Web Security News, Articles and Updates

Cryptomining campaign targeting web servers vulnerable to Drupalgeddon 2.0 nets $11,000

An ongoing malware campaign that attempts to exploit web servers susceptible to the Drupalgeddon 2.0 bug in order to infect them with an XMRig-based cryptominer has generated around $11,000 in profits since commencing last April and peaking on May 20.

Cryptocurrency service Bancor robbed of millions; MyEtherWallet users targeted via malicious VPN Chrome extension

Cryptocurrency token conversion service Bancor disclosed yesterday that hackers stole millions in coins from one of its online wallets, while Ethereum crypto wallet service MyEtherWallet warned that hackers may have compromised anyone who accessed its service while using the free VPN service Hola and its Chrome extension.

Cryptojacking operation leverages shortlinks and traffic distribution system to infect users

A cryptojacking operation that injects legitimate websites with secret Coinhive shortlinks was recently discovered to be part of an even larger malicious infrastructure that redirects innocent site visitors to servers that distribute both web-based and standard cryptominers.

Spam and eggs: Red Hen restaurant's website apparently injected with SEO spam links

The website for the restaurant that recently refused to host White House Press Secretary Sarah Huckabee Sanders was found unknowingly hosting hidden code linking to ads for Viagra and other pharmaceuticals.

Apple discloses new protections against snoopy apps and websites at WWDC event

Apple's newest enhancements to its Safari browser will inhibit websites and apps -- including Facebook -- from using cookies and fingerprinting techniques to track users across the internet.

That smarts! 'Brain Food' spam botnet malware found on thousands of websites

A spam campaign called Brain Food has been feeding email recipients a steady diet of junk messages containing links to pages promoting bogus intelligence-boosting supplements and diet pills.

Two alleged Syrian Electronic Army members indicted for spear phishing and defacement campaign

U.S. prosecutors filed an indictment yesterday for two alleged Syrian Electronic Army hacktivists who are accused of compromising news media websites and social media accounts in order to spread propaganda supporting the regime of Syrian president Bashar al-Assad.

RIG EK campaign delivers researcher-phobic backdoor trojan Grobios

The RIG exploit kit has been causing trouble again, this time delivering a backdoor trojan called Grobios, which takes great pains to avoid detection and evade virtual and sandbox environments.

Chrome update for desktop operating systems repairs critical sandbox escape bug

Google's latest stable channel update for the Windows, Mac and Linux versions of Chrome fixes four vulnerabilities, including a critical bug that can lead to sandbox escape.

Cryptojacking campaign hits 400 Drupal-based sites, many run by governments and universities

Nearly 400 websites running outdated and vulnerable versions of the Drupal content management system, many affiliated with governments and educational institutions, were recently discovered to be running cryptomining programs without their operators' knowledge.

Trojanized CMS plug-ins infect thousands of websites in tech support scam campaign

A recently uncovered tech support scam campaign has compromised thousands of websites with malicious ad injections that redirect users to a browser locker page that claims their computers are infected.

Ghosts in the machine: Researchers reportedly find eight more Spectre flaws in CPU chips

CPU chip manufacturers are facing a brand new onslaught of Spectre speculative execution vulnerabilities, some of which could be disclosed as soon as Monday, May 7, German technology news outlet c't has reported.

Four versions of PHP programming language updated to fix multiple bugs

The developer of the PHP (Hypertext Preprocessor) server-side scripting language has issued a series of updates that fix 40 vulnerabilities spread across four different versions -- the most serious of which was severe enough to allow an attacker to execute arbitrary code within the context of an affected application.

Terbium Labs CEO: We have the tools to curtail fake news, if we'd only use them

We already have the means to significantly curtail fake news campaigns emanating from Russia and elsewhere, but it is up to security practitioners, and especially online content and advertising platforms, to meaningfully employ these measures, according to Dr. Daniel Rogers, CEO of Terbium Labs.

UK politician admits and apologizes for hacking into opponent's website 10 years ago

A now high-ranking member of the UK's Conservative Party admitted and apologized for hacking into her Labour opponent's website to post pro-Tory propaganda, a crime punishable by up to two years in prison.

Study: Malware counts higher on computers whose users visited piracy sites

Each time a user doubles the amount of time he spends visiting illegal torrent and streaming websites, the malware count on his machine jumps another 20 percent, according to an academic paper released earlier this month.

Binge watching and bug watching: Netflix launches public bug bounty program

Digital entertainment powerhouse Netflix officially launched a public bug bounty program on Wednesday, offering vulnerability hunters anywhere from $100 to $15,000 per discovery.

Credential stuffing attack suspected after several UK National Lottery accounts compromised

As many as 150 player accounts registered with the UK's National Lottery were compromised, accessed and potentially viewed by an unauthorized party, according to an online statement from Camelot, the parent company that runs the sweepstakes.

Breaches expose 50,000 student and teacher records at Leon County Schools; more districts likely affected

The records of roughly 50,000 students, parents, teachers and staff members from the Leon County Schools District in Tallahassee, Fla. were compromised in two related breach incidents involving a third-party education services provider.

BlackTDS offering lets cybercriminals purchase drive-by attacks as a service

The makers of a new "Traffic Distribution System" that performs malicious drive-by attacks as a service to paying cybercriminals have been advertising their product in underground online markets since December last year, according to a new report from Proofpoint.

Avast: CCleaner hackers planned to infect victims with third-stage Chinese hacking tool

The hackers who injected malicious code into a version of computer maintenance app CCleaner last year may have been preparing to deliver third-stage malware to at least a select few of the 2.27 million computers that had downloaded the tainted utility program.

Browser stored personal information there for the taking: Report

Researchers have found that browsers like Chrome and Firefox store a great deal of visitor information, much of which can be easily discovered and taken by cybercriminals.

Researchers identify extortion as motive behind memcached DDoS attacks

The adversaries who have been abusing exposed memcached servers to launch amplified distributed denial of service attacks have been including a ransom note amidst their flood of malicious packets, according to researchers from Cybereason who now suspect the actors' true motivation is extortion.

GitHub rides out record-breaking DDoS attack that leveraged memcached servers

GitHub on Wednesday withstood the largest-ever recorded distributed denial of service attack in history, experiencing roughly 10 minutes of disruption during the onslaught, which was amplified using exposed memcached servers -- a vector that has seen a significant increase in abuse since last month.

Old version of HPE Lights-Out server management tech contains DoS vulnerability

Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a denial of service condition.

uTorrent apps found vulnerable to remote code execution, information disclosure

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure upon visiting malicious websites.

Exclusive: Researchers say Kaspersky web portal exposed users to session hijacking, account takeovers

Security researchers say they discovered several vulnerabilities and security lapses in Kaspersky Lab's my.kaspersky.com web portal earlier this month, adding that the flaws exposed users to potential session hijackings and account takeovers.

Pair of WordPress plug-ins inject malicious scripts to deliver unwanted ads

Two malicious plug-ins were recently discovered injecting obfuscated JavaScript into WordPress websites, in order to generate advertisements that appear if a visitor clicks anywhere on the page.