Blog

May 16th, 2011

A recent incident in which Epsilon, one of the largest email service providers in the world, fell victim to phishing has highlighted the need for companies, big and small, to pay more attention to their security protocols, lest not only their business data be compromised, but also that of their clients.

There’s been a lot of buzz recently about Epsilon, one of the biggest email service providers in the world, as it suffers the backlash of falling victim to phishing efforts that have affected the business data of as many as 50 major companies that are its clients.

Reports are also citing Epsilon’s failure to heed an alert from a business partner which advised the provider to be on its toes against potential attacks from cyber-criminals targeting email service providers. The damage estimates vary, with Epsilon citing only about 2% of their data being stolen, but the impact is undeniable. Cyber-criminals now have access to a sizable amount of personal data stored through Epsilon: passwords, account numbers, and even the purchasing / buying habits of the customers of Epsilon’s clients. Many of Epsilon’s clients are now sending out messages to their own customers, warning them that their email addresses may have been compromised.

It’s a lesson to companies, big and small, to pay more attention to beefing up their security protocols, since all it takes is one breach to endanger all of your data. In addition to having the right security software, it also helps to require your employees to undergo proper user training, so that they won’t be easily baited by scams like phishing and will be more aware of how to contribute to the safety of your business data. Failing to do so puts not only your company, but also your clients, at risk.

If you’d like to make sure your systems are safe, call us and we’ll evaluate your current security measures and suggest ways to make critical improvements.

Published with permission from TechAdvisory.org. Source.
Topic Articles
February 22nd, 2010

If you suspect that you’ve responded to a phishing scam with personal or financial information or entered this information into a fake Web site, take these steps to minimize any damage.

Topic Tech Tips
October 28th, 2009

Hotmail, Microsoft’s free online email service, found itself in hot water when the usernames and passwords of 10,000 email accounts were recently discovered posted on a code-sharing website.

BBC News has reported that these Hotmail account owners, mostly from Europe, were victimized by a phishing attack. Microsoft is currently investigating the incident, and hinted that there may be more users who have inadvertently compromised the privacy of their email accounts.

The total scale of the phishing attack has yet to be determined, since the 10,028 Hotmail usernames and passwords are only of users whose names begin with A or B. Microsoft has confirmed the accounts to be genuine.

Microsoft has also taken action to remove the passwords and usernames from the website. As of now, there is no news regarding what action the software giant will take against the instigators of the attack, nor what the impact will be to the owners of the compromised accounts. Microsoft has advised users to immediately change their passwords, and warned email account holders to be more careful in responding to emails.

Phishing is an online scam in which email accounts are sent fake emails disguised as legitimate correspondence from trusted websites. Once the recipient clicks on a link included in the email, his or her account is then compromised, allowing phishers to gain access to account information as well as other sensitive information, including bank passwords and credit card accounts.

The original BBC story can be found here.

Topic Articles
September 22nd, 2009

In a previous post, we pointed out how just browsing the web these days can possibly infect your PC with malware. To show how dangerous surfing can become, Symantec recently released their list of the “Dirtiest Websites of Summer” – the top 100 infected sites on the Internet based on number of threats detected by their software as of August 2009. The list identifies websites that could compromise security with risks including phishing, malicious downloads, browser exploits, and links to unsafe external sites.

Some interesting findings from the study:

  • The average number of threats per site on the Dirtiest Websites list is roughly 18,000, compared to 23 threats per site for most sites
  • 40 of the Top 100 Dirtiest Sites have more than 20,000 threats per site
  • 48% of the Top 100 Dirtiest Web sites feature adult content
  • 3/4 of the Top 100 Dirtiest Web sites have distributed malware for more than 6 months
  • Viruses are the most common threat represented on the Dirtiest Websites list, followed by security risks and browser exploits

You can read more about this research at Symantec’s website. If you suspect your PCs are at risk, or if you want to ensure your website doesn’t get hijacked by cybercriminals, contact us. We can help.

Topic Articles, News
September 1st, 2009

Another reason to keep your computer malware free: cyber-pirates raided several businesses as well as a school in recent attacks through the Automated Clearing House (ACH) Network.

The losses, which ranged from $150,000 to more than $400,000, were accomplished by the crooks in mere minutes. Luckily for these companies, the banks managed to reverse some of the transfers. If they hadn’t, the losses would have amounted to $700,000 up to a whopping $1.2 million.

The modus operandi of the hackers is simple. Making use of the ACH network, they send out “phishing” emails to account holders. When the recipient clicks on the link, malicious software – a Trojan horse or virus – automatically downloads itself to the recipient’s computer, allowing the hacker to infiltrate the system. Keylogging software (software that tracks keystrokes) is installed, which gives phishers access to account numbers, names, and passwords. They then divert the company’s funds into their own accounts.

ACH fraudsters can also use the same method to not only siphon off money into their own pockets, but also to establish “ghost employees”, which they insert into the payroll and qualify to receive regular paychecks.

While banks are doing their best to strengthen the system, they can only do so much, and experts admit that the ACH network is a very old system compared to today’s standards. The volume of money that flows through the ACH is also so massive that it is difficult to keep track of specific amounts for specific accounts.

Despite its shortcomings, the ACH system still remains widely used, and the best defence is to guard your system well. For our clients, we have firewalls and anti-malware software in place, but you should also make sure your bookkeepers and staff are briefed on how to avoid being the victim of fake phishing emails.

If you have any questions or concerns please give us a call.

For more details about this story, visit http://www.computerworld.com/s/article/9136334/Cyber_attackers_empty_business_accounts_in_minutes?taxonomyId=17&pageNumber=1.

Topic Articles
May 25th, 2009

Last May 14th, reports indicated that hackers had launched a phishing attack on Facebook’s 200 million users, successfully stealing passwords from some. The hackers set up websites designed to look like the Facebook home page. Victims were directed to log back in to the site, but were routed to the fake site instead, unwittingly giving away their passwords. Facebook has deleted all references to the fake domains, which included www.151.im, www.121.im and www.123.im. This is the latest in a string of campaigns launched by hackers to steal personal information from users and to spread spam. Facebook’s large user base makes them an attractive target for many cybercriminals. Users are urged to seek help from authorities or trusted IT consultants if they believe their accounts were compromised, or to avoid similar scams.
Topic Articles, News