Date: 20/02/2015 14:34:02
From: btm
ID: 680251
Subject: Lenovo preinstalling adware and compromised security certificate

Lenovo has been preinstalling adware (called “Superfish”) and a compromised security certificate on laptops. The compromised certificate allows Superfish to perform a “Man-In-The-Middle” attack on any internet connection secured by SSL/TLS, allowing capturing of confidential information like bank accounts and passwords.

Lenovo’s user forum:
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839
thenextweb.com article:
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
https://news.ycombinator.com/item?id=9072424

A Twitter user has created a fake (usable) certificate for Bank of America:
https://twitter.com/kennwhite/status/568270748638318593/photo/1

It appears only Google’s Chrome and Microsoft’s Internet Explorer are affected: Firefox uses its own certificate chain.


Date: 20/02/2015 18:05:25
From: Bubblecar
ID: 680369
Subject: re: Lenovo preinstalling adware and compromised security certificate

While we’re talking security, today I received this fake PayPal email (I know it’s fake because it’s not from PayPal’s email address and when I logged onto my actual PayPal account, there was no mention of any of this). If you get one of these, don’t click on the links:

Update your details for PayPal
We need more information from you
Just like a bank, we need to confirm the information you’ve given us. Please provide the requested information as soon as possible to ensure you can continue to use your PayPal account.
Click Resolution Center to see the steps you’ll need to complete. If no steps are currently listed, please check back in 24 hours.
Until we can confirm the information you’ve given us, we need to limit most of the functionality on your account. For now, you can continue to receive payments but you won’t be able to withdraw funds or make payments.

You have 48 hours to provide this information. If we don’t hear from you by then, we’ll need to restrict your PayPal account.
If your account is restricted, you won’t be able to send, transfer or receive funds.
You can update your information in our Resolution Center.
Update Card

You can update your information in our Resolution Center.

Yours sincerely,
PayPal


Date: 21/02/2015 14:23:46
From: CrazyNeutrino
ID: 680815
Subject: re: Lenovo preinstalling adware and compromised security certificate

Bubblecar said:


While we’re talking security, today I received this fake PayPal email (I know it’s fake because it’s not from PayPal’s email address and when I logged onto my actual PayPal account, there was no mention of any of this). If you get one of these, don’t click on the links:

Update your details for PayPal
We need more information from you
Just like a bank, we need to confirm the information you’ve given us. Please provide the requested information as soon as possible to ensure you can continue to use your PayPal account.
Click Resolution Center to see the steps you’ll need to complete. If no steps are currently listed, please check back in 24 hours.
Until we can confirm the information you’ve given us, we need to limit most of the functionality on your account. For now, you can continue to receive payments but you won’t be able to withdraw funds or make payments.

You have 48 hours to provide this information. If we don’t hear from you by then, we’ll need to restrict your PayPal account.
If your account is restricted, you won’t be able to send, transfer or receive funds.
You can update your information in our Resolution Center.
Update Card

You can update your information in our Resolution Center.

Yours sincerely,
PayPal

I get those fake PayPal emails too.

Email programs should have a verify email address option which checks the displayed email address against the actual email link to see if they both match.


Date: 22/02/2015 16:56:21
From: btm
ID: 681465
Subject: re: Lenovo preinstalling adware and compromised security certificate

This is starting to get a bit more interesting. You may not want to screw with these ex-Israeli-8200 unit guys. It’s entirely possible that Superfish is primarily a front company to provide “plausible deniability” for various nefarious activities. It would be very interesting to know the sources of those $38 million in revenues.

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/


Superfish: A History Of Malware Complaints And International Surveillance

Superfish, a little-known “visual search” and ad tech provider from Palo Alto whose CEO was once part of the surveillance industrial complex, is about to learn what it feels like to face the unwavering wrath of the privacy and security industries. Lenovo will take much of the blame for potentially placing users at risk by contracting Superfish to effectively carry out man-in-the-middle attacks on users to intercept their traffic just to get the firm’s “visual” ads up during customers’ web searches.


Date: 22/02/2015 17:04:47
From: CrazyNeutrino
ID: 681470
Subject: re: Lenovo preinstalling adware and compromised security certificate

Let’s all set up front companies to provide plausible deniability when we need it.


Date: 22/02/2015 20:31:41
From: Obviousman
ID: 681574
Subject: re: Lenovo preinstalling adware and compromised security certificate

btm said:


Lenovo has been preinstalling adware (called “Superfish”) and a compromised security certificate on laptops. The compromised certificate allows Superfish to perform a “Man-In-The-Middle” attack on any internet connection secured by SSL/TLS, allowing capturing of confidential information like bank accounts and passwords.

Lenovo’s user forum:
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839
thenextweb.com article:
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
https://news.ycombinator.com/item?id=9072424

A Twitter user has created a fake (usable) certificate for Bank of America:
https://twitter.com/kennwhite/status/568270748638318593/photo/1

It appears only Google’s Chrome and Microsoft’s Internet Explorer are affected: Firefox uses its own certificate chain.

If you are not a Lenovo user, you are safe? Correct?
