Cybercrime: one in 10 computers vulnerable to attack

July 23

The Telegraph discusses a new report which reveals that cybercriminals are attacking millions of computers every month – and infecting approximately 10%.

Cybercriminals are increasingly focussing on money, a new report suggests, and improved organisation means that “toolkits” have been developed to methodically infect PCs so that illegally obtained information can be bought and sold.

In a survey by security firm AVG, 165 internet domains were found to have attacked 12 million visitors over the course of two months. More than 1.2 million computers were subsequently infected.

The research looked at criminals using the so-called “Eleonore toolkit”, which aims to use malware contained on specially created websites to steal information such as credit card details, emails and national insurance numbers.

The software targets known vulnerabilities, primarily in older versions of Microsoft’s web browser. Internet Explorer 6 alone accounted for one-third of all infections. Apple’s Safari browser proved the most resistant to Eleonore attacks, allowing just 2.78 per cent of machines using it to be infected. Adobe Acrobat and Sun Javascript also accounted for a significant number of infections.

Criminal servers were typically hosted in the Ukraine, where more than a quarter were found, the Russian Federation and Kazakhstan. Hackers appeared to target the Russian Federation, too: 8,906,025 attacks were recorded, and 916,430 (10.3%) were successful. The United States and Britain attracted approximately half a million attacks each, which met with a similar level of success.

AVG encouraged users to ensure they were using security software to protect their computers.

Access the original article online at: http://www.telegraph.co.uk/technology/news/7904216/Cybercrime-one-in-10-computers-vulnerable-to-attack.html

Google acts to fix YouTube flaw exploited by hackers

July 6

The BBC reports on how YouTube has been forced to fix a flaw allowing hackers to bombard users with fake pop-up messages and redirect them to adult sites.

Hackers placed code in the comments section, under targeted videos, that would run when people watched the clip. In some cases, a pop-up screen appeared reporting that the Canadian singer, Justin Bieber, had died in a car crash.

Google, which owns YouTube, said that it had fixed the problem “about two hours” after it was discovered. “We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com,” a spokesperson said. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours.”

Cross-site scripting (XSS) vulnerabilities are relatively simple attacks that allow hackers to place code into web pages. In the YouTube incident, hackers used JavaScript code and HTML, both commonly used on web pages.

Security experts said that although in most cases the code was relatively benign, it has been used for more malicious purposes such as phishing, a common tactic used by cybercriminals that involves using fake websites to lure people into revealing details such as bank accounts or login names.

Google said it was “continuing to study the vulnerability to help prevent similar issues in the future”.

When the vulnerability was first reported, rumours suggested that YouTube was infected with a virus.

Access the original article online at: http://news.bbc.co.uk/1/hi/technology/10506150.stm

Hackers target Microsoft Windows XP support system

July 3

The BBC reports that hi-tech criminals are “escalating” attacks on an unpatched bug in the Windows XP help and support system. Microsoft said it had seen more than 10,000 machines hit by the attack that, so far, it has not found a fix for.

A Windows PC that falls victim will have control of the machine handed over to attackers. Microsoft said the attacks had gone from theoretical to real very quickly and urged users to take steps to protect themselves.

Microsoft revealed the upturn in attacks in a blog post saying that it had been monitoring activity around the loophole since it was first revealed on 10 June. Found by Google engineer Tavis Ormandy, the loophole revolves around the Help and Support system built into XP. Mr Ormandy found that it was possible to exploit its ability to give remote aid and apply fixes to ailing machines.

Initially, said Microsoft, it only saw “innocuous” attacks by researchers attempting to replicate what Mr Ormandy had found. Real exploits turned up on 15 June and these have been enthusiastically adopted by hi-tech criminals.

Writing on the Microsoft Security Centre blog, Holly Stewart said it had started seeing “seemingly-automated, randomly-generated” web pages that host the exploit. A variety of trojans, spam tools and viruses are being downloaded to compromised machines, she said.

Statistics gathered by Microsoft suggest Portugal was taking the brunt of the attacks but users in Russia and Croatia were also being hit. More than 10,000 machines had been hit at least once by the attack, it found.

To avoid falling victim, Microsoft advised users to turn off the part of the Help and Support system that is vulnerable. It has produced an automated tool that can do this for users.

“It is important to ensure that your security software is capable of identifying and blocking malicious websites,” said a security expert, “as you can be sure that the criminals behind this will be constantly updating their malicious files to try and avoid traditional security.”

Microsoft said it was working on a lasting fix for the loophole.

Access the original article online at: http://news.bbc.co.uk/1/hi/technology/10473495.stm

School boys arrested for online fraud

July 2

The Sun reports that two schoolboys have been arrested after police uncovered a huge web crime “forum”.

Details of more than 65,000 bank accounts hacked from personal computers worldwide were allegedly sold on an internet site, with at least £8 million emptied from the accounts.

And 8,000 crooked “customers” were also offered advice on how to use card details fraudulently to buy goods, wire cash and call sex phonelines.

The arrested pair, public schoolboy Nick Webber and comprehensive pupil Ryan Thomas, are thought to have met via a social networking site when they were 16. Police believe the hackers hatched a plot to break into computers with “malicious” programs.

The boys are thought to have made a fortune from the alleged scam. Webber, now 18, is seen wearing designer clothes and posing next to a huge Hummer car on his Facebook page.

The forum is said to have offered American account details for three US dollars, EU ones for $5 and UK ones for $7.

Webber, of Southsea, Hants, and Thomas, now 17, of Seer Green, Bucks, were held on suspicion of plotting to defraud and misusing computers. They are on bail.

Access the original article online at: http://www.thesun.co.uk/sol/homepage/news/3038172/Teens-held-as-65000-hacked-bank-details-allegedly-sold-on-net.html#ixzz0sW5jrqee

Britons receive more than 420,000 scam emails every hour

June 16

The Telegraph reports on how Britons receive more than 420,000 scam emails every hour. Every seven seconds someone is conned out of money – an average of £285 per person.

The study from life assistance company CPP estimated that people in the UK were targeted by 3.7 billion ‘phishing’ emails in the last 12 months.

More than half of the emails sent out were impersonating legitimate correspondence from high street banks. Recent industry figures show online banking fraud rose by 132 per cent in the last 12 months.

Nearly half (46%) of those surveyed were concerned that their card details could be used to make illegal online purchases. Con artists have also begun to exploit social networking sites and current defaults in privacy settings to target victims. Nearly one fifth of Brits have received phony Facebook messages claiming to be from friends or family.

A third are concerned their social networking account could be hacked.

Nicole Sanders, identity fraud expert at CPP said: “It seems that not a day goes by without a new case of online fraud hitting the headlines. But what’s concerning is that consumers are still falling victim. Fraudsters are becoming ever more skilled in their techniques and tactics. It can be extremely difficult to spot a legitimate email from a scam, so we advise caution at all times when online. And as social networking sites become increasingly popular, people need to continue to be mindful of what they post. Their identity is as valuable to a thief as a credit card, so protecting personal details is key.”

Robert Schifreen, a reformed computer hacker, advised: “Staying safe online is easy if you follow some basic precautions. Never type your credit card number, password, or any other confidential information into a web site unless its address begins with https and your browser displays the “closed padlock” symbol. These indicate that the site is safe and that your data is encrypted. Also, make sure your antivirus software subscription is up to date and that your computer is configured to automatically download protective software.”

Access the original article online at: http://www.telegraph.co.uk/technology/news/7831633/Britons-receive-more-than-420000-scam-emails-every-hour.html

Facebook users hit by another ‘clickjacking’ scam

June 15

The Telegraph reports that hackers are exploiting a vulnerability to update Facebook statuses without the permission of the profile owner, security experts warn.

Facebook users have been warned to look out for a new scam which hijacks their status updates and sends spam messages to all of their friends on the social-networking website.

To date, hundreds of thousands of users have fallen victim to the “clickjacking” or “likejacking” scam. Users are tricked into clicking a link in their News Feed labelled “101 hottest women in the world”.

The link takes the user through to a webpage showing a picture of Hollywood actress Jessica Alba, and, whenever they click their mouse on that page, an update will automatically be posted to their Facebook profile telling their friends that they “like” that story, and thereby encouraging other people to click on the link.

It has been reported that “clickjackers” are creating these worms in order to make money. The site at the centre of the most recent scam is part of the CPALead advertising network, a security expert said, and every hijacked click helps to generate revenue for the people behind the scam.

“Facebook really needs to grab this problem by the horns, as it is increasingly being struck by clickjacking worms,” said a security expert. “The social network should tighten up the way it handles the ‘liking’ of external web pages before it is more widely abused by malicious hackers and spammers.”

He advised Facebook users who feared they may have fallen victim to the scam to check their News Feed for suspicious recent activity, and to delete any entries that contained a link through to the “101 hottest women in the world” website. “You may also be wise to warn your friends if they might have followed your lead and also clicked on the page,” he said.

Access the original article online at: http://www.telegraph.co.uk/technology/facebook/7827530/Facebook-users-hit-by-clickjacking-scam.html

Thousands of iPad users have email addresses exposed in hacking attack

June 10

The Daily Mail reports that the email addresses of more than 114,000 Apple iPad users have been exposed in a targeted hacking attack in the US. The massive security breach leaves all of those affected open to spam and malicious hacking.

The vulnerability affected only iPad users who signed up for AT&T’s 3G wireless internet service. A hacker group that calls itself Goatse Security claims to have discovered the weakness by tricking AT&T’s site into giving up the email addresses.

iPad users in the UK will not have been exposed as the breach was an issue with AT&T’s security procedures rather than with Apple itself.

AT&T admitted today that a security weak spot involved an insecure way its website would prompt users when they tried to log into their AT&T accounts through their iPad. The site would supply users’ email addresses to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads.

White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg were among those listed. The emails of CEOs and executives of companies like The New York Times, Time Inc. and Dow Jones as well as senior military personnel were also compromised. The list was passed to Gawker’s Valleywag technology website.

Gawker is part of the same group as Gizmodo, which has been in a running battle with Apple over the past few months after it picked up a prototype iPhone 4 which had been left in a bar by a member of Apple’s staff. A representative for the Goatse group said today they had contacted AT&T and waited until the vulnerability was fixed before going public with the information.

Even though only email addresses have been exposed, they can still be used to launch an attack. Criminals could use that knowledge to trick the affected users into opening emails that plant malicious software on their computers. Apple refused to comment on the breach.

The iPad comes in two different set-ups – one that only connects to the internet via wi-fi, and another that also can connect through AT&T’s 3G network. The wi-fi-only models are not affected by the breach.

Access the original article online at: http://www.dailymail.co.uk/sciencetech/article-1285505/Apple-iPad-security-breach-114-000-email-addresses-exposed.html#ixzz0qSk8ykY8

Even children and teenagers aren’t safe from phishing attacks

June 2

Police in Finland are investigating 400 cases of online theft in the virtual world of Habbo Hotel, a chat site popular with children and teenagers.

Habbo Hotel allows its members to use real money to buy virtual goods online, such as furniture. However, members have reported that they have had up to £840 worth of virtual items stolen by cyber criminals.

Sulake, the Finnish company that owns Habbo Hotel, has reported that several hundred users have been targeted. The online thieves targeted members with fake web pages that captured their usernames and passwords.

This is not the first time Habbo Hotel has been targeted. In 2007, a Dutch teenager was also arrested for allegedly stealing virtual furniture worth thousands of euros on the site.

Unfortunately, it seems that online games and virtual worlds are becoming an increasingly popular target for hackers and cyber criminals. World of Warcraft and Facebook’s Farmville game have also been subject to malware and Trojans that attempt to steal user information.

Anyone using Habbo Hotel or similar sites should be aware of these scams and not enter their login details on any pages other than the site itself.

Facebook in discussion with CEOP to install ‘panic button’.

May 28

Facebook confirmed today it is in discussions with the Child Exploitation & Online Protection Centre (CEOP) to install a ‘panic button’ application on the site. Richard Allan, Facebook’s director of public policy for Europe, told Sky News, “We have continued talking to CEOP and are working very closely with them on a Facebook application that allows Facebook users, when they have concerns, to connect with CEOP.”

The social networking site had previously turned down calls by CEOP to add “panic buttons” to its pages, despite public concern following the conviction of serial rapist Peter Chapman who, posing as a young boy, used the site to meet 17-year-old Ashleigh Hall and lure her to her death in October last year.

Initially, Facebook claimed it had its own “safety net” to ensure its users were secure online. However, it now appears that the site has backed down. “We have been in dialogue with Facebook for some time,” a spokesperson for CEOP told Sky News Online. “Obviously we cannot confirm progress until we have an agreement in place with Facebook, but we are continuing to work with them.”

Facebook also confirmed its willingness to co-operate with CEOP, stating “We have had a number of constructive meetings and are working on a range of innovative approaches that will help educate and raise awareness of how to keep safe online.”

Read more about CEOP here: http://www.ceop.gov.uk/

Hacker ‘selling 1.5 million stolen Facebook users’ login details on the black market’

May 5

The Daily Mail reports that a hacker has put 1.5 million stolen Facebook accounts up for sale on the black market, an internet security firm has claimed. Researchers at VeriSign’s iDefense Labs said they had found the stolen or bogus accounts on a Russian forum called Carder.su.

A hacker called ‘kirllos’ was offering log-in data of thousands of Facebook users at bargain basement prices. Bundles of 1,000 accounts with 10 or fewer friends were on sale for just $25 while accounts with more than 10 friends could be bought for $45.

Rick Howard, director of iDefense, said the case points to a boom in the illegal trading of social networking accounts from Eastern Europe to the U.S. Criminals typically steal data with ‘phishing’ techniques that trick users into giving out their passwords, or with malware that logs computer keystrokes.

The accounts can then be hijacked to send spam and malicious programs. Personal information including birth dates, addresses and phone numbers can be used to commit identity fraud. However, Facebook has poured scorn on the latest claims, saying ‘kirllos’ was known to investigators for making wild claims.

Company spokesman Barry Schnitt said Facebook had tried to buy details from kirllos during its own investigation but that, ‘the hacker was unable to produce anything for our buyer.’

He pointedly told The New York Times: ‘We would expect iDefense or anyone presenting themselves as a security expert to do this kind of verification (or any verification) rather than just reading a forum post and accepting the claims as fact and publicising them.’

Facebook has a security team that monitors the social networking site for suspicious activity, such as many friend requests in a short period of time and high rates of friend requests that are ignored.

Users who fear their account has been hacked can also report the matter through the Help Centre.