Author Archives: Lindsey O'Donnell

Phishing Scam Cloaks Malware With Fake Google reCAPTCHA

Phishing emails target a bank's users with malware - and make their landing page look more legitimate with fake Google reCAPTCHAs.

Video: HackerOne CEO on the Evolving Bug Bounty Landscape

Threatpost talks to HackerOne CEO Marten Mickos on the EU's funding of open source bug bounty programs, how a company can start a program, and the next generation of bounty hunters.

Threatpost News Wrap Podcast For Feb. 22

From password manager vulnerabilities to 19-year-old flaws, the Threatpost team broke down this week's biggest news stories.

Adobe Re-Patches Critical Acrobat Reader Flaw

Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader - a week after the original fix.

19-Year-Old WinRAR Flaw Plagues 500 Million Users

Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR.

Separ Malware Plucks Hundreds of Companies’ Credentials in Ongoing Phish

An ongoing phishing campaign is targeting hundreds of businesses to steal their email and browser credentials using a simply - but effective - malware.

GitHub Increases Rewards, Scope For Bug-Bounty Program

GitHub is offering unlimited rewards for critical vulnerabilities - and has added "safe harbor" terms to its bug bounty program.

Eight Cryptojacking Apps Booted From Microsoft Store

The eight apps were secretly stealing victims' CPU power to mine for Monero.

Ultra-Sneaky Phishing Scam Swipes Facebook Credentials

Researchers warn that the phishing campaign looks "deceptively realistic."

Threatpost Poll: Over Half of Firms Asked Struggle with Mobile Security

A Threatpost poll found that 52 percent don't feel prepared to prevent a mobile security incident from happening. The results reflect a challenging mobile security landscape.

Coffee Meets Bagel Dating App Warns Users of Breach

The dating site said users' names and email addresses that were added to the system prior to May 2018 may be impacted.

Google Play Cracks Down on Malicious Apps

Google Play said that app suspensions increased by 66 percent in 2018 on its platform.

Unpatched Apple macOS Hole Exposes Safari Browsing History

There are no permission dialogues for apps in certain folders for macOS Mojave, which allows a malicious app to spy on browsing histories..

Critical WordPress Plugin Flaw Allows Complete Website Takeover

Users of the popular plugin, Simple Social Buttons, are encouraged to update to version 2.0.22.

Xiaomi M365 Electric Scooter Hacked and Remotely Controlled

Hackers up to 100 meters away could take over Xiaomi M365 scooters to brake or accelerate them.

Threatpost Poll: Is It Impossible to Secure Mobile Devices?

From spyware to leaky apps, mobile devices are facing a heightened level of threats. Are we prepared to secure them?

Temporary Patch Released For Adobe Reader Zero-Day

The zero-day flaw in Adobe Reader DC could allow bad actors to steal victims’ NTLM hashes.

First ‘Clipper’ Malware Discovered on Google Play

A fake MetaMask app is the first instance of this new type of cryptocurrency stealer appearing outside of shady third-party app stores.

Google Boosts Encryption For Low-End Android Devices

Google's Adiantum boosts encryption for low-end devices with processors that do not have hardware support for AES.

FireOS Flaw Allowed Limited Content Injection in Amazon Tablets

A vulnerability in FireOS, the Amazon Fire Tablet's operating system, has been patched.

Apple Fixes Pesky FaceTime Bug in iOS 12.1.4 Update

Apple's iOS 12.1.4 fixes a FaceTime bug that made headlines last week.

Flaw in Multiple Airline Systems Exposes Passenger Data

Up to eight airlines do not encrypt e-ticketing booking systems - leaving personal customer data open for the taking.

MacOS Zero-Day Exposes Apple Keychain Passwords

A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.

Clever Phishing Attack Enlists Google Translate to Spoof Login Page

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google's translate feature.

Microsoft Confirms Serious ‘PrivExchange’ Vulnerability

The elevated privilege flaw exists in Microsoft Exchange and would allow a remote attacker to impersonate an administrator.

IoT Scale Flaws Enable Denial of Service, Privacy Issues

Flaws in this connected smart scale might give the diet-challenged a legitimate reason to be nervous.

EU Recalls Children’s Smartwatch That Leaks Location Data

The children's smartwatch allows bad actors to track their location and communicate with them, according to the alert.

Spy Campaign Spams Pro-Tibet Group With ExileRAT

Referencing the Dalai Lama, the spam campaign is targeting recipients of a mailing list run by the Central Tibetan Administration.

‘Collection #1’ Data Dump Hacker Identified

Despite several threat actors stating they are behind a massive 773M credential dump, researchers believe they have found the real distributor.

Houzz Urges Password Resets After Data Breach

The decorating website said that account usernames, passwords and more have been compromised as part of a breach.

Threatpost News Wrap Podcast For Feb. 1

From Facebook's research app being pulled from iOS devices to a new-found dump of compromised credentials, here are the top news of the week.

Facebook Boots Hundreds of Iran-Linked Accounts For Spreading Misinformation

Facebook is continuing to crack down on misinformation, political meddling, and "coordinated inauthentic behavior" on its platform.

U.S. Government Goes After North Korea’s Joanap Botnet

The Department of Justice is looking to dismantle the Joanap botnet, which has been built and controlled by North Korea-linked hackers since 2009.

Google Pulls Data-Chugging App From iOS Devices

A day after Facebook was dinged for shady iOS distribution techniques of its data-collecting research app, Google was discovered using the same methods for its own app.

Mac “CookieMiner” Malware Aims to Gobble Crypto Funds

A newly discovered malware steals cookies, credentials and more to break into victims' cryptocurrency exchange accounts.

Apple Blasts Facebook Over Data-Sucking ‘Research’ App

Another one of Facebook's apps has been banned from Apple's ecosystem due to the level of data that it collects and how it was distributed.

Mozilla Firefox 65 Ups the Ante on Privacy with Anti-Tracking Efforts

Firefox 65 rolls out new redesigned privacy controls as part of Mozilla's anti-tracking promise.

Apple Disables Group FaceTime Following Major Privacy Glitch

The bug allows iPhone users to FaceTime other iOS users and eavesdrop on their conversations - even when the other end of the line doesn't pick up.

Researchers Allege ‘Systemic’ Privacy, Security Flaws in Popular IoT Devices

A report found that a dozen connected devices are open to several security and privacy issues.

WordPress Users Urged to Delete Zero-Day-Ridden Plugin

The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers.

Threatpost News Wrap Podcast For Jan. 25

From a massive GDPR fine on a big tech company, to an emergency government security alert, here are the top security stories of the week.

Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch

A spate of phishing emails with Word attachments deliver both the Gandcrab ransomware and Ursnif executable.

ThreatList: Credential-Sniffing Phishing Attacks Erupted in 2018

Credential compromise emerged the main target for phishing campaigns in 2018 - rather than infecting victims' devices with malware.

Malware in Ad-Based Images Targets Mac Users

Researchers detected 191,970 bad ads and estimates that around 1 million users were impacted.

U.S. Gov Issues Urgent Warning of DNS Hijacking Attacks

An emergency directive from the Department of Homeland Security provides "required actions" for U.S. government agencies to prevent widespread DNS hijacking attacks.

Microsoft Windows RCE Flaw Gets Temporary Micropatch

0patch released the fix for the remote code execution vulnerability in Windows, which has a CVSS score of 7.8.

Adobe Issues Unscheduled Updates for Experience Manager Platform

The patches are part of Adobe's second unscheduled update this month.

Google Play Removes Malicious Malware-Ridden Apps

Two apps on Google Play were infecting devices with the Anubis mobile banking trojan.

Threatpost News Wrap Podcast For Jan. 18

Threatpost editors break down the top headlines from the week ended Jan. 18.

Twitter Android Glitch Exposed Private Tweets for Years

Twitter has fixed the issue, which has been ongoing since 2014.

Microsoft Launches Azure DevOps Bug Bounty Program

Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.

Apple CEO Demands Federal Data Privacy Legislation

Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.

Cryptomining Malware Uninstalls Cloud Security Products

New samples of cryptomining malware performs a never-before-seen function: uninstalling cloud security products.