The Java saga continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle’s patch release from their users’ application of it, is part of a watering hole campaign also targeting Tibetan and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.
Browsing Category: Social Engineering
Scammers are spamming out malicious emails purporting to come from payroll processing company ADP, according Dancho Danchev of Webroot.
For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in China and Russian malware, Kaspersky researchers said.
An apparent clickjacking, or UI redress vulnerability, in Google’s Chrome web browser could make it possible for attackers to glean users’ e-mail addresses, their first and last names and other information according to recent work done by an Italian researcher.Luca De Fulgentis, who writes about security for Nibble Security’s blog, detailed the issue earlier this week, along with another separate data extraction method.
In spring of last year, reports began surfacing that some employers were demanding that current and sometimes prospective employees hand over the log-in credentials or otherwise provide access to their various social media accounts. People were outraged. Such invasions of what many perceive as their personal, albeit, online privacy prompted much debating and the writing of a never-ending slew opinion pieces.
Late last week the social networking giant Facebook patched a particularly voyeuristic security vulnerability in the platform that could have given malefactors the ability to remotely turn on the webcams of other users and post videos to their profiles, according to a Bloomberg News report.
Tis the season for predictions and security firm Trusteer checks in today with a handful for the upcoming New Year. In a post on the company’s blog, CTO Amit Klein distills Trusteer’s top ideas into an infographic,. The company predicts the security landscape will see more exploits, specifically Man-in-the-Browser malware, targeting Google’s Chrome browser, the further emergence of native 64-bit Windows malware and what the firm claims will be a more drawn out malware lifecycle.
Persistent targeted attacks against the government, financial services, manufacturing and critical infrastructure take on many characteristics. Attackers can have different backgrounds and motivations, and the tools they use can range from commodity malware to zero-day exploits.
Phishers are using a typosquatted domain name designed to mimic the URL of a popular e-commerce destination in order to lure their victims to a malicious Website that prompts its visitors to download a malicious add-on that will guide users to phishing sites, even when they type legitimate URLs into their browser’s address bar.
Attackers are sending spoofed “pending notification” emails to Facebook users, claiming that the recipients overlooked some alert on the world’s largest social network, and providing them with a link that supposedly leads to the allegedly neglected content but which, in reality, funnels users to a series of compromised websites hosting the Black Hole Exploit Kit, according to researcher Dancho Danchev.