Anti-Phishing Blog

Work at Home, Make Big Money

2009-06-09T07:08:00.001-07:00

You may have heard of the customer working from home doing payroll or some other tasks for extra money. They use an account with your bank as a part of their job. Certainly it could be a scam related money laundering.

Some work at home offers are just scams. In this example, unwilling participants who thought they were processing payroll for an international company were actually money mules. Funds went into an account, and back out. The money was actually being laundered. It was stolen.

Alexey Mineev, of Hampton, New Hampshire recently plead guilty to money laundering charges. He set up drop accounts that were used to receive and send monies that were stolen from brokerage accounts. Mineev could be sentenced to two years in prison, and a $40,000 fine. His plea agreement has him returning the $112,000 he made for his part in the scheme between July and December 2007.

Mineev, and his co-conspirators, Alexander Bobnev and Aleksey Volynskiy worked as a team. They would entice users to watch an online video that required a special codec to be installed, a screensaver or a security patch - which would actually be the delivery mechanism for a Trojan.

They could then monitor the users activities looking for passwords and other logon information for brokerage or bank accounts. Screenshots could be reviewed that also showed the balance in the user's account. Bobnev would review the accounts and Mineev and Volynskiy would move the funds through drop accounts. Once the funds left the U.S. they would be virtually impossible to recover. Western Union was often used to move the money out of the country.

Your customers need a constant reminder to keep their cyber-safeguards up. They need to protect themselves from Trojans. And still other customers need to be vigilant about who they work for and what jobs they may be doing. They could be money mules and not know it. We have read on the BOL threads where both of these customers could be at the same bank. The bank is certainly a loser in this situation.

2009-04-27T14:35:00.000-07:00

Possible Pandemic brings out Phishers

A pandemic triggered by the swine flu is causing panic for some. Others see this as an economic boost as they try to sell fake pharmaceuticals. There are a number of these phishing and spam emails being sent. Two of the more popular have a subject line of "First US swine flu victims!" and "Madonna caught swine flu!" according to Dave Marcus, director of security research at McAfee Inc.

Marcus said that about two percent of the spam today is on the flu. Some of these are out to sell phony or adulterated medications and some sites simply want to get the credit card number of anyone who falls for the pitch.

These are probably the same people who quickly register names of storms in hopes of taking advantage of the goodwill many people have when trying to help others. So it is no surprise to see this activity. But employees and customers alike need to realize that their own doctor and health system is where they need to go for information and assistance. Buying drugs based on an email is not the wisest choice someone could make. Not only may you not be protected after taking any medications bought from an unreliable source, but it just might make them sick.

Internet Crime Up in 2008

2009-04-01T07:57:00.000-07:00

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center, and the Bureau of Justice Assistance.

The IC3 recently reported that internet crime reports were up 33 percent in 2008. They reported 275,000 complaints in 2008 as compared to 207,000 in 2007. The dollars lost in these crimes in 2008 was $265 million. That amount is up only 11 percent over the prior year. Median losses were highest check fraud ($3,000), confidence fraud ($2,000), Nigerian letter fraud ($1,650).

The most common complaint received deals with nondelivery of merchandise (33%). Auction fraud (26%) and debit card fraud (9%) are ranked as second and third.

Men tend to lose more on internet scams than women. Men lose $1.69 for each dollar a woman loses. Men also place 55% of the complaints.

FBI Cyber Division Assistant Director Shawn Henry said, "This report illustrates that sophisticated computer fraud schemes continue to flourish as financial data migrates to the Internet. It also underscores the need for continued vigilance on the part of law enforcement, businesses, and the home computer user to be aware of these schemes and employ sound security procedures."

Scammers scam because scamming makes money

2009-03-27T10:12:00.000-07:00

Bankers need to be diligent in reminding customers to protect their computers. When surfing the web, they must do so with security in mind. Part of that security means knowing about their computers, and not falling for scams that try to manipulate them with fear.

One such scam uses a pop-up window that tells them their computer is infected with a virus. Coincidently this pop-up also has a link to a program that will solve the problem. Ultimately the scammer wants your customers credit card information. They think they are buying a useful, downloadable program. That isn't the scammers motivation though.

Recently Finjan's Malicious Code Research Center discovered an "affiliate network" that gets paid for these referrals such as via the pop-ups. They hack legitimate websites so that this pop-up will appear. The legitimate website is not aware at that time that they are being used.

The hacker is paid $.096 per referral, less than a dime. In their investigation though, Finjan found that in a 16 day period, 1.8 million referrals were made. The fees paid on 7,900 referrals would be $10,800 per day. Between 7 and 12 percent of the victims do install a useless or harmful program. They pay $50 for that. These fees can generate $172,000 in daily income. In addition, the consumers credit card is now compromised.

Criminals employ these scams because they work. Based on the above, they could make $2 million a year. The cost your customer pays can be much greater than $50 though, and you have a cost as well. Your bank will have to pay that customer back all or part of their loss.

We urge you to educate your customers so they don’t fall for these scams.

Phishing Phrom Business Phunds

2009-02-20T07:15:00.000-08:00

Phishing isn't always high tech. The SBA is warning small businesses NOT to respond to letters that claim to be from the SBA, requesting the bank account information of the business. The letter indicates this is for tax rebate qualification, but it is just a ploy to gain banking information and to steal funds.

The SBA news release is available here. Bankers may want to pass this information to their small business customers.

Ticket to Malware

2009-02-05T09:34:00.000-08:00

In Grand Forks, North Dakota, some people found parking tickets on their cars. Your first thought wouldn't be that this was an attempt to infect your computer with a Trojan, but it was.

The yellow fliers claimed to be tickets and included a web site link that had photographs depicting the traffic infraction. To see the photos you had to first download and install PictureSearchToolbar.exe. Since this is from law enforcement, it must be OK, right? Well it is a Trojan, called Vundo by Symantec and McAfee and Monder by Kapsersky Labs. It then has a pop-up window to sell "AntiVirus360" which is a fake anti virus program.

The moral of the story here may be to follow the traditional path. Why would law enforcement assume you had an internet connection, and why didn't the "ticket" look like a traditional ticket with the traditional manner of paying it or contesting it? We have to be skeptical in all areas now. Your windshield may protect you from bugs, but it won't do the same for your computer.

Cyber Security from US CERT

2009-01-28T11:11:00.000-08:00

Adding to the post below, I received the following cyber security tip from US CERT today, (United States Computer Emergency Readiness Team is a partnership between the Department of Homeland Security and the public and private sectors.)

Cyber Security Tip ST06-007
Defending Cell Phones and PDAs Against Attack

As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device.

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

* abuse your service - Most cell phone plans limit the number of text messages you can send and receive. If an attacker spams you with text messages, you may be charged additional fees. An attacker may also be able to infect your phone or PDA with malicious code that will allow them to use your service. Because the contract is in your name, you will be responsible for the charges.

* lure you to a malicious web site - While PDAs and cell phones that give you access to email are targets for standard phishing attacks, attackers are now sending text messages to cell phones. These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service. Once you visit the site, you may be lured into providing personal information or downloading a malicious file (see Avoiding Social Engineering and Phishing Attacks for more information).

* use your cell phone or PDA in an attack - Attackers who can gain control of your service may use your cell phone or PDA to attack others. Not only does this hide the real attacker's identity, it allows the attacker to increase the number of targets (see Understanding Denial-of-Service Attacks for more information).

* gain access to account information - In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

What can you do to protect yourself?

* Follow general guidelines for protecting portable devices - Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).

* Be careful about posting your cell phone number and email address - Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.

* Do not follow links sent in email or text messages - Be suspicious of URLs sent in unsolicited email or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious web site.

* Be wary of downloadable software - There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate (see Understanding Web Site Certificates for more information). If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.

* Evaluate your security settings - Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Phishing with Text

2009-01-28T08:00:00.000-08:00

Banks need to remind their customers that you do not contact them in emails or text messages, asking them to send you account numbers, debit card numbers and PINs over these unsecured channels. Phishing expeditions are continuing to thrive and now we see more and more attempts to gain information with text messaging.

Hello texting on your cell phone. Phishing expeditions are growing on cell phones as texting is becoming a common means of communication, and as many new cell phones were given as holiday gifts. Recently the Pittsburg, PA police department warned that customers in dozens of states are getting messages on their Sprint cellular phones from dozens of banks, asking for confidential information.

Customers need to be suspicious. Even if your caller ID tells them it is your bank calling or sending you a text message. "Spoofing" is a trick that allows the caller to contact you and make it appear as though it is your bank.

I recently read a news article where hackers in Asia were able to infect cell phones and initiate money transfers using those phones. In many areas of the world cell phones are used for banking where small purchases are made solely on the phone. This has not been popular in the U.S. But the message is the same, security and awareness are keys to protecting your customers.

If your customer has a question or receives a text message or email, they should be warned to call your bank using a known telephone number and not a "special one" provided in the message. Your bank then has to know where to send these calls for information. Infrastracture starts with you. Precautionary warnings should also appear predominantly on your web site as a constant reminder.

Scammers send these messages because when a small percentage of a very large number do respond, they get money, your money. Stop the crime before it starts.

Phishing with the web

2009-01-21T07:35:00.000-08:00

In-Session Phishing

A JavaScript vulnerability in most web browsers can be used for "in-session phishing," a new form of phishing attack that doesn't depend on email to deliver its lure to vulnerable phish. The trick uses a pop-up window that emulates a security alert and asks for password and login information.

Amit Klein, the chief technology officer at security vendor Trusteer, has notified browser makers of the flaw. The process to complete this in-session phishing includes hacking a site to enter HTML code that looks like a security warning. A JavaScript bug allows this pop-up to appear valid and legitimate to the web site. It has the user re-enter user names and passwords. Klein believes the hacker could write code that recognizes the user's location, and pops up the verification window to knowingly capture bank logon information.

Banks need to monitor their web sites, keep their systems updated, and continue to urge their users to keep their systems updated as well.

2008-11-11T17:12:00.000-08:00

What response rate is needed for spam to make money?

The Storm worm infected computers and converted them to botnets, used to send spam. Researchers have infiltrated the Storm network and assumed the role of spammers to measure their success.

It was estimated that if one in 12.5 million respondents buys the product, it can be profitable. The researchers used 75,000 compromised computers and sent nearly 350 million spam emails. In this test, only 28 sales resulted. This is less than .00001 percent. However, because only a small part of the Storm network was used they estimate that the Storm pharmacy campaign could produce $7,000 per day in sales. Researches estimate the Storm botnets could actually produce $3.5 million in sales annually.

More on the Storm worm can be found in the Tech Talk archives.

Your email subject line reads "We have hijacked your baby"

2008-09-04T08:18:00.000-07:00

What should you do when you get an email that says your child has been hijacked? We assume the poor grammar means kidnapped. And the email both asks for a $50,000 ransom, and has a picture of your child. The picture is the payload in this fraudulent spam message.

Sophos, an internet security firm, tells us they're seeing these messages and the picture has a Trojan horse designed to steal your personal, confidential information. Spammers and hackers have reached a new low. But users must beware. Keep the virus definitions up to date, and don't open the email attachments from people you don't know and don't expect. Especially in this case, watch for that subject line. It is a hoax.

75 Percent of Bank Websites have Security Flaws

2008-08-06T11:10:00.000-07:00

The University of Michigan surveyed more than 200 bank websites and found that 75 percent had a flaw that could contribute to a loss of money or identity.

While the survey was done in 2006, it is only recently being published. And these are not software patch issues. The problems identified involve the flow and design of the websites themselves. Issues could be that a secure log-on box is requesting information on an unsecure page. While they note that some of these problems may have been resolved, there are still many issues that place customers at risk today.

The study also uses FDIC reports that reflect a 150 percent increase in SARs filed for computer intrusion. At an estimated $30,000 loss per incident, this equates to a $16 million loss in the second quarter of 2007 (the period the FDIC reported on) alone.

The design flaws that the survey was looking for included:
* Placing secure login boxes on insecure pages
* Putting contact information and security advice on insecure pages
* Having a breach in the chain of trust
* Allowing inadequate user IDs and passwords
* E-mailing security-sensitive information insecurely

It may be time to review your website and see where you stand.

For more, read the article on the University of Michigan News Service.

FTC Settles "Wal-Mart Shopping Spree" for $28 Million

2008-05-16T07:46:00.000-07:00

Brian K. MacGregor was the architect of the "Wal-Mart Shopping Spree" scam and he is now paying the price. Several of his companies were involved in a scam where consumers were tricked into disclosing bank account information. The consumers were promised shopping sprees at Wal-Mart, Macy's, movie tickets or vouchers for free gas. Items were promised for free, but with a shipping and handling fee to be paid by the consumer. Some thought they were paying monthly fees for a program membership.

Macgregor violated the FTC Act and Telemarketing Sales Rules. As a consequence, a fine representing the money paid in the scheme, $28.2 Million is to be paid. The participants are also barred from participating in this type of activity in the future.

Consumers who had money taken by any of the corporate defendants without their express informed consent may send a letter to: Federal Trade Commission, attn.: Faye Chen Barnouw or Jennifer M. Brennan, 10877 Wilshire Blvd., Suite 700, Los Angeles, CA 90024. The letter should identify which company took money from them, include the dates and amounts of the withdrawals, and contain any supporting documentation. Consumers who have already sent this information to the FTC do not need to resubmit it. Consumers seeking more information about this case may call the case hotline number: 202-326-2090.

More information is available on the FTC web site.

Your Check is In the Mail

2008-04-30T12:06:00.000-07:00

The economic stimulus payments are starting to be sent. Email scams are frequent and it is worth reminding your customers of some facts. The IRS already has their information. There is no need to respond to any email requests for verification, or to direct deposit it versus sending a check. The IRS is using the same method of refunding for the stimulus payments as was selected by the taxpayer for any 2007 refund. If they opted for a check, a check will be sent to that address. If the taxpayer opted for direct deposit, that is where the stimulus payment will be sent.

Are your tellers and CSRs prepared to field your customers questions:

Will the bank tell me the money is in my account?
What if I have closed the account I had for my refund, but have a new account with you now?
How much am I getting?
When will my check be sent?

You should be prepared with resources and talk-offs for your staff.

Need to calculate your stimulus payment?
http://www.irs.gov/app/espc/

Want to know when payments are scheduled for delivery?
http://www.irs.gov/irs/article/0,,id=180250,00.html

Where the Phishing is Best

2008-04-07T14:45:00.000-07:00

Symantec, the security software company, released its, "The State of Phishing" report. In February, the most popular of attacks were seeking money through fraudulent tax refunds.

Also of note, 84 percent of fraud activity was directed at the finance industry. Key targets were banking sites and e-commerce in general. 13 percent was targeted at information services where sending spam was the desired use of that information.

On a brighter note, the number of unique sites used for phishing fell 1.8 percent in February 2008 as compared to the month before.

You have an IRS refund, and someone wants it.

2008-03-11T12:41:00.000-07:00

Even before the Economic Stimulus package was approved, scammers were sending emails wanting to verify consumers personal information to process their refunds. It is a scam and the emails are continuing to come.

The Federal Trade Commission has issued a warning to consumers advising them that the IRS and Social Security Administration do not collect refund or rebate information by telephone or email. This is a phishing attempt to get personal information over the phone or a phony website. This information could then be used to facilitate identity theft.

Urge your customers to keep their confidential information confidential. Consumers should not provide this information over the web and certainly not to someone who calls them. Even if the caller provides a number to call them back, consumers should verify that the number is correct. These scammers are known to provide fake call-back numbers that just ring in their offices, just like they'll provide false website addresses.

Watch Out for a Valentine's Day Storm

2008-02-13T23:09:00.000-08:00

The FBI issued a warning that the Storm Virus may be attached to to St. Valentine's Day e-cards. The reader will have a link to click and that will take them to a malicious site where the virus can infect the readers computer.

If you are not expecting an e-card or don't know the sender, don't open the card.

The FBI asks that if you have received this, or a similar e-mail, please file a complaint at www.ic3.gov.

CAN SPAM Enforcement

2008-01-04T16:52:00.000-08:00

You may not know the name Alan Ralsky or the names of the other ten defendants indicted with him, but there is a strong chance they know you...or at least your email address. Ralsky and ten others have been indicted in possibly the largest criminal spam and electronic fraud case in our history. They sent millions of spam messages every day including many of those pump and dump messages many of us received. This will represent enforcement of the CAN SPAM law as well as conspiracy, electronic mail fraud, mail fraud and wire fraud..

File Sharing Software - Tax Returns, Bank Statements and More

2007-11-14T19:22:00.000-08:00

Gregory Kopiloff recently pleaded guilty to one count each of mail fraud, accessing a protected computer without authorization to further fraud, and aggravated identity theft. He was using file sharing programs like Limewire to commit identity theft. Individuals have been prosecuted for using these programs to share copyrighted music and movies in the past, but this was the first case, the Justice Department said, where they were used for identity theft.

Using the file sharing programs, Kopiloff accessed confidential computer files including tax returns, credit reports, bank statements and student financial aid applications. He also used old school methods to to gain this information including stealing mail and dumpster diving.

Kopiloff will be sentenced January 28 and faces 20 years imprisonment and a $250,000 fine for the mail fraud charge, five years imprisonment and a $250,000 fine for accessing a protected computer. Aggravated identity theft carries a two year sentence, which can be served consecutively with his other penalties.

Phishing in the Little Ponds

2007-10-17T18:54:00.000-07:00

You might think that phishing only happens to the big nationwide and international banks where there is a big pool of users to increase the chances of getting results. Not always true.

Bank of the Cascades in Bend, OR has fallen victim to a phishing scam. Many of their customers are getting an offer to pay them $100 for clicking a survey link. In about ten days, early this month, 13 customers have fallen for this and provided confidential information to collect their money. The bank has replaced the $15,000 taken so far.

The bank has a warning on their homepage and a link to good information for internet banking customers so they can avoid a loss.

Are you prepared to react to a phishing attempt at your bank? What will you tell your customers, the press, post on your web site, and what information will you provide your CSRs to handle these issues? If you don't have a plan, there is no time like the present.

77 Arrests -- $2 Billion in Bad Checks

2007-10-04T20:33:00.000-07:00

The U.S. Postal Inspection Service said that 77 recent arrests are the result of and international crackdown on internet crime. Sixty arrests were made in the Netherlands, sixteen in Nigeria and one in Canada. Three of the suspects from the Netherlands and Nigeria were extradited to New York where they'll stand trial. U.S. authorities are seeking the extradition of five others. These arrests also netted more than $2.1 billion in fake checks that were destined for the financial industry. Susan Grant, vice president of the National Consumers League, said the average victim loses about $3,000 to $4,000 and is not aware they have liability when the U.S. financial system requires checks to be paid, even though the check may not have cleared yet.

"We shut down Internet cafes, we arrested scammers, and significantly disrupted the flow of fake checks into the United States," said Greg Campbell, U.S. Postal Inspection Service inspector in charge of global security.

Is CAN SPAM Effective?

2007-09-17T13:02:00.000-07:00

Recently FBI agent Thomas Grasso of the National Cyber-Forensics and Training Alliance, spoke at the Security Standard conference in Chicago. He said the FBI considers the CAN SPAM Act to be an effective tool in combating spam on the internet. He went on to say that even though a lot of spam originates outside of the U.S. our law enforcement agencies are now getting more cooperation from international law enforcement agencies.

Perhaps more cooperation is a key reason here as nobody saw the CAN SPAM Act as a silver bullet. It does help the prosecution of offenders in the U.S. but seems to be doing little to reduce spam in my in-box.

"There's a lot that's changed over the last 10 years," Grasso said. "It used to be if you trace an IP address back to Romania, you're not going to get somewhere with it. That's changed; we now have task forces working with these people overseas, and Eastern European police forces are aggressively going after this, because the problem is starting to affect them, too."

As to advice, Grosso was asked how Netizens should protect themselves. He said the cybercrimnals are getting through the firewalls and malware is being installed. "You need security solutions to be more comprehensive; you need to shore up the perimeter, but you need to worry about what's going on inside the network, too." And based on many press articles of late I'd agree. One recent survey showed many users felt they could connect any where and security was ITs job. That is a philosophy leading to failure. Security is everyone's job, from not sending confidential data through the wireless network at your local coffee shop to not using links from email sent to you by strangers.

Are You Ready for Some Football

2007-09-12T10:27:00.000-07:00

The NFL started the regular season last weekend and many fans got a "special" email offering information about the new season. By visiting a linked website they could get an online game tracker which provided the games scheduled, channels to view them and statistics. What the user would get would be malware.

This is the latest incarnation of the Storm Worm. With the Storm Worm on a machine, it can be used to send spam and participate in denial of service attacks without the owner's knowledge. Storm Worm is estimated to comprise 25 percent of all detected malware. Because this program can be updated routinely, even every 30 minutes, the program is difficult to detect or remove regardless of how recent virus protection programs were updated on that machine.

User education is the best remedy for this problem. Do not trust email links, especially from an unverified source. If you were not expecting a "greeting card from your neighbor" or a link to a breaking news story or an NFL game tracker, don't click the link.

Pump and Dumps Can Work - Regrettably

2007-08-13T06:38:00.000-07:00

Spam increased 445 percent for one day, according to Postini, a hosted e-mail filtering company. They monitored the volume and beginning August 7th and ending the 9th, they saw a huge increase which is attributed to a pump and dump scheme. Pump and dumps were discussed in my prior blog entry.

This attack had no virus. The goal seems to have been to get the stock value up for the company mentioned in the PDF attachment, Prime Time Group. The scheme seems to have worked as the value of Prime Time was up 60 percent on August 8th.

SophosLab detected 500 million of these emails. One thing that was different was the size of the PDF file. This one was 10 pages long. This may have been an attempt to thwart some spam filters looking for the traditionally smaller attachments spammers have been sending.

Consumer Report's 2007 study "State of the Net" projects that in the last two years U.S. consumers lost $7 Billion due to viruses, spyware and phishing schemes.

Are you seeing PDF Spam?

2007-08-10T15:48:00.000-07:00

Is there a correlation between all these spam emails you've been seeing that you have a greeting card from a "friend," "neighbor,", "mate," as well as others, and the increase in other spam emails? Some think so.

Sophos, a security firm which monitors this believes the increase is directly related. Spammers used to send text messages. Then filters were made to look for certain words, phrases, patterns or the frequency of use of certain words. The spam filters did their job. So the spammers started using pictures of their messages embedded in the email. This got it through the word filters. But eventually some filters were catching up to these methods and the success rate at trashing the messages was increasing. So the spammers have gone to attached PDF files. Many users receive valid PDF attachments so canceling all these could be detrimental to business.

Sophos believes there is a correlation between the increase in e-greeting card messages and the PDF (attachment) spam messages. Netizens read the email and go to a linked site for their bogus greeting card. There, they get infected with malicious software (malware) and are unaware they are now being used to help send all these spam messages.

So far, the attachment spam has not been infectious. It is a "pump and dump" maneuver to artificially inflate some stocks value. The companies are not the problem, it is the investors trying to make the profit on a sale. The Security and Exchange Commission appears worried about stock spam. It suspended trading on 35 companies that had been promoted in email messages, last March.

While the PDF attachments have not been found to be harmful, as with any attachment, if you are not expecting it, don't open it. And if you are not expecting an e-greeting or don't recognize the sender or the site, don't go there to open it. And as alway, keep your virus files and firewalls on and up to date.