Fake CIMB Clicks Android App Found on Google Play Store

Screenshot: Fake CIMB Android App

CIMB Clicks is one of the most popular online banking services in Malaysia. It has official mobile apps for iOS and Android that let customers manage their bank accounts on the go.

Apparently, a fake CIMB Clicks app called “CIMB Clicks Perbankan Internet” (no link, for obvious reasons) got past the Google Play Store security check and was listed for free download.

Fake CIMB app

The fake app was listed on the Google Play Store on June 11, 2013, and it was installed over 500 times in one week. While the official CIMB Clicks app description is written in English, the fake app uses Malay for its description. The developer’s website – http://tophotappstore.com/ – is not active. You can try to email the developer at tophotappstore@gmail.com.

Based on the app screenshot, the fake CIMB app asks for your CIMB online banking account’s User ID and Password, which is VERY DANGEROUS! The app could collect your login information and use it to access your account. Users have already warned about the fake app in the app reviews.

I already notified CIMB and Google Malaysia about the fake app, and CIMB replied that they are already working on removing it. Good job!

Like every Malaysian bank, CIMB uses a one-time TAC (Transaction Authorisation Code) sent to your mobile phone via SMS as additional security to protect customers against unauthorised access to their bank accounts. Nevertheless, you never want to expose your online banking username and password to strangers.

There is only one official CIMB Clicks app for Android devices.

How to avoid Android malware

Android malware doubled in 2012 compared to 2011. How do you protect yourself from such malware? Here are a few suggestions (via TechRepublic):

  • Install the latest Android updates to patch vulnerabilities.
  • For Android 4.1.2 and above, make sure “Unknown sources” under the Security section in Settings is unchecked.
  • Review all permissions requested by an app upon installation. Is the app asking for too much access?
  • Read app reviews before installing any app.
  • Install an anti-malware app for Android, such as avast! Mobile Security, Lookout Security & Antivirus, Norton Mobile Security Lite or Zoner AntiVirus (they are free!).

Beware of Mother’s Day Spam Emails

Example of Mother’s Day spam

Mother’s Day 2013 is on May 12th. Symantec has observed an increase in spam messages related to Mother’s Day.

The spam emails trick you into taking product offers, surveys, e-cards, gifts, etc. After clicking the link in the email, you are automatically redirected to a website with fake offers, where you are asked a few Mother’s Day related questions.

After submitting the survey, the website asks you to enter personal information to receive the gifts or offers.

Do NOT submit your personal information!

Most of the spam emails are sent from the .PW top-level domain (TLD). Here are some examples of the emails’ From headers:

  • From: Mother’s Day Gifts <Check@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Flowers” <postmaster@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Bouquets” <noreply@[REMOVED].pw>
  • From: “Mother’s Day Bouquets” <MothersDayBouquets@[REMOVED].pw>
  • From: “Mom” <Mom@[REMOVED].pw>

The following are some of the Subject lines used in Mother’s Day spam attacks:

  • Subject: Don’t Forget Mother’s Day – $19.99 Chocolate, Dipped Strawberries
  • Subject: Stunning Personalized Gifts for Mother’s Day
  • Subject: Top Personalized Mother’s Day Gifts
  • Subject: Make Mother’s Day Special With A Personalized Gift
  • Subject: Mother’s Day Car Deal (Half Off Every Make And Model)
  • Subject: Regarding Mothers Day
  • Subject: Celebrate Mom with a $19.99 bouquet.
  • Subject: Mother’s Day Replica’s Women’s Accessories
  • Subject: Mother’s Day Secret Formula.

You are advised to be cautious when receiving unsolicited or unexpected emails.
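The two clues the post gives (a .pw sender domain and a holiday-themed subject, often with a $19.99-style price) can be turned into a simple mail-header rule. The following is an added example, not part of the original post; the sample headers are constructed after the ones quoted above, with the “[REMOVED]” domains replaced by the placeholder removed-example.pw. The keyword list generalises to other seasonal campaigns by editing HOLIDAY_RE.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (placeholder domains, not real senders).
SAMPLE_HEADERS = [
    {"From": "Mother's Day Gifts <Check@removed-example.pw>",
     "Subject": "Don't Forget Mother's Day - $19.99 Chocolate, Dipped Strawberries"},
    {"From": '"Mom" <Mom@removed-example.pw>',
     "Subject": "Regarding Mothers Day"},
    {"From": "Accounts <billing@example.com>",
     "Subject": "Your April invoice"},
    {"From": "Aunt Jo <jo@example.org>",
     "Subject": "Mother’s Day lunch on Sunday?"},   # legitimate, must not be flagged
]

SUSPICIOUS_TLDS = {"pw"}                       # the TLD the post reports most spam coming from
HOLIDAY_RE = re.compile(r"\bmother[’']?s\s+day\b|\bmom\b", re.IGNORECASE)
PRICE_RE = re.compile(r"\$\d+(?:\.\d{2})?")    # e.g. "$19.99"

def sender_tld(from_header):
    """Return the lower-cased TLD of the From address, or '' if there is no address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    return domain.rsplit(".", 1)[-1] if "." in domain else ""

def score_message(headers):
    """Return (score, reasons); each matched indicator adds one point."""
    reasons = []
    if sender_tld(headers.get("From", "")) in SUSPICIOUS_TLDS:
        reasons.append("suspicious-sender-tld")
    subject = headers.get("Subject", "")
    if HOLIDAY_RE.search(subject):
        reasons.append("holiday-subject")
    if PRICE_RE.search(subject):
        reasons.append("price-in-subject")
    return len(reasons), reasons

def is_seasonal_spam(headers, threshold=2):
    """A holiday subject alone is normal mail; it takes two indicators to flag."""
    return score_message(headers)[0] >= threshold

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(is_seasonal_spam(h), score_message(h)[1], h["Subject"])
```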


WordPress Security: How to Protect Against Brute Force Password Attacks

Padlock on a door (credit: linder6580/stock.xchng)

WordPress has become the world’s most popular blogging system since its first release in 2003. It now powers over 60 million websites worldwide.

It is no surprise that WordPress has become a target for attackers. As reported by TheNextWeb, there is a serious brute force attack against WordPress sites across the Internet:

The requests, which are targeted at administrative accounts, appear to be coming from a sophisticated botnet that may be comprised of as many as 100,000 computers, based on the number of unique IP addresses the attacks are coming from.

The brute force attack targets the WordPress admin panel and tries to log in using “admin” as the username, trying thousands of passwords from unique IP addresses.

Simple WordPress login limit plugins won’t help, because those plugins block multiple login attempts from the same IP address. They don’t work against an attack from 90,000 unique IP addresses where each IP attempts to log in only once.
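The failure mode just described (one attempt per IP, so a per-IP limiter never fires) is visible in the web server log as an aggregate: many distinct source addresses POSTing to wp-login.php in the same minute. The following is an added example, not code from the post; it parses combined-format access log lines and flags such windows. The log lines are constructed, using RFC 5737 documentation addresses, and the thresholds (50 IPs, at most 2 attempts each) are assumed values to tune for your site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def login_posts_by_minute(lines):
    """Map each minute to a Counter of source IPs that POSTed to /wp-login.php."""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            windows[rec["ts"].strftime("%Y-%m-%d %H:%M")][rec["ip"]] += 1
    return windows

def detect_distributed_bruteforce(lines, min_unique_ips=50, max_per_ip=2):
    """Flag minutes where many distinct IPs each try to log in only once or twice.
    A per-IP limiter never fires on this pattern; the aggregate count does."""
    alerts = []
    for minute, ips in sorted(login_posts_by_minute(lines).items()):
        if len(ips) >= min_unique_ips and max(ips.values()) <= max_per_ip:
            alerts.append((minute, len(ips), sum(ips.values())))
    return alerts

def make_sample_log():
    """Constructed sample: 120 documentation-range IPs, one POST each within the
    same minute, plus one real user (192.0.2.7) mistyping a password three times."""
    fmt = ('{ip} - - [12/Apr/2013:10:{mm:02d}:{ss:02d} +0000] '
           '"{m} /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"')
    lines = []
    for i in range(60):
        for net in ("198.51.100", "203.0.113"):
            lines.append(fmt.format(ip=f"{net}.{i}", mm=0, ss=i, m="POST"))
    lines.append(fmt.format(ip="192.0.2.7", mm=5, ss=10, m="GET"))   # page load, ignored
    lines += [fmt.format(ip="192.0.2.7", mm=5, ss=s, m="POST") for s in (20, 31, 42)]
    return lines

if __name__ == "__main__":
    for minute, n_ips, n_posts in detect_distributed_bruteforce(make_sample_log()):
        print(f"{minute}: {n_posts} login POSTs from {n_ips} distinct IPs")
```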

Fortunately, you can easily protect your WordPress blog against 99% of future brute force attacks by applying the following security recommendations:

1. Use a strong password

Your WordPress password (in fact, any of your passwords) should be a strong password that is long and includes numbers and symbols. No need to scratch your head to think of one; there are many online password generators that can help you.

2. Do not use default admin username

Older WordPress installations default the first username to “admin”, and you cannot change it from the admin panel. Recent WordPress versions force you to create a unique username.

If your WordPress username is “admin”, it is time to change it. You can either modify the WordPress database entry (not recommended), create a new admin user, or install a WordPress plugin to change the username to anything you like.

While you cannot change a WordPress account’s username, you can create another user account.

We can create a new WordPress admin user, delete the old admin user (username “admin”), then assign all posts by ‘old admin user’ to the ‘new admin user’.

  1. Log in to the WordPress admin panel.
  2. Go to Users > Add New.
  3. Fill in the form and choose “Administrator” in the “Role” drop-down menu (remember to use a strong password).
  4. Click the “Add New User” button to add a new administrator account.
  5. Log out of the WordPress admin panel.
  6. Log in to the WordPress admin panel using the newly created administrator account.
  7. Go to Users > All Users.
  8. Hover over the old admin user (username “admin”) and click the “Delete” link.
  9. On the “Delete Users” page, you will be asked what should be done with posts owned by the “admin” user. Select “Attribute all posts to:” and choose your new admin user.
  10. Click “Confirm Deletion” to delete the old “admin” user and assign all its posts to the new admin.

If the above 10 steps look too complicated for you, you can install a WordPress plugin like “Admin username changer” to rename the administrator username.

3. Update WordPress

Every new WordPress version fixes bugs and exploitable holes and adds new features to protect your WordPress against attackers. You should always keep your WordPress installation up to date. The WordPress Automatic Update feature reduces the process to two minutes of work.

4. Use CloudFlare

CloudFlare is a CDN, security and website optimisation service. It has blocked 60 million brute force attacks against its WordPress customers in a single hour. Sign up for the free plan to protect your website now.


Using a strong password, not using the default username and keeping software up to date are basic and effective methods to protect against attackers.

Perhaps they are so basic that people are often not aware of them. Hopefully this article helps you secure your WordPress site.

How do you protect your WordPress site? Please share with us in the comment below.

Warning: Easter Spam Messages with Bogus Offers

Easter Spam Sample

Easter Sunday falls on 31st March in 2013. The Symantec Probe Network detected Easter-related spam messages carrying bogus offers.

Users are advised to be cautious when handling unsolicited or unexpected emails. Here are some of the email subject lines observed in Easter-related spam:

  • Subject: XXX, Get your Easter savings on all vehicles
  • Subject: Shop Easter toys, baskets, plush and more
  • Subject: HappyEasterInAdvance,
  • Subject: Fun and Unique Easter Gifts
  • Subject: Celebrate Easter with a Personalized Gift
  • Subject: Easter eCard
  • Subject: Easter flowers at exceptional savings – shop now
  • Subject: Make the Easter bunny jealous! Easter flowers – from $19.99
  • Subject: Challenge Ends Easter weekend
  • Subject: Easter is hopping your way…and so are $19.99 bouquets!
  • Subject: 25-free spins on xxx this-Easter
  • Subject: Letter From Easter Bunny For Your Child


Warning: Reset Twitter Password Now

Twitter reset passwords and sent an email to affected users

Last week, I received a Twitter email notifying me that Twitter had reset my account password. I thought it was a scam, but it was not: Twitter has been hacked.

Twitter, the world’s most popular microblogging site, has been hacked and attackers may have gained access to 250,000 user passwords. Twitter has reset the passwords for the 250,000 accounts and sent emails to the affected users.
