25 Security breaches Worldwide – Week 12, 2019
Be informed about the latest 25 Security breaches Worldwide, identified and reported publicly during Week 12, 2019. As these security-related breaches have a severe negative impact on your business, consider a security AUDIT to prevent any similar cases.
- Here is a twofer phishing campaign.
- It tries to obtain credentials for both Shopify and PayPal. If you are reading the email message on a phone, you should beware. 2 in 1 Shopify and Paypal phishing scam
- A 20-something North Carolina man collected more than $3M over four years in a tech support scam.
- He used Google- and Bing-based adware that mimicked Microsoft messages to drive traffic. He pled guilty last week. Microsoft tech support scammer pleads guilty to defrauding victims of $3 million
- A zero-day flaw in the Easy WP SMTP WordPress plug-in with 300,000 installs has been found.
- It allows hackers to use a backdoor to take admin control over a blog and redirect users to sites running tech support scams. Users should update to v. 22.214.171.124, which contains a patch. Critical zero-day vulnerability fixed in WordPress Easy WP SMTP plugin, and WP Security: 21 plugin vulnerabilities in March 2019
- There has been a three-fold increase in DDoS attacks targeting SaaS sites, and an almost doubling of government targets.
- And almost all DDoS attacks could easily saturate any corporate network that they targeted. These and other findings are according to a new report from Netscout. NETSCOUT Releases 14th Annual Worldwide Infrastructure Security Report
- A phishing campaign that mimics a flu-related warning from the CDC is a new low in venality.
- The come-on message is reproduced below. Instead, it delivers an updated v. 5.2 of the GandCrab ransomware, which doesn’t have a readily available decryptor. This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware
- Brian Krebs broke this story about how, for several years now, thousands of Facebook employees have had access to millions of their users’ plain text passwords.
- Soon thereafter, a Facebook VP posted this explanation that said there is no evidence that anyone abused or improperly accessed this information. That is a different statement from saying that no one accessed them. There was also no explanation of why this data, which was contained in log files, was collected to begin with. My colleague Sean Gallagher in Ars has the best analysis. Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years and Keeping FaceBook Passwords Secure and Facebook apps logged users’ passwords in plaintext, because why not
- The SoftNAS cloud storage application had a major authentication bug.
- It was fixed with the help of security researchers and users should update their software.
- The hacking group FIN7 has improved its malware code.
- The group has added a better administrative console and a new remote access program written in SQL. It has stolen millions of payment card records over the years from various hospitality and entertainment-related businesses. FIN7 Revisited: Inside Astra Panel and SQLRat Malware
- Injections and scripting attacks, a majority of official EU government websites contain third-party ad tracking cookies.
- This goes against GDPR regs and comes from this report. The French government websites are the worst offenders, with more than 50 different trackers found. Cookiebot report: Hidden tracking of citizens on EU government and health sector websites
- This post explains how to pull this off and how to stop it. Since a browser will by default have access to localhost as well as the local LAN, these public-to-private attacks can bypass not only the corporate/consumer perimeter firewall, but also the local host-based firewall. Attacking the internal network from the public Internet using a browser as a proxy
- MyPillow and Amerisleep were both hit by Magecart malware.
- Here is a depressing article about why phishing is so potent.
- Even on a team of tech-savvy developers, a third of the recipients were still fooled by a very cleverly designed phish into clicking the embedded link. And 14 percent of them submitted personal data as a result. This post shows the importance of security awareness training. Phishing my company. An infosec lesson for businesses