Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 66

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
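The summary above describes the abuse case: a local program starts the already-installed browser with its headless flag and drives it to pages and ads the user never sees. The following is an added detection example (not code from BleepingComputer or from the Chrome or Firefox projects). It runs over a few constructed, Sysmon-style process-creation records and flags browser launches that carry Chrome's `--headless` or Firefox's `-headless` flag, raising the severity when the parent process is not one of the assumed legitimate automation drivers (node, python, java) or runs from a user-writable directory. The allowlist and sample records are assumptions for illustration.

```python
"""Added example: flag headless Chrome/Firefox launches in process-creation events."""
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "chromium.exe", "firefox.exe"}
# Parents that legitimately drive headless browsers on this (assumed) estate.
EXPECTED_PARENTS = {"node.exe", "python.exe", "java.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
AUTOMATION_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe",
                    "--dump-dom", "--screenshot", "-screenshot")

# Constructed Sysmon-style process-creation records (not real telemetry).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    {"image": CHROME, "parent_image": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
     "command_line": f'"{CHROME}" --headless --disable-gpu --remote-debugging-port=9222 http://ads.example/landing'},
    {"image": CHROME, "parent_image": r"C:\Program Files\nodejs\node.exe",
     "command_line": f'"{CHROME}" --headless --dump-dom https://intranet.example/'},
    {"image": FIREFOX, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": f'"{FIREFOX}" -headless -screenshot https://example.org/'},
    {"image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory=Default'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": '"OUTLOOK.EXE" /recycle'},
]


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_headless(argv):
    """Chrome uses --headless (later also --headless=new); Firefox accepts -headless or --headless."""
    return any(re.fullmatch(r"--?headless(=.*)?", t, re.IGNORECASE) for t in argv)


def analyse(event):
    """Return a finding dict for a headless browser launch, or None."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in BROWSERS:
        return None
    argv = tokens(event["command_line"])
    if not is_headless(argv):
        return None
    parent_path = event["parent_image"]
    parent = PureWindowsPath(parent_path).name.lower()
    reasons = ["headless flag"]
    severity = "medium"
    if parent not in EXPECTED_PARENTS:
        severity = "high"
        reasons.append(f"unexpected parent {parent}")
    if any(d in parent_path.lower() for d in USER_WRITABLE_DIRS):
        severity = "high"
        reasons.append("parent runs from user-writable directory")
    if any(t.lower().startswith(AUTOMATION_FLAGS) for t in argv):
        reasons.append("automation flags present")
    urls = [t for t in argv if re.match(r"https?://", t, re.IGNORECASE)]
    return {"image": image, "parent": parent, "severity": severity,
            "reasons": reasons, "urls": urls}


def scan(events):
    """Run analyse() over a batch of events and keep only the hits."""
    return [f for f in (analyse(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], "<-", finding["parent"],
              "|", ", ".join(finding["reasons"]), "|", " ".join(finding["urls"]))
```

The parent-process check is what separates a CI runner or crawler from the adware scenario in the article: a headless browser spawned by an unsigned binary under AppData, pointed at ad landing pages, is exactly the pattern the summary predicts, while the same flag under node.exe is routine.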
Businesses

How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com) 179

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
Security

New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com) 151

An anonymous reader quotes Engadget: You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan on your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security, the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
Security

Chinese 'Fireball' Malware Infects Nearly 250 Million Computers Worldwide (thehackernews.com) 66

Check Point researchers have discovered a massive malware campaign, dubbed Fireball, that has already infected more than 250 million computers across the world, including Windows and Mac OS. The Fireball malware "is an adware package that takes complete control of victim's web browsers and turns them into zombies, potentially allowing attackers to spy on victim's web traffic and potentially steal their data," reports The Hacker News. From the report: Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide. Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com). "It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."
Communications

FCC Suspends Net Neutrality Comments, As Chairman Pai Mocks 'Mean Tweets' (gizmodo.com) 184

An anonymous reader writes: Thursday the FCC stopped accepting comments as part of long-standing rules "to provide FCC decision-makers with a period of repose during which they can reflect on the upcoming items" before their May 18th meeting. Techdirt wondered if this time to reflect would mean less lobbying from FCC Chairman Ajit Pai, but on Friday Pai recorded a Jimmy Kimmel-style video mocking mean tweets, with responses Gizmodo called "appalling" and implying "that anyone who opposes his cash grab for corporations is a moron."

Meanwhile, Wednesday The Consumerist reported the FCC's sole Democrat "is deploying some scorched-earth Microsoft Word table-making to use FCC Chair Ajit Pai's own words against him." (In 2014 Pai wrote "A dispute this fundamental is not for us five, unelected individuals to decide... We should also engage computer scientists, technologists, and other technical experts to tell us how they see the Internet's infrastructure and consumers' online experience evolving.") But Pai seemed to be mostly sticking to friendlier audiences, appearing with conservative podcasters from the Taxpayer Protection Alliance, the AEI think tank and The Daily Beast.

The Verge reports the flood of fake comments opposing Net Neutrality may have used names and addresses from a breach of 1.4 billion personal information records from marketing company River City Media. Reached on Facebook Messenger, one woman whose name was used "said she hadn't submitted any comments, didn't live at that address anymore and didn't even know what net neutrality is, let alone oppose it."

Techdirt adds "If you do still feel the need to comment, the EFF is doing what the FCC itself should do and has set up its own page at DearFCC.org to hold any comments."
Spam

Nuisance Call Firm Keurboom Hit With Record Fine (bbc.com) 81

An anonymous reader writes: A cold-calling firm has been fined a record $515,000 by the Information Commissioner's Office (ICO) for making almost 100 million nuisance calls. Keurboom Communications called people, sometimes at night, to see if they were eligible for road-accident or PPI compensation, the ICO said. It breached privacy laws by calling people without their consent. The company has since gone into liquidation but the ICO said it was committed to recovering the fine. It said it had received more than 1,000 complaints about automated calls from the Bedfordshire-registered company. The ICO said Keurboom Communications called some people repeatedly and during unsocial hours. It also hid its identity so that people would find it harder to complain. "The unprecedented scale of its campaign and Keurboom's failure to co-operate with our investigation has resulted in the largest fine issued by the Information Commissioner for nuisance calls," said Steve Eckersley, head of enforcement at the ICO.
Advertising

39 Years Ago The World's First Spam Was Sent (mercurynews.com) 60

An anonymous reader writes: Wednesday was the 39th anniversary of the world's first spam, sent by Gary Thuerk, a marketer for Massachusetts' Digital Equipment Corporation in 1978 to over 300 users on Arpanet. It was written in all capital letters, and its body began with 273 more email addresses that wouldn't fit in the header. The DEC marketer "was reportedly trying to flag the attention of the burgeoning California tech community," reports the San Jose Mercury News. The message touted two demonstrations of the DECSYSTEM-20, a PDP-10 mainframe computer.

An official at the Defense Communication Agency immediately called it "a flagrant violation of the use of Arpanet as the network is to be used for official U.S. government business only," adding "Appropriate action is being taken to preclude its occurrence again." But at the time a 24-year-old Richard Stallman -- then a graduate student at MIT -- claimed he wouldn't have minded receiving the message...until someone forwarded him a copy. Stallman then responded "I eat my words... Nobody should be allowed to send a message with a header that long, no matter what it is about."
The article reports that today the spam industry earns about $200 million each year, while $20 billion is spent trying to block spam. And the New York Times even has a quote from the DEC employee who sent that first spam. "People either say, 'Wow! You sent the first spam!' or they act like I gave them cooties."
Security

Security Researcher and Alleged Spam Operator To Square Off In Court In Ugly Lawsuit (bleepingcomputer.com) 56

An anonymous reader writes: River City Media, the company accused of running a huge spam operation, has filed a lawsuit against the security researcher and the journalist who exposed their activities. In a ludicrous lawsuit complaint, the company claims the security researcher didn't just stumble upon its unprotected Rsync server, but "perpetrated a coordinated, months-long cyberattack," during which he skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings to make a name for himself as an elite security researcher. The company claims the researcher accessed Dropbox and HipChat logs, and even its PayPal account, from where he used funds to purchase various domains. The only evidence the company has is that the person who purchased the domains used a ProtonMail email, just like the researcher, who also uses a ProtonMail email. Mind you, this is the same security researcher, Chris Vickery, who discovered a Reuters database of supposed terrorism suspects, national voter databases for various U.S. states and Mexico, and various other companies.
AI

Tiny Changes Can Cause An AI To Fail (bbc.com) 237

Luthair writes: According to the BBC there is growing concern in the machine learning community that as their algorithms are deployed in the real world they can be easily confused by knowledgeable attackers. These algorithms don't process information in the same way humans do; a small sticker placed strategically on a sign could render it invisible to a self-driving car.
The article points out that a sticker on a stop sign "is enough for the car to 'see' the stop sign as something completely different from a stop sign," while researchers have created an online collection of images which currently fool AI systems. "In one project, published in October, researchers at Carnegie Mellon University built a pair of glasses that can subtly mislead a facial recognition system -- making the computer confuse actress Reese Witherspoon for Russell Crowe."

One computer academic says that unlike a spam-blocker, "if you're relying on the vision system in a self-driving car to know where to go and not crash into anything, then the stakes are much higher," adding ominously that "The only way to completely avoid this is to have a perfect model that is right all the time." Although on the plus side, "If you're some political dissident inside a repressive regime and you want to be able to conduct activities without being targeted, being able to avoid automated surveillance techniques based on machine learning would be a positive use."
Facebook

Facebook Targets 30,000 Fake France Accounts Before Election (go.com) 112

An anonymous reader quotes a report from ABC News: Facebook says it has targeted 30,000 fake accounts linked to France ahead of the country's presidential election, as part of a worldwide effort against misinformation. The company said Thursday it's trying to "reduce the spread of material generated through inauthentic activity, including spam, misinformation, or other deceptive content that is often shared by creators of fake accounts." It said its efforts "enabled us to take action" against the French accounts and that it is removing sites with the highest traffic. Facebook and French media are also running fact-checking programs in France to combat misleading information, especially around the campaign for the two-round April 23-May 7 presidential election. European authorities have also pressured Facebook and Twitter to remove extremist propaganda or other postings that violate European hate speech or other laws.
Spam

Airline Fined For Sending 3.3 Million Unwanted Emails (bbc.com) 18

The airline Flybe has been fined £70,000 ($87,000) for sending more than 3.3 million marketing emails to people who had opted out of receiving them. From a report on BBC: The emails, sent in August 2016, advised people to amend out-of-date personal information and update their marketing preferences. They also gave people the chance to enter a prize draw. But the regulator said Flybe should have obtained people's consent before sending the emails. "Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing, and it is against the law," said Steve Eckersley, head of enforcement at the Information Commissioner's Office. "In Flybe's case, the company deliberately contacted people who had already opted out of emails from them."
Communications

T-Mobile Kicks Off Industry Robocall War With Network-Level Blocking and ID Tools (venturebeat.com) 76

T-Mobile is among the first U.S. telecom companies to announce plans to thwart pesky robocallers. From a report on VentureBeat: The move represents part of an industry-wide Robocall Strike Force set up by the Federal Communications Commission (FCC) last year to combat the 2 billion-plus automated calls U.S. consumers deal with each month. Other key members of the group include Apple, Google, Microsoft, and Verizon. T-Mobile's announcement comes 24 hours after the FCC voted to approve a new rule that would allow telecom companies to block robocallers who use fake caller ID numbers to conceal their true location and identity. From a report in The Washington Post: The Federal Communications Commission on Thursday proposed new rules (PDF) that would allow phone companies to target and block robo-calls coming from what appear to be illegitimate or unassigned phone numbers. The rules could help cut down on the roughly 2.4 billion automated calls that go out each month -- many of them fraudulent, according to FCC Chairman Ajit Pai. "Robo-calls are the No. 1 consumer complaint to the FCC from members of the American public," he said, vowing to halt people who, in some cases, pretend to be tax officials demanding payments from consumers, or, in other cases, ask leading questions that prompt consumers to give up personal information as part of an identity theft scam.
Communications

Could We Eliminate Spam With DMARC? (zdnet.com) 124

An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing."
Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.
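The gap the FTC numbers describe (SPF published, DMARC absent) matters because SPF and DKIM on their own say nothing about the From: header the recipient sees; DMARC is the layer that requires one of them to pass for a domain aligned with the RFC5322.From domain and tells receivers what to do when neither does. The following is an added example (not code from ZDNet, the NCA or any DMARC library) that parses a DMARC TXT record per RFC 7489 tag rules and evaluates a message's alignment and disposition. The DNS records are constructed samples held in a dict rather than looked up, the organizational-domain logic is simplified to the last two labels (a real receiver consults the Public Suffix List), and pct sampling is ignored.

```python
"""Added example: DMARC record parsing and alignment evaluation (RFC 7489, simplified)."""

# Constructed sample TXT records keyed by the _dmarc.<domain> owner (no DNS lookups).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "example.org": "v=DMARC1; p=none; pct=100",
    "example.net": "v=spf1 include:_spf.example.net -all",   # SPF only, no DMARC
}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC record into a dict, or return None if it is not a valid one.
    The 'v' tag must come first and equal DMARC1, 'p' is required, unknown tags are
    ignored, and defaults are adkim=r, aspf=r, pct=100, sp=<p>."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        tags.append((k.strip().lower(), v.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    rec = {"adkim": "r", "aspf": "r", "pct": 100, "sp": None, "rua": []}
    for k, v in tags[1:]:
        if k in ("p", "sp"):
            if v.lower() not in VALID_POLICIES:
                return None
            rec[k] = v.lower()
        elif k in ("adkim", "aspf"):
            if v.lower() not in ("r", "s"):
                return None
            rec[k] = v.lower()
        elif k == "pct":
            if not v.isdigit() or not 0 <= int(v) <= 100:
                return None
            rec["pct"] = int(v)
        elif k == "rua":
            rec["rua"] = [u.strip() for u in v.split(",")]
    if "p" not in rec:
        return None
    if rec["sp"] is None:
        rec["sp"] = rec["p"]
    return rec


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup(from_domain, records=SAMPLE_RECORDS):
    """DMARC policy discovery: exact domain first, then the organizational domain."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        txt = records.get(candidate)
        rec = parse_dmarc(txt) if txt else None
        if rec is not None:
            return rec
    return None


def check_message(from_domain, spf_pass_domain=None, dkim_pass_domain=None, records=SAMPLE_RECORDS):
    """Return (result, disposition). spf_pass_domain / dkim_pass_domain are the domains
    for which SPF / DKIM already passed (None if they failed or were absent)."""
    rec = lookup(from_domain, records)
    if rec is None:
        return "none", "none"          # nothing published: a spoofed From: costs nothing
    spf_ok = aligned(from_domain, spf_pass_domain, rec["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_org = org_domain(from_domain) == from_domain.lower()
    return "fail", rec["p"] if is_org else rec["sp"]


if __name__ == "__main__":
    print(check_message("example.com", spf_pass_domain="example.com"))          # ('pass', 'none')
    print(check_message("example.com", spf_pass_domain="bulk-sender.example"))  # ('fail', 'reject')
    print(check_message("example.net", spf_pass_domain="example.net"))          # ('none', 'none')
```

The example.net case is the FTC's 86%-versus-10% gap in miniature: SPF passes, yet with no DMARC record a message whose From: is forged to example.net while SPF passes for an attacker's own envelope domain is treated no differently, because nothing requires the two to align. Publishing even `p=none` starts the aggregate reports (rua) that show who is sending as your domain before you move to quarantine or reject.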
Google

Google Tells Army of 'Quality Raters' To Flag Holocaust Denial (theguardian.com) 429

Google is using a 10,000-strong army of independent contractors to flag "offensive or upsetting" content, in order to ensure that queries like "did the Holocaust happen" don't push users to misinformation, propaganda and hate speech. From a report on The Guardian: The review of search terms is being done by the company's "quality raters", a little-known corps of worldwide contractors that Google uses to assess the quality of its systems. The raters are given searches based on real queries to conduct, and are asked to score the results on whether they meet the needs of users. These contractors, introduced to the company's review process in 2013, work from a huge manual describing every potential problem they could find with a given search query: whether or not it meets the user's expectations, whether the result offered is low or high quality, and whether it's spam, porn or illegal. In a new update to the rating system, rolled out on Tuesday, Google introduced another flag raters could use: the "upsetting-offensive" mark.
Security

Huge Database Leak Reveals 1.37 Billion Email Addresses and Exposes Illegal Spam Operation (betanews.com) 141

One of the largest spam operations in the world has exposed its entire operation to the public, leaking its database of 1.37bn email addresses thanks to a faulty backup. From a report: A faulty backup has inadvertently exposed the entire working database of notorious spam operator River City Media (RCM). In all, the database contains more than 1.37 billion email addresses, and for some records there are additional details such as names, real-world addresses, and IP addresses. It's a situation that's described as "a tangible threat to online privacy and security." Details about the leak come courtesy of Chris Vickery from macOS security firm MacKeeper who -- with a team of helpers -- has been investigating since January. River City Media's database ended up online thanks to incorrectly-configured Rsync backups. In the words of Vickery: "Chances are you, or at least someone you know, is affected." The leaked, and unprotected, database is what's behind the sending of over a billion spam emails every day -- helped, as Vickery points out, by "a lot of automation, years of research, and a fair bit of illegal hacking techniques." But it's more than a database that has leaked -- it's River City Media's entire operation.
Spam

Exploit that Caused iPhones To Repeatedly Dial 911 Reveals Grave Cybersecurity Threat, Say Experts (9to5mac.com) 71

Ben Lovejoy, writing for 9to5Mac: We reported back in October on an iOS exploit that caused iPhones to repeatedly dial 911 without user intervention. It was said then that the volume of calls meant one 911 center was in 'immediate danger' of losing service, while two other centers had been at risk -- but a full investigation has now concluded that the incident was much more serious than it appeared at the time. It was initially thought that a few hundred calls were generated in a short time, but investigators now believe that one tweeted link that activated the exploit was clicked on 117,502 times, each click triggering a 911 call. The WSJ reports that law-enforcement officials and 911 experts fear that a targeted attack using the same technique could prove devastating. Of the 6,500 911 call centers nationwide, just 420 are believed to have implemented a cybersecurity program designed to protect them from this kind of attack.
Google

Is Google's Comment Filtering Tool 'Vanishing' Legitimate Comments? (vortex.com) 101

Slashdot reader Lauren Weinstein writes: Google has announced (with considerable fanfare) public access to their new "Perspective" comment filtering system API, which uses Google's machine learning/AI system to determine which comments on a site shouldn't be displayed due to perceived high spam/toxicity scores. It's a fascinating effort. And if you run a website that supports comments, I urge you not to put this Google service into production, at least for now.

The bottom line is that I view Google's spam detection systems as currently too prone to false positives -- thereby enabling a form of algorithm-driven "censorship" (for lack of a better word in this specific context) -- especially by "lazy" sites that might accept Google's determinations of comment scoring as gospel... as someone who deals with significant numbers of comments filtered by Google every day -- I have nearly 400K followers on Google Plus -- I can tell you with considerable confidence that the problem isn't "spam" comments that are being missed, it's completely legitimate non-spam, non-toxic comments that are inappropriately marked as spam and hidden by Google.

Lauren is also collecting noteworthy experiences for a white paper about "the perceived overall state of Google (and its parent corporation Alphabet, Inc.)" to better understand how internet companies are now impacting our lives in unanticipated ways. He's inviting people to share their recent experiences with "specific Google services (including everything from Search to Gmail to YouTube and beyond), accounts, privacy, security, interactions, legal or copyright issues -- essentially anything positive, negative, or neutral that you are free to impart to me, that you believe might be of interest."
Botnet

World's Largest Spam Botnet Adds DDoS Feature (bleepingcomputer.com) 26

An anonymous reader writes from a report via BleepingComputer: Necurs, the world's largest spam botnet with nearly five million infected bots, of which one million are active each day, has added a new module that can be used for launching DDoS attacks. The sheer size of the Necurs botnet, even in its worst days, dwarfs all of today's IoT botnets. The largest IoT botnet ever observed was Mirai Botnet #14 that managed to rack up around 400,000 bots towards the end of 2016 (albeit the owner of that botnet has now been arrested). If this new feature were to ever be used, a Necurs DDoS attack would easily break every DDoS record there is. Fortunately, no such attack has been seen until now. Until now, the Necurs botnet has been seen spreading the Dridex banking trojan and the Locky ransomware. According to industry experts, there's a low chance we'd see the Necurs botnet engage in DDoS attacks because the criminal group behind the botnet is already making too much money to risk exposing their full infrastructure in DDoS attacks.
Spam

Spammer Faces Decades In Prison For Sending More Than 1 Million Spam Emails (suntimes.com) 146

mi quotes a report from Chicago Sun-Times: A man has been indicted on federal fraud charges for allegedly sending more than a million spam emails. The indictment charges 36-year-old Michael Persaud of Scottsdale, Arizona, with 10 counts of wire fraud and seeks the forfeiture of four computers, according to a statement from the U.S. attorney's office. The indictment was returned Dec. 9, 2016, and was unsealed after Persaud was arrested last month in Arizona. Between 2012 and 2015, Persaud used multiple IP addresses and domains to send spam emails over at least nine networks, including several servers in Chicago, according to the indictment. He sent more than a million spam emails to people in the U.S. and abroad, using false names to register domains and creating fraudulent "from address" fields to conceal the fact that he was the one sending the emails. Each count carries a maximum sentence of 20 years in prison.
mi leaves us with some rather unpleasant imagery, writing: "Personally, I wish [the sentence] carried removal of 1 square millimeter of skin for each message instead."
Botnet

Programmer Develops Phone Bot To Target Windows Support Scammers (onthewire.io) 97

Trailrunner7 quotes a report from On the Wire: The man who developed a bot that frustrates and annoys robocallers is planning to take on the infamous Windows support scam callers head-on. Roger Anderson last year debuted his Jolly Roger bot, a system that intercepts robocalls and puts the caller into a never-ending loop of pre-recorded phrases designed to waste their time. Anderson built the system as a way to protect his own landlines from annoying telemarketers and it worked so well that he later expanded it into a service for both consumers and businesses. Users can send telemarketing calls to the Jolly Roger bot and listen in while it chats inanely with the caller. Now, Anderson is targeting the huge business that is the Windows fake support scam. This one takes a variety of forms, often with a pre-recorded message informing the victim that technicians have detected that his computer has a virus and that he will be connected to a Windows support specialist to help fix it. The callers have no affiliation with Microsoft and no way of detecting any malware on a target's machine. It's just a scare tactic to intimidate victims into paying a fee to remove the nonexistent malware, and sometimes the scammers get victims to install other unwanted apps on their PCs, as well. Anderson plans to turn the tables on these scammers and unleash his bots on their call centers. "I'm getting ready for a major initiative to shut down Windows Support. It's like whack-a-mole, but I'm getting close to going nuclear on them. As fast as you can report fake 'you have a virus call this number now' messages to me, I will be able to hit them with thousands of calls from bots," Anderson said in a post Tuesday.