Web Security News, Articles and Updates

Terbium Labs CEO: We have the tools to curtail fake news, if we'd only use them

We already have the means to significantly curtail fake news campaigns emanating from Russia and elsewhere, but it is up to security practitioners, and especially online content and advertising platforms, to meaningfully employ these measures, according to Dr. Daniel Rogers, CEO of Terbium Labs.

UK politician admits and apologizes for hacking into opponent's website 10 years ago

A now high-ranking member of the UK's Conservative Party admitted and apologized for hacking into her Labour opponent's website to post pro-Tory propaganda, a crime punishable by up to two years in prison.

Study: Malware counts higher on computers whose users visited piracy sites

Each time a user doubles the amount of time he spends visiting illegal torrent and streaming websites, the malware count on his machine jumps another 20 percent, according to an academic paper released earlier this month.

Binge watching and bug watching: Netflix launches public bug bounty program

Digital entertainment powerhouse Netflix officially launched a public bug bounty program on Wednesday, offering vulnerability hunters anywhere from $100 to $15,000 per discovery.

Credential stuffing attack suspected after several UK National Lottery accounts compromised

As many as 150 player accounts registered with the UK's National Lottery were compromised, accessed and potentially viewed by an unauthorized party, according to an online statement from Camelot, the parent company that runs the sweepstakes.

Breaches expose 50,000 student and teacher records at Leon County Schools; more districts likely affected

The records of roughly 50,000 students, parents, teachers and staff members from the Leon County Schools District in Tallahassee, Fla. were compromised in two related breach incidents involving a third-party education services provider.

BlackTDS offering lets cybercriminals purchase drive-by attacks as a service

The makers of a new "Traffic Distribution System" that performs malicious drive-by attacks as a service to paying cybercriminals have been advertising their product in underground online markets since December last year, according to a new report from Proofpoint.

Avast: CCleaner hackers planned to infect victims with third-stage Chinese hacking tool

The hackers who injected malicious code into a version of computer maintenance app CCleaner last year may have been preparing to deliver third-stage malware to at least a select few of the 2.27 million computers that had downloaded the tainted utility program.

Browser stored personal information there for the taking: Report

Researchers have found that browsers like Chrome and Firefox store a great deal of visitor information, much of which can be easily discovered and taken by cybercriminals.

Researchers identify extortion as motive behind memcached DDoS attacks

The adversaries who have been abusing exposed memcached servers to launch amplified distributed denial of service attacks have been including a ransom note amidst their flood of malicious packets, according to researchers from Cybereason who now suspect the actors' true motivation is extortion.

GitHub rides out record-breaking DDoS attack that leveraged memcached servers

GitHub on Wednesday withstood the largest distributed denial of service attack ever recorded, experiencing roughly 10 minutes of disruption during the onslaught, which was amplified using exposed memcached servers -- a vector that has seen a significant increase in abuse since last month.

Old version of HPE Lights-Out server management tech contains DoS vulnerability

Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a denial of service condition.

uTorrent apps found vulnerable to remote code execution, information disclosure

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure upon visiting malicious websites.

Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers

Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

Pair of WordPress plug-ins inject malicious scripts to deliver unwanted ads

Two malicious plug-ins were recently discovered injecting obfuscated JavaScript into WordPress websites, in order to generate advertisements that appear if a visitor clicks anywhere on the page.

New crop of Twitter pornbots found advertising adult sites, misappropriating hashtags

A researcher who in 2016 uncovered roughly 500 bots programmed to automatically create Twitter posts advertising pornography has found that about 20 percent of them were still active two years later.

Latvian man pleads guilty to role in malvertising-based scareware scheme

A Latvian national who at one point was the fifth most wanted cybercriminal in the U.S. pleaded guilty this week in federal court to supporting a scareware scheme targeting users of the Minneapolis Star Tribune's website.

Malicious Reddit 'twin' discovered

The internet now has two front pages, but one is a fake created to scam Reddit fans or as phishing bait.

Evolving Hancitor downloader remains alive and well, relying on malicious hosted servers

Despite its relatively small pool of viable targets, the malicious Windows-based downloader Hancitor continues to surface in malspam campaigns that recently have relied heavily on distribution servers set up via fraudulent hosting provider accounts, a new blog post states.

RIG and GrandSoft exploit kits shell out new GandCrab ransomware

Breaking from typical ransomware distribution tactics, the attackers behind the new malicious cryptor GandCrab are relying on a pair of exploit kits - RIG EK and GrandSoft EK - to infect unwitting victims.

Chrome desktop update remedies 53 bugs, adds Spectre and Meltdown mitigations

Google's latest stable channel update for the Chrome browser on Windows, Mac and Linux desktop machines includes fixes for 53 security issues, including three high-severity vulnerabilities.

Malvertising 'conglomerate' created 28 fake ad agencies to abuse legit platforms

A massive malvertising operation bought an estimated 1 billion ad views in 2017 under the guise of 28 different fake ad agencies, in what a new report is calling the largest operation of its kind last year.

Researchers: Malicious Chrome extensions infected 500K workstations

More than a half-million workstations at major global organizations were reportedly found infected with malicious Chrome web browser extensions that were likely used to commit click fraud and search engine optimization manipulation.

Malicious websites can steal from vulnerable Electrum cryptocurrency wallets

The popular Bitcoin client Electrum has developed a patch for a critical vulnerability that allows malicious websites to steal from digital wallets that are not password-protected.

Report: Expect more website ads to contain hidden cryptominers

In addition to hiding cryptocurrency miners in the coding of websites, malicious actors may also increasingly conceal them within advertisements appearing on these sites, according to a new report from CoinDesk, citing the Israeli adtech firm Spotad.

Attackers exploit old WordPress to inject sites with code enabling site redirection, takeover

Attackers have exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

Imgur acts fast to disclose years-old breach that compromised 1.7 million users

The image sharing and hosting service Imgur was breached in 2014, resulting in the theft of roughly 1.7 million user email addresses and passwords, the company confirmed last Friday in an online notification.

Facebook fixes polling feature bug that could have deleted users' photos

When Facebook debuted a new polling feature earlier this month, it also introduced a vulnerability that could have allowed a malicious actor to delete any photo saved to the social media site.