Friday, August 8, 2014

Hold Security's Sales Stunt with Russian Gangsters?

Cyber Crime at Large
Are you safe? Probably! But is your data safe? Probably not! Hold Security has discovered 500 million unique usernames and passwords that were stolen by a Russian gang and are probably being misused right now. According to the official statement, the details were extracted from websites using a network of compromised computers known as a botnet.

Your bank account details, passwords, social security details, PAN details... might not be safe!
So I ask again... ARE YOU SAFE?

This could very well be a sales stunt by Hold Security, especially since the company has been courteous enough to let people know whether they have been victims of this scheme - at a nominal charge of $120. Following up on this, Graham Cluley did some further digging and found that the news was perfectly timed with the security conferences going on in Las Vegas.

Firstly, the company's claims are not verified. Secondly, to verify these details, the company wants people to give it their passwords so that it can compare them with the database it has "discovered". Isn't this the firm that just warned the world about a huge number of stolen credentials? And here it is coaxing users to behave in a way that is clearly unsafe.

“It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm,” reports Forbes.

This sounds almost childish. It is easier for people to just change their passwords anyway. Here is a screen grab of the funny little form that users are supposed to fill in:

http://grahamcluley.com/2014/08/cybervor-pay/


Here are the 'Easy to Understand' risks involved:
  • Imagine your computer has keylogging malware running in the background. This means software is recording every key you press on your keyboard, including passwords for everything from your FB account to your bank account. Wouldn't this form give hackers a free pass to scoop up the victim's details easily?
  • What if someone registers a lookalike name for this page or creates an identical copy of it, specifically with the intention of nabbing users' passwords? This is not unusual or unheard of. Most such attempts target banking websites and Facebook, so please check the browser address bar before entering login details.
  • More importantly, no one should ever encourage users to enter passwords for website X into an entirely different website, for whatever reason.


Also, another important fact: "if this is true", most Indians need not worry, as this is only with banks having servers abroad. :) Actually, I wonder if Indians aren't interested in such crazy data capturing, or are we just too smart to get caught?

-@vaimasters aka vaibhav k.
