Google's free services are being heavily exploited by spammers to redirect visitors to sites touting knockoff designer drugs and scams, according to the latest rankings from Spamhaus.org, a group that tracks unsolicited commercial e-mail. Last month, Security Fix called attention to Microsoft's persistent ranking on Spamhaus's running list of the "Top 10 Worst Spam Service ISPs". Now that Microsoft has cleaned up its act, it appears the bad guys are moving on to Google, which is now ranked #4 on the list (#1 being the worst). "Microsoft got rid of the bad guys, and off they went to Google, which is now hosting a lot of the stuff that was on Microsoft's domains," said Richard Cox, Spamhaus's chief information officer. Other Internet providers, including Sprint and Verizon, currently round out the #8 and #10 slots on the Top 10 list, respectively. According to Spamhaus, spammers are using Google Documents to


01/05/2009

Phishers are trying to trick Twitter users into forking over their user names and passwords by sending tweets that direct users to fake Twitter login pages, security experts warn. Update, 7:31 p.m. ET: Twitter now says that in an unrelated incident, the Twitter accounts for president-elect Barack Obama and 33 other notables were compromised by an individual who hacked into some of the tools the company's support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. More on that incident from a new post on the Twitter blog. Original post: Blogger Chris Pirillo spotted the Twitter phishes on Jan. 3, after receiving a tweet that asked him to log in at a counterfeit Twitter site called "twitter.login-access.com" (it's probably best to avoid visiting this site, which is still active as of this writing.) Suspecting that


01/05/2009

It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the encryption technology that protects online transactions to undermine the security around e-commerce. washingtonpost.com ran an in-depth story I wrote about their findings, along with a sidebar explaining the weakness in a bit more detail. Long story short: An international team of security experts (pictured at right, thanks to Alexander Klink) showed that they could undermine the system most of us rely on to secure our online transactions, so that even though the browser indicates your connection is encrypted (Web browser address starts with "https://") and vetted by a third party to be secure and authentic, it may in fact be controlled by an attacker offering up a counterfeit Web site designed to steal your


12/30/2008

Cyber crooks are once again blasting out fake holiday e-greeting cards in a bid their special kind of cheer. Also, there are signs that computer viruses may again be piggybacking on digital photo frames and other data storage devices that make popular holiday gifts. E-greeting scams are hardly new, but they tend to increase around major holidays, probably because consumers are more receptive to opening them at these times and because more people are home in front of their computers. Most of these e-greeting scams try to foist malicious software by claiming the recipient needs to install some application in order to view the card, such as Adobe's Flash Player. Almost invariably, the downloaded program isn't a legitimate add-on, but malware. According to Symantec, some of the fake e-card domains being used in this scam include (please don't visit any of these sites): * [http://]itsfatherchristmas.com * [http://]bestchristmascard.com * [http://]whitewhitechristmas.com *


12/26/2008

If you suspect or know your PC is infected with a virus, it's probably wise to avoid purchasing anything using that computer until you're sure the machine is clean. That includes additional anti-virus or security products. Chances are the malicious software on your machine includes built-in ability to steal user names, passwords and other sensitive data from infected hosts. Recently, I've heard from several people who used their credit or debit cards at the first sign of infection, to renew or upgrade their anti-virus protection when their existing software didn't work or failed to update. Also, in a Live Web chat a few weeks ago, one reader described how he "stupidly" went online and bought an anti-virus product after realizing he'd infected his machine with a DNS hijacker Trojan. Consumers can be forgiven for such goofs: After all, they paid for security software, they expect (rightly or wrongly) to be


12/22/2008

A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: That criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits. Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim. Those reports either presented conclusions based on examining a single cache of stolen data, or by observations based on watching transactions between cyber thieves. But a report released today by researchers at the University


12/18/2008

Security Fix has often praised Mozilla for equipping its Firefox Web browser with a no-hassle system for automatically applying security updates. But for those users still browsing the Interwebs with anything less than Firefox 3, it's time to take note: Mozilla shipped its final update to Firefox 2 on Tuesday, and plans no further updates for this version. Put simply: If you want to keep using Firefox safely, you're going to need to upgrade to Firefox 3. The latest version of the popular browser received mixed reviews on its release, but Mozilla appears to have done a good job ironing out the kinks since then. Most notably, Firefox 3 consumes far less system memory than older releases. That said, there is a non-trivial chance that Mozilla may in fact ship another update to Firefox 2. A bug report filed Wednesday with Mozilla indicates the browser maker overlooked a security flaw


12/17/2008

Microsoft today issued an emergency update to plug a critical security hole present in all versions of its Internet Explorer Web browser, a flaw that hackers have been leveraging to steal data from millions of Windows users. The patch, which Microsoft dubbed MS08-078, fixes a security vulnerability that Microsoft says already has been used to attack more than 2 million Windows users. As Security Fix and other members of the tech community have chronicled, attackers have been busy compromising thousands of Web sites by seeding them with code that installs password-stealing software on computer systems of Web site visitors who use Internet Explorer. Microsoft estimated Monday that one in every 500 Windows users had been exposed to sites that try to exploit the flaw. Additionally, it said the number of victims was increasing at a rate of 50 percent daily. Vulnerability management company nCircle said Microsoft's decision to issue the


12/17/2008

Online bill pay giant CheckFree.com said the hijacking of its Web site this month affected an estimated 160,000 people, a disclosure that offers the most detailed account yet of the true size and scope of a brazen type of attack that experts say may become more common in 2009. In a filing with Wisconsin's Office of Privacy Protection, CheckFree said at least 160,000 people may have visited the site during the nine-hour period it was hijacked, which had redirected visitors to a site in Ukraine. An analysis of that Ukranian site indicated that it was trying to exploit known security flaws in Adobe Acrobat and Adobe Reader, in an attempt to install a variant of the the Gozi Trojan, which is among the most sophisticated password-stealing programs in use today. CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills


12/17/2008

Web security firm Websense is warning that scam artists have hijacked Google's sponsored links to spread rogue anti-virus software. While this type of attack is not new, I was amazed to find how deeply Google's ad program appears to be infested with this crud. Websense's alert shows how following sponsored links generated by searches for popular software titles may not be such a hot idea. Their investigation of the sites served up at those links took them through what appears to be a long and convoluted effort to trick visitors into installing bogus security software. Websense discovered the scam after searching for WinRAR, a popular tool used for archiving files and folders. Interestingly, when I searched for WinRAR just a few minutes ago, I found two different sponsored links to sites that offered up a version of the program that came with a malicious keystroke-logging program attached, according to a


12/16/2008