On August 1st, US-CERT published an advisory titled, “TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations”. One of the vulnerabilities leveraged in these new phishing campaigns is a use-after-free (UAF) vulnerability in Adobe Flash (CVE-2015-5119). This vulnerability is particularly interesting because it was leaked as a result of the hack and subsequent dump of HackingTeam’s email and source code. What is interesting here is not the existence of the vulnerability, but how this case underlines the massively asymmetric situation that defenders find themselves in. Read more
We have discovered a new fraud trend taking place in Japan and China. The scheme consists of completely fake e-commerce sites, solely created with the intention of stealing credit card information from the buyers (victims). These sites don’t actually sell anything – they are designed for the sole purpose of capturing credit card data, to be used fraudulently elsewhere.
The following images capture different shopping sites, featuring products with a wide range of prices and brands, advertising different payment methods, including major credit cards like Visa and Mastercard, as well as alternative methods like Western Union.
Detect Safe Browsing (DSB), our secure browsing solution, now makes it even easier to defend users against the advanced malware that enables man-in-the-middle and man-in-the-browser attacks. Previous editions of Detect Safe Browsing enabled organizations to get real-time visibility into the security of the end-user device, including information on whether the device contained any malware that might give cybercriminals the ability to perform fraudulent transactions. Read more
According to a recent study, 62% of companies were subject to payments fraud in 2014, with 19% of organizations losing more than $250,000. In addition to tangible losses, there’s negative impact that can’t be measured including stockholder trust, employee morale and most importantly, the reputation of the company and its ability to gain and/or retain business. Read more
The e-mail reads, “Click here to download your report.” It appears to be from a credible source, but the link leads to a website created solely for the purpose of information theft. Cybers-cammers strike again using phishing e-mails to trick recipients into clicking on links and typing in their personal information. In most instances the user has no idea they have walked right into a trap. According to findings recently released by Intel Security, 97% of people globally are unable to correctly identify phishing e-mails. Read more
Fortune Magazine penned an article recently, on how banks are putting hacked credit cards on ‘watch lists’, rather than canceling them immediately, thereby helping banks (and therefore their end users), reduce the overall cost of fraud to an organization. Read more
For the greater part of 2015, both the FBI and the U.S. Secret Service have issued warnings that 2015 could be the year of Spear Phishing. Recently, the U.S. Secret Service issued a new bulletin, warning again that they are seeing a “significant increase in the frequency, sophistication, and fraud losses” associated with these new attacks. Read more
After much effort on behalf of a coalition of organizations and individuals to build security requirements around the generic top-level domain (gTLD) “.bank”, banks will be able to register their unique gTLD starting today (June 24). Now it’s up to the financial services institutions themselves to ensure that customers and organizations benefit from the domain, which advocates assert is more secure than .com. Read more
Last week, millions of government employees were probably quite nervous to hear that their personal data had been stolen by hackers (likely from China), who gained access to a trove of data from the Office of Personnel Management. This week, the same office is opening up even more government employees to more risk, based on their response to the breach. The OPM announced that they will notify all impacted individuals by email, which makes not only the affected individuals, but also anyone else who is worried that they might be affected, now a ripe target for a phishing attack.