Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

There is a phishing attack that is receiving much attention today in the security community.

A phishing attack starts with an email containing a link to a malicious website. You click the link because it appears to come from a source you trust; the site may then infect your computer, or trick you into signing in with the credentials you use on the real website. The attacker then has your username, password and any other sensitive information you inadvertently provide.

This particular attack uses maliciously registered domains that look identical to real domains in your browser's location bar: the registered name is spelled with characters from another alphabet (Cyrillic, for example) that the browser renders as the familiar Latin letters.

WordFence, the company behind one of the best WordPress security plugins, has set up a test case that demonstrates how the attack works, if you are interested in the technicalities. The most important thing for Chrome and Firefox users, though, is to stay safe, and the easiest check to make before you log into a website you trust is this.

Copy the URL from the location bar and paste it into any program on your device that lets you paste as plain text (a plain text editor, for example).

A fake domain will show up with a label that starts with xn-- (for example https://xn--...). A real website's address will look exactly as it did in your browser's location bar. Note that xn-- is simply how browsers encode any domain name containing non-ASCII characters, so a legitimate internationalised domain will also show it; the warning sign is an xn-- label where you expected a plain Latin name such as your bank's.

In Chrome, you can even copy the address and paste it straight back into the location bar: the fake website's domain reveals itself in its xn-- form.
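To automate the plain-text check described above, here is an added example written for this page (it is not WordFence's test case or code from the article). It pulls the hostname out of a pasted URL, decodes every xn-- label back to Unicode with Python's idna codec and then, because legitimate internationalised domains also carry the xn-- prefix, asks whether the decoded letters mix scripts or come from a small hand-picked table of Cyrillic letters that look like Latin ones. The sample hostnames are constructed for the demo, and the look-alike table is a partial assumption, not the full Unicode confusables list.

```python
"""Inspect a pasted URL for IDN homograph hostnames.

Added example for this page, not WordFence's code.  Assumptions: the
look-alike table below is partial, and the sample hostnames are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Partial, hand-picked table of Cyrillic letters that render like Latin letters
# in common fonts (assumption: enough for the demo, not the full confusables list).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def punycode_labels(hostname):
    """Return (ace_label, unicode_label) for every label carrying the xn-- prefix.

    Raises UnicodeError for a label that is not valid Punycode/IDNA, which is
    itself a red flag for something that came out of a browser's location bar.
    """
    pairs = []
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            pairs.append((label, label.lower().encode("ascii").decode("idna")))
    return pairs


def scripts_used(text):
    """Scripts of the letters in text, taken from the first word of each
    character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def latin_skeleton(text):
    """Replace known look-alike letters with their Latin twins."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def classify_host(hostname):
    """'ascii'     : no xn-- labels, what you see is what you get
       'idn'       : internationalised, but not pretending to be a Latin name
       'homograph' : a label mixes scripts or is a whole-script Latin look-alike
       'malformed' : an xn-- label that is not valid Punycode/IDNA"""
    try:
        pairs = punycode_labels(hostname)
    except UnicodeError:
        return "malformed"
    if not pairs:
        return "ascii"
    for _ace, label in pairs:
        skeleton = latin_skeleton(label)
        if len(scripts_used(label)) > 1 or (skeleton != label and skeleton.isascii()):
            return "homograph"
    return "idn"


def check_pasted_url(url):
    """The check from the text: hostname of a pasted URL plus its verdict."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host, classify_host(host)


# Constructed samples standing in for what a victim would paste (assumption).
FAKE_APPLE_UNICODE = "\u0430\u0440\u0440\u04cf\u0435.com"   # Cyrillic a, er, er, palochka, ie
FAKE_APPLE_HOST = FAKE_APPLE_UNICODE.encode("idna").decode("ascii")       # xn--....com
LEGIT_IDN_HOST = "b\u00fccher.example".encode("idna").decode("ascii")    # German umlaut, honest IDN use
MIXED_SCRIPT_HOST = "p\u0430ypal.example".encode("idna").decode("ascii")  # one Cyrillic a among Latin letters

if __name__ == "__main__":
    for url in ("https://www.apple.com/login", "https://" + FAKE_APPLE_HOST + "/login",
                "https://" + LEGIT_IDN_HOST + "/", "https://" + MIXED_SCRIPT_HOST + "/"):
        host, verdict = check_pasted_url(url)
        print(f"{verdict:10} {host}")
```

A verdict of idn is what a German or Russian site will produce and is not cause for alarm; homograph is. Python's idna codec implements the older IDNA2003 rules while browsers apply UTS #46 processing, so a rare label can decode differently, which is why the hostname is printed next to the verdict for a human to compare with the address bar.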

Facebook explains when and why it peeps at your account

Venture Beat reached out to Facebook to find out when, exactly, employees can access a user’s account without entering their login credentials.

A Facebook spokesperson sent this answer:

We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.

Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.

We have a zero tolerance approach to abuse, and improper behavior results in termination.

Case Studies: Fixing Hacked Sites

In the hope of helping other webmasters who have been victims of hacking, Google shares two stories of websites that were compromised and then cleaned up by their owners: one a restaurant website with multiple injected scripts, the other a professional website with many hard-to-find hacked pages.

Cleaning up a hacked website is usually an involved task that often requires hiring a professional. Google advises avoiding the hassle by following a few simple steps that minimize the chances of being hacked in the first place:

  • Avoid using FTP to transfer files to your servers. FTP does not encrypt any traffic, including passwords. Use SFTP instead, which encrypts everything, including your password, and so protects you against eavesdroppers examining network traffic.
  • Check the permissions on sensitive files like .htaccess; your hosting provider can assist you if you need help. The .htaccess file can be used to improve and protect your site, but an attacker who gains write access to it can just as well use it for malicious purposes, such as redirecting your visitors.
  • Be vigilant and look for new or unfamiliar users in your administrative panel and anywhere else accounts exist that can modify your site.
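The permission check from the second item, as an added example (this is not Google's code and is not part of the case studies). It generalises a little: instead of looking only at .htaccess it reports every file or directory under a web root that group or others can write to, and any setuid or setgid bit, which has no business in a document root. The sample entries are constructed, and the only assumption is a Unix host.

```python
"""Audit file modes under a web root for the problems the checklist names.

Added example, not Google's code.  Assumes a Unix host; SAMPLE is constructed.
"""
import os
import stat

# Apache per-directory configuration files; an attacker who can rewrite them
# can redirect every visitor, so they get called out explicitly in the report.
SENSITIVE_NAMES = {".htaccess", ".htpasswd"}


def regular(perm):
    """st_mode of a regular file with the given permission bits (for samples)."""
    return stat.S_IFREG | perm


def directory(perm):
    """st_mode of a directory with the given permission bits (for samples)."""
    return stat.S_IFDIR | perm


def audit_entry(path, mode):
    """Findings for one path given its raw st_mode (file-type bits included)."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & (stat.S_ISUID | stat.S_ISGID) and not stat.S_ISDIR(mode):
        findings.append("setuid/setgid bit set")
    if findings and os.path.basename(path) in SENSITIVE_NAMES:
        findings.insert(0, "sensitive Apache config file")
    return findings


def audit_entries(entries):
    """entries: iterable of (path, st_mode).  Returns {path: findings} for the
    paths that have at least one finding."""
    report = {}
    for path, mode in entries:
        found = audit_entry(path, mode)
        if found:
            report[path] = found
    return report


def walk_modes(root):
    """Yield (path, st_mode) for everything under root without following symlinks,
    ready to feed into audit_entries()."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield full, os.lstat(full).st_mode


# Constructed sample of what walk_modes() might yield on a shared host.
SAMPLE = [
    ("/var/www/site/.htaccess", regular(0o666)),      # anyone on the box can plant redirects
    ("/var/www/site/index.php", regular(0o644)),      # fine
    ("/var/www/site/uploads", directory(0o777)),      # world-writable upload directory
    ("/var/www/site/cache/helper", regular(0o4755)),  # setuid binary inside the docroot
    ("/var/www/site/images", directory(0o755)),       # fine
]

if __name__ == "__main__":
    for path, findings in audit_entries(SAMPLE).items():
        print(f"{path}: {', '.join(findings)}")
```

Run it against a real document root with `audit_entries(walk_modes("/var/www/site"))`. The common baseline on shared hosting is 0644 for files and 0755 for directories; anything the report lists is more permissive than that, and a world-writable .htaccess or uploads directory is exactly where injected scripts like the ones in Google's stories tend to persist.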

Check It Out: 25 Worst Passwords of 2014 (Not Still Using 123456, Are You?)

SplashData has announced its annual list of the 25 most common passwords found on the Internet, which also makes them the worst: anybody still using one of them is exposed to account takeover or even identity theft.

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are. Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure.” ~ Morgan Slain, CEO of SplashData

Read the full article for more details and tips on keeping your data secure with good passwords.

3 security mistakes small companies make and how to avoid them

Just about every organisation depends on computers, but dedicated IT staff are a luxury most very small businesses can't afford. They still need to find a way to secure their computers against cybercriminals, who aren't going to give them a break just because they're small.

Follow Mark Stockley's pointers about full disk encryption, making good backups, and the dangers of running an outdated operating system (Windows XP, anyone?), and stay safe.

Computer Viruses 101: What You Need to Know Now

Computer viruses first emerged in the 1980s, and they have been causing problems for computer users worldwide ever since. Unfortunately, they are here to stay.

In this article, Justin Kemp talks about the origins of computer viruses, their types, and ways to prevent them from harming your own computer or your company's network.

Passwords, it’s as easy as 123

Simple passwords are easy to remember, and just as easy for hackers to crack. Many of them appear on the default word lists that attackers feed to their cracking tools, starting with the word "password" itself, which is still among the most common passwords in use today.

Switching to a more complex password can be unsettling (what if you forget it?), but a hard-to-crack password does not have to be impossible to remember. Bob Russo shows examples of reasonably memorable passwords that will keep your site, and your online accounts holding sensitive information, safe.
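The SplashData quote above and this item describe the same weak-password patterns: keyboard walks, digit-only strings, simple sequences, and words everyone has seen on a worst-passwords list. Here is an added example that flags those patterns; it is not SplashData's or Bob Russo's code. Two assumptions are built in: the keyboard grid is an approximation of a US QWERTY layout, and the common-password list is a handful of entries everybody knows from such lists, standing in for a real blocklist such as a breached-password corpus, not the SplashData list itself.

```python
"""Flag the weak-password patterns described in the two items above.

Added example for this page, not SplashData's or Bob Russo's code.
Assumptions: approximate US QWERTY grid; NOTORIOUS is a tiny stand-in list.
"""

# A few passwords that recur on every "worst passwords" list (assumption: a
# stand-in for a real blocklist, not the SplashData list itself).
NOTORIOUS = {"123456", "password", "12345678", "qwerty", "abc123", "111111",
             "letmein", "iloveyou", "admin", "welcome"}

# Approximate US QWERTY layout: (keys in the row, horizontal offset of its first key).
KEY_ROWS = [("1234567890", 0), ("qwertyuiop", 0), ("asdfghjkl", 1), ("zxcvbnm", 1)]
KEY_POS = {ch: (x + offset, y)
           for y, (row, offset) in enumerate(KEY_ROWS)
           for x, ch in enumerate(row)}


def _adjacent_keys(a, b):
    """True when a and b are distinct neighbouring keys, diagonals included."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ax, ay), (bx, by) = KEY_POS[a], KEY_POS[b]
    return (ax, ay) != (bx, by) and max(abs(ax - bx), abs(ay - by)) == 1


def is_keyboard_walk(pw):
    """Every consecutive pair of keys is physically adjacent: qwertyuiop, 1q2w3e4r, zxcvbn."""
    p = pw.lower()
    return len(p) >= 3 and all(_adjacent_keys(a, b) for a, b in zip(p, p[1:]))


def is_sequence(pw):
    """Every step moves exactly one code point up or down: abcdef, 123456, 654321."""
    return len(pw) >= 3 and all(abs(ord(a) - ord(b)) == 1 for a, b in zip(pw, pw[1:]))


def weaknesses(pw):
    """Reasons a password is weak, in a fixed order.  An empty list means no
    pattern matched, which is not proof of strength."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.lower() in NOTORIOUS:
        reasons.append("on the common-password list")
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if is_sequence(pw):
        reasons.append("character sequence")
    return reasons


# Constructed candidates: the classic offenders and one memorable passphrase.
CANDIDATES = ["123456", "password", "qwertyuiop", "1q2w3e4r", "111111", "abcdef",
              "Tuna sandwich at 4pm, again?"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        found = weaknesses(pw)
        print(f"{pw!r}: {', '.join(found) if found else 'no weak pattern found'}")
```

The keyboard check catches the longer patterns the quote warns about, including the "1q2w3e4r" style walks that mix digits and letters and therefore satisfy a naive "letters and numbers" rule. A passphrase made of several unrelated words passes every check here precisely because none of its adjacent characters follow a keyboard or alphabet pattern, which is the property that makes it both memorable and hard to crack.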

Malware Alert: Please Update Your Expired Dropbox Password

If you use Dropbox, for your own purposes or while working with us on a project, be aware of a new scam email with the subject "Please Update Your Expired Dropbox Password." If you open it, do not click on any of its links: they lead to a hacked website that distributes malware.

Stay safe: if you need to make any changes to your account, type Dropbox.com into your browser yourself rather than following a link from an email.

Source: Dynamoo’s Blog

New first stop for hacked site recovery

Google has just introduced a new informational series, Help for hacked sites: a dozen articles and over an hour of video dedicated to helping webmasters in the unfortunate event that their site is compromised.

The series gives practical advice on how to build a support team, quarantine the hacked website, touch base with Google Webmaster Tools, assess the damage, identify the vulnerability, clean the site, and request a review from Google.