Spyware, viruses, & security forum: NEWS - October 24, 2012

"The company has admitted that its Web tracking software collected usernames, passwords, credit card numbers, Social Security numbers and more."

The FTC recently announced that Compete Inc. has agreed to settle charges that it violated federal law by using its Web tracking software to collect extensive amounts of personal data without disclosing that fact to users.

"Boston, Massachusetts-based Compete Inc. agreed to obtain end users' consent before collecting future data on their browsing history, according to a release published on Monday by officials with the Federal Trade Commission," writes Ars Technica's Dan Goodin. "The company also agreed to delete or anonymize the consumer data it has already collected and to provide directions for removing tracking software installed on the computers of many of the people whose data was collected."

"The company tracks the browsing habits of people who download its software and then sells that data to clients so they can improve their website traffic and sales," explains The Register's Brid-Aine Parnell.

Continued : http://www.esecurityplanet.com/network-security/compete-inc.-settles-ftc-privacy-charges.html

Also:
FTC smacks down security sloppiness by web analytics company Compete
Two analytics companies to settle charges for online user tracking

GFI Labs Blog:

For everyone's information:

Below is a screenshot of a new spam run in the wild, and the sender (whoever he, she, or it is) presents to recipients a very suspicious but very free license for Microsoft Windows that they can download.

Sounds too good to be true? It probably is. [Screenshot]

From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,

You can download your Microsoft Windows License here -

Microsoft Corporation

Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php. [Screenshot]

This spam is a launchpad for a Blackhole -Cridex attack on user systems.

Continued : http://www.gfi.com/blog/bogus-windows-license-spam-is-in-the-wild/

[Screenshot: Client-side Exploit Anatomy]

No application or operating system is perfect. Perfection just isn't possible. An imperfection that allows malefactors to take control of your computer or execute arbitrary code is called a vulnerability, and the attack that does the dirty deed is called an exploit. Until the vendor patches a newly-discovered vulnerability, consumer and business users must depend on their security software to protect against attack. In a recent test by NSS Labs, quite a few security products proved seriously ineffective at blocking exploits.

Exploits Collected

The CVE (Common Vulnerabilities and Exposures) dictionary lists many years worth of exploits. Each exploit gets a unique reference number, first the current year and then the exploit's order of discovery within the year. So, for example, CVE-2008-4844 is the 4,844th exploit discovered in 2008.

The exploits used by NSS Labs for testing have all been public for months or even years. Yes, several of them date back to 2008. Researchers made their selection based on severity and prevalence of the exploits, and included attacks on Windows, Internet Explorer, Firefox, Acrobat, QuickTime, and other widely used applications.

Continued : http://securitywatch.pcmag.com/none/304206-many-security-products-fail-exploit-blocking-test

Yesterday's unveiling of the iPad Mini has not lead to a decrease in desirability of its bigger version, and the offer of a free device is still a very effective lure employed by online scammers.

The latest of these "Get a free iPad" starts with Direct Messages on Twitter asking users to check out a picture of themselves with an unnamed woman.

The link offered in the message takes them to a Facebook app page that is set to execute a PHP script as soon as they land on it, and it redirects them to a fake Facebook page.

This page offers them to participate in a iPad 3 (or iPad 2) quality test and says they will be rewarded with a free iPad: [Screenshot]

Unfortunately, that's a complete lie.

"Depending on where users are in the US and UK, they are led to either a survey scam page or a phishing page once they click Click here," warns GFI, while others are redirected to a well-known ad campaign page.

Continued : http://www.net-security.org/secworld.php?id=13831

Detailing some new twists on cyber scams, the Internet Crime Complaint Center released a report on dating and payday loan scams that take it one step further, to the real world and into your pockets.

A series of dating scams initiated on singles websites lead to extortion after users were notified that some of their sexual conversations were posted online, along with their real names and phone numbers. Charging from $9 to $99, scammers promised to have the posts removed and the victim's anonymity preserved. However, the posts remained online even after the victim paid the fees.

"The victims were provided a link to a page on the website that claimed they were a "cheater." Photos of the victims and their telephone numbers were also posted," said the Internet Crime Complaint Center. "There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99."

Email and telephone scammers harassing and extorting money from victims involved a payday loan that users supposedly forgot to cover. Calling the victims friends and relatives made the story more believable as accurate information on the victim's social security number, bank account number and date of birth were confirmed.

Continued : http://www.hotforsecurity.com/blog/cyber-scammers-threaten-harass-and-call-you-at-work-4045.html

Also: The FBI Warns of Dating Extortion Scams and Payday Loan Schemes