Hackers have compromised an email marketing account belonging to the Chipotle food chain and used it to send out phishing emails, luring recipients to malicious links. Most of the messages directed users to credential-harvesting sites impersonating services from a financial business and Microsoft. A very small number had malware attachments. Over three days, the campaign sent at least 120 malicious emails from a hacked Mailgun account used by Chipotle for email marketing purposes.
According to the data shared by Twitter in its recently released transparency report, the popular social network's users are reluctant to adopt two-factor authentication (2FA) to bolster their account security. In fact, the report paints a pretty bleak picture considering that over the second half of 2020 only 2.3% of active Twitter accounts had at least one 2FA method enabled.
A vulnerability patched recently in the WordPress Download Manager plugin could be abused to execute arbitrary code under specific configurations, the Wordfence team at WordPress security company Defiant warns. Tracked as CVE-2021-34639 and having a CVSS score of 7.5, the bug is an authenticated file upload issue that could have allowed attackers to upload files with php4 extensions, as well as files that could be executed if certain conditions were met.
The Python Package Index (PyPI) registry has removed several Python packages this week aimed at stealing users' credit card numbers and Discord tokens and at granting code execution capabilities to attackers. These malicious packages were published under three different PyPI accounts and are estimated to have scored over 30,000 downloads put together, according to the researchers' report.
Recently detected Android malware, some spread through the Google Play Store, uses a novel way to supercharge the harvesting of login credentials from more than 100 banking and cryptocurrency applications. The malware, which researchers from Amsterdam-based security firm ThreatFabric are calling Vultur, is among the first Android threats to record a device screen whenever one of the targeted apps is opened.
Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases, by the time the victim organization discloses an incident publicly, the information has already been harvested many times over by profit-seeking cybercriminals. Here's a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.
As a member of the secretive Senate Intelligence Committee, Sen. Angus King has reason to worry about hackers. At a briefing by security staff this year, he said he got some advice on how to help keep his cellphone secure. Step One: Turn off phone. Step Two: Turn it back on. That's it. At a time of widespread digital insecurity it turns out that the oldest and simplest computer fix there is - turning a device off then back on again - can thwart hackers from stealing information from smartphones.