::Trend Micro Threat Resource Center::

30 March 2012

Scammers advertise Pinterest bots on Facebook

Internet scammers have launched a paid advertising campaign on Facebook targeting Pinterest fans, raising the level of investment and sophistication behind online social fraud, according to Bitdefender.

The ad, created by a web site promoting Pinterest bots, promises to show interested parties how to “make money with Pinterest”. This is an element of novelty as scammers actually seem to be taking money out of their pockets to make sure that their scams hit it big.

The paid advertising campaign can increase the efficiency of scams as the Facebook ad targeting mechanism allows you to “define your ideal audience by what they are interested in, using terms people have shared in their Facebook profiles (timelines). These may be drawn from their listed interests, activities, education and job titles, pages they like or groups to which they belong,” according to Facebook’s help centre.

The embedded link in the ad takes users to a web page that features a survey they are supposed to take in exchange for a Visa gift card and an e-mail address submission form for possible subscribers. While the “free gift card” method is reminiscent of a recent spam wave that hit the Pinterest platform, the bot-based money making mechanism advertised in the ad is very similar to the #followback scams on Twitter.

“Pinterest is one of the hottest social platforms of the moment, which would explain scammers’ malicious interest in its huge user base. The interesting thing about this scam is that it pays a twisted tribute to Facebook by targeting its users with ads,” said Catalin Cosoi, Chief Security Researcher at Bitdefender. “We should all be on the lookout for new, customized scam mechanisms.”

The Pinterest team indicated that the spam and money-making mechanisms violate the platform’s acceptable use policy in two areas: unsolicited advertising materials and use of the service for third parties’ benefit without Pinterest’s agreement. Pinterest recently updated its policies to eliminate a few unclear matters regarding ownership of pinned content and more general copyright issues.

“As a growing service, Pinterest is not immune to challenges faced by sites across the web including spam and phishing. However, it is a tremendous priority for us to quickly address them. Our engineers are actively working to manage issues as they arise and are revisiting the nature of public feeds on the site to make it harder for fake or harmful content to get into them”, stated Erica Billups from The OutCast Agency, on behalf of Pinterest.

28 March 2012

How much does a 0-day vulnerability cost?

The market for exploits for zero-day vulnerabilities has exploded in the last year, says Adriel Desautels, the founder of Netragard, a penetration testing and vulnerability assessment outfit that, among other things, acquires and develops exploits.

The number of buyers and the money they are willing to pay for working exploits has dramatically increased, and so has the number of exploits offered for sale each month, he says. Also, the purchase deals are made much more quickly than in the past.

Obviously, the whole economy around this "product" has matured.

As a legitimate company, Netragard must be very careful when selling its exploits. According to Desautels, the firm rejects the majority of those who want to buy them.

“Realistically, we’re selling cyberweaponry,” he points out, but does not share how the vetting process is performed or the price that specific exploits can reach.

It is very well known what some software vendors offer for them through their own bug bounty programs, as well as the prizes offered for working exploits to participants in hacking contests such as Pwn2Own and Pwnium.

These sums are considerably smaller than the ones that enterprising vulnerability researchers and hackers can earn if they choose to sell exploits to other organizations, and that is even after the intermediary's fee is taken out.

The Bangkok-based security researcher that goes by the handle “the Grugq” is one of these mediators. His contacts in various governments and knowledge of the matter at hand make him eminently suitable for brokering such deals.

He is also careful when choosing to whom to sell the offered exploits, and that's mostly US and European governments and agencies. Ethical considerations aside, they simply pay much more than a Middle Eastern or Asian government can offer.

The Chinese government doesn't need his services, he says, because its huge number of hackers usually sell their exploits exclusively and directly to them. He also says that he has no contacts in the Russian government, and that "selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money.”

So how much does a working exploit go for? Well, the price depends on a number of things.

An exploit for a vulnerability in a widely used piece of software costs more than one for a less popular program, and the same goes for exploits that take advantage of vulnerabilities in the latest software versions. Exploits for software that is harder to crack are also pricier.

Taking all this into consideration, it's easy to see that an exploit for Windows will be more expensive than one for breaking into a Mac OS X machine, and that the tougher security features of iOS will raise the price of its exploits above that for Android.

According to Andy Greenberg, the current rough price list looks like this:


"Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor," he says.

"Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit."

Even though they are considered unethical by some, these sales and acquisitions are sure to continue for the time being.

Demand creates supply and, according to the Grugq, banning the sale of exploits would have the same effect that the war on drugs has had on eliminating drugs - none.

24 March 2012

Call center employees are selling user information

Indian call center employees sell confidential data belonging to users for as little as $0.03, reports the Daily Mail.

According to the news outlet, reporters from The Sunday Times have gone undercover in India and have tried to discover if the information that call center employees have access to is in danger of being shared with marketers and crooks.

Unfortunately, the answer is yes, as two IT "consultants" were ready to meet and to offer for sale over 45 different sets of information on nearly 500,000 Britons.

Among the information contained in the data sets were names, addresses and phone numbers, credit and debit card information complete with the expiry dates and the three-digit security verification codes, information about loans and mortgages, mobile phone contracts, television subscriptions, medical records and more.

Most of the information comes from a number of major banks and financial organizations, and it's usually less than 72 hours old, which allows its buyers to take advantage of it easily.

"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number," boasted the "consultants" to the reporters, showing the records on a laptop.

The financial data is definitely a boon for cyber crooks, but the rest is a goldmine for marketers. Having that much insight into the personal lives of the users allows them or their clients to make their efforts at targeting users more successful.

According to the Daily Mail, some 330,000 people are employed in call centers in India, and it's logical to assume that these particular "consultants" are not the only ones selling. Although some British companies have already closed down the call centers they had in India and moved them to other countries, the problem is likely to remain.

As long as the theft can be executed without getting caught, there are always those who will try to get away with it, even in "rich" countries.

It seems to me that the answer to this problem is to make it as difficult as possible for employees to exfiltrate the data in the first place. Data leakage prevention solutions come to mind, as well as making it impossible for them to use removable data storage devices.

It is also important to put data security policies in place, and punish those who break them. Of course, none of these are foolproof solutions by themselves, but used together they can seriously lessen the risk of data being stolen.
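As an illustration of the content-inspection idea behind such data leakage prevention controls, here is a small Python scanner, added as an example and not taken from the article or from any vendor product, that flags and masks payment card numbers in outgoing records. Candidates are digit groups of 13 to 19 digits (optionally separated by spaces or dashes) that also pass the Luhn checksum, which is what keeps phone numbers and reference numbers from being flagged. The record lines are constructed samples in the style of the data sets described above, and the function names are my own.

```python
import re

# A run of 13-19 digits, allowing a single space or dash between digits,
# not preceded or followed by another digit. Adjacent digit groups separated
# only by a space or dash are treated as one candidate (a known limitation).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 from doubled values over 9, and the total
    must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(span: str) -> str:
    return re.sub(r"[ -]", "", span)


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number (digits only) found in the text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_of(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def _mask(m):
        digits = _digits_of(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return CANDIDATE_RE.sub(_mask, text)


def scan_records(records: list) -> list:
    """Return (record_index, [last four digits of each card]) for every record
    that carries a card number; this is what a DLP policy would alert on."""
    findings = []
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            findings.append((idx, [p[-4:] for p in pans]))
    return findings


# Constructed sample records (not real data). 4111111111111111 and
# 5555555555554444 are the well-known Visa/Mastercard test numbers.
SAMPLE_RECORDS = [
    "name=A. Example; card=4111 1111 1111 1111; exp=12/14; cvv=123",  # Luhn-valid PAN
    "name=B. Example; phone=+44 7700 900123; plan=mobile contract",   # digits, but no PAN
    "name=C. Example; card=1234-5678-9012-3456; exp=01/15",            # 16 digits, fails Luhn
    "name=D. Example; account=5555555555554444 mortgage ref 20120324", # Luhn-valid PAN
]

if __name__ == "__main__":
    for idx, last4 in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: card number(s) ending {last4}")
        print("  redacted:", redact(SAMPLE_RECORDS[idx]))
```

Run as a script it reports records 0 and 3 and prints their masked form; in a real deployment the same check would sit on the mail gateway, web proxy or endpoint agent and block or log the transfer rather than just print it. The Luhn test removes most accidental matches, but it is a checksum, not a proof, so a production policy usually combines it with context (a nearby expiry date or "cvv" field) before blocking.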

21 March 2012

Apple, Facebook and others named in privacy lawsuit

Thirteen individuals have filed a lawsuit against a number of app makers including Path, Facebook, Instagram, Yelp and Rovio, accusing them of uploading the information stored in their mobile phones' address book to their servers and using the appropriated data for their own ends, Venture Beat reports.

The suit, filed in U.S. District Court in Austin, Texas, is the result of last month's discovery by app developer Arun Thampi that the Path app copies the entire contents of the users' address books and sends them to the company servers without asking the users for permission or notifying them of it in any way. Path has subsequently admitted to doing it.

Further investigation into the matter revealed that other app developers have seemingly been doing the same thing, and Twitter has also confirmed the practice, explaining that the data is collected and stored only if the user takes advantage of the “Find Friends” feature because it scans the address book to search for individuals who also have a Twitter account.

Even though it was the app developers who violated Apple's privacy policies by distributing these apps through its App Store, the company has also been named as a defendant in the suit because it approved the apps and allowed them to be sold from its Store.

"Literally billions of contacts from the address books of tens of millions of unsuspecting wireless mobile device owners have now been accessed and stolen," claim the plaintiffs. "The surreptitious data uploads—occurring over both cellular networks and open, public wireless access nodes in homes, coffee shops, restaurants, bars, stores and businesses all across the nation—have, quite literally, turned the address book owners’ wireless mobile devices into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner’s address book data to the world."

As a result of the companies' wrongful actions and/or inaction, the plaintiffs say that they suffered damages and incurred many expenses, for which they want to be reimbursed. They accuse the companies of having invaded their privacy, having been negligent, having breached their devices, having earned money by using and selling things that don't belong to them, and more.

The plaintiffs asked for the suit to be allowed to gain class-action status, and their attorneys say that the list of defendants could also be expanded.