social engineering

Journalist blames Apple tech for allowing iCloud hack

Former Gizmodo reporter Mat Honan is blaming an AppleCare technician for allowing his personal e-mail and Twitter accounts to be hacked, as well as the tech blog's official feed.

The Gizmodo breach, apparently perpetrated by a person or group of people calling themselves Clan W3, was brief but resulted in racist and offensive tweets being sent to the tech blog's 415,000 followers on Friday. Gizmodo initially blamed its former reporter for the tweets and quickly regained control of its account.

But Honan, who currently works for Wired, was not so fortunate. He described in a blog post …

The 404 957: Where the world's gone sour (podcast)

Leaked from 404 Podcast 957:

A researcher shows how to "friend" anyone on Facebook within 24 hours. Online casino gaming might come to Facebook users in the U.K. Siri on the Apple iPhone 4S tells you where to dump a dead body and where to score condoms, but has no clue about women's health clinics. Capcom seriously announces a Sour Patch Kids game with Method Man. GamePro magazine will quit publishing. …

Security researcher finds 'cookiejacking' risk in IE

A security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.

Referring to the exploit as "cookiejacking," Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.

Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledges that to exploit the hole, the hacker must employ a bit of social engineering because the …

Antivirus isn't dead--it's growing up

We've been hearing it for years: antivirus software is dead. But is it really? If so, it seems to have more lives than Richard Nixon.

Rather than being the industry's swan song, mobile devices could be its redemption opportunity.

The antivirus industry is in a major transition: the threats have evolved from the viruses and worms that exploited holes in Windows and plagued computers in the 1990s to today's exploits, which target vulnerabilities in Web applications and the gullibility of end users.

Many consumers fork over at least $40 for Norton AntiVirus or something similar, many more …

Social Engineering 101 (Q&A)

One of the more interesting events at this year's Defcon hacker conference in Las Vegas late last month was a social-engineering contest that targeted big companies like Microsoft, Google, and Apple. Participants pretending to be headhunters and survey takers were able to trick employees at the companies into giving out information over the phone that, if it landed in the wrong hands, could be used to sneak malware onto machines at the company or otherwise gain access to the company's data.

The contest proved a number of things: that it is easy for strangers to get potentially sensitive …

For Kevin Mitnick, staying legal is job No. 1

Kevin Mitnick was eager to participate in a social-engineering contest at the Defcon hacker conference in Las Vegas last weekend and was told he would target Microsoft in the event.

He figured it would be fun to show off his schmoozing skills, which he so easily used to trick employees at tech companies in the 1990s into handing over passwords and other sensitive information, ultimately landing him in jail.

But when he called his attorney to run it past him, the response was "Are you crazy?!"

Mitnick's lawyer, who declined to be interviewed, advised his most famous …

Contest finds workers at big firms handing data to hackers

LAS VEGAS--Hackers competing in a social engineering contest at the Defcon conference here on Friday were able to trick random employees at 10 major U.S. tech, oil, and retail companies into giving them sensitive information over the phone that could be used in targeted computer attacks on the companies.

"Every single company, if it was a security audit, would have failed," Christopher Hadnagy, operations manager for Offensive Security, a training and penetration testing company, told CNET after the first day of the contest, which wraps up Saturday and targets BP, Shell, Google, Procter & Gamble, Microsoft, Apple, …

Facebook attack tricks users into 'liking' malicious links

Another clickjacking scam has hit Facebook, tricking hundreds of thousands of users into posting messages to their pages saying that they like the malicious link, security firm Sophos said on Tuesday.

Like most of these scams, this one relies on social engineering and piques the interest of prospective victims with messages like:

• "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

• "This man takes a picture of himself EVERYDAY for 8 YEARS!!"

• "The Prom Dress That Got This Girl Suspended From School."

• "This Girl Has An Interesting Way Of …

Fake CNN site from phishing e-mail hides a Trojan

A new e-mail that is circulating looks like it comes from CNN and links to a fake CNN Web page offering "graphic" video related to the Israel-Hamas conflict but instead hosts a Trojan that steals sensitive data, RSA said on Thursday.

When someone clicks on the video link on the fake CNN site, an error message pops up urging the visitor to download the latest version of Adobe Flash Player. Clicking on the download link installs an "SSL stealer" Trojan that captures financial and other sensitive information, RSA said in a blog post.

The Trojan looks for …

Worm uses familiar brands to lure people

On Tuesday security vendor Websense issued an alert warning that holiday coupon e-mails from familiar companies may be malicious code in disguise, in this case a mass-mailing e-mail worm.

The warning cites one spoofed McDonald's e-mail that claims to present the company's latest discount menu and asks the recipient to print out the attached coupon. A similar mailing pretending to be from Coca-Cola asks recipients to print out details about its new online game, and also offers recipients a chance to win Coca-Cola drinks for life. Websense says the attached zip file contains files named either coupon.exe or promotion.…