News

A couple of Android apps found in Google Play included functionality that stealthy recording audio without user consent. The apps posed as selfie camera filters and had been installed over 1.5 million times. The main activity of the two apps was not spying on users but aggressively pushing adware that covered the entire screen of the Android device. Source: Bleeping Computer

On the heels of its acquisition by Chegg, developer education site Thinkful said an authorized third party had breached its systems. “We recently discovered that an unauthorized party may have gained access to certain Thinkful company credentials so, out of an abundance of caution, we are notifying all of our users,” company Vice President of Operations Erin Rosenblatt told users in an email. “As soon as we discovered this unauthorized access, we promptly changed the...

A Magecart card-skimming campaign this month sabotaged the mobile websites of two hotel chains by executing a supply chain attack on a third-party partner, researchers have reported. The third party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called “viewedHotels,” which saves viewed hotel information in visitors’ browser cookies. Source: SC...

Attackers can exploit a critical security vulnerability in Harbor cloud native registry for container images to obtain admin privileges on a vulnerable hosting system. Harbor is open source and can integrate with Docker Hub and various image registries like Docker Registry and Google Container Registry, to add security, identity, and management features. Source: Bleeping Computer

The Consumer Financial Protection Bureau (CFPB) has been probing of Bank of America (BoA) for allegedly opening customer credit card accounts with authorization a la Wells Fargo. The BoA investigation emerged after the bureau posted documents to its site showing the back and forth regarding turning over emails and other records with the bank’s attorneys, one of whom acknowledged a “vanishingly small” number of “potentially unauthorized credit card accounts.” Source: SC Magazine

A new landing page for a Microsoft account phishing scam has been discovered that utilizes the SmtpJS service to send stolen credentials via email to the attacker. There is nothing special about the appearance of the Microsoft account phishing page shown below that was discovered by MalwareHunterTeam. It's your standard Microsoft login template that will ask you for your Microsoft credentials and then tell you that the submitted credentials are incorrect. Source: Bleeping Computer

Customers of commercial food service wholesaler Restaurant Depot received phishing emails asking for payment of an (attached) outstanding invoice or else the company would deduct the balance from their accounts. Some of those recipients began tweeting to the company’s customer service department with one noting that he “finally got through to tell them. They’re aware. It’s pretty big, the breach.” Source: SC Magazine

Webcams could be potentially accessed and manipulated by anyone with an Internet connection, researchers say. More than 15,000 webcams, many of which are located inside people's homes, are potentially accessible to anyone with an Internet connection. Researchers at Wizcase who discovered the cameras say many are vulnerable to attackers who could steal data or adjust the settings. Source: Dark Reading

Thousands of Google users are exposing the contents of their calendars to the public. The information is indexed by search engines and can include email addresses as well as private events from individuals and businesses. The problem is due to misconfiguring Google Calendar to share its contents with others. However, making the data public means that anyone with your Calendar link can access it. Google shows a warning about this but thousands of users seem to...

A local police department in the U.S. are warning of a wave of phishing scams targeting users Venmo mobile payment service with text messages that direct to a fake website. Owned by PayPal, Venmo is a peer-to-peer payment app that allows sending and receiving money to and from contacts on your phone. Source: Bleeping Computer