archives
October 2009

Hmmm, Phishing Works

Specifically spear-phishing, where the target is deliberately selected, as opposed to a random untargeted attack. An article at Dark Reading.com discusses the entirely unsurprising results of a test that concluded that the iPhone, BlackBerry, and Palm have essentially no protection against spear-phishing attacks. http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=221100150&cid=nl_DR_WEEKLY_T LinkedIn was used as the service to send a fake invitation

False Positives: A Round of Applause…

The anti-malware industry isn't a suitable environment for the thin-skinned. We get used to receiving "more kicks than ha'pence" (see http://www.virusbtn.com/spambulletin/archive/2006/11/vb200611-OK).. In particular, I've grown accustomed to the fact that many people expect all the following from an AV product: Absolute Protection Absolute Convenience Absolutely no  False Positives Absolutely no charge False positives (FPs) are

Banks and Credit Card Companies are Funding Cybercrime

For many years banks and credit card vendors have accepted that there will be some amount of fraud and built those costs in to the operational model. The thinking goes that if the loss is small enough then it isn’t worth pursuing so they simply pass the cost on to the public through fee structures,

Halloween: There’s Something Scary In Your Search Engine

We told you to watch out, didn't we? (see Randy's blog at http://www.eset.com/threat-center/blog/2009/10/23/this-is-the-funniest-video-ever). But it's not just Michael Myers, zombies and vampires you need to watch out for. It's also Funny Halloween Costumes, Harvey Milk, Pumpkin Carving Stencils, candy, Pokemon, and McDonalds Monopoly online. Yes, the fake/rogue AV gang have started on their Halloween special,

Fake Anti-Malware: Blurring the Boundaries

It won’t come as a surprise to regular readers of this blog that there’s a lot of fake/rogue anti-malware about. (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media. That’s to be expected: journalists tend to love facts and figures. Anti-malware

A Phish or a Real Email

One of the problems about trying to teach people to avoid Phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links in them. As a rule I tell people not

THIS IS THE FUNNIEST VIDEO EVER!!!!!!

  Oh brother, don’t tell me you fell for that one! All capital letters, lots of exclamation marks, the classic signs of bad news. Yeah, Halloween is around the corner and it is about time for the fake e-cards to make their rounds and the emails with links to “videos” that are not really videos

Fake Windows Update

[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft’s update site, but is clearly not to be trusted. So the

You’ve Got Bot!!!

  Comcast has announced that they are trialing a new service that alerts users when their computers are infected. You can read about it here: http://news.cnet.com/8301-27080_3-10370996-245.html. Essentially what happens is that when Comcast notices traffic that looks like bot related traffic they will pop up a message on the subscriber’s computer that indicates there is

National Cyber Security Month

  October is National Cyber Security month. Groups like the National Cyber Security Alliance are promoting awareness of cyber security. On Tuesday at 11 AM Eastern Daylight Time (8 AM PDT and 4 PM GMT) Department of Homeland Defense Secretary Janet Napolitano will be giving a speech that will be broadcast live at www.dhs.gov.  

Extended Validation SSL

  We received and interesting comment in reply to the blog post http://www.eset.com/threat-center/blog/2009/10/13/phishing-the-fbi-and-terror. Joseph A’Deo, who apparently works for Verisign, mentioned the use of extended validation SSL (EV SSL). I am sure that some of you are familiar with EV SSL. Some of you have seen the results of it and perhaps not noticed. Some

Antivirus? Who Needs It?

I came across an interesting article today on "Breaking the conventional scheme of infection" at the evil fingers blog site. Actually, it’s by my colleague in Argentinia, ESET Latin America Security Analyst, Jorge Mieres, but I didn’t realize that at first. (The original blog is in Spanish, and if your command of that language is

So What Is AMTSO Compliance?

The AMTSO (Anti-Malware Testing Standards Organization) meeting in Prague, which took place at the beginning of this week, proved to be rather more exciting than you might expect from a group with the word "Standards" in its name. One of the issues that caused particularly lively debate centred around the question of what constitutes AMTSO

Windows, Online Banking, and Phishing

Yesterday I posted a blog about the Director of the FBI claiming to no longer use online banking at all because he almost feel for a phishing attack. A response to the blog suggested not using Windows for online banking and linked to Brian Krebs http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html and Michael Horowitz http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc Both of these articles discuss

Phishing, the FBI, and Terror

In a recent speech given by Robert S. Mueller, III, Director of the FBI, he claimed that he had almost been the victim of a phishing attack targeting his bank account. Mueller went on to say that at his wife insistence he has since given up on-line banking. The article I saw was http://www.eweek.com/c/a/Security/FBI-Director-Nearly-Hooked-in-Phishing-Scam-Swears-Off-Online-Banking-616671/. It’s

Requests for Support

One of the less obvious tasks associated with blogging is that every so often we have to find time to go through the comments that have been posted to our blogs. Inevitably, some are examples of blog spam that have slipped through our filters. Some are comments to blogs we posted long ago, and while

The Truth About Cybercrime

I was quoted last month in an article at PC Retail (http://www.pcr-online.biz/features/305/The-truth-about-cyber-crime), which is nice. However, I just came across the notes I made at the time of the original enquiry/interview, most of which wasn’t used, so here are my full responses to the questions Andrew Wooden asked, in case they’re of interest. (Actually, they’re slightly expanded and I’ve

We’re going on a job hunt…

English Version of HTTPS video

As promised earlier (see http://www.eset.com/threat-center/blog/2009/10/07/https-revisited-spanish-video) an English version of ESET Latin-America’s demonstration video of a phishing attack using HTTPS is now available at http://www.eset-la.com/centro-amenazas/videos/phishing-https-english/.  Those earlier blogs again: http://www.eset.com/threat-center/blog/2009/10/06/ssl-to-certify-web-security-is-not-to-guarantee-it  http://www.eset.com/threat-center/blog/2009/10/04/truth-fiction-and-https   Thanks, Sebastián! David Harley BA CISSP FBCS CITP Director of Malware Intelligence ESET LLC ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog ESET Threatblog notifications on Twitter:

HTTPS revisited – Spanish video

Further to our blogs on HTTPS and SSL certificate issues – see http://www.eset.com/threat-center/blog/2009/10/06/ssl-to-certify-web-security-is-not-to-guarantee-it and http://www.eset.com/threat-center/blog/2009/10/04/truth-fiction-and-https – Sebastián Bortnik has been talking to us today about a video that ESET Latin-America have put together demonstrating a phishing attack using HTTPS. If your Spanish is better than mine, you can check it out here. However, we’ve been working on an

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.