Group activity

New updates
Tohias Avery
19% of social media accounts associated with top ten brands are fraudulent

Online Security
Fake brand social media accounts are on the rise according to a study into the shape of the industry from Proofpoint.

From April through June 2016, the 10 top brands across different industries were identified and analysed across Facebook, Twitter, YouTube, and Instagram. A total of 4,840 brands were found to be associated with these companies – almost a fifth (19 per cent) were fraudulent.

Social media is reportedly a prime platform for fraud. Used as a corporate marketing and communications tool, it can be hijacked with malicious intent such as spamming users and misrepresenting the brand.

Of the 902 fraudulent accounts associated with 10 top brands, nearly 30 per cent were scams or offers for counterfeit products and services. Furthermore, four per cent of these were either phishing for user information, looking to install malware, protesting against the company in question or parodying it – which it claimed could harm the reputation of the brands.

These were BMW, Capital One, Chanel, Amazon, DirecTV, Nike, Samsung, Shell, Sony and Starbucks, as selected by the Brand Directory list of top brands for 2015.

The report said: “Many unauthorised accounts are fake brand accounts. They are created solely to defraud your customers or undermine your brand. Bad actors create these accounts for financial gain or to protest your company and create negative brand sentiment.

“Other fraudsters prey on customers who try to engage with your brand. They target customers using fake customer service accounts, phony sweepstakes, and more. Some are motivated by a political agenda and create fraudulent accounts to attack a brand’s image. Most often, they closely imitate the brand to make fun of the company or its customers. These protest accounts diminish brand value and create a negative or even hostile experience for customers.”

The most common fraud practices included offering free gifts or discounts, or posing as customer support or software updates.

A flaw was also identified with Facebook and Twitter verification which can help with capturing the spammers – while the seal is viewable on the profile it is not always readily viewable on individual tweets and posts.

Social media phishing is the fastest-growing social media threat, increasing 150 per cent from 2015 to 2016.

Emilly Birrell
Apple urges iPhone users to update after powerful cyberweapon is found BY Online Security

SAN FRANCISCO – Apple on Friday urged iPhone owners to install a security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by malware dealers.
Researchers at the Lookout mobile security firm and Citizen Lab at the University of Toronto said they had uncovered a three-pronged attack targeting the dissident’s phone “that subverts even Apple’s strong security environment.”

Lookout and Citizen Lab worked with Apple on an iOS patch to defend against the attack, called Trident because of its triad of methods, the researchers said in a joint blog post.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” Apple said in a released statement.

Trident is used in spyware referred to as Pegasus, which a Citizen Lab investigation showed was made by an Israel-based organization called NSO Group. NSO was acquired by the U.S. firm Francisco Partners Management six years ago.
Lookout referred to Pegasus as the most sophisticated attack it has seen, accessing calls, cameras, email, passwords, apps and more.

The spyware was detected when used against Ahmed Mansoor, a human rights activist who has been repeatedly targeted using spyware.
After receiving a suspicious text with a link, he reported the matter to Citizen Lab, which worked in conjunction with San Francisco-based Lookout to research the affair.

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information,” the joint blog post said. “This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

Mansoor received text messages on Aug. 10 and 11 promising that secrets about detainees being tortured in United Arab Emirates jails could be accessed by clicking on an enclosed link, researchers said.
Had he fallen for the ruse, the Trident chain of heretofore unknown “zero-day exploits” would have broken into his iPhone and installed snooping software.

Once infected, Mansoor’s iPhone would have been turned into a “spy in his pocket” capable of tracking his whereabouts and conversations, Citizen Lab said.
Mansoor was targeted five years ago with FinFisher spyware and again the following year with Hacking Team spyware, according to Citizen Lab research.

“The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists,” the researchers said.
Although the cyberattack on Mansoor was not linked to a specific government, Citizen Lab said indicators pointed to the UAE.

UAE authorities did not comment on the matter.

Lookout and Citizen Lab believe the spyware has been “in the wild for a significant amount of time.”
“It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android and Blackberry.”

Citizen Lab has also found evidence that “state-sponsored actors” used NSO weapons against a Mexican journalist who reported on high-level corruption in that country and on an unknown target in Kenya.
The NSO tactics included impersonating sites such as the International Committee of the Red Cross, the British government’s visa application processing website and a wide range of news organizations and major technology companies, the researchers said.

Mansoor’s decision to enlist Citizen Lab instead of falling into the trap gave researchers a rare chance to expose the work of “shady cyber arms dealers” who command high prices for morally questionable services, said Lookout’s vice president of security research, Mike Murray.

Clara Pressnell
Which? files supercomplaint against banks over transfer fraud by Online Security

Banks may face formal inquiry into whether they can refuse to reimburse victims conned into transferring money into fraudsters’ accounts

UK banks should do more to protect customers tricked into transferring money to fraudsters, according to a consumer body that has lodged a “supercomplaint” with financial regulators. The move by Which? means banks could now face a formal investigation into whether they can continue refusing to reimburse victims.

The organisation submitted its first supercomplaint this year in the same week that official data revealed that fraud in the UK payments industry had soared by 53% as criminals develop increasingly sophisticated tactics to steal bank customers’ cash.

Which? said banks should “shoulder more responsibility” when someone is conned into transferring money to another person’s account, just as they reimburse customers who lose money due to scams involving debit and credit cards or fraudulent account activity.

Some customers have lost considerable sums. In March this year the Guardian featured the case of Sarah and David Fisher, who were conned out of £25,000 after a fraudster posed as their builder and emailed them a fake invoice that was virtually identical to the one they were expecting.

The explosion in online and mobile banking means UK consumers now make more than 70m bank transfers a month, compared with just over 100m in a whole year just a decade ago. Which? claims that “protections have not kept up”.

Using its legal powers, the organisation has submitted a supercomplaint to the Payment Systems Regulator, the watchdog for the UK’s £75tn payment systems industry, which must now respond within 90 days.

There are many financial frauds that directly target customers, such as phishing emails and phone- and text-based scams. However, among the biggest growth areas are impersonation and deception scams where fraudsters hack into someone’s email account and then pose as the builder, solicitor, landscape gardener or other tradesperson that the consumer has legitimately employed. Typically, the victim receives an invoice via email, which does not rouse suspicion because they were expecting it. It looks authentic and is usually for the correct amount – however, unbeknown to the consumer, the bank account number and sort code have been changed to those of the fraudster.

This is what happened to the Fishers, from north-west London. Last October they received a genuine invoice for building work that was being carried out, then what appeared to be a follow-up email from the same firm with a fresh invoice attached that included “our new banking details”. The couple duly paid the requested £25,000, and while it quickly emerged they had been scammed, by the time the bank that operated the account used to accept their money was alerted, the cash had been withdrawn.

Almost a year after the incident, they have yet to recover a penny of their money. Sarah Fisher, a record label manager, told the Guardian this week that the police had identified the fraudster as someone living in Denmark. As a result, the case was “not being progressed” and had effectively come to a halt.

She added: “We took it to the financial ombudsman, who said that Barclays [which operated the account] had not behaved improperly.” However, she said their MP, Tulip Siddiq, had said the case raised important issues and intended to pursue the matter in parliament.

Clara Pressnell
A shoe e-retailer takes steps to improve its fraud detection by Online Security

Fast-growing Schutz Shoes upgrades its fraud detection software to slash manual reviews and improve order processing.

Online orders were flowing into shoe e-retailer Schutz Shoes, the U.S. division of Brazilian-based shoe retailer Arezzo & Co., but the small team spent an increasing amount of time checking whether an order was fraudulent. When one employee on a staff of seven has to manually review the legitimacy of an online order, that’s time away from customers and other business, says Kimberly Gort, e-commerce manager for Schutz.

Schutz Shoes started selling online in 2014, operating its e-commerce site in the basement of its New York City store. That first year, Schutz had about $350,000 in online sales. In 2015, about half of its product catalog was available online and sales grew to $1.5 million. Now, with all of its products available online, Schutz Shoes projects about $3 million in online sales for 2016, Gort says. The retailer also opened a store in Los Angeles.

With triple-digit percentage growth comes growing pains. When the e-retailer received a modest five online orders a day, using the free tool from its e-commerce platform provider (Shopify Inc.) worked fine, Gort says. The plugin would flag orders that might be fraudulent, and the retailer decided to approve or decline such orders. For example, the tool flagged an order if the credit card and shipping addresses didn’t match, so a Schutz employee had to call the customer and determine if it was a legitimate order. Deciding what was and wasn’t fraudulent often was difficult, Gort says.

“There’s always a risk,” she says. “It was like we were playing roulette.”

The situation frustrated the retailer and the shopper, as some shoppers were blocked from placing an order or their order was delayed or they had to deal with a phone call from the retailer. Schutz was missing out on orders, devoting almost a full employee to manually check the orders and seek out consumers to verify information. As order volume and sales grew, the manual-review model no longer worked, Gort says.

In July, Schutz Shoes decided to integrate fraud detection software provider ClearSale onto its platform, choosing the vendor because it was used by parent company Arezzo. It took about two weeks to integrate the technology onto Schutz’s site, Gort says.

ClearSale factors in about 100 variables to approve or deny orders, and then has its 500-person team dig deeper on flagged orders, says Rafael Lourenco, vice president of operations at ClearSale. Orders can be approved within three seconds, while an order that requires manual review will take 24-48 hours, he says.

The impact of adding ClearSale was almost immediate, Gort says, as Schutz Shoes was no longer on the hook to manually check flagged orders. The e-retailer now approves 94-96% of its orders, which is about a 5% increase from when it relied on its free plugin, Gort says.

Kevin Cottrell
Anonymous Internet Vigilantes Are Taking Peer Review Into Their Own Hands by Online Security

Since 2012, the message board PubPeer has served as a sort of 4chan for science, allowing anyone to post anonymous comments on scientific studies. Originally intended as a forum for the discussion of methods and results, PubPeer has perhaps become best known as a clearinghouse for accusations of scientific error, fraud, and misconduct—forcing journals to issue corrections and retractions, damaging careers, and eventually embroiling the site in a court case in which it’s advised by Edward Snowden’s legal team at the American Civil Liberties Union.

In the view of its critics, PubPeer enables an unchecked stream of accusations with no accountability. But to its supporters, PubPeer is maybe the only consistently effective way to expose fraud and error in the current scientific system. It exists at a time of quiet crisis for science and science journals, when the community is concerned about an inability to replicate past results—the so-called “reproducibility crisis”—and the number of papers retracted is on the rise. The traditional system of peer review seems unable to address these problems.

“We started it because we wanted more detailed arguments about science, and we were really shocked at how many fundamental problems there are with papers, involving very questionable research practices and rather obvious misconduct,” said Brandon Stell, a neuroscientist at the Centre National de la Recherche Scientifique in Paris and the creator of PubPeer.

There’s certainly no denying its effect. According to Retraction Watch, a blog that monitors scientific corrections, errors, and fraud, at least three high-profile scientists in the past few months have had their studies retracted by journals after their data was questioned by anonymous commenters on PubPeer.

The most frightening words a researcher could read on PubPeer are 'There are concerns'

One of the scientists, Fazlul Sarkar, is currently suing several of the commenters. His lawyers argue the site must reveal the identities of the users that have done damage to Sarkar’s career, after he lost a tenured position at the University of Mississippi. PubPeer has refused to release the information. Both Google and Twitter have filed a court brief in support of the site, which is currently being defended pro-bono by lawyers from the ACLU.

It’s perhaps the most interesting case about internet privacy you've never heard of, and it all stems from a frustration among scientists with the shadowy politics of publishing and peer review.

At its base, PubPeer is a site that allows anyone to post comments on any scientific paper listed on the federally-funded PubMed database, either anonymously or under their own name. It’s functionally very simple, but the built-in anonymity makes it a safe outlet for scientists—especially young, early-career scientists—to discuss and criticize research without fear of repercussion. And that’s something they’re apparently eager to do: The site has logged over 55,000 mostly anonymous comments since its launch.

Back in October 2013, someone on the PubPeer site started threads for about 20 previously published papers on which Fazlul Sarkar, a cancer researcher then at Wayne State University in Michigan, was an author. The papers span over a decade and involve a variety of complex molecular signalling pathways involved in cancer. The issues raised by the comments, though, were relatively straightforward:

Alvin Aguilar
Online Security: Japanese government plans cyber attack institute

The government of Japan will create an institute to train employees to counter cyber attacks. The institute, which will be operational early next year, will focus on preventing cyber attacks on electrical systems and other infrastructure.

The training institute, which will operate as part of Japan’s Information Technology Promotion Agency (IPA), is the first center for training in Japan to focus on preventing cyber attacks. A government source said that the primary aims will be preventing a large-scale blackout during the Tokyo Olympics and Paralympics in 2020, and stopping leaks of sensitive power plant designs.

The source also stated that there is potential for a joint exercise in cyber awareness between the Japanese group and foreign cybersecurity engineers in the future.

The counter cyber attack training institute will take 100 employees of electrical power and related firms and train them for a full year in Tokyo, using former hackers and cyber security experts as instructors. Funds will be allocated through an extra budget that is currently being compiled.

Cyber security is a growing concern in Japan, where over 12 billion cyber attacks were reported in 2014 by the National Institute of Information Technology. The Japanese national police force reported that instances of cyber crime investigated by the police rose 40% from 2014-2015. In February of this year, a study at Cylance SPEAR identified a hacking group that was targeting Japanese infrastructure. While the group was involved mainly in spying activities and had yet to launch a disruptive or destructive attack, the report warned that the activity was likely to escalate.

The need for a comprehensive cybersecurity training program focused on electrical infrastructure was highlighted after the December 2015 power outage in Ukraine, which left 230,000 citizens without power or heat. That attack, the first time a confirmed hack brought down a power grid, demonstrated the vulnerability of electrical stations to a malicious cyber attack. While employees were able to bring the systems back online in a few hours, the power station control centers were reportedly not fully operational for months after the attack.

In June of 2015, Japan’s pension agency was illegally accessed, and the personal data of over 1 million users was leaked. Then, in January of this year, Japan’s Hokkaido University suffered a breach that resulted in the leak of personal data for 110,000 of its students. An unsecured server in the career placement office was believed to be the source of the hack.

Joseph Shackleton
Online Security: Cyber crime: How companies are hit by email scams

Fraudsters are using clever impersonation techniques to siphon millions from unprotected businesses

When Keith McMurtry, corporate controller of Scoular, a 124-year-old US grain-trading and storage company, was asked by his chief executive to wire $17.2m to an offshore bank account, he did not question it.

Chuck Elsea told Mr McMurtry in a top-secret email that Scoular was in talks to acquire a Chinese company. The chief executive instructed him to liaise with a lawyer at KPMG who would provide the wiring instructions to an account in China.

“We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly,” Mr Elsea wrote in an email in June 2014. Over three transactions, Mr McMurtry transferred the $17.2m to an account in the name of Dadi Co at Shanghai Pudong Development Bank, according to an affidavit signed by an agent with the Federal Bureau of Investigation and filed in a Nebraska court.

The email was a fraud. Criminals impersonated Mr Elsea by creating a phoney email account in his name. They also set up fake email and phone numbers in the name of a real KPMG partner, who later said he had never heard of Scoular. US authorities have traced the emails and phone number to Germany, France, Israel and Russia.

Scoular, which is ranked 66th on Forbes’ list of the US’s largest private companies with revenues of $5.9bn, is one of several thousand companies that have fallen victim to a new type of fraud known as business email compromise schemes which have netted $800m in the past six months.

In January 2015, Xoom, an international money transfer company bought for $890m last July by PayPal, a pioneer in digital payments, said an employee in its finance department was duped into transferring $30.8m in corporate cash to an overseas account.

Ubiquiti Networks, a US manufacturer of wireless networking products, disclosed that its finance department was targeted last June by an imposter and transferred $46.7m to overseas accounts. After discovering the fraud the company began legal proceedings and has recovered $8.1m.

In the boss’s name

More than 12,000 businesses worldwide have been targeted by the scams, also known as CEO email schemes, between October 2013 and this month. The transactions have netted criminals $2bn, according to the Internet Crime Complaint Center, an intelligence and investigative group within the FBI that tracks computer crimes. Companies large and small, across 108 countries, have been hit and the threat is growing, law enforcement officials say.

“It has gotten quite out of hand,” says Mitchell Thompson, a supervisory special agent and head of the financial cyber crimes task force in the FBI’s New York office.

The criminals are “becoming more brash”, he says, by introducing third parties, such as law firms and consultants, to carry out the fraud. They have also become more sophisticated about how they troll potential victims.

“They’re using social media a lot against us. They might send a spam email intentionally to see that the executive is out of the office, [making] it prime time to target. They might look on Facebook and see that [the chief executive is] travelling to Europe or Australia so they know you’re in the air for a certain amount of time” and have a window to strike, Mr Thompson says.

anthony evans
Online Security: What’s Behind Google’s Secretive Ad-Blocking Policy?

When Google decided in May to stop accepting online ads for short-term, ultra-high-cost personal loans known as payday loans, some people wondered whether the company was acting more like a publisher exercising editorial control than a supposedly neutral search engine.

Now that Google’s policy has gone into effect, it’s worth asking: To what extent should the company be a gatekeeper, judging which online ads are okay and which are not? And if the world’s largest Internet search engine is going to be selective about accepting ads, where does it draw the line?

The same questions could be applied to Microsoft and Yahoo, which refuse to carry ads for certain types of sensitive content (but still advertise payday loans). Baidu, the world’s second-largest search engine, has been grappling with these issues since earlier this year, when its practice of promoting medical listings without vetting them sparked outrage over a tragedy: a young man with cancer died after receiving an ineffective treatment from a hospital he found through a Baidu ad. The outcry prompted an investigation by China’s Internet regulator, which ordered Baidu to review its ads and remove any that promote unlicensed medical providers.

University of Maryland law professor Frank Pasquale says Google has tried to have it both ways: sometimes it portrays itself as a simple utility and a mere conduit of its customers’ ads, but other times it presents itself as a content provider that can and should exercise control over the ads it shows.

“Whenever Google is accused of abetting or enabling copyright infringement or defamation, it says, ‘We’re just [connecting people] like the phone company does, and you wouldn’t sue the phone company over this,’” says Pasquale. “But when people say, ‘If you’re a common carrier [utility], you should take all ads,’ Google will say, ‘No, we’re like a newspaper and we should have carte blanche over what we publish.’”

With payday loan ads, Google is characterizing itself as the watchful online guardian. The company has said it banned the ads to protect its users because “research has shown that these loans can result in unaffordable payment and high default rates.” (Google declined to comment for this story beyond saying that it constantly reviews its AdWords policies and updates them “when necessary.”)

Google also seems to have been influenced by advocacy from a large coalition of civil rights, digital rights, and financial reform organizations. In late 2015, the Leadership Conference on Civil and Human Rights and other groups sent Google reports detailing abuses that often accompany payday loans—among them fraud, unauthorized transactions, and long-term indebtedness. “We said, ‘This is a problem, and we want to talk to you about this,’” says Alvaro Bedoya, the executive director of Georgetown Law’s Center on Privacy & Technology, who participated in the outreach campaign. “There were long conversations with Google and a lot of bringing this research to their attention over the course of a couple of months.”

An ongoing inquiry into payday lending by the U.S. government’s Consumer Financial Protection Bureau may have further heightened Google’s interest in predatory lending practices.

Consumers might not realize it, but Google—and other ad-supported search engines—have been making editorial decisions about the types of ads they will carry for years.

Levi Crisp
Online Security: These Are Today's Top 8 Cyber-Crime Trends According to Europol

In its Internet Organized Crime Threat Assessment (IOCTA) report released today, Europol has detailed today's top 8 most prevalent cybercrime trends, for which investigators have seen a rise in detected incidents since the start of the year.

The report, which highlights an upward trend for volume, scope and material cost of cybercrime, comes on the heels of UK authorities announcing earlier in the year that cybercrime has surpassed traditional crime for the first time in their country's history.

#1: Crime-as-a-Service
Europol says that the digital underground is shifting towards a Crime-as-a-Service business model, with various individuals and groups specializing in a niche crime and providing technical support and service for that crime alone using online services.

From illegal weapons sales to on-demand hacks, and from DDoS-for-Hire services to exploit kit packages, you can buy online almost any type of cybercrime service these days.

#2: Ransomware
If you read Softpedia's Security News section, you can hardly go one day without reading a report on ransomware-related topics. Besides ransomware, Europol also says that banking trojans have been a popular form of malware this year as well.

#3: The criminal use of data
Recent hacks and data breaches have thrust troves of data in the public eye, which crooks are leveraging for other hacks, fraud, and even extortion.

#4: Payment fraud
Europol says it received a large number of fraud complaints, which were traced back to organized crime groups hacking ATMs, EMV, and contactless (NFC) cards.

#5: Online child sexual abuse
The large number of online tools and services providing complex and unbreakable end-to-end encryption, along with anonymous payments supported via crypto-currencies has resulted in "an escalation in the live streaming of child abuse."

#6: Abuse of the Darknet
More and more crime-related activities have now moved to the Darknet (or Dark Web), a portion of the Internet for which you need special software like Tor and I2P to access. Criminals are taking advantage of the anonymity these networks provide to go about their business unabated.

#7: Social engineering
Europol says that spear-phishing incidents aimed at high-value targets have gone up in 2016, and it highlights the increase in CEO fraud (BEC scams) attacks.

#8: Virtual currencies
Europol says Bitcoin has become the de-facto standard currency for extortion payments. This is also the reason why Europol established a Bitcoin Money Laundering Division earlier this month.

Jaxon Laurantus
Online Security: Which? files supercomplaint against banks over transfer fraud

Banks may face formal inquiry into whether they can refuse to reimburse victims conned into transferring money into fraudsters’ accounts

UK banks should do more to protect customers tricked into transferring money to fraudsters, according to a consumer body that has lodged a “supercomplaint” with financial regulators. The move by Which? means banks could now face a formal investigation into whether they can continue refusing to reimburse victims.

The organisation submitted its first supercomplaint this year in the same week that official data revealed that fraud in the UK payments industry had soared by 53% as criminals develop increasingly sophisticated tactics to steal bank customers’ cash.

Which? said banks should “shoulder more responsibility” when someone is conned into transferring money to another person’s account, just as they reimburse customers who lose money due to scams involving debit and credit cards or fraudulent account activity.

Some customers have lost considerable sums. In March this year the Guardian featured the case of Sarah and David Fisher, who were conned out of £25,000 after a fraudster posed as their builder and emailed them a fake invoice that was virtually identical to the one they were expecting.

The explosion in online and mobile banking means UK consumers now make more than 70m bank transfers a month, compared with just over 100m in a whole year just a decade ago. Which? claims that “protections have not kept up”.

Using its legal powers, the organisation has submitted a supercomplaint to the Payment Systems Regulator, the watchdog for the UK’s £75tn payment systems industry, which must now respond within 90 days.

There are many financial frauds that directly target customers, such as phishing emails and phone- and text-based scams. However, among the biggest growth areas are impersonation and deception scams where fraudsters hack into someone’s email account and then pose as the builder, solicitor, landscape gardener or other tradesperson that the consumer has legitimately employed. Typically, the victim receives an invoice via email, which does not rouse suspicion because they were expecting it. It looks authentic and is usually for the correct amount – however, unbeknown to the consumer, the bank account number and sort code have been changed to those of the fraudster.

This is what happened to the Fishers, from north-west London. Last October they received a genuine invoice for building work that was being carried out, then what appeared to be a follow-up email from the same firm with a fresh invoice attached that included “our new banking details”. The couple duly paid the requested £25,000, and while it quickly emerged they had been scammed, by the time the bank that operated the account used to accept their money was alerted, the cash had been withdrawn.

Almost a year after the incident, they have yet to recover a penny of their money. Sarah Fisher, a record label manager, told the Guardian this week that the police had identified the fraudster as someone living in Denmark. As a result, the case was “not being progressed” and had effectively come to a halt.

She added: “We took it to the financial ombudsman, who said that Barclays [which operated the account] had not behaved improperly.” However, she said their MP, Tulip Siddiq, had said the case raised important issues and intended to pursue the matter in parliament.

John Rodarte
Online Security: People encouraged to better secure online accounts following Yahoo breach

Residents who use Yahoo Mail are being encouraged by the S.C. Department of Consumer Affairs to take action to secure their online accounts following the announcement last month of a massive breach.

During the last two weeks of September, Yahoo announced that at least 500 million user accounts had been compromised.

An investigation by Yahoo following suspicions of an attack in July uncovered a far larger, allegedly state-sponsored attack in recent weeks, according to the Associated Press.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said in a statement last week.

Given the importance most people place on protecting personal information, the Department of Consumer Affairs is encouraging Yahoo Mail users to take action by following several tips, said Megan Stockhausen, communications coordinator with the agency.

• Change the account password and security questions immediately. Use strong, creative passwords (uppercase, lowercase and special characters) and don’t share them with anyone. Also, don’t use the same passwords or security questions for multiple accounts, especially when using an email address as the login name on a site.

• Watch out for phishing attempts. Asking for personal or sensitive information via a phone call, text or email is a tactic used by scammers. Never reply to texts, pop-ups, or emails that ask for verification of personal information. Avoid clicking on links or downloading attachments from suspicious emails or texts.

• Closely monitor financial and benefits statements/accounts. Check all monthly statements and account activity, especially for financial accounts saved as payment options on internet merchant sites.

Review them carefully and notify the financial institution/provider as soon as an unauthorized or suspicious item is spotted.

• Consider a fraud alert and security freeze. Scammers may use the stolen information to open new accounts.

A fraud alert and security freeze are free security measures for a credit report. A fraud alert tells a business accessing the report to take extra steps to verify that the person holding the account is the one seeking its goods/services.

When a security freeze is in place, no one can access the report without the account holder approving it.

Stockhausen said these tips can help anyone trying to secure any personal online information.

Nathan Blanch
Online Security: A shoe e-retailer takes steps to improve its fraud detection

Fast-growing Schutz Shoes upgrades its fraud detection software to slash manual reviews and improve order processing.

Online orders were flowing into shoe e-retailer Schutz Shoes, the U.S. division of Brazilian-based shoe retailer Arezzo & Co., but the small team spent an increasing amount of time checking whether an order was fraudulent. When one employee on a staff of seven has to manually review the legitimacy of an online order, that’s time away from customers and other business, says Kimberly Gort, e-commerce manager for Schutz.

Schutz Shoes started selling online in 2014 operating its e-commerce site in the basement of its New York City store. That first year, Schutz had about $350,000 in online sales. In 2015, about half of its product catalog was available online and sales grew to $1.5 million. Now, with all of its products available online, Schutz Shoes projects about $3 million in online sales for 2016, Gort says. The retailer also opened a store in Los Angeles.

With triple-digit percentage growth comes growing pains. When the e-retailer received a modest five online orders a day, using the free tool from its e-commerce platform provider (Shopify Inc.) worked fine, Gort says. The plugin would flag orders that might be fraudulent, and the retailer decided to approve or decline such orders. For example, the tool flagged an order if the credit card and shipping addresses didn’t match, so a Schutz employee had to call the customer and determine if it was a legitimate order. Deciding what was and wasn’t fraudulent often was difficult, Gort says.

“There’s always a risk,” she says. “It was like we were playing roulette.”

The situation frustrated the retailer and the shopper, as some shoppers were blocked from placing an order or their order was delayed or they had to deal with a phone call from the retailer. Schutz was missing out on orders, devoting almost a full employee to manually check the orders and seek out consumers to verify information. As order volume and sales grew, the manual-review model no longer worked, Gort says.

In July, Schutz Shoes decided to integrate fraud detection software provider ClearSale onto its platform, choosing the vendor because it was used by parent company Arezzo. It took about two weeks to integrate the technology onto Schutz’s site, Gort says.

ClearSale factors in about 100 variables to approve or deny orders, and then has its 500-person team dig deeper on flagged orders, says Rafael Lourenco, vice president of operations at ClearSale. Orders can be approved within three seconds, while an order that requires manual review will take 24-48 hours, he says.

The impact of adding ClearSale was almost immediate, Gort says, as Schutz Shoes was no longer on the hook to manually check flagged orders. The e-retailer now approves 94-96% of its orders, which is about a 5% increase from when it relied on its free plugin, Gort says.

ClearSale charges per transaction and takes a 0.4-1.5% cut of the sale. The commission is worth it, Gort says, as more sales are approved. In August, Schutz Shoes paid ClearSale $1,500. The retailer processed 1,200 online orders that month, 1,002 of which ClearSale reviewed in some capacity; of those 1,002 orders, 973 (97.1%) were approved.

ClearSale has about 2,000 clients, and more than 90% are retailers, Lourenco says. Across all of its clients, 93.5% of orders are automatically approved, Lourenco says.

Annabelle Mouratidis
Online Security: Fighting Online Fraud Through eDNA

Long ago, a cartoon ran in The New Yorker, showing a canine seated at a desktop computer. “On the internet,” ran the caption, “nobody knows you’re a dog.”

The same premise holds true today and poses a knotty question in online commerce and FinTech: How do you know the person on the other end of a transaction is really who they say they are? And even if you do confirm their identity, how do you know that person can be trusted?

One firm, IdentityMind Global, provides real-time risk management and fraud prevention through “digital identities,” collecting data across dozens of parameters, separating the financial ecosystem into good actors — those deserving of trust (and completed transactions) — and, well, bad actors.

In an interview with PYMNTS’ Karen Webster, Garrett Gafke, president, CEO and founder of IdentityMind Global, said that the construction of digital identities, by necessity, goes well beyond data that might be thought of as standard, such as a street address, a credit card number or a two-factor security question test.

True merchant risk goes hand-in-hand with global digital commerce and, as Gafke described it, comes in the form of people with little or no history — no history of driver’s licenses, credit cards issued, traditional bank accounts or other standard bits of information. They may not even be scored by the traditional credit bureaus. Yet, these individuals are looking to do business and conduct transactions. Their would-be partners on the other end of the transaction must decide whether to enter into a relationship (however fleeting) with that consumer … or not.

Gafke noted that “transactions of any kind leave a kind of financial, online exhaust” and that each transaction has attributes that, taken together over time, ultimately, can be assembled into a digital identity. “This is real, current information,” said Gafke, “rather than just public, physical information. Good reputations are built slowly, while bad reputations come very quickly.”

That digital identity is established, as Gafke said, in IdentityMind Global’s platform, which links and finds correlations between disparate bits of information and transaction trails that “process, capture, rate and build overall profiles on online identities.” Emails, digital wallets and payments are all linked together, said the executive, to build a “trusted” digital identity.

“Trust” would be the operative word in the relationship between individuals and the firms with which they seek to do business. Trust would also extend to, and be colored by, the people associated with that individual or business. Consider how, in the age of social media, amidst concerns about money laundering, an individual might be viewed with demonstrable trails of following, say, terrorist-linked groups on Twitter.

In a recent whitepaper by the firm, IdentityMind Global also noted that additional data points may come from internet-enabled devices, which can, for instance, help bring location into consideration when determining good actors from bad and in screening across sanctioned individuals or nations.

Using these techniques, said IdentityMind Global in its whitepaper, can help reduce manual review time. There is also a financially positive impact, via a 60 percent reduction in transactional fraud from chargebacks and a 90 percent reduction in fraud that comes at the point of account origination.

Laurenz Risseeuw
Online Security: Anonymous Internet Vigilantes Are Taking Peer Review Into Their Own Hands

Since 2012, the message board PubPeer has served as a sort of 4chan for science, allowing anyone to post anonymous comments on scientific studies. Originally intended as a forum for the discussion of methods and results, PubPeer has perhaps become best known as a clearinghouse for accusations of scientific error, fraud, and misconduct—forcing journals to issue corrections and retractions, damaging careers, and eventually embroiling the site in a court case in which it’s advised by Edward Snowden’s legal team at the American Civil Liberties Union.

In the view of its critics, PubPeer enables an unchecked stream of accusations with no accountability. But to its supporters, PubPeer is maybe the only consistently effective way to expose fraud and error in the current scientific system. It exists at a time of quiet crisis for science and science journals, when the community is concerned about an inability to replicate past results—the so-called “reproducibility crisis”—and the number of papers retracted is on the rise. The traditional system of peer review seems unable to address these problems.

“We started it because we wanted more detailed arguments about science, and we were really shocked at how many fundamental problems there are with papers, involving very questionable research practices and rather obvious misconduct,” said Brandon Stell, a neuroscientist at the Centre National de la Recherche Scientifique in Paris and the creator of PubPeer.

There’s certainly no denying its effect. According to Retraction Watch, a blog that monitors scientific corrections, errors, and fraud, at least three high-profile scientists in the past few months have had their studies retracted by journals after their data was questioned by anonymous commenters on PubPeer.

The most frightening words a researcher could read on PubPeer are 'There are concerns'

One of the scientists, Fazlul Sarkar, is currently suing several of the commenters. His lawyers argue the site must reveal the identities of the users that have done damage to Sarkar’s career, after he lost a tenured position at the University of Mississippi. PubPeer has refused to release the information. Both Google and Twitter have filed a court brief in support of the site, which is currently being defended pro-bono by lawyers from the ACLU.

It’s perhaps the most interesting case about internet privacy you've never heard of, and it all stems from a frustration among scientists with the shadowy politics of publishing and peer review.

At its base, PubPeer is a site that allows anyone to post comments on any scientific paper listed on the federally-funded PubMed database, either anonymously or under their own name. It’s functionally very simple, but the built-in anonymity makes it a safe outlet for scientists—especially young, early-career scientists—to discuss and criticize research without fear of repercussion. And that’s something they’re apparently eager to do: The site has logged over 55,000 mostly anonymous comments since its launch.

Back in October 2013, someone on the PubPeer site started threads for about 20 previously published papers on which Fazlul Sarkar, a cancer researcher then at Wayne State University in Michigan, was an author. The papers span over a decade and involve a variety of complex molecular signalling pathways involved in cancer. The issues raised by the comments, though, were relatively straightforward: They claimed that images in these studies appeared to have been changed, duplicated, and re-used across papers, suggesting that the experiments they appeared in may have never actually happened, or could have produced different results.

http://www.icefilmstube.com/blog/7799/online-security-anonymous-internet-vigilantes-are-taking-peer-review-into-their-own-hands.html
Laurenz Risseeuw
Created by Laurenz Risseeuw

About this group

Public Blog Site
