GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea. Adobe said it plans to patch this zero-day on Monday, February 5.

36-year-old Fraser Thompson is going to prison, according to Reuters, after receiving a five-year sentence for "defrauding" cellphone customers out of millions of dollars. An anonymous reader quotes Reuters: Prosecutors said Thompson engaged in a scheme to sign up hundreds of thousands of cellphone customers for paid text messaging services without their consent. The customers were subsequently forced to pay more than $100 million for unsolicited text messages that included trivia, horoscopes and celebrity gossip, according to the prosecutors. They said the scheme was headed by Darcy Wedd, Mobile Messenger's former chief executive, who was found guilty by a jury in December but has not yet been sentenced. "They ripped off everyday cellphone users, $10 a month, netting over $100 million in illegal profits, of which Thompson personally received over $1.5 million," Manhattan U.S. Attorney Geoffrey S. Berman said in a statement.
Thompson was ordered to forfeit $1.5 million in "fraud proceeds," according to the article, and was convicted of conspiracy, wire fraud, identity theft and money laundering.

Seven other people also pleaded guilty to participating in the scam -- and one has already been sentenced to 33 months in prison.

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.
They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately."

MojoKid writes: You have probably at some point been contacted via email spam by someone claiming you are the beneficiary in a will of a Nigerian prince. As the scam goes, all you have to do is submit your personal information and Western Union some funds to process the necessary paperwork, and in return you will receive millions of dollars. One of the people behind the popular scam, Michael Neu, has been arrested by police in Slidell, Louisiana.

This may come as a shocker, but Neu is not a prince, nor is he Nigerian. He is a 67-year-old male possibly of German descent (based on his last name) who is facing 269 counts of wire fraud and money laundering for his alleged role as a middle man in the scheme. According to Slidell police, some of the money obtained by Neu was wired to co-conspirators who do actually live in Nigera.

An anonymous reader quotes a report from Ars Technica: Twenty years ago this week, on December 29, 1997, Bill Gates bought Microsoft a $450 million late Christmas present: a Sunnyvale-based outfit called Hotmail. With the buy -- the largest all-cash Internet startup purchase of its day -- Microsoft plunged into the nascent world of Web-based email. Originally launched in 1996 by Jack Smith and Sabeer Bhatia as "HoTMaiL" (referencing HTML, the language of the World Wide Web), Hotmail was initially folded into Microsoft's MSN online service. Mistakes were made. Many dollars were spent. Branding was changed. Spam became legion. Many, many horrendous email signatures were spawned. But over the years that followed, Hotmail would set the course for all the Web-based email offerings that followed, launching the era of mass-consumer free email services. Along the way, Hotmail drove changes in Windows itself (particularly in what would become Windows Server) that would lay the groundwork for the operating system to make its push into the data center. And the email service would be Microsoft's first step toward what is now the Azure cloud.

Former Microsoft executive Marco DeMello, now CEO of mobile security firm PSafe Technology, was handed the job of managing the integration of Hotmail as the lead program manager for MSN -- Microsoft's own answer to America Online. In an interview with Ars, DeMello -- who would go on to be director of Windows security and product manager for Exchange before leaving Microsoft in 2006 -- recounted how, right after he was hired in October of 1996 to manage MSN, he was summoned to Redmond for a meeting with Bill Gates. "He gave me and my team the mission of basically finding or creating a system for free Web-based email for the whole world that Microsoft would offer," DeMello said.

An anonymous reader shares a Wired report: Algorithms, unlike humans, are susceptible to a specific type of problem called an "adversarial example." These are specially designed optical illusions that fool computers into doing things like mistake a picture of a panda for one of a gibbon. They can be images, sounds, or paragraphs of text. Think of them as hallucinations for algorithms. While a panda-gibbon mix-up may seem low stakes, an adversarial example could thwart the AI system that controls a self-driving car, for instance, causing it to mistake a stop sign for a speed limit one. They've already been used to beat other kinds of algorithms, like spam filters. Those adversarial examples are also much easier to create than was previously understood, according to research released Wednesday from MIT's Computer Science and Artificial Intelligence Laboratory. And not just under controlled conditions; the team reliably fooled Google's Cloud Vision API, a machine learning algorithm used in the real world today. For example, in November another team at MIT (with many of the same researchers) published a study demonstrating how Google's InceptionV3 image classifier could be duped into thinking that a 3-D-printed turtle was a rifle. In fact, researchers could manipulate the AI into thinking the turtle was any object they wanted.

Facebook is cracking down on a new type of clickbait: Posts that ask people to "Like" or share or comment to goose engagement numbers, what Facebook is calling "engagement bait." Their solution? Demote the posts considered to be "engagement bait." Recode reports: Facebook has decided it doesn't like publishers gaming the system this way, and claims users don't like it either."People have told us that they dislike spammy posts on Facebook that goad them into interacting with likes, shares, comments, and other actions," the company wrote on its blog. So starting Monday, posts that Facebook considers to be engagement bait will be pushed down in News Feed. Beginning in a few weeks, publishers and Pages that continue to utilize this tactic will see their reach diminished for all of their posts.

An anonymous reader writes: As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware. DDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened. DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

The December Patch Tuesday disables DDE only in Word, but not Excel or Outlook. The reason is that several cybercrime and spam groups have jumped on this technique, which is much more effective at running malicious code when compared to macros or OLE objects, as it requires minimal interaction with a UI popup that many users do not associate with malware. For Outlook and Excel, Microsoft has published instructions on how users can disable DDE on their own, if they don't want this feature enabled.

"Google's annual list of the most popular searches is here, offering a peek into what people are really thinking about," writes CNN. An anonymous reader quotes their report: This year, you wanted to know more about one of the most powerful storms on record, the devastating Hurricane Irma. But you were also curious about [hip hop artist] Cardi B. and Unicorn Frappuccinos... Like 2017 itself, this year's top searches skew a little darker than usual, but are punctuated with some whimsy and positive moments. The top trending searches in the U.S. were Irma, Matt Lauer, Tom Petty, the Super Bowl and the Las Vegas shooting.

To determine the most popular trending searches, Google looked at its trillions of queries, filtered out spam and repeats, and identified searches that had the highest uptick in traffic compared with the previous year. It breaks them into categories like news, memes, and recipes (beef stroganoff was a hit).
Surprisingly there were more searches for 'iPhone 8" than for 'iPhone X," though those were the top two most-searched consumer technology products. (Followed by Nintendo Switch, Samsung Galaxy S8, and Xbox One X.) Other top searches this year included "What is net neutrality?" as well as questions about what bitcoin is, how to buy it, and the latest bitcoin prices. And one of the 10 most-searched phrases of the year was "fidget spinner."

Google uploaded an inspiring video to YouTube stating "This year more than ever we asked how." To dramatic music, the examples it gives include "How to calm a dog during a storm," "How to help Puerto Rico," "How to make a protest sign" -- and "How to move forward."

Tech support scammers have been aggressively posting on Spotify forums to inject their phone numbers in a bid to vastly improve their odds of showing up on Google and Bing search results, a new report claims. And that bet seems to be working. From the report: They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google. While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software. BleepingComputer was alerted to this problem by security researcher Cody Johnston who started to see an alarming amount of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.

AmiMoJo quotes The Verge: It's no secret that YouTube's algorithm for automatically flagging videos can be troublesome -- recent issues have seen content creators getting their videos demonetized for seemingly no reason -- but Google's latest faux pas might hit the company a little closer to home. Google posted an ad for its new Chromebook Pixel that is getting flagged as spam... It's particularly telling about whatever is happening with YouTube's algorithm that even official Google content is getting removed "for violating YouTube's policy on spam, deceptive practices, and scams."

Jeff Kao from Hacker Noon used natural language processing techniques to analyze net neutrality comments submitted to the FCC from April-October 2017 and found that at least 1.3 million pro-repeal net neutrality comments were faked. From the report: NY Attorney General Schneiderman estimated that hundreds of thousands of Americans' identities were stolen and used in spam campaigns that support repealing net neutrality. My research found at least 1.3 million fake pro-repeal comments, with suspicions about many more. In fact, the sum of fake pro-repeal comments in the proceeding may number in the millions. In this post, I will point out one particularly egregious spambot submission, make the case that there are likely many more pro-repeal spambots yet to be confirmed, and estimate the public position on net neutrality in the "organic" public submissions. [The key findings include:]

1. One pro-repeal spam campaign used mail-merge to disguise 1.3 million comments as unique grassroots submissions.
2. There were likely multiple other campaigns aimed at injecting what may total several million pro-repeal comments into the system.
3. It's highly likely that more than 99% of the truly unique comments were in favor of keeping net neutrality.

An anonymous reader quotes a report from The Verge: The FCC received a record-breaking 22 million comments chiming in on the net neutrality debate, but from the sound of it, it's ignoring the vast majority of them. In a call with reporters yesterday discussing its plan to end net neutrality, a senior FCC official said that 7.5 million of those comments were the exact same letter, which was submitted using 45,000 fake email addresses. But even ignoring the potential spam, the commission said it didn't really care about the public's opinion on net neutrality unless it was phrased in unique legal terms. The vast majority of the 22 million comments were form letters, the official said, and unless those letters introduced new facts into the record or made serious legal arguments, they didn't have much bearing on the decision. The commission didn't care about comments that were only stating opinion. The FCC has been clear all year that it's focused on "quality" over "quantity" when it comes to comments on net neutrality. In fairness to the commission, this isn't an open vote. It's a deliberative process that weighs a lot of different factors to create policy that balances the interests of many stakeholders. But it still feels brazen hearing the commission staff repeatedly discount Americans' preference for consumer protections, simply because they aren't phrased in legal terms.

Jon Christian, writing for The Outline: For a while, spam -- unsolicited bulk messages sent for commercial or fraudulent purposes -- seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender's identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that "two years from now, spam will be solved." In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech savvy law enforcement efforts were shutting down major spam operators -- including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world's spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.

But it's 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven't helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls.

An anonymous reader shares a report: Phone companies will have greater authority to block questionable calls from reaching customers as regulators adopted new rules to combat automated messages known as robocalls. Rules adopted Thursday by the Federal Communications Commission represent the latest tools against "robocalls," which pester consumers, sometimes multiple times each day, and often push scams. Phone companies can already block some calls that trick consumers by showing up on Caller ID with fake numbers. The new rules make clear that they can block additional calls that are likely scams, such as numbers that start with a 911 area code, or one that isn't currently assigned to anyone.

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam , an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.

An anonymous reader quotes the New York Times: Facebook estimates that about 200 million of its more than 2.07 billion users may be fakes... [Non-paywalled article here.] Colin Stretch, the general counsel of Facebook, told the Senate Intelligence Committee the company was doubling its review staff to 20,000 and using artificial intelligence to find more "bad actors"... Sean Edgett, Twitter's general counsel, testified before Congress that about 5 percent of its 330 million users are "false accounts or spam," which would add up to more than 16 million fakes.

Independent experts say the real numbers are far higher. On Twitter, little more than an email address is needed to start tweeting. Facebook's requirement that users be their authentic selves means the company asks for a smattering of information to sign up -- name, birthday, gender and email address. But few checks exist to verify if that information is true when a user signs up.

An anonymous reader writes: The operator of a 77,000-strong spam botnet was sentenced to two years probation and no prison time after admitting his crime and completely reforming his life. The former botnet operator is now working for a cybersecurity company, and admitted his actions as soon as the FBI knocked on his door back in 2013. The botnet operator, a 29-year-old from Santa Clara, California, says he was tricked by fellow co-schemers who told him they were not doing anything wrong by infecting computers with malware because they were not accessing private information such as banking or financial records. Furthermore, the botnet operator escaped prison time because he used all the money he earned in getting a college degree at Cal Poly instead of using it on a lavish lifestyle or drugs. This case is similar to the one that MalwareTech (aka Marcus Hutchins) now faces in the U.S. for his role in developing the Kronos trojan, but also after turning his life around and working as a cybersecurity researcher for years.

On Tuesday, Google's cloud-based word processing software was randomly flagging files for supposedly "violating" Google's Terms of Service, resulting in some users not being able to access or share their files. Google today explained the issue and addressed concerns that arose. 9to5Google reports: Several users on Tuesday morning reported no longer being able to open certain files they were working on in Docs, while others were locked out mid-edit. "On Tuesday, October 31, we mistakenly blocked access to some of our users' files, including Google Docs," Google said in a blog post. "This was due to a short-lived bug that incorrectly flagged some files as violating our terms of service (TOS)." Afterwards, Google provided a comment to Gizmodo noting that a code push made earlier that morning was at fault and that full access had been restored to users hours after the bug first arose. Today's clarification goes on to explain how that error on Tuesday caused Drive to "misinterpret" responses from the antivirus system designed to protect against malware, phishing, and spam. As a result, Docs "erroneously mark[ed] some files as TOS violations, thus causing access denials for users of those files."

"Feeds need to die because they distort our views and disconnect us from other human beings around us," argues TechCrunch's Romain Dillet: At first, I thought I was missing out on some Very Important Content. I felt disconnected. I fought against my own FOMO. But now, I don't feel anything. What's going on on Instagram? I don't care. Facebook is now the worst internet forum you can find. Twitter is filled with horrible, abusive people. Instagram has become a tiny Facebook now that it has discouraged all the weird, funny accounts from posting with its broken algorithm. LinkedIn's feed is pure spam.

And here's what I realized after forgetting about all those "social" networks. First, they're tricking you and pushing the right buttons to make you check your feed just one more time. They all use thirsty notifications, promote contrarian posts that get a lot of engagement and play with your emotions. Posting has been gamified and you want to check one more time if you got more likes on your last Instagram photo. Everything is now a story so that you pay more attention to your phone and you get bored less quickly -- moving pictures with sound tend to attract your eyes... [F]inally, I realized that I was missing out by constantly checking all my feeds. By putting my phone on 'Do Not Disturb' for days, I discovered new places, started conversations and noticed tiny little things that made me smile.
He concludes that technology has improved the way we learn, communicate, and share information, "But it has gone too far...

"Forget about your phone for a minute, look around and talk with people next to you."