Restaurants and food delivery services are being ripped off by a new made-to-order fraud scheme taking place on the messaging app Telegram. Research and analysis from Sift’s Digital Trust and Safety Architects found that bad actors are advertising heavily discounted food and beverage delivery services on the app’s forums. After receiving an order, the cyber-criminals pay
by Sally Adam Usually, when Safer Internet Day comes around, the cybersecurity situation hasn’t changed much from the year before, so it doesn’t feel like much of a reason to do anything special. But that’s not the case in 2021, thanks to the lifestyle changes that the coronavirus pandemic has brought around the world. In
In the era of hacking and malicious actors, a company’s cloud security posture is a concern that preoccupies most, if not all, organizations. Yet even more than that, it is the SaaS Security Posture Management (SSPM) that is critical to today’s company security. Recently Malwarebytes released a statement on how they were targeted by Nation-State
A Ukrainian man will spend the next seven years in prison in the United States for helping Eastern European computer hackers to obtain and launder millions of dollars in stolen funds. Odessa resident Aleksandr Musienko partnered with the hackers to steal over $3m from online bank accounts and businesses in the United States, then launder the
by Paul Ducklin Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live. In the UK, the 2019/2020 tax year ended on 05 April 2020, and the deadline
While you’re living out your fantasies, your internet-enabled sex toy may be setting you up for a privacy nightmare We did it. Somehow, we got through 2020 and now Valentine’s Day is just around the corner. And yet 2020’s imprint may still be observed everywhere, and – believe it or not – the COVID-19 pandemic
Russian Dutch-domiciled search engine, ride-hailing and email service provider Yandex on Friday disclosed a data breach that compromised 4,887 email accounts of its users. The company blamed the incident on an unnamed employee who had been providing unauthorized access to the users’ mailboxes for personal gain. “The employee was one of three system administrators with
Three men in Baltimore County have been accused of impersonating Massachusetts pharmaceutical and biotechnology company Moderna to sell fake COVID-19 vaccines. Twenty-two-year-old Owings Mills resident Kelly Lamont Williams, together with cousins and Windsor Mill residents 22-year-old Olakitan Oluwalade and 25-year-old Odunayo Baba Oluwalade, also known as Olaki and Baba respectively, were arrested on February 11. A criminal complaint unsealed
by Lisa Ventura This guest post is by Lisa Ventura, founder and CEO of the UK Cyber Security Association, a not-for-profit that raises awareness of the importance of cybersecurity for small and medium-sized businesses. Online fraud is a huge challenge for businesses and consumers alike as cybercriminals continue to develop new mechanisms to separate innocent
What can municipalities do to better protect their water supply systems? We reported recently about an attack against the water supply in Oldsmar, Florida, and worry about the potential for future and copycat attacks against other lightly defended water treatment systems in small towns worldwide and what can be done to stem such incursions. In
Popular messaging app Telegram fixed a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats. Security researcher Dhiraj Mishra discovered the vulnerability in version 7.3 of the app and disclosed his findings to Telegram on December 26, 2020.
Twitter has been issued a non-compliance notice by the Indian government for failing to block accounts used to spread misinformation and provoke violence. Prime Minister Narendra Modi ordered Twitter to block over 1,000 Twitter accounts after political protestors stormed Delhi’s Red Fort and clashed with police on January 26, India’s Republic Day. Twitter only partially complied with
by Paul Ducklin We delve into Google’s tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the Perl.com domain. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.
This month’s relatively humble bundle of security updates fixes 56 vulnerabilities, including a zero-day bug and 11 flaws rated as critical Yesterday was the second Tuesday of the month, which means that Microsoft is rolling out patches for security vulnerabilities found in Windows and its other products. This year’s second batch of security updates brings
Two new Android surveillanceware families have been found to target military, nuclear, and election entities in Pakistan and Kashmir as part of a pro-India, state-sponsored hacking campaign. Dubbed Hornbill and Sunbird, the malware impersonates legitimate or seemingly innocuous services to cover its tracks, only to stealthily collect SMS, encrypted messaging app content, and geolocation, among
Tenable Holdings today announced that it has entered into a definitive agreement to acquire Active Directory security startup Alsid SAS for $98m in cash. Alsid specializes in providing a Software as a Service (SaaS) solution that monitors the security of Active Directory in real time. The company was founded in France in 2016 by two former incident responders from the French National
by Paul Ducklin As you know, our usual advice for Patch Tuesday boils down to four words, “Patch early, patch often.” There were 56 newly-reported vulnerabilities fixed in this month’s patches from Microsoft, with four of them offering attackers the chance of finding remote code execution (RCE) exploits. Remote code execution is where otherwise innocent-looking
While the incursion was thwarted in time, cyberattacks targeting critical infrastructure are a major cause for concern Last Friday, an unknown attacker accessed the computer systems of a water treatment facility in Oldsmar, Florida, and attempted to poison the city’s water supply by manipulating the chemical levels of sodium hydroxide. This substance, commonly referred to
In what’s a novel supply chain attack, a security researcher managed to breach over 35 major companies’ internal systems, including those of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution. The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software
A US Army Cyber Command major has been sentenced to 30 years in federal prison for producing child sexual abuse material (CSAM). Jason Michael Musgrove, of Grovetown, Georgia, was arrested in December 2019. At the time of his apprehension by law enforcement officers, the 41-year-old was serving as an integrated threat operations officer with Top
by Paul Ducklin We’re all appalled at scammers who take advantage of people’s fears to sell them products they don’t need, or worse still products that don’t exist and never arrive. Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim – making their
A view of the Q4 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts 2020 was many things (“typical” not being one of them), and it sure feels good to be writing about it in the past tense. As if really trying to prove a
Endpoint Detection and Response (EDR) platforms have received incredible attention as the platform for security teams. Whether you’re evaluating an EDR for the first time or looking to replace your EDR, as an information security professional, you need to be aware of the gaps prior to implementation so you can best prepare how to
A woman from Iowa has admitted obtaining confidential information about a drug-trafficking operation from her paralegal friend and then releasing it on social media. Rachel Manna, of West Des Moines, pleaded guilty on February 4 to using a former Department of Justice contractor’s government computer to access government records and to obtain sensitive, non-public law enforcement information.
by Paul Ducklin Google announced a critical bug in Chrome last week – a bug that affected Edge as well. But the company kept details of the bug secret, presumably to avoid having thousands of crooks simultaneously figuring out, “Ah, so that’s where to look!” All we were told was that it involved a zero-day exploit
Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens that could threaten the stability of the Islamic Republic, including dissidents, opposition forces, ISIS supporters, and Kurdish natives. Tracing the extensive espionage operations to two advanced Iranian cyber-groups, Domestic Kitten (or APT-C-50) and Infy,
America’s National Cyber League has announced a new set of scholarships to help financially disadvantaged students at historically black colleges and universities (HBCUs) compete in its latest competition. Last fall, the non-profit organization collaborated with HBCUs to award scholarships to more than 60 students so they could participate in the NCL games. Today, the NCL
by Paul Ducklin Good news, everybody! Two weeks ago, we wrote that the well-known and widely-used domain perl.com had been taken over by persons unknown. Perl, now more than 30 years young, is amongst the most popular and prevalent programming languages out there, and websites that serve the world of Perl are therefore popular, too.
A new distributed denial-of-service attack (DDoS) vector has ensnared Plex Media Server systems to amplify malicious traffic against targets to take them offline. “Plex’s startup processes unintentionally expose a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks,” Netscout researchers said in a Thursday alert.
A charity that protects and restores woodland in England, Northern Ireland, Scotland, and Wales has been targeted by a “sophisticated, high level” cyber-attack. According to a security incident notification published by the Woodland Trust on its website, attackers gained unauthorized access to the charity’s IT systems in December. An investigation is under way to determine what, if any, data held