12 Social Network Scams | .::APAJR::.

Social network platforms are gaining much popularity and is making users more curious as well as adventurous. And this is exactly what phishers and scammers are looking for! Here we bring to you top 12 scams watch out for!

 

1. The 419 scam

Scammers hack into Facebook accounts and pretend to be traveling and stranded somewhere without any money. The ruse, called a 419 scam, usually begins an IM on Facebook to someone in the victim’s network pleading for help. The scammer claims to have been robbed or hit with another such tragedy, leaving them without any cash or credit cards. This Scam's Info Is Provided By Cyber Elite.They typically ask the target to wire them money for a return ticket home and promise to pay them back upon return.

2. See who viewed your profile!

This scam has been making rounds on Facebook for quite some time now and plays to the user's desire for information about who is checking out their Facebook page.
But the scam usually asks you to allow an application to access your profile, which then typically leads to a fraudulent survey which earns a commission for the spammer. Not only will you be left still wanting to know who is visiting your profile, you've also just shared your information with the shady character who developed the fake application.

3. Dad walks in on daughter …. Embarrassing!

Another example of clickjacking, this scam also promises you something you will likely never actually get. This scam promises a controversial video, but instead ends up leading the Facebook user to an online survey to earn a commission for the spammer.

4. Get a Starbucks gift card!

A free gift card sounds great, except that it will never actually arrive. This scam is a phishing attempt to get users to divulge personal information and even sign them up for expensive services. The gift-card scam takes on new forms each month but there is almost always one going on at any given time. Other common gift-card scams include fake offers from the Cheesecake Factory and Victoria’s Secret.

5. The ‘dislike’ button

Does the idea of having a 'dislike' button excite you? Apparently, it appeals to many and is a successful trick to fool people. The scam appears to allow the user to “enable dislike button.” But, instead, various versions of this trick have run an obfuscated Javascript on the user’s machine or even lead them to a survey scam. It also often spams itself out to other users’ walls.

6. Make thousands working from home!

These usually-bogus offers on Twitter direct the recipient of the tweet to an offer that charges for a “kit” that can help the person get started on making thousands “working right from the comfort of home.” Sounds too good to be true? It’s almost always is a scam. Any job that requires a fee for you to start is going to be fraudulent.

7. Hey someone is spreading terrible rumours about you!

Also seen on Facebook walls, these messages will ask luring questions like “Hey someone is making terrible rumors about you” and then send you to a malicious link that never shows you anything but instead downloads malware onto your computer.

8. Twitter mentions

Like the previous scam, the scammers take advantage of your desire to see who is “mentioning” you on Twitter. The mysterious mentions often come from Twitter followers you don’t know. That’s because they are spammers trying to trap curious users. While it may have your Twitter handle, the link will likely lead you somewhere dangerous.

9. Justin Bieber stabbed!

Fake celebrity news is almost always a sure way to get clicks. The problem is those links are almost always a sure way to get your machine infected with malware or to find yourself involved in a phishing attempt. Other recent celebrity news hoaxes have included promises of Osama Bin Laden’s death video and claims that 90’s rapper Vanilla Ice had died.

10. Your account has been cancelled.

This scam tries to scare you into thinking your social media account has been cancelled without your consent. But these emails, which appear to legitimately be coming from the supposed source, such as Facebook or LinkedIn, are actually a phishing attempt to get you to hand over your username and password. Any time you want to verify any information about an account, go directly to the site. Do NOT trust a link that claims it will take you there.

11. Facebook will start charging members!

Another ruse that makes round on Facebook every now and then is the urgent call for members to take action against impending plans by Facebook ownership to start charging for site use. The news begins to spread via status updates and often even claims “paste this into your status update so you will not be charged. Facebook will continue to be free for you!” But the move is unnecessary. Facebook has said it has no plans to charge members and the gossip is really just an updated version of a chain letter; generally harmless, but still a nuisance.

12. Tumblr dating game scam

A spam run taking place on Tumblr calls itself the "Tumblr Dating Game." Members receive spam messages that read: "Lol half of your followers are on tumblrdatinggam

e.com". But the URL in the message took members to a dating website totally unrelated to "Tumblr dating" and instead directed them to an Adult Friend Finder service.

Read More

New Facebook SPAM that Shows you "How to Hack FACEBOOK" is FAKE | .::APAJR::.

Recently I was mentioned in a facebook comment.When I visited the image,It shows how to Hack a facebook account.

 

It tells you the following

 

1.Goto victims profile
2.click  F12 or inspect element
3.Click on the Console
4.Paste the given code
5.You will receive  username and password by message

This is 100% fake.The given code is a script that is uploaded on PASTEBIN.

 
When you do this,You automatically like the spamming page and you will tag your friends on that post and ask them to like and share..

 
SO BE CAUTIOUS!!!! Dont blindly believe the posts on FACEBOOK.

 
Sometimes,the spam appears as "CHANGE THE FACEBOOK THEME";Get 100+ Followers etc.

 

Read More

Why You need to Stop using WhatsApp? | .::APAJR::.

If you haven’t heard by now, Facebook just made its biggest move ever, buying the messaging service WhatsApp in a deal worth some $19 billion. That’s 19 times what Facebook paid for Instagram two years ago.

 
The WhatsApp Service run by the team of just 32 engineers, handles more than 50 Billion messages daily, and approx 385 million active users.

 
WhatsApp acquisition has also brought out fresh criticism over security for the billions of messages delivered on the platform. Security Researcher at Praetorian Labs identified several SSL-related security issues in WhatsApp application using Project Neptune, a mobile application security testing platform.

 
"WhatsApp communication between your phone and our server is fully encrypted. We do not store your chat history on our servers. Once delivered successfully to your phone, chat messages are removed from our system." Company said in a blog post.


But researchers found that WhatsApp is vulnerable to Man-in-theMiddle attack because the app has not enforced SSL pinning and hence user credentials can be easily stolen. SSL pinning prevents the user of the application from being a victim of an attack made by spoofing the SSL certificate. SSL pinning won't prove a great solution is not validated properly.

"WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information."

WhatsApp is allowing its backend servers to use weak 40-bit and 56-bit encryption schemes, which can be easily cracked using brute force attack. 'This is the kind of stuff the NSA would love,' researchers said.

 
WhatsApp team has confirmed that they are actively working on adding SSL Pinning to their app, but still that is not enough to protect our privacy.

 
Facebook and WhatsApp assured that nothing is going to change after the acquisition and WhatsApp will continue to function as an independent service, but is that statement satisfied? May be we can trust Facebook, Google, WhatsApp.. But we really can't trust the U.S. Government  and the Security agencies like the NSA, that don't respect our privacy and freedom of speech.

 
Mobile messaging apps often used to deliver sensitive data or used for personal and corporate communications, so the data stored by the service provider should be encrypted end-to-end, which is not yet in the case of WhatsApp.

 
But there are many other free secure chat applications are available like Telegram, Surespot, Threema, TextSecure, RedPhone etc., that you should use to keep your data private and Secure, until WhatsApp will not adopt end-to-end encryption.

Read More

Why Facebook is buying WhatsApp for $19 Billion? | .::APAJR::.

Popular Smartphone Messaging app WhatsApp's $19 billion acquisition by Social Network giant Facebook made Headlines this week.

While Some are applauding the move, and many other users are worried about WhatsApp’s future and their privacy after this acquisition.

Why So Serious?

WhatsApp currently having 450 million active users and processes 50 billion messages a day. Service charges a nominal service fee of $1/year, that means Facebook is buying at $42.22 per user.

$19 Billion / 450 million users  = $42.22 per user

These figures show, obviously future revenue from WhatsApp can’t cover the acquisition cost in the short or mid-term.

"You can still count on absolutely no ads interrupting your communication. There would have been no partnership between our two companies if we had to compromise on the core principles that will always define our company, our vision and our product." WhatsApp founder said in a blog post.

So, What Facebook is planning for?
 

Facebook is by far the world’s most popular social network, with over 1.2 billion users worldwide, but all WhatsApp users may not have an account on Facebook. Facebook CEO Mark Zuckerberg posted on his wall, "Our mission is to make the world more open and connected", that means Facebook could merge WhatsApp data with them, but Mark also said, "WhatsApp will continue to operate independently within Facebook".

"Facebook Mobile Messenger is widely used for chatting with your Facebook friends, and WhatsApp for communicating with all of your contacts and small groups of people. Since WhatsApp and Messenger serve such different and important uses, we will continue investing in both and making them each great products for everyone." Mark Zuckerberg added.

Mark said,'Making them each great products for everyone'

By design, WhatsApp collects all contact information from phones and uploads that information to the company's servers. This is hugely valuable data that Facebook has apparently been after from last two years. In simple words, 'Facebook Just Bought 450 Million Phone Numbers in $19 Billion'.

WhatsApp claim that users’ messages are never stored on their server after delivery to the recipient. So we are expecting that Facebook could never dig into our private messages history, but that doesn't mean -- it will not store in the future.

Can we trust Facebook and WhatsApp?

Well, 70% users don't trust Facebook with their personal information, whereas a large percentage of users still trust WhatsApp for sharing personal information.

WhatsApp has many Security issues as well as privacy issues, but that hasn't scared off its more than 450 million users around the world.

Alternate Secure & Encrypted messaging Smartphone apps? 

If you care about your privacy a lot and don’t want to hand your communication to Facebook, you might want to look into secure messaging solutions, like - Surespot an open-source Android and iOS messaging solution and Threema, end-to-end encrypted app for Android and iOS.

What would be the next in Facebook's shopping list? A mobile handset company?

Read More

US news agency GlobalPost's twitter and website hacked by Syrian Electronic Army | .::APAJR::.

                            In a series of high profile hacks, 'Syrian Electronic Army (SEA)' just a few minutes before took control twitter account and website of 'GlobalPost', a US based news agency.

'Syrian Electronic Army is an organized hacking group loyal to the Syrian President Bashar al-Assad and known for their high profile cyber attacks.

The hacker posted two tweets from the victim's account, saying "Think twice before you publish untrusted information about Syrian Electronic Army" and "This time we hacked your website and your Twitter account, the next time you will start searching for new job :)" (as shown in the screenshot).

GlobalPost's Deputy Social Media and News Desk Editor 'Kyle Kim' also tweeted that "We've been hacked".

At this point it is unclear that How group managed to access the website and twitter account. We are connecting to the hackers for further information, stay tuned to the page for more updates on this.

Update (5:31 PM Monday, September 30, 2013 GMT) : According to the group, just after the hack GlobalPost website is taken down.

Hackers have shared the hacked website's admin panel screenshot as shown below:

Update (6:33 PM Monday, September 30, 2013 GMT): On asking the reason of hacking, Syrian Electronic Army hackers explained The Hacker News that GlobalPost published innocent peoples' names in their article (Link) and said that they are "SEA members".

"We were able to delete that article, but we didn't, we leave the choice for them." they added.

Read More

Google pays $31,336 bounty to hacker for reporting criticalvulnerabilities in Chrome | .::APAJR::.

Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. Bug bounties is the cash prizes offered by open source communities to anyone who finds key software bugs have been steadily on the rise for several years now.


As part of its reward program, Google paid out $31,336 to a researcher who found three of the vulnerabilities. Google's post notes: "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe."

The three-bug chain credited to Weinmann exploited O3D, a JavaScript API (application programming interface) designed for crafting interactive 3-D graphics-based Web applications. The API and supporting browser plug-in were created by Google, with a preliminary version of the latter released in 2009.



Vulnerabilities that Google fixed in Chrome OS 26:
[227197] Medium CVE-2013-2832: Uninitialized memory left in buffer in O3D plug-in. Credit to Ralf-Philipp Weinmann.
[227181] High CVE-2013-2833: Use-after-free in O3D plug-in. Credit to Ralf-Philipp Weinmann.
[227158] High CVE-2013-2834: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Ralf-Philipp Weinmann.
[196456] High CVE-2013-2835: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Google Chrome Security Team (Chris Evans).
Google has paid out more in various contests it's run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own.


Most of the rewards are in the $1,000-$3,000 range, with some going above that, depending upon the severity of the vulnerability and difficulty of exploitation.


"The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We've been very pleased with the response: Google’s various vulnerability reward programs have kept our users protected and netted more than $1 million dollars of total rewards for security researchers. Recently, we've seen a significant drop-off in externally reported Chromium security issues."


Other big companies also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive.

Read More

Google Hacked? DNS In Kenya Hijacked By Bangladeshi Hacker | .::APAJR::.

A report surfaced Sunday via Hacker News that Google had been the victim of a cyberattack. A Bangladeshi hacker, whose alias is TiGER-M@TE, claimed responsibility for what appeared to be a defacement attack of google.co.ke, the Kenyan version of Google's search engine.

The traditional white background was changed to black, and the Google logo was replaced with a red stamp that read “Hacked.” Users reported that music also played in the background.

Photo: Hacker News This page claimed to have hacked Google, but was actually a redirect page caused by a DNS infiltration.

The wound was only skin-deep. TiGER-M@TE did not actually deface Google, but rather infiltrated a domain name server (DNS) in Kenya and redirected users to an alternate website. The same thing happened to the Kenyan domains for Microsoft, LinkedIn, HP and Dell.

“Google services in Kenya were not hacked,” a spokesperson for Google wrote IBTimes in an email, adding that no user data was compromised in any way. “For a short period, some users visiting google.co.ke and a few other Web addresses were redirected to a different website. We are in contact with the organization responsible for managing domain names in Kenya."

The issue has since been resolved, and google.co.ke was back up and running as usual Monday morning, so it doesn’t look like TiGER-M@TE found any new vulnerability with Google. In fact, this isn’t even the first time this sort of DNS-hijack has happened. Servers in Romania, Morocco and Uganda were also used to redirect users to pages claiming to have hacked Google.

If anyone should be able to protect itself from a hacker, it’s Google. Last month, Google launched an initiative to help webmasters learn more how and why websites get hacked and what can be done to recover any lost or stolen data. It even presented an eight-step recovery process for victims of hacking.

Read More

FBI Busts Hacker who blackmails 350 women for stripping on camera | .::APAJR::.

The FBI Tuesday announced the arrest of Karen 'Gary' Kazaryan, a 27-year old man, who is said to have blackmailed more than 350 women after convincing them to strip off in front of their webcams has been arrested in the US.

He was arrested in Glendale, California on Tuesday after being indicted on 15 counts of computer intrusion and 15 counts of aggravated identity theft, and faces a possible 105 years in the Big House if convicted. The FBI described the alleged blackmail as "sextortion".

He is accused of hacking into the victims accounts and changing their passwords, locking them out of their own online accounts. He then searched emails or other files for naked or semi-naked pictures of the victims, as well as other information, such as passwords and the names of their friends.

He then posed online as the women, sent instant messages to their friends and somehow, persuaded those friends to get undressed so that he could view and take pictures of them. US authorities said they had found about 3,000 pictures of nude or semi-nude women on Mr Kazaryan's computer.

The FBI said that it hasn't yet linked all of the nude and semi-nude images with people's actual identities. "Anyone who believes they may have been a victim in this case should contact the FBI's Los Angeles Field Office at (310) 477-6565," said a statement issued by the bureau.

Read More

Facebook Apps Promise Change but In Reality Phish Your Information | .::APAJR::.

Spammy Facebook apps are nothing new, the web giant has been dealing with suspicious behavior apps since the website launched the Facebook Platform for developers in 2007. As an open source app development tool, anyone can create an app, including people who really just want to steal your information, and your money.

With cyber crime  including identity theft, on the rise, more Facebook users should begin to pay closer attention to what they click on, especially if it is shared in a spammy way. Sophos reports that nearly 60,000 people have clicked on one scam in particular, which is one that promises to allow you to see who has viewed your profile. The app automatically posts a comment to the users timeline, and sometimes posts as a photo with the message ‘OMG OMG OMG… I cant believe this actually works! Now you really can see who viewed your profile ! on (link here). ‘

The app does not actually allow users to see profile views but instead leads them, and anyone who clicks on the link posted to their wall, to a phishing scam designed to steal personal information. And despite the red flags, Sophos, who tracked a single link through bit.ly, found that more than 58,000 people clicked on the link before it was shut down.

Real Life Example

Another all too common Facebook phishing app is the ‘Facebook Colors’ app which can appear as ‘Facebook Green’, ‘Facebook Red’, or in the case of this demonstration ‘Facebook Black.’ The following app was installed on a computer with a fully working antivirus including a link scanner.

First, Facebook Black demonstrates a couple of spammy properties right off the bat. Typically when real people post, they do not post a photo and a comment, which is the first sign. Second, most will say something other than ‘check it out’. Last but not least, if you see more than one person posting the same comment with a link, you definitely have a spam app on your hands. For anyone looking forward to installing a black Facebook let’s look at where this particular app goes.

What this shows you is that despite being advertised as a Facebook application, it’s actually a web browser app. You will have to allow it on your Facebook first, but will then be asked to allow it in your browser. Should you install it to test it out yourself, you can uninstall it via your browser applications. After clicking ‘add’ you would expect to be taken to a ‘black’ Facebook. Instead, you get this page.

You can click on any of the three ‘ you've won’ options, although I tested all three and while two led to phishing websites, one was actually broken, which is more than a little hilarious. The broken link actually goes to this page.

Which is absolutely nowhere, and just about the safest you will get with this particular app installed on your browser. One of the other links was slightly less benign, and was actually picked up by the linkscanner on the browser.

Many Facebook scam and phishing apps promise users things that seem hard to resist. Options such as profile personalization, viewing people who spend time on your profile, and even some games can instead steal your information or spam your friends with malware and viruses, and post items on your wall without your permission. Most of these apps are designed to make money for the maker in some way or another, and usually that money is made off of you.

Warning Signs

Most apps on Facebook are perfectly benign and can be used without a problem. There are however a couple of basic signs you can look out for to help with recognizing scam and phishing apps.

• Automatic tagging and sharing links


• Automatic Commenting and sharing links


• Automatic Invitations


• Promised Features That You Haven't Already Seen in Use


• The App Vanishes With No Results After Being Installed

Removing a Spam or Phishing App from Your Facebook

If the app you have installed includes any of the following signs, you might want to remove it as quickly as possible. The current version of Facebook allows you to completely control which apps have access to your profile by clicking the small gear in the upper lefthand corner. From there, you can click ‘settings’ and then ‘apps’ from the app page. You can remove anything in the apps that you are not familiar with or did not install.

If the app has in fact installed to your browser, you can likely uninstall it by going into tools and then extensions or add-ons depending on which browser you are using.

Studies show that identity theft is once again rising to become the most popular scam. Phishing emails and apps are the easiest way to steal identity including name, phone number, credit card information, and even home address. An estimated 12.6 million Americans were the victims of Identity theft in 2012, a number that is nearly as high as the 2009 record of 13.9 million. The only way to protect yourself is by exercising caution and thinking before you click.

Read More

World's biggest DDoS attack that Almost Broke the Internet | .::APAJR::.

The last week has seen probably the largest distributed denial-of-service (DDoS) attack ever. A massive 300Gbps was thrown against Internet blacklist maintainer Spamhaus' website but the anti-spam organisation , CloudFlare was able to recover from the attack and get its core services back up and running.

                Spamhaus, a group based in both London and Geneva, is a non-profit organisation that aims to help email providers filter out spam and other unwanted content. Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18.

Five national cyber-police-forces are investigating the attacks.  A group calling itself STOPhaus, an alliance of hactivists and cyber criminals is believed to responsible for bombarding Spamhaus with up to 300Gbps.

The attacks on Spamhaus illustrate a larger problem with the vulnerability of systems fundamental to the architecture of the Internet, the Domain Name Servers (DNS). The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers known as open recursive resolvers or open recursors to amplify a much smaller attack into a larger data flood.

Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim's network. According to CloudFlare, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack. There are as many as 25 million of these open recursive resolvers at the disposal of attackers

"In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor."

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. As long as it's not child porn and anything related to terrorism, CyberBunker will host it, including sending spam.  Spamhaus blacklisted CyberBunker earlier in the month.

However, the DDoS attacks have raised concerns that further escalations of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out to extort money from targeted organisations or as a weapon to disrupt organisations or companies in pursuit of ideological, political or personal interests.

Read More

World's Biggest Cyber Attack On The Spamhaus In The Internet History | .::APAJR::.

It has been called one of the biggest ever cyberattacks in history, one that nearly broke the internet. But did you even notice? If not, you're not alone ..







The headlines have been apocalyptic: "Global internet slows after biggest attack in history"; "Biggest ever cyberattack slows internet for millions"; "The attack that nearly broke the internet"; "Cyber attack jams crucial Clicksor advertisement.





So how was it for you?



According to a company called CloudFlare, which specialises in helping websites minimise the impact of online junk data attacks by effectively creating more targets and thus spreading the burden between them, this particular assault – by a Dutch hosting company, Cyberbunker, on a not-for-profit anti-spam organisation called Spamhaus – eventually escalated to cause "congestion across several major [top-level, backbone internet networks], primarily in Europe, that would have affected hundreds of millions of people ... "



Hence, presumably, the armageddon headlines. Except, as the tech website Gizmodo points out, not many people seem to have noticed: few have complained that the internet was more than usually sluggish; movie-streaming services such as Netflix  did not go down; mega net-enterprises such as Amazon reported nothing unusual; organisations that monitor the health of the web "showed zero evidence of this Dutch conflict  spilling over into our online backyards". Specialists contacted by the site reported that the attack, major as it was, had "a severe impact" on the websites it was directed at, but it certainly did not shake the internet to its core.



Gizmodo concludes the whole story was essentially a cynical bid by CloudFlare to drum up more business. James Blessing of the UK Internet service Providers Association council won't go quite that far, saying the attack "did have an impact. Some sites will be affected." But while the global internet, or parts of it, may potentially be vulnerable to a truly massive attack using the kind of DDoS (Distributed Denial of Service) techniques Cyberbunker has allegedly deployed, this one is probably not it. Yet. If you really want to slow down the internet, the best way may still be the simplest: Cut a cable.

Read More