If you thought you had your online banking security situation under control, along comes this chilling blog entry from security vendor Trusteer about some really nasty stuff they observed over the holiday break. And especially for those of you that have chosen paperless statements, you want to read it carefully and understand the exploit.

Basically, the bad guys have figured out a full-service series of attacks that take money from your debit card account and then show you a series of screens that cover up the transaction. They use a variety of malware tools to insert themselves in the middle of your transactions to steal your account information, then quickly debit your account. The next time you log in to your bank, you see faked screens that don’t display this transaction.

If you are still one of the people that receive the paper statements in the mail, you will spot it, but only if you are really careful about reconciling your account. If you don’t get the printed statements, you may never see the transactions from the fraudster.

As Amit Klein writes on the company’s blog, “The malware hides the fraudulent transactions in the view transactions page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been taken over, nor that any fraudulent transactions have taken place.” Yikes!

Make sure your browser is up to date and if you have the option to install anti-phishing protection, now would be a good time to make sure that it is working. Most modern browsers have this enabled but it is worth reviewing if you are scared enough by this exploit. Happy holidays, everyone.


Happy New Year 2012!!

Well, that was fast. Verizon Wireless has caved to pressure from outraged consumers online and a possible probe by the Federal Communications Commission to drop its plan to charge customers a $2 fee to pay their wireless bills online.

In a statement Friday afternoon, the company said it would drop the plan that was announced on Thursday. The company said it had initially made the decision to institute the fee based on “response to customer feedback about the plan, which was designed to improve the efficiency of those transactions.”

Verizon said that it still wants to encourage customers to take advantage of other payment methods, including automatic payments that charge credit cards or debit bank accounts every month as well as electronic check payments.

Verizon customers who make single payments by phone or online will be charged a $2 fee per payment starting January 15. The new fee is intended to offset the cost of processing these payments.

“The fee will help allow us to continue to support these single bill payment options in these channels,” Verizon said in a statement.

Other Verizon payment options such as electronic check, AutoPay and payment kiosks are still free.

Customer representatives for Sprint and AT&T said that those companies charge no similar additional fee for paying by phone or online. The AT&T representative said there is, however, a fee for paying a bill through a customer service representative by phone.

Will Verizon’s $2 fee affect you? If so, will it motivate you to choose an alternate payment option, or do you find single payments by phone or Internet worth the extra couple of bucks? Let us know in the comments.

The upstart wireless provider now offers unlimited calling and data for just $19 per month–no strings attached.

You pay $199 for an LG Optimus S, then $19 per month for “unlimited” voice, texting, and data.

Why the quotation marks? Republic tweaked the Optimus to use Wi-Fi whenever possible for calls and data, thereby keeping 3G usage to a minimum. It was still available, of course, but users who tapped the network too often could be subject to warnings and, with continued excessive usage, termination of service.

In other words, you could indeed enjoy unlimited everything, provided the bulk of it was on Wi-Fi networks.

That’s over.

Yesterday afternoon, Republic Wireless announced the elimination of all usage thresholds, effectively removing the quotation marks from “unlimited.” Here’s a snippet from Republic’s Brian Dally:

Rather than revising our fair use policy, we’ve decided not to have one at all. There will simply be no thresholds, and no risk of losing service. We’re doing away with all of that to keep all of the focus instead on where it really belongs: Creating a new wireless future together. A future that is simple to understand, unfettered to use, and an amazing value for all. That’s what we started down this path to do. That’s where the power of this vibrant community, dynamic Wi-Fi ecosystem and revolutionary technology should be invested. We’re all-in.

It’s interesting that Republic made this decision while still in beta, and not as part of its official launch. In any case, the one thing that won’t change is the phone’s propensity to leverage Wi-Fi networks whenever possible. And why not? Wi-Fi works perfectly well for VoIP calls, and it allows Republic to offer 3G service (via Sprint’s network) for considerably less than anyone else.

Of course, because the service is still in beta, it remains to be seen whether that $19/month rate will last.

What are your thoughts on Republic now that it’s truly unlimited instead of merely “unlimited”?

 


Facebook has a new feature that aims to help out with your social life when away from its confines.

A new feature, called suggested events, began rolling out to users this afternoon. It provides users with a list of events they may want to attend, even if they were not explicitly invited.

According to TechCrunch, which picked up on the feature, the events that show up in the new menu are pulled from past history, including check-ins, as well as pages that have been liked. Events that Facebook friends are planning to attend are also thrown into the mix. All of this is in place of the “friends” events menu, which served up a listing of shindigs being put on by people you’re friends with.

The new feature joins suggested tags, another automated feature from Facebook that scans photos to help figure out who’s in them. That feature makes use of facial-recognition technology, whereas this one appears to run off Facebook’s own algorithms to pull out the right information and add some smarts to the listings.

Not everyone has the feature yet, but it will be rolling out soon.

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat 9.x and earlier, on Windows, Mac, and UNIX computers (The flaws technically affect Reader X as well, but are much less exploitable)
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat 9.4.6 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

In a previous post, we warned you that attackers are currently leveraging a zero day vulnerability in Adobe Reader to launch targeted attacks against certain industries. The attack arrives as a targeted phishing email, which contains a specially crafted PDF file. If you open that PDF file, it leverages the previously unknown vulnerability to execute code on your computer, with your privileges.

Adobe promised they’d release a patch for this zero day this week, and they did so today. According to their security bulletin, this out-of-cycle update actually corrects two security vulnerabilities, which attackers have exploited in the wild. As is typically the case with Adobe, they don’t describe the flaws in much technical detail, but they do say they involve memory corruption issues with the U3D and PRC components in Reader and Acrobat. As I mentioned before, if an attacker can entice you into opening a specially crafted PDF file, he can exploit these issues to execute code with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

 

Solution Path

Adobe has released Windows Reader and Acrobat 9.4.6 to fix these vulnerabilities on Windows systems. Though Reader versions running on other platforms (such as Macintosh and Unix) are also susceptible to these issues, Adobe does not plan to patch them till their next quarterly update, scheduled for January 10, 2012.

It’s important to note that the more recent Reader and Acrobat X (10.1.1) versions are also vulnerable to these issues. However, Adobe does not believe attackers can exploit these flaws in the X versions due to built-in protection mechanisms. Nonetheless, they will also release Reader X updates in January.

In the meantime, Windows-based Reader and Acrobat 9.x users should download and install the following updates as soon as they can, or let Adobe’s updater do it for you.
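A triage helper for the guidance above, added here as an example and not taken from Adobe or the original post: it sorts inventory rows by the advisory's platform and version statements. The host names, sample inventory, and action labels are constructed assumptions.

```python
import re

FIXED_WIN_9X = (9, 4, 6)    # Windows fix named in the advisory
LAST_LISTED_X = (10, 1, 1)  # X release the advisory names as affected

# Constructed sample inventory: (host, platform, installed Reader/Acrobat version).
INVENTORY = [
    ("ws-014", "Windows", "9.4.5"),
    ("ws-022", "Windows", "9.4.6"),
    ("ws-041", "Windows", "8.3"),
    ("mac-003", "Mac", "9.4.5"),
    ("ws-040", "Windows", "10.1.1"),
]


def parse_version(text):
    """Turn '9.4.6' into (9, 4, 6); pad short forms such as '9.4' with zeros.

    Tuples compare numerically. As plain strings, '10.1.1' sorts before
    '9.4.6', which would misfile every Reader X install.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(platform, version):
    """Map one inventory row to an action, using only the advisory's statements."""
    v = parse_version(version)
    if v[0] >= 10:
        # X line: affected but judged hard to exploit; update due in January.
        return "mitigated-await-january" if v <= LAST_LISTED_X else "not-covered"
    if platform.lower() != "windows":
        # Mac/UNIX 9.x and earlier: affected, no fix before January 10, 2012.
        return "exposed-await-january"
    return "patched" if v >= FIXED_WIN_9X else "patch-now"


def triage_report(rows):
    """Return {host: action} for a list of (host, platform, version) rows."""
    return {host: triage(platform, version) for host, platform, version in rows}


if __name__ == "__main__":
    for host, action in triage_report(INVENTORY).items():
        print(f"{host:8} {action}")
```

Hosts in the `exposed-await-january` bucket have no vendor fix yet, so they are the ones to cover with other controls until the quarterly update.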


The new feature is called Find my Face, and it helps tag photos of people in pictures, provided they’ve activated the feature.

Google has obviously learned a lesson from Facebook, which suffered some backlash. In Google+, you can accept or reject someone tagging you or turn the feature on and off and, most importantly, the feature is opt-in.

Find my Face will be rolling out to users over the next couple of days.

Gmail has also been upgraded with a couple of social networking features, making it easier to add people to your Google+ Circles from Gmail and share stuff on Google+ without leaving your inbox.

Furthermore, you can now also filter messages in Gmail according to your Circles; for example, you can see only the messages from your family, work colleagues or any other group of people you’ve defined as a Circle.

Google will be rolling out these new features to users’ Gmail and Gmail Contacts over the next couple of days.

According to ComputerWorld and Symantec, attackers are currently leveraging a zero day vulnerability in Adobe Reader in targeted attacks against telecommunications, manufacturing, computer hardware, and chemical companies, as well as defense sector organizations like Lockheed Martin.

The attacks may have started as early as the beginning of November, and arrive as a targeted phishing email with a malicious PDF attachment. If you open said attachment, your computer gets infected with information stealing malware.

Earlier this week, Adobe confirmed this zero day flaw in a Security Advisory. The vulnerability affects all current versions of Reader and Acrobat running on any platform. Though they have not released a fix for the flaw yet, they plan to sometime next week.

Until then, we highly recommend that you inform your users to be very careful handling PDF files that come from outside your organization, whether from a trusted source or not. If you have one of our security appliances, you can also use our proxy policies to strip all PDF content if you like. That said, doing so blocks both legitimate and malicious PDF files. Also, be sure to keep both your gateway and client level antivirus software up to date, as it likely has signatures to block known variants of this attack.

As soon as Adobe releases an update to fix this issue, we will let you know in a follow-up post.


Microsoft seems to be in the Christmas giving spirit this month, as they intend to release 14 new security bulletins during next Tuesday’s Patch Day. The bulletins fix a total of 20 security vulnerabilities in products like Windows, Office, and Internet Explorer, as well as other components that ship with those products. They rate three of the bulletins as Critical, and the rest as Important, and you can expect most of the updates to require a restart.

Of particular note, one of the bulletins will fix the zero day Windows kernel vulnerability used by the well-publicized Duqu malware.

You can find a bit more about these upcoming bulletins, including their order of severity, in Microsoft’s Advanced Notification post for December. As usual, we recommend you try to install these updates as quickly as possible, especially the Critical ones.

We will know more about these bulletins on Tuesday, December 13.
