Introduction
Hello everyone, welcome to this edition of our security news weekly round-up here on DEV. As you prepare for the weekend (or if you've passed that, depending on your time zone), we'll review some security news that should know about.
In summary, the articles that we'll cover are about the following:
- Scams on Social Media
- Spyware
- Application Security
- System Breach
Hijacked: How hacked YouTube channels spread scams and malware
It's not news and it's also news. I am saying this because the core behind these account takeovers is when you fall victim to phishing attacks. In some cases, these might render your two-factor authentication useless. Nonetheless, we all need reminders and education about these types of attacks.
What's more, we should educate others not to click on links in the video description of a video that's offering a paid application for "free". Stay safe and read the article. The following excerpt should get you started.
...it all starts with good ol’ phishing. Attackers create fake websites and send emails that look like they are from YouTube or Google and attempt to trick the targets into surrendering their “keys to the kingdom”
CapraRAT Spyware Disguised as Popular Apps Threatens Android Users
Being alert of typosquatting can potentially save you from this malware because one of the applications that contains the malware is called TikToks. If you want to know what I mean, read the last word of the previous sentence carefully. Did you spot it? 😊
The article is quite detailed on the attack. Meanwhile, I will launch you on your reading journey using the excerpt below.
The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data.
3 million iOS and macOS apps were exposed to potent supply-chain attacks
They have patched the flaw. However it begs the question, is any system safe? Or they are just waiting to be exploited by anyone who knows where to look and how to look? To make it more thought-provoking, they are three vulnerabilities. Do you want more mind-blowing facts? It all dates back to 2014.
Take your reading inspiration from the following excerpt, then read the entire article. You'll learn something new.
The three vulnerabilities EVA discovered stem from an insecure verification email mechanism used to authenticate developers of individual pods. The developer entered the email address associated with their pod. The trunk server responded by sending a link to the address. When a person clicked on the link, they gained access to the account.
Hacker Stole Secrets From OpenAI
I'll guess that when you think of OpenAI, your subconscious will also mention ChatGPT 😊. Based on the article, nothing that sensitive was taken. Therefore, OpenAI did not report to an agency like the FBI. This article made the final edit before publishing because ChatGPT is that popular and you deserve to know when stuff like this happens to the maker, OpenAI.
Here is an excerpt from the linked article above:
After the breach, Leopold Aschenbrenner, an OpenAI technical program manager, focused on ensuring that future A.I. technologies do not cause serious harm, sent a memo to OpenAI’s board of directors, arguing that the company was not doing enough to prevent the Chinese government and other foreign adversaries from stealing its secrets.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.