SMS About Bank Fraud as a Pretext for Voice Phishing (Krebs on Security)

Actualités, Sécurité
Most of us have probably heard the term “smishing” — which is a portmanteau for traditional phishing scams sent through SMS text messages. Smishing messages usually include a link to a site that spoofs a popular bank and tries to siphon personal information. But increasingly, phishers are turning to a hybrid form of smishing — blasting out linkless text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. KrebsOnSecurity recently heard from a reader who said his daughter received an SMS that said it was from her bank, and inquired whether she’d authorized a $5,000 payment from her account. The message said she should reply “Yes” or “No,” or 1 to decline future fraud alerts. Since this seemed like a reasonable…
Read More

Microsoft Patch Tuesday, November 2021 Edition (Krebs on Security)

Actualités, Sécurité
Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today — potentially giving adversaries a head start in figuring out how to exploit them. Among the zero-day bugs is CVE-2021-42292, a “security feature bypass” problem with Microsoft Excel versions 2013-2021 that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren’t available yet). Microsoft’s revised, more sparse security advisories don’t offer much detail on what exactly is…
Read More

REvil Ransom Arrest, $6M Seizure, and $10M Reward (Krebs on Security)

Actualités, Sécurité
The U.S. Department of Justice today announced the arrest of Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location any key REvil leaders, and up to $5 million for information on REvil affiliates. If it sounds unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part this law enforcement action do not appear to have done much to separate…
Read More

‘Tis the Season for the Wayward Package Phish (Krebs on Security)

Actualités, Sécurité
The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients. One of dozens of FedEx-themed phishing sites currently being advertised via SMS spam. Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered. “It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.” Attempting to visit the domain in the…
Read More

The ‘Groove’ Ransomware Gang Was a Hoax (Krebs on Security)

Actualités, Sécurité
A number of publications in September warned about the emergence of “Groove,” a new ransomware group that called on competing extortion gangs to unite in attacking U.S. government interests online. It now appears that Groove was all a big hoax designed to toy with security firms and journalists. “An appeal to business brothers!” reads the Oct. 22 post from Groove calling for attacks on the United States government sector. Groove was first announced Aug. 22 on RAMP, a new and fairly exclusive Russian-language darknet cybercrime forum. “GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years,” wrote RAMP’s administrator “Orange” in a post asking forum members to compete in a contest for designing a website for the new group. “Let’s make…
Read More

Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes (Google Online Security Blog)

Actualités, Sécurité
Posted by Eduardo Vela, Google Bug Hunters Team Starting today and for the next 3 months (until January 31 2022), we will pay 31,337 USD to security researchers that exploit privilege escalation in our lab environment with a patched vulnerability, and 50,337 USD to those that use a previously unpatched vulnerability, or a new exploit technique. We are constantly investing in the security of the Linux Kernel because much of the internet, and Google—from the devices in our pockets, to the services running on Kubernetes in the cloud—depend on the security of it. We research its vulnerabilities and attacks, as well as study and develop its defenses. But we know that there is more work to do. That’s why we have decided to build on top of our kCTF VRP from…
Read More

‘Trojan Source’ Bug Threatens the Security of All Code (Krebs on Security)

Actualités, Sécurité
Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness. Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis). Specifically, the weakness involves Unicode’s…
Read More

Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018 (Krebs on Security)

Actualités, Sécurité
In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure. Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number. The reader noticed that the link for the order information she’d stumbled on included a lengthy numeric combination that — when altered — would produce yet another customer’s order information.…
Read More

Protecting your device information with Private Set Membership (Google Online Security Blog)

Actualités, Sécurité
Posted by Kevin Yeo and Sarvar Patel, Private Computing Team  At Google, keeping you safe online is our top priority, so we continuously build the most advanced privacy-preserving technologies into our products. Over the past few years, we've utilized innovations in cryptographic research to keep your personal information private by design and secure by default. As part of this, we launched Password Checkup, which protects account credentials by notifying you if an entered username and password are known to have been compromised in a prior data breach. Using cryptographic techniques, Password Checkup can do this without revealing your credentials to anyone, including Google. Today, Password Checkup protects users across many platforms including Android, Chrome and Google Password Manager. Another example is Private Join and Compute, an open source protocol which…
Read More

Pixel 6: Setting a new standard for mobile security (Google Online Security Blog)

Actualités, Sécurité
Posted by Dave Kleidermacher, Jesse Seed, Brandon Barbello, Android, Pixel & Tensor security teams With Pixel 6 and Pixel 6 Pro, we’re launching our most secure Pixel phone yet, with 5 years of security updates and the most layers of hardware security. These new Pixel smartphones take a layered security approach, with innovations spanning across the Google Tensor system on a chip (SoC) hardware to new Pixel-first features in the Android operating system, making it the first Pixel phone with Google security from the silicon all the way to the data center. Multiple dedicated security teams have also worked to ensure that Pixel’s security is provable through transparency and external validation. Secure to the Core Google has put user data protection and transparency at the forefront of hardware security with…
Read More