Archive | Security

Holiday greetings from MySpace scammers

Posted on 27 November 2006 by Scam Detective

Online scam artists send e-cards to get unsuspecting users to click on links, disclose personal information, and download potentially dangerous software.

’Tis the season to start receiving greeting cards, and a growing number of them, conveniently, will come via the Internet.

There’s only one problem: Some of the e-mails saying that you have an e-greeting card from a friend or family member may instead be from a scam artist intent on obtaining your Social Security number, credit card data or even brokerage account information.

“People like receiving greeting cards this time of year, and they are likely to click on these greetings” if they are in their e-mail inbox, said Stu Elefant, senior product manager for McAfee Inc., an Internet security firm that markets products that detect unsafe Web sites or e-mail. “There is more cybercrime because people’s defenses are down. They are in a more trusting mood, thanks to the holidays, and they are looking online for bargains.”

That is an irresistible mix for increasingly clever cybercrooks as they realize more people than ever will shop online this holiday season, as well as seek to save postage–and time–by e-mailing holiday greeting cards.

Online shopping is already off to a fast start.

“Online sales are up 23 percent, about $6.35 billion, so far this year versus a year ago,” said Gian Fulgoni, the Chicago-based chairman of ComScore Networks Inc., which tracks Web activity. His figures are from Nov. 1-19 and will be updated Sunday to reflect this weekend’s frenzied shopping.

Holiday cybershopping will steadily increase over the next few weeks, with Monday slated as one of the busiest Internet shopping days during the holiday period as people use downtime at work to shop online.

Overall, Fulgoni estimates that $24 billion will be spent online this year during November and December, which should account for about 7 percent of all retail activity.

“That’s probably up a full percentage point over last year,” he said.

Indeed, more people than ever are comfortable shopping online these days, with 91 percent of adults saying they use the Web to shop, according to a survey released Friday from Harris Interactive and Check Point Software Technologies.

But as more people turn to the Internet for at least some of their holiday purchases–or simply for comparison shopping–more crooks, too, are tracking their movements.

The average loss per “phishing” scam grew from $257 in 2005 to $1,244 in 2006, according to a November report from Internet research firm Gartner Inc. Losses stemming from such attacks reached more than $2.8 billion this year, Gartner found.

In Australia, a scam was uncovered in late October by Exploit Prevention Labs that was perpetrated through e-greeting cards. According to a TechNewsWorld story, accounts at nearly every Australian bank were affected when a major cybercrime group used fake Yahoo greeting cards to infect computers with malicious software that tracked keystrokes on PCs. This so-called “keylogger” software was used to steal credit card numbers, bank account user names and passwords.

Yahoo did not return messages Friday for comment.

Researchers with Exploit Prevention Labs added that the e-card spammers were also targeting computer users in North America, according to TechNewsWorld.

Indeed, since early fall, numerous computer users across the U.S. and in Chicago have noted a marked increase in e-card-based spam e-mail. The subject line typically reads, “You’ve received a greeting from a family member” or “You’ve received an animated postcard.”

The text inside these “phishing” e-mail messages asks people to “click here” to see the card. Phishing scams are an attempt to trick people into revealing personal information. If they click on these links, they could unwittingly be downloading software that could be used to separate users from their hard-earned holiday bonuses.

Elefant warns people to exercise extreme caution when e-greeting cards enter their inboxes and to open messages only from people they know. If you have any doubt, he warned, don’t open the message.

The number of e-greetings sent this time of year typically doubles compared with the rest of the year. In October, for instance, visits to sites managed by American Greetings, where there are e-cards for holidays or birthdays, increased 66 percent over September, according to ComScore figures. That was the second-highest traffic increase for any Web site in October, ComScore reported.

Crooks are exploiting what security professionals like to call “social engineering,” Elefant said. Because humans are social beings, they’re more likely to open an e-mail they think is from a friend or family member than something unfamiliar.

“Social engineering is more prevalent this time of year because people want to click on an Internet greeting card or get a better deal at a store online. So it’s more prevalent this time of year, and this year it’s more prevalent than anytime it’s ever been.”

People also are helping the crooks more than before.

The growth of social networking sites like Facebook, MySpace and even YouTube is helping cybercriminals target computer users.

“There’s more personal information about people online at these sites,” Elefant said. At YouTube, for instance, many people who post videos also include a picture of themselves along with other personal information, such as an e-mail address.

A crook may then send a message to that user and write, “Hey, I saw your video at YouTube about skateboarding. If you want a new skateboard, come check out the deals at my site.”

Elefant said this is a common technique used by sexual predators but increasingly is being used for financial scams.

Another reason for the online crime wave, according to the Harris survey, is that few people adequately secure their computers. The survey found that 74 percent of people do not install a hardware firewall and 53 percent don’t use a software firewall. Only 22 percent have installed a proper suite of security software, according to the survey.

How to avoid online scams

- Purchase items through well-known retailers you can contact via phone if necessary.

- Check for a little yellow lock at the bottom right corner of your browser window when making a purchase. This indicates a secure transaction.

- Check bank and credit card statements frequently for suspicious transactions.

- Never give out personal financial information in response to an e-mail, including charity donations. Contact a charity directly on how to make an online donation.

- Do not click on links to Web sites embedded in e-mails. These links can direct a user to a phony e-commerce site that looks like a legitimate site.

- Use a separate e-mail account for online shopping. You can get free e-mail accounts through Google, Microsoft and Yahoo.

- Make sure your security software is up to date. If you use Wi-Fi, make sure your wireless network is secure.

- If you think you are the victim of a “phishing” scam or online identity theft, go to the Federal Trade Commission’s help site at www.consumer.gov/idtheft.

Article written by Eric Benderoff

Comments (178)

Watching your Teen’s MySpace page

Posted on 05 October 2006 by Scam Detective

Q What is the right age for my children to have their own MySpace profiles? How would you recommend monitoring their Web pages?

A MySpace has more than 40 million members and gets about 15 percent of all the Internet hits in the country, so caution is advised. Officially a child has to be 14 to have a private MySpace page – meaning they have to invite “friends” to join their site. This does offer some control over who has access to your children’s profiles.

How mature are your children and do you have a good honest relationship with them? It is important to explain the dangers of putting information on the Internet for the world to see; there are many predators out there. Be sure your children are cautious when setting up a MySpace profile: They will be asked for all sorts of personal information that could be used for other purposes. How about just using a first name or nickname?

 

Have your computer in a common area where you can monitor what is being exchanged on the Web site. Give constant reminders that your children’s online friends may not be who they seem. You can be invited onto your children’s sites and periodically ask your children to see their profiles. Of course, your children may set up multiple profiles under different names, so you may not be able to see everything they are doing online.

Have you actually been to MySpace.com yet? Although people argue that this is a good vehicle for keeping in touch with peers, I am appalled at some of the stuff I’ve seen there. Why not set up your own profile so you can see firsthand what is going on and discuss your concerns and rules with your children?

Comments (46)

BeNetSafe monitors children’s browsing habits.

Posted on 12 September 2006 by Scam Detective

Kids used to hang out in vacant lots, then in malls and now, online.

BeNetSafe helps you to be a better parent by lovingly and effectively “chaperoning” your children online, just as you always have, offline.

BeNetSafe will monitor your child’s information on the Internet and provide you with detailed reports and feedback alerting you to potentially dangerous and risky behavior.

Comments (44)

Are Thieves Targeting You on Myspace?

Posted on 01 August 2006 by Scam Detective

I just received some more info about the MY SPACE dangers. I found out exactly how thieves are locating houses by using MY SPACE combined with a second awful site. When you sign up for “Your Space” you enter the following information:
Name, Age, City & State, Zodiac Sign, height, build, children’s info, hobbies, marital status and occupation. You may think that this information is innocent but it is not AT ALL.

There is another web site called “zabba.com”. This site is a free search engine used to locate addresses & phone numbers (Even Unlisted #’s!) of anybody worldwide! All the person needs is your name. If they can enter your city as well it will help narrow down the amount of people they have to search through. However, since YOU listed your birthdate or age or your zodiac sign on MY SPACE, finding out which “Bob Jones” you are will be a breeze.

Once they have determined your address they cross reference this with your occupation listed on MY SPACE. If you are a “Hot Single, Night Shift Bartender at Lucky’s” they already know when you are not going to be home.

Parents are even using MY SPACE as a way to show friends their pictures of their lovely children – BAD IDEA. Any thieves or predators can now stalk your family from the privacy of their own home.
If “Your Space” says you “have two sons – ages 4 and 8 who are honor roll students at Parker Elementary”, this tells thieves that when you are not home, neither are they.
You can even reverse the roles – parents, your children can say, “My mom works at the dentist office and my dad works at Ford”.

Here’s a little more IMPORTANT, IMPORTANT about Zabba.com:
whether it is cross referenced with MY SPACE or not, you can use it to find out someone’s name, address, phone number, PARENTS NAMES, MOTHERS MAIDEN NAME, GRANDPARENTS and every place your family has lived. This is very scary. I didn’t believe it. I entered my name and EVERYTHING listed appeared. Even how many criminal violations I have had (traffic tix).

I want to see if there is a way to get removed from the list. I was told that if you sign up for things on the internet you MUST read the fine print before you submit your info. I was told that sites can sell your personal information to third parties, zabba.com could easily be buying this info.
If you are interested in seeing EXACTLY what I have been talking about, I went to MY SPACE and found a perfect example of a profile. Here’s the link (Please copy and paste the entire link into your browser.):

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=47386876  

This is a 29-year-old woman. She innocently posted many pics of her children, husband to be and herself. She EVEN writes: “I spend my weekends watching my kids play soccer, basketball or baseball. I like to talk on the phone to anyone who will listen. I love to lay in bed all day on a Sunday and watch MTV with Mike.”

If anybody has more information about zabba.com or MY SPACE please send it to me.

HERE’S THE LINK, try it for yourself:
http://www.melissadata.com/cgi-bin/peoplefinder.asp

Comments (88)

MySpace hit with a security breach

Posted on 25 July 2006 by Scam Detective

Over a million MySpace users have been exposed to spyware that exploits a Windows vulnerability through a banner ad on the site, the BBC reported on Friday.

Those using Internet Explorer that has not been patched against the Windows Meta File (WMF) vulnerability could be exposed to spyware and adware.

The vulnerability in the way WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mails or instant messages, or via Web sites.

Reports suggest the advert has been running for approximately a week.

Security firm iDefense detected computer servers being used to log how many times adware was installed from the advert, according to the Washington Post.

Over one million installations of the adware were logged before the servers were shut down.

“This is a criminal act,” said Hemanshu Nigam, MySpace chief security officer, according to reports. “This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours.”

“We are working to have these ad networks remove this ad so that they do not appear on our site,” Nigam said.

Comments (45)

MySpace users are hit with adware.

Posted on 24 July 2006 by Scam Detective

As many as one million computers may have been infected with adware through an advertisement running on MySpace and other websites. The DeckOutYourDeck.com advertisement surreptitiously installed 5 adware programs, and reportedly relayed Internet activities to a website in Turkey.

MySpace has since started to remove the ads, which affected PCs running Firefox versions earlier than 1.5 and Windows users without a recent security patch for image files. There is no word about a removal tool as yet.

Just last week MySpace was hit by a Flash worm. The sad truth is where there is a volume of people, there will be malicious folks looking for ways to exploit their computers.

Comments (50)

MySpace Flash Attack Corrupts Profiles

Posted on 17 July 2006 by Scam Detective

A blog entry on the ChaseandSam.com website noted the MySpace issue, where an embedded Flash file caused problems for MySpace users.

Signed-in MySpace users who visit a profile already infected with the malicious code will in turn have their own profiles infected. Everyone who arrives at an infected page will be redirected to another blog containing a rant about the 9/11 attacks.

The ChaseandSam site listed a safe link to the Flash file exploiting the MySpace code. Since MySpace allows its users to embed code to display content, it was a trivial matter for the attacker to place the code on a profile and wait for people to stumble across it.

While the embedding feature makes it easy for MySpace users to share audio and video content, it appears the site could be more rigorous in assessing embedded code placed on profiles.

Kinematic, a user on the Digg news site, posted an assessment of the code used by the attacker. A Flash file performing the redirect would be encountered first.

Then the landing page would fire up another Flash file, retrievecookie.swf. The ActionScript in that file would then pull up a blog post from elsewhere on MySpace, and evaluate that code.

In doing so, the attack would grab the visitor’s MySpace token and hash code. Kinematic commented that the hash code is supposed to be a security measure. Like the token, the hash code is also in the URL, a helpful condition for the attacker’s code.

After that, the visitor’s profile gets modified, and the next person to visit the profile while logged in to MySpace likewise gets infected. Fortunately, the code can be removed from the profile. The post on the ChaseandSam website shows how to find the offending code in the profile to get rid of it.
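One way to look for the kind of embedded Flash code described above, as an added example that is not from the original post, the ChaseandSam write-up or MySpace: it lists the Flash movies referenced in a profile's HTML and flags those served from a host outside an allow-list or permitted to script the page. The sample markup, host names and allow-list are constructed, and flagging every `allowScriptAccess` value other than `never` (a Flash embed parameter the post does not mention) is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site operator trusts to serve Flash (constructed name).
TRUSTED_HOSTS = {"media.example-social.test"}
PARAM_KEYS = {"movie": "src", "src": "src", "allowscriptaccess": "access"}


class FlashEmbedAuditor(HTMLParser):
    """Collect Flash movies referenced by <embed> and <object> in profile HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object = None  # the <object> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "embed":
            self._record(a.get("src", ""), a.get("allowscriptaccess"))
        elif tag == "object":
            self._object = {"src": a.get("data", ""), "access": None}
        elif tag == "param" and self._object is not None:
            key = PARAM_KEYS.get(a.get("name", "").lower())
            if key:
                self._object[key] = a.get("value", "")

    def handle_endtag(self, tag):
        # An <object> is judged once all of its <param> children have been seen.
        if tag == "object" and self._object is not None:
            self._record(self._object["src"], self._object["access"])
            self._object = None

    def _record(self, src, access):
        url = urlparse(src.strip())
        if not url.path.lower().endswith(".swf"):
            return  # not a Flash movie
        host = (url.hostname or "").lower()
        reasons = []
        if host and host not in TRUSTED_HOSTS:
            reasons.append("untrusted-host")
        # Conservative assumption: anything but an explicit "never" may script the page.
        if (access or "").strip().lower() != "never":
            reasons.append("script-access-allowed")
        self.findings.append({"src": src, "host": host, "reasons": reasons})


def audit_profile(html):
    """Return the Flash embeds in `html` that carry at least one risk reason."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    parser.handle_endtag("object")  # report an <object> that was never closed
    return [f for f in parser.findings if f["reasons"]]


# Constructed sample profile markup; hosts are placeholders.
SAMPLE_PROFILE = """
<embed src="http://media.example-social.test/player.swf" allowScriptAccess="never">
<embed src="http://files.example-host.test/redirect.swf" allowScriptAccess="always">
<object width="1" height="1">
  <param name="movie" value="http://files.example-host.test/retrievecookie.swf">
</object>
"""
```

Calling `audit_profile(SAMPLE_PROFILE)` returns the two off-site movies with their reasons and leaves out the trusted player that is denied script access.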

Comments (50)

Spyware Found on MySpace

Posted on 12 July 2006 by Scam Detective

Be careful, MySpacers. That video you want to watch on your friend’s profile may contain spyware.

One such video, called “Friends play a hilarious practical joke,” has been spreading across MySpace.

With just a few clicks agreeing to download the “Zango Search Assistant,” you will begin to see a lot of pop-up ads, which slow your computer down and clutter it with spyware.

The adware, produced by Bellevue, Wash.-based Zango, presents you with a pop-up window of fine print explaining the end user license agreement (EULA). Once you click, though, the pop-ups begin.

Your clicks will download a “Zango Search Assistant,” which, according to tiny text in the pop-up, “will show you a limited number of ads that pop up on your screen in a separate browser.”

Zango makes money by partnering with webmasters who post videos on their sites.

Comments (44)

Zango Adware Found On MySpace

Posted on 12 July 2006 by Scam Detective

After a security researcher said Monday that MySpace users were spreading adware through the social networking service to ring up ad fees from Zango, the Bellevue, Wash. marketing company admitted one of its own developers had set up the MySpace profiles.

Zango, however, said the developer was acting without approval and in ignorance of the company’s “hands-off” policy regarding MySpace.

Chris Boyd, the director of malware research for security vendor FaceTime, said he found a pair of MySpace profiles tagged “Zango,” the new name for the controversial adware maker 180solutions. And each profile pushed adware. One of the profiles used video to entice MySpace visitors to download Zango Assistant and Search Toolbar, which users had to accept if they wanted to view the clips.

“Just who is pimping these things?” Boyd asked, then pointed out Myspace Graphics Help, a site that included copy-and-paste code to add Zango-distributed videos; the code, says the Myspace Graphics site, can be added to MySpace profiles or comments. Anyone who clicks on a MySpace-placed video created by such code, of course, must download Zango’s adware to watch the clip.

The profiles were a mistake, countered a Zango spokesman Monday. According to Zango’s Steve Stratz, the two spotted by Boyd were created by a company developer based in its Montreal office. (In April 2005, Zango, formerly 180solutions, acquired Montreal-based CDT, at that time one of its largest adware-distributing partners.)

“Those two test accounts were actually created by one of our developers who was exploring possible opportunities, but he didn’t realize it was Zango business practice not to target MySpace,” said Stratz. “He should not have been doing this, and we want to tell MySpace that we didn’t mean to target them.” The developer, said Stratz, would soon be deleting the profiles.

Boyd took Zango to task nonetheless.

“This is a relatively new viral approach,” said Boyd. “We’ve seen spam and porn bots on MySpace before, but not adware from a quote-legitimate-unquote adware company,” he said.

Boyd’s contention was that unscrupulous Zango partners are getting MySpace users — many of whom are teenagers — to do their dirty work by spreading the necessary ad-tracking and ad-displaying software.

“Pasting the code for the [video] into the MySpace profile and having it autoplay when you visit the page is enough to have the [Zango] license prompt appear,” said Boyd. “Easy as pie.”

But although a Zango EULA (end-users license agreement) pops up on coded MySpace profiles, it’s too easy for users to assume the dialog’s from MySpace, not an adware vendor, argued Boyd. He found more than two dozen sites similar to Myspace Graphics and “I didn’t see one actually mention the fact that in return for these [video clips], you’d be pimping Zango.”

Zango, however, countered that its license agreement “could not be any clearer” and that it would be obvious to anyone that the download was not originating with MySpace.

Zango, which until early June was called 180solutions, has spent months cleaning up its distribution network (in the past it blamed “rogue” distributors for installing its software without users’ permission) and trying to be a better Internet citizen.

Then Zango’s vice president of business development, York Baur, said that “we’ve fixed [those] problems to the extent they can be fixed. This [business] model works, and we’re very proud of the model we’ve built.”

Stan Monlux, senior director of business development, weighed in Monday on the MySpace issue by denying that the network’s accounts were allowed to register as partners — and thus receive payments — and arguing that it wasn’t up to Zango to police the sharing of its content.

Comments (52)

Posting Bulletins outside of MySpace domain

Posted on 11 July 2006 by Scam Detective

It appears that MySpace finally tightened up security and no longer allows bulletin posts from outside of the MySpace domain. A great move if you ask us; this will keep out a lot of unwanted SPAM bulletins created by unknowing MySpace users.

Comments (102)