This document provides a summary of website security threats from February 2014. It discusses the following key points:
- Malware tactics are evolving, with the return of the Redkit exploit toolkit and the emergence of fake browser update sites designed to trick users into downloading malware.
- Mobile applications are still not as secure as they should be, with many banking apps found to be vulnerable to man-in-the-middle attacks and data leakage issues reported for other popular apps.
- Social media continues to be exploited through scams on platforms like Snapchat, WhatsApp, and fake celebrity death notices.
- Some good news includes the arrest of a notorious hacker, and more services like Yahoo enabling encryption
Human Factors of XR: Using Human Factors to Design XR Systems
Symantec Website Security Threats: February 2014 Update.
1. WEBSITE SECURITY THREATS:
FEBRUARY 2014 UPDATE
Thursday 13th February 2014
Andrew Horbury
Andrew Shepherd
Product Marketing Manager
EMEA Marketing Manager
andy_horbury@symantec.com
andrew_shepherd@symantec.com
Website Security Threats: February 2014 Update
2. Agenda
1
Month in Numbers
2
Malware tactics: Redkit, Fake Browsers
3
Mobile Applications
4
Social Media Scams
5
Stranger than fiction
6
Good news
Website Security Threats: February 2014 Update
3. The month in numbers
• 82% of enterprise Mac users not getting security
updates
• 16 million online accounts in Germany
compromised
• 20 million credit card details stolen in South Korea
• UK government: “Half of UK people are not
protecting themselves online”
• Attackers steal personal details from 800,000
Orange customers
• Eleven US high school students expelled for hacking
teacher accounts, and augmenting their grades
• Around 45 retailers affected by POS malware.
Website Security Threats: February 2014 Update
4. Malware and toolkits – Redkit, Fake Browser, FedEx
• After an absence of 18 months
Redkit exploit toolkit returns
after Blackhole’s author
(Paunch’s) arrest
• Phony FedEx: malicious email
campaign that impersonates
FedEx targets unsuspecting
home and business users
• Chrime or Chrome? Fake
browser update sites aims to
trick users into download
malware posing as a browser
update.
Website Security Threats: February 2014 Update
5. Mobile Applications not quite as secure as you would
hope
• Issues with global banking
apps
– 4 in 10 banking apps,
vulnerable to man in the
middle attacks because they
don’t validate server SSL
certificates
– 90 percent of analysed apps
contain several unencrypted
links which could potentially
let an attacker intercept
traffic and inject code to
display fake login screens to
the user.
• Its not just the banks…
– Starbucks have updated their app
after data leakage reported
Website Security Threats: February 2014 Update
6. Social Media Scams – RIP, SnapChat, WhatsApp
• RIP Scams continue to work and work
– The online list of alive ‘dead’ celebs continues
to grow
– Linking to malicious, apps, sites and phony
surveys
• SnapChat Spam
– Spam uses sexually suggestive images and
compromised short URLs
• WhatsApp being used to spread malware
– messages claim that
WhatsApp for PC is
available & that the
recipient has 11 pending
invitations from friends.
Website Security Threats: February 2014 Update
7. Stranger than fiction
• Thanks but no thanks! Teenager reported
to the police for finding website
vulnerability
• Its that time again…. Academics discover
the prefect time for cyber attacks
• Who’s to blame for security problems?
Surveys say….you, me them, us…
EVERYONE
Website Security Threats: February 2014 Update
8. Stranger than fiction part two
Live from the security HQ at the Superbowl
#oops
Website Security Threats: February 2014 Update
9. Good News
• The fridge comes back in from the
cold….
– Spamming fridge is not quite what it seems
• Guccifer the celebrity hating hacker
arrested
– Leaker of Downton Abbey and Sex and City
scripts finally shut down
• Yahoo defaults to AOSSL
• Yahoo enables https encryption by default
and more services being added all the
time
• Tumblr activated SSL this past week
Website Security Threats: February 2014 Update
10. Link glossary
• POS attacks http://bit.ly/1aTXsfe
• Fake Browsers:
– http://bit.ly/1eThlCQ
– http://bit.ly/1iO7YVN
• Redkit http://bit.ly/1dHcwYs
• SnapChat http://bit.ly/LTYY5q
• WhatsApp http://bit.ly/1gsYXze
• Yahoo and SSL http://tnw.co/1bo9Ncc
• Symantec Intelligence Report December 2013 http://bit.ly/1fYlxzb
• Symantec IOT blog http://bit.ly/1hb4aAy
• Rest In Peace Scams http://bit.ly/1ntvUOm
• Slides available to download on SlideShare http://slidesha.re/1j2jxIi
Website Security Threats: February 2014 Update