
phishing posts

Filed under: Security

Phishing for the fail whale -- watch out, Twitterers!


Courtesy of Twitter.

Warning! There's a Twitter phish-fest going on at the moment. Hopefully you'll read this before you become an ill-fated Twit...!

If you receive a DM that looks something like this:
hi. this you on here? http://blogger.djh****.com
Do not use the link!

It will redirect you to a copycat Twitter log-in page, and then forward you to a fake fail whale -- and then later, when you least expect it, your account will have its avatar replaced with a naked girl that seems to be enjoying a deliciously unsymbolic and in-your-face penis. You will then, unwittingly, tell your friends all about fantastic dating websites that you've had a lot of success with recently. I think you'll all agree that's a fate even worse than a celebrity not responding to your well-thought-out and poignant tweet.

[via Sophos]

Filed under: Security, E-mail

Gmail, Hotmail, AOL and Yahoo! users fall victim to phishing scheme

Over 30,000 email addresses have been compromised, with their login info posted online, in the past few days. The BBC has apparently seen the list, and it includes Hotmail, AOL, Yahoo and Gmail users. None of those companies are to blame, though, because the owners of the email addresses got caught in a phishing scam. In case you're not already in the habit of making sure you're not giving your login info to fake websites that are made to look like real ones, this is a good reminder to start.

Gmail is dealing with its share of the stolen accounts by forcing password resets, and a spokesperson at Google said there was no breach in Gmail security. This comes right on the heels of a possibly-related Hotmail-only phishing attack that hit 10,000 accounts earlier this week. To be safe, make sure you use a different password for each service you sign up for (the BBC says 40% of Internet users have the same password for everything), and if you click on a link in your email, make sure you're on a legitimate website before you sign in.

[via Mashable]

Filed under: Security, News, web 2.0

Did you realize some Facebook apps are being used to steal your data?


Phishing [Wikipedia] is nothing new. The bad guys have been spamming our inboxes for a long, long time hoping we'll click on some bogus link and provide them with important personal info like usernames, passwords, and credit card numbers.

Attacks like this rarely limit themselves to one avenue. So where do the bad guys go to find victims when they're not busy spamming? Why, the world's number one social networking site, of course!

Yep. Facebook, with its millions of users and juicy apps platform, makes it the perfect place for this type of vermin to set up shop. Trend Micro has found several phishing scams before that lured people to fake (but convincing) Facebook sites to harvest data. Now, however, they're doing it to you from the inside.

Trend researchers have discovered three applications so far that run on the Facebook apps platform. They can post notifications to your timeline, just like any legitimate app. The actual phishing is still done off-site, but the look is very, very convincing and you're returned to your Facebook profile afterward. It looks innocent enough, but once you've entered your credentials there's no telling what someone has planned for them.


Filed under: Social Software, web 2.0, Microblogging

Twitter begins filtering malicious URLs - what took so long?


Earlier this week, the folks over at Sunbelt noted that Twitter was working on a new feature. While there's nothing posted to blog.twitter.com about the development, it's no secret that their developers have started giving the bird to malicious links.

As of now, Twitter's blocking powers are pretty limited. On a good note, the service appears to be tied in to Google's Safe Browsing service.

However, only bit.ly short URLs are supported - the other 30 million providers are not. Furthermore, URLs which lack http:// or are posted as downloadsquad.com (without the www.) are not checked. Sunbelt also points out that Twitter doesn't currently utilize Stopbadware.org's database of nearly half a million malicious URLs.

Ok, so it's not much, but it's a start. When you look at Twitter's popularity and the number of users (or bots) using the service to spread links to "questionable" websites, there's no denying this is a good thing. Since it doesn't take much more expertise than that possessed by a bored high school programming student to spread a worm on Twitter, countermeasures are clearly necessary.

Hopefully they'll continue working to improve link filtering. No, Twitter isn't a security company, but this should be a very high priority. If Twitter really does want to be the "pulse of the Internet" as noted in those riveting leaked docs, they're going to have to make sure the circulatory system stays relatively disease-free.

Filed under: Security, Web services, web 2.0

Phishing scam hits Twitter. Don't get sucked in!


Phishers are up to the same old tricks, with a new target: your Twitter password. Several Twitter users received a direct message today that included a Blogspot link purporting to be about "a funny blog about you!" They clicked on it and found themselves redirected to a spoofed Twitter login page that grabs passwords and may use your account to propagate the phishing messages to more users.

To be safe, don't click on suspicious links, even though they're coming from people you follow on Twitter, and don't compulsively enter your login info without checking to make sure you're actually on a Twitter.com domain. This scam is particularly tricky because of the nature of direct messages, which have to come from people you've allowed to contact you. The Twitter Eng and Ops teams are aware of the problem, according to a tweet from Twitter's Biz Stone, and a warning message has been added on the Twitter homepage.

Filed under: Web services, Google, Googleholic, web 2.0

Googleholic for July 8, 2008

Welcome to Googleholic, your bi-weekly fix for everything Google!

In this edition:

  • Gmail fights PayPal and eBay phishers
  • Protocol Buffers go open source
  • Walking directions for Google Maps
  • YouTube Screening Room, round two
  • Viacom v. YouTube and what it means for your privacy


Filed under: Fun, Internet, Security, Mozilla, Freeware, Browser Tips, web 2.0

Firefox add-on stops accidental MySpace encounters: it's actually useful!

Have you ever accidentally visited MySpace? Yeah, we probably have too, though, it was never a noticeable problem. In fact, we can't even remember it happening, but it seems like it has to have happened... right?

Well, this Firefox add-on promises to detect MySpace in Firefox, and provide a pop-up menu to stop unsuspecting web-browsers from hitting up the social network. The plug-in is obviously a joke, but we found a great use for it anyway -- avoiding phishing.

It's called AmIOnMySpace.com? and it can be used to detect the real MySpace site. If for any reason the message doesn't pop up upon first visiting the social network, you're not on the real site. The biggest problem with using this as a way of avoiding phishing sites is that it doesn't alert users when leaving MySpace, so it's still possible to get attacked from within.

[via Digg]

Filed under: Internet, Security

Senate to outlaw phishing (again) while stripping away domain privacy

Despite the fact that phishing is already illegal, some senators felt that it needed to be made a little more illegal. A bill (PDF) introduced by three senators, including Alaskan Senator Ted Stevens of "series of tubes" fame, seeks to outlaw phishing all over again, as well as make it illegal for people to mask or hide their private information if they own domain names.

Specifically, if the bill passes, any domain that is used for any "commercial activity" must have the owner's correct contact information available. So, technically, this could mean that even an anonymous blog running ads to pay for its servers could potentially be at risk of breaking the law if it doesn't cough up the information.

Besides the fact that this is almost no different than trying to introduce a new bill that will fine people for speeding on the road, this bill appears to be a self-serving tool so that someone can say that they tried to crack down on phishing and Internet fraud and add that they have fought the good fight. Way to look out for the people.

Or maybe we're wrong, and doubling up legislation to make extra sure that it is illegal is a good idea - especially while stripping away more layers of privacy.

[via Techdirt]

Filed under: Security

Six steps to securing your computer, or your family's

Face it, as a geek you get asked all the time to fix this, or reload that. We're always looking for ways to streamline that process, educate our family or friends and leave more time for ourselves to play World of Warcraft read.

Michael Wales put together an excellent 6 step security briefing that even your mom can understand. Covering the basics like Phishing, Antivirus, Automatic Updates and Spyware, it's sure to clear up some of the glassy-eyed looks you get when you try and explain how those pop-ups keep appearing.

Filed under: Internet, Security

Twenty years for a phisher

What's better than spam? How about seeing a man found guilty of operating a phishing scheme face 101 years in prison? A 45-year-old man in California was recently found guilty of posing as AOL's billing department and tricking people into giving him their credit card information, by using hacked Earthlink accounts and fraudulent web pages. Under the glorious Can-Spam Act, this guy has been convicted on multiple counts including wire fraud and misuse of AOL trademark. So if you have noticed a little decrease in the amount of spam in your inbox, most likely it stems from cases like this. With the government taking spam issues extremely seriously and laying down the law, it seems as though fewer and fewer spammers and phishers are in operation. Look out for final sentencing information that will be announced on June 11th for this case.

Filed under: Security, Web services, Social Software

Phishing's new target: MySpace

Thought phishing was just a problem for banks and PayPal, did you? Well, it's entered a new territory: MySpace. And it's got some new tricks up its sleeve. MySpace's iconic Tom Anderson has made a post describing the new attacks that con users into divulging their MySpace username and password. What's interesting about the attacks is that, unlike most phishing sites (which must exist on a site other than the official site and whose fake URLs need a keen eye to be identified), these exploit MySpace's customization features to make an ordinary profile at profile.myspace.com look exactly like the official login page. You can see a screenshot of one such phishing profile here. You'll notice that the URL begins with profile.myspace.com rather than the legitimate login.myspace.com, but the page is otherwise indistinguishable from an ordinary MySpace login prompt.

So what are evil phishers using the passwords they collect for? Spamming, of course. Once a phisher has a user's login info they use it to post spam comments and send spam bulletins to that user's friends. How original.

Anderson's advice to MySpace users is that whenever they see a login form they should go to www.myspace.com instead of entering their username and password, which is, in my opinion, no solution at all. It just compounds MySpace's already-jarring interface problems. By allowing arbitrary CSS in MySpace profiles, MySpace has created a huge problem for itself that's going to take a very creative solution.

Filed under: Internet, Security, E-mail, Web services

PhishTank: Open phishing site database

This week the folks behind OpenDNS launched PhishTank, a new database for tracking and defending against phishing sites. It's a pretty slick-looking site that allows you to submit suspected phishing sites and verify (or not) sites that other people have submitted. What really sets PhishTank apart, though, is that the database is totally open via a free API. This is intended to allow developers to build anti-phishing tools into their own programs and web apps at no cost. I've really been enjoying OpenDNS over the past few months, so I hope PhishTank will become as mature and useful.

[Via Paul Stamatiou]

Filed under: Internet, Security

Phishing, fighting it, and Netcraft's toolbar

Brian Krebs of the Washington Post writes about how banks and other financial institutions are stopping phishers by disallowing the use of their logo and website images via a white-listing technology for outgoing image links. This forces phishers to actually do some work if they want to duplicate the website, since the bank swaps the real images with a fraud warning image. The phishing site thinks it has displayed the image, but it has been duped into using an image that alerts consumers not to use the site. Pretty smart of banks, don't you think? Brian also mentions Netcraft's anti-phishing toolbar, and its near-flawless detection of phishing sites. Personally, I haven't used it, but wanted to see if you had heard of it, and if it is any good. Brian seems to think so.

Filed under: Internet, Security, Windows

IE7 vs. Firefox 2: Which is more secure?

Both Firefox 2 and Internet Explorer 7, both in beta, are being positioned by their makers as the most secure web browsers for Windows, but which is really the best? ZDNet's Ed Bott has written an in-depth comparison of the two browsers' security features, which covers not only code vulnerabilities, but phishing and malware as well. Bott doesn't indicate a clear winner, instead concluding that "Both IE7 and Firefox 2 add extra layers of protection and provide additional information to users to help them make intelligent decisions. In the final analysis, though, no browser can force a user to make smart or sane decisions. They can only point the right way." The article, which includes a big screenshot gallery of the browsers' screenshot features, is definitely worth a read if you're following this second round of the browser war, or if you're just trying to figure out what browser to recommend to your mom (mine uses Firefox).

Filed under: Internet, Web services, Freeware

OpenDNS: Teaching the DNS dog new tricks

Every one of us uses DNS every time we connect to the internet, yet it's been decades since anyone has made any improvements to the end-user experience. In case you're scratching your head (or saying, "DNS? Isn't that the thing that happens when Internet Explorer can't connect?"), DNS is the system that, among other things, translates the addresses you type into your browser into the IP numbers that let your computer connect to web (or e-mail, or IM, etc.) servers. So how can such a basic service be improved for the end-user? Direct your gaze toward OpenDNS, which adds some features to DNS that immediately make the lives of users easier. In particular, it adds phishing protection and address spell-checking to every web site request your browser makes, without you having to install any software. All you have to do is configure your browser or OS to point to OpenDNS' DNS servers, and the next time an email points you to a phishing site, OpenDNS will block it, and the next time you accidentally type downloadsquad.cmo, OpenDNS will automatically direct you to .com. On top of that, OpenDNS claims to be faster than other DNS servers. On top of that, you can configure which features you want to use (e.g. if you don't want phishing protection, turn it off) without even registering. It's also totally free to use--OpenDNS makes money by placing advertisements on those typo pages. WordPress developer Matt Mullenweg wrote a mini-review of the service and says it's "a great idea, well-executed" and "invisible in all the right ways." I'm sold.
