Web Security


Online Ad Sales Open Door to Viruses

From The Wall Street Journal (Emily Steel)
On a Saturday night at the end of May, visitors to the forums section of Digital Spy, a British entertainment and media news Web site, were greeted with an ad that loaded malicious software onto their computers. The Web site’s advertising system had been hacked.
A number of such attacks have occurred this year, as perpetrators exploit the complex structure of business relationships in the online advertising, with its numerous middlemen and resellers. Web security experts say they have seen an uptick in the number of ads harboring malware as the economy has soured and publishers, needing to boost their ad revenues, outsource more of their ad-space sales.  Read the full story [wsj.com]

How to Avoid Scareware Attacks

From Just Ask Gemalto (Dennis Fisher)
Computer users have been conditioned over the last few years to recognize and avoid many of the more common scams and threats on the Internet: email viruses, phishing, spam, Nigerian 419 ploys and work-at-home money-mule schemes. You know that an email promising funny pictures of Britney Spears is probably more likely to install malware on your machine than to brighten up your day with more of Britney’s zany antics.

URL Shortening Service Hacked

From Computerworld (Gregg Keizer)
A URL-shortening service that condenses long Web addresses for use on micro-blogging sites like Twitter was hacked over the weekend, sending millions of users to an unintended destination, a security researcher said today. Read the full story [cio.com]  Also see commentary from Roel Schouwenberg [viruslist.com]


A collection of some of the top names in the security community has sent a letter asking Google to force users of its online applications to use secure connections by default. And Google has responded quickly, saying that it is investigating the possibility of enabling HTTPS connections by default for users of Gmail, Google Calendar and other applications.

A security researcher who specializes in browser and Web 2.0 vulnerabilities plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem.
The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff.  It will disclose a  combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.

By Alex Rothacker, Team SHATTER

It seems as though the latest rash of threats and attacks all have a familiar ring to them: they’re all aimed at social networking sites like Twitter and Facebook, which is interesting, because smart attackers will use whatever means possible to get to the stuff that really counts – enterprise data.

Threatpost editors Ryan Naraine and Dennis Fisher talk about the problems with developers implementing their own crypto libraries in Web applications, the short list of names for the cybersecurity czar job and the possibility of a full-scale hacker bracket competition.
[audio http://www.threatpost.com/sites/default/files/newswrap_4.mp3]

From ZDNet (Dancho Danchev)
Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as fake video ActiveX object [paretologic.com] found at a bogus Macintosh PortTube site.
The use of fake video codecs is a social engineering tactic exclusively used by malware targeting Windows, and seeing it used in a Mac OS X based malware attack proves that successful social engineering approaches remain OS independent.  Read the full story [zdnet.com]

Patch management has become, in the words of one bleary-eyed IT guy, “just freaking ridiculous.”

Here’s a look at what this IT guy, whose primary role is managing risk at a medium-sized business, was up against in the last two weeks:

07/21/18 8:00
How #cyberinsurance changes the conversation around risk: https://t.co/a6hKWUWuNG

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.