Cyber Bites

TikTok secretly transferred user data to China without obtaining consent, according to a lawsuit filed by a college student in the Northern District of California. Misty Hong claimed the viral video service culled off her personal videos and information, then funneled it to servers in China. Source: SC Magazine

The music streaming service received reports indicating attackers gained unauthorized access to its systems. Music streaming service Mixcloud has disclosed a security incident in which unauthorized users gained access to some of its systems, resulting in the sale of customer data on the Dark Web. Mixcloud published a notice regarding the incident late last week, confirming it received reports that intruders breached its systems. At the time, it reported the attack involved email addresses, IP...

American gun manufacturer Smith & Wesson's online store has been compromised by attackers who have injected a malicious script that attempts to steal customer's payment information. This type of attack is called MageCart and is when hackers compromise a web site so that they can inject malicious JavaScript scripts into ecommerce or checkout pages. These scripts then steal payment information that is submitted by a customer by sending it to a remote site under the attacker's...

A new cyberespionage tool called CallerSpy was revealed by Trend Micro, but exactly what the developer’s intentions are for the malware is still unknown. CallerSpy was first spotted in May on the typosquatted website http://goooglepress/ where it was advertised as a chat app called Chatrious. Using the misspelled Google name in the URL appears to be the main method of attracting victims and the website goes an extra step by placing fake Google corporate copyright...

An open database at text messaging solution company TrueDialog left user SMS messages exposed for months, putting nearly a billion records and “millions of Americans at risk,” according to the researchers who discovered the database, hosted by Microsoft Azure and running on the Oracle Marketing Cloud in the U.S. In addition to private text messages, the vpnMentor research team, led by Noam Rotem and Ran Locar, found millions of account usernames and passwords, as well...

Attackers have been actively exploiting an Android vulnerability that allows malicious apps to display dangerous permission requests and phishing overlays under the guise of a legitimate app. Dubbed StrandHogg (an old Norse Viking term), the flaw resides in Android’s taskAffinity control setting, and can be successfully abused without having to first gain root access, according to Norway-based app security firm Promon. Researchers with the company say the flaw affects all versions of Android, and can...

Restaurant diners in the US Midwest and East might want to closely monitor their bank accounts, after four popular restaurant chains operating in those regions had their customers’ payment card information stolen. Discovering that Joker’s Stash – a major underground online portal infamous for buying and selling stolen payment card data – had announced the availability of about four million cards, KrebsOnSecurity investigated the matter further and found that the information was stolen from the restaurant chains...

You may get an email that has the official Netflix logo on it which would say that your payment for the month was not able to go through because of some problem with your bank. The email would then go on to say that if you don’t log in and check your payment details you could potentially end up losing access to your account. Needless to say, when you click the link and log in...

The UK's National Crime Agency (NCA) said 14,500 people had bought spying tools from the Imminent Methods site. Police searched more than 80 properties across the world to find those selling the tools. They were also able to trace people who had bought the software and charge them with computer misuse offenses. It gave the attacker full access to an infected device, letting them steal data, monitor what the victim was doing and even access...

A fake Steam skin giveaway site has been created that states it gives away news skins every day, but in reality it just steals your login credentials. This phishing site was first discovered by researcher nullcookies where he posted a warning about it on Twitter. After nullcookies told us that Steam phishing sites are commonly promoted directly on Steam, we performed a search and found that this scam is being promoted through comments made to Steam profiles. These...