NEWS - April 18, 2014

[Screenshot: Certificates Revoked per Day]

The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones.

The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with some stunning numbers that give us an idea of the price of a serious bug like this one.

Yesterday CloudFlare, which provides security for web sites, completed the process of revoking and replacing all of the SSL certificates for its customers, activity that forced issuer GlobalSign to update its Certificate Revocation List.

Continued: http://www.wired.com/2014/04/cost-of-heartbleed/

"A computer Trojan injects messages into Facebook to trick users into installing Android malware, researchers from ESET said"

Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.

Security researchers from antivirus vendor ESET have identified a new variant of a computer banking Trojan called Qadars that injects rogue JavaScript code into Facebook pages when opened in a browser from an infected system. The injected code generates a message instructing users to download and install Android malware that can steal authentication codes sent to their phones via SMS.

These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.

Continued : http://www.computerworld.com/s/article/9247732/Android_trojan_app_targets_Facebook_users

@ ESET : Facebook Webinject Leads to iBanking Mobile Bot

Google Inc updated its terms of service on Monday, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads.

The revisions more explicitly spell out the manner in which Google software scans users' emails, both when messages are stored on Google's servers and when they are in transit, a controversial practice that has been at the heart of litigation.

Last month, a U.S. judge decided not to combine several lawsuits that accused Google of violating the privacy rights of hundreds of millions of email users into a single class action.

Users of Google's Gmail email service have accused the company of violating federal and state privacy and wiretapping laws by scanning their messages so it could compile secret profiles and target advertising. Google has argued that users implicitly consented to its activity, recognizing it as part of the email delivery process.

Continued : http://business.financialpost.com/2014/04/17/google-inc-gmail-scans/

Related: Google updates terms of service, includes word of user email scans

Malware peddlers have been spotted impersonating popular coffeehouse chain Starbucks in order to trick users into downloading a rootkit-equipped variant of the Zeus banking Trojan.

The attack starts with an email made to look like it was sent by the company: [Screenshot]

The criminals have used several tricks to make the potential victims believe the email is genuine and important enough to be perused immediately and the attachment downloaded and run: they included the company logo, the message was sent with the "High importance" option checked, they have offered something for free (a gift from an anonymous friend).

Still, they also made several mistakes, and discerning users will spot that the emails have not been sent from a legitimate-looking email address (Gmail and Yahoo mail accounts have been used in this particular case) and the attached "menu" is actually an executable instead of a PDF or text file.

Continued : http://www.net-security.org/malware_news.php?id=2753

"Malwarebytes Unpacked" Blog:

I was digging through some recent Steam related phish pages, and came across something I haven't seen before: a new way to steal Steam accounts while bypassing an additional security measure.

Typically a Steam phish page asks for username and password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account.

What is Steam Guard?

When logging in on a PC you haven't used before, Steam Guard will pop a window asking for a verification code which will have been sent to your email address. Without the code, you can't log in. Scammers have come up with a somewhat novel way to try and get around this security measure.

How do they do it?

A potential victim will navigate to the phish page and enter their Username and Password.

At this point, they'll be greeted with the following pop-up box: [Screenshot]

Continued : http://blog.malwarebytes.org/fraud-scam/2014/04/phishers-bypass-steam-guard-protection/

Related:
Cybercriminals Can Hijack Steam Accounts with Steam Guard Enabled
Beware of clever phishing scam that bypasses Steam Guard

TrendLabs Security Intelligence Blog:

Facebook users are once again the target of a malicious scheme—this time in the form of a notification about "Facebook Chat".

The spammed notification pretends to come from the "official Facebook Chat Team." A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement. [Screenshot

The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).

Continued: http://blog.trendmicro.com/trendlabs-security-intelligence/fake-facebook-chat-verification-used-for-spam/

A targeted attack against an unnamed organization exploited the Heartbleed OpenSSL vulnerability to hijack web sessions conducted over a virtual private network connection.

Incident response and forensics firm Mandiant shared some details on a recent investigation of an incident that began April 8, one day after Heartbleed was publicly disclosed. Mandiant said the attackers exploited the security vulnerability in OpenSSL running in the client's SSL VPN concentrator to remotely access active sessions.

This is just the latest in an escalating series of attacks leveraging Heartbleed, which is a problem in OpenSSL's heartbeat functionality, which if enabled, returns 64KB of memory in plaintext to any client or server requesting a connection. Already, there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough information to successfully reproduce a private SSL key.

Continued : http://threatpost.com/targeted-attack-uses-heartbleed-to-hijack-vpn-sessions/105567

Related: Heartbleed maliciously exploited to hack network with multifactor authentication

"The free Nomorobo service and AT&T's Privacy Manager help reduce the number of nuisance calls that aren't blocked by the Do Not Call registry."

Sometimes it seems I should be answering my phone by asking, "What are you selling?" Even though our home and mobile numbers were added to the Federal Trade Commission's Do Not Call Registry as soon as we received them, the unsolicited nuisance calls persist.

That's because the government's registry blocks only telemarketers -- and not all of them. While most honest telemarketing firms honor people's wishes not to receive such calls, many ignore the requirement not to contact numbers on the list, as David Lazarus of the Los Angeles Times reported last July.

Also, the Do Not Call restrictions don't apply to charities, poll takers, and political groups. In addition, any company with whom you've done business is allowed to call you as long as 18 months after your last purchase, delivery, or payment, as the FTC's Do Not Call FAQ for Business indicates.

Continued : http://www.cnet.com/how-to/screen-unwanted-calls-without-one-at-a-time-blocking/