Read How 3ve’s BGP hijackers eluded the Internet—and made $29M by DAN GOODIN (Ars Technica)

Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves -- who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers' fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that's where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

This is an interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol.

Read Security Design: Stop Trying to Fix the User by Bruce Schneier (schneier.com)
We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

Old (by Internet standards) but still relevant.

Replied to Voice Phishing Scams Are Getting More Clever by Brian Krebs (krebsonsecurity.com)
Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

I’ve also seen some very convincing email phishing in the last few weeks with spoofed email headers. It’s made it challenging for my email spam filter to weed out the fakes. I think the best I can do at this point is to never trust these phone calls or emails, even if they seem to be coming from legitimate sources. It is best to visit the website of the bank or call the numbers on the back of the card. The risks are too high.