msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.

An anonymous reader writes with the question in the title: does your ISP do a decent job culling spam? The reason I'm asking is that my ISP is Verizon and the Verizon spam filter is next to useless. It only blocks 15% of spam while also blocking 5% of legitimate emails. I've tried calling Verizon support a couple of times and the experience is about as pleasant and productive as banging my head on a wall. At this point I think my best move is to change ISP, but before I go around changing my email address at probably dozens of web sites I'd like to be sure that a new ISP would actually be better.

An anonymous reader writes with a report from Help Net Security which assigns some numbers to the lucrative fraud-by-phone business in the U.S. -- and it's not just the most naive who are vulnerable. "Phone fraud continues to threaten enterprises across industries and borders, with the leading financial institutions' call centers exposed to more than $9 million to potential fraud each year," says the article. "Pindrop analyzed several million calls for threats, and found a 30 percent rise in enterprise attacks and more than 86.2 million attacks per month on U.S. consumers. Credit card issuers receive the highest rate of fraud attempts, with one in every 900 calls being fraudulent."

What's been your experience with fraudulent robocalls? I've been getting them on a near-daily basis -- fake credit card alerts, "computer support" malware-install attempts, and more -- for a few years now, which makes whitelisting seem attractive. ("Bridget from account services" has been robo-calling a lot lately, and each time she says it is my final notice.) My biggest worry is that the people behind these scams, like spammers, will hire copywriters who can fool many more people.

so.dan writes: The CTO of Fight for the Future — the non-profit activism group behind Battle for the Net, Blackout Congress, and Stop Fast Track — Jeff Lyon, is seeking advice regarding a problem with facing the website they created — stopfasttrack.com — to fight the secret Trans Pacific Partnership trade deal.

The site been blacklisted by Twitter, Facebook, and major email providers as malicious/spam. Over the last week, nobody has been able to post the website on social networks, or send any emails with their URL. Lyon has posted a summary of the relevant details on Reddit in the hope of obtaining useful feedback regarding what the cause might be. However, none of the answers there right now seem particularly useful, so I'm hoping the Slashdot community can help him out by posting here.

Lyon indicates that the blackout has occurred at a particularly crucial point in the campaign to kill the TPP, as most members of the House of Representatives would likely vote against it were it brought to a vote now, and as pro-TPP interests have started to escalate their lobbying efforts on the House to counteract what would otherwise be a no vote.

jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on it that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.

An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.

An anonymous reader writes: The BBC, BuzzFeed, NBC, The New York Times and National Geographic are among some of the publishers which will post news items directly to a Facebook user's timeline thanks to a new feature called Instant Articles. Chris Cox, Facebook’s chief product officer, says the program will allow publishers to “deliver fast, interactive articles while maintaining control of their content and business models.” Under the terms of the plan, publishers can sell and embed ads in the articles and keep the revenue, or allow Facebook to sell ads. Publishers will also be allowed to track data and traffic with their own analytics tools.

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

An anonymous reader writes: Software engineers suffer from a problem that most other industries wish they had: too much demand. There's a great story at the Atlantic entitled Imagine Getting 30 Job Offers a Month (It Isn't as Awesome as You Might Think). This is a problem that many engineers deal with: place your resume on a job board and proceed to be spammed multiple times per day for jobs in places that you would never go to (URGENT REQUIREMENT IN DETROIT!!!!!, etc). Google "recruiter spam" and there are many tales of engineers being overwhelmed by this. One engineer, fed up by a lack of a recruiting spam blackhole, set up NoRecruitingSpam.com with directions on how to stop this modern tech scourge. Have you been the victim of recruiting spam?

As GameSpot reports, Valve has implemented a policy that reduces the privileges of Steam users unless those users have spent $5 through the service. Along the same lines as suggestions to limit spam by imposing a small fee on emails, the move is intended to reduce resource abuse as a business model. From the article: "Malicious users often operate in the community on accounts which have not spent any money, reducing the individual risk of performing the actions they do," Valve said. "One of the best pieces of information we can compare between regular users and malicious users are their spending habits as typically the accounts being used have no investment in their longevity. Due to this being a common scenario we have decided to restrict certain community features until an account has met or exceeded $5.00 USD in Steam." Restricted actions include sending invites, opening group chats, and taking part in the Steam marketplace.

crazyhorse44 that the Federal Trade Commission announced this week that it is launching two new robocall contests challenging the public to develop a crowd-source honeypot and better analyze data from an existing honeypot. A honeypot is an information system that may be used by government, private and academic partners to lure and analyze robocalls. The challenges are part of the FTC's long-term multi-pronged effort to combat illegal robocallers and contestants of one of the challenges will compete for $25,000 in a top prize. As part of Robocalls: Humanity Strikes Back, the FTC is asking contestants to create a technical solution for consumers that will identify unwanted robocalls received on landlines or mobile phones, and block and forward those calls to a honeypot. A qualifying phase [launched Wednesday] and runs through June 15, 2015 at 10:00 p.m. ET; and a second and final phase concludes at DEF CON 23 on Aug. 9, 2015.

zentigger writes Canadians rejoice! It looks like the new anti-spam regulations might actually have some teeth! Today, the CRTC issued a $1.1 million fine to Compu-Finder for violating Canada's anti-spam legislation by sending commercial emails without consent, as well as messages in which the unsubscribe mechanisms did not function properly. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted.

msm1267 (2804139) writes Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim's web traffic to a hacker-controlled webserver, usually through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Proofpoint reported on the latest iteration of this attack, based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country's largest telecommunications companies.

TechCurmudgeon sends this excerpt from an article at Wired: Aaron Foss won a $25,000 cash prize from the Federal Trade Commission for figuring out how eliminate all those annoying robocalls that dial into your phone from a world of sleazy marketers. ... Using a little telephone hackery, Foss found a way of blocking spammers while still allowing the emergency alert service and other legitimate entities to call in bulk. Basically, he re-routed all calls through a service that would check them against a whitelist of legitimate operations and a blacklist of spammers, and this little trick was so effective, he soon parlayed it into a modest business. Last year, his service, called Nomorobo, blocked 15.1 million robocalls.

itwbennett writes Fujitsu Laboratories is developing an enterprise tool that can identify and advise people who are more vulnerable to cyberattacks, based on certain traits. For example, the researchers found that users who are more comfortable taking risks are also more susceptible to virus infections, while those who are confident of their computer knowledge were at greater risk for data leaks. Rather than being like an antivirus program, the software is more like "an action log analysis than looks into the potential risks of a user," said a spokesman for the lab. "It judges risk based on human behavior and then assigns a security countermeasure for a given user."

samzenpus (5) writes "Alexander Stepanov is an award winning programmer who designed the C++ Standard Template Library. Daniel E. Rose is a programmer, research scientist, and is the Chief Scientist for Search at A9.com. In addition to working together, the duo have recently written a new book titled, From Mathematics to Generic Programming. Earlier this month you had a chance to ask the pair about their book, their work, or programming in general. Below you'll find the answers to those questions."

An anonymous reader writes There have been plenty of false rumors about cell phones being opened up to telemarketers, but now the FCC is actually considering it. From the article: "Consumers have long had the support of government to try to control these calls, chiefly through the Telephone Consumer Protection Act, which actually allows consumers to file lawsuits and collect penalties from companies that pepper them with robocalls or text messages they didn't agree to receive. But now the Federal Communications Commission is considering relaxing a key rule and allowing businesses to call or text your cellphones without authorization if they say they called a wrong number. The banking industry and collections industry are pushing for the change." In one case recently, AT&T called one person 53 times after he told them they had a wrong number...and ended up paying $45 million to settle the case. Around 40 million phone numbers are "recycled" each year in the U.S. Twice, I've had to dump a number and get a new one because I was getting so many debt collection calls looking for someone else. Apparently the FCC commissioners may not be aware of the magnitude of the "wrong number" debt collection calls and aren't aware that lots of people still have per-minute phone plans. Anyone can file comments on this proposal with the FCC.

HughPickens.com writes: It's common knowledge the NSA collects plenty of data on suspected terrorists as well as ordinary citizens, but the agency also has algorithms in place to filter out information that doesn't need to be collected or stored for further analysis, such as spam emails. Now Alice Truong reports that during operations in Afghanistan after 9/11, the U.S. was able to analyze laptops formerly owned by Taliban members. According to NSA officer Michael Wertheimer, they discovered an email written in English found on the computers contained a purposely spammy subject line: "CONSOLIDATE YOUR DEBT."

According to Wertheimer, the email was sent to and from nondescript addresses that were later confirmed to belong to combatants. "It is surely the case that the sender and receiver attempted to avoid allied collection of this operational message by triggering presumed "spam" filters (PDF)." From a surveillance perspective, Wertheimer writes that this highlights the importance of filtering algorithms. Implementing them makes parsing huge amounts of data easier, but it also presents opportunities for someone with a secret to figure out what type of information is being tossed out and exploit the loophole.

jfruh writes Since the middle of December, visitors to sites that run Google AdSense ads have intermittently found themselves redirected to other sites featuring spammy offerings for anti-aging and brain-enhancing products. While webmasters who have managed to figure out which advertisers are responsible could quash the attacks on their AdSense consoles, only now has Google itself managed to track down the villains and ban them from the service.

An anonymous reader writes Recent research has identified that only one in ten cloud apps are secure enough for enterprise use. According to a report from cloud experts Netskope, organizations are employing an average of over 600 business cloud apps, despite the majority of software posing a high risk of data leak. The company showed that 15% of logins for business apps used by organizations had been breached by hackers. Over 20% of businesses in the Netskope cloud actively used more than 1,000 cloud apps, and over 8% of files in corporate-sanctioned cloud storage apps were in violation of DLP policies, source code, and other policies surrounding confidential and sensitive data. Google Drive, Facebook, Youtube, Twitter and Gmail were among the apps investigated in the Netskope research.