Tag: privacy

16 million German email addresses stolen, including passwords

german-email-addresses-stolen-bsiThe BBC has reported no less than 16 million German email addresses stolen, and account passwords stolen as well by hackers. The hackers infected the computers of the victims which in turn registered those victims in a network from where their data could be stolen.

The German Federal Office of Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) is investigated the matter, but no sign yet of any details of where the theft has originated from. The agency has created a website to check whether you have been hacked or not. The website can be found here. On the first day more than 300,000 people had already visited the website. With this many German email addresses stolen, it seems that the hackers have been executing their theft quite professionally.

German news site Bild (Google Translate version of article) notes that when a match is made with an email address that is entered on that website, an email will be sent to that email address. That email contains tips on what to do: if a match is made the chances are pretty high that the email address owner’s computer is infected.

The fact that more than half of the stolen email addresses ended with .de provided the insight that the attack was aimed mainly at German email address owners. 16 million addresses would cover about one fifth of the total german population.

Related Posts:

To prevent phishing scams, banks are collecting special TLD domains

icannScammers will have a harder time trying to do phishing: banks are picking up new type top level domain names (TLD) to prevent attacks.

In the land of email, phishing scams are a common sight: your bank or credit card company supposedly sends you an email, with a request to either click on a link or reply with details.

This is all a big scam of course, trying to either get you to fill in financially critical data and/or trying to break into your computer via the installation of malware on your computer after clicking a link.

Banks are battling this on many fronts, and one of it is the domain name industry. Earlier last year, new types of TLD names have become available so that there is no more limit to the type of TLD you can register.

A quote from the Wall Street Journal article:

The new addresses include extensions like dot-citi, dot-bofa and dot-barclays. The banks hope these extensions will help their online customers know they are actually dealing with the bank and not a scam website trying to pilfer personal information.

The trouble with these new TLDs like .citi, .americanexpress and .jpmorgan is that the end user doesn’t know about these TLDs yet. Things will have to move slow, both in services offered from those new domains as well as communications. If it all goes too fast, consumers might think that scammers are trying to pull a phishing scam on them instead of the actual banks trying to conduct business.

Other reasons for registering these TLDs that are mentioned are customer service and brand promotion. Having a TLD like .jpmorgan or .barclays can provide a clear endpoint for people: when visiting a domain like service.barclays they can be sure they are at their bank’s domain and not at a scammer’s site.

You can read the whole WSJ article here.

Related Posts:

US Senate votes to extend FISA Amendments Act for five years

us_senate_fisa_amendments_actThe FISA Amendments Act, which has been in effect since 2008, has been extended for another five years by a US Senate vote. The vote turned out to be 72 to 23 to extend the FISA Amendments Act for five years until December 31,2017.

The act allows the US to warrantlessly spy on phone calls and email communications made by American citizens with foreigners abroad, when there’s reason to believe that terrorism is involved.

A quote from a Mashable article on the extension:

As part of the monitoring program, the government can get court orders — which do not require probable cause, like typical search warrant — to access citizens’ phone calls as well as electronic messages such as emails, provided there is evidence those communications involve “foreign intelligence information.”

The trouble with the act is that a single FISA order can affect a large portion of the US people, without being specific on what is involved in the communications – just ‘foreign intelligence information’ is sufficient.

Read more on the FISA Admendments Act extension on the Electronic Frontiers Foundation website here (written before the Act was extended).

Related Posts:

Updated: Botnet hits Android smartphones, sends spam from Yahoo accounts?

botnet_on_smartphones_email_spamCompromised Yahoo accounts have been used to send out spam by a botnet recently. In this case it’s not a ‘regular ol’ botnet’ living on zombie computers, but one operating out of Android powered smartphones.

A blogger on the Microsoft blogs named tzink noted this recently, with a lot of commenters posting about the same happening to them. The originating countries can be traced back due to the IPs used: they were Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

A quote:

All of these message are sent from Android devices.  We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices.  These devices login to the user’s Yahoo Mail account and send spam.

 

Apparently the developing world citizens are less strict about security on their smartphones. In this case tzink suspects that malicious software disguised as a free app is is part of the botnet.

However, one commenter thinks it’s just the malicious Android app itself signing up for new Yahoo accounts, and not using existing Yahoo email accounts:

With all of the samples I’ve seen, the Yahoo! email address follows the same format (FirstnameLastname followed be 2 numeric characters @yahoo.com). This would suggest it is simply a botnet which has circumvented the Yahoo! Android sign-up API to create new accounts rather than those being peoples actual email addresses.

 

Spam filters will have a tougher time distinguishing good email from bad email, if these email are being sent from/by normally legitimate Yahoo email accounts. They should be able to filter by content though, as tzink notes that the spam message content

Email spam volume has been dropping in recent times, but this jump into the smartphone arena by a botnet makes it clear that we’re not yet finished with the spam game.

Remember, there’s always a way to handle spam: don’t forget to read ‘Help, I’ve received spam from $company! What to do now?

Update 1: according to a post on The Verge, Google denies that Android smartphones have been compromised and a botnet is sending out the emails.

From the end of that article:

There’s still a definite possibility that this is indeed an Android botnet of some sort, and both researchers claim the evidence points that direction, but we’re far less certain than we were before, and a little less trusting, too.

The spam was supposedly sent using a spoofed mobile email signature, bypassing spam filters. Because of that mobile email signature, the messages are/were considered to be coming from Android smartphones, but that is now uncertain.

Related Posts:

Google, Yahoo sued for preemptive reading of email to serve ads

google_yahoo_email_privacy_ad_serving_gmailGoogle and Yahoo have been sued in the state of California for intercepting emails and serving ads based on keywords in those emails before they’ve reached the inbox of the intented recipients.

Such is the case of the lawsuit, filed in June in Marlin County Superior Court. The three men who filed the lawsuit note that the CIPA, or California Invasion of Privacy Act, has been violated in the ad serving process.

A quote from the ABC article:

“We began the investigation quite some time ago when a client came to us,” said F. Jerome Tapley, a lawyer in Birmingham, Ala. who represents the plaintiffs. “They noticed that the ads within their email browser were strangely correlating to the incoming email they were getting from their friends. It creeps people out.”

Yahoo has yet to respond to the lawsuit, but a Google spokesperson noted that ‘no humans read users’ emails or Google account information in order to show advertisements.’

Next to that, what about spam filters? These days we’re so happy with them (even though spam has been on the decline as of last year): if Google, Yahoo and other email providers would not check the content of emails, how could they decide what was spam or not?

It will be interesting to see how this will pan out: this might have a big effect, not just on ad targeting and serving, but also on spam filters.

Related Posts: