We appear to be in the middle of a massive phishing attack, this time using Microsoft Outlook alert messages to lure unsuspecting users into clicking on a link — which ends up stealing banking info (and, assumably, draining users’ accounts). The new bogus Microsoft Outlook email attack follows similar such phishing attacks as the UPS “problems with your package” seen earlier. Of course, companies with robust fraud solution software have much less to worry about in the face of such blunt-force attacks, but sadly, not everyone has gotten on board with such innovative solutions. Today’s report, in fairly non-technical ... more

Network World has a good wrapup of the top 10 security-related stories of 2009 involving social networking sites such as Facebook and Twitter. Such stories illustrate the need for good web fraud prevention in the new world of social networking. Because social networks, while user-friendly and generally open to all, present unique challenges both to cybercriminals and the security industry devoted to defeating them. And keeping up with the online security stories about these networks is a big part of that. The full article is rather long, so I’ll cut this introduction short, in order to present it ... more

The do-it-yourself build-a-botnet kit called Zeus is, according to Damballa, responsible for one out of every ten botnets which exist today. This is likely due to two factors — ease of use/configuration, and price. The Zeus botnet kit sells for between $400 and $700, putting it at the low end of the market for such software. And since Zeus is targeted to this low end, it is easy to use and requires a minimum of technical knowledge to operate. Plus, it has plugins available for easy customization. All in all, a nightmare for those who combat ... more

The Waledac botnet, the “son of” the infamous Storm botnet, is now reportedly a lot bigger than anyone had thought. German researchers who infiltrated the botnet itself report back that the size and scope of the Waledac botnet is a lot bigger than anyone had previously estimated. Earlier estimates were that Waledac controlled no more than about 20,000 computers, but this estimate should be revised upwards, to the range of 50,000 to almost 400,000 botnets, according to the Germans. Dark Reading has the full story. It is a very detailed, and rather long piece, but one well ... more

Short post today, since New Year’s is upon us. PC World magazine has the best “end of the decade” list out that I’ve seen yet, which lists their “top 10 security nightmares,” and is well worth reading for those who want a look back. Remember, 10 years ago at this time, when we were all biting our knuckles over the whole Y2K bug scare? How times have changed! The full article is much too long to post here, and too long to even really do justice in excerpts, so I’ll just briefly list the headers they have for their top 10, and then wish everyone a happy new year! 1. Cyberwar 2. Malware Makes Strange Bedfellows 3. MySpace, Facebook, and Twitter Attacks 4. Organized Viruses and Organized Crime 5. Botnets 6. Albert Gonzales 7. Gone Phishing 8. Old Protocol, New Problem 9. Microsoft Patch Tuesdays 10. Paid Vulnerability Disclosure

A shocking — shocking! — story is making the rounds of the media currently, to the tune of: “spam actually works.” What a surprise! The notion that email scammers are actually making money at what they do, instead of clogging the pipeline of the world’s email just for fun (or for nefarious purposes, in the same way James Bond villains will occasionally hold the world hostage), is an absolute revelation in some circles, it appears. For anyone who has been living under a rock for the past… oh, two or three decades… here’s a newsflash: the spam fight ... more

The Mega-D botnet, at one point, was responsible for almost 12% of all spam, and infected over 250,000 computers worldwide. When it was taken down at the beginning of last month, MessageLabs reported it had shrunk to “less than 0.1 percent” of spam. This amazing feat was pulled off in the space of a few days, by a man who had prepared this botnet takedown for two years. PCWorld has the full story of Atif Mushtaq, and his valiant and successful fight to kill off one of the top 10 botnets in the world. It’s a fascinating ... more

The Wall Street Journal is reporting that Citigroup was the victim of a botnet attack this year which resulted in the theft of “tens of millions of dollars,” but SCMagazine is already refuting this with a vigorous denial by the bank. Of course, banks rarely wish to draw attention to such security breaches, since what all financial institutions fear is a withdrawal frenzy by their depositors. So one wonders whether the bank doth protest too much, in this case. Complicating the situation, the article ominously points out that the FBI has not officially commented on the subject, which might ... more

The Obama Administration has just announced the appointment of a “cyber-czar” to oversee federal cybersecurity across the entire national government, and his name is Howard A. Schmidt — who previously worked for the Bush Administration in a similar capacity. This is not entirely surprising, since combatting cyber-criminals is not exactly what you would call a “partisan” goal. No matter what party you hew towards, I think we can all agree that the protection of the American parts of the internet is a paramount federal concern — it’s just not a right/left sticking point, nor should it be. And ... more

As 2009 draws to a close, network security specialists are taking a look at what can be expected in the never-ending battle against botnets. On the rise next year, PC World predicts, will be attacks on file-sharing networks and partner programs. That last one is insidious, because the scam artists are finding new ways to almost legitimize the profits they are making online, by entering into some very grey areas which may not actually run afoul of the law. Of course, all good IT girls and boys should have already asked Santa to leave some robust bot detection ... more