Phishing Your Employees 101
A new open source toolkit makes it ridiculously simple to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks.
The Simple Phishing Toolkit includes a site scraper that can clone any Web page — such as a corporate Intranet or Webmail login page — with a single click, and ships with an easy-to-use phishing lure creator.
An education package is bundled with the toolkit that allows administrators to record various metrics about how recipients respond, such as whether a link was clicked, the date and time the link was followed, and the user's Internet address, browser and operating system. Lists of targets to receive the phishing lure can be loaded into the toolkit via a spreadsheet file.
The makers of the software, two longtime system administrators who asked to be identified only by their first names so as not to jeopardize their day jobs, say they created it to help companies educate employees about the dangers of phishing scams. [Screenshot]
"The whole concept with this project started out with the discussion of, 'Hey, wouldn't it be great if we could phish ourselves in a safe manner?'" said Will, one of the toolkit's co-developers. "It seems like in every organization there is always a short list of people we know are phishable, who keep falling for the same thing every six to eight weeks, and some of this stuff is pretty lame."
Continued : http://krebsonsecurity.com/2012/01/phishing-your-employees-101/
Web Gang Operating in the Open
Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks — and pocketing several million dollars from online schemes — are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers.
The men live comfortable lives in St. Petersburg — and have frolicked on luxury vacations in places like Monte Carlo, Bali and, earlier this month, Turkey, according to photographs posted on social network sites — even though their identities have been known for years to Facebook, computer security investigators and law enforcement officials.
One member of the group, which is popularly known as the Koobface gang, has regularly broadcast the coordinates of its offices by checking in on Foursquare, a location-based social network, and posting the news to Twitter. Photographs on Foursquare also show other suspected members of the group working on Macs in a loftlike room that looks like offices used by tech start-ups in cities around the world.
Beginning in July 2008, the Koobface gang aimed at Web users with invitations to watch a funny or sexy video. Those curious enough to click the link got a message to update their computer's Flash software, which begins the download of the Koobface malware. Victims' computers are drafted into a "botnet," or network of infected PCs, and are sent official-looking advertisements of fake antivirus software and their Web searches are also hijacked and the clicks delivered to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers.
Continued : http://www.nytimes.com/2012/01/17/technology/koobface-gang-uses-facebook-to-spread-powerful-worm.html?_r=1
Exclusive: How 5 members of Koobface gang were unmasked
"Exclusive: How five members of the Koobface malware gang were unmasked"
According to the New York Times, Facebook is making public the names of the people it believes are responsible for the Koobface worm: a botnet which has helped its creators earn millions of dollars every year by compromising computers. [Screenshot]
The five men are named as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk, and Stanislav Avdeiko, and are said to be involved in the Koobface malware gang, which has blighted millions of computer users.
Naked Security has great pleasure in being able to tell the in-depth story of how these individuals were identified as part of the Koobface gang, in a detailed investigation conducted by independent researcher Jan Drömer and Dirk Kollberg of SophosLabs between early October 2009 and February 2010.
Read: The Koobface malware gang - exposed!
(Not familiar with Koobface? Here's some background information you may find handy to read first.)
The names uncovered by the researchers are the same as those announced today.
It's an incredible detective story of tireless investigation, which involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family.
Continued : http://nakedsecurity.sophos.com/2012/01/17/how-koobface-malware-gang-unmasked/
Stop Online Piracy Act dead in the water, claims opponent
Controversial online copyright enforcement bill the Stop Online Piracy Act may be stalled in the US House of Representatives as lawmakers try to iron out a compromise, an opponent of the legislation said.
Representative Darrell Issa said he's been assured by House Majority Leader Eric Cantor that SOPA will not move forward unless consensus is reached.
"Majority Leader Cantor has assured me that we will continue to work to address outstanding concerns and work to build consensus prior to any anti-piracy legislation coming before the House for a vote," Issa said. "The voice of the Internet community has been heard. Much more education for Members of Congress about the workings of the Internet is essential if anti-piracy legislation is to be workable and achieve broad appeal."
A spokeswoman for Cantor declined to comment. A spokeswoman for Representative Lamar Smith, chief sponsor of SOPA, said she does not believe Cantor has made a public comment about delaying SOPA.
Continued : http://news.techworld.com/security/3330471/stop-online-piracy-act-dead-in-water-claims-opponent/
Optical transaction signing device limits ebanking fraud
SafeNet announced the eToken 3500, an electronic signing and strong authentication token-based device that will enable financial services organizations to achieve risk mitigation and usability when securing ebanking applications.
The device uses an optical sensor to read financial transaction data from a Web browser, generating a unique electronic signature that validates each transaction, reducing threats such as Man-in-the-Browser (MitB) and Man-in-the-Middle (MitM), in which hackers hijack legitimate user identities during a transaction and redirect funds.
Additionally, the optical features of the device scan the transaction data automatically, eliminating the need for manual input, which simplifies the electronic signing process for the user while reducing errors.
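The defensive idea behind a transaction signing token is that the signature is bound to the exact transaction the customer saw, so a man-in-the-browser that alters the beneficiary or amount after signing produces a transaction the bank cannot verify. The following is an added illustration of that principle and not SafeNet's or the eToken 3500's actual algorithm; the HMAC construction, the device key, the field names and the sample transaction are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample value standing in for a secret provisioned to one
# customer's signing device (hypothetical, not a real key).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical(tx: dict) -> bytes:
    """Serialise the fields the device displays to the user in a fixed order.

    Both sides must agree on this encoding, otherwise an honest transaction
    would fail verification. The nonce makes each signature single-use."""
    fields = ("account", "beneficiary", "amount", "currency", "nonce")
    payload = {k: tx[k] for k in fields}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def device_sign(tx: dict, key: bytes = DEVICE_KEY) -> str:
    """What the token would compute after scanning the transaction details."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def bank_verify(tx: dict, signature: str, key: bytes = DEVICE_KEY) -> bool:
    """Bank-side check: the signature must match the transaction actually
    received from the browser, not the one the customer thought they sent."""
    expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, signature)


def demo() -> Tuple[bool, bool]:
    """Returns (verification of the shown transaction, verification of a
    transaction whose beneficiary was rewritten after signing)."""
    shown = {
        "account": "DE00 0000 0001",      # constructed sample accounts
        "beneficiary": "DE00 0000 0002",
        "amount": "100.00",
        "currency": "EUR",
        "nonce": "7f3a9c",                 # issued by the bank per session
    }
    sig = device_sign(shown)

    # Simulated man-in-the-browser: the submitted transaction no longer
    # matches what the customer saw and signed.
    tampered = dict(shown, beneficiary="DE00 0000 0099")

    return bank_verify(shown, sig), bank_verify(tampered, sig)


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is that the security comes from what is covered by the signature: a code that depends only on the login session, or only on the amount, would still verify after the beneficiary is swapped. Any real deployment also needs the key to stay inside the token and the nonce to be checked for reuse on the bank side.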
Financial institutions have to manage heavy volumes of high-risk transactions on a daily basis. The rising tide of cyber threats, as well as increased regulatory pressures, has necessitated a new approach to online transaction protection. Additional validation, to ensure that each transaction is authorized by a legitimate customer, can contribute significantly to reducing online banking fraud.
Continued : http://www.net-security.org/secworld.php?id=12223
WhatsApp Demands Money from Customers Who Don't Spam, Hoax
The latest scam post that circulates on social networking websites claims that WhatsApp Messenger's providers are planning to set a fee for using their app, urging readers to send messages to friends in order to become a so-called "frequent user."
"Hallo everybody. WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with.
"To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo should turn Red to indicate a frequent user," reads the hoax provided by Hoax Slayer.
A number of versions are hitting social media sites, all of them falsely reporting that the cross-platform mobile messaging app will no longer be free of charge.
These types of hoax messages aren't doing anyone any good and users can be certain that they're not helping if they spam their friends.
WhatsApp's developers learned of the scam and issued an official warning on the company's blog to make sure their customers don't fall for the spammy campaign.
Continued : http://news.softpedia.com/news/WhatsApp-Demands-Money-from-Customers-Who-Don-t-Spam-Hoax-246727.shtml
The Zappos Breach and Textual Password Based Authentication
From the Kaspersky Labs Weblog:
Following their major database breach, Zappos leadership is doing the right thing by what seems to be quickly and clearly communicating what data was accessed and what was not - there are no unexplained delays or confusion on their part about the event. It's like another Aurora moment in my book, when Google extraordinarily opened up about their breach while the other 30-odd Aurora-breached major corporations did the opposite, aggressively maintaining NDAs to hide their Aurora incidents and hide their heads in the sand. Zappos reset 24 million customers' passwords and emailed all of them about the problem last night. [Screenshot]
Zappos also sent all 24 million users a concise email explaining "We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password," while "THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED." All of this has been discussed and should be standard, timely stuff for notifications. But there remain a couple interesting points.
Continued : http://www.securelist.com/en/blog/208193346/The_Zappos_Breach_and_Textual_Password_Based_Authentication
Related: Zappos Latest Company Hit by Data Breach
Fake Browser Plug-in—A New Vehicle for Scammers
Symantec Security Response Blog:
Facebook scams have become a common propagation vector for scammers to earn commissions. But once in a while, something interesting happens that makes security researchers sit up and take notice. One such case is a scam that is currently fooling victims into downloading a fake browser plug-in. The scenario is very simple: the victim is lured into watching some video; but instead of asking the victim to share/like the video (which we have seen in many scams), the scammers present the victim with a fake plug-in download image, which is required to see the video. One such case is described below. [Screenshot]
The fake screen is nothing but an image that has been loaded from another site through an iframe. The iframe that loads the fake contents can be seen below: [Screenshot]
Upon visiting the iframe-loaded site we are presented with the following image: [Screenshot]
Once the victim clicks on the image, the User-Agent info is retrieved and accordingly, the fake plug-in is downloaded. Currently only Mozilla Firefox and Google Chrome plug-ins are being used. Below is the script that is responsible for retrieving the plug-in: [Screenshot]
Continued : http://www.symantec.com/connect/blogs/fake-browser-plug-new-vehicle-scammers
Olympics volunteers urged not to blab online
Volunteers at this year's Olympics should not "get involved in detailed discussion about the games online", according to guidelines issued by organisers, a report says.
A spokesman for the London Organising Committee (LOCOG) told Out-Law.com that the volunteers, known as 'Games Makers', would be advised to go through official channels before commenting in the media, though they would not be forced to do so.
The spokesman rejected claims that the organisation had banned volunteers from making unapproved comments. He said LOCOG had issued the volunteers with "guidelines" about their interaction with the media and their use of social media during the Games, with the intention of preventing those inexperienced in media handling from being "tricked".
The guidelines include a "what to do and what not to do" section, according to a report by the BBC. Volunteers are told "not to disclose their location; not to post a picture or video of LOCOG backstage areas closed to the public; not to disclose breaking news about an athlete; not to tell their social network about a visiting VIP, eg an athlete, celebrity or dignitary; not to get involved in detailed discussion about the Games online," the report said. The volunteers are allowed to 'retweet' official London 2012 messages, it said.
Continued : http://www.theregister.co.uk/2012/01/17/olympics_guidelines/
Also: Olympics 'Games Makers' Advised Not to Give Details Online