Author Archive for Tracker
An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart. According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. "Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller.

Scam e-mail artists have launched a massive campaign to trick webmasters into giving up the credentials needed to administer their Web sites, targeting site owners at more than 90 online hosting providers. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute their malicious software. The spam e-mails arrive addressed to users of some of the top Web hosting firms, from hostgator.com to yahoo.com and 50webs.com, and bear the same basic message: "Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details." Recipients who click the included link are brought to a Web site made to look like a cPanel page (cPanel is a widely used Web site administration software package). People who fall for the scam and provide their credentials are then forwarded on to the actual site of the Web hosting

Apple this week pushed an update for Leopard and Snow Leopard systems that plugs a large number of security holes in Apple's version of Java, a package installed by default on those Mac OS X systems that enables a number of multimedia Web applications. The new Java version fixes at least 14 vulnerabilities in the version designed for OS X 10.6 systems; the package put together for 10.5 Macs corrects more than two dozen security flaws. Mac users can grab the patches via Software Update or from Apple Downloads. The patch fun continues into Tuesday of next week, when both Microsoft and Adobe are scheduled to issue updates to plug security vulnerabilities of their own. Microsoft said Thursday that it plans to issue at least six security patches (each patch fixes at least one -- but often multiple -- security flaws). Half of those updates will carry a "critical" rating,
Scammers and spammers soon will have a tougher time masking links to their malicious Web sites using bit.ly, one of the more popular link-shortening services out there: The company said this week it is teaming with three security firms to warn users when a shortened link looks like it leads to badness. Criminals increasingly are abusing URL-shortening services to disguise the true destination of both phishing Web sites and those that host malicious software. Some of the most prolific and automated of these attacks take place on social media sites like Facebook and Twitter, networks that are far less useful and fun if users can't feel relatively comfortable clicking links. In response, bit.ly will by the end of the year be working with Sophos, Verisign and Websense to scrub some 40 million shortened links each day for those linking to malware, spam and phishing Web sites, the company said this

Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail. The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium. Parkinson said he had an expensive crash course in computer security, when on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to

E-mail scam artists are impersonating the Centers for Disease Control with a bogus e-mail that claims to offer information about a state-run vaccination program for the H1N1 "Swine Flu" contagion. This highly topical and plausible e-mail message directs recipients to a fake CDC Web site that tries to foist malicious software. Recipients who fall for the ruse and click the link are brought to a counterfeit CDC site that showcases a "Personal H1N1 Vaccination Profile" as an electronic document that supposedly contains the reader's name, contact details and medical data. Visitors are instructed to download their profile, which according to multiple sources is a malicious program (almost certainly a password stealer) that is hard to detect by the vast majority of anti-virus products on the market today.

A recent spam run that tries to distribute malicious software disguised as a DHL package tracking number contains a poorly hidden message that insults the Security Fix author by name. According to an analysis by security firm Sophos, the messages arrive as a "Dear Customer" notification stating that the courier company was unable to deliver a parcel to the recipient's address. The message urges recipients to click the attached "shipping label" for more information, and of course the attachment is a malicious program designed to steal the curious victim's passwords. Sophos said the tracking number cited in the messages appears to be a jumbled mush of letters, but closer inspection reveals an insult aimed at this author. (Suffice it to say, it is off-color enough that it cannot be repeated here.) Sophos's Graham Cluley writes: "I find it hard to believe that the hackers' choice of tracking reference number
It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies. On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm. The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had
Shopping online is a great way to save time and money, but those efficiencies quickly vanish for people who lack basic online shopping smarts. Take a few minutes to review these safe shopping tips: They may just save you a world of headache and financial pain.

1. Shop with a credit card, not a debit card. The banks are pushing more consumers toward debit cards with a bevy of awards programs because they can charge merchants higher fees than on credit card-based transactions, said Avivah Litan, a fraud analyst with Gartner Inc. But if your debit card number gets stolen, it might be somewhat more complicated to sort things out, especially if fraud causes overdrafts and bounced checks.

2. Keep track of your receipts. Some experts advise online shoppers to print out all receipts. That's fine, but a simpler and more "green" alternative to this important tip is to simply
These past few days have seen some notable cyber justice cases: Late Monday, Alan M. Ralsky -- a man dubbed the "Godfather of Spam" -- was sentenced to 51 months in prison. And on Friday, a California man pleaded guilty in a case involving the sale of counterfeit high-tech computer parts to the U.S. military. Ralsky, 64, of West Bloomfield, Mich., joined two co-conspirators in earning stiff prison sentences for long careers of blasting junk e-mail. Following more than four years in prison, Ralsky will be subject to five years of supervised release and will forfeit $250,000 the government seized from him in December 2007, the Justice Department said. According to the government, Ralsky was a top promoter of so-called pump-and-dump scams, schemes in which fraudsters buy up a bunch of low-priced microcap stock, blast out millions of spam e-mails touting it as a hot buy and then dump their


