The effects of climate change on cybersecurity
Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however,.....
AI Score -0.5
Node.js third-party modules: [express-cart] Wide CSRF in application
NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report CSRF in...
Nord Security: Hard-coded API keys at NordVpn Android App
Hello NordVpn, APK Version : 4.6.2 APIs at res/values/strings.xml Google google_api_key = AIzaSyBySEqk7_WWee9bxpw5BM1eJeUx1TWdH_E Stripe stripe_publishable_api_key = pk_live_j1Mt911wyZwAhATA9TYdA8q2 Reference; https://stripe.com/docs/keys Impact Cleartext Storage of Sensitive...
AI Score 6.9
Battling online coronavirus scams with facts
Panic and confusion about the recent coronavirus outbreak spurred threat actors to launch several malware campaigns across the world, relying on a tried-and-true method to infect people’s machines: fear. Cybercriminals targeted users in Japan with an Emotet campaign that included malicious Word...
AI Score -0.3
Happy New Fear! Gift-wrapped spam and phishing
Pre-holiday spam. Easy money. In the run-up to Christmas and New Year, scam e-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line. For.....
AI Score 0.2
Dropbox Passes $1M Milestone for Bug-Bounty Payouts
Dropbox, the cloud-based file-sharing service, has reported that it has paid out more than $1 million to bug-bounty hunters since starting its program in 2014. The milestone comes after the service tripled its bounties in 2017, and after running two live hacking events with the HackerOne platform.....
AI Score -0.5
Accusoft ImageGear TIFF TIF_read_stripdata code execution vulnerability
Summary An exploitable out-of-bounds write vulnerability exists in the TIF_read_stripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a...
CVSS 8.8 | AI Score -0.6 | EPSS 0.009
Wawa Breach May Have Compromised More Than 30 Million Payment Cards
In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen...
AI Score 6.7
This tool is intended for penetration testers who want to perform an engagement quickly and efficiently. While this tool can be used for more covert operations (including some additions below), it really shines when used at the scale of a large network. At the core of it, you provide it a list...
AI Score 7.1
Stripo Inc: Information disclosure through Server side resource forgery
Summary: The application https://my.stripo.email has a template feature where we can enter HTML code. By including an iframe in the HTML template, I was able to make a call to my server. This exposed an internally running web application. Please refer below, 63.33.82.168 - -...
AI Score 0.1
Card Skimmer Hits Australian Bushfire Donation Site
Concerned global citizens making donations to help fight the massive Australia bushfires have been caught up in a Magecart attack, after one of the groups implanted a payment-card skimmer on the check-out page of a legitimate online donation site. Researchers ran across the Magecart script, named.....
AI Score 0.4 | EPSS 0.001
Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline
Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance,...
AI Score 0.2
Data Breach Affects 63 Landry's Restaurants
Dining giant Landry’s disclosed a data breach, Thursday, warning that malware had infected its order-entry systems to steal customers’ payment card information. Landry’s, which owns over 600 popular American restaurants across 35 states, such as Del Frisco’s Grill, McCormick & Schmick’s,...
AI Score 0.5
Landry's Restaurant Chain Suffers Payment Card Theft Via PoS Malware
Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale (POS) systems that allowed cybercriminals to steal customers' payment card information. Landry's owns and operates more than 600 bars, restaurants, hotels, casinos, food and beverage...
WordPress Donorbox plugin 7.1-7.1.1 - Stored Cross-Site Scripting (XSS) via plugin shortcode
Stored Cross-Site Scripting (XSS) found by Sybre Waaijer in WordPress Donorbox plugin (versions 7.1-7.1.1). Solution Update the WordPress Donorbox plugin to the latest available version (at least...
AI Score 2.8
Donorbox 7.1~7.1.1 - Stored Cross-Site Scripting via Shortcode
In Donorbox WordPress plugin, one can perform an XSS attack via the included shortcode by inserting arbitrary HTML attributes. This vulnerability was introduced in v7.1 and fixed in v7.1.2. PoC [donate url='/?" autofocus onfocus="alert(window)"...
AI Score 2.4
FIN8 Targets Card Data at Fuel Pumps
The notorious FIN8 cybercrime group has a new target when it comes to skimming payment-card details from consumers: Point-of-sale (PoS) systems used at fuel pumps at gas stations. Visa warned this week in a public alert posted online that its Payment Fraud Disruption (PFD) department has seen at...
AI Score 0.1
Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains
On Nov. 23, one of the cybercrime underground's largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different...
AI Score 6.9
Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor
Mozilla is bumping up its bug bounty payouts and has added new websites and services – including the recently deployed Firefox Monitor – to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities. The browser-maker is doubling bug bounty payouts for most of its...
EPSS 0.024
A week in security (October 28 – November 3)
Last week on Malwarebytes Labs, we celebrated the birth of the Internet 50 years ago, highlighted reports about the US Federal Trade Commission (FTC) filing a case against stalkerware developer Retina-X, issued a PSA on disaster donation scams, looked at the top cybersecurity challenges SMBs face,....
AI Score -0.4
plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options...
CVSS 4.3 | AI Score 4.4 | EPSS 0.001
Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Stripe plugin <=2.0.1. Solution Update the WordPress YITH WooCommerce Stripe plugin to the latest available version (at least...
CVSS 4.3 | AI Score 2.3 | EPSS 0.001
Help prevent disaster donation scams from causing more misery
It’s a sad day when we have to warn people about medical charity scams, or tax fakeouts, or even have a week dedicated to foiling charity fraud—but here we are. With so many natural disasters occurring, from wildfires in California to tornadoes in Dallas, disaster donation scams remain a top...
AI Score 0.9
Takeaways from the $566M BriansClub breach
Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world's largest financial institutions tend to have a much better idea of which merchants and bank cards have been...
AI Score 6.8
The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...
CVSS 6.1 | AI Score 6 | EPSS 0.001
“BriansClub” Hack Rescues 26M Stolen Cards
"BriansClub," one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including....
AI Score 6.7
Mapping the Attack Surface of an Airport
Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh.....
AI Score 7.5
This Week in Security News: IoT Devices Are a Target in Cybercriminal Underground
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how fileless malware abuses PowerShell. Also, read how Trend Micro researchers are pulling back the curtain on the cybercriminal...
AI Score 8.5 | EPSS 0.04
gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe... How does it work? It's important to understand that gitGraber is not designed to check...
AI Score 7.4
The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation...
CVSS 7.5 | AI Score 7.5 | EPSS 0.002
Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and...
CVSS 6.1 | AI Score 6 | EPSS 0.001
Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards
On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the....
AI Score 7.1
Talos DEFCON badge build instructions and use
By Patrick Mullen. We want to thank everyone who stopped by the Cisco Talos booth at DEFCON's Blue Team Village earlier this month. We handed out these badges at our area where we had Snort rules challenges, reverse-Capture the Flag and recruiters ready to answer attendees' career advice...
El Paso and Dayton Tragedy-Related Scams and Malware Campaigns
In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to....
AI Score 6.6
New Facebook ad reporting tool launches in UK
Last year, well-known consumer advice expert Martin Lewis decided to take Facebook to court for defamation. The cause? Multiple bogus adverts placed on the social network featuring his likeness, appearing via the ad network Outbrain. As a trusted face in consumer causes, scammers bolting Lewis'...
Steer clear of Bitcoin Cash generators
Here’s an interesting evolution on a well-worn scam, taking one profit generating fakeout and turning it into something else entirely. For years, gamers have been stuck navigating the treacherous waters of fake video game giveaways. With so many actual genuine gaming giveaways around, you’re never....
AI Score -0.3
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation notice PoC...
AI Score 0.9 | EPSS 0.001 | CVSS 4.3
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation...
AI Score 1.9 | EPSS 0.001 | CVSS 4.3
Hackers Stole Customers' Credit Cards from 103 Checkers and Rally's Restaurants
If you have swiped your payment card at the popular Checkers and Rally's drive-through restaurant chains in the past 2-3 years, you should immediately request your bank to block your card and notify it if you notice any suspicious transaction. Checkers, one of the largest drive-through restaurant...
AI Score 1.5
POS Malware Found at 102 Checkers Restaurant Locations
The popular Checkers and Rally’s drive-through restaurant chain was attacked by Point of Sale (POS) malware impacting 15 percent of its stores across the U.S. Checkers is one of the largest drive-through restaurants in the U.S., operating in 28 states and headquartered in Tampa, Florida. The...
AI Score 0.1