Web Security News, Articles and Updates

uTorrent apps found vulnerable to remote code execution, information disclosure

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure upon visiting malicious websites.

Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers

Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

Pair of WordPress plug-ins inject malicious scripts to deliver unwanted ads

Two malicious plug-ins were recently discovered injecting obfuscated JavaScript into WordPress websites, in order to generate advertisements that appear if a visitor clicks anywhere on the page.

New crop of Twitter pornbots found advertising adult sites, misappropriating hashtags

A researcher who in 2016 uncovered roughly 500 bots programmed to automatically create Twitter posts advertising pornography has found that about 20 percent of them were still active two years later.

Latvian man pleads guilty to role in malvertising-based scareware scheme

A Latvian national who at one point was the fifth most wanted cybercriminal in the U.S. pleaded guilty this week in federal court to supporting a scareware scheme targeting users of the Minneapolis Star Tribune's website.

Malicious Reddit 'twin' discovered

The internet now has two front pages, but one is a fake created to scam Reddit fans or as phishing bait.

Evolving Hancitor downloader remains alive and well, relying on malicious hosted servers

Despite its relatively small pool of viable targets, the malicious Windows-based downloader Hancitor continues to surface in malspam campaigns that recently have relied heavily on distribution servers set up via fraudulent hosting provider accounts, a new blog post states.

RIG and GrandSoft exploit kits shell out new GandCrab ransomware

Breaking from typical ransomware distribution tactics, the attackers behind the new malicious cryptor GandCrab are relying on a pair of exploit kits - RIG EK and GrandSoft EK - to infect unwitting victims.

Chrome desktop update remedies 53 bugs, adds Spectre and Meltdown mitigations

Google's latest stable channel update for the Chrome browser on Windows, Mac and Linux desktop machines includes fixes for 53 security issues, including three high-severity vulnerabilities.

Malvertising 'conglomerate' created 28 fake ad agencies to abuse legit platforms

A massive malvertising operation bought an estimated 1 billion ad views in 2017 under the guise of 28 different fake ad agencies, in what a new report is calling the largest operation of its kind last year.

Researchers: Malicious Chrome extensions infected 500K workstations

More than a half-million workstations at major global organizations were reportedly found infected with malicious Chrome web browser extensions that were likely used to commit click fraud and search engine optimization manipulation.

Malicious websites can steal from vulnerable Electrum cryptocurrency wallets

The popular Bitcoin client Electrum has developed a patch for a critical vulnerability that allows malicious websites to steal from digital wallets that are not password-protected.

Report: Expect more website ads to contain hidden cryptominers

In addition to hiding cryptocurrency miners in the coding of websites, malicious actors may also increasingly conceal them within advertisements appearing on these sites, according to a new report from CoinDesk, citing the Israeli adtech firm Spotad.

Attackers exploit old WordPress to inject sites with code enabling site redirection, takeover

Attackers have exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

Imgur acts fast to disclose years-old breach that compromised 1.7 million users

The image sharing and hosting service Imgur was breached in 2014, resulting in the theft of roughly 1.7 million user email addresses and passwords, the company confirmed last Friday in an online notification.

Facebook fixes polling feature bug that could have deleted users' photos

When Facebook debuted a new polling feature earlier this month, it also introduced a vulnerability that could have allowed a malicious actor to delete any photo saved to the social media site.

Discount deception: AliExpress patches fake coupon vulnerability

Online retailer AliExpress fixed a vulnerability in its online shopping portal last October after researchers discovered a way to inject a fake coupon designed to phish sensitive information from those who receive it.

Hundreds of school websites redirected to pro-ISIS web page

Pro-ISIS hackers illegally accessed a web hosting provider and defaced the websites of roughly 800 U.S. schools on Monday, according to various news reports.

Anime enemy: Asian content distributor Crunchyroll blames DNS hijack for malicious redirection

Asian entertainment website Crunchyroll.com is blaming a DNS hijack attack, after site visitors in the early morning of Nov. 4 were redirected to a malicious website designed to infect them with malware.

Bug in anti-malware defenses mistakenly blocks users' Google Docs files

Google issued a public apology on Thursday after a bug mistakenly caused its defenses against malware, phishing, and spam to block some users' access to Google Docs files.

Hack-It Ralph? Circle with Disney parental filter filled with exploitable flaws

A Disney-branded internet filter underwent automatic patching after researchers discovered multiple vulnerabilities that could have exposed users to cyberattacks, researchers from Talos have reported.

Tarte Cosmetics breach exposes nearly 2 million customers

Make-up company Tarte Cosmetics exposed the personal information of nearly two million online customers after two of its online MongoDB databases were reportedly misconfigured for public access.

Report: Dell domain takeover could have spread malware

Dell computer users could have been exposed to malware last summer after visiting a third-party customer support website whose domain was suddenly taken over by an unaffiliated company.

Microsoft adds ransomware defense with new Windows update

Microsoft is claiming that the latest version of Windows 10, the Fall Creators Update, is the most secure version of the operating system yet released.

Russian underground shop selling RDP servers for $15 or less

Russian dark web marketplace Ultimate Anonymity Services was recently observed selling more than 35,000 compromised RDP servers, which cybercriminals can leverage to anonymize themselves or to directly access victims' networks.

The 'Phantom' Menace? Extortionists threaten websites with DDoS attack

A cybercriminal group identifying itself as Phantom Squad has launched an email-based extortion campaign against thousands of businesses, threatening to debilitate their websites with a DDoS attack on Sept. 30 if they do not pay a ransom of .2 bitcoins.

SEC systems breach may have aided insider trading

Hackers breached the U.S. Securities and Exchange Commission's EDGAR document filing system and may have used nonpublic information stored on the database to profit from insider trading, the regulatory body disclosed on Wednesday.