Don’t Trust Padlock and HTTPS on Detecting Phishing Websites

Recently there have been reports of phishing websites using digital certificates, and this is alarming for all of us. I used to tell users that well-known websites, including banks and any site where you enter data, should have a digital certificate: the little padlock at the top of the browser saying that your connection is encrypted. Because buying a digital certificate used to be expensive and required difficult validation, most phishing websites went without one, and that was a good sign for spotting phishing. So, if you visit your online banking website and it does not have the padlock icon at the top of the browser and the address does not start with HTTPS, then it is definitely phishing; that remains the easy way to spot phishing. But I should stress that even if a website has the padlock icon and starts with HTTPS, you should still check the URL and make sure it is really your bank or trusted website, because phishing websites are now able to get digital certificates, which means that when you visit them they have HTTPS and the padlock too.

Security professionals are fighting phishing and we have advanced technologies to detect and block phishing websites, but you still need to be extra careful. One good practice is to type the address of your trusted websites (banks, money transfer, email, etc.) correctly, verify that the site you reach is really the correct one, and then add it to your favorites, so that next time you want to visit your bank you do not search for it and simply click it from your favorites. Even if the bank sends you an email, do not click the link inside it; use your favorites to access your trusted websites. This is a new challenge for our cyberspace, and I have already started working on a solution for this problem while other security researchers are doing the same; soon I will share my outcome with the industry and you will see it inside your browser. Meanwhile, if you ever come across a phishing website, use the Report unsafe website option in Internet Explorer or Microsoft Edge and report it.
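As an added example (not code from the original post), the following Python helper applies the advice above mechanically: the padlock only proves the connection is encrypted, so the check looks at what the padlock says nothing about, the scheme and the hostname actually reached, and compares that hostname against a bookmark list. The domain names are constructed placeholders; the same check applies to the online banking advice later on this page.

```python
from urllib.parse import urlsplit

# Constructed sample: registrable domains the user verified once and saved as
# favorites. Placeholders, not real bank or mail sites.
TRUSTED_DOMAINS = {"example-bank.com", "mail.example.com"}

# Digit-for-letter swaps often used in lookalike hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _squeeze(name: str) -> str:
    """Drop dots and hyphens so 'examplebank.com' and 'example-bank.com' compare equal."""
    return name.replace(".", "").replace("-", "")


def check_url(url: str, trusted=TRUSTED_DOMAINS):
    """Classify a URL as ('ok' | 'reject' | 'unknown', reason).

    The padlock only says the connection is encrypted. This looks at what the
    padlock says nothing about: the scheme and the hostname actually reached.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        return "reject", "not HTTPS: anything you type is sent unencrypted"
    if not host:
        return "reject", "no hostname in URL"
    # https://example-bank.com@evil.example/ : text before '@' is a username,
    # not the site; the real host is the part after '@'.
    if parts.username is not None:
        return "reject", f"userinfo before '@'; the real host is {host}"
    # Non-ASCII or punycode labels can imitate a Latin-letter name.
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        return "reject", "internationalised hostname; may imitate a familiar name"

    # Exact match or genuine subdomain of a bookmarked domain.
    for domain in trusted:
        if _under(host, domain):
            return "ok", f"host belongs to bookmarked domain {domain}"

    folded = host.translate(_HOMOGLYPHS)
    for domain in trusted:
        # Bookmarked name embedded in a different domain, e.g.
        # example-bank.com.login-check.example or example-bank.com-secure.example
        if domain in host:
            return "reject", f"'{domain}' is embedded in '{host}', a different domain"
        # examp1e-bank.com -> example-bank.com after digit/letter folding
        if folded != host and _under(folded, domain):
            return "reject", f"lookalike of {domain} using digit/letter swaps"
        # examplebank.com vs example-bank.com
        if _squeeze(host) == _squeeze(domain):
            return "reject", f"lookalike of {domain} with punctuation changed"

    return "unknown", "not a bookmarked site; verify it before entering anything"


if __name__ == "__main__":
    # Constructed URLs exercising each branch.
    for sample in (
        "https://login.example-bank.com/accounts",
        "http://example-bank.com/login",
        "https://example-bank.com.secure-login.example/",
        "https://example-bank.com@evil.example/",
        "https://examp1e-bank.com/",
        "https://examplebank.com/",
        "https://news.example.org/",
    ):
        verdict, reason = check_url(sample)
        print(f"{verdict:8} {sample}  ({reason})")
```

Every "reject" case above would show a padlock if the attacker bought a certificate for their own domain, which is exactly why the URL, not the icon, is what you have to read.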


How to Detect Scams in Public Forms?

Cybercriminals are using new ways to steal data, and one I have seen recently is the use of public form-creation tools such as Google Forms or Microsoft Forms. These technologies are very productive and helpful, and you do not have to be an expert to create a form and share it online, but they can also be used for crime. They are a good idea for legitimate purposes; for example, I have been using Microsoft Forms to organize conferences. Instead of asking users to send their name and details by email, which would take a long time to put into an Excel file to keep track of who is attending, or buying a domain and an SSL certificate and building a form, which is costly and time-consuming, I can just log in with my Microsoft account and create a form quickly and easily. It gives me a website with SSL and good security; I share it with my community members or those who want to attend my conference, they fill in their data, and the platform puts it all into a nice Excel file. I save that file and use it during the event to keep track of who is attending and who is not, and I can send reminders to the email list before the event. Meanwhile, I can share feedback with the team through the Feedback interface and ask them to make it better.

However, cybercriminals also use this for criminal purposes. They easily create a form in Google Forms, Microsoft Forms or another online form builder; these forms come from reputable domains such as Microsoft or Google and they have SSL, so the user does not get suspicious, but they ask for information that a form should never ask for. In that case you should report them as abuse so that Microsoft or Google will take action against them (if it is valid abuse), and you could protect millions of users. There is an option at the end of the page to report abuse.

However, the main question is how to spot abuse. Someone might have posted a form which is valid and legitimate, while others might post a form which is real abuse. Treat a public form such as a Google or Microsoft form as abuse or a scam if it has any of the following conditions:

  • It asks for anything related to passwords, such as entering a password, saving a password, password recovery, etc.
  • It asks for banking and credit card information: if it asks you to enter your credit card details in a simple text box, then it is fraud for sure.
  • It asks for irrelevant information: say you are registering for a conference; asking for your name, email, phone number and address might be valid, but more private information like your date of birth, the city where you were born or your first school is not validly required, unless it is related, for example asking for your school when you are organizing an educational event and collecting such data for statistics.
  • It claims to be from Microsoft or Google: because the form uses a valid Google or Microsoft domain and carries their logo, some people might be fooled into thinking it comes from these companies. If you see a public form that has a Report Abuse option and claims to be from Microsoft or Google, it is a scam.

Therefore, public forms are generally a good idea and you can trust them in general; as I said, they are used for conferences, public events and even celebrations. But you have to make sure you are using a valid one, do not fall into a scam's trap, and make sure you report scammers.

Report Technical Support Scammers to Microsoft

Many people fall into the trap of someone calling them, claiming to be from Microsoft or a Microsoft partner, and asking them to grant remote access to their PC, or tricking them by asking them to look into Event Viewer or the system log, and then charging them for the "service". It was not easy to take legal action against these people, because scammers and victims might live in different countries, and working with police departments across countries is not an easy task. There are many ways to help people protect themselves. One was helping them identify scams and take action when they fall for one, like the post Hello, I am from Microsoft???!!!!!!!!: in most cases they have to report it to their bank to stop the transaction from their account or get a refund if they can prove the fraud, and also report it to the local authorities in charge of fraud in their country so legal action can be taken.

That was a good way to protect people; however, you can now report such a scam more easily by reporting it directly to Microsoft. If you ever receive a call from someone claiming to be from Microsoft or a Microsoft partner, take a note of all the scammer's information: the name, the company they claim to be from, and what they ask you to do. Make sure you do NOT share any information or details with them. A good strategy is to just listen, take notes, and NEVER share anything, not even your name or the PC you are using.

Then visit Microsoft's report-a-scam website and report it. Fill in the form carefully and provide as much information as you can. Make sure the details are as accurate as possible, because your report will be used to investigate the scam and could help many people who might fall for the same scam from the same company. This is a big step in the fight against these scammers, and the good news is that reporting is easy. In the past, people facing such a scam did not know where to report it; now you can report it directly to Microsoft.

I have your phone number

Some of you might have received a call from someone claiming to be from Microsoft, a Microsoft partner, a support team or some other title, telling you that your PC has problems, trying to prove it, and then asking you to do something to fix it. The first question is: how did they find your number? There are several ways, and it is quite possible to do, but the important thing is to prevent it from happening in the future. These are some of the ways they could have obtained your number:


1) You posted your number on a publicly available website. For example, if you want to sell something over the internet you will probably post a picture, some specifications and your number, asking anyone interested to call you. Because it is public, everyone can see your phone number; in some cases they may need to create an account to see it, which is not difficult.

2) From chat-room conversations: if you are chatting in a public chat room, everyone can see what you post, and if you post your phone number it is visible.

3) If someone hacks into your system or your account and your phone number is stored somewhere in your email or on your PC (depending on whether they hacked your PC or your account), then they have your phone number.

4) A website where you registered may have been hacked. It could be a simple forum or any other website that requires membership. If you entered your phone number there and it was hacked, then they have your phone number.

5) You received an email asking you to send back your details, including your phone number, or giving you a link to a registration website asking for your phone number. The website might claim to be from a trusted source such as your bank or some trustworthy service, but it is not.

6) A friend may have been hacked, having already stored your phone number in their account or on their PC, so after their account was compromised your number was exposed.


These were some examples; there are several ways people could gain unauthorized access to your phone number. Here are some ways you can protect yourself:

1) Do NOT enter your phone number just anywhere.

2) Check the trustworthiness of any website you are going to register on.

3) Use a strong password and always protect your PC with an updated operating system, a firewall and anti-virus.

4) It is a good idea to search for your phone number using search engines; if it appears on any website, try to remove it, and if you do not have access to the website, contact its administrator or support.

5) It is a good idea to advise your friends to protect their PCs and accounts. If their account or PC is hacked, some of your information, the part shared between you and your friends, might be exposed.

6) If you receive a call from someone who claims to be from Microsoft or Support, it means they found your phone number. Do NOT call the number back; instead take a note of the date and time you received the call and then look into what legal action you can take or where you can report it. The method of reporting differs in each country.




Detecting scams

Scams are a big issue in security. They can come in many forms, such as email, SMS, IM, etc. There are easy ways to protect yourself against scams. First, you should have technology to help you. In the case of email scams, most email software such as Microsoft Office Outlook and webmail such as Windows Live Mail come with anti-spam technology that detects and blocks spam and scams. So the first step is to check your email service provider and email software and make sure you have anti-spam and it is running; a quick search in the help area of your email provider (such as Windows Live Mail) or email software (such as Microsoft Office Outlook) will give you the answer.

Technology can protect you a lot, but as a user you should take some additional steps, because the anti-spam filter might be off or might miss a spam message that is a scam. Note that spam and scam are different things: spam might not be a scam; it might just be advertising that does not threaten anything, just something useless. Scams are more dangerous, because they want to get something from you. Anti-spam technology is, however, also able to detect and block most scams. For SMS scams, there is software that can detect SMS spam and scams; but if you know how to identify a scam, you can simply delete it. For IM such as Windows Live Messenger, Yahoo Messenger and so on, you can block the scammer by username and report them. As you can see, there are technologies that help you, and many of you already have them. Still, knowing how to identify a scam helps in cases where you are not sure whether something is a scam or not. If you see any of these behaviors in an email, it is a scam:

1) Asking for personal details: if you receive an email that asks you for personal details including your name, IC number, social security number and so on, it is most likely a scam. There may be a case where someone you trust asks you for these details, for example a family member applying for something on your behalf who needs them; but in that case make sure you have already confirmed the matter before communicating by email.

2) Giving you a surprise or a threat: to convince users, scammers try to give them shocking news or a threat. For example, an email saying you have won a huge amount of money, or one saying "we are going to shut down your email or bank account within a few hours; to prevent it, give us your full details". If you see an email that surprises or scares you, confirm it before taking any action; for example, if it is from a bank, visit the bank's website and see if it is true. In most of these cases they are scams.

3) Something that comes from nowhere: scams might be a story from someone you do not know asking for help, or offering some method that gives you a large sum of money you know nothing about, such as lottery scam emails. If you have not participated in a lottery, you will not win one. If you do not know the person, they will not offer you a large sum of money.

4) Asking you to send your password or password recovery answers: in many scams, they ask you to provide your password or the answers to questions that could lead to access to your email. For example, when you set up your email there might be a question like "what was your first phone number?"; these questions can lead to discovering your password and accessing your account. Companies will never ask for such details, and if they do, you should ask them to change their policy.

5) Your friends act weird: sometimes you might receive an email from a trusted friend or someone you know, from their actual email address, asking for something strange like "I am out of the country and I lost all my money, send this amount to my account". Before doing anything, ask yourself: would your friend do such a thing? Is this realistic? And try to contact your friend first, before replying or taking any action.

These are some of the common ways to detect a scam; however, the general formula is that every strange email carries the possibility of a scam, and scam behavior will go beyond these examples. Now let us see how to deal with a scam. Firstly, if it is an email you can mark it as scam, phishing or junk; it is only a click or a right-click away. You can also report it: depending on your country and location there are anti-fraud departments that deal with scams, and a quick search will tell you how to report them in your country.





Safer online banking

Are you among the people who have faced the issue of their bank account being hacked and money stolen from it? If yes, reading this might help you take the correct action. If no, it is still a good idea to read it; it might help you someday, or help someone you know who faces this issue.

Internet banking and credit cards are useful things. You can just sit in front of your PC and order something and it will come to your home. Or, if you want to send money to someone, instead of going to the bank, waiting there and filling in forms, you can use your PC and transfer the money over the internet. These are very interesting and useful things. But using the internet to buy and sell and doing online banking also has its own threats, and you should know them and learn how to protect yourself against them. As with normal banking, you have to be careful and cautious when you take money to the bank or deliver money to someone. For example, you never carry money openly in your hand all the way to the bank, because if bad guys see your money they will steal it. In the online world, if you are not careful enough, someone will steal your money.

Let's talk about security in the online world. In order to protect your account or credit card, you have to protect your PC first, because that is what you use to transfer money or buy something online. To protect your PC, make sure your Windows is genuine and updated, that you have anti-virus, that the firewall is on, and that everything in your system is up to date. Another thing to be careful about is that your browser has anti-phishing technology. Some bad guys design a fake web page to trick you into logging in to a website that looks like your bank's but is NOT. Anti-phishing helps protect you in this case, so make sure it is on. In Microsoft Internet Explorer 7 and later, including Internet Explorer 8 and the upcoming Internet Explorer 9, you have a phishing filter. In Internet Explorer 7 it is called Anti-Phishing, but in Internet Explorer 8 and Internet Explorer 9 it is called SmartScreen Filter, which is both anti-phishing and anti-malware (it blocks websites that contain viruses, worms, Trojans, spyware, etc.).
In other words, when a website asks you to enter banking information, make sure the address starts with HTTPS rather than HTTP (without the 's'). It should also have a padlock icon like the image below:



If the status bar is green, the website is more secure, but if it is not, it might still be secure. Most importantly, whenever you log in to a website it should have both HTTPS and the padlock. This applies whenever you enter sensitive information such as a bank login, a credit card number or other sensitive data. Another good practice: if you use Internet Explorer 8 or a later version such as the upcoming Internet Explorer 9, you have a feature called InPrivate Browsing. You can access it by pressing CTRL+SHIFT+P in your browser or by going to the Safety menu and choosing InPrivate Browsing. Once you close a browser running InPrivate, everything about the session is removed, and many things are never stored in the first place. You may have noticed that when you log out from a banking website it asks you to delete your browser history; if you logged in in InPrivate mode you do not need to delete the history, just close the browser.


You can learn more about online shopping in Internet Explorer by visiting their website. Also, do NOT enter your information on just any computer. The best idea, when you set up online banking or any bank account, is to ask the bank itself how you can protect yourself against online threats. Security in online banking is a big issue for the banks themselves, so they are the best placed to help you. But if you ever find that someone has stolen money from your credit card or bank account, follow these steps:

1) Call the bank your account or credit card belongs to, tell them about the issue in as much detail as possible, and ask the bank to help you with the process.

2) Report the issue to the department in charge in your country, such as the police or an anti-fraud department.

3) Try to list the last places where you used your credit card or websites where you entered information, and see if you remember anything suspicious.


Some best practices for online banking and using credit cards:


1) Don't enter your information just anywhere or on any PC.

2) Always record your bank's phone numbers, both the local and the overseas contact, in your contact list, and always keep other contact information such as your bank's email address with you.

3) If you travel overseas, check whether your bank has a department there so that you can contact them in an emergency, and also find out about their local department in charge of handling online banking issues.

4) Take note of and know about the anti-fraud and online safety department in your country.



Hello, I am from Microsoft ???!!!!!!!!

Some of you might have received a call from someone claiming to be from Microsoft, telling you that your PC is infected with a virus or is slow, then asking you to do something, and possibly also asking for your credit card number or personal information. In one word, this is fraud, and these calls are NOT from Microsoft. Let us discuss how to detect them and then how to protect ourselves. Firstly, Microsoft will NEVER call you unless you asked them to. Unless you opened a support request on Microsoft's website, or on a registration form for a Microsoft seminar you chose to have Microsoft call you about new products and promotions, or other cases like these, they will NOT call you. Let us see how to determine whether a call is from Microsoft or is a fraud. When Microsoft calls to help you with a virus or other technical problem, remember these points:

1) In support cases you always have a support ID that identifies whether the call is from Microsoft or not. When you file a support case or call Microsoft for support, they give you a support ID, which is usually a number. You can check your support ID with the support agent to make sure the call is from Microsoft.

2) When you start a support case, you provide some information including your name. So when someone calls from Microsoft they will call you by name. In these fraud cases they probably won't know your name and will greet you with "hello there", "hi" or "hey there" rather than your name. Someone calling from Microsoft will address you by name and NOT only with "hello" or "hi".

3) If you did not contact Microsoft for help, they will not call you to help you. Microsoft might call you about a new product or event, or about a registration if you registered for an event; in these cases they only give you information, nothing about your computer problems, and it is only possible if you gave permission to be called beforehand.

If you have already received such a fraud call, you can take these actions:

1) If you have already given your credit card number, contact your bank and tell them you are a victim of fraud.

2) If you have already given your personal information, contact the department in charge of fraud in your country for help.

3) You might also consider contacting your phone service provider (the company that provides your phone line or mobile line) and telling them about it.


If you receive one of these calls, first make sure it is a fraud and do NOT accidentally hang up on real Microsoft support. To do that, think about whether you called or asked Microsoft for support, or whether perhaps a friend filed a support request for you, and verify the support ID with the agent (the support ID you have should match the one the agent tells you; the support ID is given to you when you first contact Microsoft to request support, and make sure the agent gives it to you, NOT the other way round). Note that this applies to support cases; for promotions and other Microsoft calls there is NO support case. Then hang up the phone if you realize it is a fraud, and do NOT give your credit card number.

This type of fraud is not limited to Microsoft; people might contact you on behalf of other companies or even government agencies. Therefore, you must be careful in all cases and do NOT provide your personal information to them. Depending on the country you live in, there might be an anti-fraud organization that deals with these cases; try to find them and report this kind of fraud to them.