Phishing emails target a bank's users with malware - and make their landing page look more legitimate with fake Google reCAPTCHAs.
Threatpost talks to HackerOne CEO Marten Mickos on the EU's funding of open source bug bounty programs, how a company can start a program, and the next generation of bounty hunters.
From password manager vulnerabilities to 19-year-old flaws, the Threatpost team broke down this week's biggest news stories.
Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader - a week after the original fix.
Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR.
This entry was posted in ace format , code execution , file compression , patch , path traversal flaw , proof-of-concept exploit , update , Vulnerabilities , Vulnerability , WinRAR on February 21, 2019 by Lindsey O'Donnell .
An ongoing phishing campaign is targeting hundreds of businesses to steal their email and browser credentials using a simply - but effective - malware.
This entry was posted in adobe , credential , credential stealer , credential theft , hacks , malicious PDF , Malware , ongoing campaign , pdf , Separ , Vulnerabilities on February 20, 2019 by Lindsey O'Donnell .
GitHub is offering unlimited rewards for critical vulnerabilities - and has added "safe harbor" terms to its bug bounty program.
The eight apps were secretly stealing victims' CPU power to mine for Monero.
Researchers warn that the phishing campaign looks "deceptively realistic."
A Threatpost poll found that 52 percent don't feel prepared to prevent a mobile security incident from happening. The results reflect a challenging mobile security landscape.
The dating site said users' names and email addresses that were added to the system prior to May 2018 may be impacted.
This entry was posted in 617 million records , breach , coffee meets bagel , dark web , Data Breach , dating app , okcupid , Phishing , Scams , Security Flaw , valentine's day on February 14, 2019 by Lindsey O'Donnell .
Google Play said that app suspensions increased by 66 percent in 2018 on its platform.
There are no permission dialogues for apps in certain folders for macOS Mojave, which allows a malicious app to spy on browsing histories..
This entry was posted in app folder permissions , apple , apple security bug , High Sierra , macOS , macOS Mojave , Mobile Security , safari browsing history , spy , Vulnerabilities , Vulnerability , web security on February 13, 2019 by Lindsey O'Donnell .
Users of the popular plugin, Simple Social Buttons, are encouraged to update to version 2.0.22.
Hackers up to 100 meters away could take over Xiaomi M365 scooters to brake or accelerate them.
From spyware to leaky apps, mobile devices are facing a heightened level of threats. Are we prepared to secure them?
The zero-day flaw in Adobe Reader DC could allow bad actors to steal victims’ NTLM hashes.
This entry was posted in adobe , adobe reader , adobe reader dc , excel style sheet , Fix , micropatch , NTLM hash , password , SMB server , Vulnerabilities , web security on February 11, 2019 by Lindsey O'Donnell .
A fake MetaMask app is the first instance of this new type of cryptocurrency stealer appearing outside of shady third-party app stores.
Google's Adiantum boosts encryption for low-end devices with processors that do not have hardware support for AES.
A vulnerability in FireOS, the Amazon Fire Tablet's operating system, has been patched.
Apple's iOS 12.1.4 fixes a FaceTime bug that made headlines last week.
Up to eight airlines do not encrypt e-ticketing booking systems - leaving personal customer data open for the taking.
A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.
A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google's translate feature.
The elevated privilege flaw exists in Microsoft Exchange and would allow a remote attacker to impersonate an administrator.
Flaws in this connected smart scale might give the diet-challenged a legitimate reason to be nervous.
The children's smartwatch allows bad actors to track their location and communicate with them, according to the alert.
Referencing the Dalai Lama, the spam campaign is targeting recipients of a mailing list run by the Central Tibetan Administration.
This entry was posted in 60th anniversary , central tibetan administration , CTA , Dalai Lama , espionage , ExileRAT , government , rat , Remote Access Trojan , spam campaign , Tibet , tibet was never part of china , web security on February 4, 2019 by Lindsey O'Donnell .
Despite several threat actors stating they are behind a massive 773M credential dump, researchers believe they have found the real distributor.
The decorating website said that account usernames, passwords and more have been compromised as part of a breach.
From Facebook's research app being pulled from iOS devices to a new-found dump of compromised credentials, here are the top news of the week.
Facebook is continuing to crack down on misinformation, political meddling, and "coordinated inauthentic behavior" on its platform.
The Department of Justice is looking to dismantle the Joanap botnet, which has been built and controlled by North Korea-linked hackers since 2009.
A day after Facebook was dinged for shady iOS distribution techniques of its data-collecting research app, Google was discovered using the same methods for its own app.
This entry was posted in app privacy , apple , data privacy , Facebook app , facebook research , Google , google .app , Mobile Security , Privacy , Screenwise meter , web security on January 31, 2019 by Lindsey O'Donnell .
A newly discovered malware steals cookies, credentials and more to break into victims' cryptocurrency exchange accounts.
This entry was posted in cookie miner , credentials , cryptocurrency , cryptomining , exchanges , Mac , Malware , miner , Mobile Security , Stealing , xmrrig2 on January 31, 2019 by Lindsey O'Donnell .
Another one of Facebook's apps has been banned from Apple's ecosystem due to the level of data that it collects and how it was distributed.
This entry was posted in app privacy , apple , banned , data collection , enterprise developer , facebook , Facebook privacy , facebook research project , Mobile Security , Onavo Protect , paid data tracking , Privacy , Project atlas , teens , web security on January 30, 2019 by Lindsey O'Donnell .
Firefox 65 rolls out new redesigned privacy controls as part of Mozilla's anti-tracking promise.
The bug allows iPhone users to FaceTime other iOS users and eavesdrop on their conversations - even when the other end of the line doesn't pick up.
A report found that a dozen connected devices are open to several security and privacy issues.
The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers.
From a massive GDPR fine on a big tech company, to an emergency government security alert, here are the top security stories of the week.
This entry was posted in DNS , DNS Hijacking , Domain , GDPR , Google , government , homeland security , Podcast , Podcasts , Privacy on January 25, 2019 by Lindsey O'Donnell .
A spate of phishing emails with Word attachments deliver both the Gandcrab ransomware and Ursnif executable.
Credential compromise emerged the main target for phishing campaigns in 2018 - rather than infecting victims' devices with malware.
Researchers detected 191,970 bad ads and estimates that around 1 million users were impacted.
An emergency directive from the Department of Homeland Security provides "required actions" for U.S. government agencies to prevent widespread DNS hijacking attacks.
This entry was posted in Alert , cyberattack , Department of Homeland Security , DNS hijack , DNS Hijacking , Domain Name System , government , government warning , hack , hacks , Iran on January 23, 2019 by Lindsey O'Donnell .
0patch released the fix for the remote code execution vulnerability in Windows, which has a CVSS score of 7.8.
The patches are part of Adobe's second unscheduled update this month.
Two apps on Google Play were infecting devices with the Anubis mobile banking trojan.
Threatpost editors break down the top headlines from the week ended Jan. 18.
Twitter has fixed the issue, which has been ongoing since 2014.
Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.
Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.
New samples of cryptomining malware performs a never-before-seen function: uninstalling cloud security products.