Week in review: Extortion schemes, vulnerability tax and new malware strains

Here’s an overview of some of last week’s most interesting news and articles:

Microsoft Windows MHTML XSS vulnerability
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to conduct cross-site scripting (XSS) attacks.

EFF exposes extensive FBI violations
The EFF has compiled a report by reviewing the nearly 2,500 pages of documents released by the FBI concerning intelligence investigations from 2001 to 2008, and the results are rather alarming.

ATM skimmers don’t even have to be on the ATM
Careful ATM users know enough to give the machine a quick visual check before using it and to shield the keypad while entering their PIN, but there’s a new type of attack that ATM users can’t detect, because nothing on the machine, or close enough to it, looks off in a way that would make them suspicious.

PlentyofFish CEO accuses Argentinian hackers of elaborate extortion scheme
The Argentinian hackers that hacked The Pirate Bay back in July are at it again. They have supposedly hacked the popular free online dating site PlentyofFish and, according to the site’s founder and CEO Markus Frind, have tried to extort money from him and his company by trying to create a sense of panic and then offering to help him close the hole in the site.

New malware strains wreaking havoc on Facebook
PandaLabs announced the discovery of security exploits via popular social media sites Facebook and Twitter.

Changing the status quo for security
When a problem is recognized that impacts virtually everyone and a group of experts provides a solution, what can possibly prevent the solution from being used?

Could a vulnerability tax spur vendors to improve security?
He has recently been appointed as Apple’s global director of security and is expected to begin his work in March, but former National Security Agency cryptographer and SANS instructor David Rice is already positioning himself on the front line of the security debate by proposing a vulnerability tax as a way to push software manufacturers to get (even) more serious about security.

“Facebook closing all accounts” scam hits users
The latest scam to hit Facebook users is a slight variation of the survey scams that target them daily. But this time, the lure isn’t bogus “OMG, I can’t believe it!” content, but an announcement supposedly coming from Mark Zuckerberg saying that Facebook will close down all accounts.

Rogueware starts misusing names of legitimate AV
As time passes and users become more and more adept at finding out whether the name belongs to a real or fake AV solution, rogueware developers will have to resort to the more risky business of using names of legal software.

Private info on Facebook increasingly used in court
Making the content of your Facebook account private can thwart the social network’s plan to share as much information as possible with advertisers, but it may not keep out lawyers looking for material that will contradict your statements in a court of law.

Chinese spies attempted to spear-phish US diplomats?
While some of the documents from the batch of US diplomatic cables dumped by WikiLeaks have proved to be more explosive than others, every now and then some nugget of information fished from the less controversial cables turns up and proves interesting enough to merit a mention.

Expanding phishing vector: Classified ads
The online classified advertisement services sector has been increasingly exploited as a phishing attack vector by e-crime gangs.

Facebook bug allows user data theft via specially crafted websites
A proof-of-concept attack page that exploits a Facebook vulnerability to access a user’s private data has been devised by two students who shared the information with the social network’s security team and Sophos’ Graham Cluley.

Google offers Pwn2Own contestants $20,000 for Chrome exploit
After last year’s edition of the contest, Google’s Chrome browser was the only one left standing, so this year Google has decided to offer up to $20,000 to anyone who manages to compromise it.

500,000 stolen e-mail credentials for Waledac’s comeback
Security researchers are still monitoring the botnet’s activities, and recently the team from Lastline managed a peek into a stash of stolen credentials the botmasters have acquired.

250,000 Facebook profiles harvested for setting up dating site
250,000 Facebook users have become the unwitting members of a “dating” site which its authors claim is a “work of art” and not set up to make money, but Facebook, as expected, is not entertained by their stunt.

Cybercriminals target Super Sunday as their biggest game ever
Security experts predict record-breaking numbers of online threats and cyber attacks related to Super Sunday as compared to other holidays or events.

The dark side of the new Android Market
A new version of the Android Market has just been launched, making it possible for every device owner to look for applications, buy or even remotely install apps to an Android device directly from the browser on a desktop computer. Wait, remotely install? Have we misheard something?
