Google Pulls Data-Chugging App From iOS Devices
Google has found itself in hot water for a research app that may have violated Apple’s policies by collecting user data in exchange for gift cards. The tech giant said it has now disabled Screenwise Meter “audience measurement” app – which voluntarily collects data from users’ phones, browsers and...
Mac "CookieMiner" Malware Aims to Gobble Crypto Funds
A newly-discovered malware is targeting Mac users’ web cookies and credentials in hopes of withdrawing funds on their cryptocurrency exchange accounts. The malware, discovered this month and aptly named “CookieMiner,” collects cryptocurrency-related cookies – in addition to compromised credential...
Attackers Can Track Kids' Locations via Connected Watches
Despite ongoing warnings about connected watches and toys endangering kids’ privacy and potentially their physical safety, makers of these Internet of Things gadgets continue to turn out products that do just that. The latest concern is a gamut of kids’ GPS-tracking watches, which were found to b...
Stealthy Malware Disguises Itself as a WordPress License Key
UPDATE A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme. According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.”...
Apple Blasts Facebook Over Data-Sucking 'Research' App
Apple has revoked Facebook’s enterprise iOS developer certificate on the heels of a “Facebook Research” VPN app that was being distributed to consumers; the app paid teens and Millennial users in exchange for being able to track their phone and web activity, and has been available since 2016. App...
Japan to Hunt Down Citizens' Insecure IoT Devices
The Japanese government is taking the problem of insecure IoT devices into its own hands, with what some say is an audacious plan to carry out wide-scale penetration testing on its citizens’ gadgets. The country’s National Institute of Information and Communications Technology (NICT) has been taske...
2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next: Pt. 2
Our first 2019 predictions post from the RSA Conference Advisory Board was not all sunshine and roses — cautious optimism was tabled by the acknowledged distance we must still travel as an industry — and our second set of predictions does not belie that theme. This trepidation does not mean we’re...
Feds Dismantle Dark Web Credentials Market
Law-enforcement agencies across the world have taken aim at Dark Web denizens this week, with the takedown of a credentials marketplace as well as continued action against former users of the Webstresser.org DDoS-for-hire site. An international law-enforcement operation has dismantled the xDedic...
Mozilla Firefox 65 Ups the Ante on Privacy with Anti-Tracking Efforts
Mozilla has unveiled new anti-tracking policies and redesigned privacy controls in tandem with the release of Firefox 65 on Tuesday. The company announced a new set of redesigned controls for the Content Blocking section, where users can choose their desired level of privacy protection. These are...
Apple Disables Group FaceTime Following Major Privacy Glitch
Apple has made Group FaceTime temporarily unavailable following a major flaw discovered on Monday evening. The bug allows anyone with iOS to FaceTime other iOS users and listen in on their private conversations – without the user on other end rejecting or accepting the call. The bug makes use of ...
Researchers Allege 'Systemic' Privacy, Security Flaws in Popular IoT Devices
Researchers are highlighting the insecure nature of Internet of Things devices in a report released Tuesday alleging a bevy of popular consumer connected devices sold at major retailers such as Walmart and Best Buy are riddled with security holes and privacy issues. In analyzing 12 different IoT...
2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next
Just when we thought we’d escaped 2018 without an attack on the scale of WannaCry, NotPetya or Equifax, we were struck by Marriott’s November news of a breach affecting 500 million guests and once again reminded that complacency is the enemy of cybersecurity. We were also reminded that predicting...
Dailymotion Fights Ongoing Credential-Stuffing Attack
Dailymotion, the video-sharing platform, said Friday that it had fallen victim to a “large-scale” and ongoing credential-stuffing assault by attackers looking to harvest user data. The French YouTube competitor said in an alert that it has “successfully contained the attacks following the...
Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution
UPDATE Malicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday. According to Bad Packets Report’s honeypot data, cyberattackers are targeting a...
WordPress Users Urged to Delete Zero-Day-Ridden Plugin
Researchers are urging WordPress site owners to delete a compromised plugin after multiple zero-day vulnerabilities were discovered being exploited by a malicious actor. Researchers at Wordfence said on Friday that flaws in the plugin, Total Donations, are being exploited by malicious actors to...
LabKey Vulnerabilities Threaten Medical Research Data
A trio of vulnerabilities in a popular open source medical data collaboration tool leaves important healthcare research data and potentially subject information open to multiple cross-site scripting (XSS) attacks. The flaws are serious as they allow an attacker to retrieve user credentials once a...
Threatpost News Wrap Podcast For Jan. 25
Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell discuss the biggest news from this week. That includes a rare “emergency directive” issued by the Department of Homeland Security on Tuesday, which warned that multiple government domains have been targeted by DNS hijacking attacks...
Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch
An array of phishing emails harboring Word attachments with embedded macros have been infecting systems with a deadly malware and ransomware duo. The campaign, spotted by researchers at Carbon Black, has hit infected systems with a lethal attack combination that harvests credentials, gathers syst...
Razy Malware Attacks Browser Extensions to Steal Cryptocurrency
UPDATE A Windows malware dubbed “Razy” has been uncovered that sports a toolbox of cryptocurrency theft and fraud tools. Razy works by weaponizing browser extensions in order to perpetrate a range of online scams on unwitting victims. According to researchers at Kaspersky Lab, the trojan targets...
Fighting Fire with Fire: API Automation Risks
Akamai research shows that 83 percent of all traffic on the web today are API calls (JSON / XML). In many cases this fast growth can be attributed to the adoption and popularity of mobile devices and the mobile app ecosystem, as well as the abuse by threat actors using bots to automate their manual...
ThreatList: Credential-Sniffing Phishing Attacks Erupted in 2018
Phishing attacks have continued to grow over the past year – but now, it appears that more bad actors are launching these tricky attacks in hopes of scooping up credentials, rather than a previously-popular goal of infecting victims’ devices with malware. The new trend was outlined by Proofpoint...
Bit-and-Piece DDoS Method Emerges to Torment ISPs
A pioneering distributed denial-of-service (DDoS) attack pattern has emerged, targeting internet service providers (ISPs) with something researchers have dubbed the bit-and-piece “Mongol” attack. The approach involves spreading out junk traffic across large numbers of IP addresses in order to evade...
Redaman Spams Russian Banking Customers with Rotating Tactics
The Redaman banking trojan ramped up its activity in the last part of 2018, employing ongoing back-end changes in order to evade detection, according to a new Wednesday report. Redaman as a malware first came on the scene in 2015, and since then has consistently targeted victims that use Russian...
Malware in Ad-Based Images Targets Mac Users
A massive adware campaign has so far impacted up to a million Mac users, using a tricky steganography technique to hide malware in image files. Researchers at Confiant and Malwarebytes said the attacks have been running since Jan. 11, using ads on the web and steganography to spread; steganograph...
Monero: Cybercrime's Top Choice for Mining Malware
An academic analysis of cryptomining malware has determined that the Monero virtual currency (XMR) is “by far” the most popular cryptocurrency to mine among cybercriminals. And, it would appear that cryptomining as a criminal enterprise is unlikely to wane anytime soon. After examining approximatel...
6 Signs of Successful Threat Hunting
When a threat hunting program is established by an organization, their goal is to proactively hunt threats, with a focus on newer, more sophisticated attacks for which reliable signatures or indicators are not yet available. However, without an effective threat hunting program, the attacker is...
'Chaos' iPhone X Attack Alleges Remote Jailbreak
A Chinese security researcher has published what he claims is a proof-of-concept exploit that would allow a remote attacker to jailbreak an iPhone X, unbeknownst to the user – allowing them to gain access to a victim’s data, processing power and more. Qixun Zhao of Qihoo 360 built the exploit, whi...
U.S. Gov Issues Urgent Warning of DNS Hijacking Attacks
The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days. The department’s rare “emergency directive,” issued Tuesday, warned that multiple government domains have been targeted by DNS...
Microsoft Windows RCE Flaw Gets Temporary Micropatch
Three unfixed Microsoft Windows vulnerabilities have been assigned unofficial, temporary micropatches – including a recently-disclosed high-severity remote code-execution flaw. The micropatches were released Tuesday by ACROS Security’s 0patch platform. 0patch, which is still in its beta stage,...
RogueRobin Malware Uses Google Drive as C2 Channel
A custom malware used by the APT known as DarkHydrus uses a mix of novel techniques, including using Google Drive as an alternate command-and-control (C2) channel. According to Palo Alto’s Unit 42 intelligence division, the targeted attack involved spear-phishing emails written in Arabic sent to...
How Web Apps Can Turn Browser Extensions Into Backdoors
Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be compromised by an adversary that can steal sensitive browser data and plant arbitrary files on targeted...
Google Fined $57M in Largest GDPR Slap Yet
France’s National Data Protection Commission (CNIL) has fined Google $57 million (€50 million) for violations of the General Data Protection Regulation (GDPR) – the largest fine yet issued under the EU’s new data privacy law. In investigating group complaints from privacy advocacy groups None Of Your...
Adobe Issues Unscheduled Updates for Experience Manager Platform
Adobe has issued unscheduled patches for vulnerabilities rated “important” across its Experience Manager platform, which allows developers to create mobile apps, social campaigns and landing pages. Overall, Adobe issued three fixes, including an “important” flaw (CVE-2018-19726) and a “moderate” fl...
Google Play Removes Malicious Malware-Ridden Apps
Google Play has removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials. The two apps, Currency Converter and BatterySaverMobo, purported to be useful mobile tools that help users calculate currency and optimize mobile batte...
Fallout EK Retools for a Fresh New 2019 Look
A new version of the Fallout exploit kit (EK) has emerged, featuring new exploits and fresh payloads, including the GandCrab ransomware. The development shows that EKs have a lot of life yet left in them, researchers say. The Fallout EK generally finds its victims by way of malvertising campaigns,...
Threatpost News Wrap Podcast For Jan. 18
Exposed personal data seemed to be the big trend this week, which was overshadowed by Troy Hunt’s discovery of a database of breached emails totaling 773 million unique addresses in a popular cloud service. Millions of sensitive files on a storage server belonging to the Oklahoma Department of...
Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
A critical and unpatched vulnerability in the widely deployed Cisco Small Business Switch software leaves the door open to remote, unauthenticated attackers gaining full administrative control over the device – and therefore the network. Cisco Small Business Switches were developed for small offi...
Twitter Android Glitch Exposed Private Tweets for Years
Twitter disclosed a security issue on Thursday that had exposed protected tweets on Android devices – for more than four years. According to the social media giant, if Twitter users on the Android operating system made specific changes to their account settings – like changing the email address...
Microsoft Launches Azure DevOps Bug Bounty Program
Microsoft lifted the curtain on a new Azure DevOps bug bounty program, designed to sniff out flaws in its Azure DevOps online services and servers. Azure DevOps is a cloud service launched in 2018 that enables collaboration on code development across the breadth of a development lifecycle...
Apple CEO Demands Federal Data Privacy Legislation
Apple CEO Tim Cook is adding his voice to the wave of tech giants, privacy watchdogs, and consumers calling for the government to roll out tightened consumer data privacy regulations. The Apple executive called on Congress to pass “comprehensive federal privacy legislation” that would effectively...
Cyber-Jackpot: 773M Credentials Dumped on the Dark Web
UPDATE A database of breached emails totaling 773 million unique addresses has turned up on a popular underground hacking forum, giving cybercriminals one of the largest jackpots ever seen when it comes to account-compromise efforts. Troy Hunt was first alerted to the cache, which totals 87GB of...
Cryptomining Malware Uninstalls Cloud Security Products
Researchers say they have discovered a unique malware family capable of gaining admin rights on targeted systems by uninstalling cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers. Palo Alto Networks’ Unit 42, which published the...
Threatpost Survey Says: 2FA is Just Fine, But Go Ahead and Kill SMS
The author of a recently released penetration testing tool called Modlishka, which can bypass mainstream two-factor authentication (2FA), asked a provocative question in a recently published research note: “Is 2FA broken?” Since this isn’t the first example of how 2FA can be defeated, we asked...
Millions of Oklahoma Gov Files Exposed by Wide-Open Server
Millions of sensitive files on a storage server belonging to the Oklahoma Department of Securities were left exposed for a week – including credentials, internal docs and personal data stretching back decades. Researchers at UpGuard who discovered the data leak said that the publicly accessible...
U.S. Issues Multiple Charges For 2016 SEC Hack
Two Ukrainians have been indicted in hacking the U.S. Securities and Exchange Commission (SEC) in order to steal and sell non-public, confidential information from publicly-traded companies. The two have been charged as part of a large-scale conspiracy to hack the SEC’s computer systems and profit ...
Fortnite Hacked Via Insecure Single Sign-On
Epic Games patched a bug that could have allowed hackers to break into millions of Fortnite accounts and steal virtual currency or resell virtual goods. The vulnerability is tied to an insecure Fortnite application program interface (API) used by players to log into their accounts using third-party...
Magecart Returns with Advertising Library Tactic
The Magecart card-skimming crime conglomerate has changed up its tactics in recent campaigns, injecting malicious code into third-party Java libraries used by e-commerce websites to serve advertisements. Typically, Magecart subsidiaries tend to compromise a few targeted websites in order to...
VOIPO Database Exposes Millions of Texts, Call Logs
UPDATE An improperly secured database owned by a California voice-over-internet provider left millions of customer call logs, SMS message logs and credentials in plain text open for months for the taking. The database belongs to VOIPO, which provides mobile services for consumers and commercial...
IDenticard Zero-Days Allow Corporate Building Access, Location Recon
UPDATE Most denizens of corporate America are pretty familiar with building security, and the requirement to swipe a badge to enter a building or an office suite; and as a result, most workers likely go about their day feeling secure that their stuff is physically secure from outsiders...
Data Breach Roundup: U.S. Healthcare, Cryptopia, SingHealth and Experian
Millions of people were affected by data breaches in 2018, and 2019 shows no signs of waning activity. The latest round of breaches as of Tuesday includes an attack on a managed-health provider in Indiana, an offensive against a rehab and wellness center in Michigan, millions in purloined funds a...