German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but actually stayed in listening mode and then phished the user into speaking passwords aloud, which were exfiltrated to a malicious actor; all their apps were successfully smuggled past the companies' app store security checks.
After a successful phishing attack that captured over 50 accounts, hackers stole 500,000 records from the San Diego Unified School District covering staff, current students, and past students going all the way back to 2008. The records included SSNs, home addresses and phone numbers, disciplinary files, health information, emergency contact details, health benefits and payroll info, pay information, and financial data for direct deposits.
A new twist on an old email scam making the rounds addresses its recipients by name and uses an actual password (hopefully deprecated). The scammers attempt to blackmail victims, and it's definitely a little anxiety-inducing to see an old password written out.
In the early 2000s, a mix of legislative action, vigorous prosecution and advanced countermeasures looked set to kill spam: the terrible economics of mass-scale marketing could easily be disrupted by even moderately effective curbs.
Hacker takeovers of power infrastructure have been seen in Ukraine (where they are reliably attributed to Russian state actors), but now the US power grid has been compromised by hackers of unknown origin, who have "switch-flipping" control -- that is, they can just turn it all off.
Ned Desmond shares the scary story of how a small site he managed that advertised fishing expeditions ended up with 565,192 scam pages. He also suggests five ways to avoid the same fate.
In a new report, Amnesty International summarizes the security research they did on the victims of a sophisticated phishing attack aimed at Qatari labor activists, dubbed "Operation Kingphish."
A new phishing attack hops from one Gmail account to the next by searching through compromised users' previous emails for messages with attachments, then replying to them from the compromised account with the link to the attachment replaced by a lookalike that sends you to a fake Google login page (they use some trickery to hide the fake in the location bar); the attackers stand by, and if you enter your login/pass, they immediately seize control of your account and attack your friends.
The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms.
A fraudster's term of art, "whaling" refers to phishing attempts targeted at "C-level corporate executives, politicians and celebrities" -- it's a play on "phishing" (attacks that trick users into downloading dangerous files or visiting attack sites by impersonating known sources) and "whales" (a term of art from casinos, referring to high-stakes gamblers).
In Wire Wire: A West African Cyber Threat, researchers from Secureworks reveal their findings from monitoring a Nigerian bank-fraud ring whose members had unwittingly infected themselves with their own malware, which captured their keystrokes and files and uploaded them to a file-server from which the researchers were able to monitor their activities and methodologies.
At Defcon, researchers from the Electronic Frontier Foundation, First Look Media and Amnesty International revealed their findings on a major phishing attack through which the government of Kazakhstan was able to hack opposition journalists and arrange for an opposition politician's extradition from exile in Italy to Kazakhstan.
Former Syrian National Council vice-president Nour Al-Ameer fled to Turkey after being arrested and tortured by the Assad regime -- that's when someone attempted to phish her and steal her identity with a fake PowerPoint attachment purporting to be about the crimes of the Assad regime.
Arriving in my inbox at a steady clip this morning: a series of phishing emails aimed at Bitcoiners, promising that the sender has found a bug in "the Bitcoin client" and promising "Pay 0.07 BTC today, get 10 BTC for 15 hours."
Last spring, in the chaos following the firing of Mattel's CEO (who presided over a disastrous slide in Barbie sales), a Mattel finance executive got an email from his new boss, replacement CEO Christopher Sinclair, ordering the transfer of $3 million to a new Chinese supplier.
If you are a seller on Alphabay -- a darkweb site that sells "drugs, stolen data and hacking tools," you'll have to use two-factor authentication (based on PGP/GPG) for all your logins.