NEWS - September 18, 2012

Virgin Mobile U.S. promises its customers that it uses "standard industry practices" to protect its customers' personal data - but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber's account, see who they call and text, register a different phone on the account and even purchase a new iPhone.

That's according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer's phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password — which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.

Once an unauthorized user is in, they can change read a customer's communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without notification to the previous address.

Continued : http://www.wired.com/threatlevel/2012/09/virgin-mobile/

Also: Virgin Mobile USA user accounts vulnerable to brute-force attack

The Grum botnet, which Dutch authorities and security researchers knocked offline earlier this summer, made a second, unsuccessful attempt at a comeback over the weekend when the bot herders stood up two new command-and-control servers in Turkey. The revival was short-lived however, and both C&Cs now are offline.

Grum at one time was one of the larger spam botnets on the Web, accounting for a huge percentage of worldwide spam during its heyday. As most large, noisy botnets do, Grum attracted the attention of security researchers and law enforcement. In June, authorities in the Netherlands, in a joint operation with security researchers from FireEye, located and disabled four Grum C&C servers being hosted in that country. There were two other C&Cs in use by the botnet at the time, one in Russia and the other in Panama.

Those servers were taken offline a few days after the initial Grum takedown, and all seemed right with the world. However, within a week, the bot herders were able to bring up a new set of C&C servers in Ukraine. Those were quickly taken down, as well, after researchers discussed the issue with the ISP that was providing hosting services. Strike two.

Now, the bot herders have swung and missed a third time, in this instance barely getting the servers up and running before they were yanked offline.

Continued : https://threatpost.com/en_us/blogs/grum-botnet-attempts-another-comeback-fails-again-091812

Imagine you are at work. You are rattling through your email. And in your inbox, sitting quietly, is a message with the word "sexy" in the title...

Do you open it? (probably not, as you wouldn't likely be a reader of Naked Security)

But what about others in your organisation? Do you think they might be tempted?

More than 6100 government workers in Taiwan's New Taipei faced this exact scenario. According to Time.com, they each received an email message with the following subject line:

"Justin Lee's sex videos, download it, quick"

For those, like me, who aren't aware, Justin Lee is hailed by many as one of Taiwan's richest playboys.

He has recently been in the press for leaked videos and photos of him engaged in "private" activities with models and celebrities.

A quick search on Google for the phrase "Justin Lee Taiwan" finds a myriad of images: [Screenshot]

Continued : http://nakedsecurity.sophos.com/2012/09/18/would-you-open-a-sexy-email-sitting-in-your-business-inbox/

Fake PayPal notifications about a bogus refund are hitting inboxes around the world, trying to trick users into following the offered link and supposedly log into their accounts in order to receive it: [Screenshot]

Unfortunately for those who fall for the ruse, the link will take them to a page that looks like PayPal's login page, but is actually a fake one mimicking PayPal's, and all the information submitted into it gets forwarded directly to the phishers behind this scheme, who can then use it to hijack the victim's PayPal and probably even gain entrance to other online accounts.

"PayPal is a favorite target of phishers, probably because PayPal does conduct so much of its business via email," points out Hoax-Slayer.

Continued : http://www.net-security.org/secworld.php?id=13615

Also: Phishing Scam: PayPal Apologizes for Mistake Caused by System Errors