Posts Tagged ‘google-’

May 18th, 2012

SMSmishing (SMS Text Phishing) – how to spot and avoid scams

If the smartphones of ESET bloggers are any indication, scams executed via SMS text, known as smishing or SMS phishing, are on the rise. I don't do a lot of texting, which makes a smish easy to spot on my phone, but I just read an amazing statistic from a Pew report: users aged 18 to 24 send or receive an average of 109.5 SMS texts per day. With this flurry of micro-sized messages, it’s easy to understand why users might not check closely before clicking on a convincing-sounding link in a text that looks like it might have come from a friend or a legitimate company. When you do, your troubles may just be beginning.

Sending messages designed to trick the recipients into clicking on a deceptive link was once reserved for fake but real-looking scam emails trying to fool users into visiting malicious sites on their PC, but scammers have realized there are (on average) far fewer protections on smartphones, and no small number of potential victims.

It had to happen: just a few years back you only used your mobile phone to make calls, but now it’s become much more. For everything from surfing the web to sending emails, viewing videos and listening to music, your mobile device is more like a computer that just happens to make phone calls. It also happens to contain a lot of your personal information, making that information readily available.

If a scammer can trick you into visiting a malicious site that attempts to get you to install malicious snooping or premium-rate SMS apps, which may be wrapped around legitimate apps, that may be just the beginning of your trouble. Many users wouldn’t notice an app silently sending premium-rate SMS texts to some far-flung country until they got the bill, and things can get dicey when you try to convince your cell provider to reverse the charges. The app you downloaded may look and function the same as the legitimate app of the same name, so you’d be none the wiser, at least at first.

In our example above the domain name looks legitimate, until you realize that the end of the URL belongs to a website very different from Wal-Mart. But if you’re in a hurry, would you spot this?

Of course, one thing we should note in this example: it’s extremely unlikely that Wal-Mart has suddenly decided to dole out $1000 gift cards to a lucky few. This one even creates a false sense of urgency by claiming you’d better act before the remaining 161 are claimed. Sounds fishy (pun intended), but hey, these things propagate because similar SMSishing campaigns worked, and the numbers seem to be growing. With falling rates for sending SMS texts these days, and an increasing number of target smartphones, there is an attractive and target-rich environment for cyber-scammers.
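The deceptive-domain trick described above can be checked mechanically: the part of a host name that decides who receives the click is the registrable domain at the end, not the familiar name at the front. The script below is an added example, not code from the original post; the sample links and the short suffix list are constructed here, and brand_domains is an assumed input listing the domains the brand really owns.

```python
"""Spotting a look-alike link of the kind described in the smishing post.

Added example, not from the original post. A link such as
walmart.com.gift-cards1000.info/claim reads as Wal-Mart's domain if you
stop at the first dot, but the registrable domain at the END of the host
is what decides where the click goes.
"""
from urllib.parse import urlsplit

# Constructed, minimal suffix list sufficient for the sample URLs below.
# A production check would consult the Public Suffix List instead.
KNOWN_SUFFIXES = {"com", "net", "org", "info", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (e.g. 'example.co.uk') for a host."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix (co.uk) before a one-label one
        suffix = ".".join(labels[-n:])
        if len(labels) > n and suffix in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()  # IP literal or unknown suffix: treat as-is


def classify_link(url: str, brand_domains) -> dict:
    """Classify an SMS link as 'brand', 'lookalike' or 'unrelated'.

    brand_domains: registrable domains the brand really owns
    (assumed input, constructed for this example).
    """
    if "://" not in url:  # SMS links are often bare host names
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""  # drops any user@ portion and the port
    reg = registrable_domain(host)
    if reg in brand_domains:
        verdict = "brand"
    else:
        # The brand name appearing anywhere outside the registrable domain
        # (subdomain prefix, user@ portion, path) is the tell-tale sign.
        brand_words = {d.split(".")[0] for d in brand_domains}
        mentioned = any(w in url.lower() for w in brand_words)
        verdict = "lookalike" if mentioned else "unrelated"
    return {"host": host, "registrable_domain": reg, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links, modelled on the gift-card text above.
    samples = [
        "https://www.walmart.com/giftcards",
        "walmart.com.gift-cards1000.info/claim",  # brand as subdomain
        "http://walmart.com@tiny.example.net/x",  # brand in user@ part
        "http://203.0.113.5/walmart/1000",        # brand only in path
        "http://news.example.org/article",
    ]
    for s in samples:
        r = classify_link(s, {"walmart.com"})
        print(f"{r['verdict']:9}  {r['registrable_domain']:24}  {s}")
```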

Defending Against Smish

So what can you do to protect yourself? The first thing I suggest is restricting your mobile app downloads to the official marketplace for your device, not some third-party website. The official marketplace portals, such as Google Play for Android, increasingly have scanners in place to detect and remove malicious or scam apps, giving you a margin of safety.

Also, in the same way that it’s not a good idea to click on email links without thinking, you should think twice before clicking on SMS text links. It’s easy enough to open your mobile browser and navigate directly to the website in question, without following the link.

You might also want to lock down your device using its security settings, or even install security software that can spot scams before you fall for them. Beefing up the security on the device helps reduce the access potential scammers have to your personal information and makes you a tougher target to exploit, via SMSishing or any of a variety of other scams targeting mobile devices.

FYI: ESET Mobile Security for Android is now available through the Google play store.


May 8th, 2012

Google Drive 1.0.2975.8828

Google Drive is a place where you can create, share, collaborate, and keep all of your stuff. Whether you’re working with a friend on a joint research project, planning a wedding with your fianc

May 1st, 2012

Targeting ZeroAccess Rootkit’s Achilles’ Heel

Proliferation

ZeroAccess is one of the most talked-about and blogged-about [1], [2] rootkits in recent times. It is also one of the most complex and most prevalent rootkits we have encountered, and it is still evolving. The ZeroAccess rootkit is distributed via both social engineering and exploitation. A recent blog post by our colleagues at McAfee describes some of the odd methods this rootkit adopts to get installed on machines without being noticed.

One of the goals of this rootkit is to create a powerful peer-to-peer botnet, which is capable of downloading additional malware onto the infected system. This botnet is reportedly [3] involved in click fraud, downloading rogue antivirus applications, and generating spam.

This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detection over the past week.

Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily. And the trend is continuing upward.

Installation

In my recent analysis of this rootkit, I was looking to understand the initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Step 1 usually varies between variants: some variants directly overwrite a legitimate driver, while others first inject the malicious code into trusted processes such as explorer.exe and then overwrite the driver from the injected code (this is done to bypass various security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver that is overwritten in Step 2 is randomly selected (details here [1]); in the discussion below we assume CDROM.sys is being overwritten. Steps 2 to 8 are fairly static across variants of ZeroAccess. Once the driver is overwritten by malicious code, it is loaded in kernel space. The first task of the kernel-mode code is to ensure that the malware survives reboots and to forge the view of the overwritten driver (CDROM.sys).

Let’s move on to see how this scheme works in Steps 5 to 8. In Step 5, ZeroAccess intercepts disk I/O by hooking the DeviceExtension->LowerDeviceObject field in the disk driver’s DEVICE_OBJECT, so from then on any disk I/O goes through the rootkit’s malicious routine. In Step 6, the kernel-mode code has access to the clean image of the CDROM.sys driver stored in memory, and to survive reboots it flushes that image to disk using the ZwFlushVirtualMemory API. Interestingly, the request to flush the clean image is sent to the file CDROM.sys, which at first glance looks counter-intuitive: why would the rootkit want to write the clean image to the file it just infected in Step 2? Looking more closely, the rootkit is actually using its disk I/O redirection framework. When the request to store the clean image on disk traverses the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit’s “protected” folder, created in Step 3, instead of going to the actual CDROM.sys.

April 12th, 2012

Pinterest security update

We recently highlighted a security walkthrough of Pinterest.com, the pinboard-style sharing website that’s taking social media by storm. Since then, they’ve continued to grow, and continued to have the growing pains common in organizations with rapid growth. Here we highlight ways they are adapting, changes they are making, and what it means to you.

First, we note that Pinterest, by one account, drives more referral traffic than Twitter, no small feat. We also read that traffic spiked 52 percent between January and February, from 11.7 million unique visitors to 17.8 million, according to a comScore report. On its meteoric rise, it has faced issues ranging from copyright problems to fake gift card scams, and now we are seeing cybercrooks focus squarely on the platform as a delivery method for their scams to potential new/unfamiliar audiences.

The gift card scams start by purporting to offer free goods or services, ranging from coffee gift cards to free iPads. We’ve seen this before with more traditional web-based scams, but here the scam is tailored to Pinterest, coaxing the user to click on the pinned entry and visit endless survey websites before getting the alleged gift card. The twist is that scammers add a step required to “get your free gift card” that involves re-pinning the original scam, thereby spreading it in your name, so that it appears to come from you instead of the original scammer. From there, some users are encouraged, as a final step before getting the gift card, to install software, which would guarantee a steady supply of pop-up ads and other potentially unwanted applications, or worse. While Pinterest has attempted to crack down on these scams, and users become familiar with them and get wise, the scams are still propagating.

Then, there is the issue of copyright. While not strictly a security issue, users could still be exposed to potential violation of the copyright of a given work, to the chagrin of more than a few users. It seems that a user is expected to comply with the copyright of a photo they post, for example. But what happens when that same image gets re-pinned, possibly extending its exposure far beyond the scope of the original copyright, a burden which the old terms of service attempted to place on the original poster? That (and other related) policy has been updated with the recently released Terms of Service, which you can read here.

Now we see Pinterest has produced an API for other apps to interact with the service, so we’ll wait and see if this exposes new security risks or exploits. To address this, other services have enlisted paid bounty programs to reward researchers for finding and reporting issues rather than exploiting them, which seems to have been effective at Facebook and Google for some time now. Hopefully Pinterest will consider such a program, or crowd-sourced variations, which would beef up the number of security specialists watching for problems – hopefully before they happen.

In the meantime, many users have been caught off guard by the amount of their Facebook information (since you are required to use either a Facebook or a Twitter account to sign up for Pinterest) which seems to “magically” appear on Pinterest when they log in to the site, especially pins from users whose names are familiar from the Facebook friend list. One way to ensure that a minimum of information is cross-shared (if you are predisposed to restrict it for security reasons, to limit data sprawl, or otherwise) is to restrict your sharing settings on your Pinterest settings page. By ratcheting these down, you can exercise more control over what portion of your friends’ information may ooze over to Pinterest, for whatever uses they see fit.

We’ll continue to keep an eye on the security stance of the service as it continues to expand. But the usual advice applies: watch for offers that look “too good to be true”, and use a more minimalist approach to sharing and cross-sharing across your friends/contacts from various social media. You’ll be glad you did, and so will your friends, whose information may be more well-protected against data sprawl, and its accompanying problems.


March 29th, 2012

Mobile Threat Update: Be careful not to get a bite…

This week, the AVG Mobilation™ research team found new malware named ‘Crazy vampire’ in China.

The application is a maliciously modified version of a calendar application, in which the developer added malicious code and changed the name, icon, signature, and UI.

The aim of the malware is to target Chinese users and get them to upgrade to the Premium service of the infected application.

March 28th, 2012

Privacy Gains: The FTC Begins Move To Protect Consumers Online

Monday, the FTC released a report publishing principles and recommendations for consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change” (summary and full report [PDF]), provides what the FTC considers best business practices around privacy. These best practices are not regulations, but they are intended to serve as guidelines for legislators in drafting privacy regulations. They can also serve as a framework for the federal government’s own privacy policies and personal data practices.

At the core of the report, and in broader privacy circles, we see discussions center around three foundational elements of privacy: knowledge, consent, and control.

  1. Knowledge. The collection and use of information should be transparent. Consumers should know what is being collected, how it is being collected, how it is being used, and how it is being shared.
  2. Consent. Consumers should be presented with a mechanism for agreeing to these practices. The recommendations did not mandate an “opt-in” versus “opt-out” approach: whether the default policy if the consumers don’t take any specific action would be not to collect (“opt-in”) or to collect (“opt-out”). But the report does advance the notion that it is insufficient for organizations to provide an all or nothing approach, where conditions on use of a service or product requires you to submit to full data collection.
  3. Control. Consumers should have choices as to whether and to what degree, to participate in data collection, and how that data could be used; and companies should make those choices simple for consumers to understand and to execute.

Consumer attitudes about privacy and data collection are undergoing a fundamental change, driven by online data collection practices. Historically in the US, businesses have been given broad latitude in their actions as long as they are not fraudulent or deceptive. However, we’re witnessing a full 180-degree turn in consumer attitudes, which is what’s behind the FTC’s actions. Consumer concern over personal data collection and use by businesses is reaching critical mass, driven by concern over Internet powerhouses such as Google and Facebook, mobile carriers and ISPs, and the shadow worlds of online advertising networks and data brokers. Restraints on businesses’ privacy practices are inevitable.

Unfortunately, not all the consumer privacy news these days is good. More about that in my next post.


March 14th, 2012

Living Our Lives Online… Anonymously

I recently bumped into a colleague who mentioned his 20-something daughter regularly changes her online screen names to essentially prevent herself from building a long-standing reputation online. Her profile picture on Facebook, for instance, is deliberately obscure and not searchable using her full name.

March 14th, 2012

Google’s data mining bonanza and your privacy: an infographic

Do you use Google? These days the question sounds almost absurd. If you use the Internet, or an iPhone, or an Android phone, or a Kindle or an iPad, then of course you use Google in some shape or form. And if you take a keen interest in how your personal information is used, you probably know that on March 1, 2012, the world's largest collector of personal data, Google, changed the way it uses information about you. But how big of a deal is this? And what, if anything, should you be doing differently today to protect data that Google may be collecting about you?

Let's start answering those questions by picturing just how much data about its users Google has the potential to tap. The infographic on the right is titled “Google Data Mining Bonanza.” It shows some, but not all, of the different “pools” of data that Google could potentially access in order to build a picture of you and your interests as you use different Google services.

Just to be clear, I'm not saying that Google is actively mining all this data to create detailed profiles of people that are shared inappropriately with third parties. But I am saying that the changes Google made on March 1 have raised numerous questions to which I have not yet found answers, and I'm not exactly new to Internet privacy (I wrote a book about it 10 years ago).

The most visible sign of those March 1 changes is a “unified privacy policy” that combines over 60 separate privacy policies for different Google services into one. There is much to be said for the benefits of a unified privacy policy, but applying one retroactively is problematic. That's why the folks who first thought about privacy and computer-based information systems chose, as the first privacy principle: Notice/Consent.

To its credit, Google gave plenty of Notice of the March 1 changes, but when you first signed up for something like Gmail I'm guessing you did not give informed consent to what Google is doing with your data today. And millions of users of those scores of Google services have time and data invested in them which make withholding consent, where that is an option, problematic to say the least.

Take Google's Gmail for example, which I started using in 2005. (Google claims there are now 350 million active Gmail users.) Even though I don't use Gmail for all my email, there are currently more than 47,000 messages in my Gmail Inbox. You could draw a fairly detailed picture of the last 7 years of my life from that lot.

How about Google Search? A quick back-of-the-envelope calculation tells me it is quite possible that I've performed more than 47,000 searches via Google in the same time period. What a picture those search terms could paint! And if it's moving pictures you want, consider the YouTube videos that I have uploaded, commented on, searched for and watched.

Not that I think I am personally of great interest to Google or the world in general, the point is I am valuable to Google as a potential clicker of online advertisements; and Google has found that my value increases each time the company can pipe another source of data about me into the ad targeting mix. Like a lot of people, including many fans of Google, I am now wondering what could happen to my “pooled” Google data.

So what are my options if I want to cut back on Google's use of data about me? The place to start, a place you should visit even if you're not that bothered about what Google does with data about you, is the Dashboard.

The Google Dashboard

You need to be signed into Google to see your information on the Dashboard, and you might be surprised at just how much information that is. I counted 32 different entries plus a note that says “15 additional products are not yet available in this dashboard.” (It would be nice to know what those are, so I will keep checking back.) Below you can see the top of my Google Dashboard, with some of my personal information blacked out.

The first thing on the Dashboard that caught my interest was the entry titled: “Websites authorized to access the account.” When I clicked on this link, lo and behold there were some surprises, including connect.thedailyshow.com and socialize.cnet.com.

No offense to Jon Stewart or The Daily Show or CNET, but I don't recall giving them special access to my Google account, so I used the Revoke Access link to remove them, leaving just the Google Mail Notifier and Google Calendar.

While revoking access was easy, this page could do a much better job of explaining what exactly access means, and what the implications of adding or revoking access might be. The same page does present a lot of information about “application-specific passwords” and “2-step verification,” but again there is not enough context.

Me on the Web

The second item on my Google Dashboard is “Me on the Web” and it has three sections, although that is really over-selling the content Google has put together for this section:

  1. How to manage your online identity: Tips on searching for yourself to see what is out there; creating a Google profile as a way to control what people learn about you; removing unwanted content and search results, and; getting notified when information about you appears on the web.
  2. How to remove unwanted content: More about the same topic covered in section 1.
  3. About Me on the Web: More about the section you are looking at.

Despite the redundancy, this is good information, stuff that people who are heavily involved in social media probably know and do already (for example, I regularly Google myself to make sure nothing bad pops up and I have a Google Alert on myself for the same reason). What may come as a surprise to the more casual Google user is the amount of work it takes to manage your online identity.

Web History

What may also come as a surprise when you start to explore the Dashboard is the fact that the privacy item most people seem concerned about–Web History, the information that Google stores about what you search for–is way down at the bottom of the page. (I know that's because the page is alphabetically arranged, but to me that is weak user interface design.) When you do work your way down to Web History it can make interesting reading. Here's what I saw when I clicked the “Remove items or clear Web History” link:

Google Web History

When you check out this page for yourself, don't be surprised to find that it includes searches conducted on multiple devices. From my entries it was clear that Google was tracking my searches on my laptop, my iPhone, and my Kindle Fire. It is this kind of all-embracing, cross-platform tracking of what you do with Google that seems to bother some privacy-conscious people. Fortunately, Google makes it easy to put a stop to this: just click the Pause button. According to Google, the Pause button will “prevent your future web activity from being saved in Web History and from being used to personalize your search results.” If you then click Remove all Web History all your past activity will be erased.

Another way to avoid Google tracking your search activity is to use search without signing in. If you go to www.google.com in a web browser on a laptop or desktop and you see your name at the top of the page, that means you are signed in. You can click on your name to access the Sign out option.

If you are using Google as your search engine on your Apple iPhone and you are using iOS5 then you can go into the Safari settings and turn on Private Browsing to turn off tracking. (I'm pretty sure Private Browsing is off by default and I don't recall signing into Google on Safari on my iPhone, but I can assure you my searches from that phone were tracked by Google until I turned on Private Browsing.)

You may have noticed that Google is pretty persistent about signing you back in and keeping you signed in once you have logged in from a particular browser. One strategy to consider on your laptop or desktop is multiple browsers because Google login is browser specific. That means you can use the Chrome browser for your “logged in” Google activity but Firefox for activity where you don't log into Google. For good measure you can turn on the “Do not Track” option in Firefox.

How problematic is it that Google records your search history? The answer is largely subjective, based on how you feel about other people knowing what subjects interest you. Not that people at Google sit around reading your search history, but there are clearly issues of trust around what could happen to your history.

Consider the section of the Google Privacy Policy titled “For legal reasons.” Basically, it says Google will indeed share your personal information with companies, organizations or individuals outside of Google if the company has “a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request.” I'm no lawyer but I would say that's a pretty broad definition and there seems to be a lot of room for interpretation in phrases like “good-faith belief” and “reasonably necessary.” The extent to which you feel you can rely on Google to screen and vet such requests is a matter of trust. And Google would clearly have no control over the way in which a third party would interpret my Google searches for subjects like “missile silos near me” and “where to buy arsenic.”

Ads Preferences

One reason Google would like to track your searches is to improve the targeting of adverts. The company argues that such targeting is better for you. The stock market suggests it is also better for Google. But although Google allows you to exercise some control over the ads you see, those controls are strangely absent from the Dashboard. You have to go to a place called Ads Preferences to make changes. The preferences are broken out into “Ads on Search and Gmail” and “Ads on the Web.”

You will find the latter very interesting if you have been allowing Google to use its cookie to track your activities. The page presents “a summary of the interests and inferred demographics that Google has associated with your cookie.” Frankly, I was surprised at what I found, because it was not a very well-rounded picture of my interests. This suggests that Google is not doing all the correlation of data that it could, at least not yet. (For example, the fact that my demographic age is listed as 45-54 has to be intentional flattery, since my date of birth is in my Google Profile and it proves I'm older than that.)

The Ads Preferences page allows you to opt out of seeing targeted ads and gives you access to the Remove and Edit features for ad preferences. These enable you to tailor ads by removing erroneous categories or adding fresh categories. As with many things Google, the details are quite complex. For example, a cookie is required to prevent tracking. So if you routinely erase your cookies you potentially remove your opt-out preference (we will have more to say about this in a future post).

More to be Said

Indeed, there is a lot more to be said about Google's privacy policy changes and the way they are being handled, starting with the fact that Google went ahead with them despite a chorus of objections from legislators and regulators in the U.S. and the E.U. There is also the question of corporate and government agency use of Google products and what the changes mean for them. Expect to see more blog posts on this topic in the coming weeks. (For further reading right now, the San Jose Mercury News offers a fairly balanced review of reaction to the recent Google privacy changes and there is an extended discussion here on NPR.)

During the financial crisis of '08 we all became familiar with the term “Too big to fail.” I find it hard to escape the feeling that, given the vast size of Google's installed base and the broad range of its services, its privacy policy changes are: “Too big to understand.” Certainly, getting a clear picture of where things now stand will take a lot of work on the part of Google users, even as Google continues to build out tools like the Dashboard, which is still a work in progress (for example, I got a “page not found” error when I checked out the link titled “About privacy and security in Google Voice”).

We'd love to hear your thoughts about Google privacy and your experiences with the Dashboard.


March 12th, 2012

Kelihos: not Alien Resurrection, more Attack of the Clones

Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos).

March 10th, 2012

AVG Feedback Update: Week 7

1. AVG Secure Search

AVG Secure Search is powered by Google; the only difference is that the results are checked on a remote AVG server before being displayed in your browser. Warning verdict icons are displayed next to suspicious search results.

More information on disabling AVG Secure Search on newly opened tabs in Mozilla Firefox can be found in our previous feedbacks, for example here.

Please feel free to contact AVG technical support or ask at AVG Forums if you have specific questions on AVG Secure Search.

7,1 Bot