Exploit This

Security News, Exploits, and Vulnerabilities.

Extortionists Target Ashley Madison Users

People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity.

A Phishing Trampoline – embedding redirects in PDF documents

Today I ran into a typical fraud email claiming to come from a U.S. bank but with a twist! Analyzing the attachment, it turns out that there’s no malware inside but instead a new middle step to fool lesser security software.

Street Gangs, Tax Fraud and ‘Drop Hoes’

Authorities across the United States this week arrested dozens of gang members who stand accused of making millions of dollars stealing consumer identities in order to file fraudulent tax refund requests with the Internal Revenue Service (IRS). The arrests highlight the dramatic shift in gang activity in recent years from high-risk drug dealing to identity fraud — a far less risky yet equally lucrative crime.

New activity of The Blue Termite APT

The main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. The attack is still active and the number of victims has been increasing.

You’re Paying for Your Starbucks, One Way or the Other

Today, I received this message from a friend living in Mexico via Whatsapp.

Indicators of compromise as a way to reduce risk

“Indicators of compromise” help to use threat data effectively: identify malware and quickly respond to incidents. These indicators are very often included in threat reports. How should information system administrators use this data in practice?

Was the Ashley Madison Database Leaked?

Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.

Microsoft Pushes Emergency Patch for IE

Microsoft today released an out-of-band software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond and intended to replace IE).

How Not to Start an Encryption Company

Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience.

IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam

The Internal Revenue Service (IRS) disclosed today that identity thieves abused a feature on the agency’s Web site to pull sensitive data on more than 330,000 potential victims as part of a scheme to file fraudulent tax refund requests. The new figure is far larger than the number of Americans the IRS said were potentially impacted when it first acknowledged the vulnerability in May 2015 — two months after KrebsOnSecurity first raised alarms about the weakness.

%d bloggers like this: