
Author: aaa
Published: 2013/12/11 8:47:31

Double 12 is tomorrow: is your Alipay account safe?
Tags: account-scanning software, account scanner, Alipay, Double 12 - IT资讯 (IT News)

“Double 11” has just passed and “Double 12” is coming; lured by one promotion after another, netizens keep topping up their Alipay accounts. The large sums of money inside are becoming the prey that criminals most covet. After several weeks of investigation, the reporter found that some criminals buy user data from hackers, feed it into specially designed “account-scanning software”, and can then easily break into users' Alipay accounts, transfer the funds away, or commit other kinds of crime.

“Account scanning” in three steps

1. “Hackers” steal the data packages

The data hawked in account-scanning groups includes account names and passwords for Taobao, Alipay, e-mail, Baidu Tieba, Weibo, games and more. One seller revealed that the ultimate source of his data is hackers.

2. “Scanning” the data to obtain working credentials

Open the scanning software, click “import accounts”, open the purchased data package, and the software matches the credentials automatically. While it runs, account names and passwords are displayed in clear text. If the “filter login status” column shows “Taobao login successful”, the pair has passed the scanner's verification and is a correct account name and password.

3. Log in to the account and steal the funds

When scanning finishes, the obtained account names and passwords are used to log in to the Taobao account. If the compromised user has also had other personal information leaked, the safety of the funds in the account may be threatened.

□ Account-scanning software may threaten the security of Taobao and Alipay users / Morning Post reporter Xiao Yun

Bank card bound to Alipay fraudulently charged

Mr. Zhou, who lives in Baoshan, is a victim of “account-scanning software”. Between 23:40 and 23:44 on November 10, in just four minutes, 30,000 yuan was fraudulently charged to his ICBC savings card through Alipay. Investigation showed that Mr. Zhou's Alipay account name and password had been stolen by criminals, who then used targeted quick payment to drain the funds from the ICBC card bound to his Alipay account.

Alipay's investigation found that not only the user's Alipay password was stolen, but also the number and holder name of the bound bank card and other related information. The likely reason the Alipay account was compromised is that Mr. Zhou used the same account name and password on other websites and forums, which criminals exploited through “account scanning”.

Unlike ordinary point-to-point “account theft”, which obtains the target's password directly, “account scanning” obtains account passwords by a roundabout route. By analogy, a person's account name and password are like the front door of a house and its key. In “account theft”, the criminal has set his sights on you and is single-mindedly stealing your key in order to burgle your house. “Account scanning” is different: the criminal steals all kinds of keys from hundreds or thousands of households in bulk, and once one of your doors matches a key in the batch, he can work out which key in the batch opens your front door.

It is actually an automated batch login tool

What kind of software is account-scanning software? Security expert An Yang revealed its true face to the reporter.

“Bluntly put, account-scanning software is just an automated batch login tool,” An Yang explained. “Many websites have had their user password databases stolen by hackers, as in the earlier leaks of user data from CSDN, Tianya and other sites, and many netizens habitually set the same registration e-mail and password on different websites. Account-scanning software uses those leaked databases to perform automated batch logins against QQ, Weibo, e-commerce, gaming and other platforms, finding the accounts that log in successfully.”

For example, the CSDN database leak exposed more than six million registered e-mail addresses and passwords, many of them belonging to QQ Mail users. A hacker who wants to know whether those QQ numbers use the same password as on CSDN would find it very tedious to verify them by hand one by one, so he uses scanning software to attempt the logins automatically and sweeps out every QQ number that logs in successfully.

“Generally, a scanner is built for a particular website or program: a scanner for QQ, a scanner for Weibo, a scanner for Taobao, JD.com and other e-commerce sites.” Depending on the site's countermeasures, the technical sophistication and production cost of a scanner vary greatly.

[Expert advice]

Online banking and e-commerce accounts should have separate passwords

An Yang urged users to keep their personal computer systems secure and remove Trojans and other latent risks. “Accounts that involve property and privacy, such as online banking, e-commerce, securities trading, frequently used mailboxes and chat accounts, should each have a separate password, which prevents scanning software from logging in to them. Use high-strength passwords of the form ‘letters + digits + special symbols’ wherever possible; letters can be mixed upper and lower case, and the special symbols can be the characters on the number keys of the keyboard.”

He suggested that users manage passwords in tiers according to the importance of the account: the more important the password, the stronger it should be, and important accounts should have their passwords changed regularly. “Avoid using birthdays, the pinyin of your name, phone numbers and other identity-related information as passwords, because when hackers try to crack the password of a specific target, such information is usually the first thing they try.”
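As an added example (not from the article or from An Yang), the following Python implements a registration-time password check that rejects exactly the weaknesses this section names: identity-derived passwords (birthday, name pinyin, phone number), passwords nearly identical to the login name, and passwords lacking the letters + digits + number-key symbols form. The account data passed in and the similarity threshold are assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# The special symbols on the keyboard's number keys, as the expert recommends.
SPECIALS = set("!@#$%^&*()")

def looks_like_date(pw: str) -> bool:
    """True if pw contains a plausible YYYYMMDD or YYMMDD run, e.g. a birthday."""
    for m in re.finditer(r"\d{8}|\d{6}", pw):
        s = m.group()
        if len(s) == 8:
            y, mo, d = int(s[:4]), int(s[4:6]), int(s[6:])
        else:
            y, mo, d = 2000 + int(s[:2]), int(s[2:4]), int(s[4:])
        try:
            date(y, mo, d)
            return True
        except ValueError:
            continue
    return False

def check_password(login: str, pw: str, name_pinyin: str = "", phone: str = "") -> list:
    """Return the policy violations for pw; an empty list means it passes.
    login, name_pinyin and phone are the account's own identity data, which
    the article says attackers try first (all values are caller-supplied)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special symbol from the number keys")
    if SequenceMatcher(None, low, login.lower()).ratio() >= 0.8:  # assumed threshold
        problems.append("same as or nearly the same as the login name")
    if name_pinyin and name_pinyin.lower() in low:
        problems.append("contains the name in pinyin")
    if phone and phone in pw:
        problems.append("contains the phone number")
    if looks_like_date(pw):
        problems.append("contains a date (birthday-like)")
    return problems
```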

[Reporter's experience]

Scanning software really can log in to other people's accounts

The data is correct but login fails

To get a look at the true face of “account-scanning software”, the reporter joined a QQ group named “account scanner data exchange group” and contacted the seller “Xiao He”, asking to buy a scanner for Taobao. The seller asked 500 yuan and threw in a data package.

After payment, the seller quickly sent over QQ a text document containing a data package of nearly 9,000 account-password pairs and the scanner “阿里和淘宝晒密1.03”. Following the seller's demonstration, the reporter began “scanning” in person. The run finished in a few minutes: of 8,971 accounts, 183 showed “Taobao login successful”, with the passwords displayed in clear text. However, the reporter found that some of these accounts could not actually log in to Taobao; instead a page appeared saying “your account may have been misused and has been temporarily restricted; please follow the steps to restore it yourself”, and after redirection the page required a verification code received on the bound mobile phone.

Successful login after buying “first-hand data”

When the reporter asked why accounts that the scanning software showed as “Taobao login successful” could not log in smoothly on Taobao, the seller said it was because the data was second-hand: “I scanned all of it yesterday; Taobao probably detected the risk and put a protection on them.” The reporter then bought 10,000 records of “first-hand data” from “Xiao He” for 300 yuan.

Same scanner, same method. This time all 10,131 accounts were run through the scanner, and 112 of them showed “Taobao login successful” and were recorded in the automatically generated “combined results” text document.

Skimming the data, the reporter found that most passwords were quite simple: suspected birthdays or combinations of name pinyin made up the majority, and some were almost identical to the login name.

The reporter contacted some of these users by various means and, with their consent, tried logging in to Taobao with the account name and password in their presence. The logins succeeded and all information could be viewed, including personal details, transaction records and shipping addresses.

Both the bound e-mail and phone can be changed

From one user's Taobao page, the reporter entered the user's Alipay account directly through the “bound Alipay settings” option. An Alipay balance of 0 yuan and a Yu'e Bao balance of several thousand yuan were both displayed prominently on the home page, with a “transfer” option right after the balance figures.

The reporter tried clicking “transfer”, chose to transfer out to the user's bound bank card, and ticked the first of the two “arrival time” options: “next-day arrival (transfer from a computer)” and “arrival within 2 hours (transfer from a mobile phone)”. The page then prompted: “You are a digital certificate user, but the certificate has not been installed on this computer.”

Following the prompt, the reporter began the first step of installing a digital certificate, which required entering a verification code sent to the bound phone. Since the bound phone was still the user's own, the reporter clicked the “change number” option next to the phone number. The page then jumped to “manual processing” to fill out a request form for changing the phone number: “We will send the request form to your e-mail address”, followed by the user's bound e-mail address.

The reporter changed the bound e-mail address. This time, a “change e-mail address” dialog popped up without any verification at all, with the added reminder “this e-mail address is used for this contact only”. After the reporter entered their own e-mail address and clicked “send e-mail”, a verification e-mail arrived without trouble; clicking the link in it jumped to the page for changing the phone number, which displayed “enter new phone number”. At this point, the reporter only needed to enter a new phone number to replace the originally bound one.

■ Alipay's explanation

Only “scanning” plus other leaked information makes a successful transfer possible

With scanning software, can one really change the bound phone and e-mail and then transfer the money out of the account? The reporter put this to Zhu Jian, manager of Alipay's public relations department.

Zhu Jian said that Alipay accounts being “scanned” does happen and that he had heard of it himself. He explained: “It may be that the user leaked an account name and password on some risky small website and bound Alipay with the same credentials, so that criminals found them by trial and tried to exploit them.” He said: “Our Alipay uses two passwords (a login password and a payment password), and there are further checkpoints such as digital certificates and mobile phone verification, so it is not so easy for criminals to move funds through ‘account scanning’.”

As for users who have been “scanned”, Zhu Jian explained that although criminals can replace the user's bound phone and e-mail, a transfer still requires the Alipay payment password. “Alipay uses two passwords, and what was cracked for some users is the login password, so the payment password is still relatively safe. Only if the scammer has also obtained the user's other personal information, and goes on to replace the user's identity information and payment password, can a transfer succeed.”

Zhu Jian said: “We have a real-time risk monitoring system that performs 120 million behaviour checks a day; it can detect the vast majority of abnormal behaviour and handle it in real time. Once an anomaly is found, we confirm it by sending a verification code or freezing the account.”
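As an added example (not Alipay's system and not code from the article), the following Python flags the batch-login pattern the article describes, one source trying many distinct accounts with a low success rate, in constructed login-log lines, and returns the accounts that matched so they can be sent a verification code or frozen, the responses Zhu Jian mentions. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> src=<ip> user=<account> result=ok|fail"
LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample: 203.0.113.5 tries six accounts in five seconds (two hits);
# 198.51.100.9 is one user who mistyped once and then logged in.
SAMPLE_LOG = """\
2013-12-10T22:00:01 src=203.0.113.5 user=u1@example.com result=fail
2013-12-10T22:00:02 src=203.0.113.5 user=u2@example.com result=fail
2013-12-10T22:00:02 src=203.0.113.5 user=u3@example.com result=ok
2013-12-10T22:00:03 src=203.0.113.5 user=u4@example.com result=fail
2013-12-10T22:00:04 src=203.0.113.5 user=u5@example.com result=fail
2013-12-10T22:00:05 src=203.0.113.5 user=u6@example.com result=ok
2013-12-10T22:00:07 src=198.51.100.9 user=zhou@example.com result=fail
2013-12-10T22:00:15 src=198.51.100.9 user=zhou@example.com result=ok
"""

def parse(log):
    """Yield (time, src, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, user, res = m.groups()
            yield datetime.fromisoformat(ts), src, user, res

def detect_batch_logins(log, window=timedelta(minutes=5), min_accounts=5, max_ok_rate=0.5):
    """Flag sources that hit >= min_accounts distinct accounts inside `window` with a
    success rate <= max_ok_rate (a scanner succeeds on a few percent, as the article's
    183/8971 and 112/10131 runs show). Returns {src: {"accounts": n, "hits": [users]}}."""
    per_src = defaultdict(list)
    for ts, src, user, res in parse(log):
        per_src[src].append((ts, user, res))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window over the events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            ok = sum(1 for _, _, r in win if r == "ok")
            hits = sorted({u for _, u, r in win if r == "ok"})  # accounts needing step-up
            if len(users) >= min_accounts and ok / len(win) <= max_ok_rate:
                if src not in flagged or len(users) > flagged[src]["accounts"]:
                    flagged[src] = {"accounts": len(users), "hits": hits}
    return flagged
```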

