Week in review: Social engineering, Facebook clickjacking and a new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news and articles:

Automated social engineering PoC successful on Facebook and IRC
In order to reach a great number of targets, the attack must be automated. But, in order to dupe as many people as possible, the attack must also not seem to be automated.

Backdoor in open source Linux IRC server
A recent post on the UnrealIRCd Forums reveals that users of the open source IRC server UnrealIRCd may have had their machines compromised through no fault of their own.

Do you have what it takes to pass your PCI audit?
Just as the PCI DSS doesn’t rest on its laurels, neither should an organization; it should therefore come as no surprise that compliance is not a one-time event, but rather an annual undertaking requiring continually improved audit procedures.

Lines between personal and company data becoming blurred
Failure by SMBs to adopt formal corporate social media policies, as highlighted by a survey by SpamTitan, could be storing up legal trouble for themselves in the not too distant future.

Facebook not doing enough to prevent clickjacking attacks
Although the attacks are yet to deliver malicious payloads, they demonstrate an exploitable weakness in the way that Facebook works, putting users at potential risk from further malware or phishing attacks.

Recently published and still unpatched Windows XP flaw exploited in the wild
Less than a week since the controversial release of details of a vulnerability in the Windows Help and Support Center function – executed by Google researcher Tavis Ormandy – the vulnerability has been spotted being exploited in the wild.

Twitter PDF exploit spam
As evidenced by these real-time results, various Twitter accounts have recently bombarded other users with a message saying “Wow, A marvelous Product” and containing a malicious link.

Farmville and Sex and the City 2 used for Facebook clickjacking
The attack uses eye-catching messages related to the popular game Farmville or the Sex and the City 2 movie to grab the attention of logged-in Facebook users as they browse Web pages with the “Like” button.

(IN)SECURE Magazine issue 26 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

Financial services firms hesitant to adopt cloud computing
Today’s financial services firms are avoiding popular IT infrastructure investments such as cloud computing, in large part due to data security and transparency concerns.

Months-old Skype vulnerability exploited in the wild
The vulnerability has been discovered in the EasyBits Extras Manager, a plug-in component for Skype, and for all those people who haven’t updated their client, this presents a gaping hole in their security perimeter.

Next-generation Trojan plunders East European bank accounts
It bypasses the Java application that the customers use to authenticate themselves when accessing their accounts, steals the credentials, and then proceeds to bombard the same application with data until it crashes.

Winning the browser security battle
The Web browser is one of the most ubiquitous applications used throughout the computing community, and each application integrated in it is likely to contain additional flaws and vulnerabilities.

Zbot Trojan delivery via fake Pentagon emails
Attention-piquing malicious spam emails purportedly coming from the DHS, the Pentagon or the Transportation Security Administration have recently been spotted by Sophos.

Apple updates Mac malware protection
Researchers at Sophos discovered that Apple updated the anti-malware protection built into Mac OS X when it released a new version earlier this week.

HTML files redirect users to malicious sites, evade mail server antivirus
The number of emails that try to trick recipients into downloading malicious files has surged in the last few days.