The Windows Club: Emsisoft Browser Security blocks malware and phishing attacks. “These two are dangerous. While one can turn your computer unusable, the latter can steal your account details along with your passwords. Emsisoft Browser Security is a new light-weight browser extension for Firefox and Chrome which can stop both of them.” Sounds promising, but I can’t get past the really broad permissions these kinds of extensions need.
The Register: Fake ‘U’s! Phishing creeps use homebrew fonts as message ciphers to evade filters. “Security house Proofpoint reports this week that miscreants hoping to steal login credentials from customers of ‘a major retail bank’ were able to hide their phishing emails from automatic detection tools by seemingly scrambling their messages into gibberish. Once rendered in an email client, the messages appear as coherent text, thanks to a custom font unscrambling the letters.”
The Next Web: Twitter let someone promote an obvious PayPal phishing scam. “Phishing scams are nothing new, but it’s certainly unusual to see them show up in your Twitter timeline as a promoted tweet. Nevertheless, earlier this evening, I came across this promoted post from the (since deleted) account @PaypalChristm.”
Mashable: Netflix subscribers targeted in (yet another) phishing scam. “Received a strange email, Netflix subscribers? Don’t fall for it, it’s likely a scam. Following similar scams in September and October 2017, the U.S. Federal Trade Commission (FTC) has issued a warning for a reported email phishing scam targeted at Netflix users.”
Mashable: Student health, discipline, and Social Security info exposed in massive school district hack. “San Diego Unified School District, the second largest school district in California, said more than 500,000 students and staff had their personal information accessed through a data breach. Through a phishing attack, an unauthorized user accessed data from as far back as the 2008-2009 school year. The hack also affected 50 district employees.”
Ars Technica: Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail. “A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.”
Krebs on Security: Phishing Your Employees 101. “A new open source toolkit makes it ridiculously simple to set up phishing Web sites and lures. The software was designed to help companies test the phishing awareness of their employees, but as with most security tools, this one could be abused by miscreants to launch malicious attacks.”