A callback phishing extortion campaign by Luna Moth (aka Silent Ransom Group) has targeted businesses in multiple sectors, including legal and retail. The findings come from Palo Alto Networks’ security team Unit 42, which described the campaign in a new advisory published earlier today. “This campaign leverages extortion without encryption, has cost victims hundreds of
Month: November 2022
Over 1500 apps have been found leaking the Algolia API key & Application ID, potentially exposing user data. Security researchers at CloudSEK shared the data with Infosecurity before publication, adding that 32 of the above applications were found to have critical Admin secrets hardcoded and that the team had identified 57 unique admin keys so far.
by Paul Ducklin Phishing scams that try to trick you into putting your real password into a fake site have been around for decades. As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because: Password managers
The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee. “Hundreds of thousands of emails per day” have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, “the new activity suggests Emotet is returning to its
The cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. The threat actors allegedly claim to have obtained the
On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) published the final part of its three-section series on securing the software supply chain. The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and
by Paul Ducklin Remember those Exchange zero-days that emerged in a blaze of publicity back in September 2022? Those flaws, and attacks based on them, were wittily but misleadingly dubbed ProxyNotShell because the vulnerabilities involved were reminiscent of the ProxyShell security flaw in Exchange that hit the news in August 2021. Fortunately, unlike ProxyShell, the
Both Tor and a VPN can greatly help you keep prying eyes away from your online life, but they’re also two very different beasts. Which suits your needs better? People who want to keep their online activities private are often faced with the question – should I use a virtual private network (VPN) or the Tor anonymity network?
The Indian government on Friday released a draft version of the much-awaited data protection regulation, making it the fourth such effort since it was first proposed in July 2018. The Digital Personal Data Protection Bill, 2022, as it’s called, aims to secure personal data, while also seeking users’ consent in what the draft claims is
The US authorities have urged all agencies to patch VMware systems after revealing that Iranian state-backed actors exploited the Log4Shell bug to compromise a government organization. The alert from the Cybersecurity and Infrastructure Security Agency (CISA) claimed the unnamed Federal Civilian Executive Branch (FCEB) organization was compromised as long ago as February 2022. An incident
The PCI Security Standards Council (PCI SSC) has published a new standard designed to improve the security of mobile-based payments and ease compliance efforts. The council, a cross-industry payment card group responsible for the ubiquitous PCI DSS standard, said the launch recognizes the different security requirements for regular versus mobile payments. Its new standard, Mobile Payments
Cybersecurity has become a public good with the industry tasked with maintaining society’s trust in digital technologies, according to the UK’s National Cyber Security Centre (NCSC) founding CEO. Speaking during the (ISC)2 Secure UK & Europe event, the former NCSC CEO Ciaran Martin highlighted the societal impact of the recent ransomware attack on Australian healthcare
Over half (56%) of Black Friday spam emails received between October 26 and November 6 2022 were scams, according to research from Bitdefender. The firm’s antispam researchers analyzed all unsolicited Black Friday-related emails delivered to its customers over the period, with the vast majority (68%) sent on the final three days (November 4, 5 and
Hundreds of Amazon relational database service (RDS) instances have been found exposed monthly, with extensive leakage of personally identifiable information (PII). The discovery has been made by security researchers at Mitiga, who published a post about the findings on Wednesday. The Platform-as-a-Service (PaaS) tool, first released by Amazon in 2009, provides a database platform based on
Several IT professionals worry that cybersecurity-specific funding might be at risk, suggests new data by JumpCloud. According to the company’s Q4 2022 IT Trends for Small and Medium-Sized Enterprises (SMEs) report, 44% of those surveyed agree their organization will cut spending on cybersecurity in the next year. Published earlier today, the research document also mentions
Swiss authorities have apprehended a Ukrainian national wanted by the Federal Bureau of Investigation (FBI) for 12 years for connections with a cyber-criminal group that stole millions of dollars from bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov was arrested in Geneva on October 23, 2022, and is now pending extradition to the US,
by Paul Ducklin THREE BILLION DOLLARS IN A POPCORN TIN? Radio waves so mysterious they’re known only as X-Rays. Were there six 0-days or only four? The cops who found $3 billion in a popcorn tin. Blue badge confusion. When URL scanning goes wrong. Tracking down every last unpatched file. Why even unlikely exploits can
by Paul Ducklin A bug bounty hunter called David Schütz has just published a detailed report describing how he crossed swords with Google for several months over what he considered a dangerous Android security hole. According to Schütz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life
by Naked Security writer He was sentenced under his real-life name of Ramon, but back in his boastful days of pretending to be a seriously successful real estate agent based in Dubai, you may have seen and heard of him as Ray, or, to give him his full nickname, Ray Hushpuppi. To be clear,
by Paul Ducklin Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage. Their report includes an explanation of how the bug works, plus proof-of-concept (PoC) code showing how to exploit it. Backstage is what’s known as a cloud developer portal
by Paul Ducklin Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month. (As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times
by Paul Ducklin Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter
by Paul Ducklin DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it. Click-and-drag on the soundwaves below to skip to any point. You can also listen
Smishing and vishing are scams where criminals attempt to get users to click a fraudulent link through a phone text message, email, or voicemail. These scams are becoming increasingly popular as cybercriminals try to take advantage of people who are more likely to fall for them, such as those who aren’t as familiar with technology
The joy of purchasing a new device is liberating. Now you can work, learn, and play faster — along with enjoying ample storage space. So, the last thing you’d expect is your apparently safe device being exposed to vulnerabilities, or “bloat.” Exposure to unwanted software can derail its performance and hog its storage within a
Hackers have posted another batch of stolen health records on the dark web—following a breach that could potentially affect nearly 8 million Australian Medibank customers, along with nearly 2 million more international customers. The records were stolen in October’s reported breach at Medibank, one of Australia’s largest private health insurance providers. Given Australia’s population of
Following up on our previous blog, How to Stop the Popups, McAfee Labs saw a sharp decrease in the number of deceptive push notifications reported by McAfee consumers running Microsoft’s Edge browser on Windows. Such browser-delivered push messages appear as toaster pop-ups in the tray above the system clock and are meant to trick users
Authored by Oliver Devane It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX. McAfee has discovered several phishing sites targeting FTX users. One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After
Internet security is a broad term that refers to a wide range of tactics that aim to protect activities conducted over the internet. Implementing internet security measures helps protect users from different online threats like types of malware, phishing attacks, scams, and even unauthorized access by hackers. In this article, we highlight the importance of
Monkey in the middle, the beloved playground staple, extends beyond schoolyards into corporate networks, home desktops, and personal mobile devices in a not-so-fun way. Known as a monkey-in-the-middle or man-in-the-middle attack (MiTM), it’s a type of cybercrime that can happen to anyone. Here’s everything you need to know about mobile MiTM schemes specifically, how to