Facebook and Twitter Contain Sneaky Vulnerability Within Links

There is a sneaky vulnerability in Facebook and Twitter that is difficult to detect, and hackers may use it to phish for your credentials. It lies in links that open a new window or tab when you click them on either social media site.

It happens when you click a malicious link that you see in your feed or elsewhere while you are logged into your account. After the new window opens, it logs you out. When you go back to visit your Facebook or Twitter page, you have to log in again. You may think nothing of it, but that is actually when the hackers grab your credentials.

Unfortunately, it’s really difficult to know if or when this may be happening. The best advice is just to be 100% sure you want to click that link and that it won’t cause harm to your device.

In addition, make sure you have the anti-phishing features enabled on your browsers and that anti-malware is installed and up to date on all of your devices. There is no guarantee these will stop this attack, but you are certainly in better shape.

The technical details have to do with how the link is written. Suffice it to say that links are written this way so that referral information is passed to the new site, recording where the link was clicked. For example, if you click an ad on any social media site or in a browser, an indicator in the link is sent to the advertiser for reference. Advertisers want this information; it helps them know where their advertising dollars are best spent.
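An added example of the fix a site operator can apply, not code from the article or from Facebook or Twitter. It assumes the mechanism behind the behaviour described above is a link opened with target="_blank" that leaves the new page holding a handle back to the tab that opened it; the defence is to rewrite such links to carry rel="noopener noreferrer" so the opened page gets no handle at all. The sample markup is constructed.

```javascript
// Added example (not from the original article). Assumption: the sneaky
// link is one opened with target="_blank", which by default gives the new
// page a window.opener handle back to the social site tab. Adding
// rel="noopener noreferrer" removes that handle. This function rewrites
// every such anchor in an HTML string and reports how many it fixed.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one <a ...> tag into a lower-cased name map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5];
  }
  return attrs;
}

// A link needs hardening when it opens a new tab and lacks noopener.
function needsHardening(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes('noopener');
}

// Rewrite the HTML, keeping any existing rel tokens (e.g. nofollow).
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!needsHardening(attrs)) return tag;
    fixed += 1;
    const rel = new Set((attrs.rel || '').split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    // Drop the old rel attribute (if any) and append the merged one.
    const stripped = attrText.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${stripped} rel="${[...rel].join(' ')}">`;
  });
  return { html: out, fixed };
}

// Constructed sample feed markup, not real site output.
const SAMPLE = '<p><a href="https://example.test/story" target="_blank">Read</a> ' +
               '<a href="/profile">Profile</a> ' +
               "<a target='_blank' rel='nofollow' href='https://example.test/ad'>Ad</a></p>";

console.log(hardenBlankLinks(SAMPLE));
```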

Facebook has taken steps to help mitigate this, but their action will not eliminate the threat. It just diminishes the probability that a large-scale attack will occur.

Just be sure that whatever you are clicking on at all times is really what you want to do. If you cannot be certain without a doubt that it isn’t harmful, then just don’t go there.

© Copyright 2016 Stickley on Security

Music Lovers “Spotted” Downloading Malware Via Spotify

Users of the free version of the Spotify music service have recently been targeted by malicious advertising. Some users have complained that, without their taking any action at all, ads on the site were launching their default web browsers. It is not known at this time what the ads do once the new popup is open, but that may simply be because no one has figured it out yet.

Malicious ads can do a lot of damage. They can hijack users’ traffic, install keyloggers, or simply inject malware onto the computer, and no one has to click or open anything for these things to happen. That is why making sure your devices are updated with the latest operating system versions and patches is so important. If these attacks are taking advantage of a known issue, having the patches applied will prevent them from hitting you.

In addition, install anti-malware products on all devices that connect to the Internet. This includes all mobile devices. Mobile malware infections are on the rise, and because these devices are increasingly used for financial transactions and to access accounts that store sensitive information, infections are not expected to decline any time soon.

Spotify has taken action and is blocking the suspect ads. If you use the free service and notice a black bar on the web page, that is possibly one such ad. However, because of the ease of getting malware into those ads, Spotify likely has not found them all. So update your computers and devices and make sure your anti-malware products are all updated and running.

This is not the first time Spotify has been in the cyber security news. In 2014, it was the victim of a data breach that the company believed was a “proof of concept” attack intended as a test for a larger attempt. Earlier this year, the company blamed password reuse for strange activity some users were complaining about with their accounts and forced Android users to change passwords. It also isn’t the only music service under attack. Pandora also experienced a security incident, as did spin.com and more recently, Last.fm found data of its customers from 2012 for sale on the Dark Web.

FBI Warns That New Types of Mobile Banking Malware Are On the Rise

Malware making its way onto mobile devices is not a new concept. However, it is on the upswing as mobile banking becomes more popular. Cyberthieves are now using new ways to hack their way into bank accounts on mobile devices and this tactic is not likely to go away any time soon. That’s because it’s working.

The FBI is warning that new types of malware that are specifically designed to target banking applications on mobile devices are increasing. Most of the time they are aimed at larger financial institutions, but not exclusively. In fact, a banking-fraud-solutions manager at SAS estimated that the malware called Acecard has customized overlays for 50 financial services applications.

An overlay is a façade of sorts that sits on top of the interface of an actual application. It looks similar enough that it’s often difficult to tell if it’s real or fake. These fool consumers more often than we’d like to think, and when they succeed, malware can be downloaded to the device without the user having any idea. Once captured by the thieves, the credentials are sent back to the criminals remotely. They are then used or sold on the Dark Web for around $1 apiece. The malware to do this costs about $15,000, but the payoff to criminals can be far more.

One sign that malware has made its way onto your mobile device is if your banking app asks for additional personally identifying information, such as a Social Security number or birthdate. If yours does, it’s not legitimate and you should not continue entering your login credentials.

The FBI believes that the reason this type of malware is gaining ground is because people often fail to install anti-malware on their phones and tablets. This leaves them vulnerable to additional attacks. Therefore, be sure to install this on your devices. Do some research on the available options for your products and get the right one for your device. Make sure to read the reviews and that it’s from a reputable company.

In addition, any application that you install should come from the official app store for your device. The malware affects both Android and iOS devices. Sideloading, or getting apps from locations other than the official app stores, adds risk. Those apps are not usually put through as much security scrutiny and therefore may not be as safe to download. The FBI identified this as a problem as well.

If your financial institution offers multi-factor authentication before allowing access to your account, take advantage of it. While some malware has been known to thwart this additional security step, it is still better to take the time to do it. This could mean entering an access code that is sent via text, but could also entail entering a randomly generated code from a key fob that the institution can provide to you.

These crimes can be difficult to track. Those who fall victim may not even know it’s happened until long after the damage has been done. So, don’t underestimate how vulnerable your phone can be. Just because it hasn’t left your side doesn’t mean someone hasn’t been inside it.

Bug in Tesla Software Demonstrates How Cyber Threats Are Now Also Our Physical Safety Concerns

Security experts have been warning that the increased complexity and computerization of vehicles is inviting additional risk to the already high-risk activity of being on the roadways. Recently, Chinese security researchers from Tencent’s Keen Security Lab found a flaw in the Tesla electric car’s Controller Area Network bus (CANbus) that allowed them to switch on the windshield wipers, open the sunroof, activate a turn signal, and apply the vehicle’s brakes (as well as perform other actions) remotely.

While being able to remotely control a car won’t allow hackers to steal your identity, it could allow other nefarious acts to take place, such as acts of terrorism. Should someone with bad intentions be able to exploit a vulnerability in the vehicle’s software, they could conceivably orchestrate an event in which they applied the brakes on thousands of vehicles driving on the roadways at once. This could result in massive pileups, injuries, and deaths.

No matter what software or firmware is running on a system, be it a computer or a vehicle, it’s important to apply any security or critical patch as soon as it is released. If your car is recalled for a software vulnerability, take it in to the dealer or other shop to get it remedied right away. Otherwise you are putting your physical well-being at unnecessary risk.

Cyber terrorism has already made an appearance in recent years. Some may consider the Stuxnet malware that infiltrated one of Iran’s nuclear facilities a form of cyber terrorism. That virus caused approximately one-fifth of Iran’s nuclear centrifuges to be destroyed by sending them spinning out of control. It demonstrated that a cyber attack could result in real mass physical harm should that be the intent. The attack against Sony, in which information about unreleased movies, payroll information, and email conversations among executives was posted for all the world to see, not only hurt Sony financially but also harmed its reputation. This could also be considered cyber terrorism. These types of attacks are expected to get more frequent and more dangerous. They are also not expected to be limited to nation states, but will likely creep into the private business space as well. So if you are charged with your company’s cyber security, make sure to update all computer systems ASAP when a patch is released.

Cyber security no longer applies only to fraud and identity theft. As this issue shows, it has now crossed the line into threatening our physical safety. So as much as technology can improve our lives, instances like this show it can also be very harmful. That’s why it’s important to stay on top of patching and updating all software, even the software in our garages.

The Ripper Malware Jackpotting an ATM Near You

There is a term, or two, for the type of attack that the malware Ripper performs. It’s called “jackpotting” or a “cash out” attack. This happens when malware is planted in an ATM and allows thieves to send it commands to, well, dispense cash. It happened in Taiwan not long ago and recently, it also happened in Thailand. Three groups of men throughout six Thai provinces managed to steal roughly the equivalent of $350,000 from 21 ATMs. While “pocket change” compared to the $2.2 million in the Taiwanese machines, it demonstrates a continuing and disturbing trend.

According to experts, one reason this works is that many ATMs are still running on embedded versions of Windows XP, which is no longer supported by Microsoft. ATMs are computers and therefore are susceptible to the same types of attacks that can hit any organization’s network. Unfortunately, it is not known how this malware made its way onto the ATMs. However, the cash is dispensed after a payment card is inserted into the card slot and authenticates with the malware that was previously installed.

The best defense for those in charge of ATM security is to upgrade these outdated machines to newer technology that has fewer vulnerabilities and runs on products still supported by their manufacturers. It’s also important to keep all systems updated with security and critical patches when they are made available. This doesn’t apply only to desktops and laptops, but also to those ATMs.

Yes, it might be expensive and time consuming to do this, but with millions of dollars in cash at stake, it’s worth it. Criminals know what an effort this is, which is why they are having success.

Ripper involves taking advantage of the common APIs that many of the ATMs use to communicate with the hardware. Ripper is sophisticated enough to use the public specifications that are used on many brands. Although this particular attack happened on NCR machines, researchers found that it is also effective on machines by two other vendors. However, the researchers (from FireEye and NCR) have not identified the others. So to be on the safe side, regardless of the brand at your institution(s), it’s a great idea to get it up-to-date.

Yahoo! Confirms Theft of Data of 500 Million Users

About a month ago, it was reported that Yahoo! was investigating a possible data breach affecting 500 million users from 2012 (the New York Times is reporting 2014). Since then, the company has confirmed the breach. The same hacker that claimed responsibility for the breaches of MySpace and LinkedIn has claimed this one too. Information accessed included user names, birthdates, contact email addresses, and poorly scrambled passwords.

The advice is the same as it was before. If you haven’t changed your Yahoo! password in a while, it’s a great time to do it. Also change passwords on any accounts for which you reused that one. Use strong passwords that:

  • are at least eight characters,
  • include at least one number,
  • include at least one special character, such as a number sign,
  • are not dictionary words or names,
  • cannot be easily guessed,
  • are not used on any other online site.

It is difficult to remember so many passwords. However, it is important to have different ones for all the sites you visit. Password reuse happens more often than ever and is being blamed for breaches and account access regularly. If the thief (or thieves) figures out that some of the contacts in those Yahoo! accounts are related to financial sites or people, they could try them on banking sites.

Jim Stickley of Stickley on Security recommends having a core password or phrase of at least six characters such as “Xu8*V@” and adding letters from the URL to your password in some manner you can remember. For example, if you were visiting Yahoo, your password would become “Xu8*V@YO” or some other derivation of that. It is highly unlikely a password would be reused this way.

Another way is the “dice” method. This is when you take dice with words on them (create your own dice if needed) and roll them to combine words into a password.

If you have to write down passwords, try to use clues to trigger your memory as opposed to writing down actual passwords. Then keep the list in a place separate from your computer; a locked cabinet is preferred. And never put your passwords on sticky notes and attach them anywhere on your desk or monitor at work. This leaves your accounts vulnerable to a physical security breach.

In addition to changing your password, keep an eye out for additional email showing up in your inbox that includes links or attachments you don’t expect. These could be phishing. Even if the email comes from a known sender, the theft of such a large number of email addresses means that spam and phishing messages may appear to come from Yahoo! account holders and/or from any email address in their contact lists.

Some news sources have reported the perpetrator is a state-sponsored actor. However, this information has not been confirmed by Yahoo! or the U.S. Government.