Archive | Internet/Information Security

A New Scam To Steal Your Gmail Info + Caphaw Trojan Found in Youtube Ads

23 Mar

Warning: If you receive an email with the subject “Documents,” and it directs you to a webpage that looks like a Google Drive sign-in page, do not enter your information. It’s likely a new phishing scam, in which a thief creates a fake portal that asks for people’s private information and then steals it. (Netflix recently faced a similar issue.)
This one uses a fake Google Drive landing page to get your Gmail address and password, cyber security company Symantec’s official blog reported last Thursday. You’re meant to think that the documents you’ll be viewing are on Google Docs and that you need to sign in to see them. Remember, though, it’s all a scam.
If you were to put your Gmail address and password in the fake login, your credentials would be stolen, but you’d be taken to a real document on Google Docs, so you might not even know you’d been scammed, Symantec says.
As always, the easiest way to protect yourself from phishing scams is to not click on unknown links and not open emails from unknown senders. Also, don’t type your password anywhere that you’re not 100 percent sure is real.


Looks so scary, doesn’t it? The two log-in pages look identical to me on The Huffington Post link! Also, earlier last month, YouTube ads had security leaks, too!!!

The malware being served is a Caphaw banking Trojan.  Emsisoft detects Trojans from this family as Trojan.Win32.Caphaw.
The attackers are infecting Youtube users through third-party Youtube ads, using the drive-by download technique.
Further investigation has revealed that the ad network serving the Caphaw malware is also hosting the Styx exploit kit.  An exploit kit is a toolkit hackers can purchase ready-made and then place on malicious websites to automatically target common vulnerabilities present on un-updated computers.  The Styx exploit kit targets Java vulnerabilities in particular.  Research indicates that in this attack Styx is being used to target CVE-2013-2460.
The Caphaw Trojan allows attackers remote control of your PC.  With such control, attackers may directly access your files, monitor your Internet usage, or use your PC for any number of malicious activities.


So, if you have clicked on any YouTube ads since February, make sure you scan your computer with an anti-virus program that specifically detects Trojans!! And if you recently logged on to Google through a suspicious email request, it is strongly recommended to change your Google password immediately!! After all, passwords are the first line of defense in Internet security. Also keep in mind that any email containing attachments, links, or requests to share files should be carefully examined before you click. Emails are common vectors for malware, and messages from anyone but trusted co-workers, family members, or friends should automatically raise suspicion! If you suspect your trusted ones’ accounts have been hacked, make sure you duly inform them!



Does Someone Know & Tell Me How to Unblock It, Please~~~

20 Mar

Before I went to bed around 9 hours ago, I was happily accessing my account and replying to my (potential) clients’ emails. 8 hours later, after I got up, I haven’t been able to log on to my work email account again~~~~ Why not? Who the heck knows why~~~ >_<”

See the image I’ve been told:



I really feel hapless & dunno what to do now~~ 😥


What If a Password Didn’t Contain Words?

10 Apr

I’m back from a spring break! Haven’t updated anything here for a month! Here is what’s new:

#1. I’m finally baptised…well, after nearly one year’s investigating…=.=a Speaking of which, I should update the About page later.

#2. I met my best high school friend (and her boyfriend) in Macao! We were supposed to meet in Hong Kong but hmm, well, things got changed. ^^!

#3. MLB Season 2013 has started! I haven’t got time to blog on Yankees yet! >_<‘

Here is a quick look! Besides two dominant starts by Andy Pettitte, who has got 2 wins and a sub-2 ERA, replacement players like Hafner, Boesch, and Vernon Wells have been doing so well that you can’t help but wonder how amazing Cashman’s acumen was to look for backup players in Spring Training when sluggers like Teixeira and Granderson were unexpectedly and unfortunately injured!!!


Back to the title, here is an interesting article on if your passwords should be controlled by your mind, not by words!

Researchers at UC Berkeley’s School of Information announced that they are working on technology that reads your mind to open your email account, buy an app on iTunes, and check your bank balance. Security researchers determined that electroencephalograms (EEGs) are a reliable-enough indicator of individuality to substitute for a password. Also, there are now relatively inexpensive Bluetooth devices that measure your EEG and connect to your computer without any brain implants.

Marvelous, isn’t it? Like telepathy? XD~


Scammers Striking at the Gas Pump

3 Jul


Be very aware of this kind of credit card/debit card information stealing!

Thieves are ‘skimming’ credit card and debit card numbers using devices planted in card readers at the pumps. The fraud is high-tech and hard to detect.

Gas stations are proving to be a weak link in efforts to combat debit and credit card fraud. Outdated technology and poor security allow criminals to install skimmers that capture account numbers and PINs. If you swipe your card at a compromised pump, the captured information can be used to create a clone of your card that can be sold to other criminals or taken on fraudulent shopping sprees.

Security experts said the size of the fraud wasn’t surprising. What was unusual was that a ringleader was actually caught, since so much of this type of crime goes unprosecuted.


So, think twice before swiping your card, online or brick and mortar.




Dictionaries Attack! Hackers Use Dictionaries to Guess Your Passwords

9 Jun


Should I be gloating that I am not a LinkedIn or Facebook user? 😛


“If you are one of the 161 million members of LinkedIn, you were probably rankled by the news earlier this week that millions of their passwords had been hacked and published online – especially if you also use your LinkedIn password for your Facebook, e-mail or bank account. One way hackers fish out passwords is by using a dictionary attack (a name that brings shame to the honorable profession of lexicography). What is a dictionary attack? How can a benign book of meanings be used to uncover passwords?

With a smart algorithm and a dictionary, hackers are finding it surprisingly easy to guess passwords. And we have no one to blame but ourselves. In a recent study at Cambridge University, computer scientist Joseph Bonneau analyzed 70 million passwords from Yahoo! users. (Don’t worry, he didn’t steal them. The passwords were separated from their usernames.) Bonneau used the passwords to test possible hacking attempts. He found that using the 1,000 most common words in the dictionary an algorithm could correctly guess the passwords of up to 10% of the users. Turns out that many of us choose passwords that are relatively easy to remember and based on common words, and hackers can guess your password using a database of words (usually a dictionary of some sort).”
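The same idea used for defence, as an added example (not from the quoted article or this blog): a check that tells you whether a password reduces to a common word once case changes, letter-for-symbol swaps and digits tacked on the ends are undone, plus the share of a password list that fails it. The wordlist, the substitution table and the sample passwords are constructed for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a much larger list of
# common words and known-breached passwords from a file.
COMMON_WORDS = {"password", "monkey", "dragon", "sunshine", "welcome",
                "letmein", "football", "linkedin"}

# Character substitutions people use to "disguise" a word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and symbols stuck on the front or back: "monkey123!" -> "monkey".
EDGE_PADDING = re.compile(r"^[^a-z]+|[^a-z]+$")


def variants(password):
    """Return the normalised forms a dictionary-based guesser would cover."""
    lowered = password.lower()
    stripped = EDGE_PADDING.sub("", lowered)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def matched_common_word(password):
    """Return the common word the password reduces to, or None."""
    hits = variants(password) & COMMON_WORDS
    return min(hits) if hits else None


def guessable_share(passwords):
    """Fraction of a password list that reduces to a common word."""
    if not passwords:
        return 0.0
    weak = sum(1 for p in passwords if matched_common_word(p))
    return weak / len(passwords)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real breach.
    sample = ["Monkey123!", "P@ssw0rd1", "$unshine", "Dragon2013",
              "xK9#vTq2mLw", "tulip-cargo-window-47"]
    for p in sample:
        print(f"{p!r:28} -> {matched_common_word(p) or 'not in wordlist'}")
    print(f"guessable share: {guessable_share(sample):.0%}")
```

A sign-up or password-change form can reject any password for which `matched_common_word` returns a word.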

