If an unauthorised party has logged into your Facebook account, then you’re far from alone.

New official statistics revealed by the social networking giant reveal that 0.06% of the more than billion logins that they have each day are compromised.

Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 140 milliseconds. (By comparison, a blink of the eye takes 300-400 milliseconds)

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called “Guardian angels” in the infographic).

Facebook says that you will be able to nominate three to five “trusted” friends who can help you if you have a problem accessing your account – if, for instance, someone else has changed its password and locked you out of your email account. The idea is that if you need to login to Facebook but can’t access your email account, Facebook will send codes to your friends that they can pass on to you.

(BTW, nice middle names you’re using there, Facebook)

None of your friends on their own has enough information to access your account, as they are only sent a single code. But, of course, if your “trusted” friends turned out to be untrustworthy and banded together they would – between them – be able to access your account. So you best be sure that you keep a close eye on who your trusted friends are (especially if you’re prone to falling out, or they think practical jokes are amusing), and be pretty confident that they are taking their own computer security seriously.

Oh, and it might be an idea to remind yourself what the word “friend” actually means, as history has shown that many Facebook users have a very different idea of what a “friend” is from the rest of the world.

Another thought occurs to me – if a bad guy has taken over your Facebook and email account, isn’t it likely that he will also change who your trusted friends are at the same time? Wouldn’t that make the whole security measure kinda pointless?

Another new announcement is App Passwords - meaning that you will no longer have to log into Facebook apps with the same credentials that you use for your Facebook account. It’s certainly a good idea not to use your Facebook password with anybody other than Facebook – so it’s good to hear that Facebook will be offering this new privacy option.

However, it’s not hard to predict that the only people who might use such a feature might be those who are already very aware of privacy issues, rather than the great unwashed majority on Facebook.

Facebook’s infographic is too long and thin to properly embed on the Naked Security site, so here’s a link to where you can download a version for yourself.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks.

Source :- http://nakedsecurity.sophos.com

Related articles

• Facebook Says 600,000 Accounts Compromised Per Day (mashable.com)
• 600,000 + Facebook Accounts Get Hacked Daily (escapistmagazine.com)

Image via Wikipedia

One of the topics I frequently get asked about by customers when they visit SophosLabs, is what do we do about the hoards of legitimate web sites that we see getting hit with malware? How do we go about alerting them to the problem? How can we help to get things cleaned up quickly thereby reducing risk for users?

Sophos customers can take advantage of our WebAlert service, but this is not relevant to non-customers.

Web security is a topic that affects us all. The web has become the predominant way in which malware is delivered nowadays. Thanks to techniques such as black hat search engine optimisation (SEO) or drive-by download attacks, failings in the security of a single site or hosting provider can expose many innocent users to malware. Improving the process by which the bad stuff gets reported and cleaned up is in all of our interests.

I am pleased to have been involved in a great initiative over the last few months, coordinated by the folks at StopBadware. They put together a working group in order to thrash out a process for reporting malicious URLs. I am happy to say that a few days ago the final version of Best Practices for Reporting Badware URLs was published.

Hopefully the initiative will facilitate communication between the parties that discover the bad stuff, and those in a position to do something about it, mitigating the effects of malicious URLs.

More information about the initiative can be found on the StopBadware blog, in their press release, or you can dive straight into the report here.

Source:- http://nakedsecurity.sophos.com

Related articles

• Best practices for reporting malicious URLs (nakedsecurity.sophos.com)
• Stopping Badware (blacknight.com)
• Sophos: New malicious URLs appear every half-second (thetechherald.com)
• Google warns on ‘unsafe’ websites (firstrate.co.nz)

This weekend we saw another spate of Facebook messages claiming to link to a BBC News report of the death of Lady Gaga.

Of course, the claims are untrue – and Lady Gaga is still alive.

But that isn’t stopping Facebook scammers from creating money-making websites that claim that the eccentric pop star has been found dead in her hotel room, and tricking Facebook users into sharing the links.

BREAKING: Lady Gaga Found Dead in Hotel Room mjide35w
[LINK]
This is the most awful day in US history

You would think that the scammers would show a little more imagination – rather than using the same disguises time and time again. But, hey, if the scam is working for them – why change it?

Clicking on the link will take you a third-party website, posing as a BBC News online report, which attempts to trick you into clicking on what appears to be a video thumbnail.

In the above screenshot you can see that Sophos Anti-Virus (in this case, ourfree anti-virus for Mac users) has correctly warned about the webpage and prevented you from being clickjacked.

We’ve seen scams very much like this, many times before.

Facebook could do a much better job, in my opinion, at helping users avoid falling for tricks like this and clean-up a lot of the mischievous pages and dangerous links on its network.

For instance, a quick search of “Lady Gaga dead” finds a number of Facebook pages attempting to spread the rumour of the artist’s demise.

Some of which have clearly been created with a scam in mind, like this following clickjacking example:

Watch out if you try to play the video as this is a clickjacking scam which attempts to silently say you “Like” the page when you click with your mouse.

If you’ve been hit by scams like this, remove the messages and likes from your Facebook page – and warn your friends not to click on the offending links. Clearly, Facebook needs to work much harder to prevent attacks like this from reoccurring and spreading so rapidly.

Source :- http://nakedsecurity.sophos.com

Related articles

• Lady Gaga is still not dead – stop falling for Facebook scams (nakedsecurity.sophos.com)
• BREAKING: Lady Gaga Found Dead in Hotel Room (Facebook scam) (zdnet.com)
• Facebook Scammers Post Links To Fake Story About Lady Gaga’s Death (lezgetreal.com)
• Lady Gaga found dead in hotel room? Beware Facebook clickjacking scam (nakedsecurity.sophos.com)
• ‘Breaking: Lady Gaga Found Dead in Hotel Room’ scam spreading on Facebook (zdnet.com)
• Lady Gaga (happynesstips.wordpress.com)

Image via Wikipedia

As many North Americans return to their offices after a long Labor Day weekend, they may find something unpleasant in their email inboxes.

A malware campaign has been widely distributed over the last couple of days, using a wide variety of different subject lines and attachment names.

There’s one thing in common between all the emails, however. All of the emails use sleazy slutty language to trick red-blooded men (we assume) into open the attached file.

The many different messages claim to come from what some would euphemistically describe as online “dating” websites. Typically the emails will claim to contain photos of a young woman in her twenties, who isn’t fussy about what kind of man she would like to hook up with (some say ages “between 21-99″ are fine).

As mentioned above, the subject lines and attached filenames can vary widely – but there’s definitely a theme..

Sophos detects the earlier attacks as malware designed to infect Windows computers: Mal/BredoZp-B, Troj/Agent-TFW and Mal/BredoZp-ET.

And here are some examples of the latest instances we have seen, which Sophos detects proactively as Mal/Zbot-CX.

If you make the mistake of opening the attached ZIP file, and running the files within, and you’re *not* protected by Sophos, you could be infecting your computer with a Trojan horse.

Once infected, your computer could allow a remote hacker to stealing information from your PC – all because you thought some sleazy slutty photographs of a young woman had fallen in your lap.

Social engineering tricks continue to fool users into making poor decisions – remember to always think with your head, not with your trousers.

Source :- http://nakedsecurity.sophos.com

Related articles

• Sleazy slutty emails bombard inboxes, carrying malware (nakedsecurity.sophos.com)
• Inter-company invoice emails carry malware (nakedsecurity.sophos.com)
• Malware Watch: FDIC and Western Union themed emails lead to malware (zdnet.com)
• FDIC notification malware attack spammed out (nakedsecurity.sophos.com)
• Western Union money transfer email disguises Trojan attack (nakedsecurity.sophos.com)
• How a free breakfast day at McDonalds can lead to malware danger (blogoholic.in)

Image by bbwbryant via Flickr

Der Spiegel is reporting that WikiLeaks has had… wait for it… a data leakage accident. You might think, “So what? The data has already been leaked!”

Unfortunately, that isn’t quite as clear as it seems. WikiLeaks goes to great lengths to protect both their sources and potential informants by redacting their details from the data before publication.

Last summer Daniel Domscheit-Berg had a dispute with Julian Assange and departed with a chunk of the WikiLeaks staff to form OpenLeaks.

In the process Domscheit-Berg was reported to have taken data from a server containing the 250,000+ leaked diplomatic cables in encrypted form and left Assange without access to the contents.

Assange had shared the passphrase to decrypt the cables with an external source as a protective measure and expected the source to keep the key secret.

In November of 2010 Domscheit-Berg returned the files to WikiLeaks. This prompted WikiLeaks supporters to make the contents available in a public archive.

Apparently they didn’t notice that the archive included a hidden directory that contained the encrypted file with the cables, and accidentally made the file public.

Assange’s external source, not knowing the file was accessible to the public, for some reason publicly disclosed the key this spring.

The result? The uncensored cables are now publicly downloadable and could blow the cover of American informants around the world.

The lesson? Well, even if you are in the business of leaking secrets, you need to keep secrets. I wonder if Julian sees the irony in this incident.

WikiLeaks Twitter feed has posted a message stating “There has been no ‘leak at WikiLeaks’. The issue relates to a mainstream media partner and a malicious individual.”

If, like WikiLeaks, you need to keep secrets, consider downloading Sophos free e-book, Data Leakage for Dummies.

Source :- http://nakedsecurity.sophos.com

Related articles

• WikiLeaks suffers its own data loss incident (nakedsecurity.sophos.com)
• WikiLeaks Leak of the Day (geeks.thedailywh.at)
• Leak From WikiLeaks Endangers US Sources (newser.com)
• WikiLeaks getting leaky, names of sources accidentally loosed online (digitaltrends.com)
• WikiLeaks Springs a Leak: Full Database of Diplomatic Cables Appears Online (wired.com)
• WikiLeaks Springs New Leak, Further Calling Into Question Motives Of Julian Assange (mediaite.com)

It turned out that many websites (CNN, BBC, NPR, CNET, Forbes, the Daily Mail, Mashable, the Daily Telegraph are just a handful) had been duped in recent days by supposed research from AptiQuant showing that users of Internet Explorer scored lower than average in IQ tests.

A claim like that is obviously going to be essential reading for anyone with a technical bent, and it was unsurprising to see so many websites report the story.

Of course, when many people read the story they probably thought – as I did – that the research was bound to be a bit shonky. You can, after all, easily mislead people with statistics or use a biased sample to get the results you want.

But, fascinatingly, it wasn’t just the research that was utterly bogus – it was the company behind the research too. Because AptiQuant didn’t really exist.

Sure, I discovered that its website existed (albeit a WHOIS search revealed it was only registered as a domain since mid-July, which seemed odd for a company which claimed to have been in operation for some years). But it transpired that it had also copied content (such as the images of staff members) from a legitimate psychometric testing company called Central Test.

I even went onto Google Maps’ Street view mode to look up AptiQuant’s alleged street address in Vancouver, but found no sign of an office. I was even planning to ask one of my colleagues in Sophos’s Vancouver office to do a drive-by to see if they could raise anyone at AptiQuant after my phone calls went unanswered.

It seemed clear to me that the skeptics were right – the research and the firm were fictitious.

The only question left was why was someone doing this?

Could it be maybe a publicity stunt for someone? After all, we recently saw an online dating site claim to have had a virus attack purely to drum up new business.

Or perhaps it was someone with a grudge against Internet Explorer, or dirty guerilla tactics by a rival web browser firm?

Maybe it was performance art?

Nothing seemed to make sense.

Then I thought – hang on, everyone is downloading a PDF of this so-called research.. What if the PDF was infected by malware? That would be an ingenious way to spread malicious code.

After all, we do see a lot of attacks spread via boobytrapped Adobe PDF files that exploit vulnerabilities on users’ unpatched computers.

But a quick check by the experts in SophosLabs found nothing obviously dangerous in the PDF.

This evening, to some relief, the truth has come out.

AptiQuant’s website has been updated with an admission that it was a hoax, and an explanation that the stunt was motivated by frustration at Internet Explorer’s infamously poor compatibility with web standards.

Various news agencies are left with egg on their face for feverishly reporting the story without applying the right level of skepticism, and the hoaxers are no doubt delighted that their real shopping comparison website has received some publicity.

Me? I’m not going to be visiting the shopping comparison website that appears to be behind the hoax.

For one thing, I am suspicious of any site that so strongly recommends I install a Facebook app to win a laptop. Why would I want to grant them access to so much of my Facebook profile and personal information?

If there’s an important lesson to learn from this story, and it’s an important one for everyone who is serious about computer security, it’s this: Don’t believe everything you read on the internet.

Source :- http://nakedsecurity.sophos.com

Related articles

• Internet Explorer IQ Story Was A Hoax [Corrections] (gawker.com)
• Internet Explorer users have low IQ? Media hoaxed by bogus research (nakedsecurity.sophos.com)
• Internet Explorer users aren’t stupid after all, IQ study was an elaborate hoax (geek.com)
• Internet Explorer IQ study was a hoax (seattlepi.com)
• ‘Internet Explorer users are dumber’ story was a hoax (thenextweb.com)
• It’s official: Journos are dumb as a bag of IE users (go.theregister.com)

Image via CrunchBase

Article from Sophos authored by Chester Wisniewski

Google‘s new “Plus” social networking service attracted more than 10 million users within a week of its public beta. That is a remarkable number of people signing up for an unfinished social network when the field of options is already quite crowded.

Why would so many people flock to Google+? The one thing almost everyone that I know references is privacy and control, or at least the hope that it might achieve that end.

Twitter users are happy with the openness of Twitter… You know what it does: It broadcasts your messages to the world in bite-size chunks. No hidden agenda, no surprises… It’s public.

LinkedIn is great for professional networking, again mostly public. I don’t use it to share links of cats playing keyboards or cool movie quizzes. For many of us, aside from finding employment, it is a way to stay in touch with people we’ve worked with in the past.

Facebook? Well, it started out as something exclusive and private, then became open and not so private. Nearly everyone who cares about being social is on there, so it continues to march along 500 million users strong.

Why do we need an alternative to Facebook? Much of it started with comments Mark Zuckerberg made in January of 2010. He stated:

“A lot of companies would be trapped by the conventions and their legacies of what they’ve built, doing a privacy change – doing a privacy change for 350 million users is not the kind of thing that a lot of companies would do. But we viewed that as a really important thing, to always keep a beginner’s mind and what would we do if we were starting the company now and we decided that these would be the social norms now and we just went for it.”

Many are uncomfortable with Facebook’s privacy controls, the wishy-washy attitude toward changes and the attitude their CEO has towards privacy in general.

This is where Google had a golden opportunity to provide something that could scale to the same heights and remedy the grievances many have with Facebook.

When you first logged in, you could see how it was intended to be a blend of public and private, and enjoy the ease with which you were invited to privately share things, just within your Circles.

Last week Google began suspending accounts of people who used pseudonyms, which they considered a breach of the Google+ common name policy.

What they seemed to have missed is that the very foundation of privacy is identity. Simply knowing my postal code or birth date is meaningless without a name to associate it with.

By requiring people to only use their real names, unless they just happen to be a celebrity, they have eliminated the ability for people to be private in any meaningful way.

It’s important to remember that it’s a social network. Google will not be issuing passports like the nation of Facebook.

Google suggests your pseudonyms could go in the optional Nicknames field, which you can choose to make searchable and public.

This solves Google’s problem, but erodes privacy even further by associating your “real” name with your pseudonym. I believe this is actually destructive to privacy, not helpful.

I hope Google reconsiders their current policy, as this makes them just another also-ran in the social networking game. You don’t need to bully people into disclosing personal information to stop spammers and impersonators.

My advice to Google? Get your lawyers and your programming gurus together and see if you can create a place that is safe for all of us to share in ways we are comfortable with. If you can do that, you have a good chance at being a leader rather than a Facebook wannabe.

Related articles

• Google+ misses an opportunity – Privacy is an important part of openness (nakedsecurity.sophos.com)
• Google+ Identity Crisis: What’s at Stake With Real Names and Privacy (wired.com)
• Morton Fox: Complaints Mount Over Google+ Account Deletions | PCWorld (pcworld.com)
• Don’t Look For Me On Facebook, I’ve Moved To Google+ (singularityhub.com)
• The Microsoft Update: Why I was banned on Google+ (and how I redeemed myself) (mbcalyn.wordpress.com)
• Quick Hits: Google Acquires Facial Recognition Technology (michaelfertik.com)

Image via Wikipedia

It sometimes feels like the number of scams spreading across Facebook is never ending. Here is the latest one that was brought to my attention by members of Sophos’s Facebook page:

Boy reaction after his Ex girlfriend posted on his wall
[LINK]
lol What true pain both are having at this moment.

It’s another survey scam, of course, which earns commission for the folks who created the webpages and kicked off the campaign in the first place.

If you do make the mistake of clicking on the link you will be taken to a webpage which appears to contain a YouTube video and some rather sleazy advertising.

Watch out, though, if you try to play the video as this is a clickjacking scam which attempts to silently say you “Like” the page when you click with your mouse.

Users who have installed a browser add-on such a NoScript for Firefox will see a message warning them of the peril of being clickjacked.

If you’ve been hit by a scam like this, remove the messages and likes from your Facebook page – and warn your friends not to click on the offending links. Clearly there’s much more work which needs to be done by Facebook to prevent these sorts of messages spreading so rapidly.

Source :- http://nakedsecurity.sophos.com

Related articles

• ‘Boy reaction after his Ex girlfriend posted’ clickjacking Facebook scam (nakedsecurity.sophos.com)
• Baby Born amazing effect? No, another Facebook likejacking scam (blogoholic.in)
• World funniest condom commercial? Facebook hit by viral likejacking attack (blogoholic.in)
• Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl (pratyushkp.wordpress.com)
• Hottest & Funniest Golf Course Video scam spreads virally on Facebook – beware! (blogoholic.in)

Image by bradlauster via Flickr

If you’re the sort of person who wakes up in the morning, and the first thing you long for is a McDonalds‘ breakfast – but if you are, you might just be exactly what malware authors are looking for.

Researchers at SophosLabs have seen a malicious email that has been spammed out across the world in the last couple of days pretending to come from McDonalds.

The email claims that the fast-food giant is offering free breakfasts in each and every of their many thousands of restaurants around the globe. Chances are that there are many people who would love the prospect of munching on a McDonalds first thing in the morning.

Part of the email reads as follows:

McDonalds invites you to The Free Breakfast Day which will take place on 26 June, 2011, in every cafe of ours.

Free Day’s menu!
- Ranch Snack Wrap (Crispy)
- Chicken Selects Premium Breast Strips
- Premium Caesar Salad with Grilled Chicken
- Strawberry Triple Thick Shake
- McCafe Hot Chocolate

Print the invitation card attached to the letter and show it at the cash desk of any of our restaurants.

But beware! There is no such thing as a free lunch.. breakfast.

The attached file is, of course, malicious. Sophos detects the ZIP file as Troj/BredoZp-DV and the Invitation_Card.exe file contained within as the Troj/Bredo-HU Trojan horse.

In an attempt to fool computer users into believing the file is safe, the EXE file has a Word icon.

Don’t forget – you should always be suspicious of unsolicited attachments sent to you via email!

Source :- http://nakedsecurity.sophos.com

Related articles

• How a free breakfast day at McDonalds can lead to malware danger (nakedsecurity.sophos.com)
• ‘Seriously McDonalds’ Hoax Pic Angers Internet, McDonald’s (gizmodo.com.au)
• Look Around Before Hotboxing in a McDonald’s Drive-Thru [Oops] (gawker.com)
• FBI says you’ve been visiting illegal websites? It’s a malware attack (pratyushkp.wordpress.com)
• McDonald’s In Trouble For Something They Didn’t Even Do (wycd.radio.com)
• Coupon Trade Lawton Tuesday 6/21 at McDonald’s on Cache (charitybeginssavingathome.wordpress.com)

Image by Getty Images via @daylife

Warnings are being posted across Facebook, warning users to beware messages from friends that invite them to “Visit the New Facebook”.

Although these messages are being shared by Facebook users with the best of intentions, the warning about the risk of being locked out of your own Facebook account may in fact be more of a nuisance than the alleged hacker attack itself.

Here’s a typical message seen on Facebook:

PLEASE RE-POST FOR EVERYONE!!!!!!!!!THIS NOTICE IS DIRECTED TO EVERYONE WHO HAS A PAGE ON FACEBOOK: IF SOME PEOPLE IN YOUR PROFILE OR YOUR FRIENDS SEND YOU A LINK WITH WORDS "VISIT THE NEW FACEBOOK ' DO NOT OPEN! IF YOU OPEN IT YOU CAN SAY GOODBYE TO YOUR PAGE. IT'S A HACKER WHO STEALS YOUR DETAILS AND REMOVES YOU FROM YOUR OWN PAGE. COPY AND SPREAD THE WORD

However, Sophos researchers have found no evidence that the threat is real. We simply haven’t managed to uncover any reports of any users hit by such an attack.

As such, it appears that this is just the latest chainletter spreading across the social network. We’ve certainly seen plenty of similar examples of hoaxes spread by well-intentioned people in the past.

Remember, a genuine alert would be likely to contain a link to a legitimate security firm’s website – detailing the true nature of the threat.

Remember to always get your computer security advice from a computer security company. Friends may be well-intentioned in passing on warnings, but it’s always good to check your facts before forwarding them any further.

Source :- http://nakedsecurity.sophos.com

Related articles

• Visit the New Facebook? Hacker warning spreads like wildfire on social network (pratyushkp.wordpress.com)
• Jason Allen / Amy Allen virus hoax spreads on Facebook (blogoholic.in)
• Visit the New Facebook? Hacker warning spreads like wildfire on social network (blogoholic.in)
• Facebook phishing: Can you spot the difference? (blogoholic.in)
• Facebook Dislike button spreads fast, but is a fake – watch out! (pratyushkp.wordpress.com)
• Spam from your Facebook account? Malware attack poses as official warning (pratyushkp.wordpress.com)
• Rihanna and Hayden Panettiere sex video spreads Mac malware on Facebook (blogoholic.in)
• Dad catches daughters on webcam: Beware viral Facebook video link (pratyushkp.wordpress.com)
• Hottest & Funniest Golf Course Video scam spreads virally on Facebook – beware! (blogoholic.in)