Security

Fraudsters have already made $1.6m from cards stolen via a Magecart supply chain attack on popular e-commerce platform Volusion, and the figure could rise more than 100-fold over the coming months, according to new research. The attack on Volusion’s cloud platform was described by dark web intelligence firm Gemini Advisory as “one of the largest and

by Danny Bradbury Researchers who uncovered a data exposure from mobile app Whisper earlier this week have released more details about the incident. Whisper is an app from MediaLab, a mobile app company that owns a host of other apps including the popular messaging service Kik. It offers a kind of anonymous social network service

The deadline for filing taxes in the United States is eight weeks away, but new research has shown that small businesses are already being hit by tax season–related cyber-attacks. Research conducted by Proofpoint indicates that attackers are “aggressively jumping into tax season,” with the deployment of two main attack strategies.  The first strategy is to send tax-themed emails

by Lisa Vaas Recognize anybody you know? (Anonymized) photos leaked from PhotoSquared’s unsecured S3 bucket IMAGE: vpnMentor No, likely not. No thanks to the leaky photo app they dribbled out of for that, though. After coming across thousands of photos seeping out of an unsecured S3 storage bucket belonging to a photo app called PhotoSquared,

A 19-year-old American man has been arrested for allegedly engaging in a six-year cybercrime wave that involved swatting, computer fraud, and the stalking of multiple victims, including a New York schoolgirl. Tristan Rowe was arrested on February 12 after allegedly threatening to kill one victim and bomb their school. Cops say he sent multiple disturbing messages to

by Paul Ducklin If you’re a regular Naked Security reader, you’ll know that we’ve been fans of HTTPS for years. In fact, it’s nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere. HTTPS is short for HTTP-with-Security, and it means that your browser, which

British police have been investigating children as young as six over their involvement in sexting offenses.  Figures released by London’s Metropolitan Police Service reveal that between January 2017 and August 2019, a total of 353 children aged from six to thirteen were investigated in relation to sending and receiving sexual images.  Sexting investigations involving children under

by John E Dunn Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising after installing themselves on the computers of millions of users. Depending on which way you look at it, that’s either a good result because they’re no

The alleged source of a series of information leaks that rocked soccer and sparked an FFP investigation into the finances of Manchester City Football Club is to be tried before a Portuguese court. An appeal lodged by Portuguese national Rui Pinto to have the accusations against him dismissed as “unfounded” was rejected earlier this month

by John E Dunn The contentious case of a man held in custody since 2015 for refusing to decrypt two hard drives appears to have reached a resolution of sorts after the US Court of Appeals ordered his release. Former Philadelphia police sergeant Francis Rawls was arrested in September 2015, during which the external hard

A report into the spate of data breaches that ripped through America’s healthcare industry last year has revealed that more breaches happened in Texas than in any other state.  The “2019 Healthcare Data Breach Report” published yesterday by HIPAA Journal shows that healthcare data breaches involving the exposure of 500 or more records occurred in

by Danny Bradbury A popular GDPR compliance WordPress plugin vendor has patched a flaw that rendered both site visitors and admins vulnerable to cookie-stealing cross-site scripting (XSS) attacks. The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users. The plug-in is a notification app that begs you to accept cookies when you first

A Chattanooga, Tennessee, information technology infrastructure and cybersecurity consulting firm has unveiled an $8m expansion plan that will see its workforce double by 2023. Currently, the Conversant Group operates with 46 employees from its headquarters on Cowart Street. On Monday, the company’s president and chief listening officer, John Anthony Smith, revealed plans to relocate the firm to a new site

by Paul Ducklin A trio of researchers from Singapore just published a paper detailing a number of security holes they discovered in Bluetooth chips from several different vendors. The good news is that they disclosed the holes responsibly back in 2019 and waited 90 days – a sort-of industry standard period popularised by Google’s Project

Threat actors exploiting public interest in the ongoing coronavirus outbreak have baited their phishing traps with a new lure—conspiracy theories about unreleased cures. The new tactic was noted by researchers at Proofpoint, who have been monitoring global malicious activity related to the life-threatening virus in the form of hundreds of thousands of messages.  Alongside a flurry

by Alice Violet This week we welcome back Peter who discusses RobbinHood – the ransomware that brings its own bug. Greg explains how a student’s Twitter account was handed over to their college and Duck talks SMS 2FA. Host Anna Brading is joined by Sophos experts Peter Mackenzie, Paul Ducklin and Greg Iddon. Listen now!

American bank Fifth Third has come under fire for sending customers a cryptic breach disclosure letter judged to be “vague and deceptive” by a consumer group.   Fifth Third wrote to customers after discovering that at least two of its employees had stolen customer information and provided it to a third party. Data exposed included names, Social Security

by John E Dunn Sometime this March, the Firefox, Chrome, Safari and Edge browsers will start throwing up warnings when users visit websites that only support Transport Layer Security (TLS) versions 1.0 or 1.1. Announced in October 2018 as part of a joint plan to phase out support, the implications for any holdout sites are

A subsidiary of American insurance giant Aflac is to open a global IT and cybersecurity center in the Northern Irish capital city of Belfast.  Aflac Northern Ireland signed a 10-year lease with Belfast Harbor on 11,000 sq ft of office space within the ongoing multi-million-dollar waterfront development City Quays. With the opening of the new center on regenerated dockland, Aflac Northern Ireland will

by Paul Ducklin No matter how safe and secure you feel when you use your computer, there’s always room for improvement. Why not make Safer Internet Day the excuse you need to do all those cybersecurity tweaks you’ve been putting off… …such as picking proper passwords, turning on two-factor authentication, downloading the latest security updates,

The US has indicted Chinese military personnel today on charges of hacking into Equifax’s computer systems and stealing valuable trade secrets and the personal data of nearly 150 million Americans. A federal grand jury in Atlanta, Georgia, returned the indictment last week against four members of the Chinese People’s Liberation Army (PLA). Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu

by John E Dunn Google has announced a timetable for phasing out insecure file downloads in the Chrome browser, starting with desktop version 81 due out next month. Known in jargon as ‘mixed content downloads’, these are files such as software executables, documents and media files offered from secure HTTPS websites over insecure HTTP connections.

New research has revealed that the threat group behind the cryptocurrency-stealing MasterMana botnet has grown increasingly sophisticated and is now trapping victims through spoofed login portals. Gorgon Group has been observed targeting the European Union as well as Dubai’s main electrical/water utility DEWA with fake login pages that are highly convincing. The illicit activity was

by Lisa Vaas Clearview AI, the facial recognition company that’s scraped the web for three billion faceprints and sold them all (or given them away) to 600 police departments so they could identify people within seconds, has received yet more cease-and-desist letters from social media giants. The first came from Twitter. A few weeks ago,

Lawyers who secured a $117.5m deal to resolve litigation tied to multiple data breaches at Yahoo could get paid $30m for their efforts. Class counsel who secured the breach settlement are currently waiting for US District Judge Lucy Koh to give her final stamp of approval and to award them the fees, according to new documents filed in California federal court.

by Danny Bradbury The normal way to steal data from a compromised computer is to retrieve it over a network. If that computer isn’t connected to one, it gets a little trickier. Researchers at Ben-Gurion University of the Negev have made a name for themselves figuring out how to get data out of air-gapped computers.

Cyber-criminals have stolen “almost all funds” entrusted to crypto exchange platform Altsbit. The Italian exchange announced it had become the target of a devastating hack yesterday on Twitter. According to their posts, criminals made off with 1,066 Komodo (KMD) tokens and 283,375 Verus (VRSC) “coins” with a combined value of $27,000. Funds kept in cold storage—crypto coins whose

by Paul Ducklin Ransomware is one of the most feared cybercrime problems of the modern era. The idea of malware that scrambles your files and demands money to get them back is not new – the first widespread attack happened back in 1989 – but the scale of the threat has changed dramatically in the

A new study focused on distributed denial of service (DDoS) attacks has found that pornographic websites received by far the most attacks per site last year.  To produce their “Global DDoS Threat Landscape” report, researchers at Imperva studied attack data gathered between May and December 2019. Their findings, published yesterday, reveal that websites in the adult entertainment industry received

by Alice Duckett Over the past couple of years, Sophos’ Director of Security Craig Jones has discovered a worrying amount of personal data on public Trello boards. Mark says companies shouldn’t microchip their employees and Duck discusses a bug that could have blown a hole in OpenSMTPD. Host Anna Brading is joined by Sophos experts