The cybercrooks attempting to defeat CAPTCHAs are no longer just traditional junk-mailers who want to get around the test to send spam. In a recent study, security researchers have discovered that criminals are also using circumvention techniques in attacks that harvest financial or personal data. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is commonly used to distinguish human users from automated programs, thus helping to prevent automated tools from abusing online services, such as webmail accounts. Hackers have developed numerous methods to bypass CAPTCHAs, including computer-assisted tools and crowd-sourcing, creating a cat-and-mouse game between miscreants and CAPTCHA providers such as Google and others. Junk mailers, for example, are interested in defeating CAPTCHA challenges in order to establish webmail accounts for subsequent spam runs. Last weekend spammers managed to spam the UK's open data website by circumventing its CAPTCHA gateway in a slightly more sophisticated variant of the same play. How do they do it? Hackers are using computer-assisted tools based on optical character recognition or machine learning technologies, as well as tools which outsource CAPTCHA-breaking to modern-day sweatshops, typically located in India. More recently miscreants have begun hoodwinking naive users into being part of the crowd sourced for CAPTCHA solutions. These crowd-sourcing techniques sometimes pose as CAPTCHA-busting games that reward players. Some CAPTCHA-busting sites offer free porn as an incentive.
LinkedIn is far from the only company to suffer a massive data breach, but the company's response to the incident is unique — in all the wrong ways. First, a short timeline: On June 6, the passwords of more than 6.4 million LinkedIn users hit a Russian Web forum after a reported hack. After repeatedly issuing statements saying nothing was wrong — and prompting widespread criticism from security experts — LinkedIn finally admitted late in the day that the security breach was real. To alert its millions of potentially compromised members, LinkedIn issued a list of security steps to help users keep their accounts from being hijacked. LinkedIn said affected users would receive an email from LinkedIn on how to reset their passwords. Those emails have set off another series of problems. About a quarter of a million of the legitimate LinkedIn email alerts ended up in spam folders, according to Computerworld. Andrew Conway, a researcher at the security firm Cloudmark, told Computerworld that LinkedIn's emails weren't the problem — they were all addressed to the recipient by name and contained no links — it was that those recipients were expecting spam, and ready to delete it when it came. "Part of the problem is that people are used to getting email that they don't want from LinkedIn, and rather than unsubscribe, some of them just mark it as spam and hope that it will go away," Conway said.
Cyber-scammers are gearing up for Father's Day this Sunday with a new spam campaign promising dads a box of premium cigars. Sophos researchers have intercepted a large number of "Buy your Dad a cigar" spam messages over the past few days, Graham Cluley, a senior technology consultant at Sophos, wrote on Naked Security. The spam campaign offers 12 premium cigars, a lighter, and a cutter for just $19.95. When unsuspecting recipients click on the link in the email message, thinking they have found the perfect gift for dad, they are routed to gambling websites, Cluley said. As spam campaigns go, this is pretty generic. There is an offer that sounds too good to be true: as any cigar connoisseur knows, 12 premium cigars would never be available for just $20. It's unsolicited, as you've probably not signed up with sites asking for deals about cigars. And it claims to come from Philip@givefather.com at an unknown company, Qualitycigars.com. See those red flags? "You shouldn't click on links in unsolicited emails, and you should never consider purchasing products promoted to you via spam messages," Cluley warned.
Reddit is well within its rights to ban high-quality domains that break reddit’s rules, regardless of the quality of the content of those sites. A website isn’t a democracy and it isn’t bound by the First Amendment. Suffice it to say, I disagree with Forbes contributor Greg Voakes that any of this qualifies as censorship or the website equivalent of a “police state.” Granted, at first glance I thought the ban of sites like The Atlantic was overly harsh. But it only takes a quick look at the history of what’s actually going on with this ban to understand why it makes sense, and why it may be the only option reddit has. For one thing, the banned sites have been caught red-handed, spamming their own content to reddit to drive traffic (and boy, does reddit drive traffic). The Daily Dot exposed the reddit spamming carried out by The Atlantic back in April. Now, I’m a big fan of The Atlantic – and yes, I’ve written several pieces for their online magazine – but posting large amounts of your own content to reddit is clearly against the rules, whether or not that content is top-notch.
KUALA LUMPUR, June 13 — Have you been receiving spam emails lately related to the plight of Indian Malaysians and the lack of attention from Pakatan Rakyat (PR)? How about Malaysia’s rise in the world competitive index by Swiss global business school IMD? These emails appear to be from Barisan Nasional (BN) supporters who have been increasing their online activity in a battle with PR for voters’ hearts and minds. The Malaysian Insider has received a number of spam emails written by BN supporters eager to stake a claim in cyberspace, as intense speculation over the date of the next general election continues. Most of the spam emails touch on the Indian community, featuring titles such as “Malaysian Indian Welfare Association holds protest against Selangor government” and “Betrayal and opportunism: the tales of the 3 newest Indian champions”. “Now that it is apparent that the Indians are fed-up with them and are choosing to once again place their faith in Najib Razak’s BN, the wounded Pakatan has launched a series of targeted attacks,” claims an email titled “Desperate to regain Indian support, Pakatan starts lying about BN.” The email accused PR of belittling “the concrete efforts taken by the Najib administration, they (PR) also spread malicious and dangerous lies.”
The Flame espionage malware that infected Iranian computers has initiated a self-destruct command that removes all traces of itself on infected machines that receive the instruction, researchers said. The 20-megabyte piece of malware already had a self-destruct module known as SUICIDE that removed all files and folders associated with Flame, but the purging command observed by Symantec researchers instead relied on a file called browse23.ocx that did much the same thing. The removal tool, which researchers from Kaspersky Lab briefly documented last month, was downloaded from a command and control server still under the control of Flame attackers to several machines in a honeypot. White hats monitored the activities of the sophisticated malware, which is also known as Flamer and sKyWIper. "This command was designed to completely remove Flamer," Symantec researchers wrote in a blog post. "The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers." As a result, the compromised computers in the honeypot deleted at least 163 files and four folders belonging to the sprawling set of modular code. The self-destruct mechanism then overwrote the disk with random characters to prevent researchers from studying the files.
The deluge of spam dropped on members of LinkedIn (NYSE: LNKD) last week perhaps could have been expected after a data breach at the site exposed 6.5 million of their passwords. Those messages, though, are more likely to harm members unaffected by the breach than those victimized by it. That's because members who had their passwords compromised also had them wiped by LinkedIn. To reset those passwords, they have to go through a two-part process. They have to respond to a message from LinkedIn informing them that their password has been compromised. Then they receive a message from LinkedIn with a reset link. If a spammer sends a bogus password reset request to an affected member before they receive a message from LinkedIn and they're fooled into giving the spammer a username and password, the password won't work because it has been suspended by LinkedIn. That's not the case with an unaffected account, though. A spammer who teases a password from one of those members will have a password that can be used to compromise the account. Some of the spam campaigns attempt to emulate the LinkedIn reset process, explained Eset Senior Researcher Cameron Camp. "They say, 'Your password has been compromised. Click on this link here,' and when you do you're sent to places where you have to enter your user name and password to LinkedIn, which allows them to gather user names and passwords from people who are not affected by the breach," he told TechNewsWorld.
The folks behind that nasty Flame trojan that burned its way through the Middle East aren't the kind to brag -- the malware's manufacturers apparently started dousing their own fire last week. According to Symantec reports, several compromised machines retrieved a file named browse32.ocx from Flame-controlled servers, which promptly removed all traces of the malware from the infected systems. Although the attackers seem spooked, Microsoft isn't taking any chances, and has issued a fix to its Windows Server Update Services to block future attacks. The update aims to protect networked machines from a similar attack by requiring HTTPS inspection servers to funnel Windows Update traffic through an exception rule, bypassing inspection. The attackers? "They're trying to cover their tracks in any way they can," Victor Thakur, principal security response manager at Symantec, told the LA Times. "They know they're being watched." Check out the source link below for Symantec's rundown of the trojan's retreat.
If you want to get your malicious software loaded onto 1,000 U.S. computers, it will cost you about $100 (or a dime each) on the black market. Getting your malware on 1,000 machines in Asian countries will cost you only $5. These infected computers – collectively known as botnets – can be used to send spam, steal passwords or other private information and hack into corporate computer systems. Researchers estimate that 5 million computers around the world were infected just in the first quarter of 2012. With infections perennially hard to stop, especially on computers with outdated software or lacking in antivirus protection, one key front in the war against botnets involves enlisting millions of average people – hapless owners of infected computers – to take action by cleaning their machines and keeping them up to date. Even if the government or industry wanted to bypass these users, it couldn’t. That’s because in the United States, and many other places, private machines can’t be touched without a court order. “There is a fundamental conundrum in the fact that we can identify literally millions of compromised machines that we are not in a position to do much about with regard to cleanup,” says Stefan Savage, a computer security researcher at the University of California, San Diego. Last week, the White House and major computer and Internet companies that make up the Industry Botnet Group – a partnership formed last year – pledged to step up industry action against botnets. The new effort includes increased coordination between industry and government, progress toward information sharing between Internet service providers and financial institutions, and a Keep a Clean Machine campaign to step up consumer education. All of this is voluntary.