A vulnerability has been discovered in the Apple iOS VoiceOver feature which can be exploited by attackers to gain access to a victim’s photos. As reported by Apple Insider, the bug, a lock screen bypass made possible via the VoiceOver screen reader, relies on an attacker having physical access to the target device.
Revealed by iOS hacker Jose Rodriguez and subsequently demonstrated in the YouTube video below, the attack chain begins with the attacker calling the victim’s phone. This can be made possible by asking the Siri voice assistant to read out the phone number digit by digit, should the attacker not possess this information.
Read more about the newly discovered iOS lock screen bypass on ZDNet.
Credential theft was substantially up in the United States during the third quarter – even as declines were charted in Europe and Asia.
Periodic analysis from Blueliv shows a whopping 141 percent increase in compromised credentials from North American targets between June and August compared to the March through May period. In contrast, there were fewer compromised European and Asian credentials detected over the same period (22 percent and 36 percent decreases respectively).
Read more about the findings of the Blueliv analysis on Threatpost.
While fake Flash updates that push malware have traditionally been easy to spot and avoid, a new campaign has employed new tricks that stealthily download cryptocurrency miners on Windows systems.
To the average user, the newly discovered samples, which have been active as early as August, seem legitimate. The samples act as Flash updates, borrowing pop-up notifications from the official Adobe installer, and even actually updating a victim’s Flash Player to the latest version. Unbeknownst to the victims, while the legitimate Flash update has occurred, a tricky XMRig cryptocurrency miner is quietly downloaded and runs in the background of the infected Windows computers.
Read more about the stealthy new cryptojacking campaign on Threatpost.
Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? CSO’s Josh Fruhlinger has been digging into studies and surveys of the industry’s landscape to get a sense of the lay of the land—both in terms of what’s happening and how your fellow IT pros are reacting to it.
Read the full overview of hard numbers from studies and surveys that provide a sense of the troubling state of cybersecurity on CSO.
A peek into the cybercriminal underground of Russian and Chinese hackers reveals sharp differences between the two communities in terms of interests and the way they run their businesses, often shaped by state laws and unwritten norms.
Over the past year, researchers at Recorded Future monitored the activity of various markets used for dealing with illegal content or tools employed for carrying out illicit activities. They focused on Chinese and Russian communities and discovered that members of the two communities rarely mix on underground forums and are driven by different motivations.
Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-state-backed adversaries. This is one of the findings of new analysis by security vendor CrowdStrike of intrusion detection engagements at customer locations between January and June this year.
This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike’s OverWatch and security response team.
Read more about the findings of the new research on DarkReading.
The Magecart threat group has struck again, this time attacking Shopper Approved – a piece of third-party software that provides rating seals for online stores. The attack consequently put payment data from multiple online stores at risk. It’s only the most recent attack for the notorious threat group which has been behind several large-scale breaches, including those of Ticketmaster and British Airways.
“Similar to the attack against Ticketmaster, this attack did not impact a single store directly,” said RiskIQ researchers in a post about the breach. “Instead, it attempted to skim payment information from multiple online stores at once by compromising a widely used third party.”
Read more about the latest attack by Magecart on Threatpost.
The idea of using the internet to commit crimes isn’t new, but the problem continues to grow as people become more reliant on the internet for making purchases and storing personal information. Just as you’d take steps to defend yourself from crime in a major city, you should do so while using the internet. Sometimes, avoiding questionable areas isn’t enough.
To help you out, Cloudwards has published a new guide to cybercrime that explores the most potent threats on the internet today.
Read the full overview of the common kinds of cybercrime, which includes real-world examples and suggests tools you can use to protect yourself, on Cloudwards.
A digital passport scan costs an average of $14.71 on the Dark Web, but a scan is all you’ll get for that price. Cybercriminals up the cost for scans accompanied by identity verification documents, and you’ll pay more than $13,000 for a legitimate physical passport.
Researchers at Comparitech combed the Dark Web in late September to learn more about the selling prices of passport scans. Their search took them across several illicit marketplaces, including Dream Market, Berlusconi Market, Wall Street Market, and Tochka Free Market. A wide range of vendors are selling passport scans, but only a few specialize in them.
Read more about the findings of the Comparitech research on DarkReading.
The US Secret Service has issued a warning to banks due to a recent surge in incidents of ATM wiretapping. According to a copy of the notice secured by Krebs on Security, the non-public alert states that multiple reports have been received relating to the ATM hacking tactic.
ATM wiretapping or eavesdropping is more complicated than many other attacks. In order to be successful, a criminal must drill a large hole in a cash machine and use a combination of magnets and devices to attach a skimmer directly to the ATM card reader. This skimmer then harvests credit card information.
Read more about the non-public US Secret Service alert on ZDNet.