Online Security

November 12, 2009

Phishing scams hit Xbox Live

Screen grab of the phony Xbox Live page.

If you’ve got an Xbox, or are planning to buy one this holiday season, you should know that Xbox is the latest platform to be victimized by phishers, according to security software maker F-Secure.

Victims are first conned by a YouTube video claiming to give away free Xbox Live memberships and Microsoft points (which are the equivalent of money in the Xbox world). You’re told to go to a Web site where you have to enter, of course, your Xbox Live gamer tag, password, and e-mail address. F-Secure’s blog points out that, while the Web site looks authentic, it’s got a country code from East Timor.

If you know anything about phishing, you know what happens next—your Xbox identity is up for sale. The more software you’ve got on your Live account, and the higher your gamerscore, the more valuable your Xbox identity. Don’t be taken in by phony deals, and never give away your password to an unknown Web site.

Think you can spot a cleverly disguised phishing scam? Take our quiz and find out. —Donna Tapellini

October 28, 2009

With new Social Search, Google aims to be busybody-in-chief

Google Social Search explained.

To the delight of social media stalkers (and the dismay of digital hermits and job applicants), this week Google launched a new, experimental search option that can crawl through your vast online social network to help you find content from friends and contacts. Google Social Search is explained on the official Google blog (and in the video below):

A lot of people write about New York, so if I do a search for [new york] on Google, my best friend's New York blog probably isn't going to show up on the first page of my results. Probably what I'll find are some well-known and official sites…With Social Search, Google finds relevant public content from your friends and contacts and highlights it for you at the bottom of your search results.

To find personal content, Google looks first to your Google Profile, where you can add information about yourself and indicate to which networks you belong, from Twitter to Picasa. It also—at your discretion—will delve into your Gmail contacts and the blogs you follow on Google Reader.

Helpful, yes. But privacy issues have already been raised. Google’s Matt Cutts, in an introductory video, stresses that it’s your choice as to whether or not your content is crawled and surfaced. He also attempts to cut the privacy argument off at the pass:

“Once you’ve created a Google Profile and added links to your various online social services, you’ve signaled a very clear choice that you’re comfortable with the world knowing that information, including that you’re part of the other social networks you listed.”


Thoughts? Is Google simply providing a useful extra search tool, or does the new feature skirt too close to home? (For safe surfing tips, be sure to check out our Guide to Online Security.)

I'm now participating in the experiment at Google Labs to check out the social search's functionality for myself. If you're interested (you'll need a Google/Gmail account), sign up here. —Nick K. Mandle

October 23, 2009

Beware of 'phishy' text messages on your cell phone

This is the text message some spammer/phisher sent to my cell phone today. Has anyone else gotten one of these SMS messages?
[PHOTO: P. Eng, Consumer Reports]

I almost fell for a rather clever phishing message sent to my cell phone, not my computer's e-mail inbox. A text message from "Unknown" popped up on my cell phone, warning me that my "Card" with Chase had been deactivated. To reactivate it, all I had to do was call the toll-free number listed in the message. (See image at right.)

Because I have several accounts with Chase—and I do take advantage of "Chase Mobile Banking"—I nearly pressed the "Call" button to reactivate my card.

But on closer look, I realized this was a scam. Here's what tipped me off:

  • The "Unknown" sender. All the previous official alerts from Chase to my cell phone were clearly identified by a specific ID number clearly linked to "Chase" in my phone's address book.
  • The "Card starting with..." text. Most banks use "Your account ending with..." not, "starting with."
  • The improper capitalization. "...has been Deactivated."
  • The incorrect account number. I don't have any Chase accounts starting with 511182.

Thankfully, I didn’t press the "Call" button on my cell phone. But I did phone Chase's official customer service line (1-800-436-7927) and was quickly connected with the Chase bank's online fraud and security center. The Chase representative told me the bank is aware of these phishing text messages, but the version of the phish they had on record had a different toll-free number. They noted the details of the phishing message I received and said they'd monitor my Chase accounts for any suspicious activity since this appeared to be a "new type of fraudulent e-mail."

October 16, 2009

Extra Extra: Consumer Reports Electronics Buying Guide is on sale

It may be a tad early to start your holiday shopping, but there’s a good chance you’ve at least been thinking about it. Maybe you’ve had a big-ticket gift—like a new TV or home theater—in mind for a while now, but are putting off the purchase till November or December. If it’s sales you’re waiting for, you probably know what you want and how much you’re willing to pay. On the other hand, you might be just a teeny bit leery of throwing so much cash at something you know very little about. Which is better: a plasma or LCD TV? Should you upgrade to a Blu-ray player or stick with standard-def DVDs?

If you find yourself in need of expert advice, consider the newest edition of the Consumer Reports Electronics Buying Guide. Inside you’ll find a wealth of information on everything from televisions and computers to smart phones, GPS units, and much more. For each product, the Consumer Reports editors walk you through the basics, explaining what’s available and which features matter, providing brand profiles, and offering tried-and-true shopping tips.

In addition to product information, the guide offers advice on how to shop smarter, including:

  • Netting the best deals online, and protecting yourself when you shop on the Web

  • When to repair and when to replace a broken item

  • How to haggle effectively

  • Finding the best electronics retailer based on our comprehensive annual survey

  • How to save—and what to be wary of—with refurbished or open-box products on store shelves

  • Where to get free office software, free computer security programs, and more useful freeware

October 13, 2009

Two-year operation nets 100 phishers

More than 100 people have been charged with identity theft and other computer-related crimes in a joint investigation by U.S. and Egyptian law-enforcement agencies.

Operation Phish Phry uncovered an international conspiracy that was allegedly using phishing tactics to steal personal information from account holders at American financial institutions. The investigation was conducted on the U.S. end by the FBI, the United States Attorney's Office, and the Electronic Crimes Task Force in Los Angeles.

The indictment charges that cyberthieves located in Egypt used classic phishing tactics to direct victims to phony Web sites, where they entered passwords, account numbers, and other data. That info was used to hack into accounts at two banks. Money was transferred from the compromised accounts to fraudulent accounts created by "runners" recruited by the U.S.-based co-conspirators.

Fifty-three defendants were charged in the United States with conspiracy to commit bank fraud and wire fraud; 47 more were charged in Egypt.

Remember never to access a financial account online by clicking on a Web link embedded in an e-mail. For more security advice, take a look at our Guide to Online Security. —Donna Tapellini

October 13, 2009

T-Mobile Sidekicks lose data, with lessons for phone carriers and users

Phones need to make it relatively easy to back up the data they carry, preferably locally to your computer, and cell phone owners should take advantage of those methods.

Those are among the lessons of the past weekend's T-Mobile Sidekick incident, in which Microsoft irreparably wiped out the contacts, call history, and other data for an unspecified number of Sidekick owners.

Yesterday, T-Mobile said that Microsoft—whose operating system, with the now-ironic name of "Danger," developed a glitch that caused the mishap—was still working to retrieve data from affected Sidekicks. Meanwhile, sales of the popular smart phone have seemingly been halted. (T-Mobile's Web site was this morning listing Sidekick models as "temporarily out of stock.") T-Mobile also said those whose data proved irretrievable would receive a $100 gift certificate to apply against their monthly service charges or any other T-Mobile expense.

The company has also posted tips on how at least some Sidekick owners might be able to recover some of their data, even as the T-Mobile/Microsoft data-recovery efforts continue. The tips include ways you might be able to retrieve old messages containing contacts or obtain contact information that was sent via vCards, electronic business cards that are sometimes attached to e-mails.

T-Mobile has also warned Sidekick owners not to allow their phone to lose power as Microsoft struggles to retrieve data.

October 10, 2009

A new security freebie from Microsoft

You’ve got one less excuse for leaving your computer unprotected against viruses and spyware: Microsoft recently added its new software package, Security Essentials, to the list of free antivirus tools available for download online.

We gave Security Essentials a preliminary test run on several PCs here in our labs. The program installed in less than a minute on the typical PCs we tried, appears to use relatively few system resources, and has reasonable default settings. It’s compatible with Windows XP or later.

The user interface is deceptively simple, which is a good thing. The program automatically updates itself, and performs a quick scan every Sunday night by default, though you can change that and other settings.

If you have antivirus software already, there's no need to change. If you decide to make the switch to Security Essentials, be sure to uninstall your old antivirus program first. Security Essentials disables Windows Defender if it finds it, since they duplicate anti-spyware tasks, and since running two real-time anti-spyware programs can lead to problems.

October 9, 2009

Cybersecurity: FBI warns of social networking risks

The number of hijacked social networking accounts is on the rise, according to a warning issued by the FBI this week. (For free advice on how to protect yourself online, see our Online Security Guide.)

The warning addresses one of the more popular online scams, perpetrated on sites like Facebook and Myspace: Criminals plant malicious software on a victim’s computer, hijack the victim’s social networking account, then use the account to send emergency distress messages (for example, claiming the victim is in legal or medical peril) that request money from the victim’s social network contacts.

The FBI’s announcement also describes several other online scams, such as spamming to promote phishing sites and distributing malicious software via social-networking “applications.”

One of the best ways to protect yourself against malicious software is to use an effective security software suite. Our Ratings of security software (available to subscribers) provide recommendations on which products offer the best protection.

If you’re looking for a free antivirus, be aware that Microsoft has just released its own called Microsoft Security Essentials. We haven’t tested it yet; we will be posting more details on this product in this blog very shortly.

For the rest of October, which is National Cyber Security Awareness Month, we’ll continue to post the latest news and advice about online security. —Jeff Fox

September 21, 2009

Buzzword: Malvertising

Last week, my colleague, Jeff Fox, was perusing the New York Times online when a window popped up warning him (and many others) that his computer was “at risk” and in need of immediate protection. The window looked legitimate, very similar to his own security software. But Jeff knew better. From years covering all the nasty maladies that can infect a computer, he recognized the popup as a “malvertisement.” He immediately closed his browser and, to be safe, ran a virus and spyware scan of his hard drive. Had he followed the popup’s prompt, seeking protection, he might have exposed his computer to an online attack.

So-called malvertisers have become adroit at smuggling their software into online ads, where they can entice or frighten users into following harmful links in hopes of remedying a supposed problem with their computer. The tactic NYTimes.com readers saw—a malvertisement warning them of infection—is known as “scareware,” as it hopes to snare less savvy folks than Mr. Fox. (Another coworker mentioned to me recently that his elderly father, unaware of such ploys, is notorious for clicking on malvertisements, which infect his computer.)

Perhaps in response to the attack on such a well-trafficked, reputable site as NYTimes.com, Microsoft last week filed five lawsuits against alleged malvertisers. Although the guilty individuals remain anonymous, Microsoft hopes that the suits, which are directed at several front companies (named Soft Solutions, Direct Ad, qiweroqw.com, ITmeter INC. and ote2008.info) will uncover the culprits.

To protect yourself, be vigilant. Be wary of any popup windows that look fishy, especially if they appear alarmist. When closing such a window, carefully click the “X” in the corner and not anywhere inside the window itself. Sometimes the popups make it exceedingly difficult for you to get rid of them. In those frustrating cases, it’s best to quit your entire browser.

For more on staying safe online and avoiding clever tricks like malvertising, see our free Online Security Guide. —Nick K. Mandle

September 5, 2009

Social networks: Three ways to protect your privacy

[PHOTO: Courtesy of Mirko Macari]

In a previous post, I explained how, according to a recent study [PDF], social networks like Facebook and Myspace are leaking the personal information of their users to third-party tracking sites. If you use a social network, here are some ways to protect your privacy:

  1. Carefully limit the information you post on any social network to just what’s necessary to interact with friends. Don’t list your address, phone number, birthday, or other sensitive information.

  2. Familiarize yourself with the social network’s privacy controls and use them as vigorously as necessary to restrict access to your information to just your known circle of friends. You can usually find those controls by signing in and by accessing the service’s “account settings” screen.

  3. Use your browser’s security settings to reduce your exposure to tracking sites. For example, you might configure the browser to refuse third-party cookies. The aforementioned study provides more details on ways to protect yourself via your browser, although the protection those afford isn’t foolproof.

Use our other advice on how to protect yourself online. For tips, including ways to avoid identity theft, see our free online security guide.

How much personal information do you post on the social networks you use? Is that affected by security concerns? And have you used the service’s privacy controls to block unwanted access? Tell us about your experiences in the space below. —Jeff Fox
