NEWS - April 05, 2010

Whole Foods working to curb Facebook-based scam

Upscale grocery conglomerate Whole Foods Market said Friday that it is continuing to clamp down on a series of Facebook-based scams that entice users with a purported $500 gift card from the Austin, Texas-based supermarket chain.

The scam has been spreading virally through Facebook via "fan pages" with names like "Whole Foods Market Free $500 Gift Card Limited - first 12,000 fans only" and "Whole Foods FREE $500 Gift Card! Only Available for 36 hours!" The fan page asks Facebook users to add it as a fan, thus pushing awareness of the page through those users' Facebook networks, and then asks them to fill out a credit assessment and other forms that request personal information. The scam then uses a form of malware to crash users' computers and the information they have entered is left vulnerable.

Also See: Facebook users warned of Whole Foods gift card scam

New version of Foxit closes executable security hole

Responding to the exploit developed by PDF security specialist Didier Stevens, Foxit has closed the pertinent security hole with the new version of Foxit Reader. Stevens' code, which is only available as a demo (direct download) version, exploits the ability of PDF readers to trigger the execution of non-PDF code, as described in the PDF specification. In previous versions of Foxit Reader, this process was started without giving users any warning.

iPad jailbreaking meets Dr. Who and Inspector Gadget

From the ESET Threat Blog:

Barely two days after the iPad hit the Apple retail shelves, the first stories about iPad jailbreaking have appeared.

I commented over at Mac Virus that:

"...even in the absence of known issues like those I blogged about ad nauseam in another blog, a viable iPad jailbreak does open up similar possibilities for the promotion of malicious apps. I guess we'll see whether the bad guys see iPad users as a fat enough target once the market (and the exploits) have had time to mature"

Minutes after I posted that, Aryeh flagged a site that is offering to give away 25 iPads a week. Since I can't seem to get past the "free survey" popup, I'm not sure if this is extreme adware, a gimme-your-data scam, or an attempt to distribute malware, but I'm guessing that not many respondents will ever see a free iPad.

This is probably a good time to point out that (irrespective of how imminent iPad-specific threats may or may not be), a sexy new gadget gives lots of opportunities for scams and threatware that use it to pique the interest of potential victims.

Spotting the scams

From SophosLabs Blog:

Earlier on today I came across an advert (within a Twitpic page) enticing users to click through to a web site in order to enter a competition to win an Apple iPhone. [...]

Clicking on the ad takes you to a simple "spot the difference" quiz on the competition web site. [...]

Clearly not too challenging a quiz. And very forgiving - if incorrect, the user is simply prompted for the right answer. [...]

Anyway, back to the point. Is this a scam? In this particular case, no, I do not believe so. The competition appears to be legitimate, and is hosted by a known company with something of a history in this area.

However, for every legitimate competition out there, there will be numerous others with more sinister data-gathering motives. And it is virtually impossible for typical users to distinguish between them (providing a subtle touch of irony given the "Spot the Difference" competition theme). The fact that a site looks professional with slick graphics means absolutely nothing.

Affiliate Programs Rising Cause of Fraud and Abuse

From the Threat Center Live Blog:

What happens when you offer up money to anyone who can drive traffic to your website? Hackers, scammers, spammers and fraudsters come to your aid. That's the case with online movie site, which offers 30% of each sale and 5% of rebills paid via anonymous means to anyone who refers paying customers to the site. And is just one of many.

In general, it works like this: a person signs up as an affiliate and is given a code. If someone goes to the website with the proper code embedded in the URL, then a cookie is set and if that person later buys something on the site, the affiliate gets a piece of the transaction. Outside of the shadows this means others are encouraged to set up ads or to refer friends to the site. But on bigger scales, this can be big money, so the established cyber criminal community gets in on the action - not always by breaking the law, but certainly using shady means to drive customers to these websites.

Virus Scanners for Virus Authors

From Krebs On Security:

The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.

While there are free services like VirusTotal and Jotti that will let visitors upload a suspicious file and scan it against dozens of commercial anti-virus tools, the reports produced by the scans are shared with all of the participating anti-virus makers so that those vendors can incorporate detection for newly discovered malware into their products. While virus writers probably would love to use such services to fine-tune the stealth of their malware, they may not want their unique malware samples broadly shared among the anti-virus community before the malware has even had a chance to infect PCs.

Google rolls out privacy reset for Buzz social network

Google has said that it will begin to roll out a privacy reset for its controversial social network Buzz.

The search giant will ask all its users to confirm or change their privacy settings, starting on 5 April.

The firm was forced to make a series of changes to Buzz just days after launch, following a backlash from users worried about privacy intrusions.

Last month, US Congress members urged regulators to investigate the service and the private information it exposed.

The latest tweaks will also show every aspect of a user's profile, from public settings to the websites users are connected to, and who they are following or being followed by.

Ruling suggests limits on employer access to personal e-mail

"There can be a legitimate expectation of privacy, New Jersey judge rules"

Can employers read an employee's personal e-mail composed and sent via a corporate computer, and does the employer own that e-mail? Especially if it's an e-mail to a lawyer, which raises special questions of client-attorney privilege that invoke confidentiality?

There's often the assumption that all e-mail that employees write on company computers is under the ownership of the company, which when storing it can read it at any time, and companies typically spell out what they consider their rights in a formal corporate policy. But in a legal case that came to it under appeal, the New Jersey Supreme Court last week decided an employee should have had an expectation of e-mail privacy and confidentiality because she used a personal Webmail account, in this case Yahoo, not the corporate e-mail system.
