Category Archives: Hacks

Neon amazing party posters free vector set


A tremendous vector resource pack, which contains six neon party poster designs. A very adaptable vector resource pack that can be used in so many different ways, and incorporated into your design work. The posters come in a variety of different colours and designs, giving you a wealth of choice. The pack is certainly one we are very pleased to add to our library of free vector resources, and a pack you will certainly enjoy using in your design work.

A special thanks to the team over at Free Pik who have kindly crafted together this spectacular free icon set exclusive to Creative Nerds readers. Please download the icon set, and tell us what you think in the comments section. Please do also check out Free Pik’s website.

License Details

The design resources distributed on Creative Nerds may be used in commercial and personal design projects, but may not be redistributed or modified for resale. If you have any further questions or queries, don’t hesitate to contact us.


Source: http://ift.tt/2s5sNGE

Equifax or Equiphish?


More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:

[Image: equifaxcare]

As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.
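The sender/link mismatch described above can be checked mechanically. The following is an added example, not part of the original article: it parses a constructed message and flags links whose domain differs from, but resembles, the sender's domain. The sender address, link paths and the two-label `base_domain` shortcut are assumptions.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the mismatch described above (not the real message).
SAMPLE_EMAIL = """\
From: Equifax Care <care@trustedid.com>
To: reader@example.org
Subject: Your enrollment
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click the link below to complete your enrollment.</p>
<a href="https://www.trustedidpremier.com/enroll">Enroll now</a>
<a href="https://trustedid.com/help">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the host name of every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlsplit(href).hostname
        if host:
            self.hosts.append(host.lower())


def base_domain(host):
    # Assumption: the registrable domain is the last two labels. That is wrong
    # for suffixes such as co.uk; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(sender_domain, link_domain):
    """Return 'same', 'lookalike' or 'different' for a link relative to the sender."""
    if sender_domain == link_domain:
        return "same"
    s, l = sender_domain.split(".")[0], link_domain.split(".")[0]
    if not s or not l:
        return "different"
    # One name contained in the other, or a high similarity ratio, is the
    # "confusingly similar" case that trains users to accept lookalikes.
    similar = difflib.SequenceMatcher(None, s, l).ratio() >= 0.75
    if s in l or l in s or similar:
        return "lookalike"
    return "different"


def audit_email(raw):
    """Return (sender_domain, [(link_host, link_domain, verdict), ...])."""
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    findings = [(h, base_domain(h), classify(sender, base_domain(h)))
                for h in collector.hosts]
    return sender, findings


if __name__ == "__main__":
    sender, findings = audit_email(SAMPLE_EMAIL)
    print("sender domain:", sender)
    for host, domain, verdict in findings:
        print(f"  {host:28} {domain:24} {verdict}")
```

A mail team can run a check like this over outbound templates before a campaign goes out, so that every link resolves to the same domain the message is sent from.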

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps, but you see while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service are different from those provided by Equifax (almost certainly to separate Equifax from any consumer liability associated with its monitoring service).

THE BACKSTORY

What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.

WHAT SHOULD YOU DO

These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you the consumer in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
–Press 2 “To learn about fraud or ADD A SECURITY FREEZE”
–Press 2 “for security freeze options”
–Press 1 “to place a security freeze”
–Press 2 “…for all others”
–enter your info when prompted

Innovis: 800-540-2505;
–Press 1 for English
–Press 3 “to place or manage an active duty alert or a SECURITY FREEZE”
–Press 2 “to place or manage a SECURITY FREEZE”
–enter your info when prompted

Transunion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.

http://ift.tt/2jUDuMi Source: http://ift.tt/TKsn16

Google Shopping Proposal to EU, iOS11 Intelligent Ad Blocking, Getting Accurate Rankings: Weekly Forum Update


This week Google presents their proposal for assuaging EU antitrust authorities.

iOS 11 launched to users with new intelligent tracking prevention.

Members discuss how to get accurate rank tracking data and what to do if you’re a well known brand but do not rank for your core short tail term.

Google May Open Up Ad Space to Competitors

View full discussion

In order to meet compliance requirements of European Commission antitrust findings, Google offered a proposal to open up Google Shopping Ad System to allow rivals to bid against Google.

Webmaster World members questioned if this action was sufficient.

Glakes commented that, “I can’t help but to think that despite the offering, its overall value will be limited. One of the key benefits of advertising outside of Google are lower costs and a higher ROI. Allowing competition to come in to bid in bulk may be a ploy to inflate an already high CPC when such competitors would have to outbid Google to participate.”

isellstuff, who owns a shopping comparison site, noted their doubts regarding possible profit margins: “I own a price comparison website in the United States that has a bit of traffic. Google has been offering price comparison websites access to shopping ads for years. This is not a viable option for us due to slim profit margins. The problem being that Google controls the keywords with their shopping ads program. We can use negative keywords, but we can not bid on keywords.

This is a safe offer for Google. They know price comparison websites can not turn a profit via shopping ads. So they are essentially offering smoke and mirrors. They need to offer price comparison websites equal display time via text ads instead of hiding most, if not all text ads and only displaying the shopping ads when highly profitable keywords are used.”

 

Apple blocking ads that follow users around web is ‘sabotage’ – “Intelligent tracking prevention” is here.

View full discussion

The latest version of Apple’s operating system, iOS 11, which became available to users September 19, has a new feature, “intelligent tracking prevention”, that prevents ads that retarget.

Webmasterworld members were split on whether this was a good and responsible action on Apple’s part. Members who did not agree with the action cited that relevant ads are more relevant for users and better for advertisers, since they’re less susceptible to banner blindness. These members also pointed out that there is an opt-out option but did state that it is not intuitive and has to be repeated for every device.

Members who supported Apple’s move agreed with it for a variety of reasons. Some members referenced precedent with print; ergophobe stated, “where was it written that the manufacturers of the hardware that runs the internet have an obligation to make every user trackable? This was never the case with radio, TV, or print ads. Suddenly, the ad industry thinks it’s a God-given right on the internet? I’m sorry, but no.” Ergophobe added, “In my opinion, the ad industry broke the social contract at some point and now they are trying to glue it back together with things like the IABs LEAN campaign and such, but for me and many others, it’s just too late.”

Other members drew the comparison to how email clients developed methods to better control email spam after advertisers began to abuse email marketing.

Accurate Keyword Position Analyzer

View full discussion

A Webmaster World member who purchased a number of paid rank trackers is finding that many of them do not show the correct position. Other members state that for a variety of reasons, it is not possible to get fully accurate position data and that any insights provided are in aggregate and directional.

NickMNS comments, “There is no tool that can give you an accurate picture, because there is no one keyword position (To be clear keyword position == position of your website in SERP when a specific keyword is searched). Personalization, time of day, year, month, location, browsing history, and many more factors all influence what sites are returned for any given search. As such it is simply impossible for any tool to provide an accurate response.

Your best bet is to use search analytics in Google Search Console, it should provide an accurate result. But the result will be an “average” view of the results and for low traffic keywords it may not be representative.”

Google moves to restrict ads for addiction queries

View full discussion

This week it was announced that Google will limit ads for addiction-related queries, including:

“drug detox”
“drug rehabilitation”
“drug treatment program”

While Google takes steps to identify ways to improve how they combat false ads, they will be showing a local pack at the top of search results in the meantime. One question around this issue is whether this change will result in a shift of ad spend in this sector from SEM to SEO while Google figures out new advertising guidelines for addiction.

One Site Or 19?

View full discussion

A consultant is working with a client that has 19 websites targeting specific locations, which have mostly duplicate content. In addition to getting the websites on SSL, Crea8asiteforum members recommend consolidating the sites into either subdomains or branch pages on subdirectories. Additionally, members suggest using location and branch schema to help boost SERP appearance.

Authoritative website & famous product can’t get onto SERP for product category

View full discussion

Over on SEOchat, a member asks why their well known brand is not ranking for key phrases even though they are a top three brand in their niche. One item that was considered is if there is a user intent issue with this phrase in US English and another item considered was on page optimization for the phrase on the homepage.

The post Google Shopping Proposal to EU, iOS11 Intelligent Ad Blocking, Getting Accurate Rankings: Weekly Forum Update appeared first on Internet Marketing Ninjas Blog.

Source: http://ift.tt/2iXujVS

EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner


We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. These are fraud activities impersonating legitimate technical support services, conning unwitting victims to avail/pay for these services (or hand out financial data), by scaring them that their machine has been infected with malware, for instance.

The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or tech support scams. In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.



Figure 1: Timeline of observed Coinhive-related traffic
Note: We saw that EITest started incorporating cryptocurrency mining on September 19 (highlighted).

Figure 2: Country distribution of EITest’s tech support scam

Attack Chain
When a user accesses one of the compromised websites, the website first identifies the browser type via User-Agent information through the HTTP request. It then injects a phishing script directly into the webpage if the user’s browser is Chrome. Our initial tests show that the attack doesn’t affect Firefox.

The phishing script is coded to notify the user to download the Hoefler Text font to properly display the page, but it actually downloads a malicious executable file. EITest takes this up a notch: If the user’s browser is Internet Explorer, he is redirected to a tech support phishing page containing the Coinhive Monero-mining JS script. Below is the snapshot of the malicious script that diverts the user to a traffic direction system (TDS)—a tool that manages redirection of traffic—that then reroutes to the tech support scam website.


Figure 3: Screenshot of the compromised website’s malicious script (Redirect URL of TDS highlighted)

Figure 4: Screenshot of the tech support scam webpage 

The tech support scam webpage poses as a legitimate Microsoft Windows notification, alerting victims that the system has been infected with malware. It will prod the user to call their “technical department” to resolve the issue. Behind the scenes, however, the webpage will load script from Coinhive’s server and launch a JS cryptocurrency miner. Users won’t notice that their system has been affected apart from system lags or performance issues.


Figure 5: How Coinhive’s JS cryptocurrency miner is injected (left), and how it affects the user’s system (right)

Indeed, cybercriminal cryptocurrency mining is gaining traction because it’s an apparent non-zero-sum game. Bad guys can profit even if they don’t invest much on creating their own malware—they can just misuse existing grayware. It also gives them the pseudonymity to keep law enforcement away from their activities.

For end users, however, the impact isn’t just about system wear-and-tear or performance issues. From January 1 to June 24, for instance, our sensors noted that 20% of cryptocurrency-mining activities entailed web- and network-based attacks. From cross-site scripting and remote code execution to brute force attacks and SQL injection, intrusive and malicious cryptocurrency mining can threaten the availability and security of a network or system, and the data stored on them. Worse, victims become part of the problem.

Follow best practices to mitigate cryptocurrency-mining-related attacks. Regularly update and patch your system (including your browsers) and be more prudent against socially engineered attack vectors such as suspicious websites and email attachments. You can consider using JS-blocking applications to prevent scripts like Coinhive’s from running. There’s also a silver lining. Given the nature of Coinhive’s Monero-mining script, it has no persistence mechanism—closing the website/browser will stop the script from running.

Trend Micro Solutions
Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related URLs. Trend Micro™ Smart Protection Suites deliver several capabilities like high fidelity machine learning, web reputation services, behavior monitoring and application control that minimize the impact of this threat.

 

Indicators of Compromise:
Domains and IP address related to the TDS Server:

  • mackenzie190912[.]gq
  • mackenzie19091[.]gq
  • 162[.]244[.]35[.]210

Domain and IP addresses related to the tech support scam:

  • angel200911[.]ml
  • 162[.]244[.]35[.]35
  • 162[.]244[.]35[.]36
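One way to put the indicators above to work, as an added example that is not Trend Micro's code: the script refangs the listed domains and IPs, matches them against a constructed proxy log by exact host, and reports how far along the chain (TDS, scam page, miner script) each client got. The log format, the sample lines and the `coinhive` host-label match are assumptions.

```python
import re
from urllib.parse import urlsplit

# IoCs copied from the list above, still defanged.
TDS_IOCS = ["mackenzie190912[.]gq", "mackenzie19091[.]gq", "162[.]244[.]35[.]210"]
SCAM_IOCS = ["angel200911[.]ml", "162[.]244[.]35[.]35", "162[.]244[.]35[.]36"]


def refang(ioc):
    """Turn a defanged indicator back into a matchable host string."""
    return ioc.replace("[.]", ".").lower()


IOC_ROLE = {refang(i): "tds" for i in TDS_IOCS}
IOC_ROLE.update({refang(i): "scam-page" for i in SCAM_IOCS})

# Assumption: the miner script comes from a host with a "coinhive" label. The
# post only says it loads from Coinhive's server and does not name the host.
MINER_HOST = re.compile(r"(^|\.)coinhive\.")

# Constructed log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_LOG = [  # constructed lines; hosts other than the IoCs are placeholders
    f'2017-09-20T10:00:01Z 10.0.0.5 GET http://blog.example.org/ 200 "{IE_UA}"',
    f'2017-09-20T10:00:02Z 10.0.0.5 GET http://mackenzie190912.gq/ 302 "{IE_UA}"',
    f'2017-09-20T10:00:03Z 10.0.0.5 GET http://angel200911.ml/ 200 "{IE_UA}"',
    f'2017-09-20T10:00:04Z 10.0.0.5 GET http://coinhive.example/miner.js 200 "{IE_UA}"',
    f'2017-09-20T11:15:00Z 10.0.0.9 GET http://162.244.35.210/ 302 "{IE_UA}"',
    f'2017-09-20T12:30:00Z 10.0.0.12 GET http://notmackenzie19091.gq.example.net/ 200 "{IE_UA}"',
]


def match_role(host):
    """Exact host (or subdomain) match, so lookalike strings do not false-positive."""
    host = host.lower().rstrip(".")
    for ioc, role in IOC_ROLE.items():
        if host == ioc or host.endswith("." + ioc):
            return role
    return "miner-script" if MINER_HOST.search(host) else None


def scan(lines):
    """Return {client_ip: [(timestamp, role, host), ...]} for matching requests."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status, _ua = m.groups()
        host = urlsplit(url).hostname or ""
        role = match_role(host)
        if role:
            hits.setdefault(client, []).append((ts, role, host))
    return hits


def triage(hits):
    """Summarise, per client, the furthest stage of the chain that was observed."""
    report = {}
    for client, events in hits.items():
        events = sorted(events)  # ISO-8601 timestamps sort chronologically
        scam_ts = next((ts for ts, role, _ in events if role == "scam-page"), None)
        mined = [ts for ts, role, _ in events if role == "miner-script"]
        if scam_ts and any(ts >= scam_ts for ts in mined):
            report[client] = "miner loaded after scam page"
        elif scam_ts:
            report[client] = "scam page reached"
        elif mined:
            report[client] = "miner script only"
        else:
            report[client] = "tds redirect only"
    return report


if __name__ == "__main__":
    for client, verdict in triage(scan(SAMPLE_LOG)).items():
        print(client, "->", verdict)
```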

With additional insights/analysis from Samuel P. Wang

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


http://ift.tt/2wb1Sec Source: http://ift.tt/1amucZ5

How to Vet a New Marketing Channel in 3 Days or Less


I get this question a lot.

“What marketing channel should I focus on?”

There are many make or break decisions in business. This is one of them.

The thing is, I can’t give you a cut and dry answer.

The nature of your business matters. So does the audience you wish to target.

What I will do instead is give you a method for figuring this out for yourself.

If you’re starting a new business, this decision is critical. Focusing on the wrong marketing channel can set you back months and maybe even years.

If you’re expanding into a new market, selecting the wrong channel can also have massive ramifications.

You’d be putting your existing operations at risk for a new channel that may not pan out.

Just take a look at all the challenges marketers have to overcome:

[Image: top marketing challenges]

You can imagine that each channel comes with a unique set of difficulties.

This speaks to the importance of vetting your marketing plan before you set it in motion.

There’s too much at stake.

In this article, I’ll show you how you can evaluate your options and narrow down the best choice quickly.

You don’t need more than three days to get this done.

But first, I have a bit of wisdom to share.

Resist the urge to diversify

You know that voice in your head that says you need to be everywhere at once? That fear of missing out if you don’t at least try everything?

It’s a diversion. Resist it.

It is imperative that you focus on one marketing channel.

At least in the beginning.

You’ll shortchange your success if you spread yourself thin.

Here’s why:

  • You’ll have less impact. If you’re focusing on several channels, you’re not doing everything you can to excel in any one of them.
  • It will cost you more. Testing and thriving with a multichannel approach costs way more than you may be willing to spend. If you want an organic and cost-effective approach, stick to one channel.
  • You’ll never actually know where your strength lies. Jumping from channel to channel means you won’t truly know the impact of one particular strategy on your business.
  • You’ll remain at the heels of your competitors. That’s not where you want to be, is it? You want to be ahead, and the way to do that is to establish dominance in your market.

Now, don’t misunderstand me.

I’m not saying you should go all in on one channel and forget the rest.

But multichannel marketing is complex. Only 30% of marketers are confident they can deliver on such a strategy:

[Image: The Importance of Multichannel Marketing infographic]

That’s not a lot.

What I’m advocating for is starting from a position of dominance.

Put your energy into one strategy until it succeeds. Then, piggyback on that success to achieve wins in other areas.

Does that make sense?

The steps in this article will be geared towards helping you place a bullseye on the ONE channel that will serve you best.

Now that we got that out of the way, let’s begin.

Step #1: Know your options

The first thing you want to do is brainstorm all your possible options.

This isn’t something you have to conjure up out of thin air.

You can connect with your target audience and spread your message in many different ways.

Better yet, each channel has several subsets that you can zone in on.

Here’s a good representation:

[Image: How Does Digital Marketing Work, Common SEO Questions]

Many of these overlap. Some have even morphed into each other.

It can get confusing, quickly.

For example, some people consider SEO to be one marketing channel.

But I can’t imagine a world where SEO and content marketing aren’t intertwined. You can’t do one without the other.

The same goes for social media and paid advertising.

They’re different channels. But there’s a convergence.

Let’s imagine you decide to focus on Facebook as your primary social media platform. It would be unwise to not experiment with Facebook Ads.

Considering that Facebook has developed one of the greatest ad products out there, you’d be underutilizing the full power of the platform.

Marketers agree. Almost 57% plan to increase their social media ad spend.

[Image: Industry Statistics: Social Media Ad Spending Set to Exceed US 35 Billion]

I say all this to make a simple point.

While you may zone in on one channel, you’ll see lots of overlap you shouldn’t ignore.

Go where your audience takes you.

Let’s look at some of your options.

Content marketing

This is about creating and promoting material relevant to your target audience.

Content marketing is central to your success.

It’s been reported 90% of businesses market using this channel.

[Image: Content Marketing Strategy: Top 12 Proven Ways You Must Follow]

It means that no matter what strategy you use, content will be a part of it.

You can narrow your content down to blogging, guest blogging, podcasts, webinars, email, etc.

Social media marketing

You can use social media as your platform to get noticed, build authority, and grow a community.

You can also use it to drive traffic to your main site.

Or you can do both. It’s effective either way.

Paid advertising

Much of marketing is organic and will take time to generate results.

Paid advertising is one way to accelerate that.

The downside is, you have to pay to play.

Facebook ads, other social media ads, print ads, PPC, and direct response fall into this category.

Public relations  

PR is about building relationships and capitalizing on the optics of your business.

It can be both online and offline. Press releases, conferences, events, interviews, and sponsorships are a few examples.

As you can see, you have no shortage of options when it comes to marketing.

I’ve given an overview of the main ones, but you are not limited to them.

Step #2: Choose the channels aligned with your business goals

You now have an idea of what’s available to you.

It’s time to make a list of all the channels that will serve your business.

Start with your business goals.

Some marketing channels are better suited to achieving a particular goal than others.

Goal setting is a flexible thing. You can make changes as your business evolves.

This means that the marketing channel you use right now may not be viable in the future, once your business progresses.

Consider what stage your business is in and what your goal for the next 90 days is.

According to Jay Abraham, there are only three ways to grow a business:

  • Increase the number of customers
  • Increase the frequency with which a customer buys from you
  • Increase the amount that a customer spends on a purchase

[Image: infographic, 3 ways to grow your business]

Your business goals should serve one of these three phases of business.

If you’re still at the first stage, your goals might be brand awareness, lead generation, and customer acquisition.

If you already have a list of buyers, your goal might be to increase sales.

What if you already have a reliable stream of sales?

There’s no such thing as too many sales, but your goal at this point might be to maximize profits and retain customers.

Here’s what most businesses are prioritizing:

[Image: 20 Lead Nurturing Statistics Charts for 2017]

These may or may not apply to you. Just focus on what your business needs at the moment.

This way, you don’t set goals that aren’t yet attainable.

By extension, it ensures you don’t waste time and resources on a marketing channel that won’t serve your business well.

How do you select a channel that’s right for your business goals?

Before you even start testing, do some elimination.

I’ll give you a few examples, and you’ll have to apply this knowledge to your business.

Let’s say your goal is brand awareness.

PR, social media, content marketing, and even paid advertising can be used for this purpose.

The easy solution?

Eliminate the channels that would be less efficient.

For instance, paid advertising won’t be the most useful for brand awareness.

But for sales or lead generation? It can crush it! (If you know what you’re doing, that is).

Take a look at some of the business goals that apply to the content marketing channel. It will give you an idea of what to aim for:


It’s also important to take into consideration what feels the most organic for your business.

If you’re selling something like hoverboards or bicycles, would blog posts serve you the best?

Not likely.

These products are lifestyle-based. You’d be better off using a visual channel that will allow you to provide an experience to potential customers.

Immediately, social media comes to mind.

Then you begin to narrow it down to Instagram or YouTube.

This is a logical process that won’t take you more than an hour to figure out.

You don’t have to find that one channel yet. Just eliminate what won’t work, and rank your remaining options.

Step #3: Narrow down the list by going where your audience is

At this point, you’ve got a few options. It’s time to prioritize.

This one is easy. Find your potential customers.

A marketing channel can serve your goal, but there are many platforms you can focus on.

If your customers are not hanging out there, you’ll be wasting your time.

Note:

The point of this article is not to find you a slam dunk marketing channel right away.

That would take testing and experimentation.

The goal here is to help you validate your chosen channel. This way, you know it’s viable before you start testing it.

Here’s my best advice for finding out where the attention is:

  • SEO is a great place to start
  • competitive research is a must
  • you can’t go wrong with social media

Let’s look at each of these.

SEO

A majority of online interactions begin with a search engine (mostly Google).

The first step is to evaluate the SEO landscape by searching for keywords in your industry.

You’ll find out what your audience is searching for and how often.

This is not just essential for finding out what’s happening online. Let’s say there aren’t that many monthly searches for your keywords.

You may want to focus on an offline channel.

Or you may decide this is a gap you can take advantage of.

You won’t know until you do some basic keyword research.

A simple tool like the Google Keyword Planner will work.

Type in your keyword to get search volume data.


Competition research

If you want to know where your customers hang out, find your competitors.

First, identify the competitors.

A simple Google search will do the trick. The biggest players are those who rank on the first page of the SERPs.

Once you’ve got a solid list, use a tool like SimilarWeb for your research.

Enter your competitor’s website and press enter:


You’ll find a range of data. Pay attention to “Traffic source:”


For Quick Sprout, the highest traffic source is search.

Naturally, my primary marketing channel would be SEO and blogging.

Direct is a close second, but it’s a bit trickier to figure out.

It represents people who type in your URL directly. It doesn’t tell you where these people first came into contact with your business.

The next step is to check out the individual breakdown of each traffic source.

You can see where referrals are coming from:


Since SEO is my dominant traffic source, I’ll pay particular attention to my top organic keywords:


You can also see which social media platform is the most popular. Mine is Facebook.


Social media

I like to take social media research a bit further.

The tool to use is BuzzSumo.

Type in your competitor’s domain. You can also search for a keyword:


You’ll see all the top performing content on the site and which social platform generated the most shares.

Using SimilarWeb, we saw that Facebook was Quick Sprout’s top platform.

BuzzSumo tells the same story:


If you want to take this a bit further, you can go to these individual platforms and do some sleuthing.

Check out the groups with the most members, listen in on the conversations, and get a feel for what your audience is focusing on.

When you go through this process, you may find you have two or three reliable options.

Which do you select?

I have three criteria.

Cheap. Fast. Easy.

You want to pick a channel that won’t cost you too much, if anything, to get started.

You also want a channel that doesn’t have a steep learning curve. Otherwise, you may spend too much time and money trying to figure it out.

Lastly, pick the channel that will allow you to make the most headway, quickly.

You must pick one, so use these criteria as the final litmus test.

Conclusion

Selecting a new marketing channel is a tall order.

It’s important you take some time to validate a potential channel before you focus on it.

Marketing requires time, which can easily be wasted on ineffective strategies.

It also requires cash.

It means you’d want to see a solid return on both your time and money investment.

The surest way to secure an attractive ROI is to vet potential marketing channels first.

You can then test and double down on what’s working.

Most people don’t go through this process of validation and testing.

As long as you keep experimenting and tweaking your strategy based on your results, you’ll have a significant advantage over your competitors.

What is your most effective marketing channel?

Source: http://ift.tt/UU7LJr

OptionsBleed – The Apache HTTP Server Now Bleeds


A new vulnerability in the Apache HTTP server was found recently. Designated as CVE-2017-9798, this vulnerability lies in how Apache handles certain settings in its configuration files, resulting in memory leaks. This vulnerability is named OptionsBleed, based on its similarities with the Heartbleed vulnerability. Patches to Apache are now available.

What is OptionsBleed?

A use-after-free bug exists in the Apache HTTP Server when it handles certain settings in .htaccess configuration file(s). When an attacker sends an unauthenticated HTTP request with the OPTIONS method to a vulnerable Apache server, the server reveals some secret data from the memory in response to the request.

The following screenshot shows a typical response for an OPTIONS request from a vulnerable Apache HTTP Server. The highlighted part is the information leaked from the memory:

Figure 1. Memory leak resulting from OPTIONS request

As per Hanno Böck (the researcher who found this vulnerability) and Apache developer Jacob Champion, Apache supports a configuration directive Limit that restricts access to certain HTTP methods to specific users. If one sets this directive in a .htaccess file for an HTTP method that’s not globally registered with the server, the corruption occurs. We were able to reproduce this vulnerability when the value for Limit directive is set to an invalid (or custom) HTTP method in the .htaccess file.
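The precondition described above can be audited on a host you administer. The following is an added example, not code from the original post or from the Apache project: it scans .htaccess files for `<Limit>` sections that name a method outside the registered set. The `REGISTERED` list, the function names and the sample file are assumptions made for illustration.

```python
import os
import re

# Assumption: methods httpd's core registers at startup. Modules can register
# more, so pass your own set if your build differs.
REGISTERED = frozenset("""
GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH MKCOL
COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN UPDATE LABEL
REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE
""".split())

# Opening <Limit ...> tag only; </Limit> and commented-out lines do not match.
LIMIT_OPEN = re.compile(r"^\s*<\s*Limit\s+([^>]*)>", re.IGNORECASE)

def audit_htaccess(text, registered=REGISTERED):
    """Return (line_number, method) for each <Limit> method not in `registered`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LIMIT_OPEN.match(line)
        if match:
            # Method names are compared case-sensitively.
            findings += [(lineno, m) for m in match.group(1).split()
                         if m not in registered]
    return findings

def audit_tree(docroot, registered=REGISTERED):
    """Walk a document root; map each offending .htaccess path to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read(), registered)
            if found:
                results[path] = found
    return results

# Constructed sample, not taken from the page.
SAMPLE = """\
# constructed .htaccess for illustration
<Limit GET POST>
    Require valid-user
</Limit>
# <Limit commentedout>
<Limit abcxyz>
    Require all denied
</Limit>
"""

if __name__ == "__main__":
    for lineno, method in audit_htaccess(SAMPLE):
        print(f"line {lineno}: <Limit> names unregistered method {method!r}")
```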

While doing further debugging, we noticed that the OPTIONS method is not needed to exploit this bug. Any HTTP request that forces the server to send an Allow header in the response can be used to trigger the vulnerability.

One common example of this is the 501 Method Not Implemented response to a request with an unknown HTTP method. As shown in the screenshot below, when a non-vulnerable Apache HTTP Server receives an HTTP Request with an unknown method, it responds with HTTP Status code 501 and the response will have the Allow header with a list of HTTP methods supported by the server.

Figure 2. Correct HTTP 501 response

With a vulnerable server and a misconfigured .htaccess file, the same HTTP Request with an unknown method will leak parts of data from process memory in the Allow response header, as shown below.

Figure 3. Memory leak resulting from a misconfigured .htaccess file
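For detection, the corrupted Allow header is the observable symptom. The following is an added example, not code from the original post: it checks Allow values in responses already captured from your own servers and flags entries that cannot be a list of HTTP method tokens. The function names and the two captured responses are constructed for illustration.

```python
import re

# RFC 7230 "token": the only characters a method name in Allow may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def allow_anomalies(value):
    """Return reasons why an Allow header value does not look like a method list."""
    if not value.strip():
        return []  # an empty Allow list is legal
    reasons, seen = [], set()
    for raw in value.split(","):
        item = raw.strip(" \t")
        if not item:
            reasons.append("empty list element")
        elif not TOKEN.fullmatch(item):
            reasons.append(f"not an HTTP token: {item!r}")
        elif item in seen:
            reasons.append(f"duplicate method: {item}")
        seen.add(item)
    return reasons

def scan_responses(raw_responses):
    """Return (index, reasons) for each captured response with a suspect Allow."""
    hits = []
    for index, raw in enumerate(raw_responses):
        # latin-1 maps every byte to a character, so odd bytes never raise.
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        for line in head.split("\r\n")[1:]:  # skip the status line
            name, _, value = line.partition(":")
            if name.strip().lower() == "allow":
                reasons = allow_anomalies(value)
                if reasons:
                    hits.append((index, reasons))
    return hits

# Constructed captures: the second imitates corruption, it is not real leaked data.
CAPTURED = [
    b"HTTP/1.1 501 Not Implemented\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,,HEAD,:09:44 GMT,POST\r\n\r\nbody",
]

if __name__ == "__main__":
    for index, reasons in scan_responses(CAPTURED):
        print(f"response {index}: " + "; ".join(reasons))
```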

How serious is it?

In general, .htaccess files provide a way to make configuration changes on a per-directory basis instead of using the main server configuration file.

The official Apache HowTo Guide for .htaccess file says:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Looking at the above guidelines and considering the necessary pre-conditions, OptionsBleed doesn’t appear to be a critical bug.

However, when a user does not have access to the main server configuration file, the .htaccess file can be used to set configurations specific to your website. This will be the case in typical shared web hosting environments, where ISPs do not share root access to the server system and the main server configuration file.

An attacker using a shared host can maliciously craft a .htaccess file for his own website and use the vulnerability to try to collect the memory leaks. This may contain sensitive data from any other co-hosted websites. Shared hosting is commonly used by many site owners with limited requirements; OptionsBleed puts those users at risk.

Both the 2.2.x (up to 2.2.34) and the 2.4.x branches (up to 2.4.27) are affected by this vulnerability. Patches have already been released by many Linux distributions to cover this flaw, and we recommend that system administrators apply them if they haven’t already.

Conclusion

Deep Security customers can use the following DPI Rule to configure allowed HTTP methods in their environment and restrict the possibility of data leak through requests with unknown HTTP methods.

  • 1002593 – Allow HTTP (Including WebDAV) Methods

System administrators should upgrade their installed versions of Apache HTTP Servers and disable the use of .htaccess files, if possible. Site owners without access to these directly and reliant on their ISPs should prod these service providers to upgrade as well.

TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that is available for customers to download on TMC. The applicable rule is as follows:

  • C1000002: HTTP: Apache Server Options Information Disclosure Vulnerability

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


http://ift.tt/2jRle6e Source: http://ift.tt/1amucZ5

How to use demand generation channels to effectively expand your reach


As Q4 approaches, it’s crucial that you plan to capitalize on all the traffic that comes with it.

We all know how effective search is, but it’s also limited to those already in the hunt for what you’re offering.

To continue to scale, you need to effectively get in front of audiences that aren’t yet interested – but could be! – in your service/product. That’s where demand generation comes in, and marketers have more (and better) options for demand generation than ever.

As we head full-steam into Q4, here’s a list of demand generation channels, considerations of when to make use of them to expand your reach, and best practices we’ve honed across clients of all budgets.

Google Display Network

Once rather maligned, the GDN provides a number of targeting options that allow you to leverage the thousands of data points they collect on users across the web. Among the most effective targeting options when it comes to both demand generation and direct response are:

Keyword contextual targeting

Choose your top 10-15 keywords and let Google place ads accordingly.

My strong recommendation is to start off with content-based keyword targeting first; this gives you more control over what is being targeted (websites relevant to your keywords). When you select “audience”-based keyword contextual targeting, you end up targeting a significantly larger group of users where the targeting is not only websites relevant to your keywords but also audiences who may be interested.

This gives Google a lot of power to find users – but it also opens you up to more risk. By starting out with content, you are taking a low-risk approach to GDN. As you see success and build up conversion history, feel free to experiment with audience targeting.

In-market audiences

Based on audience behavior, Google determines users who are currently shopping for different products/categories. The feature combines search intent with display’s reach, and it’s definitely worth testing.

Custom affinity audiences

If you provide Google with competitor websites or industry-relevant domains, CAA will analyze the types of audiences visiting those sites (demographics, interests, website topics) and target audiences similar to them. I recommend that you test by starting off with your top 5 competitors.

As you build conversions – about 40+ conversions is a good benchmark – I would strongly recommend switching your bidding style to CPA optimizer and allowing Google to leverage its thousands of data points and optimize towards your target CPA. We’ve had a lot of success with this option.

Facebook/Instagram

The Facebook/Instagram duo offers powerful audience targeting capabilities. We’ve seen two strategies work consistently:

Make use of lookalike targeting and base your seed lists off your customers

Rather than taking your full customer list, however, segment by identifiable characteristics. I typically recommend high LTV or high AOV, or segmenting by category/type depending on the product or business. If you have a big enough seed list, start by testing a 1% audience, as those users will be most similar to your existing customers.

Use interest/behavior targeting and insights from the platform’s Audience Insights tool

Upload your top customers to Audience Insights and analyze the valuable demographic, interest-based data. Now begin building various personas of audiences you want to target (each ad set should represent a different persona).

When selecting your targeting options within Facebook, layer in demographic data from the Insights tool to make these audiences more relevant.

Pinterest

I recommend this fast-growing channel more for ecommerce than B2B. Remember that Pinterest is somewhat intent-driven, as users are typing in keywords to look for relevant pins. Start off with your top keyword list and test from there, and focus on strong creative that can stand out among the many other pins.

Your Pinterest creative should be eye-catching, high quality, and include compelling images of the product. Write detailed descriptions highlighting the most compelling aspects of the product and inviting users to click on the ad, and leverage text overlays on your pins to help any core message stand out.

Twitter

Twitter tends to perform well for B2B or more technical businesses. I recommend that you leverage lookalike targeting on your top-performing customer segments; you can also try targeting followers of certain influencers who may be core to your brand or followers of competitors in the industry.

Last general recommendation: begin leveraging these options ASAP so you can build up a retargeting audience to engage when purchase motivation is higher. Cast a wide net now, and you’ll have more fish to land in the holiday season.

Source: http://ift.tt/1JcVoR1