neutek

18 May 2012

Money! That’s what Flashback’s creators want (but they can’t get it)

A Flashback botnet of Macs could bring in up to ,000 per day, but it doesn't. Symantec has published a new report after having followed OSX.Flashback's advertising component for a few weeks, concluding that the creators have only garnered about ,000 in three weeks and have yet to figure out how to get the money into their bank accounts.

Symantec's original report from the end of April said that Flashback was capable of generating up to ,000 per day in ad clicks, primarily impacting Google and bringing in "untold sums of money for the Flashback gang." The ad-clicking component works by monitoring Web searches being performed in Safari, Chrome, and Firefox. It then bypasses Google's own advertising on the results page by substituting ads from various pay-per-click (PPC) services. When clicked, the PPC services would then pay fees to the Flashback team.

In its latest report, Symantec says that during a three-week period in April, the Flashback botnet managed to generate around 400,000 ad clicks out of roughly 10 million being displayed. That 4-percent conversion rate resulted in about ,000 worth of payouts to the Flashback creators—if the PPCs would actually pay them, that is. In a twist of schadenfreude, Symantec points out that collecting the money has been a problem.


Ars Technica » Risk Assessment

17 May 2012

Indian Supreme Court orders Pirate Bay, Pastebin blocks, gets DDoSed

An injunction issued by an Indian court in a copyright infringement case has forced Indian Internet service providers to block access to the video-sharing sites Vimeo and DailyMotion, Bittorrent-tracker The Pirate Bay, text-sharing site Pastebin and a number of other websites. In response, members of Anonymous mounted a denial of service attack on the websites of the Indian Supreme Court and the Indian National Congress political party. As of 2pm GMT, both sites are back up.

The temporary restraining order (PDF) was issued by The High Court of Judicature at Madras in response to a lawsuit by the Chennai, India-based company Copyrightlabs (whose site appears to have been taken down for maintenance) over the sharing of the movie "3" online. It orders ISPs to stop sharing of the film "by copying, recording, reproducing, camcording or communicating, or allowing others to communicate" the contents of the film in any form.

Meanwhile, the denial of service attack on The Pirate Bay Ars examined on May 17—which lasted for over a day—has ended. ZDNet reports that credit for the attack was claimed by a hacker going by the name Nyre. The hacker, who also claims to be a former supporter of Anonymous, posted his displeasure with the quality of porn on The Pirate Bay just before the DDoS attack started.


Ars Technica » Risk Assessment

16 May 2012

Best Buy’s surprisingly insecure approach to new PC setup

Want Geek Squad to set up your PC? Just write your e-mail password in that box on the left

A basic rule of password-based security is "don't write down your password." A second rule might be "don't train people to write down passwords." And a third rule, which few follow, is "don't adopt password policies that lead to people writing their passwords down" (over-aggressive change requirements often have this effect, for instance).

Best Buy hasn't received the memo, apparently. This past Friday I came in contact with a surprisingly bad password policy in action as I shopped with my brother for his new computer in Scottsdale, Arizona. He had settled on an HP Windows 7 machine and was in the process of paying for it when a Best Buy employee handed him an 8.5” by 11” sheet of paper labeled “PC Recommendation Worksheet.”

Emblazoned with the familiar Best Buy and Geek Squad logos, one side contained a “new computer setup” form, where you can select antivirus software, Geek Squad tech support, data transfer services, Microsoft Office, and so forth. The other side had more of the same—along with a request for my brother’s e-mail and password, right below the fields for name, address, and phone number. Anyone reading this form would interpret it as a request for your e-mail address and e-mail password. And less-sophisticated users will fill it in, no questions asked. But we balked.


Ars Technica » Risk Assessment

15 May 2012

New fraud tools turn Pinterest scams into point-and-click exercise

With all the attention being showered on Pinterest lately, it was inevitable that criminals would figure out a way to cash in on the popular social-media pinup site. New point-and-click software available in underground markets does just that by helping even the most technically unsophisticated people prey on the gullibility of other users.

A couple of toolkits analyzed by McAfee researcher Hardik Shah allow users to generate fraudulent referral fees from Amazon, online survey services, and premium telephone numbers. They work by redirecting unwitting Pinterest users to links they didn't intend on visiting and can be set up by changing just a few lines of code.

"Such toolkits make it very easy for scammers to start their own scam sites and become functional cybercriminals with a minimum of skills and time," Shah wrote in a blog post that detailed his findings. "They need only change a couple of simple things, such as URLs, and they are ready to go. Almost all these steps—from creating mass Pinterest accounts to mass liking, commenting, and posting—have been automated."


Ars Technica » Risk Assessment

14 May 2012

How to harden your smartphone against stalkers—Android edition

I found you, my precious.

Stalking via mobile phone has become a favorite activity of the mentally unhinged everywhere—jilted wives, jealous boyfriends, or any one person who cannot stop obsessing over another. Most smartphones today contain everything a stalker needs to keep solid tabs on their mark, and, in contrast to iPhones and iOS, the Android platform is much more open.

Android users can easily root their phones, sideload apps, and use all of Google's services to communicate reams of information. This flexibility is great when used for good, creative purposes. But it's also very easy to turn them around and use them against someone. A stalker can place an Android phone user in a compromised position simply by getting their Google account password or getting access to the phone itself, even for only a minute or two.

What follows is a guide to taking ownership of your Android phone aimed mostly at less savvy users, especially those who may have had their phone set up for them by someone else. Of course, it's a bad idea to let something as sensitive as a smartphone leave your sight for even a minute, as physical access gives malefactors a lot of leeway. Someone who is your friend now might not be your friend forever—according to a 2009 report from the Bureau of Justice Statistics, nearly 75 percent of stalking victims know their stalker in some capacity. Beyond e-mails and texts, playing a game or two, and making phone calls, most people with smartphones rarely give a second thought to what the phone is doing or what information it is communicating. But given how powerful smartphones are, it's important for every user to take ownership of their device and monitor it carefully—stalking doesn't always mean direct harassment.


Ars Technica » Risk Assessment

13 May 2012

Amnesty International malware attack: when bad things happen on good sites

Lurking in the shadows, malicious code on this Amnesty International site installed malware on unpatched computers.

Shattering the myth that only disreputable sites push malware, Amnesty International's UK website was recently compromised and used to install a notorious backdoor trojan that allows hackers to spy on political activists and government employees, security researchers said.

People visiting Amnesty.org.uk on Wednesday and Thursday were exposed to malicious code that exploited a now-patched vulnerability in Oracle's Java software framework, according to a blog post published Friday by Websense. End users who hadn't yet applied the patch were infected with Gh0stRat, a family of malware that siphons sensitive data from victims' machines and can also operate Web cams and microphones in real time. The trojan came to light in 2009 when researchers reported that it infiltrated government and private offices in 103 countries. That included computers belonging to the Dalai Lama.

The Java vulnerability targeted on the Amnesty International site has been used in the past to install malware on computers running both Microsoft Windows and Apple's OS X. Recently, similar espionage attacks have migrated to OS X, and the Flashback malware attack believed to have infected more than 500,000 Macs targeted the same bug. Based on the Websense post, however, it appears this week's attacks infected only Windows users.


Ars Technica » Risk Assessment

13 May 2012

HP loses hundreds of thousands of CA social services records—on microfiche

The California office of In-Home Supportive Services, which provides health support to elderly and disabled people, reported on Friday that the personal records of some 700,000 caregivers and care recipients were either lost or stolen.

But this data loss was not due to a server breach, or some complex phishing attack—instead, the Social Services office said that Hewlett Packard, which manages the data controlled by the office, notified the IHSS of the breach after a physical package containing microfiche with thousands of entries of payroll data went missing from a damaged package that HP had shipped by U.S. Postal Service to the State Compensation Insurance Fund in Riverside, CA.

As the package arrived damaged and incomplete, it’s unclear whether the information was lost or stolen, but the state has launched an internal investigation and notified law enforcement in the hopes of resolving the issue, according to the Los Angeles Times. "The possibly compromised information, dating from October to December 2011, for 375,000 workers included names, Social Security numbers and wages. For 326,000 recipients, state identification numbers may be at risk,” the LA Times reports. The In-Home Supportive Services office is also sending out hundreds of thousands of letters to potentially affected parties.


Ars Technica » Risk Assessment

12 May 2012

Bitcoins worth $87,000 plundered in brazen server breach

More than $87,000 worth of the virtual currency known as Bitcoin was stolen after online bandits penetrated servers belonging to Bitcoinica, prompting its operators to temporarily shutter the trading platform to contain the damage.

Friday's theft came after hackers accessed Bitcoinica's production servers and depleted its online wallet of 18,547 BTC, as individual Bitcoin units are called, company officials said in a blog post published on Friday. It said the heist affected only a small fraction of Bitcoinica's overall bitcoin deposits and that all withdrawal requests will be honored once the platform reopens.

It was at least the second time in 10 weeks Bitcoinica has been stung by a computer intrusion that has cost it dearly. In early March, a security lapse at cloud services provider Linode allowed hackers to make off with about 0,000 worth of bitcoin after they gained unauthorized access to bitcoin wallets stored by Bitcoinica and seven other customers. Last June, an anonymous person claimed to have lost 0,000 worth of bitcoin to online thieves, but the claims were never independently verified.


Ars Technica » Risk Assessment

11 May 2012

My own private Internet: .secure TLD floated as bad-guy-free zone

A security researcher has won investments of more than million to incorporate a tightly policed section of the Internet reserved for banks, healthcare providers, and other groups that are regularly targeted in malware, phishing, and similar online attacks.

Alex Stamos, CTO of iSec Partners, said Internet addresses subscribing to the secure service would tentatively include the top-level-domain of .secure, which his new venture has applied to operate. Websites, mail servers, and other services using .secure addresses would first have to agree to abide by a stringent set of requirements, including offering end-to-end encryption of most traffic and to follow a strict code of conduct. Artemis Internet Inc., as the new venture is called, has received about .6 million in backing from its parent company, NCC Group, a UK-based provider of secure IT services.

Anonymity and the Internet's free-wheeling ways have been great for free speech and innovation, but they also open the door to impostors and website operators with poor security hygiene. With plans by the Internet Corporation for Assigned Names and Numbers to vastly expand the availability of top-level domains, security advocates have an opportunity to build the type of global network they've long dreamed of.


Ars Technica » Risk Assessment

29 Mar 2012

The IETF is in your Web, fixing your security



The Internet Engineering Task Force (IETF) has descended upon the City of Light this week to discuss ongoing work so the pipeline spewing out new RFCs and Internet standards doesn't stall. Probably close to a hundred working groups, covering topics from routing to various aspects of IPv6 (and even IPv4!) to Web security, will keep the roughly 1,300 participants busy throughout the week. Because eight groups meet in different rooms at any given time, different people work on different topics. Usually, one stands out. This time around, Web security seems to be in the air. The topic was discussed in the websec working group, but also in a panel during one of the few plenary sessions and in a lunchtime briefing by the Internet Society (ISOC).


Security
