Things to Know

Choosing an anti-virus is the most important decision you will make after buying a new computer.

Keeping your private information private is your business and a real concern.

At HARD DRIVE, we know that you deserve this common decency. HARD DRIVE is offended that any of us should need to spend time, money and energy to protect ourselves from that threat. In an effort to keep you up to date, we are posting excerpts from the Panda Labs annual report for 2011.

Social networks play a vital role in the life of Internet users, with Facebook and Twitter as the world’s biggest social media sites. This year we have seen the launch of a new social networking service in a bid to rival Facebook: Google+.

Social networks
Despite its rapid growth, with more than 25 million users registered in just a few weeks, Google+ is still far away from its direct competitor, Facebook, which makes it less of a target for cyber-crooks. However, we have seen a curious attack: Right after its launch, as invitations were not open to everyone and there was huge expectation and interest in getting one, Google+ became the subject of a scam… on Facebook. Fraudsters created a Facebook page titled “Get Google Plus Invitation FREE” where users just had to click the ‘Like’ button to get an invitation. Obviously, you also had to provide your email address to receive the invitation which, unfortunately, never came.

2011 has seen a reduction in the number of attacks on Twitter, the short-message social network, and although there continue to be attacks based on exploiting Twitter’s ‘Trending Topics’, they are decreasing, probably due to better filtering by Twitter’s own team. In any event, it continues to be exploited as a platform to send out spam and hack accounts, as shown in the following examples: On July 4, Fox News’s Twitter account was hacked and started to post a series of alarming tweets reporting that U.S. President Barack Obama had been assassinated. In addition, the Twitter account of PayPal UK was hacked and used to criticize its poor security in offensive language.

However, other attacks had far more serious consequences. A group of attackers hacked the Twitter account of a financial institution and started sending Direct Messages (DMs) to its followers instructing them to click on a link due to a security problem in their accounts. This link took users to a phishing page that imitated that of the bank and requested data that could then be used by attackers to impersonate the victims and steal their money.

When talking about Facebook attacks, most of us tend to think that cyber-criminals use the platform to spread their malware, but that is not usually the case. As we have said on many occasions, users give away too much information on their social networking profiles, which jeopardizes privacy and facilitates hacking of email and even Facebook accounts themselves. George S. Bronk was arrested in California for carrying out this type of illegal activity. Using information available on Facebook, he managed to gain access to victims’ email accounts. Having hijacked the account, he would search for personal information he could then use to blackmail the victim. It would seem that anyone could become a victim of these types of attacks, as even Mark Zuckerberg –creator of Facebook– had his Facebook fan page hacked, displaying a message that started “Let the hacking begin”.


Finally, if there is one thing that social networks prove, it is that users are very much capable of making the same mistakes over and over again. Malware campaigns fooling Facebook users into believing they will discover who is secretly viewing their profiles are still hugely successful, and infect thousands of computer users around the world.

These scams are actually quite frequent on Facebook, cyber-crooks’ favorite platform for launching social engineering attacks by exploiting real or fake news stories.

For example, a few hours after Steve Jobs’s death, scammers had created a Facebook page called R.I.P Steve Jobs, attracting thousands of users. The page gained five new fans every second and amassed more than 90,000 fans in just a few hours. It contained a malicious URL and a text claiming that 50 free iPads were being given away ‘in memory of Steve Jobs’. Obviously, this was nothing but a scam, and once the user clicked the URL (which ended with “restinpeace-steve-jobs”), they were taken to a website offering prizes like iPads, Sony Bravia TVs, etc. However, in return users had to submit their personal details: name, telephone number, email address, etc.

Cyber-criminals’ goal is to steal information they can turn into cash. This explains why banking Trojans, targeting financial institutions and their customers, are their weapon of choice, although there are also other types of attacks. In January, The Pentagon Federal Credit Union reported the fact that cyber-criminals had used an infected PC to access one of their databases containing confidential customer information. The stolen information included each individual’s name, address, social security number and either bank account information or credit/debit card information.

Another frequent strategy is the use of ATMs equipped with duplicate card readers. In January, two men, aged 32 and 31, were sentenced to 7 and 5 years in prison respectively for this type of scam. These two men were suspected to be members of a gang of Russian and American criminals operating all over the U.S.

But it is not only the banking sector that is at risk. After a theft in the Czech Republic and attempted hacking in Austria, the European Commission was forced to suspend trading in CO2 emission credits. Of course, as usual, the cyber-criminals were seeking to profit from the attack. There was a similar attack some months ago, when a hacker stole 1.6 million carbon trading credits from the Holcim cement company in Romania. At 15 euros each, that represented losses of some €24 million. These types of attacks, in addition to the financial loss, undermine the entire system.

This diversification is present in other areas as well. This year saw the appearance of a number of variants of the infamous ZeuS banking Trojan aimed at online payment platforms like Webmoney or MoneyBookers.

One of these attacks hit the UK Government, which admitted to having suffered a targeted attack with a ZeuS variant designed to steal not only bank account credentials but also all kinds of personal information.

RSA, the security division of EMC Corporation, announced in mid-March that they had suffered a breach on their network systems that had exposed proprietary information about their two-factor hardware-based authentication system “SecurID”.

In May, Lockheed Martin, the largest provider of IT services to the U.S. government and military, suffered a network intrusion stemming from stolen data pertaining to RSA. It seems that the cyber-thieves managed to compromise the algorithm used by RSA to generate security keys, and the company had to replace the SecurID tokens of more than 40 million customers around the world, including some of the world’s biggest companies. Some months later, RSA stated that they were convinced the hackers had been funded by a foreign government and, in October, security analyst Brian Krebs published a list of 760 other victims hit by the same attackers.

In June, the International Monetary Fund said it had been targeted by a sophisticated cyber-attack for months, even though the organization made no public statement about the motivation behind it. The nature of the information stored by the institution would seem to indicate that this was a targeted attack; however, we cannot rule out the possibility that it was just a common case of cyber-crime.

The website of the European Space Agency was also hacked into and a lot of information was stolen and made public. This data included user names, FTP accounts and even FTP login details stored… in plain text files!

Also in May, Citigroup revealed that information for more than 360,000 U.S. credit card accounts had been compromised by a website hack. The worst thing about this attack is the fact that the data thieves did not even have to hack a server, but were able to penetrate the bank’s defenses and leapfrog between the accounts of different customers simply by inserting various numbers into a string of text located in the browser’s address bar.

Japanese video game company Sega also fell victim to a cyber-attack. The company confirmed that information belonging to 1.3 million customers was stolen from its database. Names, birth dates, email addresses and even encrypted passwords for the Sega Pass online network were taken. The fact that the passwords were encrypted should minimize the impact of the hacking incident, but only if strong encryption was used, which is not always the case.

Perhaps the most infamous attack that occurred this year was the one suffered by Sony. Everything started with the theft of data from their PlayStation Network (PSN), affecting 77 million users worldwide. Not only was this the biggest data theft ever, but the situation was also particularly badly handled by the company. They hid the problem for days, and when they finally made it public they simply said that there was evidence that some user data could have been compromised, even though they knew perfectly well that the situation was far more serious than that.

To make things worse, the stolen data was especially sensitive, including users’ names, billing addresses, email addresses, PSN IDs, passwords (apparently unencrypted), birthdates, purchase history, credit card numbers (from approximately 10% of users), credit card expiration dates, etc. As if this was not enough, Sony Online Entertainment was subject to another attack a few days later, a data theft that affected another 24 million users.

In July, Rogelio Hackett, 25, was sentenced to 10 years in prison and a $100,000 fine for stealing 675,000 credit card numbers and related information. The fact that there are tough sentences being handed out is very important as it sends out a strong dissuasive message to criminals: impunity is not an option.

Cyber-crooks continue to use social engineering techniques to deceive users and steal their data, taking advantage of headline-grabbing events such as the untimely death of singer Amy Winehouse or Steve Jobs.

In November, hackers broke into a database with customer information at Steam, the online platform of video gaming firm Valve, stealing information from over 35 million users, including credit card numbers and passwords. Fortunately, this information was encrypted, so the chances of thieves accessing the actual details are slim.
