Category Archives: phishing
Japan ministry become the recent victim of a cyber attack through a malware that suspected to have compromised and sent overseas more than 3,000 confidential documents from the ministry, including many on global trade negotiations.
After investigation, experts found that Hackers use “HTran” the Advanced Persistant Threat (APT) exploit kit for attack. Computers at country’s Ministry of Agriculture, Forestry and Fishery suspected to be infected from this.
HTran is a rudimentary connection bouncer, designed to redirect TCP traffic destined for one host to an alternate host. The source code copyright notice indicates that HTran was authored by “lion”, a well-known Chinese hacker and member of “HUC”, the Honker Union of China.
A lot of the documents were about the negotiations over the US-led Trans-Pacific Partnership multilateral trade pact. According to a report from SecureWorks, Dell’s security division, in 2011 that the malware is believed to have been developed by a Chinese hacker group back in 2003.
HTran is used by many APT hackers to disguise the location of their command and control (C2) servers. The National Information Security Center of the Cabinet Secretariat discovered about one year ago that suspicious transmissions involving HTran had occurred at the ministry.
But no individuals or groups have been identified as the culprits in this new cyber attack as the police continue to investigate. The police will ask the ministry to explain how it discovered cyber-attacks and confirm whether a leak actually took place, the police sources said.
Original post at –thehackernews
Thanks for reading. hope it might helped you.
The Top 5 Cyber Security Threats That Could Affect Your Life–
Our electronic devices are such a big part of our lives today that it’s hard to imagine what we once did without them. But our constant use of technology to keep in touch, pay bills, stay on top of the news, shop and research things has a downside: Our data can be exposed to criminals who commit crimes such as identity theft and credit card fraud – unless we take the proper precautions. Our growing reliance on electronic devices is part of the reason why careers in cyber security are growing at a faster pace. Jobs in information security, web development and computer network architecture – three fields at the forefront of cyber security – are expected to grow 22% between 2010 and 2020. Understanding the threats can help everyone do their part to make those jobs easier. Here are five top cyber security threats and tips on how to protect yourself against them, according to experts.
1. Malware and Bots
If you’ve ever spent a frustrating afternoon calling a help line to tackle a computer virus, then you know how pesky malicious software – or malware, for short – can be. Malware also includes nuisances like spyware, which allows digital hackers to track your every move and to view the passwords you are entering, according to the National Cyber Security Alliance, an organization focused on educating the public about how to use the Internet safely. Typically consumers get tricked into downloading malware by accident, when for instance they click on a rogue website or try to download what seems to be free software, like a screen saver. When criminals use malware to take control of individuals’ computers remotely to perpetrate financial crimes or attack computer networks and websites, the setup is known as a botnet.
Further, “malware can be spread by your Friends on social networking sites like Facebook,” says, Linda McCarthy, cyber security expert, former senior director of Internet safety at Symantec and author of Own Your Space: Keep Yourself and Your Stuff Safe Online. You need to think about that link your Friend is telling you to click on. Is that really a Friend sending that link, or was their account compromised? Don’t click on suspicious links, McCarthy warns. Spreading malware on social networking sites is growing at an alarming rate. “Even though social networking sites have systems in place to minimize the risk, you are still the first line of defense in protecting yourself. It makes sense that malware writers target social networks because you are likely to trust a link that came from one of your friends,” she says.
You already know that “spam” is the email equivalent of junk mail. But it can do more than clutter up your inbox. Some of these email missives can contain a link or an attachment prompting you to download a computer virus. They can also be used to defraud those close to you. For instance, someone who has hacked into your email account can send a message asking every one of your contacts to wire money because you are in distress – and possibly rope in a few people who aren’t familiar with this common fraud. The CAN-SPAM Act was set up to protect consumers from deceptive email messages, subjecting senders to fines of up to $16,000 per violation.
One common way for identity thieves to gain control of consumers’ personal information is through digital crimes known as “phishing.” In this practice, fraudsters create an email that looks like it was issued from a legitimate company. They will ask for a recipient’s personal information – like an account number or a password – and then use that information to commit financial crimes, such as opening fraudulent charge cards in a consumer’s name and running up big bills on them.
“Phishing scams are successful because they use social engineering techniques to gain your trust,” says McCarthy. For example, one scam claims to be a relative traveling in another country reaching out for your help. It’s an email from your nephew. He was mugged, lost his wallet, and he needs you to wire him money right away. “It’s a natural reaction to want to help someone in trouble. That’s what the phishers count on. Beware of social networking techniques and be sure to protect your accounts,” she adds.
4.Unsecured Home Wireless Networks
Many of us have converted to home wireless Internet networks to connect our TVs, smartphones, laptops, computers and tablets. And why not? It’s very convenient. But with these home networks come risks. Without certain protections, cyber criminals in the area may be able to access the Internet through your network and possibly gain access to your computer and other devices.
5. Data Gone AWOL
Given all of the places where we tote mobile devices such as laptops, tablets and smartphones, it becomes very easy to lose them. If the data on those devices falls into the wrong hands and isn’t properly protected through techniques like encryption (the process of masking information using an algorithm, so that it becomes unreadable), it can be a field day for cybercriminals. It’s not just consumers who lose data. Forty-five percent of data breaches at companies are caused by lost laptops and mobile devices, according to a 2012 study by the Ponemon Institute, a research center based in Traverse City, Mich., that is dedicated to consumer privacy, data protection and information security policy. Even use of YouSendIt, Dropbox and other Internet-based file-sharing tools by employees – now a common phenomenon – raise the risk that confidential corporate data will be leaked, according to Ponemon.
But even if devices don’t get lost, it’s possible that in using them we’ll fall prey to cyber criminals while checking emails in an airport lounge using Wi-Fi on a smartphone, or while reading on a tablet over a mocha latte in a café.
“With all of your devices and more to come, be sure to have a backup strategy,” advises McCarthy. Many of the security software packages now include backup as an option. That won’t help with all of the data on every device, so be sure you plan and back up all of your important devices. There’s no telling what types of devices will be part of our lives years from now. The tech explosion presents immense opportunity for those with the creativity and know-how to make the gadgets we use better and better – and to simply keep them running smoothly. In the meantime, building a few smart cyber security habits is a good way for all of us to enjoy the technology we use every day with few hassles.
Advances in technology are not likely to slow down in the future, nor is our increased reliance on the fruits of that growth. New security threats will be a constant reality, which makes it more important than ever that skilled individuals step up to fill the increasing number of jobs available in cyber security, and that those who choose other career paths take steps to protect their own security.
Original Post at http://www.devry.edu/know-how/top-5-cyber-security-threats-that-could-affect-your-life/
Thanks for reading. hope it might helped you.
Summary: Even now and then you all wanted to send a fake mail to your friends and family members. Lets see, how this works and how to send free fake email to anyone.
Spoofing is a technique of hiding your own identity from others. It can be of any type, like Mobile number spoofing, email spoofing, and many others such way. This technique is basically used by spammers to generate fake mail-id’s. In Email spoofing, we generally hide our own email-id, so that the receiving person might think that it has generated from other source.
Lets take an example, if a person A wants to send a fake mail to person B, but he doesn’t want to show his email-id, and then he can use person C or D’s email id.
You can use the following site for sending free fake mails –
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Examples of spoofed email that could affect the security of your site include:
- email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this
- email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information
- If you provide email services to your user community, your users are vulnerable to spoofed or forged email.
- It is easy to spoof email because SMTP (Simple Mail Transfer Protocol) lacks authentication. If a site has configured the mail server to allow connections to the SMTP port, anyone can connect to the SMTP port of a site and (in accordance with that protocol) issue commands that will send email that appears to be from the address of the individual’s choice; this can be a valid email address or a fictitious address that is correctly formatted.
- In addition to connecting to the SMTP port of a site, a user can send spoofed email via other protocols (for instance, by modifying their web browser interface).
What You Can Do
- You may be alerted to spoofed email attempts by reports from your users or by investigating bounced email error messages.
- Following relevant policies and procedures of your organization, review all information (such as mail headers and system log files) related to the spoofed email.Examine tcp_wrapper, ident, and sendmail logs to obtain information on the origin of the spoofed email.The header of the email message often contains a complete history of the “hops” the message has taken to reach its destination. Information in the headers (such as the “Received:” and “Message-ID” information), in conjunction with your mail delivery logs, should help you to determine how the email reached your system.If your mail reader does not allow you to review these headers, check the ASCII file that contains the original message.
NOTE: Some of the header information may be spoofed; and if the abuser connected directly to the SMTP port on your system, it may not be possible for you to identify the source of the activity.
- Follow up with other sites involved in this activity, if you can identify the sites. Contact them to alert them to the activity and help them determine the source of the original email.We would appreciate a cc to “email@example.com” on your messages; this facilitates our work on incidents and helps us relate ongoing intruder activities.If you have a CERT# reference for this incident, please include it in the subject line of all messages related to this incident. (NOTE: This reference number will be assigned by the CERT/CC, so if you do not have a reference number, one will be assigned once we receive the incident report.)
- To provide as much information as possible to help trace this type of activity, you can increase the level of logging for your mailer delivery daemon.
- Realize that in some cases, you may not be able to identify the origin of the spoofed email.
- Use cryptographic signatures (e.g., PGP “Pretty Good Privacy” or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
- Configure your mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.
- Ensure that your mail delivery daemon allows logging and is configured to provide sufficient logging to assist you in tracking the origin of spoofed email.
- Consider a single point of entry for email to your site. You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This will provide you with centralized logging, which may assist in detecting the origin of mail spoofing attempts to your site.
- Educate your users about your site’s policies and procedures in order to prevent them from being “social engineered,” or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible. See also CERT advisory CA-1991-04, available from
Thanks for reading. hope it might helped you.
The phenomenon of “social engineering” is behind the vast majority of successful hacking.
This isn’t the high tech wizardry of Hollywood but is a good, old-fashioned confidence trick.
It’s been updated for the modern age, and although modern terms such as “phishing” and “smishing” are used to describe the specific tricks used, they all rely upon a set of human characteristics which, with due respect to Hieronymus Bosch, you might picture as the “seven deadly sins” of social engineering.
To fall for a confidence trick, or worse, we assume others “must” have taken the necessary steps to keep us secure.
Sadly this leads to a lack of awareness, and in the world of the hacker that is fatal. When we stay in a hotel and we programme our random number into the room safe to keep our belongings secure, how many of us check to see if the manufacturers override code has been left in the safe?
It’s nearly always 0000 or 1234 so try it next time.
If you’re not the paying customer, you’re very likely to be the product”
Humans are curious by nature. However, naive and uninformed curiosity has caused many casualties. Criminals know we’re curious and they will try to lure us in. If we see an unfamiliar door appear in a building we frequent, we all wonder where it leads.
We might be tempted to open it and find out, but in the online world that might just be a trap waiting for an innocent user to spring it. A colleague built a website that contained a button that said Do Not Press, and was astonished to find that the majority of people actually pressed it.
Be curious, but exercise a healthy degree of suspicion.
It is often thought of as a derogatory term, but we all suffer from this sin. We make assumptions.
We take others at face value, especially outside of our areas of expertise. Put a uniform on someone and we assume they have authority.
Give an email an official appearance by using the correct logo and apparently coming from the correct email address, and we might just assume it’s real, regardless of how silly its instructions might be.
All of this can be easily forged online, so make no assumptions.
We quite rightly all teach our children to be polite. However, politeness does not mean you should not discriminate.
If you do not know something, or you feel something doesn’t feel quite right, ask. This principle is truer than ever in the online world, where we are asked to interact with people and systems in ways with which we are quite unfamiliar.
If someone phones you out of the blue and says they are from your bank do you believe them? No. Phone them back.
If someone has a problem with proving who they are, you should immediately be suspicious”
And by the way, use a mobile phone as landlines can remain connected to the person who made the call in the first place and so whilst you might think you’re phoning the bank on a valid number you’re just talking to the person who called you.
Despite what we’d like to think we are all susceptible to greed even though it might not feel like greed.
Since its inception, the very culture of the web has been to share items for free.
Initially this was academic research, but as the internet was commercialised in the mid-1990s, we were left with the impression that we could still find something for nothing.
Nothing is ever truly free online. You have to remember that if you’re not the paying customer, you’re very likely to be the product. In the worst case, you might find that you have taken something onto your machine that is far from what you bargained for.
Many pieces of malware are actively downloaded by owners unaware that the “free” product contains a nasty payload, even if it also appears to do what you expected of it.
People are reluctant to ask strangers for ID, and in the online world it is more important than ever to establish the credentials of those whom you entrust with your sensitive information.
Do not let circumstances lead you to make assumptions about ID.
For example, if someone from “IT support” calls you and asks for your password so they can help fix your problem, how do you know they haven’t called everyone else in the building first until they found you who has really got a problem?
This is a well-known attack. If someone has a problem with proving who they are, you should immediately be suspicious.
Thinking before you act is possibly the most effective means of protecting yourself online. It is all too easy to click that link.
How many of us when reading an apparently valid link in an email would bother to check whether the link is actually valid or whether instead it takes you to a malicious site.
It’s horribly easy to make links look valid so try hovering your cursor over the link for a few seconds before clicking to see what the real link is: the true link pops up if you give it a moment.
As cynical as it may sound, the only answer is to practise your A-B-C:
- Assume nothing
- Believe no one
- Check everything
With more Christmas shopping expected to be done online this year than ever before, you should watch out for those that would exploit the deadly sins.
Don’t give criminals the chance to ruin your holiday season, and remember that a little bit of paranoia goes a long way online.
Thanks for reading. hope it might helped you.
Suppose you check your e-mail one day and find a message from your bank. You’ve gotten e-mail from them before, but this one seems suspicious, especially since it threatens to close your account if you don’t reply immediately. What do you do?
This message and others like it are examples of phishing, a method of online identity theft. In addition to stealing personal and financial data, phishers can infect computers with viruses and convince people to participate unwittingly in money laundering.
Most people associate phishing with e-mail messages that spoof, or mimic, banks, credit card companies or other business like Amazon and eBay. These messages look authentic and attempt to get victims to reveal their personal information. But e-mail messages are only one small piece of a phishing scam.
From beginning to end, the process involves:
- Planning. Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
- Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page.
- Attack. This is the step people are most familiar with — the phisher sends a phony message that appears to be from a reputable source.
- Collection. Phishers record the information victims enter into Web pages or popup windows.
- Identity Theft and Fraud. The phishers use the information they’ve gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover [Source:Information Week].
If the phisher wants to coordinate another attack, he evaluates the successes and failures of the completed scam and begins the cycle again.
Phishing scams take advantages of software and security weaknesses on both the client and server sides. But even the most high-tech phishing scams work like old-fashioned con jobs, in which a hustler convinces his mark that he is reliable and trustworthy. Next, we’ll look at the steps phishers take to convince victims that their messages are legitimate.
Thanks for reading. hope it might helped you.