Sunday, June 18, 2006

Phishing scam uses PayPal secure servers


(InfoWorld) - A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers. Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers and credit card details, according to staff at Netcraft, an Internet services company in Bath, England. The PayPal site, owned by eBay, allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.

The attack works by tricking PayPal members into following a maliciously crafted link to a secure page on PayPal's site. Anyone thinking to check the site's security certificate at this point will see that it is a valid 256-bit certificate belonging to the site, Netcraft employee Paul Mutton wrote in the company's blog on Friday. However, the URL (uniform resource locator) exploits a flaw in PayPal's site that allows the fraudsters to inject some of their own code into the page that is returned, he wrote.

In this case, the result is a warning that the user's account may have been compromised, and that they "will now be redirected to Resolution Center." The page to which they are redirected asks for their PayPal account details -- but thanks to the cross-site scripting flaw in the PayPal site, and the data injected into the URL by the fraudsters, the page is no longer on the PayPal site. Instead, the page steals the log-in details and sends them to the fraudsters' server, then prompts the user for other personal information, Mutton said. The Web server harvesting the personal details is hosted in Korea, Mutton said.

The cross-site scripting technique makes the phishing attempt difficult to detect, said Mike Prettejohn, also of Netcraft. If the malicious link arrived by e-mail, then "there would be clues in the mail that it's not genuine," he said. "It's a technique chosen by fraudsters because it is hard to spot."

Although there could be benign uses of cross-site scripting to transfer data between sites, the technique has an inherent security risk, Prettejohn said. "I don't think people would intentionally use it," he said. "If somebody knows there's a cross-site scripting opportunity on their site, the right thing to do would be to fix it," he said.

Staff at PayPal could not immediately be reached for comment.
Source: www.infoworld.com
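
The flaw class the article describes, as an added example (not code from the article, Netcraft or PayPal): a hypothetical page that echoes a "msg" query parameter, rendered without and with HTML output encoding, plus a regression check for unencoded reflection. The host names, parameter name and template are constructed; note that the vulnerable response is still served by the genuine host, which is why its certificate stays valid.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical page template that echoes a "msg" query parameter (constructed).
TEMPLATE = "<html><body><p>Notice: {msg}</p></body></html>"

# Constructed request URLs; shop.example and collector.example are placeholders.
BENIGN_URL = "https://shop.example/notice?msg=Payment+received"
CRAFTED_URL = ("https://shop.example/notice?msg=%3Cscript%3Elocation%3D"
               "%27https%3A%2F%2Fcollector.example%2F%27%3C%2Fscript%3E")


def _param(url, name):
    """Return the first decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Reflects the parameter as-is: markup in the URL becomes markup in the page."""
    return TEMPLATE.format(msg=_param(url, "msg"))


def render_hardened(url):
    """HTML-encodes the parameter so the browser treats it as text only."""
    return TEMPLATE.format(msg=html.escape(_param(url, "msg"), quote=True))


def reflects_markup(url, body):
    """Regression check: does any query value carrying markup characters
    appear verbatim (unencoded) in the response body?"""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if any(ch in value for ch in "<>\"'") and value in body:
                return True
    return False


if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        print(reflects_markup(url, render_vulnerable(url)),
              reflects_markup(url, render_hardened(url)))
```

A check like reflects_markup can run in a test suite against every endpoint that echoes request data, so an unencoded reflection is caught before release.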

A Few Simple Steps to an Outlook Express Backup
Despite being one of the most, if not the most, commonly used e-mail clients, Outlook Express was designed for non-professional use and does not have any built-in backup. http://free-backup.info
Source: free-backup.info

Data Recovery: When You Think You've Lost Everything
If your computer has crashed and you think that there is no way that you will be able to restore your files, data recovery is the last resort. Even if you cannot access anything or even run your computer, all the data that made up your hard disk is s... http://free-backup.info
Source: free-backup.info

Using DivX Technology to Back Up Your DVDs
Most DVD players incorporate some kind of protection against playing backup copies of DVDs, as well as DVDs from other regions. However, what are you supposed to do if you want to make backup copies of your movies, but you do not have a DVD burner on ... http://free-backup.info
Source: free-backup.info

Computer Forensic: Seizing the Evidence
The computer forensic experts have to conform with many rules and regulations if the evidence they uncover is to be acceptable to the courts. The first step in obtaining computer forensic evidence is obtaining a search warrant to seize the suspect sy... http://free-backup.info
Source: free-backup.info

Sun joins OpenAJAX, Dojo Foundation
(InfoWorld) - Bolstering its AJAX (Asynchronous JavaScript and XML) efforts, Sun Microsystems is joining the OpenAJAX Alliance and the Dojo Foundation. In participating, Sun plans to help drive standards for AJAX programming and boost interoperability in AJAX technologies.

OpenAJAX features more than 30 member companies and organizations, including IBM, BEA Systems, and Oracle. Sun will collaborate with the organization as it pursues its goals, which include identifying best practices and reaching a consensus on programming models around a reference implementation for tools interoperability. Wider AJAX adoption also is a goal of OpenAJAX, which was formed in February.

Sun has not been part of OpenAJAX until now for two reasons, said Dan Roberts, Sun director of marketing for developer tools. It was approached by IBM but the invitation went to the wrong group at Sun, and Sun, upon learning of the new initiative, feared OpenAJAX was too skewed toward the Eclipse open source tools platform, which rivals Sun's own NetBeans initiative. "IBM did invite us, however, it didn't get to any of the groups that understood what OpenAJAX was," Roberts said. After discussing OpenAJAX with IBM and finding that the organization is not Eclipse-centric, Sun decided to join, Roberts said.

"What we want to do is ensure with the rest of the OpenAJAX Alliance that AJAX technologies are patent-free, royalty-free, and freely available to developers," Roberts said. Some AJAX technologies have not met these criteria, he said.

Sun already supports AJAX in its Sun Java Studio Creator tool and plans to offer more AJAX tools, with many of them to be offered via open source. Sun can generate revenues via AJAX through enabling deployment on Sun platforms such as the company's application server and portal. Sun also can sell training and support services, Roberts said.

The Dojo Foundation is a non-profit organization for JavaScript programming and features the Dojo Toolkit project, which is an open source JavaScript toolkit for Web development. Sun will contribute AJAX widgets to the toolkit, and it will help with internationalization and refinement of documentation. Sun AJAX Architect Greg Murray will be one of Sun's representatives with the foundation.

In joining the two AJAX groups, Sun with its new management team is demonstrating intentions to do more with JavaScript and look at scripting languages as full peers to Java, said James Governor, principal analyst at RedMonk. "[With the new management team in place], we're going to see a lot more that is not obsessed with Java," Governor said. Sun does not see AJAX as a rival to Java, Roberts said. Java and JavaScript coexist, according to Roberts. AJAX also needs standardization, and Sun's participation in these efforts makes sense, Governor said.

Sun also is announcing a preview of a plug-in for the NetBeans IDE to support the jMaki framework, an open source JavaScript framework for the Java platform. jMaki will help boost developer productivity, Sun said. Sun also recently launched two AJAX Web portals, at http://developers.sun.com/ajax and http://java.sun.com/javascript. Sun also is offering Sun BluePrints AJAX-enabled JavaServer Faces Components. The components function with Sun Java Studio Creator.
Source: www.infoworld.com

Using Windows Backup Software
The Backup programs in Windows 98 and Windows Me were originally created by Seagate Software, now Veritas. They are relatively simple but, not surprisingly considering their origin, work well with removable magnetic media such as tapes and floppy di... http://free-backup.info
Source: free-backup.info

Give Your Video Games an Extra Life: PS2 Backup
Everyone loves PS2, but everyone also knows how expensive the games are, but not everyone knows how cheap and easy it can be to back up your PS2 games. http://free-backup.info
Source: free-backup.info

Data Recovery from Various Media
Compared with a complex hard drive, data recovery from a floppy disc is quite straightforward. Floppy discs need to be robust to operate in a hostile environment of dirt, dust, and moisture. http://free-backup.info
Source: free-backup.info
