the last week or two, there have been a few cases where the Check Card alerts were not processed as promptly as they used to be. For example, a charge I made at 9pm didn’t email until 10:30am the next day. Still, it makes sense to define all possible alerts so you have the best chance of being notified when someone besides you is using your card.

If you open the zip file, you’ll see what looks like a Word document:

However if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.

The scary thing is that this virus was delivered directly to my Outlook inbox. It got past Forefront security on Office 365, and my up-to-date VIPRE anti-virus does not flag it as a virus. When I submitted it to www.virustotal.com, only 1 of 42 engines currently recognized it as a virus.

As usual:  if you don’t recognize the sender, or are not expecting the email, don’t open the attachment!

Update January 16 and 19, 2012:  Several people have asked how to remove this virus, the main effect of which is apparently to hide (but not delete) files on your computer. Thanks to the several posters who have offered suggestions. For example, see these comments below:

• December 16, 2011 – Susan Green
• December 16, 2011 – Michael
• January 6, 2012 – Teresa
• January 16, 2012 – Shea
• January 19, 2012 – Bob
• January 19, 2012 – Mark

Use these procedures at your own risk! If you’re not comfortable with the procedures and especially if you don’t have a good backup of your files, find a professional to help.

You install a small piece of software on your laptop or phone. If you lose the device, log in to the Prey web site and change the device’s status to Missing. The software will capture a screen shot, webcam shot, geographical location (using GPS or WiFi triangulation), and a bunch of system and network info. You can even sound a loud siren through the speakers if you think the device is nearby. I tested it on a laptop and it geo-located it within one house!

Up to three devices are free; Pro plans are available. Works with Windows, Mac, and Android.

I read about Prey in the article 4 simple steps to bulletproof laptop security. Besides, theft and loss recovery, the article also describes strong passwords, fingerprint readers, and full-disk encryption, all of which I’m already using.

Contact MCB Systems if you’d like to beef up laptop security in your environment.

Clue #1:  Random Redirects

Every so often while browsing the site, I wind up on another site. The site I was referred to was designed to look like a legitimate web page, but it’s actually a search page. For example, this site below might at first glance appear to be ancestry.com, but it’s spelled an-test-ry, and the URL at the top actually comes from searchmagna.com:

At one point, even though the main dmachoice.org site was displayed, I got a pop-up asking if I really wanted to leave a Home Income Profits site:

This led to other popups, which I know can lead to virus downloads, so I went to Task Manager and killed firefox.exe.

Clue #2:  Loading Data from Third-Party Sites

I started watching where dmachoice.org was pulling data from as the page loaded. Here you see a live capture of the Firefox status area site as it accesses sites like js.users.51.la, www.searchnut.com, 205.209.161.4, etc.:

Sometimes I saw references to sites for legitimate businesses (like thrifty.com and 1800flowers.com) that have no business on the dmachoice.org site.

Clue #3:  Check Sources of Media on Page

Firefox has a very useful feature that lets you review all the sources of media on a page. Right-click on the page and select View Page Info. You’ll see a dialog like this:

Scrolling down the list of media, after several legitimate images from the dmachoice.org site, there are lots of additional images from sites like ajiang.net, 51.la, and searchnut.com. With help from Whois lookups at www.iptools.com, we can see that the first two are registered in China and the last in Grand Cayman. Note the “Associated Text” from icon.ajiang.net is an Asian script, and references 51.la, the next site loaded.

SSL is Not Enough

It’s worth noting that although the main dmachoice.org site is SSL-encrypted (begins with https://), it still pulls data from non-secure sites.

To its credit, Internet Explorer 8 asks before loading unencrypted data and gives you the option to suppress it:

If you accept the default answer (“Yes”), IE does not load data from the third-party sites. (If those sites were also https:// sites, it might still load them.)

Firefox also warns about mixed content by default, but it only warns once, and it does not give the option of suppressing the non-secure content. If you accept the defaults of this warning, you’ll immediately start downloading the extra content, and you’ll never see the warning again:

In Firefox 4, the only way to re-enable the warning is through an advanced about:config process (see Firefox question 826495). Here is what it looks like after clicking OK on the warning:

Why the Hack?

So why has the site been hacked? What are the hackers gaining from it? My guess is that they are paid for referrals. By hijacking a busy site and forcing users to jump to other sites (or maybe just by referencing the other sites), they get advertising revenue.

Of course if they have full access to the site, they could also be harvesting user names and passwords as users log in, or potentially download the entire DMA database. Since the DMA is the main association used by consumers to set postal mail preferences, their database is no doubt quite large. The hackers could also set up the site to download viruses to user computers in addition to referring visitors to other sites.

I contacted the DMA by email and phone before writing this article but have so far not heard a response.

The ruling held that the bank was not responsible for detecting the fraud because the bank had the legally-required password policy in place. (See this article for details.)

Whether or not that ruling stands, it does highlight the additional risk of using online banking as a business. I certainly like the convenience of online banking and Bill Pay, both as one who sends and one who receives funds. However if you haven’t already, you may want to clarify/update your online banking policies. Here are some questions that come to mind:

1. What kind of liability does your bank assume in online banking transactions? According to this article, “businesses do not have the same legal protections against online banking fraud that consumers enjoy.”
2. Who at your company has access to online banking? What can they do? What computer are they using when they do it? Computers on an MCB Proactive Care plan all have a current anti-virus program installed, but no anti-virus program is foolproof—there is no guarantee that a computer will never be infected.
3. Do you have a separate account for use with online banking? One suggestion is to limit exposure by only keeping the minimum funds required in a separate account used for Bill Pay. Obviously that account should not have automatic overdraft links to the primary account or to a line of credit.
4. Have you set up alerts to get an email for any transaction over a certain amount? That’s not perfect protection (hackers with access to the account could turn off alerts), but it’s one more way to try to monitor activity so you can notify the bank immediately of suspicious activity.
5. When you log on to online banking, do not allow the browser to store your password. Type the password each time.
6. If all of that still seems too risky, you could always go back to plain old checks! If you do that but retain online banking (for reviewing statements etc.), make sure no one can turn on Bill Pay with just a few mouse clicks.

As with so much in our modern world, additional convenience carries additional risk. In this case, the risk is greater than one might think at first.

I was inspired to suggest a paragraph for the section on interruptions (below). I emailed it to the book’s feedback address. A short while later I got a thank-you from Jason Fried, co-author and co-founder of 37signals. Wow, that’s pretty lean when the co-founder is still reading random email feedback. Plus it’s a simple example of acting like a human, letting people know you hear them. These guys might be for real.

Filter

Everyone is inundated daily with information. Emails, flyers, magazines, phone calls. Delete, delete, delete. 95% of the stuff you get won’t help your business. Set up a spam filter. Unsubscribe from email lists (you can always visit a web site if you need info). Save a tree: call catalog companies and ask to be removed. Ask business telemarketers to remove your name. Keep the recycle bin next to the mailbox and dump stuff before it ever gets to your desk. Have a favorite trade magazine? Scan the table of contents. If something looks interesting, hold on to it for a few days. If it’s still interesting, read it, else toss it (pack rats, file it so you can toss it later). You may wind up with a desk so clean that you have to do some real work.

This July 2010 article from the The Guardian (UK) goes into detail about the history and purpose of the scam. The article discusses callers claiming to be from Microsoft, controlling your PC, and demanding immediate payment. But that could easily morph:

• Callers might claim to be from Microsoft or another tech company (real or fake), or may not say a company name at all.
• Callers will invariably request that you connect to a web site from your computer. They may give you a code to enter. This can instantly give them access to the entire machine. Or they may just advise you to download and install a program, which is actually a virus or spyware.
• Callers may or may not ask for payment.

Microsoft has a whole page on scams that use its company name. Regarding this scam, they say, “If you receive an unsolicited call from someone claiming to be from Microsoft Tech Support, hang up. We do not make these kinds of calls.”

Note that remote control is a legitimate tech support method, but you should only grant that to someone you know (like MCB Systems) or a technician whom you have called. If you see someone typing or moving the mouse and you didn’t authorize it, unplug the network cable or just turn off your computer until it can be scanned for malware.