Nacha Gotcha
The target of the scam is therefore businesses, according to The Washington Post's Brian Krebs, who calls this scheme "The Nacha gotcha." In his "Security Fix" column Friday, Krebs wrote that the scam e-mails warn recipients of unauthorized or failed automated clearing house payments in an attempt to trick "people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line."
The e-mail contains a link to a "transaction report" that actually leads to a malicious program that can steal banking credentials and has already been used in several scams to drain businesses' bank accounts, Krebs wrote.
Most popular antivirus products would not flag the "report" as a piece of malicious software.
Hitting Twitter
An IBM security researcher in Turkey has made an attack on the social networking service Twitter to demonstrate a potentially dangerous weakness in online authentication systems.
The exploit by Anil Kurmus employs the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams using the Secure Sockets Layer protocol, PC World magazine reported Monday. The security hole has since been patched.
Client renegotiation gives a Web site such as Twitter a way to ask a user who is already signed on for an SSL certificate. It's useful for sites that let users log on using smart cards or for sites that restrict access to a select group of predefined Web surfers, PC World said, but until the flaw is fixed, client renegotiation also opens the door for SSL attacks.
But there has been some debate about the seriousness of the flaw. Shortly after the bug was made public, IBM researcher Tom Cross said that, for the most part, major Web applications would not be affected by the issue.
But Cross later changed his mind, writing: "Unfortunately, the situation is worse than I thought."
Webmail applications, in particular, may also be at risk from this attack. And security experts also worry that other applications — databases, for example — may be at risk, PC World said.
The flaw was discovered by a researcher from PhoneFactor, a provider of two-factor authentication services. Steve Dispensa, PhoneFactor's chief technology officer, wrote in an e-mail message: "This flaw violates one of the core guarantees made by SSL — namely, that an attacker with access to the data stream can't make any changes to the encrypted data. When such a guarantee is violated, it's difficult to predict the consequences. I fear this Twitter attack is just the first of what may be many to come."
New iPhone Hack
The first iPhone bug simply mocked its victims for their poor security — a newer version actually steals their data.
Both the innocuous bug, which was discovered a week and a half ago, and the malicious one target phones that have been "jailbroken" to run software that has not been approved by iPhone maker Apple Inc. Vulnerable phones must also run the SSH network protocol and still use their default password.