Phishing

Phishers are posing as Facebook security on chat

Scammers are posing as Facebook security in chat sessions to try to trick people into providing their credit card information, Kaspersky Lab warned today.

"This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing Web site. It will reuse the stolen information and login to the compromised account and change both profile picture and name," writes David Jacoby, a Kaspersky Lab Expert, in a blog post.

"The profile picture will be changed to the Facebook logo and the name will be translated to 'Facebook Security'," …

Americans more susceptible to online scams than believed, study finds

Last May, long before the iPhone 4S was released, a bunch of Facebook users got tricked into spreading spam by clicking on a link attached to this headline: "First Exposure: Apple iPhone 5."

People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question--what does it take to lure …

Yahoo awarded $610 million from lottery spammers

A judge has awarded Yahoo $610 million in a lawsuit against spammers who sent e-mails to people falsely telling them they had won a lottery prize from Yahoo.

The federal district court judge in New York ordered defendants, whom Yahoo did not identify, on Monday to pay Yahoo $27 million for trademark infringement, $583 million for violating the Can-Spam Act, and an unreleased sum for attorney's fees.

Yahoo filed the lawsuit in 2008, alleging that spammers were using the fake lottery e-mails to defraud people. The messages were designed to trick recipients into providing their bank and other information …

Google, Microsoft, Yahoo, AOL join Agari anti-phishing service

The major Web-based e-mail providers are joining forces with an anti-fraud startup, which is launching tomorrow, to help keep phishing messages out of people's inboxes.

Google, Microsoft, Yahoo, and AOL are providing metadata from messages that get delivered to their customers to Palo Alto, Calif.-based Agari so it can be used to look for patterns that indicate phishing attacks. Agari collects data from about 1.5 billion messages a day and analyzes them in a cloud-based infrastructure, according to Agari CEO Patrick Peterson.

The company aggregates and analyzes the data and provides it to about 50 e-commerce, financial services …

Facebook stops 600,000 suspicious log-ins a day

Facebook released an infographic blog post yesterday that says about 600,000 log-ins per day are compromised. That's given some the false impression that there are that many accounts compromised every day.

I asked Facebook to elaborate and was provided with this statement:

While Facebook does block (approximately) 600,000 log-ins per day, it is not that these Facebook accounts are compromised on Facebook, and certainly not that they're 'hacked' as some have written. There may be compromised accounts that appear on Facebook, but more often than not they are compromised off of Facebook--they use the same password …

Facebook account hijacked? Get a little help from your friends

Facebook is set to announce new security features today that will let people set passwords for third-party apps and get help from friends when they can't get into their account.

When hackers hijack accounts, the first thing they typically do is change passwords so legitimate account holders can't get back in. Instead of going through the rigamarole of verifying that you are the legitimate account owner, Facebook will now let friends vouch for you.

The new Trusted Friends feature, which, like App Passwords, will be available for "testing" in coming weeks, lets you select three to five …

Phony Netflix Android app steals account data

It looks like a legitimate Netflix app, but it's not. There's an Android app circulating that looks very much like the real Netflix mobile app, but it's actually a Trojan that steals account information.

The fake app, which was found on an online user forum, sends the user's log-in information to a remote server and displays a message saying there is an incompatibility issue with the hardware and then attempts to uninstall itself, according to a Symantec blog post.

The server that was receiving the stolen log-in data appeared to be offline today, Symantec said.

With …

Facebook adds Websense safe browsing to its defenses

Facebook is adding a Websense Web link blacklist service to its arsenal of defenses designed to protect users from clicking on links that lead to sites hosting malware.

The social-networking site will be using Websense ThreatSeeker Cloud service, which warns people when they click on a link on Facebook that could be malicious, the companies announced today. Facebook will start rolling out the service today.

The partnership follows one that Facebook announced in May with the free Web of Trust safe surfing service. Facebook also has its own blacklist. The larger the pool of blacklists the better the chances users …

Android could allow mobile ad or phishing pop-ups

LAS VEGAS--Researchers have discovered what they say is a design flaw in Android that could be used by criminals to steal data via phishing or by advertisers to bring annoying pop-up ads to phones.

Developers can create apps that appear to be innocuous but which can display a fake bank app log-in page, for instance, when the user is using the legitimate bank app, Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, said ahead of his presentation on the research at the DefCon hacker conference today.

Currently, apps that want to communicate with the user while a …

Phishing attack nets Tumblr logins

For the past few days users of microblogging site Tumblr have been targeted with phishing scams that require people to type in their login credentials to see adult content, GFI Labs warned today.

"The data we saw contained 8,200 lines of text stretched across 304 pages of Microsoft Word, and even accounting for the inevitable duplicates and fake data that's still quite the goldmine of pilfered login credentials," the post says.

The attack displays pages of Tumblr users whose accounts have been compromised and converted into fake login pages and the Web addresses are redistributed, the …