Netflix Phish Claims Your Membership Is On Hold


The days of ugly-looking phish pages hosted on something akin to a Geocities page are slowly receding into the distance. For quite some time now, phish attacks have made attempts to look fairly sophisticated and stand a decent chance of fooling anyone not keeping their guard up.

Today, we have a good example of this with a Netflix phish currently in circulation and (potentially) dropping into a mailbox near you. Netflix is a frequent target of all manner of scams, and is a popular go-to for phishers.

Here’s the email that kickstarts the process:

phish-email.JPG

Apart from the clunky typo in the small print, this is a fairly convincing email scam, combining someone who knows how to make an email not look terrible with the imminent threat of losing access. Having said that, you’ll notice the mail system above flagged it as suspicious anyway. This isn’t the case for all email clients, however, and one shouldn’t assume nothing slips through the cracks. The destination site, located at login(dot)netflix-activate(dot)com, appropriates a standard, no-frills Netflix login screen.
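One way a mail gateway or proxy rule could flag a hostname like the one above, shown as an added example rather than anything from the original article. The brand allow-list and all function names are assumptions, and the registrable domain is approximated by the last two labels:

```python
import re
from urllib.parse import urlsplit

# Assumption: allow-list of each brand's real registrable domains (not from the article).
BRANDS = {"netflix": {"netflix.com"}}

def refang(value: str) -> str:
    """Undo common defanging: '(dot)', '[dot]', '[.]' and a leading 'hxxp'."""
    value = re.sub(r"\(dot\)|\[dot\]|\[\.\]", ".", value.strip(), flags=re.I)
    return re.sub(r"^hxxp", "http", value, flags=re.I)

def hostname(value: str) -> str:
    """Extract a lower-case hostname from a bare host or a full URL."""
    value = refang(value)
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Naive last-two-labels rule; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def impersonated_brands(value: str) -> list[str]:
    """Brands named in the hostname although it is not one of the brand's own domains."""
    host = hostname(value)
    tokens = set(re.split(r"[.\-]", host))
    reg = registrable_domain(host)
    return sorted(b for b, legit in BRANDS.items() if b in tokens and reg not in legit)

if __name__ == "__main__":
    # First entry is the host named in the article; the others are constructed samples.
    for sample in ("login(dot)netflix-activate(dot)com",
                   "https://www.netflix.com/login",
                   "netflix.com.account-check.example"):
        print(sample, "->", impersonated_brands(sample) or "no brand mismatch")
```
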

The phish itself consists of a grab for personal information including name, address, phone number, and date of birth. After that, they try and swipe payment information, asking for the name as written on the card, card number, expiry date, security code, and even a cheap grab at a security question answer for good measure.


These emails follow a similar format to the Apple phishes in February, and indeed quite a few others going around at the moment (also Apple-centric, so constant service-related vigilance is the order of the day). Phishing emails won’t be going away anytime soon, and the people behind them keep striving to make their fake-outs ever more believable. It’s up to us to do what we can, and consign their sneaky missives to the recycle bin. Your bank account will thank you for it.

The Best Wireless Routers to Buy in 2018

If you’re shopping for a new wireless router, don’t be intimidated by all the technical jargon. For the average person, most of those specs won’t be all that relevant. Most likely, you just want to know which router is right for your particular set of wifi circumstances. Are you a gamer? Are you a streamer? Do you live in a big house or a cramped apartment? What’s your budget?

Best Overall, Best for Larger Homes: Linksys AC1900 Dual Band Router


Price: $159.97

If you live in a large, multi-story home, you likely have several people – and even more devices – fighting over the WiFi connection. The Linksys AC1900 Dual Band Wireless Router is perfect for households with high WiFi traffic, letting you connect 12 or more devices, including smartphones, tablets, smart TVs, game consoles and virtual assistants (we're looking at you, Alexa!). And the router’s Beamforming technology means it focuses its signal towards those devices, rather than just sending out a blanket signal, resulting in a stronger connection for everyone.


Best for Streaming: Netgear AC1750 Smart Router


Price: $94.99

Nothing ruins a binge-watching marathon like a stream that won’t stop buffering. Well, the Netgear AC1750 Smart WiFi Router has come to your rescue. It features 450+1300 Mbps speeds and high-power external antennas for improved coverage. It has one USB 3.0 port and one USB 2.0 port, and it protects the wireless network with WPA/WPA2 security. It even has separate and secure guest network access.


Best for Complete Home Coverage: Netgear Orbi


Price: $291.99

It’s a pain point homeowners across the world are all too familiar with: How do you fill up every inch of your home with a solid WiFi signal? Fortunately, the time has come to put this problem to rest thanks to the introduction of Netgear’s Orbi. It’s pricey, starting at $399, but the cost is offset by the satisfaction you’ll receive walking around your entire home with a strong signal. The price includes two devices: a router that’s plugged into your Internet modem and an identical satellite device set up elsewhere in the home to extend the signal throughout your house. If that sounds familiar, it’s because Netgear wasn’t the first to try mesh networking, but it has a secret weapon: a tri-band system that not only extends the signal, but maintains its performance by optimizing the signal with your home ISP as well.


Best Under $50: TP-Link AC1200

Price: $39.99

TP-Link claims the 1200's Signal Sustain Technology (SST) can help provide a stronger WiFi signal while handling multiple high-bandwidth applications. And it can easily be found for less than $50. If you’re looking for a budget router, 867Mbps is more than enough for most needs—and more than you’ll ever find in the sub-$50 price range. And the system is future-proofed with 802.11ac WiFi technology.


Best for Small Apartments: ASUS RT-ACRH13 Dual-Band AC1300

Price: $61.12

When you live in a small apartment rather than a big house, there’s no need to splurge on a big router. The ASUS RT-ACRH13 fits the bill perfectly because it comes in under $65. It has four external 5dBi antennas that ensure you get good range throughout your apartment and can use multiple devices (smartphones, computers, etc.) at the same time. It can handle combined speeds of up to 1267 Mbps, so no matter what kind of downloads or uploads you throw at it, it can probably manage.

You Should Change Your Twitter Password Right Now

Twitter chief technology officer Parag Agrawal disclosed in a blog post that the company had inadvertently recorded user passwords, in plaintext, in an internal system. This is not how things are supposed to go! And while Twitter has fixed the bug, and doesn't think any of the exposed passwords were accessed in any way, you should still change your Twitter password right now to make sure your account is secure.

"It's a bad thing and Twitter should be held to the fire for it," says David Kennedy, CEO of the penetration testing firm TrustedSec. "But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it."

Twitter has begun notifying both mobile and desktop users to change their passwords, but several people have reported errors and lags, presumably because everyone is trying to make account changes at once (which is good!).

Companies generally protect user passwords by scrambling them in a cryptographic process known as hashing. As Agrawal explained, Twitter does this, too, using a well-regarded hash function called bcrypt. But a bug caused Twitter to accidentally store passwords unprotected in some type of internal log before its password management system finished hashing them. The system would then complete the hash, and everything would look fine, even though the passwords were readable in the log. While it's great that Twitter eventually realized the situation and is taking steps to ensure that it never happens again, it's disconcerting that such a fundamental flaw in a crucial user protection existed in the first place.
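The failure mode described above, reproduced in miniature with a logging filter as a safety net. This is an added example, not Twitter's code: the field names, the logger name and the sample signup are constructed, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import io
import logging
import os

# Assumed field names; extend to match the application's own forms.
SENSITIVE_KEYS = {"password", "new_password", "current_password"}

def scrub(value):
    """Return a copy of value with sensitive dict entries masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactSecrets(logging.Filter):
    """Mask secrets in log arguments before any handler formats the record."""
    def filter(self, record):
        # logging unwraps a single dict argument, so args may be a dict or a tuple.
        record.args = scrub(record.args)
        return True

def hash_password(password: str) -> bytes:
    # Standard-library stand-in; the article says Twitter hashes with bcrypt.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def handle_signup(form: dict, log: logging.Logger) -> bytes:
    # The risky pattern: the raw request is logged before hashing completes.
    log.info("signup request: %s", form)
    return hash_password(form["password"])

def demo(redact: bool) -> str:
    """Run one constructed signup and return the text that reached the log."""
    stream = io.StringIO()
    log = logging.getLogger(f"signup-demo-{redact}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [logging.StreamHandler(stream)]
    log.filters = [RedactSecrets()] if redact else []
    handle_signup({"user": "alice", "password": "correct horse"}, log)  # constructed
    return stream.getvalue()

if __name__ == "__main__":
    print("unfiltered:", demo(False), end="")
    print("filtered:  ", demo(True), end="")
```

The filter only catches secrets passed as structured log arguments; a password already interpolated into the message string is not masked, so the primary fix remains not logging request bodies at all.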

"I’m sorry that this happened," Agrawal wrote on Twitter after posting the announcement. "We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do." The disclosure came on World Password Day.

It's true that Twitter could have simply implemented remediations and hoped for the best, but its users deserve to know if and when their passwords have been exposed—especially because it's always possible that the data actually was improperly accessed. And the company could have gone even farther with its disclosure. "We ask that you consider changing your password on all services where you’ve used this password," Agrawal wrote in the statement. Instead of making it optional, Twitter could have forced all of its users to change their passwords to guarantee their security.

To do just that for your own account, navigate to Settings and privacy > Password. Enter your current password and then pick a new one. And if you used your old Twitter password for any other accounts, you should change those, too.

While you're at it, set up two-factor authentication for Twitter if you don't have it enabled already. Go to Settings and privacy > Account. In the Security subsection, click on Review your login verification methods. After entering your (newly revised) password to confirm that you want to make changes, you'll land on a Login verification screen. Here you can set things up so you receive second factor codes via SMS or, preferably, using a code-generating app like Google Authenticator or Authy. The problem Twitter announced today is exactly the type of situation where two-factor is helpful—even if your Twitter password was compromised while it was exposed in the internal log, two-factor would keep a bad actor from using that information alone to access your account.

Twitter declined to comment on how long the plaintext passwords were exposed, or why the company decided not to reset all user passwords, but it seems to have acted in good faith to resolve the issue. For a platform with 336 million users, though, it's a pretty major gaffe.

Along with Dating, Here’s a List of New Features Coming to Facebook

Facebook announced a whole lot of new features at its 2018 Facebook F8 developers conference, along with the keynote by its CEO Mark Zuckerberg addressing concerns from app developers after Facebook paused 3rd-party app review in the wake of the Cambridge Analytica scandal.

Here are some big takeaways from Zuckerberg's keynote on Day 1 of Facebook F8, held for two days, May 1 and 2, at the McEnery Convention Center in San Jose, California:

FaceDate—Facebook's New Tinder-Like 'Dating' Feature

The social network giant is introducing a new dating feature that will allow you to build a profile that will only be visible to other Facebook users (non-friends) who have also opted into looking for love.

Dubbed FaceDate, the new feature will match your profile based on all its data with others to find potential suitors and messaging will happen in a dedicated inbox rather than its default Messenger application.

And worry not. FaceDate will not match your profile with your friends, nor will your friends be able to see your dating profile.

FaceDate is "not just for hookups," Zuckerberg said. Rather, the feature has been designed for "real long-term relationships."

Shortly after the announcement of FaceDate, the share price of Match Group, the parent company of Match.com, fell 22%, and IAC, the parent of both popular hookup app Tinder and Match Group, fell more than 16%.

Facebook Adds 'Clear History' Tool

Facebook had been embroiled in controversies over its data sharing practices after the Cambridge Analytica scandal, forcing people to think about how the social media company handles user privacy, collects data and uses it.

Now to help users protect their privacy, Facebook introduced a new feature, dubbed "Clear History," that will let users clear their browsing history on Facebook.

Clear History will enable users to see the websites and apps that send Facebook information when users use them, delete this information from their accounts, and turn off Facebook's ability to store the data "associated with your account" going forward.

Once you clear your history, Facebook will remove identifying information so a history of the sites and apps you have used will not be associated with your account.

However, Facebook will take a few months to build the Clear History feature, and work with "privacy advocates, academics, policymakers, and regulators to get their input on our approach," Facebook VP and chief privacy officer Erin Egan said in a blog post.

"After going through our systems, this is an example of the kind of control we think you should have," Zuckerberg said. "It's something privacy advocates have been asking for."

Facebook also warned users that by using the Clear History tool, they might be required to sign back in every time they want to log into their account.

Facebook is also committed to preventing "fake news" and fake accounts from spreading on its platform, though Zuckerberg did not say much about how Facebook plans to do it.

Facebook Re-Opens App Reviews On Its Platform


In the wake of the Cambridge Analytica scandal, Facebook paused third-party app review, but now Zuckerberg announced that the company is re-opening app reviews for developers starting Tuesday.

The relationship between Facebook and app developers has gotten complicated since it was revealed how digital consultancy firm Cambridge Analytica improperly obtained and misused data on potentially 87 million Facebook users to reportedly help Donald Trump win the US presidency in 2016.

Facebook paused review of new apps after it was revealed that a third-party app developer named Aleksandr Kogan, who created a personality quiz app and collected personal data on millions of users who took the quiz, handed over the data to Cambridge Analytica.

"I know it hasn’t been easy being a developer these past couple months, and that’s probably an understatement," Zuckerberg said.

Facebook has re-opened app review, but the process has changed a bit. The company will now "require business verification for apps that need access to specialized APIs or extended Login permissions."

"Apps that ask for basic public profile or additional permissions, such as a birthday or user friends, are not subject to business verification," a blog post published Tuesday reads.

Real Time Language Translations In Facebook Messenger

Facebook has introduced chat translation within Messenger through its M Suggestions assistant, which will translate conversations in real time, just like web browsers do.

However, the feature will be rolled out to users in the United States throughout this year and will only translate English-Spanish conversations.

In the coming weeks, all American Messenger users will get access to this feature, and over time the social media company says it will "launch this functionality in additional languages and countries."

In a feature launching in closed beta, businesses will now be able to integrate augmented reality (AR) camera effects directly into Messenger for their customers to experience.

Now when you interact with certain businesses on Messenger, you will be able to virtually try or customize merchandise by opening the app's camera and using a pre-populated brand-specific AR effect.

Facebook is also making simplifications to Messenger's interface. Since the app's quest to embrace businesses, bots, Stories and visual sharing has made it bloated, the company has re-designed Messenger by cutting out the games and camera tabs from the navigation bar.

Besides these features, Facebook has also introduced a new way for people to share from their favorite apps, like Spotify and GoPro, to both Facebook and Instagram Stories. The company has also made its first standalone VR headset Oculus Go available globally for anyone to purchase, starting at $199.

To know more about new launches and watch the full keynote, you can head on to this blog post.

A New Cryptocurrency Mining Virus is Spreading Through Facebook

If you receive a link to a video, even if it looks exciting, sent by someone (or your friend) on Facebook Messenger—just don't click on it without thinking twice.

Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials.

Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware was repacked with a few new malicious capabilities earlier this month.

New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.

FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.

Below is a brief outline of what the FacexWorm malware can do:

  • To spread itself further like a worm, the malware requests an OAuth access token for the victim's Facebook account, which it then uses to automatically obtain the victim's friend list and send the malicious, fake YouTube video link to those friends as well.
  • It steals the user's account credentials for Google, MyMonero, and Coinhive when the malware detects that the victim has opened the target website’s login page.
  • FacexWorm also injects a cryptocurrency miner into web pages opened by the victim, which uses the victim computer's CPU power to mine cryptocurrency for the attackers.
  • FacexWorm even hijacks the user's cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
  • When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like "blockchain," "eth-," or "ethereum" in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal the user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.
  • To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
  • The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.