Archive for the ‘phishing scams’ tag
McAfee says Pinterest scammers are getting automated
We’ve known for a while that spam was jumping on the Pinterest train. Now McAfee is sending out an official warning to keep an eye out for fraudulent pins.
According to McAfee, hackers have created entire toolkits that make it fast and easy to deploy new spam campaigns on the social network. Pinterest displays “pins,” images taken from around the Web, on a “board.” These images are outbound links to various websites and are ripe for being exploited.
“These tools are so easy that many require only the attacker or scammer to change a couple of lines of code in the available kit,” said McAfee senior research engineer Hardik Shah in a blog post. “They can literally start a new Pinterest scam within minutes!”
These toolkits come with software to “mass-like” pins, an account creator, the ability to mass-follow people, tools for automated commenting and more. Indeed, toolkits have been behind much of the malware distribution in 2011. They allow hackers and scammers alike to automate the process of creating unwanted content (see: Internet-crap) and distributing it.
We found a scam on Pinterest in early March that showed a picture of a Cheesecake Factory coupon, promising free gift cards to all users. Often scams are touted as a “Pinterest special,” available only for users of this special, new social site. And because it is a special, new social site, people believe the fake offer. Many of these scams will ask a user to re-pin the image first (broadening the circle of lies) and will then prompt him to take a survey. It falls in line with phishing scams, as opposed to malware attacks.
McAfee warns that if a website asks you to re-pin before delivering the content, it’s most likely a scam. The security firm also makes the point that Pinterest users should beware of affiliate link spam. This is where scammers lure bystanders to an Amazon page that is associated with the scammer’s account. When a person subsequently buys something on Amazon, the company pays a commission to the scammer.
Beware of pins that lead you to websites that masquerade as Pinterest as well. These will try to push the same “You won this contest!” type of pin, and they are generally fake.
Pinterest phishing scams have finally surfaced
We knew it wouldn’t be long before Pinterest, the image-based social network, would attract spammers. We spotted a new scam on the site today, luring users to click for coupons to popular stores.
Pinterest is growing rapidly, with an estimated 13 million users in the 10 months since its launch. The site allows you to grab images from the web using the “pin it” bookmark tool, which then publishes the image to your Pinterest “board.” A board is a collection of images associated with a particular theme such as recipes. The pins often entice people to click through to the original website to, for instance, get a recipe or purchase a shirt. For this reason, it is a petri dish for scams that is only just starting to be exploited.
While surfing Pinterest last night, I saw the above image, a coupon offer for the Cheesecake Factory. It is set up to look like a promotion exclusively for members of the growing social network. Many businesses try to entice new customers with customized promotions, but this simply looks scam-y. Security company Trend Micro noticed a few of its own fake-promos, including Starbucks and Coach handbags.
According to Trend Micro, the images lead to a survey site, which first prompts you to re-pin the image to get the coupon code. It is not yet known whether the image downloads any malware to the victim’s computer. This falls more in line with a phishing scam, promising discounts for personal information.
Pinterest, which has only developed an iOS application, is also the subject of an Android app scam. According to GottaBeMobile, cyber criminals have created a fake Pinterest Android app, which really takes you to a mobile website and serves up malicious advertisements.
We have reached out to Pinterest and Google for comment and will update the post upon hearing back.
Starbucks screenshot via Trend Micro
Nothing Like a Phishing Trip to Bring Enemies Closer
If you were asked what it would take to get Google, Microsoft, Yahoo, Aol and others to come together, agree on something and work together to accomplish something that would benefit most of the online world, what would it be? That is a pretty short list of options for sure, but one thing has worked: a push to eliminate phishing scams in the e-mail space.
According to Wired:
On Monday, Google, Facebook, Microsoft, Yahoo!, and eleven other outfits announced they had formed a new alliance to combat phishing — a way of fooling email and web users into providing sensitive information, including credit card numbers. The alliance is known as Domain-based Message Authentication, Reporting and Conformance, DMARC for short, and the aim of this sprawling alliance is to lay down new email standards that help stop the nefarious practice.
“One of the worst experiences for a user is being phished,” Adam Dawes, a Google product manager and DMARC representative, tells Wired. “The best way to protect them is to make sure the email never reaches the spam folder at all.”
These scams can create some very serious issues for companies of all shapes and sizes. Of course, the most popular targets are banks. Raise your hand if you have ever received an e-mail that really tried to look like it came from a bank, maybe even your bank, and asked for updated information. If you haven’t raised your hand you’re either a liar or, well, something else.
The experienced online user looks at these things and wonders, “How would anyone fall for this nonsense?” Of course, you need to say that with a ridiculous amount of arrogance, since you cannot relate to a commoner who is outside the Internet space. Well, it must work enough times to make it worthwhile for someone to keep running the scams, right? Otherwise, why would you need this coalition of competitors to come together and try to put an end to this online menace?
Other players in this group include PayPal and Facebook. No matter who is involved it’s an important issue and one that will hopefully protect more companies moving forward. There are limits, however.
PayPal’s (Brett) McDowell reiterates that the goal of DMARC — at least for the moment — is to defend legitimate domains, not to address what’s sometimes called “typo-phishing,” where scammers use something that looks like a common domain but is actually a slightly different spelling.
“Domain-based phishing cannot happen when both parties deploy DMARC,” he says.
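The two quotes above describe what DMARC does and does not cover: a receiver checks that the domain in the From: header the user sees is aligned with a domain that passed SPF or DKIM, and otherwise applies the policy the legitimate domain published, while a lookalike domain simply has no such policy. The following Python is an added example, not part of the article or of DMARC's own reference code; the domains and records are constructed placeholders, and it simplifies the organizational-domain rule to the last two labels.

```python
# Added example (not from the article): a simplified DMARC alignment check.
# Constructed DMARC records for placeholder domains; a real verifier fetches
# the _dmarc TXT record over DNS and uses the Public Suffix List.
DMARC_RECORDS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:reports@shop.example",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, spf_domain=None, dkim_domain=None, lookup=DMARC_RECORDS.get) -> str:
    """Return 'pass', 'no-policy', or the published action ('none', 'quarantine', 'reject').

    from_domain: domain of the RFC5322.From header the user sees.
    spf_domain:  MailFrom domain that passed SPF, or None if SPF did not pass.
    dkim_domain: d= of a DKIM signature that verified, or None.
    """
    record = lookup(f"_dmarc.{from_domain.lower()}") or lookup(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return "no-policy"   # lookalike domains land here: DMARC says nothing about them
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"]
```

A message that spoofs bank.example in From: but authenticates for some other domain hits the published reject policy, while a message from a typo domain with no record returns no-policy, which is exactly the limit McDowell describes.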
As a marketer in the online world, just knowing search, social and mobile aren’t nearly enough these days. You better be thinking about security in everything you do. Are you?
Facebook is on a new mission: to take down clickjackers
Facebook has teamed up with the Washington Attorney General to put real resources toward getting rid of spam on the social network — starting with a lawsuit.
“Security is an arms race, and that’s why Facebook is committed to constantly improving our consumer safeguards while pursuing and supporting civil and criminal consequences for bad actors,” Facebook general counsel Ted Ullyot said in a statement.
The two have filed lawsuits against affiliate network Adscend Media, which Facebook says is known to support “clickjacking” schemes, and other forms of tricking users into giving up personally identifiable information or money.
Clickjacking schemes involve hiding code in a link, or under a picture in the browser, at what otherwise would be a normal click-through point. In Facebook’s case, this appears as enticing links to see a weird video or find out what cool thing happened on your birthday. The code in the link, however, executes a download or may redirect the user to an undesirable website. Other scams include creating a fan page that lures users into accessing a web page and entering personal information or signing up for a scam. This kind of spam is more in line with phishing scams.
Another scam involves making the like button invisible in the browser. A scammer can then overlay the like button with a photo that calls for the user to click on it. Once clicked, the photo actually activates the like button, sending the liked page to that person’s newsfeed in an attempt to attract more people to the scam.
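The invisible-button trick described above only works if the target page can be loaded in a frame by another origin, which is what the X-Frame-Options and Content-Security-Policy frame-ancestors headers exist to prevent. The following Python is an added example, not code from the article or from Facebook: it reads a page's response headers and reports whether a given origin could frame it, so a site owner can check that the protection is actually present. The origins are constructed placeholders, and the obsolete ALLOW-FROM value is deliberately not honoured.

```python
# Added example (not from the article): decide from response headers alone
# whether another origin could embed the page in an (invisible) iframe.
# CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
from fnmatch import fnmatch


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def _source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    """Match one CSP source expression against the framing page's origin."""
    source = source.lower()
    framer = framer_origin.lower()
    if source == "'self'":
        return framer == page_origin.lower()
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-source such as https:
        return framer.startswith(source + "//")
    return fnmatch(framer, source)                # host-source, may use *.example


def frameable_by(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin could load the page in a frame (no effective protection)."""
    lower = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return False
        return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    return True   # no recognised protection: any site could overlay this page
```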
Assistant Attorney General Paula Selis explained in the statement that money from Adscend Media “lined the pockets” of these scammers with up to $1.2 million a month.
Facebook has sued and succeeded before. Two years ago, Facebook took “spam king” Sanford Wallace to court, where a judge ruled he had to pay $711 million in reparations. Facebook also took Philip Porembski to court for spamming, resulting in a similar judgment of $360.5 million.
Facebook image via Shutterstock
Andreessen Horowitz Leads $40M Round In Smartphone Security Company Lookout
Lookout, a company that offers security services for a number of smartphones, has raised $40 million in new funding led by Andreessen Horowitz. Current investors Khosla Ventures, Accel Partners and Index Ventures also participated in the round. Andreessen Horowitz’s Jeff Jordan will join the company’s Board of Directors. This brings Lookout’s total funding to $75 million.
The fact is that as more and more consumers adopt smartphones (a number in the billions by 2015, according to Gartner), these devices are at risk for mobile app malware, phishing scams, drive-by downloads and malicious sites on mobile browsers. Similar to the way consumers protect their computers, there is a need for an application that protects smartphones. Lookout has basically dominated this market with an easy to use offering.
For background, Lookout’s web-based, cloud-connected applications for Android, Windows Mobile and BlackBerry phones help users avoid losing their phones and identify and block threats on a consumer’s phone. Users simply download the software to a device, and it acts as a tracking application, data backup and virus protector, much like security software downloaded to a computer.
Lookout also offers a mobile browsing application that will automatically check every website a user visits, from an app, email, or browser on a mobile phone, to prevent phishing sites from stealing personal data and malware from being installed on a device. It promises the same sort of security that many browsers offer on the desktop (but enhanced for mobile devices).
In the past year, Lookout has grown to 12 million users, and is now adding 1 million users a month. Lookout’s app is powered by Lookout’s Mobile Threat Network, which constantly analyzes global threat data to identify and quickly block new threats with over-the-air app updates. Threat detection that would have taken days now happens in minutes, effectively protecting users before they even know a threat exists.
The Mobile Threat Network is powered by a dataset of over 700,000 mobile applications that grows daily as more applications are added to app stores around the world. On average more than 1000 apps are added to the Mobile Threat Network daily.
The company has been able to tap into an enterprise business by offering this threat network through an API. Basically, Lookout’s Mobile Security API can extend its protection available to any app store or download site.
Verizon was the first carrier to use the Mobile Security API, providing V CAST Apps customers with real-time protection against threats in the applications they download from Verizon’s mobile storefront. The API works on the backend of the app store to determine whether any apps contain malware or other security threats. Sprint and T-Mobile are also using Lookout’s API. And considering that three of the top four U.S. carriers are now using Lookout, perhaps the fourth (AT&T) will join soon.
Jordan says of the investment: Mobile is rapidly becoming the dominant computing platform and as users do more with these devices, security is essential to keep them safe…Lookout understood from the beginning that mobile security would require a dramatically different approach. By moving security detection and analysis to the cloud, they have delivered a great user experience while building the fastest and most robust security infrastructure. Its tremendous growth is a testament to its success.
Khosla Ventures’ Vinod Khosla mentioned Lookout on stage last week at TechCrunch Disrupt as one of the more exciting companies he’s invested in. He said: “if you don’t have it, download it…Two years ago we invested one or two million dollars…Now they have eleven million users, they are scaling rapidly, we are happy to keep investing.”
John Hering, CEO and co-founder of Lookout, tells us in an interview (you can watch below) that the new funding will be used to expand to international markets, for product development, hiring and to develop similar carrier partnerships outside of the U.S. “The goal now is how do we get to 100 million users,” says Hering. And he believes that can happen soon.
“We’re orders of magnitude bigger than our competitors including Symantec, McAfee, and our growth in revenue is substantial,” he explains. “We are generating real revenue from consumers and the enterprise.” Hering declined to reveal revenue for the company. He added that Lookout will be announcing a number of new operator partnerships in the future.
Live blogging – Tee Morris’ Access Denied: Remaining Safe in Social Media
Tee Morris, well-known author/podcaster/blogger and more, starts with his computer locked and a screenshot joking about scanning his fingerprint, voiceprint, height, weight and more. After some biological deposits, he is allowed into his computer. His point is the tension between being active in social media and not revealing too much information.
Passwords were the first topic in his fast (30 minute) session: the bother of strong, unique and hard-to-guess passwords versus usability for the average user. The butterfly growth effect:
- blogging
- podcasting
- social bookmarking
- social networking
When is information too much information? How much is too much is the question we need to ask ourselves.
What is social media up against in common attacks? Denial of Service (DoS), phishing scams, spammers, SQL injection, XSS.
So what do we expect from our software vendors? Updates, security patches and even plug-in updates. Privacy filters and application management. Overall, what we need from any vendor is common sense.
User error was hitting the timeline of this blast session. The rest of the session had to move to the outside error.