Red means danger, and orange offers plenty of risk, too.
(Credit: McAfee)
You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.
McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.
The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health.
Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most "spammy," with 17.2 percent of its sites generating junk mail.
On the positive side, the U.S. government's .gov is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year's riskiest domain, Hong Kong (.hk), dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the territory's aggressive steps to stop scam-related domain registrations.
"This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."
Overall, looking at 27 million Web sites across 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent in each of the past two years, although the comparison is not direct because McAfee said it has changed its rating methodology since then.
McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy and that act slowly or not at all when informed of malicious domains.
Twitter and Facebook users were getting hit with scams on Monday.
Twitter users were warning one another about direct messages that said, "I make money online with google. i learned how here [link]."
A Twitter representative said it was not a phishing scam because the site to which the spam links does not ask for a username and password, or look like a Twitter page.
"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."
On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.
"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."
Twitter users warned about a "make money online with google" scam on Monday.
(Credit: Twitter Search)
Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.
On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.
In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.
This is a screen shot of the message in the body of the fake Facebook e-mail.
(Credit: AppRiver)
When they provide that information, victims are taken to a page that offers an "Update Tool," but that tool is actually the Zeus bank Trojan, which is designed to steal financial and personal data, Touchette said.
Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.
There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.
More details are on the AppRiver blog.
On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.
To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.
Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.
If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.
This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.
(Credit: AppRiver)
Microsoft on Wednesday said it is fixing a bug in Bing that allowed spammers to bypass spam filters and distribute malicious links.
Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine's own redirection mechanism and a link-shrinking technique to send people to spam Web pages, according to a post on the Webroot threat blog.
The problem lies in how Bing formats links in RSS feeds. The redirect from Bing to the destination site is carried in the clear and not validated, so scammers can append any destination they like to the end of a Bing redirect URL; the link still appears to lead to bing.com, which is enough to trick spam filters, said Andrew Brandt, a threat researcher at Webroot.
In the specific case, Webroot examined an RSS feed in Bing with a link that bounced through MySpace's link shrinker and landed on the spam Web page that looked like a news site customized to the user's geolocation and which offered vague work-from-home jobs.
Asked for comment, a Microsoft representative said late on Wednesday: "We were testing new features to improve the search experience for our customers, and during our testing, we found a bug that was causing this issue. We are taking immediate action and expect a fix in the next 48 hours."
Meanwhile, a MySpace representative had this to say when asked for comment: "The security of our users is a top priority for MySpace. With thousands of link-shortening systems available on the Internet, similar to MySpace's MSPLinks, it is critical that sites like Bing employ security measures such as the prevention of URL redirection."
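The following is an added example, not code from Webroot, Microsoft, MySpace or this article, showing in Python why a spam filter that judges a link by its starting host is beaten by an open redirect on a trusted domain, and two ways to close the hole: the filter resolves the redirect target before trusting the link, and the redirector itself binds the target to the link with an HMAC so that nothing can be "appended" without the server's key. The redirector URL shape (a /redirect path with a u parameter), the host names, the allow-lists and the signing key are all assumptions constructed for illustration; the article does not give Bing's real link format.

```python
"""Open redirect versus host-based link trust, with a filter-side fix and a
server-side (signed redirect) fix. Added example; every host name, parameter
name and key below is an assumption, not Bing's real format."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

TRUSTED_HOSTS = {"www.bing.com", "bing.com"}    # assumed reputation allow-list
ALLOWED_DESTINATIONS = {"news.example.com"}      # assumed: where the redirector may send users
REDIRECT_PARAM = "u"                             # assumed name of the target parameter
SIGNING_KEY = b"assumed-server-side-secret"      # assumed: known only to the redirector


def naive_is_trusted(url: str) -> bool:
    """Filter logic the campaign exploited: judge the link by the host it
    starts at. A bing.com redirector passes no matter where it ends up."""
    return urlparse(url).hostname in TRUSTED_HOSTS


def redirect_destination(url: str):
    """Host a trusted redirector would send the user to, or None when the
    URL is not a redirect (parse_qs already percent-decodes the value)."""
    parsed = urlparse(url)
    if parsed.hostname not in TRUSTED_HOSTS:
        return None
    target = parse_qs(parsed.query).get(REDIRECT_PARAM)
    if not target:
        return None
    return urlparse(target[0]).hostname


def hardened_is_trusted(url: str) -> bool:
    """Filter-side fix: resolve the redirect parameter and judge the
    destination, not the redirector. Unknown destinations behind a
    trusted host fail."""
    if urlparse(url).hostname not in TRUSTED_HOSTS:
        return False
    dest = redirect_destination(url)
    if dest is None:
        return True          # ordinary link on a trusted host, no redirect
    return dest in ALLOWED_DESTINATIONS


def make_signed_redirect(target: str) -> str:
    """Server-side fix: bind the target to the link with an HMAC so that a
    spammer cannot substitute a destination of their own."""
    sig = hmac.new(SIGNING_KEY, target.encode(), hashlib.sha256).hexdigest()
    return "http://www.bing.com/redirect?" + urlencode({REDIRECT_PARAM: target, "sig": sig})


def verify_signed_redirect(url: str):
    """Return the target if its signature checks out, else None. The
    redirector should refuse to redirect when this returns None."""
    qs = parse_qs(urlparse(url).query)
    target = qs.get(REDIRECT_PARAM, [None])[0]
    sig = qs.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    expected = hmac.new(SIGNING_KEY, target.encode(), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected, sig) else None


# Constructed sample links; none are real URLs from the campaign.
SPAM_LINK = "http://www.bing.com/redirect?u=http%3A%2F%2Fwork-at-home.example%2Fjobs"
LEGIT_REDIRECT = "http://www.bing.com/redirect?u=http%3A%2F%2Fnews.example.com%2Fstory"
PLAIN_SEARCH = "http://www.bing.com/search?q=work+from+home"

if __name__ == "__main__":
    for link in (SPAM_LINK, LEGIT_REDIRECT, PLAIN_SEARCH):
        print(naive_is_trusted(link), hardened_is_trusted(link), link)
    signed = make_signed_redirect("http://news.example.com/story")
    forged = signed.replace("news.example.com", "work-at-home.example")
    print(verify_signed_redirect(signed), verify_signed_redirect(forged))
```

The naive filter accepts the spam link because it begins at a trusted host; the hardened filter follows the u parameter and rejects it because work-at-home.example is not an approved destination. The signed-redirect variant is the fix on the redirector's side: the destination is still visible in the URL, but changing it invalidates the signature, so a spammer can no longer reuse the trusted domain as a launch pad.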
Most of what's new in AVG Free 9 is under the hood, with the security vendor talking up speedier scan times. There's also a new identity protection feature that's free to people in the United States.
Also in this slideshow, I show an easy way to keep the AVG security toolbar from repurposing your default new tab page.
There has been a marked increase in the amount of spam e-mails being sent from Yahoo, Gmail, and Hotmail accounts, according to analysts at Websense Security Labs.
Websense said on Thursday that personalized spam e-mails had been sent from the compromised accounts to all of each user's contacts. The e-mails contain links to fake shopping sites, intended to capture sensitive information from the reader.
Earlier this week, Microsoft acknowledged that 30,000 Hotmail accounts had been breached, and suggested the passwords for the accounts had been obtained in a phishing scam.
However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet UK on Friday that the information was likely to have been obtained through key logging.
"The quantity of people hit makes me think that it was key logging--the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of email account credentials...
Read more of "Hacked Web mail accounts used to send spam" on ZDNet UK.
The feature-rich versions of popular security program AVG have been updated, with AVG Technologies claiming faster scan times, faster boot times, and other under-the-hood improvements. Version 8 introduced a consolidated product line; making those features work better together is the focus of AVG Internet Security 9 and AVG Anti-Virus 9.
AVG is making some bold claims for these updates. The company is touting scan times that are "up to 50 percent" faster, based on marking files safe until their file structure changes, and boot times that are "10 to 15 percent" faster. Memory usage is also expected to improve by "10 to 15 percent." The built-in firewall, available only in the Internet Security version, uses a new database for automatically determining whether certain programs are safe to access the Internet without user input. This trusted database, called TrustedDB by AVG, should be less intrusive, querying for user input 50 percent less often than in the previous version, says AVG. Also, the installation process has been shortened from 22 screens to 11.
There are few wholly new features in version 9, but an interesting one is the Identity Theft Recovery Unit. Included in AVG Anti-Virus and AVG Free, but only for users in the United States, ITRU is a business partnership with Identity Guard, which provides "consumer identity theft solutions." Accessible only from the browser toolbar, which works only in Firefox or Internet Explorer, the service provides "a dedicated identity theft recovery unit with fraud experts" to assist with obtaining and analyzing a credit report, enrolling in credit file monitoring, and filing reports.
In hands-on testing last week, I found AVG to be relatively easy to navigate around, although the interface could be simpler. When you click on one of the items in the main window, you must double-click on one of the features to access more information on it. A single click, or even a mouse-over pop-up, would make the experience faster. Before I even ran my first scan, AVG detected icons associated with Pidgin as threats.
AVG 9 looks very similar to AVG 8. Most of the changes are under the hood.
(Credit: Screenshot by Seth Rosenblatt/CNET)
Double-checking them against Avira and McAfee revealed those detections as false positives, and when I finally ran the Fast Scan it took longer than 20 minutes. That doesn't compare favorably to competitors, some of which can complete a first Fast Scan in around 60 seconds. I was also surprised to find that Mozilla Thunderbird was not automatically approved to go through the firewall, despite the new firewall trusted database. While the installation process offers to install the browser toolbar for you, it doesn't seem possible to opt out during the installation and then install it later from the AVG interface, a strange oversight.
AVG Internet Security 9 is available for $49.99, and AVG Anti-Virus costs $34.99. Both come with a one-year license and a 30-day trial, although AVG Anti-Virus lacks the firewall, identity protection, antispam, and system tools that come in AVG Internet Security. Fans of the free version of AVG 9 will have to wait a bit longer, as AVG always delays the release of Free until after the full suites have been made public.
Facebook on Thursday said it had disabled six rogue apps that were stealing Facebook users' log-in credentials and spamming people, and within hours more appeared.
Five more of the apps appeared on Thursday, called "Friends," "Friends Gifts," "Matching," "Pok," and "Your Photos," according to an updated blog post by Trend Micro researcher Rik Ferguson.
By that night those new ones were disabled too. Facebook "will continue to ensure that all applications on Facebook Platform comply with Facebook policies," a spokeswoman for the company said.
According to Ferguson's post: "The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters' advertising returns."
He had discovered six rogue apps earlier in the week. One of those was disabled as of Wednesday, and later the other five from the first batch were disabled.
Before the apps were removed, victims had been receiving notifications that someone had commented on a post of theirs. The notifications contained links to a phishing site where users were prompted to provide their Facebook log-in credentials and then prompted to install one of the rogue apps, according to Ferguson. Once the app was installed, the victim's friends were spammed.
Updated at 10:44 p.m. PDT with Facebook disabling the five new apps and at 12:43 p.m. with discovery of five new rogue apps.
Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing log-in credentials and spamming victims' friends.
So far, six malicious applications have been identified: "Stream," "Posts," "Your Photos," "Birthday Invitations," "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik Ferguson.
As of Wednesday afternoon, all of the apps were live except for "Stream," he said in an e-mail.
The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!," which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.
That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts."
He installed that app and immediately his friends were spammed with a bogus notification "Profile_name has sent you a message," with the hyperlink to the phishing site.
On Tuesday, the first couple of apps were sending notifications that hyperlinked to the fucabook phishing site, but by Wednesday the destination had changed to a bare IP address rather than a domain name, he said. JavaScript at that destination opens Facebook and bounces the browser among the install screens of the six rogue apps to get them widely installed, and the cycle continues, he said.
All the apps look and act exactly the same and include ads.
"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.
A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.
Ferguson recommends that Internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site and hover the mouse over a hyperlink to see the URL. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.
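Both Touchette (in the AppRiver item above) and Ferguson give the same advice: hover over a link and compare the real URL with what the message shows. The following is an added example, not code from AppRiver, Trend Micro, Facebook or this article, that automates that check over the anchors of an HTML e-mail in Python: it flags links whose visible text names one domain while the href goes to another, links to bare IP addresses (the switch Ferguson describes), and registrable domains that are a short edit distance from a brand the mail claims to be from, such as fucabook.com against facebook.com. The expected brand domains, the edit-distance threshold, the sample message and the naive "last two labels" registrable-domain rule (standing in for a public-suffix list) are all assumptions constructed for illustration.

```python
"""Audit the anchors in an HTML e-mail for phishing-link tells. Added
example; brand domains, threshold and sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"facebook.com", "twitter.com"}  # assumed: brands the mail claims to be from
LOOKALIKE_DISTANCE = 2                               # assumed edit-distance threshold
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_TEXT_DOMAIN = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> that carries an href."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Assumed rule: the last two labels (www.facebook.com -> facebook.com)."""
    return ".".join(host.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a brand domain means look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_links(html: str, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, [reasons])] for every anchor that shows a phishing tell."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname
        if not host:                      # relative, mailto:, or malformed link
            findings.append((href, ["no host in link"]))
            continue
        domain = registrable_domain(host)
        reasons = []
        if _IPV4.fullmatch(host):
            reasons.append("link goes to a bare IP address")
        shown = _TEXT_DOMAIN.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != domain:
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if domain not in expected_domains:
            near = sorted(d for d in expected_domains
                          if levenshtein(domain, d) <= LOOKALIKE_DISTANCE)
            reasons.append(f"look-alike of {near[0]}" if near else f"unexpected domain {domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample notification e-mail; not a captured message.
SAMPLE_EMAIL = """<p>Someone commented on your post.</p>
<a href="http://fucabook.com/">Facebook</a>
<a href="http://203.0.113.7/posts">http://www.facebook.com/posts</a>
<a href="http://www.facebook.com/notifications">Notifications</a>"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the sample, the look-alike domain and the bare-IP link are both reported while the genuine facebook.com link is not. The registrable-domain rule is deliberately simple and would misjudge multi-label suffixes such as co.uk; a real mail filter would substitute a public-suffix list there, and would pair this check with the advice above to open the site directly rather than through the message.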
Spammers are hoping to rouse Obama critics to launch a cyber protest and to download malware onto their PCs in the process.
New spam is circulating that supposedly offers a way for people to use their computers to launch a denial-of-service attack on the Web site of President Obama, researchers said on Tuesday.
The e-mail message says: "If You dont like Obama come here, you can help to ddos his site with your installs."
The e-mail then provides a link to a Web site where visitors are offered money for installing the supposed denial-of-service (DoS) software, according to a blog posting on the site of e-mail security provider Proofpoint.
The spam site also tells visitors to come back and get updated versions of the purported denial of service software if their antivirus program is detecting it as malware and disabling it.
It's not clear whether the software does turn the computer into a DoS attacking zombie, or what it does, if anything. But it would be crazy to expose your computer like that, regardless of your political leanings.