Cover photo by Jazmin Quaynor on Unsplash.
Introduction
Welcome to the weekly round-up of security news from around the Web. I hope your week was fine.
This week includes the following:
- Vulnerability
- Phishing
- Attacks
- Cybercrime
7 VPNs that leaked their logs – the logs that “didn’t exist”
Virtual Private Network are meant to be secure networks used by internet users to attain some level of privacy when browsing the web.
Some users prefer to use a VPN that keeps no logs, with this in mind some VPN services advertise with the following tagline — we keep no logs; in this scenario it turns out that is not the case.
Excerpt from the article:
According to a report published last week by VPNMentor (note: VPNMentor earns affiliate revenue from links to and coupons for selected VPN companies that it recommends), its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)
Adobe Photoshop gets fixes for critical security vulnerabilities
The title says it all.
Excerpt from the article:
Adobe has released security updates to address twelve critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge that could allow attackers to execute arbitrary code on Windows devices.
In addition to the code execution vulnerabilities, a information disclosure bug was fixed in Adobe Reader Mobile for Android users.
Phishing campaign uses Google Cloud Services to steal Office 365 logins
Phishing is a form of social engineering that trick users into submitting their personal information to an innocent looking form, on the other hand the form is not what it appears to be.
Excerpt from the article:
In a campaign this year, fraudsters set up a clever scenario that involves multiple legitimate elements to hide the theft of Office 365 credentials.
Researchers at Check Point describe in a report today that the attackers relied on Google Drive to host a malicious PDF document and Google’s “storage.googleapis[.]com” to host the phishing page.
Ongoing Meow attack has nuked >1,000 databases without telling anyone why
Databases are meant to be secure, if they not, it's not a good thing.
Excerpt from the article:
As the head of research for security firm Comparitech, Diachenko regularly scans the Internet for databases that expose information as a result of not being secured by a password. The attackers appear to be running similar searches, and once they identify databases that can be modified without credentials, the attackers execute scripts that delete the data.
Twilio exposes SDK, attackers inject it with malvertising code
According to Wikipedia Twilio is a cloud communications platform as a service.
Excerpt from the article:
Twilio today disclosed that its TaskRouter JS SDK was compromised by attackers after they gained access to one of its misconfigured Amazon AWS S3 buckets which left the SDK's path publicly readable and writable for roughly five years, since 2015.
Twitter hackers read private messages of 36 high-profile accounts
We discussed in last week weekly round-up. It turns out the attackers did more than pushing a bitcoin scam.
Excerpt from the article:
Twitter today admitted that the attackers behind last week's incident read the private messages of 36 out of a total of 130 high-profile accounts targeted in the attack.
Among these, the hackers also accessed the Twitter inbox of Geert Wilders, a Dutch elected official and the leader of the Party for Freedom (PVV).
Sports team nearly paid a $1.25m transfer fee… to cybercrooks
Long story short: It was an attempted Business Email Compromise scam also called BEC Scam.
Excerpt from the article:
Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.
Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.
Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.
That's it for this week, I'll see you next Friday.