Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Login Credentials. Show all posts
Login Credentials
AI in robotics AI password attacks Cyber Security Data protection data security Device Security Login Credentials

Yarbo Robotic Lawnmower Flaw Exposed Thousands of Devices With Shared Passwords

 

A single password opened thousands of Yarbo’s robot mowers worldwide, leaving owners in over thirty nations vulnerable without knowing it. While testing how these smart devices manage login requests, analyst Andreas Makris spotted the weak point - simple as typing “admin” into a forgotten backdoor. Some of these exposed devices operate using Linux platforms, linked straight to the web, depending on camera inputs, location signals, wireless links - also automatic map functions. 

Units across many regions used identical preset login details, investigators found. Remote entry into such hardware could happen without consent, Makris explained. Midway through the review, personal data came into view - email addresses, exact lawn mower locations, and network credentials laid bare. Testing revealed a real-time display pinpointing above 11,000 units active in at least thirty nations. 

While examining traffic patterns, digital trails linked each machine to specific geographic points. Visibility extended beyond basic details once hidden layers were uncovered. Not just limited to leaked information, the dangers included remote hijacking of lawn robots. Through experiments, scientists showed unauthorized users might trigger motion controls, switch on built-in imaging tools, while also probing residential networks for weak spots - all from a distance. 

Operating much like standard web-linked machines, these gadgets may end up pulled into coordinated hacking efforts. Such capabilities raise concern about their role in broader digital threats. A test shown to journalists supposedly let someone in Germany steer a 200-pound lawn mower near a home in New York, though they were separated by thousands of miles. Commands sent from afar took priority over hands-on operation, yet people close by received no warning when shifts occurred.  
Warnings emerged about gadgets placed close to critical infrastructure raising wider safety risks. Not far from power stations or manufacturing zones, fragile automated machines might operate, Makris noted - highlighting growing unease over threats to both physical setups and digital networks. Fixing the problem via firmware patches did not work - systems kept falling back to identical default passwords. 

Even after updates, the same login details resurfaced across devices. Experts pointed out that swapping passwords alone misses larger flaws: built-in factory access remains, while remote management tools stay vulnerable by design. Later, Yarbo admitted the issues once details emerged. Though based openly in New York, it holds ties to Hanyang Tech located in Shenzhen, China. Reports indicate the firm shut down some remote diagnostics pathways following scrutiny. 

Root passwords were reset shortly afterward. Access without authentication saw restrictions applied. Instead of using one password for every machine, new measures shifted toward unique credentials per device. Despite pledges of improved audit mechanisms and stricter controls on remote diagnostics, concerns lingered. Backdoor-style access by manufacturers allegedly persists in the equipment, skeptics noted - undermining claims of real change. Hidden backdoors and minimal built-in safeguards in smart gadgets are drawing sharper scrutiny, according to researchers. 

With households increasingly using AI-powered tools, robotic aids, or connected sensors, vulnerabilities multiply. Instead of isolated digital leaks, failures might now trigger real-world harm - door locks failing, cameras hijacked, entire home networks invaded. Security flaws once seen as minor glitches may now enable intrusions beyond data theft. 

When manufacturers skip strong defaults, everyday convenience turns into risk points across neighborhoods. Because these devices interact physically with environments, weaknesses aren’t just virtual - they can reach into living rooms, garages, even children's bedrooms. So while automation spreads rapidly, oversight lags behind, leaving gaps attackers can exploit.
Read more »
stolen data
BWH Hotels Data Breach Login Credentials scams stolen data

BWH Hotels Confirms Cyberattack Exposed Customer Reservation Information

 



BWH Hotels, the parent company of hotel brands including Best Western Hotels & Resorts, WorldHotels, and SureStay Hotels, has disclosed a cybersecurity incident that exposed sensitive guest reservation data.

The company recently began notifying affected individuals after detecting unauthorized access within its systems earlier this year. According to the breach notification, BWH Hotels discovered the incident on April 22, 2026. The organization said attackers managed to obtain customer information stored within a web application connected to hotel reservations.

The stolen data reportedly includes customers’ names, email addresses, phone numbers, and home mailing addresses. Reservation-related details were also accessed, including booking confirmation numbers, stay dates, and special requests submitted by guests during reservations.

While the company did not reveal how many individuals were impacted, the exposed information appears to cover records generated between October 14, 2025, and April 22, 2026. BWH Hotels also did not specify how long the attackers may have remained inside its systems before the intrusion was identified.

According to the company’s Chief Technology Officer Bill Ryan, the attackers exploited a weakness in a web-based application that stored certain guest reservation information. However, the company stated that the compromised environment did not contain customers’ payment card details or banking information.

After identifying the intrusion, BWH Hotels said it immediately disabled the affected application and blocked the unauthorized access. The company also confirmed that external cybersecurity specialists were brought in to assist with the investigation, incident response, and additional security improvements.

Ryan further warned customers to remain cautious when receiving unexpected communications related to hotel reservations or travel bookings. Cybercriminals frequently use stolen reservation data to launch convincing phishing campaigns by impersonating hotels, travel agencies, or customer support teams.

The company advised customers not to respond to suspicious emails, text messages, WhatsApp messages, or phone calls requesting payments, login credentials, security codes, or verification details, even if those communications appear to reference an upcoming reservation or a BWH Hotels property. Customers were also encouraged to visit official websites directly instead of clicking links sent through messages.

Cybersecurity experts have repeatedly warned that hospitality companies remain attractive targets for attackers because hotel reservation systems store large volumes of personal information connected to travel activity. Even when financial records are not exposed, reservation data can still be valuable for social engineering scams, identity fraud, and targeted phishing operations.

In recent years, researchers have observed a rise in travel-related phishing schemes where attackers use stolen booking information to send fake payment requests or fraudulent reservation updates. Because these messages often contain real travel dates or hotel details, victims may find them more believable than ordinary scam attempts.

BWH Hotels operates approximately 4,300 properties across more than 100 countries and generates annual revenue exceeding $8.5 billion, making it one of the largest hospitality groups globally. The company has not publicly attributed the incident to any specific threat actor, and it remains unclear whether additional customer information may have been affected as the investigation continues.

Read more »
phishing
Cyber Security Fake Domains Login Credentials Microsoft phishing

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials

 




A new phishing operation is misleading users through an extremely subtle visual technique that alters the appearance of Microsoft’s domain name. Attackers have registered the look-alike address “rnicrosoft(.)com,” which replaces the single letter m with the characters r and n positioned closely together. The small difference is enough to trick many people into believing they are interacting with the legitimate site.

This method is a form of typosquatting where criminals depend on how modern screens display text. Email clients and browsers often place r and n so closely that the pair resembles an m, leading the human eye to automatically correct the mistake. The result is a domain that appears trustworthy at first glance although it has no association with the actual company.

Experts note that phishing messages built around this tactic often copy Microsoft’s familiar presentation style. Everything from symbols to formatting is imitated to encourage users to act without closely checking the URL. The campaign takes advantage of predictable reading patterns where the brain prioritizes recognition over detail, particularly when the user is scanning quickly.

The deception becomes stronger on mobile screens. Limited display space can hide the entire web address and the address bar may shorten or disguise the domain. Criminals use this opportunity to push malicious links, deliver invoices that look genuine, or impersonate internal departments such as HR teams. Once a victim believes the message is legitimate, they are more likely to follow the link or download a harmful attachment.

The “rn” substitution is only one example of a broader pattern. Typosquatting groups also replace the letter o with the number zero, add hyphens to create official-sounding variations, or register sites with different top level domains that resemble the original brand. All of these are intended to mislead users into entering passwords or sending sensitive information.

Security specialists advise users to verify every unexpected message before interacting with it. Expanding the full sender address exposes inconsistencies that the display name may hide. Checking links by hovering over them, or using long-press previews on mobile devices, can reveal whether the destination is legitimate. Reviewing email headers, especially the Reply-To field, can also uncover signs that responses are being redirected to an external mailbox controlled by attackers.

When an email claims that a password reset or account change is required, the safest approach is to ignore the provided link. Instead, users should manually open a new browser tab and visit the official website. Organisations are encouraged to conduct repeated security awareness exercises so employees do not react instinctively to familiar-looking alerts.


Below are common variations used in these attacks:

Letter Pairing: r and n are combined to imitate m as seen in rnicrosoft(.)com.

Number Replacement: the letter o is switched with the number zero in addresses like micros0ft(.)com.

Added Hyphens: attackers introduce hyphens to create domains that appear official, such as microsoft-support(.)com.

Domain Substitution: similar names are created by altering only the top level domain, for example microsoft(.)co.


This phishing strategy succeeds because it relies on human perception rather than technical flaws. Recognising these small changes and adopting consistent verification habits remain the most effective protections against such attacks.



Read more »
Vulnerabilities and Exploits
Browser Clickjacking links Login Credentials Password Manager Vulnerabilities and Exploits

Password Managers Face Clickjacking Flaw, Millions of Users at Risk



For years, password managers have been promoted as one of the safest ways to store and manage login details. They keep everything in one place, help generate strong credentials, and protect against weak or reused passwords. But new research has uncovered a weakness in several widely used browser extensions that could expose sensitive information for millions of people.


Details about the flows

Security researchers recently found that 11 different password manager extensions share a vulnerability linked to the way they rely on the Document Object Model (DOM). The DOM is part of how web pages are structured, and in this case, it opens a door to a technique known as “clickjacking.”

Clickjacking works by tricking users into clicking on invisible or disguised elements of a web page. For example, a malicious site may look legitimate but contain hidden layers. A single misplaced click can unintentionally activate the password manager’s autofill function. Once that happens, the manager may begin entering saved credentials directly into the attacker’s page.

The danger lies in how quietly this happens. Users often close the site without realizing that their passwords or even stored credit card information and personal details like addresses or phone numbers may already have been copied by attackers.


The scale of the issue

The affected list includes some of the most recognized password managers in the industry. An estimated 40 million users worldwide could be impacted. While some companies have already addressed the issue through updates, not all providers have released fixes yet. For example, RoboForm has patched its extension, and Bitwarden has rolled out a new version. However, others remain in the process of responding.


Protecting yourself

There is no universal fix for clickjacking, but users can take important steps to reduce risk:

1. Be cautious with links: Avoid clicking on unfamiliar or suspicious links, even if they appear genuine. It is always safer to type the website address directly or use trusted bookmarks.

2. Update your tools: Make sure your password manager extension is up to date. Updates often contain security fixes that block known vulnerabilities.

3. Change autofill settings: If you use a Chromium-based browser, switch your password manager’s autofill to “on-click.” This ensures that details are only filled in when you actively choose to do so.

4. Disable unnecessary autofill: Consider turning off automatic completion for personal information like email addresses in your browser settings.


The bottom line

Password managers are still an essential tool for safe online habits, but like any technology, they are not immune to flaws. Staying alert, practicing careful browsing, and keeping your software updated can substantially lower the risk. Until every provider has addressed the vulnerability, users should take extra precautions to keep their digital identities secure.



Read more »
personal data leak
Data Breach Data Leak data security Data stealing malware Database Breach Infostealer Infostealer Malware Login Credentials Login Security Malware attacks personal data leak

Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

 

A recent investigation by Cybernews has uncovered a staggering 30 separate online datasets containing approximately 16 billion stolen login credentials from services including Apple, Google, and Facebook. These data dumps, discovered through open sources, appear to be the result of large-scale malware attacks that harvested user information through infostealers. 

Each dataset contains a URL alongside usernames and passwords, suggesting that malicious software was used to collect login details from infected devices. While some overlap exists among the records, the overall size and spread of the leak make it difficult to determine how many unique users have been compromised. 

Except for one dataset previously identified by cybersecurity researcher Jeremiah Fowler—which included over 185 million unique credentials—most of the remaining 29 databases had not been publicly reported before. These leaked collections are often only temporarily available online before being removed, but new compilations are regularly uploaded, often every few weeks, with fresh data that could be weaponized by cybercriminals. The exact sources and individuals behind these leaks remain unknown. 

To avoid falling victim to similar malware attacks, experts advise staying away from third-party download platforms, especially when obtaining software for macOS. Users are encouraged to download apps directly from the Mac App Store or, if not available there, from a developer’s official website. Using cracked or pirated software significantly increases the risk of malware infection. 

Phishing scams remain another common threat vector. Users should be cautious about clicking on links in unsolicited emails or messages. Even if a message appears to come from a trusted company, it’s vital to verify the sender’s address and inspect URLs carefully. You can do this by copying the link and pasting it into a text editor to see its actual destination before clicking. 

To reduce the chance of visiting malicious sites, double-check the spelling of URLs typed manually and consider bookmarking commonly used sites. Alternatively, using a search engine and clicking on verified results can reduce the risk of visiting typo-squatting domains. 

If you suspect your credentials may have been compromised, take immediate action. Start by updating passwords on any affected services and enabling two-factor authentication for added security. It’s also wise to check your financial statements for unauthorized activity and consider placing a freeze on your credit file to prevent fraudulent account openings. 

Additionally, tools like Have I Been Pwned can help verify if your email address has been part of a known breach. Always install the latest system and app updates, as they often include crucial security patches. Staying current with updates is a simple but effective defense against vulnerabilities and threats.
Read more »
PumaBot
Data Login Credentials malware Passwords PumaBot

PumaBot: A New Malware That Sneaks into Smart Devices Using Weak Passwords

 


A recently found malware called PumaBot is putting many internet-connected devices at risk. This malicious software is designed to attack smart systems like surveillance cameras, especially those that use the Linux operating system. It sneaks in by guessing weak passwords and then quietly takes over the system.


How PumaBot Finds Its Victims

Unlike many other threats that randomly scan the internet looking for weak points, PumaBot follows specific instructions from a remote command center. It receives a list of selected device addresses (known as IPs) from its control server and begins attempting to log in using common usernames and passwords through SSH — a tool that lets people access devices remotely.

Experts believe it may be going after security and traffic camera systems that belong to a company called Pumatronix, based on clues found in the malware’s code.


What Happens After It Breaks In

Once PumaBot gets into a device, it runs a quick check to make sure it's not inside a fake system set up by researchers (known as a honeypot). If it passes that test, the malware places a file on the device and creates a special service to make sure it stays active, even after the device is restarted.

To keep the door open for future access, PumaBot adds its own secret login credentials. This way, the hackers can return to the device later, even if some files are removed.


What the Malware Can Do

After it takes control, PumaBot can be told to:

• Steal data from the device

• Install other harmful software

• Collect login details from users

• Send stolen information back to the attackers

One tool it uses captures usernames and passwords typed into the device, saves them in a hidden file, and sends them to the hackers. Once the data is taken, the malware deletes the file to cover its tracks.


Why PumaBot Is Concerning

PumaBot is different from other malware. Many botnets simply use infected devices to send spam or run large-scale attacks. But PumaBot seems more focused and selective. Instead of causing quick damage, it slowly builds access to sensitive networks — which could lead to bigger security breaches later.


How to Protect Your Devices

If you use internet-connected gadgets like cameras or smart appliances, follow these safety steps:

1. Change factory-set passwords immediately

2. Keep device software updated

3. Use firewalls to block strange access

4. Put smart devices on a different Wi-Fi network than your main systems

By following these tips, you can lower your chances of being affected by malware like PumaBot.

Read more »
Passwords
Cyber Security Login Credentials Oracle Passwords

Hacker Claims Oracle Cloud Breach, Threatens to Leak Data

 



A hacker who goes by the name “Rose87168” is claiming to have broken into Oracle Cloud systems and is now threatening to release or sell the data unless their demands are met. According to security researchers, this person says they’ve gained access to information from over 140,000 accounts, with a total of 6 million records.

Oracle has not confirmed that any such breach took place. At first, the company denied the claims. Since then, they’ve chosen not to respond to questions about the situation. However, cybersecurity experts are beginning to find signs that support the hacker’s story.

One group of researchers believes that the attack may have happened through a flaw in how users log in. They suggest that the hacker may have found a hidden security weakness or a problem in Oracle's login system, which let them get in without needing a password. This could be tied to a previously reported vulnerability in Oracle’s software, which has been labeled a high risk by experts. That earlier issue allowed anyone with internet access to take over accounts if not fixed.

The hacker claims the stolen material includes sensitive information like login credentials, passwords for internal systems, and private security keys. These are all crucial for keeping accounts and data secure. If leaked, this information could lead to unauthorized access to many companies’ services and customer details.

Researchers have examined some of the data provided by the hacker and say it appears to be genuine. Another security group, Trustwave SpiderLabs, also looked into the case. They confirmed that the hacker is now offering the stolen data for sale and allowing buyers to choose what they want to purchase based on specific details, like company names or encrypted passwords.

Experts from both teams say the evidence strongly suggests that the breach is real. However, without a statement from Oracle, nothing is officially confirmed.

This situation is a reminder of how critical it is for companies to keep their systems up to date and to act quickly when possible flaws are discovered. Businesses that use cloud services should check their security settings, limit unnecessary access, and apply all software updates as soon as they are available.

Staying alert and following good cybersecurity habits can reduce the chances of being affected by incidents like this.


Read more »
Malwares
browser credential theft Browser Extension Cyber Attacks Login Credentials Malicious Browser Extension Malware attacks Malwares

New Malware Impersonates Browser Extensions to Steal Login Credentials

 

Cybercriminals are continually evolving their tactics to evade antivirus detection and trick users into installing malicious software. One of the latest threats involves malware that impersonates legitimate browser extensions, allowing attackers to steal login credentials while remaining undetected. Although this discovery is concerning, researchers have identified the vulnerability before it could be widely exploited, giving security teams time to respond. 

According to a report by SquareX Labs, this attack starts with scammers developing seemingly useful browser extensions, such as an AI-powered transcription tool. To avoid malware detection, they distribute the extension outside official platforms like the Chrome Web Store or Google Play. Users are then encouraged to pin the extension for easy access, allowing it to quietly monitor their browsing habits over time. 

Once installed, the malicious extension collects data on the user’s existing extensions, particularly those used for handling sensitive information, such as password managers. When the right opportunity arises, it disables the legitimate extension and replaces its icon with an identical version. If the user attempts to access their password manager, they unknowingly interact with the fake extension instead. 

To further deceive users, the fraudulent extension displays a message stating that their session has expired, requiring them to log in again. However, rather than accessing their accounts, victims unknowingly submit their credentials directly to cybercriminals. With this information, attackers can break into password vaults, gaining access to sensitive data, stored passwords, and linked accounts. This method is particularly dangerous because it exploits trust in well-known extensions. 

Unlike traditional phishing attempts, which rely on fake websites or deceptive emails, this attack leverages the user’s own browser environment, making it harder to detect. Victims may not realize they’ve been compromised until they notice unauthorized activity on their accounts. Despite the sophistication of this attack, there is no immediate reason for panic. Security researchers identified the exploit before cybercriminals could widely deploy it, and browser developers have been alerted to the risk. 

However, this incident underscores the importance of practicing good cybersecurity habits. Users should only install browser extensions from trusted sources like the Chrome Web Store, avoid third-party downloads, and check reviews before installation. 

Additionally, enabling multi-factor authentication (MFA) on important accounts can provide an extra layer of security, reducing the risk of credential theft. As cyber threats continue to evolve, staying informed and cautious about software installations remains crucial to maintaining online security.
Read more »
Technology INdustry
Cyberattacks CyberCrime Data Breach Data Security Breach EMBARGO Hackers Login Credentials Non Bank Lender Stock Exchange Technology INdustry

Australia's Premier Non-Bank Lender Suffers Data Security Breach

 


One of Australia's largest non-bank mortgage lenders, Firstmac, has suffered a cyberattack, which resulted in customer information such as credit card and passport numbers, Medicare numbers and driver's licence numbers being stolen and published on the dark web. In a letter sent to its customers, the Brisbane-based lender informed them that one of its information technology systems had been successfully breached by an unauthorised third party, making it one of Australia's largest non-bank lenders. 

According to the non-bank lender, hackers have taken possession of nearly ten thousand driver's licenses and two hundred and fifty thousand "customer records" over the last few days. The company notified the Australian Stock Exchange of the incident. As a result of the unusual activity it has detected on its systems "in the last few days," the company has suspended trading until Monday. The hackers were said to be very sophisticated.

There is no indication that the hackers gained access to Latitude information held at two separate service providers by using employee login credentials - whether they have been stolen or if this was a credential stuffing attack - which they were not aware of. A consortium of investors, including KKR and Deutsche Bank, acquired Latitude from GE in 2015 to sell its credit cards and instalment payment plans to retailers. In 2021, the company became public. 

Firstmac Limited, one of the largest firms in the country, has informed its customers that it has suffered a data breach the day after an alleged theft of 500GB of data from the company by the new Embargo cyber-extortion group was uncovered. In the financial services industry of Australia, Firstmac is primarily known for its mortgage lending, investment management, and securitization services, which it provides to its clients. 

Based in Brisbane, Queensland, the company employs 460 people and has issued 100,000 home loans. At the moment, the firm manages around $15 billion in mortgage loans. Troy Hunt, the creator of Have I Been Pwned, published on X yesterday a sample of the notice letter sent to Firstmac's customers informing them of a major data breach. 

Cyberdaily, the technology industry publication, reported that a large amount of data was posted on the dark web by the hackers behind the attack. EMBARGO, a ransomware gang with roots in the Netherlands, is credited with the hack – which was carried out sometime in April, according to the publication. As a report points out, Firstmac was given a ransom deadline of May 8 by the gang, a deadline that seems to have lapsed since the gang did not appear to have met that deadline. 

Cyberdaily posted screenshots of the dark website EMBARGO, which provided customer information such as their loan and financial information, as well as their email addresses. Several FirstMac executives and IT departments were also published by the gang. It is unclear how many customers and employees have been affected by the breach. 

FirstMac has been contacted for further information. While Firstmac's security systems have been strengthened in recent months, it still assured its beneficiaries that their funds and accounts are safe, and the firm's systems have been bolstered to ensure this. There has been a new requirement that everyone who wants to change an account or add a card to an account will need to provide their two-factor authentication code or biometric information to verify their identity as one of the measures that increased security.

IDCare is offering free identity theft protection services for recipients of the notices. Users are advised to be cautious when responding to unsolicited correspondence and to regularly check their account statements for any unusual activity or transactions. As a resOn the newly formed threat group's extortion page, it appears that only two victims have been identified, and it is unclear whether or not the new threat group is doing their own data breaches, or if they have been buying stolen data from others intending to blackmail the owners. 

A sample of Embargo encryption has still not been found, so it is unknown if this is a ransomware group, or if they are simply aiming to profit by extorting funds. A large number of hacks against Australian servers were recorded in the 2022-23 financial year, which is an increase of more than 300 per cent compared to the previous financial year, according to the Australian Signals Directorate, an agency under the federal government responsible for security and information. 

A data breach was discovered late last year affecting Melbourne travel agency Inspiring Vacations, in which approximately 112,000 records, totalling 26.8 gigabytes of data, were exposed online as a result of an insecure database that couldn't be password protected. The recent data breach of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks has been labelled a "new normal" of constant attacks and breaches which have affected millions of Australians including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks among others. 

There have now been significant increases in penalties for serious or repeated breaches of customer data, largely due to the Optus breach in particular. As a result of the Embargo extortion group having announced the attack online on its site, there was extensive coverage by Australian media outlets about the attack on Firstmac which occurred at the end of April. Earlier this week, Embargo published all of the data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups, one day after they made a claim it had been stolen.
Read more »
User Privacy
Chrome Extension data security Data Theft Login Credentials Mobile Security User Privacy

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Customers at Roblox, the popular online game platform, are being targeted via malicious Google Chrome browser extension that attempts to siphon their passwords and private data. 

Threat analysts at Bleeping Computer uncovered two separate chrome extensions called SearchBlox, with more than 200,000 downloads, containing a backdoor that allow the hackers to steal users’ Roblox credentials and their Rolimons assets. 

It remains unclear clear whether the designer of these two extensions added the backdoor intentionally or if another hacker did, however, threat analysts were able to analyze their code and find the backdoor. 

The malicious extensions identified on the Chrome Web Store add a player search box to the users’ page that allows it to scan the game’s servers for other players. Although they have different icons, the extensions were both designed by the same developer and have identical descriptions. 

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. Upon scanning the comment section on its review page, Roblox players seemed quite satisfied with the extension before the backdoor was suddenly added, which indicates that a threat actor was responsible and not its developer TheM2. 

To mitigate the potential threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and alter the login credentials for Roblox, Rolimons, and other websites where they logged in while the extension was active. 

Additionally, the Google spokesperson confirmed that the extensions were removed immediately and would also be automatically erased from systems where they were installed. 

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. The extensions are block listed and will be automatically removed from any user machine that previously downloaded them." 

This is not the first instance Roblox users have been the victims of cybercrime. Earlier this year in May, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool which is utilized to inject exploits or cheat codes into Roblox. 

Malicious hackers exploited Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This has the potential to break applications, corrupt or erase data or even send data back to the attackers responsible.
Read more »
SharkBot
Data Google Play Hackers Login Credentials malware SharkBot

SharkBot Malware Returns to Google Play, to Steal Login Credentials

 

A new and updated version of the SharkBot malware has returned to Google's Play Store, targeting Android users' banking logins via apps with tens of thousands of installations. When submitted to Google's automatic review, the malware was found in two Android apps that did not contain any malicious code. SharkBot, on the other hand, is added in an update that takes place after the user installs and launches the dropper apps.

According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which have 60,000 installations combined. Although the two apps have been removed from Google Play, users who have installed them are still at risk and will require to uninstall them manually.

SharkBot has advanced now

SharkBot was discovered in October 2021 by malware analysts at Cleafy, an Italian online fraud management and prevention company. NCC Group discovered the first apps carrying it on Google Play in March 2022.

At the time, the malware was capable of performing overlay attacks, stealing data through keylogging, intercepting SMS messages, and granting threat actors complete remote control of the host device by abusing the Accessibility Services. 

ThreatFabric researchers discovered SharkBot 2 in May 2022, which included a domain generation algorithm (DGA), an updated communication protocol, and completely refactored code. On August 22, Fox-IT researchers discovered a new version of the malware (2.25) that adds the ability to steal cookies from bank account logins.

“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.

When the dropper app is installed, it contacts the command and control (C2) server and requests the malicious SharkBot APK file. The dropper then notifies the user that an update is available and instructs them to install the APK and grant all necessary permissions. SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm to make automated detection more complicated. 

About cookie-loving Sharkbot

SharkBot 2.25 retains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of them. When the victim logs into their bank account, SharkBot uses a new command ("logsCookie") to steal their valid session cookie and send it to the C2.

Cookies are useful for account takeovers because they contain software and location information that help bypass fingerprinting checks or, in some cases, the user authentication token itself. Throughout the investigation, Fox IT personnel discovered new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, and Austria) and the United States. 

The researchers discovered that the malware uses the keylogging feature in these attacks to steal sensitive information directly from the official app it targets. Fox IT expects SharkBot campaigns to continue and the malware to evolve now that an improved version of the malware is available.

Read more »
User Security
Countdown Timer Cyber Attacks Login Credentials Phishing Camapign User Security

Novel Phishing Campaign Employs Countdown Timer to Pressurize Victims

 

A new phishing campaign is forcing victims into entering their credentials by claiming their account will be deactivated and it employs a countdown timer to build the pressure. 

The malicious campaign begins with a text which claims to warn the recipient that an attempt to log in to their account from a location they haven't used before has been blocked and is offered a solution in the form of email verification, cybersecurity researchers at Cofense explained in a blog post. 

Ransomware attackers frequently employ fear tactics because sending victims into a state of panic means they're more likely to follow instructions, particularly if they've been told something is wrong with their accounts. 

What sets this phish apart from other campaigns is the countdown clock displayed to the recipient once the malicious link is accessed. The timer ticks down for an hour, claiming the user must enter their username and password to 'validate' their account before the countdown clock hits zero. 

The real scenario is completely different because nothing will be deleted even if the countdown timer reaches zero. The phishing campaign can only be successful if the targeted user falls into a trap and enters login credentials. 

Phishing attacks are one of the most common techniques hackers employ to steal usernames and passwords. Earlier this year in May, researchers at Zscaler's ThreatLabz identified a phishing campaign employing fake voicemails to exfiltrate data of US organizations across various industries, including software security, security solution providers, the military, healthcare, and pharmaceuticals. 

Tips to mitigate phishing attacks 

1. Employ MFA 

Using multi-factor authentication (MFA) can help protect accounts because even if the attacker knows the correct login credentials, the need for extra verification prevents them from being able to access the account, as well as providing a warning that something could be wrong. 

2. Get free anti-phishing add-ons 

Most browsers nowadays will enable you to download add-ons that spot the signs of a malicious website or alert you about known phishing sites. They are usually completely free so there’s no reason not to have them installed on every device in your organization. 

3. Don’t enter your credentials on an unsecured site 

If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.
Read more »
Windows
Credit Card Data data security Internet Explorer Login Credentials malware Malware Campaign Phishing Campaign Windows

Latest Phishing Campaign Deploys Malware and Steals Critical Information

A phishing campaign on a massive scale is targeting Windows PC and wants to deploy malware that can hack usernames, passwords, contents of the crypto wallets, and credit card credentials. Malware named RedLine Stealer is provided as a malware-as-a-service scheme, giving amateur level cybercriminals the option to steal various kinds of critical personal information, for amounts as much as $150. The malware first surfaced in 2020, but RedLine recently added a few additional features and is widely spread in large-scale spam campaigns in April. 

The phishing email campaign includes a malicious attachment which, if active, starts the process of deploying malware. Hackers target users (mostly) from Europe and North America. The malware uses CVE-2021-26411 exploits discovered in Internet Explorer to send the payload. The vulnerability was revealed last year and patched, to limit the malware's impact on users who are yet to install the security updates. Once executed, RedLine Stealer does starting recon against the target system, looking for information that includes usernames, the type of browser that the user has, and if an antivirus is running in the system. 

After that, it finds information to steal and then extracts passwords, credit card data, and cookies stored in browsers, crypto wallets, VPN login credentials, chat logs, and information from files. Redline can be bought from the dark web, hackers are offered services on different hierarchical levels, this shows how easy it has become to buy malware. Even noob hackers can rent the software for $100 or get a lifetime subscription for $800. 

The malware is very simple, but very effective, as it can steal vast amounts of data, and inexperienced hackers can take advantage of this. ZDNet reports "it's possible to protect against Redline by applying security patches, particularly for Internet Explorer, as that will prevent the exploit kit from taking advantage of the CVE-2021-26411 vulnerability." The users should keep their operating systems updated, anti-virus and apps updated, to prevent known vulnerabilities from getting exploited for distributing malware.

Read more »
Phishing emails
COVID-19 Cyber Crime cybercriminals Login Credentials Phishing emails

Cybercriminals Exploit Omicron as an Enticement to Steal University Credentials

 

Researchers at Proofpoint have discovered an uptick in email threats aimed mostly at North American institutions and aiming to steal university login credentials. COVID-19 themes, such as testing data and the new Omicron variant, are frequently used by threats. Proofpoint observed COVID-19 themes affecting educational institutions throughout the pandemic, but persistent, targeted credential theft attacks against universities began in October 2021. Following the disclosure of the new Omicron variant in late November, threat actors began using it in credential theft campaigns. 

According to Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, fraudsters frequently use news events to dupe their victims. “If there’s a significant event, be it a pandemic or a Super Bowl, it will be used as bait for phishing,” Callow said. 

According to Selena Larson, a senior threat intelligence analyst at Proofpoint and co-author of the blog post, the wave of phishing assaults mentioning the Delta, and now the Omicron, variations was extremely specific in its targeting of universities. She projected that the attacks will rise in the coming two months as colleges conduct more campus testing in response to both holiday travel and the emergence of the Omicron variation. 

The phishing emails utilized in these attacks contain either malicious attachments or URLs to pages designed to capture university account credentials. Although Proofpoint has identified several campaigns that use generic Office 365 login gateways, these counterfeit landing pages often replicate a university's official login portal. The threat actors behind some of these campaigns attempted to steal multifactor authentication (MFA) credentials by impersonating MFA providers such as Duo. An attacker can circumvent the second layer of security designed to keep out threat actors who already have access to a victim's credentials by stealing MFA tokens. 

Although a majority of the mails in these campaigns are transmitted through spoofed senders, Proofpoint has also detected threat actors using actual, compromised university accounts to send Covid-19 related threats. Attackers are most likely stealing credentials from colleges and sending the same threats to other universities via compromised mails. 

 To avoid becoming a victim of these or other email-based threats, university students should carefully check the email addresses of messages they receive, avoid clicking on any links in suspicious emails, and refrain from logging into their school's online portal after clicking on links in emails that appear to have originated from their university or college, said the researchers.
Read more »
Phishing Campaign
Cyber Security Login Credentials Microsoft 365 Multi-factor authentication Phishing Campaign

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email

 

Phishers are posing as Proofpoint, a cybersecurity company, in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such effort was launched against an undisclosed global communications business, with roughly a thousand personnel targeted solely within that company. 

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

A file apparently related to mortgage payments was the email's bait. The subject line, "Re: Payoff Request," was designed to trick targets into thinking it was part of an ongoing conversation, offering validity to the proceedings while also adding urgency. Users were led to a splash page with Proofpoint branding and login spoofs if they clicked on the "secure" email link embedded in the message. 

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to be abusing an Amazon service called Amazon Simple Email Service (SES), which allows developers to send email messages from their apps. According to Kaspersky, the campaign was based on a now-revoked stolen SES token used by a third-party contractor during the testing of the website 2050.earth. The 2050.earth website is a Kaspersky initiative that includes an interactive map depicting the future impact of technology on the Earth, as predicted by futurologists. Because the 2050.earth site is housed on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. 

Noreply@sm.kaspersky.com is one of the sender addresses used in these emails. The security alert cautioned that they come from a variety of sources, including Amazon Web Services infrastructure. The stolen SES token was only utilized in a restricted way, according to the company, as part of a larger campaign that targeted many brands. 

Social engineering, brand impersonation, and the utilization of genuine infrastructure are used in attacks like these to get through typical email security filters and consumers' eye checks. Armorblox made the following suggestions to protect against similar campaigns: 

 • Be wary of social engineering: Before opening an email, users should perform a visual inspection that involves looking at the sender's name, email address, language, and any logical flaws. 

 • Improve password hygiene: Implement multi-factor authentication (MFA) on all potential corporate and personal accounts, avoid the usage of the same password across several sites/accounts, and avoid passwords that are linked to publicly available data.
Read more »
QR Codes
Credential Phishing Cybersecurity Login Credentials malware Microsoft 365 QR Codes

Threat Actors Use QR Codes to Steal Login Credentials

 

Hackers are distributing phishing mails having QR codes in a cyberattack campaign built to extract login details of Microsoft 365 cloud apps. Passwords and usernames for cloud services of entreprises have become a main target for hackers, exploiting these to launch ransomware and malware attacks, or by selling stolen login details to other threat actors, who exploit it for their own campaigns. 

Threat Actors are finding sneaky opportunities to scam victims into opening malicious links that lead to phishing websites built to look like genuine Microsoft login webpages, and smartly selling the login credentials. 

Cybersecurity experts at Abnormal Security analyzed a recent campaign, the researchers sent various phishing mails which tried to use QR codes built to evade mail protections and steal login details. QR codes are useful when it comes to attempts malicious tasks, as standard mail security regulations like URL scanners don't detect any hint of suspected links or attachments in the email. 

The campaign is operated via email accounts hacked earlier, which allows hackers to send mails from authentic user accounts of companies to give a look of authenticity to these mails, and users believe it to be legitimate. As of now, experts are yet to confirm how threat actors are able to get control of these accounts used for sending phishing mails. 

As per experts, these phishing mails contain a voicemail message from the email account admin sending the mail, the target is requested to scan a QR code for listening to the voice mail. The QR codes sent to the victims were also created the same day. An earlier variant of the campaign tried to scam users into opening a malicious link by hiding it in an audio file. 

But, antivirus softwares were able to find and identify the malicious files, which made threat actors turning to QR codes. "While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen," ZDNet reports.
Read more »
Vulnerabilities and Exploits
Bug Cloud Provider Container Security Login Credentials User Data Vulnerabilities and Exploits

Microsoft Alerted Azure Customers of Bug That Could Have Allowed Hackers to Access Data

 

Microsoft alerted some Azure cloud computing users that a vulnerability uncovered by security experts might have given hackers access to their data. 

In a blog post from its security response team, Microsoft stated it had patched the issue identified by Palo Alto Networks and had no sign malicious attackers had exploited the technique. It further stated that certain users have been asked to change their login passwords as a preventive measure. 

The blog post was in response to an inquiry from Reuters regarding Palo Alto's technique. Microsoft refused to respond to any of the inquiries, including whether or not it was assured that no data had been accessed. 

Palo Alto researcher Ariel Zelivansky told Reuters in a previous interview that his team had cracked Azure's widely used platform for so-called containers, which store applications for users. 

According to him, the Azure containers utilized code that had not been updated to address a known vulnerability. As a result, the Palo Alto team was finally able to gain entire authority over a group that comprised containers from other users. 

Ian Coldwater, a longtime container security expert who evaluated Palo Alto's work at the request of Reuters stated, "This is the first attack on a cloud provider to use container escape to control other accounts." 

In July, Palo Alto reported the problem to Microsoft. Zelivansky added it took his team several months to complete the project and agreed that malicious hackers were unlikely to apply a similar approach in real-world attacks. 

Nonetheless, this is the second significant issue discovered in Microsoft's fundamental Azure infrastructure in less than a month. Wiz security specialists revealed a database vulnerability in late August that would've let one client modify the data of another. 

In both situations, Microsoft's remarks were directed to customers who may have been harmed by the researchers' work, rather than everyone who was put in danger by its own code. 

Microsoft wrote, "Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher's activities."

According to Coldwater, the issue stemmed from a failure to deploy fixes on time, something Microsoft has frequently faulted on its customers. He said that certain cloud security tools would have identified malicious assaults similar to the one predicted by the security firm and that logs would also indicate evidence of such activity. 

The research emphasized that security is a collective responsibility between cloud providers and clients. Cloud architectures, according to Zelivansky, are typically safe, Microsoft and other cloud providers can make improvements themselves rather than relying on customers to do so. 

He further added, cloud attacks by well-funded opponents such as sovereign governments, are a legitimate concern.
Read more »
User Security
Bug Customer Data Data Breach Data Leak Login Credentials Password User Data User Privacy User Security

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID -19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug resulted in prize redemption emails sent to prize winners, including the user names and passwords for the production and staging database servers. 

Troy Hunt released an unredacted screenshot of an exception fault in an email issued to prize winners with BleepingComputer, which includes critical information for the online application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply but later discovered that the staging server's password had been changed. 

Though this was not a unique incident, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”
Read more »
Security Researchers
attackers cloud storage Cyber Security Login Credentials Security Researchers

Hopper: A Tool Developed at Dropbox to Detect Lateral Movement Attacks

 

Hopper, a tool developed by Dropbox, UC Berkeley, and other organizations, adds a different method to spotting hostile activities in corporate networks. Hopper is a tool that examines an organization's login records to look for indicators of lateral movement attacks. The tool has two main components: a causality engine that tracks login paths and a score algorithm that determines which login paths contain lateral movement attack features. 

Dropbox, Inc., is an American corporation based in San Francisco, California. It offers cloud storage, file synchronization, personal cloud, and client software service. Dropbox organizes files into a single location on the user's computer by generating a dedicated folder. The contents of these folders are synchronized with Dropbox's servers as well as other computers and devices where the user has installed Dropbox, ensuring that all devices have the same files. 

Many data breaches and security issues in businesses begin with the compromising of a basic device or low-privileged user account. As attackers succeed, they acquire access to increasingly important systems and resources by moving beyond their initial point of entry to other workstations and administrator-level user accounts. This is referred to as "lateral movement," and it is a warning indication of an oncoming security disaster. 

It's difficult to tell the difference between typical user activity and malevolent lateral movement. Detecting the change in the past required establishing precise network activity rules or using anomaly detection methods. “Unfortunately, the scale of modern enterprises inherently produces large numbers of anomalous-but-benign logins, causing traditional anomaly detection to generate too many false alarms,” the researchers explain.

Hopper was created with the understanding that lateral movement attacks have two distinct characteristics – attackers want to gain access to a server that their original victim doesn't have, and they'll need to attack privileged accounts like sysadmins to accomplish so. Hooper can identify which behaviors require additional inquiry by filtering and reviewing login pathways based on these two vectors. 

Hopper was evaluated using 15 months of data from Dropbox's enterprise network, which includes more than 780 million login events and 326 simulated red team attacks. Other lateral movement detection techniques produced eight times more false alarms than the tool, which was able to detect 94.5 % of attacks.
Read more »
User Security
Login Credentials Nord Security Personal Information Privacy User Security

Millions of Login Credentials Stolen By an 'Unnamed Malware'

 

Cybersecurity researchers from Nord Security have unearthed a new set of Trojan-type malware that has exploited over three million Windows computers and has stolen nearly 26 million login credentials for about a million websites. 

Nord Security researchers have grouped the websites into a dozen categories. These include email services, financial platforms, e-commerce platforms, file storage and sharing services, and social media platforms. In total, the report revealed that the unnamed malware succeeded in stealing about 1.2 terabytes of personal data including over a million unique email addresses, over two billion cookies, and more than six million other files.

There are millions of other details the threat actors were able to steal, according to the researchers. The researchers also discovered 6 million files from the victims’ download folders and desktops that were stolen from this unnamed malware. It also took screenshots of the infected systems and tried to take a picture of the victim using the device’s webcam. 

“For every malware that gets worldwide recognition and coverage, there are thousands of custom viruses made specifically for the buyer's needs. These are nameless pieces of malicious code that are compiled and sold on forums and private chats for as little as $100,” Nord Security, explained. 

During their analysis, Nord security researchers observed that each malware that gets worldwide attention has thousands of custom viruses designed specifically for the needs of the br. This is not helped by the fact that there are several nameless malicious codes easily sold on private chats and forums at very cheap amounts. 

“Antimalware software like antiviruses doesn’t fully protect our devices. Public Wi-Fi poses as much danger to our logins as malware does. In many cases, public Wi-Fi can have poorly configured firewalls that let hackers monitor your Wi-Fi connection,” Daniel Markuson, a digital security expert at NordVPN, Nord Security’s VPN service stated.

Hackers are now employing different attacking techniques to launch series of attacks on organizations and users. Last week, the REvil ransomware group targeted Kaseya VSA cloud-based solution and demanded $70 million as a price to unlock the systems encrypted during the supply-chain attack. The gang demanded the ransom of Bitcoin before releasing the tool that enables all affected businesses to recover their files.
Read more »
Subscribe to: Posts (Atom)