EUVD-2026-24531

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

FBI Warns of Fake IC3 Websites Designed to Steal Personal Data

The FBI is warning internet users about fake versions of its official IC3 cybercrime reporting website. Learn how to spot these ‘spoofed’ sites, avoid scams where criminals impersonate agents, and protect your personal information by following the FBI’s crucial safety tips...

AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence AI-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivat...

A week in security (July 21 – July 27)

A list of topics we covered in the week of July 21 to July 27 of 2025 Last week on Malwarebytes Labs: Steam games abused to deliver malware once again Watch out: Instagram users targeted in novel phishing campaign Age verification: Child protection or privacy risk? iPhone vs. Android: iPhone user...

FBI Warns of Health Insurance Scam Stealing Personal and Medical Data

The Federal Bureau of Investigation FBI has issued a warning about a scam where criminals pretend to be…...

Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number

The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura. Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a...

Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering

A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee. According to a report published by blockchain analytics firm Elliptic, merchant...

GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets

Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub. The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects...

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data...

Mr. Cooper leaks personal data of 14 million loan and mortgage customers

A major mortgage and loan company based in Dallas, working under the name Mr. Cooper Group Inc. has released more information on a recent breach. In a data breach notification, the company didnt say what type of cyberattack caused the compromise of customer data, calling it a rather non-descripti...

Main phishing and scamming trends and techniques

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on...

400 Banks’ Customers Targeted with Anubis Trojan

Customers of Chase, Wells Fargo, Bank of America and Capital One, along with nearly 400 other financial institutions, are being targeted by a malicious app disguised to look like the official account management platform for French telecom company Orange S.A. Researchers say this is just the...

New Android Malware Targeting US, Canadian Users with COVID-19 Lures

An "insidious" new SMS smishing malware has been found targeting Android mobile users in the U.S. and Canada as part of an ongoing campaign that uses SMS text message lures related to COVID-19 regulations and vaccine information in an attempt to steal personal and financial data. Proofpoint's...

Conti Gang Demands $40M Ransom from Florida School District

UPDATE The Conti Gang has demanded a $40 million ransom from a Fort Lauderdale, Fla., school district after a ransomware attack last month. Attackers stole personal information from students and teachers, disrupted the district’s networks, and caused some services to be unavailable. The incident...

Nude photo theft offers lessons in selfie security

Two former college graduates are in a lot of trouble after breaking into other students accounts and stealing sensitive personal data. They’re facing some serious charges with restitution payments of $35,430, potential jail time, and the threat of very big fines thrown into the mix. What happened...

Active PayPal Phishing Scam Targets SSNs, Passport Photos

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill...

Critical Android Bluetooth Bug Enables RCE, No User Interaction Needed

A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution RCE attacks – without any user interaction. Researchers on Thursday revealed further details behind the critical Android flaw CVE-2020-0022, which was patched earlier...

Two TalkTalk hackers jailed for 2015 data breach that cost it £77 million

Two hackers have been sent to prison for their roles in hacking TalkTalk, one of the biggest UK-based telecommunications company, in 2015 and stealing personal information, banking, and credit card details belonging to more than 156,000 customers. Matthew Hanley, 23, and Connor Allsopp, 21, both...

Online generators… of dashed expectations

Quite recently, we and hence our security solutions started to designate an entire class of sites — gift card generators — as fraudulent, despite their not stealing any money or personal data from visitors. Why? Let's try to unpick these sites and see how they work. How it works Ads for all kinds...

Flexense SyncBreeze 10.7 Cross Site Scripting

Description: URL: l ocalhost/ Affected Component: /?n0ipr0csalert'XSS'n0ipr0cs=1 Vulnerability Type: Cross Site Scripting https://cwe.mitre.org/data/definitions/79.html Vendor of Product: Flexense- SyncBreeze Version: from v10.1 to v10.7 Attack Type: Remote Impact: This attack allows an attacker...