Jargon watch: smishing and vishing

Smishing: phishing with SMSes. Vishing: phishing with voice-response systems. A pair of Romanian hackers have been extradited to the U.S. after allegedly bilking unwitting victims out of more than $18 million in an elaborate voice- and SMS-phishing (i.e., vishing/smishing) scheme. [Tara Seals/Threatpost] (via Beyond the Beyond)

Spam was nearly dead, then it became an essential tool for crime and came roaring back

In the early 2000s, a mix of legislative action, vigorous prosecution and advanced countermeasures looked set to kill spam: the terrible economics of mass-scale marketing could easily be disrupted by even moderately effective curbs.

Unknown hackers have gained near-total control over some US power generation companies

Hacker takeovers of power infrastructure have been seen in Ukraine (where they are reliably attributed to Russian state actors), but now the US power grid has been compromised by hackers of unknown origin, who have "switch-flipping" control -- that is, they can just turn it all off.

How a fishing guide's WordPress site became home to half a million fraudulent pages

Ned Desmond shares the scary story of how a small site he managed that advertised fishing expeditions ended up with 565,192 scam pages. He also suggests five ways to avoid the same fate.

Amnesty: hackers spent months building personas used to phish Qatari labor activists

In a new report, Amnesty International summarizes the security research they did on the victims of a sophisticated phishing attack aimed at Qatari labor activists, dubbed "Operation Kingphish."

It turns out that halfway clever phishing attacks really, really work

A new phishing attack hops from one Gmail account to the next by searching through compromised users' previous emails for messages with attachments, then replies to them from the compromised account, replacing the link to the attachment with a lookalike that sends you to a fake Google login page (they use some trickery to hide the fake in the location bar); the attackers stand by, and if you enter your login/pass, they immediately seize control of your account and attack your friends.

12 days of two-factor authentication: this Xmas, give yourself the gift of opsec

The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms.

Whaling: phishing for executives and celebrities

A fraudster's term of art, "whaling" refers to phishing attempts targeted at "C-level corporate executives, politicians and celebrities" -- it's a play on "phishing" (attacks that trick users into downloading dangerous files or visiting attack sites by impersonating known sources) and "whales" (a term of art from casinos, referring to high-stakes gamblers).

Researchers learn about wire-fraud scam after Nigerian scammers infect themselves with their own malware

In Wire Wire: A West African Cyber Threat, researchers from Secureworks reveal their findings from monitoring a Nigerian bank-fraud ring whose members had unwittingly infected themselves with their own malware, which captured their keystrokes and files and uploaded them to a file-server from which the researchers were able to monitor their activities and methodologies.

EFF and partners reveal Kazakh government phished journalists, opposition politicians

At Defcon, researchers from the Electronic Frontier Foundation, First Look Media and Amnesty International revealed their findings on a major phishing attack through which the government of Kazakhstan was able to hack opposition journalists and arrange for an opposition politician's extradition from exile in Italy to Kazakhstan.

Iranians connected to phishing attempt on tortured Syrian activist

Former Syrian National Council vice-president Nour Al-Ameer fled to Turkey after being arrested and tortured by the Assad regime -- that's when someone attempted to phish her and steal her identity with a fake PowerPoint attachment purporting to be about the crimes of the Assad regime.

Phishing for Bitcoin with fake 0-days

Arriving in my inbox at a steady clip this morning: a series of phishing emails aimed at Bitcoiners, promising that the sender has found a bug in "the Bitcoin client" and promising "Pay 0.07 BTC today, get 10 BTC for 15 hours."

Phishers trick Mattel into transferring $3M to a Chinese bank

Last spring, in the chaos following the firing of Mattel's CEO (who presided over a disastrous slide in Barbie sales), a Mattel finance executive got an email from his new boss, replacement CEO Christopher Sinclair, ordering the transfer of $3 million to a new Chinese supplier.

Security-conscious darkweb crime marketplaces institute world-leading authentication practices

If you are a seller on Alphabay -- a darkweb site that sells "drugs, stolen data and hacking tools," you'll have to use two-factor authentication (based on PGP/GPG) for all your logins.

US Embassy staffer ran a sextortion racket from work computer for 2 years

Michael C Ford has been sentenced to four years and nine months in prison, having pleaded guilty to running a sextortion/phishing operation from his work computer at the US embassy in London for two years.

Phishers make off with W2 tax forms for several thousand Seagate employees

Seagate has emailed its employees and ex-employees to warn them that someone in the company sent their W2 tax data to a criminal who pulled off a successful phishing fraud.

Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House

The spear-phishing attempt appears to be part of "Pawn Storm," a massive attack that's been underway across the net for more than a month, and involved a rare zero-day (previously unknown) Java exploit.
