I am quite surprised at how inventive people can be when it comes to thinking up weak passwords. The obviously weak combinations like ‘1234’ or ‘qwerty’, along with names and phone numbers, are quite common parts of passwords.
The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identities of users of Russian social networks. A routine task, you might say. This time the authors were less cautious with the settings on their rogue servers, so I managed to get hundreds of freshly-stolen credentials. What to do with them? The first thing I tried was contacting the support of the affected social network to get users warned and passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users on the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.
Once I cleaned up the data, I was left with about 850 unique username-password pairs. This is not enough data for the results to be broadly representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected, so I expect the general reality to be a bit better than my results. Though my findings are not scientifically rigorous, they can give us some insight into the problem and show us examples we should avoid when choosing our passwords. Read more…
A low-tech type of identity theft is threatening Facebook users in South Africa. Facebook “cloning” has been around for years, but has had a revival this past week. We learned about it in a personal way – the brother of an Avast colleague, Richard B. from South Africa, had his profile cloned and notified Richard.
The way it works is that a cybercrook copies the victim’s profile photos, then uses them to create fake accounts. Then, using the victim’s details, friendship requests are sent to the victim’s friends. The clue that something fishy is happening comes when you receive a request from someone you thought you had already ‘friended’. One Facebook user explained in an article on ENCA.com that he received a friendship request from his sister while she was sitting next to him.
Cloned accounts can be used to send spam messages, initiate scams, and possibly steal personal information that could be used for more serious identity theft. In the recent cases, there are reports that once the request has been accepted, the scammer starts soliciting money from ‘friends’.
It can also be used for social media sabotage. An experiment conducted in 2011 showed that the implications of this type of social engineering range from mere trickery to damaging reputations. You see, through the ‘trusted friends’ password recovery feature, it is possible for someone to reset your password and gain access to your account.
Check your privacy settings and be cautious about who you friend and what you share. This video explains the recent attacks and how to avoid having your profile cloned.
How’s this for a good phishing scam? Everything seems legit:
1. From email is “email@example.com”
2. No misspelled words and decent grammar (though some inconsistent punctuation)
3. Copyright (c) symbol next to the university name
4. Gmail did not filter it as spam, but left it in my normal inbox
Yes, if I had ever attended that particular university, I might have fallen for it.
PLEASE NOTE: University of Texas has nothing to do with this email.
It’s that time of year again for Americans. You have received your W-2 and are eager to file your tax return, especially if you anticipate a refund. Every year, the Internal Revenue Service (IRS) warns taxpayers to beware of phishing scams used by con artists to steal your identity, cash, and sense of security. This year is no different.
Phishing takes many forms, but usually involves unsolicited email or messages via social media and a fake website that poses as a legitimate site. The danger is that if you follow the link the scammers provide, you could end up with a malware infection, such as a Trojan that logs your keystrokes and allows a hacker to gain access to your bank accounts, or you could provide valuable personal and financial information that exposes you to identity theft. Here are some recent examples:
Classic phish: Last tax season, a bogus email warned recipients they would be penalized up to $10,000 for not filing their taxes by a false deadline of January 31st. They were instructed to follow a link which went to a phony site that appeared to be the official IRS website. They were asked to provide personal or financial information that could be used by scammers and identity thieves.
Don’t be misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. Read more…
Question of the Week: I’m a gamer who also banks and shops online. Am I at risk for identity theft?
Your activities online can potentially make you more vulnerable to identity theft. How many times a month do you access your bank account online? How many email addresses do you have? Do you like to try previews of new games? These questions can help you determine your exposure to identity theft.
According to the Federal Trade Commission, it takes people an average of six months and 200 hours to recover from identity theft.
StaySafeOnline, the organization behind National Cyber Security Awareness Month, of which Avast is a proud champion, has an Online Identity Risk Calculator that can help you know if you’re at risk. Players answer some questions to find their personal identity risk score and get practical tips on keeping their online identity protected. Play now!
Cybersecurity begins with STOP. THINK. CONNECT. These three simple steps are the starting point for staying safer and more secure online.
- STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems. An obvious step is to install antivirus protection. For the risk-averse, we suggest avast! Internet Security with SafeZone, an isolated environment that keeps your sensitive transactions private.
- THINK: Take a moment to be certain the digital path ahead is clear. Watch for warning signs and consider how your online actions could impact your safety or your family’s.
- CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.
Avast Software is proud to be a champion that supports National Cyber Security Awareness Month with news and tips on how, together, we can make a safer digital society.
Recently, we’ve noticed an unusual number of legitimate domains showing up in our URL filters as serving malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.
All of the referring links came from the Russian Odnoklassniki server, a quite popular Russian social network. Users of that network are receiving fake messages with links to photos.
As we have recently mentioned on our blog, October is National Cyber Security Awareness Month. And I’m sure we will post more to raise awareness of the risks you personally face, the risks to the institutions you do business with, and to the government itself.
Today, though, I want you to start to broaden your outlook on this issue. While you are getting acquainted with new threats like nation-state funded attacks, cyber-terrorism, and hacktivism, I’d also ask you to look at some of the things our legislatures have been proposing in the name of cybersecurity. This includes early efforts to protect critical industry sectors such as our energy grid or banking systems against cyberattack, and requirements that we move beyond passwords when we access Web sites where we perform transactions or access personal data. As all these initiatives come with costs, none have universal support. But some cybersecurity proposals have generated more controversy than others, including the SOPA and PIPA bills, which coddled the media industry by conflating digital piracy with cybersecurity and whose proposed remedies would have created a regime of censorship, and the federal development and control of a so-called “Internet Kill Switch”.
There will continue to be a lot going on here legislatively, and anything that changes the government’s role in the Internet will affect you as well. So let’s also do our job as responsible, informed citizens. Let’s make October National Cybersecurity Policy Awareness Month. Let’s get educated, and involved.
I’ve kept a NETWORKWORLD.com article open in my web browser for the last 9 days, hoping to have time to read it. Today I finally did read it, and it’s worth sharing. And, it was actually short enough that I could’ve read it 9 days ago.
Among the largest data breaches you’ll find: credit card companies, government agencies, utility companies, universities, and hospitals.
Read more here, initial data courtesy of Identity Theft Resource Center: http://www.networkworld.com/slideshow/52525
If your organization needs great network security, take a look at our new line of avast! Endpoint Protection.
An estimated $465 billion will be spent this holiday season. A big chunk of a family’s expenses comes from holiday travel. The American Automobile Association (AAA) projects that U.S. travel during the Christmas and New Year’s holiday weekends will increase 1.4 percent from 2010 to the highest level in five years. Cybercrooks create new travel scams and recycle tried-and-true ones to relieve you of some holiday cash. Here’s a run-down of some popular travel scams, and what you can do to avoid them, while you prepare to visit Grandma or go skiing this Christmas.
Gasoline Rebate Card
Eighty-three million travelers will take to the open road rather than fly the friendly skies this holiday season, and they’re all looking for the cheapest gas station. The average nationwide price of regular gasoline has increased 6.2 percent to $3.264 a gallon this week, according to AAA data. Attractive offers for free gasoline vouchers and rebates are sent to mailboxes, email accounts and offered by telemarketers. The idea is that you activate your account on the phone or through online registration, sometimes pay a registration fee (red flag!), buy a certain amount of gas from a certain brand, then send in the receipts within a certain time, and supposedly get rewarded for following directions well with a gift card for free gasoline. Only it doesn’t work that way. Consumers never receive the gift cards and have willingly given away personal information. Read more…
The holiday season brings a flurry of email scams to inboxes everywhere. Be aware of these popular ones, so the CyberGrinches don’t steal your Christmas.
The six weeks between Thanksgiving and New Year’s is the traditional “giving season” in the United States. According to a recent holiday giving survey, the average holiday donation this year will be $281. People who give online said they would contribute even more, an average of $378, and scammers are out to get a portion of that. Read more…