Category Archives: Online Security

How to Prevent Your Facebook Account from Getting Hacked

While scams and phishing attacks are a serious concern, many Facebook users find it hard to recognize and avoid them. Attackers go after accounts by sending phishing mails and, once they have a foothold, steal personal information and other credentials such as credit card and bank details.

Attackers go about this in several ways. They comb through a user’s profile, gather the publicly available information and use it to craft convincing phishing emails that ask for protected data such as credit card numbers and bank details. Sometimes they plant malware that is downloaded onto your computer, often without your noticing, and harvests credentials such as email addresses and passwords.

That said, hacking an account is not as easy as pie; it takes a fair amount of knowledge. Here are four common methods used to target Facebook users’ accounts:

  • Phishing attacks
  • Keylogging programs
  • Password reset via mobile
  • Revealing saved Facebook passwords in web browsers

Phishing Attacks

Difficulty Level: Moderate

The term phishing means the fraudulent attempt to steal a person’s confidential information like username, password, bank account numbers, credit card number, and so on. It is one of the most commonly used and easiest methods to gain access to a user’s account.

When you go fishing, you obviously need to have some bait. Similarly, phishers send spoof emails pretending to be from the Facebook team. Typically the email will direct you to click on a URL, which will lead you to a fake webpage, and you will be asked to provide your private information.

The most common phishing attack involves a fake login page that looks exactly like the real Facebook login page. When a user tries to log in on it, the username and password typed in are sent to the attacker, who then has control of the account.

Here’s an attempt by a hacker that sent a fake security message –

Facebook Security Phishing Attack

From the screenshot you can see that the link offered to “verify your account” is fake. It points to http://shortlink.tk/gh/accountconfirm, which redirects on to http://apps_facebook_account_help_center.cast.cc. Neither host is facebook.com or a subdomain of it; the second merely has the word “facebook” in its name, and Facebook does not use short URLs for security-related notices. Clicking the link lands you on a fake “verification” page built to capture whatever you type. The check to make, before clicking anything, is to hover over the link (or follow the redirect chain with a tool) and look at the domain it finally resolves to.
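Here is a small link-triage function, added as an example for this post and not taken from Facebook or the original article, that applies the checks above to the two URLs from the screenshot. The redirect map standing in for the shortener’s HTTP redirect is constructed, and the rule that a genuine link must resolve to facebook.com (or a subdomain of it) is an assumption; the code runs offline.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the HTTP redirects a link checker would observe
# (normally learned from 301/302 responses); the two URLs are the ones
# quoted in the post above.
REDIRECTS = {
    "http://shortlink.tk/gh/accountconfirm":
        "http://apps_facebook_account_help_center.cast.cc",
}

# Assumption: a genuine Facebook security notice only ever links under this domain.
LEGITIMATE_DOMAINS = ("facebook.com",)


def host_under(host, domains):
    """True if host equals one of the domains or is a subdomain of it.
    The dot boundary matters: 'notfacebook.com' must not match 'facebook.com'."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def follow(url, redirects=REDIRECTS, max_hops=10):
    """Return the chain of URLs the link resolves through, starting with the link itself."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain


def classify_link(url, redirects=REDIRECTS):
    """Triage a link that claims to come from Facebook: 'ok', 'suspicious' or 'phishing'."""
    chain = follow(url, redirects)
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    legitimate = host_under(last.hostname, LEGITIMATE_DOMAINS)
    reasons = []
    if not legitimate:
        reasons.append("final host %r is not under facebook.com" % (last.hostname,))
        if "facebook" in (last.hostname or ""):
            reasons.append("'facebook' appears in the host name only to look legitimate")
    if len(chain) > 1:
        reasons.append("link passes through %d redirect(s), first via %s"
                       % (len(chain) - 1, first.hostname))
    if last.scheme != "https":
        reasons.append("final page is not served over https")
    if not reasons:
        return "ok", reasons
    return ("phishing" if not legitimate else "suspicious"), reasons


if __name__ == "__main__":
    for link in ("http://shortlink.tk/gh/accountconfirm",
                 "https://www.facebook.com/settings",
                 "https://www.facebook.com.evil.example/login"):
        verdict, why = classify_link(link)
        print(verdict, link, why)
```

The lookalike case in the usage block is the one people miss: www.facebook.com.evil.example contains “www.facebook.com” in full, but its registered domain is evil.example, which is why the check is a suffix match on the host and not a substring search.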

Please Read Facebook Security Network – Phishing Attack for complete details.

TimesofMoney/Remit2India Database Hacked Through SQL Injection – HDFC Bank Vulnerable Too

Update – August 4th 2011: TimesofMoney contacted us with an update saying that this breach does not exist and will be sending us a statement regarding the same shortly.

In this day and age of technology, it does not come as a surprise that websites are frequently hacked. Groups like Anonymous and Lulzsec have been creating havoc on the internet, however, there are other cases too where security teams hack several websites to show them how insecure they are.

One of the most common ways of hacking websites is SQL injection. Ironically, MySQL.com itself was hacked through an SQL injection attack a few months back.

Today, zSecure Team has found a vulnerability in a very popular digital payments site called TimesofMoney which provides online remittances, fortified domestic e-payment mechanisms and facilitated remittance solutions of banks. The company is behind products like Remit2India, DirecPay and Times Card.

The zSecure Team claims that there exists a critical SQL injection vulnerability in the TimesofMoney website through which an attacker can gain access to the site’s entire database, which holds a huge amount of confidential customer information.

This vulnerability could prove very costly for the company, because TimesofMoney is one of the leaders in e-payment systems in India. A critical flaw of this kind in its website may do serious damage to the company’s market reputation.

The group also claims that HDFC Bank’s Website is also vulnerable right now:

We discovered a similar vulnerability in HDFC Bank’s website as well and issued them a similar advisory. But even after a couple of weeks of sending our advisory to the bank, the said vulnerability is still open to outside attacks. If the said vulnerability doesn’t get fixed by the bank at the earliest, then our next post may disclose that concerned vulnerability publicly. We hope that both the companies (TimesofMoney and HDFC Bank) will take immediate actions to fix the reported vulnerabilities.

TimesofMoney currently has an SQL injection vulnerability of very high severity. The site runs Oracle Database 11g Enterprise Edition. According to the group, the flaw lets an attacker read the database and run a full database dump, and may also allow a shell to be uploaded.
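To show what “gain access to the site’s entire database” means in practice, here is an added example (not code from TimesofMoney or zSecure) of the bug class: a lookup that splices user input into the SQL text, beside its parameterized fix, exercised with two standard payloads. The schema and rows are constructed, and SQLite is used so the example runs anywhere; the site described above ran Oracle, where the same technique applies with Oracle-specific syntax.

```python
import sqlite3


def make_db():
    """Constructed sample schema; nothing here is TimesofMoney's real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT);
        INSERT INTO customers VALUES (1, 'alice@example.com', '1234');
        INSERT INTO customers VALUES (2, 'bob@example.com', '5678');
        CREATE TABLE admins (username TEXT, pw_hash TEXT);
        INSERT INTO admins VALUES ('root', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def lookup_vulnerable(conn, email):
    """The bug: user input is spliced into the SQL text, so quote characters
    in the input change the structure of the statement."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter is sent as data and never parsed as SQL."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads: a tautology that makes the WHERE clause always true and
# returns every customer row, and a UNION that pulls rows out of an unrelated
# table. The trailing '-- ' comments out the closing quote the application appends.
TAUTOLOGY = "nobody@example.com' OR '1'='1"
UNION_DUMP = "nobody@example.com' UNION SELECT 0, username, pw_hash FROM admins -- "


def demo():
    """Run both lookups against both payloads and return what each one leaks."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_DUMP),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_safe": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function returns both customer rows for the tautology and the admin credential row for the UNION payload; the parameterized version returns nothing for either, because the whole payload is compared literally against the email column. Escaping quotes by hand is not a substitute: bound parameters are the fix, and a database account with read-only access to the tables the page needs limits the damage when something slips through.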

The security team has also posted images about the hack, which can be viewed below.

TimesofMoney Hacked Database 1

TimesofMoney Hacked Database 2

TimesofMoney Hacked Database 3

TimesofMoney Hacked Database 4

The security team has said that no data has been dumped, but the fact that attackers can reach your financial information this easily is enough to make me cringe. I would suggest that you purge your information from the relevant sites until it is fixed. More information on the vulnerability can be found on the zSecure website.

Thanks for the tip Christopher

Using TimThumb on Your Website? Either Patch It Or Ditch It Right Now

If your WordPress theme uses the TimThumb library, or you call the TimThumb script directly from your site’s template, stop reading this article and remove the script right now. Your website is at serious risk: an attacker can get arbitrary PHP code written into TimThumb’s cache directory and have it executed there.

About TimThumb: TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While it can be used on any website, it is ideal for blogs and other sites that use templates and themes (self-hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit your blog template. Thumbnails, user profile pictures and signature images are typical places where the script is used. Although TimThumb has found a home in WordPress themes, it is by no means limited to them; it can be used on any website to resize almost any image.

Here is how the TimThumb script works under normal conditions:

You get the TimThumb script from Google Code, upload it to a directory on your web server, specify a cache directory and call the script from your template’s source. TimThumb accepts a lot of parameters; which ones you use depends on your site’s requirements and on how you want to scale internal and external images.

Once the script is in place, it works in the background and stores a copy of each processed image in the cache folder. So if you scale a really large image down to 100 x 100 with TimThumb, the resized 100 x 100 copy is saved in the cache folder, and that cached file is what your visitors are served.

And here is how the recent TimThumb vulnerability goes to work.

The cache directory is public and reachable by anyone visiting the site, so an attacker only needs a way to make TimThumb fetch a PHP file and drop it into that directory. The script’s allow-list for external image sources made that easy: it accepted any source URL whose host merely contained an allowed domain such as blogger.com, so a host like blogger.com.attacker.example (registered by the attacker) passed the check, and the “image” TimThumb fetched from it was really a PHP file. Since almost every web server is configured to execute any file ending in .php in any directory, the cache directory included, the attacker’s code then runs on your server.

Short of removing the script, the way to contain this is to change the cache directory’s configuration so that your web server refuses to execute .php files from it. The problem is that in WordPress installs and most other hosting setups the web server executes .php files from every directory, so you have to override that explicitly for the cache folder.

Mark Maunder discovered the problem when his own blog was hacked through this TimThumb exploit. The attacker had uploaded a file to the cache folder of Mark’s web server containing malicious code obfuscated with base64_decode. Suddenly ads were popping up on every page of his site; the results could have been far more alarming. Other common payloads are serving malicious content, redirecting visitors to a random website, loading advertisements, or putting up a fake login page for users.

How To Keep Your Website Safe From TimThumb’s Security Exploit

There are quite a number of ways you can avoid such situations on your website.

1. Don’t use the script at all: This is the best and recommended option for anyone who doesn’t know how to tweak the WordPress theme on his site. Ask your theme developer to remove the TimThumb script from the theme permanently, or find the files that call it yourself. Delete that code, and don’t forget to delete the TimThumb directory as well (be careful, and take a backup of your theme first).

2. TimThumb is not your only option: There are quite a number of alternatives to consider. For example, you can use jQuery plugins to resize internal images on your website in the browser.

3. Patch it: If you must use the TimThumb script, first update it to its latest version. Then open the timthumb.php file for editing, jump to line 27 and remove the entries from $allowedSites. The array should have no elements, so it looks like this:

//external domains that are allowed to be displayed on your website
$allowedSites = array();

timthumb-security-exploit

Save the file and upload it back. This disables timthumb.php’s ability to load images from external sites, so an attacker can no longer compromise your site by pointing it at a hostile “image”. Check that your theme does not rely on external images anywhere, because those will stop loading.

4. HTACCESS: Open up Notepad and dump the following code in it:

Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

Save the file as .htaccess (all lower case, with the leading dot; on a Linux server a file named .HTACCESS is simply ignored) and upload it to TimThumb’s cache folder. If you are using Notepad, choose “All Files” as the file type so it does not get saved as .htaccess.txt. The file maps PHP and other script extensions to Apache’s CGI handler and then switches CGI execution off, so anyone requesting such a file gets a 403 Forbidden instead of having it executed. Two caveats: it only works if your host lets .htaccess files override the Options and FileInfo directives (AllowOverride), and it only applies to Apache; on nginx or a PHP-FPM setup you need the equivalent rule in the server configuration. Verify it by putting a harmless test .php file in the cache folder, requesting it in a browser and confirming that you get a 403 rather than its output; then delete the test file.

5. Why not WordPress? WordPress already has a decent image-handling system, and there is a fair chance you don’t need TimThumb in the first place. WordPress’s approach is inherently safer: it generates its resized copies once, at upload time, stores them as plain image files alongside the original, and never fetches or writes files in response to a visitor’s request. And since WordPress ships security and feature updates regularly, that functionality stays patched as long as you keep WordPress itself up to date.
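To make steps 3 and 4 concrete, here is an added Python example; it is an illustration written for this article, not TimThumb’s code or Mark Maunder’s. It contrasts the host check that was being exploited, which passed any source URL whose host merely contained an allowed domain, with a proper suffix match, and adds a small audit that walks a theme directory and reports every copy of the script (themes often rename it, so it matches on content) whose $allowedSites array is still populated. The allowed-domain list and the two PHP files it writes into a temporary directory are constructed stand-ins.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Assumed allow-list, modelled on the kind of entries the shipped array held.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]


def allowed_substring(src, allowed=ALLOWED_SITES):
    """The flawed check: pass if the host merely *contains* an allowed domain,
    so blogger.com.attacker.example (which the attacker controls) gets through."""
    host = (urlsplit(src).hostname or "").lower()
    return any(site in host for site in allowed)


def allowed_host_suffix(src, allowed=ALLOWED_SITES):
    """The correct check: http(s) only, and the host must be the allowed domain
    itself or end with '.' followed by that domain."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == site or host.endswith("." + site) for site in allowed)


# Matches the $allowedSites array whether it is written on one line or many.
ALLOWED_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.S)


def find_timthumb(root):
    """Themes often rename timthumb.php (thumb.php is common), so match on content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            if "timthumb" in text.lower() or "$allowedSites" in text:
                hits.append(path)
    return sorted(hits)


def audit_timthumb(path):
    """Report whether a copy of the script still allows external fetches."""
    with open(path, encoding="utf-8", errors="replace") as f:
        m = ALLOWED_RE.search(f.read())
    if not m:
        return {"path": path, "allowed_sites": None, "external_allowed": None}
    sites = re.findall(r"""['"]([^'"]+)['"]""", m.group(1))
    return {"path": path, "allowed_sites": sites, "external_allowed": bool(sites)}


# Constructed stand-ins for an unpatched and a patched copy (not the real script).
UNPATCHED = """<?php
// constructed stand-in for an unpatched timthumb.php
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
);
"""
PATCHED = """<?php
// constructed stand-in for a timthumb.php patched as step 3 describes
$allowedSites = array();
"""


def demo():
    """Write the two samples under a temporary theme tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "theme-a"))
        os.makedirs(os.path.join(root, "theme-b"))
        with open(os.path.join(root, "theme-a", "thumb.php"), "w") as f:
            f.write(UNPATCHED)
        with open(os.path.join(root, "theme-b", "timthumb.php"), "w") as f:
            f.write(PATCHED)
        return {os.path.basename(r["path"]): r["external_allowed"]
                for r in (audit_timthumb(p) for p in find_timthumb(root))}


if __name__ == "__main__":
    evil = "http://blogger.com.attacker.example/evil.php"
    print("substring check lets it through:", allowed_substring(evil))
    print("suffix check rejects it:", not allowed_host_suffix(evil))
    print(demo())
```

Run find_timthumb against wp-content/themes on a real install and every copy with external_allowed set to True is one that still needs step 3; a copy reporting None has no recognisable array at all and should be read by hand.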

Ben Gillbanks, the developer of TimThumb is working on a fix and a more secured version of TimThumb should be released soon. [changelog is here]

Bonus tip: Unless you can read the code and know what it does, don’t use free WordPress themes from untrusted sources. A lot of them contain code hidden behind base64_decode in the source, which can hurt you in more ways than one.

AVG Premium Security Protects You against Identity Theft

AVG has launched a new product called AVG Premium Security, which boasts a unique Identity Alert component. Over the past few months we have witnessed numerous large-scale data thefts of varying severity. Although the Sony PSN hacking incident grabbed the limelight, there were numerous other small, but perhaps more damaging, incidents. A helpful netizen even created a service that can automatically alert you if your online identity is compromised.

AVG’s Identity Alert component also performs a similar function, but probably more thoroughly. AVG claims that it scours the web, including chatrooms, forums, and criminal webpages to check if your identity has been compromised by monitoring your e-mail address and debit and credit card numbers.

“When you combine the shocking security lapses we have seen out of very high profile and respected brands such as Sony, Epsilon and Citigroup in the past few months with the liability shift toward consumers, it is clear that identity theft protection tools are no longer a nice to have,” said J.R. Smith, CEO, AVG Technologies. “Banks and corporations are at an important tipping point, showing strong indications that they will no longer simply cover losses, expecting the online users to share equal responsibility in taking appropriate security measures that ultimately protect each other from malicious attacks.”

Besides the Identity Alert component, AVG Premium Security includes AVG Internet Security and AVG Quick Tune. Internet Security features anti-virus, anti-spyware, AVG Protective Cloud Technology, and the AVG Community Protection Network. Quick Tune is basically a stripped down version of AVG PC Tuneup. It offers disk defragmenter, junk file removal, registry cleaner, and broken shortcut remover.

With its new offering, AVG is hoping to compete with Kaspersky Pure, Norton 360 and other similar products. The Identity Alert module helps AVG differentiate itself from its competitors, and the suite itself is competitively priced at $69.99. However, it might also be an overkill for most users. In my humble opinion, as long as you take the basic precautions like not reusing passwords, a simple firewall and antivirus is likely to suffice.

Redditor Receives Phishing Email, Hacks the Scammer, and Reports Him

While surfing through Reddit this morning, I stumbled across an interesting submission from a Redditor going by the username “Tomble”. Apparently, Tomble received a standard PayPal phishing mail demanding personal information for “verification purposes”. However, unlike most of us, who would simply report it as a phishing attempt and be done with it, Tomble decided to do some snooping around.

Tomble noticed that the domain name had a structure similar to “http://www.example.net/~joe”, which suggested that the username for the domain’s control panel and FTP account was probably ‘joe’. He then tried his luck by assuming that the FTP address would match the domain name, and his guess turned out to be correct. He still didn’t know the FTP password; however, the domain indicated that this particular webspace was provided by an ISP. Hoping against hope that the webmaster hadn’t changed the default password, which is often just ‘password’, he tried ‘password’. Amazingly, it worked, and Tomble was in.

The website actually belonged to some clueless gentleman who probably had nothing to do with the scammer. The scammer had most likely broken into the server the same way Tomble did and planted a few PHP scripts to collect PayPal login details. Note that, however well intentioned, logging into a server you do not own is unauthorized access in most jurisdictions; the reporting steps that follow are the part worth copying.

Tomble found all of this information stored in a single text file. So far, three gullible PayPal users had fallen for this scam. He immediately notified the concerned ISP. However, he didn’t receive any immediate response. On the other hand, two more users had fallen victim within the next thirty minutes.

Tomble now decided to intervene. He made a few modifications to the phishing website (see screenshot below). All of the victims, with the exception of one guy from Thailand, had left their phone numbers for verification purposes. Tomble emailed the Thai guy, and called up the other four with the following helpful suggestion.

Hi, my name’s Tomble, this might sound weird but I received a scam email pretending to be from PayPal this morning. I was able to follow it back and discovered your contact information there. You should contact your bank and let them know your credit card has been compromised, so they can protect you from fraudulent charges.

Scammer-Gets-Scammed

While one of the victims was initially suspicious, all of them eventually realized that Tomble was one of the good guys. In one case, he had to leave a message with the wife of the victim, who will probably find himself in some minor domestic trouble due to his gullibility.

It’s unfortunate that even today people fall for phishing scams and Nigerian scams. Significantly, all of the victims were between the ages of 39 and 60. While the younger “cyber-generation” is by and large aware of the threats it faces online, many from the older generations still need to be educated. Do your bit today, and educate your parents and grandparents about online security. As our fine Australian friend Tomble has shown, a little effort can go a long way.

Find out if Your Account Was Compromised and Leaked in Recent Hacks

For the past month or so, a group called Lulzsec has been causing havoc on the internet. They have been hacking servers and leaking usernames and passwords on the internet.

Should I Change My Password

Earlier today, Groupon India was hacked too, although it is not known who was behind it. As a user, it is hard to find out whether your account has been compromised. A new website called "Should I Change My Password" lets you search the leaked databases to see whether your account is among them.

Also Read: Editorial: LulzSec, AntiSec and Why the Internet is a Sadder Place Now

All you need to do is enter the email address for your account and click the "Check it!" button. The site then searches the databases that hackers have released to the public and tells you whether your email address appears in any of them. Bear in mind that you are handing your address to a third party to do so, and that a “not found” result only covers the dumps the site has indexed.

Regardless of whether your email was leaked or not, I would add that you should update your password now. It takes only a few minutes, and you can easily create strong passwords yourself or use a tool to generate them.

(via LH)

MyPageKeeper Promises to Protect You from Facebook Scams

Facebook scams are beginning to become a real nuisance. Most of them don’t do much real damage, other than causing some embarrassment, but that doesn’t mean that they aren’t annoying. Most scams simply blast the same message that fooled you to all your friends, which helps them in going viral. Some of them might also ask you to fill surveys that profit the scammer. However, only a very few try to distribute malware or spread phishing campaigns.

What makes these scams so effective is the fact that they are fairly hard to spot. Most people implicitly trust anything posted on their wall by their friends. Moreover, it is often hard for people to resist clicking on links promising leaked videos of Bin Laden’s death or the last words of a recently dead celebrity. Facebook scams prey on people’s gullibility and curiosity to get the better of them.

A new Facebook app called MyPageKeeper promises to protect you from Facebook scams. It does so by monitoring your news feed, wall posts, and installed apps. It doesn’t say exactly how it detects a piece of content as spam, but it’s most likely that MyPageKeeper is simply database driven.

MyPageKeeper

Two Ph.D. students in computer science at the Bourns College of Engineering teamed up with StopTheHacker, a web protection service founded in 2009 by Anirban Banerjee, who received his Ph.D. in 2008 from UC Riverside, and Michalis Faloutsos, a professor of computer science and engineering at the university, to create MyPageKeeper.

“Facebook is the new web,” said Rahman. “It provides a fertile ground to spread malware, since users trust links and posts that are seemingly from their friends. Hackers have realized this, and they have started using it to distribute malware and conduct identity theft.”

MyPageKeeper is free to use, and getting started is as simple as installing the Facebook application. It’s designed to work automatically, and proactively. Once you enable it, you don’t need to tinker with it further. However, if you like to tinker with things, then there are a few options that you can tweak. You can specify how aggressive you want MyPageKeeper to be. Obviously, being more aggressive runs the risk of generating more false positives. You can also change how you want the app to notify you about malicious content spotted in your profile.

MyPageKeeper-Settings

Faloutsos, who has studied web security for 15 years, believes web security is following the same trajectory as desktop security. Ten years back, people weren’t serious about desktop security, but now almost everyone has an antimalware product installed on their system. Today, most people don’t realize the importance of staying cautious on the web, but in the coming years, Faloutsos believes, everyone will realize the importance of web security. “People are educated about e-mail spam,” says Faloutsos. “But now there is an implicit trust, almost validation, when someone sees a post from a friend on Facebook.”

You can install this Facebook application from MyPageKeeper.org.

[Hat tip to @sreeyesh for recommending this app]

Friending Unknown People on Facebook Could Lead to House Robberies

Social networking is no longer just a fad; it has gone well beyond that. We make friends with people on sites like Facebook and Twitter, yet we may not know most of them personally and may never have met them.

Facebook Scams

On one hand, Twitter is safer for anonymous or unknown friends, because your profile carries no information about your actual location unless you put it in your bio. Facebook, on the other hand, gives your friends detailed information about your location, home address, telephone numbers and more, depending on how you have set up your privacy settings.

Now, this information would be great if you want your friends to find you and visit you. However, it could also be used by thieves to visit your house and rob you.

Must Read: Read about Facebook Scams, How To Avoid Facebook Scams and Removing Unwanted Apps from Facebook.

According to the Daily Telegraph, a recent spate of burglaries in West Sussex, England, has been attributed to victims friending people they did not know on Facebook. The thieves befriend people on Facebook to find out when they are going away on vacation and then ransack their houses. Since it is summer, there are bound to be several hundred potential targets updating their Facebook page to tell everyone when and where they are going on vacation.

This information is then used by the thieves to rob the houses while the owners are away. Scary, right? Almost 12 houses have been burgled in the past four months, and it will keep happening to people who share such details without checking their privacy settings and who friend people they don’t know.

This is unlikely to stay limited to West Sussex, since Facebook makes it easy to find people from a particular location. Take the screenshot below, for example, which shows how easy it is to find people in a particular area using the search options.

Find Friends On Facebook using Location

If you publicly share  your location information, you will end up being shown in the search results and become a ripe target for the thieves who are looking to find an opportunity.  This information is not shared without user consent (well, you can argue about Facebook privacy settings). However, you can restrict it from being made available by changing your privacy settings.

In the end, it is up to you to know what information is being shared. If something untoward happens a website will simply show that you had an option to change everything but did not. In many cases, users are uneducated about such things. I will briefly touch upon how you can stay safe and avoid such things in the section below.

What Can You Do to Avoid Being Robbed and Stay Safe on Facebook?

Don’t Friend Unknown People

Facebook Mutual Friends

Don’t friend anonymous people. Facebook provides an easy way to see if you have mutual friends between the person asking to be your friend and yourself. Take a look at those mutual friends and see if you can make connections. If you can’t make connections or the connections don’t seem known to you, just ignore the friend request.

Update your Privacy Settings to Friends Only

Custom Facebook Settings

Facebook wants your information to be discoverable and they keep the privacy settings such that people other than your friends along with search engines can see it too. However, it is not necessary. Go to Accounts -> Privacy Settings and Customize your settings such that it is viewable only by your friends. At the most, make your name, school information and work information public. For the rest, let those strangers become your friends before they can view that information.

Please understand that you still have to follow the first step and not friend unknown people to keep your information private from strangers.

Selectively Update Sensitive Information to a Group of People

Facebook provides you an option to create groups of people. You can create groups and add select people to it. For example, you can create a Facebook Group which consists of your family and close friends who you personally know. You can then directly send your updates to that group instead of everyone.

Customize Facebook Update Recipients

Alternatively, Facebook also provides users to display their updates to a selective set of people. To do that, click on the lock icon under the status update box and click on Customize.

Customize Facebook Update Privacy

You can customize who can see the update and even specify a certain set of people to receive them. Alternatively, you can hide updates from a certain set of people too. Facebook also provides an option to make it your default setting so that you don’t have to change it all the time.

I find the option to select specific people a bit tedious. They do have an option to create a list of friends, however, it is just for the sake of it. It would be great if Facebook allowed you to share certain updates with a set of people included in a list rather than use groups, which is an annoyance at best.

Don’t Share Your Exact Address and Phone Numbers with Everyone (In Fact, with Anyone)

If someone needs to contact you or come to  your house, they will find a way to get in touch with you and get that information. In fact, Facebook has a private messaging system which could be used for that purpose. For security and other reasons, there is no need to make private and sensitive information publicly available unless you want people to come and visit you or call you often, including thieves.

Go ahead and make those changes to hide that information in your Privacy settings so that only your friends or preferably only you can see that information.

Inform Your Neighbors and Use Security Devices if You Are Going on Vacation

If you plan to be away for a long time, inform your neighbors and use security devices at home. Security systems are far cheaper than they were years ago, and fitting your house with one takes no more than a few days. It is a worthwhile investment and will let you enjoy your vacation in peace.

Last but not least: if you do not follow the steps above, you are the one to blame if something like this happens to you, because you cannot control the web. You can, however, control what information you share on social networking sites. Common sense can save you a whole lot of trouble. Stay safe on Facebook and elsewhere.

LulzSec Havoc: Change Your Important Passwords Before You Get Hit

The anonymous group (or perhaps single person) LulzSec is creating havoc, not just for companies like Sony but also for government organizations like the CIA and FBI. Most recently, the group’s targets have been ordinary individuals like you and me.

In today’s data dump, LulzSec uploaded 62,000 usernames and passwords. With that data, anyone could log in to your email, Facebook, Twitter and bank accounts and more. It is a huge privacy and security issue.

If you go through the Twitter feed of @LulzSec, you will see how the leaked passwords are being used. Some of those updates are really scary, take for example the one below where someone managed to destroy relationships over Facebook using those stolen accounts.

LulzSec Destruction

As you can see from the screenshot, several people have used those accounts to get into Xbox Live, PayPal, Facebook and Twitter accounts. Some even withdrew money from PayPal accounts and claimed to have ruined relationships. It is sickening.

Gizmodo has written an article on how to check whether your passwords were leaked, but don’t sit back just because you are not on the list. Regardless of whether your data was leaked, take 15-20 minutes today and update the passwords for your Facebook, Twitter and bank accounts, your email providers (Hotmail, Yahoo and others) and any other important services you use.

Create a new password for each of these services and, if at all possible, use a different password on every one of them. If you have trouble coming up with strong passwords, read our guides on how to create strong passwords or use a password generator.
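The two steps this post and the “Should I Change My Password” post above recommend, finding out whether your address is in a dump and then replacing the password on every service with a fresh, unique one, can both be done locally. The following is an added example, not the code of either site or of Gizmodo’s checker: it looks an address up in a constructed dump excerpt written in the mixed formats such leaks are posted in, then generates one random password per service from the operating system’s CSPRNG. The dump lines and the service list are constructed, and the 20-character length is an assumption.

```python
import math
import re
import secrets
import string

# Constructed excerpt of a credential dump in the mixed formats such leaks are
# posted in (email:password, email | password, csv, bare address).
# Every address and password here is made up.
DUMP_LINES = """
# constructed sample dump
Alice.Smith@Example.com:hunter2
bob@example.org | letmein
carol@example.net,qwerty123
dave@example.com
""".strip().splitlines()

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def emails_in_dump(lines):
    """Collect every address in the dump, lower-cased so lookups are case-insensitive."""
    found = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found.update(m.lower() for m in EMAIL_RE.findall(line))
    return found


def is_leaked(email, lines=DUMP_LINES):
    """True if the address appears anywhere in the dump (checked locally; nothing is uploaded)."""
    return email.strip().lower() in emails_in_dump(lines)


# Assumed character set: letters, digits and punctuation that sites rarely reject.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, retried until every character class is
    present so sites with 'must contain a digit' rules accept it."""
    if length < 4:
        raise ValueError("too short to contain every character class")
    punct = set(alphabet) - set(string.ascii_letters + string.digits)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in punct for c in pw)):
            return pw


def entropy_bits(length=20, alphabet=ALPHABET):
    """Guessing work for a uniformly random password of this length, in bits."""
    return length * math.log2(len(alphabet))


def rotation_plan(email, services, lines=DUMP_LINES):
    """One fresh, unrelated password per service whether or not the address was
    leaked; the 'leaked' flag only says how urgent the rotation is."""
    return {
        "email": email,
        "leaked": is_leaked(email, lines),
        "new_passwords": {service: generate_password() for service in services},
    }


if __name__ == "__main__":
    plan = rotation_plan("alice.smith@example.com", ["facebook", "twitter", "bank", "email"])
    print("leaked:", plan["leaked"], "| bits per password: %.0f" % entropy_bits())
    for service, pw in plan["new_passwords"].items():
        print(service, pw)
```

Twenty characters from this alphabet is roughly 128 bits, far beyond anything a password-cracking rig can enumerate, which is the point of generating rather than inventing passwords; the only practical way to keep a different one per service is a password manager, so store the output there rather than in a text file.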

You may use hundreds of services, but changing the passwords on a few key ones can spare you the trouble other people are going through right now. As a habit, use a different password for every service. If you rely on “log in with Twitter or Facebook” elsewhere, remember that that one account then becomes the key to all the others, so it needs the strongest and most unique password of all.

Kaspersky Antivirus 2012 and Internet Security 2012 Released

Kaspersky Lab has released the 2012 editions of its reputed anti-malware products, Kaspersky Antivirus and Kaspersky Internet Security. Kaspersky Antivirus is the base offering and provides file antivirus, web antivirus, cloud scanning and proactive defense. Kaspersky Internet Security offers more complete protection with several additional features such as a firewall, sandboxing and parental controls.

To be honest the biggest change in the new version is the new user interface, which is nothing short of stunning. There isn’t a lot of new stuff, mostly because Kaspersky products are already packed to the brim with features. However, there are several improvements.

Kaspersky-Antivirus-2012-Dashboard

The focus of this release is on offering hybrid protection that harnesses the power of the cloud along with the local database and heuristics based security technologies to reduce the average protection delivery time. Kaspersky’s cloud protection relies on the Kaspersky Security Network (KSN), which has been a part of Kaspersky’s offerings for quite some time now. However, in the latest editions of its products, Kaspersky has done a better job at highlighting the cloud integration. KSN currently has more than 30 million voluntary members from 213 countries, and is capable of tackling advanced threats like zero-day exploits, phishing and spam. It also includes a File Advisor and a URL Advisor, which provides ratings on the trustworthiness of files and websites respectively.

Kaspersky-Antivirus-2012

The proactive defense module has also been improved: the System Watcher module should be better than before at analyzing process activity and spotting malicious intent. Kaspersky also promises better performance and improved compatibility in this release.

Kaspersky-Antivirus-2012-Scan

As I mentioned earlier, the changelog is short and mostly unimpressive. However, Kaspersky is continuing its tradition of free upgrades for existing license holders: key your existing activation code into the trial version and your license is upgraded automatically. You can download free 30-day trial versions of Kaspersky Antivirus and Kaspersky Internet Security from here.