Heartbleed Bug Sends Bandwidth Costs Skyrocketing
[Screenshot: Certificates Revoked per Day]
The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones.
The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with some stunning numbers that give us an idea of the price of a serious bug like this one.
Yesterday CloudFlare, which provides security for web sites, completed the process of revoking and replacing all of the SSL certificates for its customers, activity that forced issuer GlobalSign to update its Certificate Revocation List.
Android trojan app targets Facebook users
"A computer Trojan injects messages into Facebook to trick users into installing Android malware, researchers from ESET said"
Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.
These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.
Continued: http://www.computerworld.com/s/article/9247732/Android_trojan_app_targets_Facebook_users
ESET: Facebook Webinject Leads to iBanking Mobile Bot
Google to Gmail users: We scan all of your emails
Google Inc updated its terms of service on Monday, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads.
The revisions more explicitly spell out the manner in which Google software scans users' emails, both when messages are stored on Google's servers and when they are in transit, a controversial practice that has been at the heart of litigation.
Last month, a U.S. judge decided not to combine several lawsuits that accused Google of violating the privacy rights of hundreds of millions of email users into a single class action.
Users of Google's Gmail email service have accused the company of violating federal and state privacy and wiretapping laws by scanning their messages so it could compile secret profiles and target advertising. Google has argued that users implicitly consented to its activity, recognizing it as part of the email delivery process.
Continued: http://business.financialpost.com/2014/04/17/google-inc-gmail-scans/
Related: Google updates terms of service, includes word of user email scans
Zeus/rootkit combo delivered via Starbucks-themed emails
Malware peddlers have been spotted impersonating popular coffeehouse chain Starbucks in order to trick users into downloading a rootkit-equipped variant of the Zeus banking Trojan.
The attack starts with an email made to look like it was sent by the company: [Screenshot]
The criminals have used several tricks to make the potential victims believe the email is genuine and important enough to be perused immediately and the attachment downloaded and run: they included the company logo, the message was sent with the "High importance" option checked, they have offered something for free (a gift from an anonymous friend).
Still, they also made several mistakes, and discerning users will spot that the emails have not been sent from a legitimate-looking email address (Gmail and Yahoo mail accounts have been used in this particular case) and the attached "menu" is actually an executable instead of a PDF or text file.
Continued: http://www.net-security.org/malware_news.php?id=2753
Trend Micro releases free Heartbleed scanners for Android, Chrome
Trend Micro has announced the availability of two free scanners for the Heartbleed bug, meant for Google Chrome and Android. The first, a browser add-on, allows users to enter and check any specific URL.
The second, an Android app, is a little more advanced. It checks whether your device or apps are directly affected by the bug, or whether any installed apps access a cloud service which is still vulnerable.
If there are any problems, you'll be informed. Highlighting any affected app displays more details, including the name of the vulnerable server.
If you don't plan on using the app for a while then you can wait, and scan again later. But there's also an Uninstall button to remove it right away.
Continued: http://betanews.com/2014/04/18/trend-micro-releases-free-heartbleed-scanners-for-android-chrome/
Fake Facebook Chat Verification Used for Spam
TrendLabs Security Intelligence Blog:
Facebook users are once again the target of a malicious scheme—this time in the form of a notification about "Facebook Chat".
The spammed notification pretends to come from the "official Facebook Chat Team." A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement. [Screenshot]
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differs depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).
Screen unwanted calls without one-at-a-time blocking
"The free Nomorobo service and AT&T's Privacy Manager help reduce the number of nuisance calls that aren't blocked by the Do Not Call registry."
Sometimes it seems I should be answering my phone by asking, "What are you selling?" Even though our home and mobile numbers were added to the Federal Trade Commission's Do Not Call Registry as soon as we received them, the unsolicited nuisance calls persist.
That's because the government's registry blocks only telemarketers -- and not all of them. While most honest telemarketing firms honor people's wishes not to receive such calls, many ignore the requirement not to contact numbers on the list, as David Lazarus of the Los Angeles Times reported last July.
Also, the Do Not Call restrictions don't apply to charities, poll takers, and political groups. In addition, any company with whom you've done business is allowed to call you as long as 18 months after your last purchase, delivery, or payment, as the FTC's Do Not Call FAQ for Business indicates.
Continued: http://www.cnet.com/how-to/screen-unwanted-calls-without-one-at-a-time-blocking/
Scam Easter Basket Packed with Fake Vouchers, Viagra and Religious Fraud
Bitdefender's "HOT for Security" Blog:
Cyber-criminals are hiding dangerous goodies among the Easter eggs and chocolate bunnies that users are hoping for, warns antivirus software provider Bitdefender.
The increasing wave of dangerous spam hitting the US, the UK and other countries these days invades users' inboxes with offers for fake vouchers, personal loans, replica watches and dubious candy surveys. Personalized Easter baskets, bunnies, and gifts are also packed with dangerous fraudulent links. [Screenshot]
Fake Viagra shops and religious scams are also included in this year's Easter scam basket. Users are invited to discover God's plan for their life in one moment and are tempted with holiday Viagra offers the next.
Continued: http://www.hotforsecurity.com/blog/scam-easter-basket-packed-with-fake-vouchers-viagra-and-religious-fraud-2-8427.html
Related: Dangerous spam targets Brits with fake Easter offers