The alleged scammers are believed to have used phishing techniques to secure the login credentials for trusted users (often known as Power Sellers) on the auction site eBay. The gang then used these accounts to list and sell non-existent goods including Rolex watches, luxury cars and even a recreational aircraft.

Buyers, who believed that they were bidding on and buying genuine products, ended up handing over payments for goods that they never received, despite believing that they were buying from reputable traders.

Around 800 people, based across Western Europe, Scandinavia, New Zealand, the USA and Canada, are thought to have fallen victim to the scam, equating to around €800,000 (US$1million) in losses since 2006.

A joint FBI and Romanian Directorate for Investigating Organised Crime and Terrorism (DIICOT) investigation led to the execution of 101 search warrants and multiple arrests across Romania.

The OFT, a government department set up to safeguard consumer rights, will team up with Trading Standards after it was revealed that online scams and fraud cost UK internet users around £3bn a year.

The funding, which will be spread over a three year period, will be used to raise awareness of email phishing scams and fraudulent websites. Issues such as consumer rights, particularly when purchasing goods from overseas, as well as increased awareness of antivirus software programs will also form part of the strategy.

“Online consumer protection is a key priority for the OFT,” said Heather Clayton, senior director of OFT.

“The enforcement team will be looking at the activities of a wide range of commercial web sites, and taking action in cases where consumer rights are being abused.”

Recent research by the OFT last year found that 73% of adults had received a scam e-mail in the past year, with almost 10% of adults – more than four million people – in Britain said they had responded to a scam in their lives.

Almost a half of those who did respond to a scam had lost more than £50, while 5% admitted to losing more than £5,000.

“The internet is rapidly transforming the way we shop. It presents massive opportunities for consumers, but unfortunately it also harbours fraudsters who can leave consumers upset and out of pocket,” added the government’s Consumer Minister Kevin Brennan.

A recent security attack on Google and Google services, which it is claimed originated from China, has prompted the search engine giant to consider ending its activities in the country and now law firm Gipson Hoffman & Pancione, working on behalf of Solid Oak Software, has also reported being targeted.

The company is currently filing a lawsuit against the Chinese government after claiming that source code used in one of its software programmes has been stolen and be used in the government mandated Green Dam software that was included with all PCs sold in mainland China between July and August 2009. The software is used on all PCs in schools, internet cafes and public locations but home and business users are now no longer obliged to use the software. The lawsuit is worth around $2.2bn.

The company reported that employees were receiving emails, all of which carried Trojans, which were made to appear as if they were sent by other members of the firm.

The attack follows Google’s announcement on Tuesday that hackers it believed were acting on behalf of China attacked the defences of 34 large companies, including Google and Adobe. Google has since pledged to stop honouring the Chinese government’s demands to filter search results on Google.cn or pull out of China altogether, a market thought to be worth around $1bn.

According to new research from managed security firm Network Box into web-based security threats, more than 57% of all threats were phishing attacks, compared to 28.3% in November.

The firm’s analysis of web-based threats in December 2009 shows that just over 57 per cent of all threats were phishing attacks, compared to 28.3 per cent in November.

“The run up to Christmas is traditionally a time for hackers to strike the vulnerable. A higher proportion of shopping is done online, with more money spent than at any other time of year,” warned Network Box internet security analyst Simon Heron.

“Christmas offers rich pickings for phishers. This is likely to continue through the sales in January, and we urge online bargain hunters to be vigilant.”

The firm found that the Brazil was the greatest source of viruses and spam during that time, accounting for 20.9% of all viruses and 9.1% of all spam originated in December. The figure was up from 14% and 8% respectively in November.

The advice to users is to ensure that their antivirus software is fully updated.

The most common single password in the sample of 10,000 Live ID login credentials (the system used to login to services such as Hotmail) posted on a development website was “123456″, with others such as “password” and “123456789″ also common.

Of the 10,000 breached account details that were posted on PasteBin.com, “123456″ was found to be the password in 64 examples, according to Neil O’Neil from digital payments firm The Logic Group. Whilst the represents just 0.64% of the overall sample, the findings represent a worrying lack of password best practice. There were 18 uses of the second most popular password, “123456789″, in the list.

Further analysis also highlighted common themes in password structure, with names and birthdays used frequently. Other examples include “ibelongtogod” and “666666″.

As many as 42% of the passwords used only lowercase letters, 19% were purely numeric and only 6% mixed up alpha-numeric and other characters, according to a separate analysis of the data by web application security firm Acunetix.

O’Neil suggested that the breach highlighted severe flaws in online password security and recommended users to think more carefully about how they protect their accounts.

“It used to be that the best security advice was to never write down your password,” he said. “Today’s advice however is to choose complex passwords, write them down and then put them in your wallet.

“You know when your wallet is lost or stolen and therefore that you need to change your passwords. Three initials from your name and postcode will do the trick and will take a hacker weeks to crack. Using an old postcode adds another layer of protection.”

The list of details has since been removed from PasteBin although some experts claim that the data is still accessible to those, such as hackers, who will be determined to access it.

Douglas Havard, who is serving a six year prison sentence at Ranby Prison in Nottinghamshire for his part in a £6.5m ($10.38m) hacking and phishing scam, was asked to take over a project to create an internal TV station using the jail’s computer network.

The 27-year-old was, according to the Sunday Mirror, left unattended by guards despite being afforded access to the prison’s network. He went on to reset a series of passwords that locked out anybody else that attempted to use the system.

Prison bosses were forced to call in computer security consultants in order to fix the problem, with Harvard being put into segregation as punishment for the incident.

The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.

A Prison Service spokesman told the Sunday Mirror that the breach was being investigated, claiming: “Prisoners are not allowed unsupervised access to computers. The prisoner was not able to access records of any other prisoners.”

Phishers have long been trying to lure users to fake banking sites, designed to look like an exact replica of the targeted bank’s actual site, and attempting to prompt the user to disclose key information. Whilst advances in phishing protection measures found in many antivirus software packages and increased consumer knowledge have limited the success of phishing scams, online phishing scams are still a multi-billion dollar industry.

But in what seems to be the latest step in online banking fraud, findings from the RSA FraudAction Research Lab found that phishers are now utilising the power of ‘Live Chat’ instant messaging systems to get the information that they need.

Live Chat is a form of instant messaging used by a number of businesses that allow representatives to communicate directly with website visitors. The system is used predominantly for customer service purposes although there are no restrictions on how live chat software can be used.

In this example, RSA found that phishers behind a fake site were using live chat software to potential victims, posing as fraud prevention representatives.

The representative on the other end of the conversation will suggest at some abnormal activity on the account and request account information to address the supposed issue.

The advice to consumers is to remember that there is no reason why a bank or financial institution would ask for detailed security information regarding your account, other than login details and passwords that you have defined in order to access online banking services. These login details will not include information such as your mother’s maiden name or PIN. If you are asked to confirm these details either on a website or email, it is highly likely that the request is part of a part of a phishing scam.

Michael Sutton, vice president of security researcher Zscaler claimed that functionality found in the majority of web browsers, as well as most antivirus software packages, to protect users from phishing attacks was missing from the iPhone browser, despite a recent security update.

It is claimed that whilst the latest version of the iPhone software, version OS 3.1, comes with anti phishing measures that warn users when they come across a suspicious site, the feature failed to adequately warn researchers about known malicious websites. Researchers claimed that such sites were however blocked by the PC version of the Safari browser, the browser installed by default on the iPhone.

Sutton claimed that whilst the anti phishing measures are a welcome addition to the iPhone OS, the features simply do not work.

“Apple’s Safari web browser leverages Google’s SafeBrowsing initiative to block both malicious URLs and phishing sites,” said Sutton. “Not so for mobile Safari on the iPhone. Apple has only chosen to only target phishing sites on the iPhone.

“While Apple would likely argue that malicious content on websites target browser specific vulnerabilities, that is not much of an argument. Attacks that I refer to as naked browser attacks such as cross-site scripting, cross-site request forgery and clickjacking don’t discriminate – they impact all browsers equally.

“Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library. Beyond this, the phishing protection on the iPhone is ineffective.”

Sutton later claimed that having tested a variety of online/validated phishing sites that were identified by PhishTank, they were generally blocked by Safari but none were blocked by Safari Mobile.

“In fact, I have yet to identify a single phishing page blocked on the iPhone. What’s clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Why? Apple touts Mobile Safari as the killer app that finally makes surfing the web on a mobile device a realistic proposition and the numbers back up that claim. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop,” he questioned.

It also appears as though this is not the only threat to the users of these immensely popular sites. Facebook users who allow third-party applications to access their desktops could be at risk from phishing scams.

A rogue application called ‘sex sex sex and more sex!!!’ began sending out notification to users over the weekend, of which there were more than 287,000 users signed up.

Hyperlinks in the notifications redirected users to a malicious site which then pulled up the real Facebook login site in order to gain the user’s Facebook login details.

Many people use these social networking sites but are unaware of potentially threatening phishing scams.
Phishing is essentially email fraud, which sends out emails (or notifications in the case of Facebook) from legitimate looking sites such as banks. The sites that you are redirected to will often be set up to look very similar to the actual site itself.

Typically the aim of phishing is to trick the user into entering personal details, so in the case of a bank this would be login details, personal and financial information and passwords.

Phishing generally uses spam emails sent to thousands of people, in the hope that a few of those thousands will take the bait, so to speak, and enter the information that the scammer is ‘phishing’ for.
Legitimate companies will never email you to request your personal details, so it’s best to be suspicious of any emails that ask you to do so. If you submit this information after following a link, the phisher will be able to access your account and you will be vulnerable to identity theft as well as your money or personal information being stolen.

In order to avoid being caught by one of these phishing scams, you should avoid giving out any confidential information via emails, pop ups or instant messages. As mentioned previously, a legitimate site such as a bank, PayPal or Ebay will never ask you for your details via email.

Commonly many of the emails sent have bad spelling and grammar, so watch out for this even if the email directs you to somewhere that looks legitimate; after all, a professional organisation wouldn’t send out emails with misspellings.

If you are in doubt, it is best to contact the company directly where the email has supposed to have come from, in order to check if the request is legitimate.

You can also reduce the risk of phishing emails by keeping your antivirus and firewall software up to date. You can also set up a spam filter on your emails so that only ‘safe’ emails will be delivered to your inbox.

Brand protection agency Mark Monitor claims that there has been a marked increase in the number of phishing attacks masquerading as leading financial brands in an attempt to lure in customers who have been adversely affected by the financial crisis.

The survey found that fraudsters were increasingly targeting some of America’s leading financial institutions for issues such as refinancing, unemployment, remortgaging and property repossession.

The research found what Mark Monitor described as “profound levels of brand abuse” for financial brands, particularly with regards to phishing email scams.

The report found that a record 502 organizations were phished in the first three months of 2009, an increase of 24 percent from the same period last year. Of those, a total of 93 organizations were phished for the first time with 82% being financial brands.

But while financial services such as banks and other lenders remain a popular target, payment service providers, such as Paypal and Nochex, were the most phished category, making up 42% of total phish attacks.

Unsurprisingly, social networking scams such as those currently prevalent on Twitter and Facebook haven also increased. Social networking scams, which allow fraudsters to bypass the email filtering systems found in many antivirus software packages, increased by a massive 241% in the first three months of 2009 compared with the same period in 2008.

Frederick Felman, chief marketing officer at MarkMonitor, suggested that scammers would continue to target brands which offered them access to the most vulnerable users.

“Scammers are preying upon consumer hardship, demonstrating incredible creativity in combining technology, social engineering techniques and current events,” said Mr Felman. “In this digital age, as the Internet pervades business and leisure, scam artists and fraudsters are quick to profit at the expense of trusted brands across a wide spectrum of industries.”