Monthly Archive for January, 2009

Payment Processor Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today. If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported. Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments. Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Baldwin said it would be unfair to mention any one of his company's customers. "No merchant of ours represents even [one-tenth

Move Over, Client #9

A popular Web site that helps connect young women with so-called "Sugar Daddies" has fixed a major security hole that -- apparently since its inception two years ago -- allowed anyone with a Web browser to view the private negotiations between site members. This discovery highlights the potential privacy pitfalls of placing too much personal information online, and fully trusting social networking sites. Most online communities, such as Facebook, provide residents a way to keep their public and private online personas separate. In many cases, when a breach between those two worlds occurs, it's because the user misconfigured or misunderstood their privacy settings, as I've documented with users of Google's Calendar service. But when the social networking community itself is responsible for the misconfiguration, the results could be disastrous and long-lasting. Seekingarrangement.com, an adult social networking site that boasts some 300,000 registered users, contained a weakness that allowed anyone to

Tricky Windows Worm Wallops Millions

A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn. Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software. The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone. If accurate, those are fairly staggering numbers for a worm that first surfaced in

Microsoft Plugs Three Windows Security Holes

Microsoft today issued a critical software update to plug at least three security holes in its Windows operating systems. The patch, which applies to all supported versions of Windows, is available from the Microsoft Update Web site, or via Automatic Updates. All three security vulnerabilities relate to a weakness in the "Server Message Block" (SMB) protocol, a component of Windows used to provide shared access to files, printers, and other communications over a network. Blueprints showing would-be attackers how to exploit one of the flaws were posted online back in October; Microsoft said the other two vulnerabilities were privately reported. SMB threats can generally be stopped by a decent firewall, as they rely on the attacker or malicious software having direct access to a network hosting vulnerable systems. However, businesses typically test patches before deploying them to make sure they don't interfere with custom software, and in the meantime infected

Meet the New Bots: Will We Get Fooled Again?

The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets -- massive groups of hacked PCs used for spamming -- have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come.

* In September, the shuttering of Northern California-based host Atrivo/Intercage was the final nail in the coffin for the Storm worm, widely considered one of the most ingenious spam botnets ever created.

* In November, the unplugging of Silicon Valley hosting provider McColo -- a network experts say absorbed many of the refugees from Atrivo's shutdown -- spelled the beginning of the end for "Srizbi," which was until recently considered the most massive spam botnet with an estimated 450,000 infected computers.

Tiny Charges Often Precede Big Trouble

Security experts advise consumers to keep a close eye on their bank and credit card statements, and for good reason: Small, unauthorized charges often are the first sign that thieves have made off with your account number and are getting ready to sell it to other crooks or use it to rack up thousands of dollars in fraudulent purchases. The Boston Globe writes this week about one such scam, which shows up on consumer accounts as 25-cent charges to a mysterious company called Adele Services, supposedly in New York. From that piece: Two theories of what is going on have advanced on message boards and among consumer advocates: Someone is trying to find out whether an illegally obtained credit card number will work before making a bigger charge, or they're trying to rip off tiny amounts from tons of people. The latter theory has more credibility at the moment. The

Caveat Emptor: Watch Out for Phantom Stores

Most people are proud to say they would never fall for a phishing scam, that they would never give their personal and financial information away at fake banking sites, just because someone asked them to in an e-mail. But how many people will use that same common sense when a too-good-to-be-true bargain presents itself at a no-name online electronics shop? A slew of fake electronics sites, some of them apparently being promoted by major online search engines and comparison-shopping sites, have been swindling consumers out of cash and credit card numbers for several weeks. The Web sites are confusingly named after legitimate electronics and clothing shops in the United States. All say they accept major credit cards and PayPal, and some carry seals boasting that they are "hacker safe." But customers who order something from these sites soon find their accounts charged increasing amounts for unauthorized transactions. Regina Arndt, owner

Spamhaus: Google Now 4th Most Spam-Friendly Provider

Google's free services are being heavily exploited by spammers to redirect visitors to sites touting knockoff designer drugs and scams, according to the latest rankings from Spamhaus.org, a group that tracks unsolicited commercial e-mail. Last month, Security Fix called attention to Microsoft's persistent ranking on Spamhaus's running list of the "Top 10 Worst Spam Service ISPs". Now that Microsoft has cleaned up its act, it appears the bad guys are moving on to Google, which is now ranked #4 on the list (#1 being the worst). "Microsoft got rid of the bad guys, and off they went to Google, which is now hosting a lot of the stuff that was on Microsoft's domains," said Richard Cox, Spamhaus's chief information officer. Other Internet providers, including Sprint and Verizon, currently round out the #8 and #10 slots on the Top 10 list, respectively. According to Spamhaus, spammers are using Google Documents to

Phishers Now Twittering Their Scams

Phishers are trying to trick Twitter users into forking over their user names and passwords by sending tweets that direct users to fake Twitter login pages, security experts warn.

Update, 7:31 p.m. ET: Twitter now says that in an unrelated incident, the Twitter accounts for president-elect Barack Obama and 33 other notables were compromised by an individual who hacked into some of the tools the company's support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. More on that incident from a new post on the Twitter blog.

Original post: Blogger Chris Pirillo spotted the Twitter phishes on Jan. 3, after receiving a tweet that asked him to log in at a counterfeit Twitter site called "twitter.login-access.com" (it's probably best to avoid visiting this site, which is still active as of this writing). Suspecting that