1092 matches found
Jared, Kay Jewelers Parent Fixes Data Leak
The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers. In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receip...
ExxonMobil Bungles Rewards Card Debut
Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that...
Money Laundering Via Author Impersonation on Amazon?
Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he'd made almost $24,000 selling books via Createspace, the company's on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that's full of...
4 Years After Target, the Little Guy is the Target
Dec. 18 marked the fourth anniversary of this site breaking the news about a breach at Target involving some 40 million customer credit and debit cards. It has been fascinating in the years since that epic intrusion to see how organized cyber thieves have shifted from targeting big box retailers ...
Source: Deloitte Breach Affected All Company Email, Admin Accounts
Deloitte, one of the world's "big four" accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted "very few" clients. But according to a source close to the...
Credit Card Breach at Kmart Stores. Again.
For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those...
SEC Investigating Data Leak at First American Financial Corp.
The U.S. Securities and Exchange Commission SEC is investigating a security failure on the Web site of real estate title insurance giant First American Financial Corp. that exposed more than 885 million personal and financial records tied to mortgage deals going back to 2003, KrebsOnSecurity has...
Bomb Threat Hoaxer, DDos Boss Gets 3 Years
The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service DDoS attacks against Web sites -- including KrebsOnSecurity on multiple occasions -- has been sentenced to three years in a U.K. prison, and faces the...
Microsoft Patch Tuesday, June 2018 Edition
Microsoft today pushed out a bevy of software updates to fix more than four dozen security holes in Windows and related software. Almost a quarter of the vulnerabilities addressed in this month's patch batch earned Microsoft's "critical" rating, meaning malware or miscreants can exploit the flaws...
Zyxel Fixes 0day in Network Storage Devices
Patch comes amid active exploitation by ransomware gangs Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage NAS devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the...
Dirt-Cheap, Legit, Windows Software: Pick Two
Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction,...
GovPayNow.com Leaks 14M+ Records
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six...
Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted
A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the "Satori" botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other "Internet of Things" IoT devices. This outcome is hard...
Notorious ‘Hijack Factory’ Shunned from Web
Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company's bandwidth providers chose to sever ties...
Serial SWATter Tyler “SWAuTistic” Barriss Charged with Involuntary Manslaughter
Tyler Raj Barriss, a 25-year-old serial "swatter" whose phony emergency call to Kansas police last month triggered a fatal shooting, has been charged with involuntary manslaughter and faces up to eleven years in prison. Tyler Raj Barriss, in an undated selfie. Barriss's online alias -- "SWAuTisti...
Blowing the Whistle on Bad Attribution
The New York Times this week published a fascinating story about a young programmer in Ukraine who'd turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected ...
PlugwalkJoe Does the Perp Walk
Joseph "PlugwalkJoe" OConnor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor. One day after last summers mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph "PlugwalkJoe" OConnor appeared to...
Microsoft Patch Tuesday, May 2020 Edition
Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you're running Windows on any of your machines it's time once again ...
Cybersecurity Firm Imperva Discloses Breach
Imperva, a leading provider of Internet firewall services that help Web sites block malicious cyberattacks, alerted customers on Tuesday that a recent data breach exposed email addresses, scrambled passwords, API keys and SSL certificates for a subset of its firewall users. Redwood Shores,...
MyEquifax.com Bypasses Credit Freeze PIN
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number PIN which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don't already have an account at the credit bureau's new myEquifax portal, it m...
Calif. Man Pleads Guilty in Fatal Swatting Case, Faces 20+ Years in Prison
A California man who pleaded guilty Tuesday to causing dozens of swatting attacks -- including a deadly incident in Kansas last year -- now faces 20 or more years in prison. Tyler Raj Barriss, in an undated selfie. Tyler Barriss, 25, went by the nickname SWAuTistic on Twitter, and reveled in...
Voice Phishing Scams Are Getting More Clever
Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it's easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you're too smart to fall for one?...
Drugs Tripped Up Suspects In First Known ATM “Jackpotting” Attacks in the US
On Jan. 27, 2018, KrebsOnSecurity published what this author thought was a scoop about the first known incidence of U.S. ATMs being hit with "jackpotting" attacks, a crime in which thieves deploy malware that forces cash machines to spit out money like a loose Las Vegas slot machine. As it happen...
Is Your Mobile Carrier Your Weakest Link?
More online services than ever now offer two-step authentication -- requiring customers to complete a login using their phone or other mobile device after supplying a username and password. But with so many services relying on your mobile for that second factor, there has never been more riding o...
Trump Hotels Hit By 3rd Card Breach in 2 Years
Maybe some of you missed this amid all the breach news recently I know I did, but Trump International Hotels Management LLC last week announced its third credit-card data breach in the past two years. I thought it might be useful to see these events plotted on a timeline, because it suggests that...
‘Petya’ Ransomware Outbreak Goes Global
A new strain of ransomware dubbed "Petya" is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 -- the same bug that was exploited by the recent and prolific WannaCry ransomware...
Patch Tuesday, May 2024 Edition
Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two "zero-day" vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, a...
Tricky Phish Angles for Persistence, Not Passwords
Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user's data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file...
It’s Way Too Easy to Get a .gov Domain Name
Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience...
First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records
The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. NYSE:FAF leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records -- including bank account numbers and...
Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site
LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site -- without the need for any password or other form of authentication or...
New EU Privacy Law May Weaken Security
Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down...
Here’s What to Ask the Former Equifax CEO
Richard Smith -- who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers -- is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are...
Adobe, Apple, Google & Microsoft Patch 0-Day Bugs
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do. On...
How to Tell a Job Offer from an ID Theft Trap
One of the oldest scams around -- the fake job interview that seeks only to harvest your personal and financial data -- is on the rise, the FBI warns. Heres the story of a recent LinkedIn impersonation scam that led to more than 100 people getting duped, and one almost-victim who decided the job...
A Closer Look at the DarkSide Ransomware Gang
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Heres a closer look at the DarkSide...
Alleged Member of Neo-Nazi Swatting Group Charged
Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in "swatting" attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into...
Who Owns Your Wireless Service? Crooks Do.
Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptic...
No Jail Time for “WannaCry Hero”
Marcus Hutchins, the "accidental hero" who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge rul...
Hackers Sell Access to Bait-and-Switch Empire
Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people...
U.S. Mobile Giants Want to be Your Online Identity
The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer's phone and mobile subscriber account, such as location, customer reputation, and physical...
Florida Man Arrested in SIM Swap Conspiracy
Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. On July 18, 2018, Pasco County...
Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage
MyHeritage, an Israeli-based genealogy and DNA testing company, disclosed today that a security researcher found on the Internet a file containing the email addresses and hashed passwords of more than 92 million of its users. MyHeritage says it has no reason to believe other user data was...
Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’
A greater number of ATM skimming incidents now involve so-called "insert skimmers," wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers -- which record card data and store it on a...
Fat Patch Tuesday, February 2024 Edition
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks. Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a...
Red Cross Hack Linked to Iranian Influence Operation?
A network intrusion at the International Committee for the Red Cross ICRC in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the...
Convicted SIM Swapper Gets 3 Years in Jail
A 21-year-old Irishman who pleaded guilty to charges of helping to steal millions of dollars in cryptocurrencies from victims has been sentenced to just under three years in prison. The defendant is part of an alleged conspiracy involving at least eight others in the United States who stand accus...
IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts
Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms' clients...
Microsoft Patch Tuesday, December 2022 Edition
Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web,...
The Security Pros and Cons of Using Email Aliases
One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address -- followed by a notation specific to the site youre signing up at -- lets you create an infinite...