socialengineering
Latest
Fifth 'Celebgate' account hijacker sentenced to 34 months in prison
The "celebgate" photo leaks might be years old by now, but that isn't stopping the courts from doling out stiff punishment for the account hijacks. A federal judge has sentenced Chris Brannan to 34 months in prison after he pleaded guilty to identity theft and unauthorized access charges. He admitted to compromising the iCloud, Facebook and Yahoo accounts of 200 targets through both phishing attacks as well as social engineering (where he researched targets to answer their security questions).
When your Uber driver is a spy
Like other migrating beasts, hackers travel huge distances for feeding, breeding, and breaking things every summer -- at Defcon in Las Vegas. The way they move about the city is driven primarily by the availability of free booze at corporate parties or the convenience of air-conditioned infosec habitats; the heat makes them torpid. As such, everyone takes taxis, Ubers, and Lyfts everywhere, day and night.
Your timely reminder: Not all hacking requires a computer
The public perception of hacking involves a shadowy figure in a hoodie hunched over a laptop, tapping furiously while a waterfall of glowing green text fills the screen. Also he's probably listening to industrial music. First off, that's a ridiculous caricature, and more important, not all intrusions are the result of someone banging away on a keyboard to "hack the network." Exploiting the vulnerabilities of a company can simply involve picking up a phone, chatting with a few people or memorizing a few tones.
Pros weigh in on phishing the White House
Just before Anthony Scaramucci's 15 minutes -- er, I mean 10 days -- of White House fame were up, a man in the UK (who imaginatively calls himself "Email Prankster") had some choice words with him via email. Nothing weird there you think? Except that he did it while posing as former White House Chief of Staff Reince Priebus. Not that getting "the Mooch's" metaphorical goat was expected to be difficult. Especially after he went ballistic on New Yorker reporter Ryan Lizza for merely mentioning his enemies. No, the remarkable thing was that Scaramucci was one of many the prankster fooled among Trump's totally cyber-savvy and not-chaotic White House cabinet of curiosities.
Google slaps 'repeat offender' tag on unsafe sites
Google is closing a loophole in its Safe Browsing search policy. While it already flags sites that violate its malware, phishing and other policies, bad actors can temporary halt those activities. Then, once the warnings are removed, they resume, and unsuspecting searchers are none the wiser. Starting today, however, Google is flagging such sites as "repeat offenders," and webmasters won't be able to appeal the warnings for 30 days.
Even Snapchat falls victim to phishing attempts
Snapchat bragged about its eight billion daily video views on Monday, but over the weekend something happened that the ephemeral social app is probably less enthusiastic to admit: it's just as susceptible to phishing attempts as anyone else. A post on the company's blog says that last Friday someone impersonating the ghostly app's CEO emailed the payroll department and requested and received information about some of its staff.
Google keeps you safe from sneaky download buttons on the web
For years now, Google's been working hard to make the internet less dangerous. That's why the company has announced a new feature to strengthen its Safe Browsing initiative. The goal with this one, Google says, is to protect users from deceptive embedded content on the web, such as sketchy advertising banners with fake download buttons. From here on out, if a site's trying to be sneaky, you'll see the warning pictured above.
Amazon accused of handing out its users' personal data
Eric Springer is not happy, mostly because he believes that Amazon let a nefarious type get at his account. In a blog over at Medium, Springer revealed that he was the victim of a "social engineering" hack that exposed his details to an unnamed third party. With just a rough idea of Springer's location and his email address, the attacker tricked a customer services rep to give up almost all of his personal information. The attacker was subsequently able to use this data to trick Springer's bank into sending out a copy of his credit card.
Fraudsters take advantage of banks' weak Apple Pay identity checks
A mobile payment system is only as secure as its weakest link... and in the case of Apple Pay, it's the banks' ability to verify who you are. The Guardian has learned that thieves are setting up iPhones with stolen IDs and taking advantage of lackadaisical identity checks (often just a part of the social security number) to provision victims' cards for Apple Pay. After that, it's open season -- crooks just have to claim that the legitimate card owner is on a trip to go on a shopping spree.
Want to hijack people's PCs? Pay them a few cents
Apparently, hackers wanting to control PCs are wasting their time with elaborate botnets and vulnerability exploits -- all they may really need is some pocket change. A study found that between 22 to 43 percent of people were willing to install unknown software on their PCs in return for payments ranging from a penny to a dollar, even when their OS flagged the app as a potential threat that required permission to run. While you might think that respondents would naturally be a bit suspicious, that wasn't usually the case. As researcher Nicolas Christin notes, just 17 people out of 965 were running virtual machines that limited the possible damage; only one person went in fully expecting trouble, according to exit surveys.
Trojan targets Linux desktop users, steals web banking info
Malware certainly exists for Linux, but it's more frequently targeted at servers than everyday PCs. Unfortunately, regular users now have more reason to worry: a rare instance of a Linux desktop trojan, Hand of Thief, has surfaced in the wild. The code swipes banking logins and other web sign-in details, creates a backdoor and prevents access to both antivirus tools and virtual machines. It's known to work with common browsers like Chrome and Firefox as well as 15 Linux distributions, including Debian, Fedora and Ubuntu. Thankfully, Hand of Thief is partly neutered by its limited attack methods; it relies on social engineering to fool victims into installing the software themselves. Even so, the trojan is a reminder that we shouldn't be complacent about security, regardless of which platform we use. [Thanks, Dreyer]
Amazon, Apple stop taking key account changes over the phone after identity breach
By now, you may have heard the story of the identity 'hack' perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone -- and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn't been as direct about what's going on, but Wired believes there's been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required. Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren't followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.
