Security News: September 2020

This data is then used to launch phishing attacks against even more people and organizations. So it's hardly surprising that phishing is now responsible for almost one-quarter of all data breaches.

The process of vulnerability disclosure has improved over the years, but too many security researchers still face threats when trying to report bugs. Disclosure policies that give ethical hackers clear guidelines vary widely and are seldom followed universally, which adds to the friction between researchers and vendors.

In essence, makework allows a senior administrator to gain status by headcount and keep those excesses hidden from others. Interestingly, makework, like peak demand, is a headcount ratchet, which is why some estimate that around one-third of the working population is performing makework.

Facebook has implemented a fresh security vulnerability disclosure policy this week, in an effort to explain how it decides when and how to roll out details on various bugs that its team finds in third-party software and open-source projects. If Facebook determines that disclosing a security vulnerability sooner "serves to benefit the public or the potentially impacted people," it may pull the rip cord on disclosure, for instance if a bug is being actively exploited in the wild.

Attackers are on the prowl for enterprise Microsoft Outlook credentials, with a new phishing campaign that leverages email-quarantine policies and uses an overlay-screen tactic, placed on top of legitimate company webpages, to lure in victims. The initial email claimed that the company's email system "failed to process new messages in the inbox folder" and that "two valid email messages have been held and quarantined for deletion." It asked the target to review the messages and recover their lost mail in the inbox folder, or they would be automatically deleted after three days.

A new remote access trojan is aiming at financial technology companies in the UK and European Union to capture sensitive information through keylogging and screen captures. Dubbed PyVil, the new remote access trojan goes after passwords, documents, browser cookies, and email credentials, says Cybereason.

History teaches us that email tricks can work surprisingly well with no text in the message body at all. The email consisted only of an attachment - there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.

A new phishing campaign described by phishing awareness provider Cofense in a Friday blog post uses several tactics to appear legitimate. The goal is to concoct phishing emails and landing pages so convincing that they can fool even the most sharp-eyed user.

Facebook-owned WhatsApp has fixed six previously undisclosed vulnerabilities in its chat platform, revealing the move on a new dedicated security advisory site aimed at informing its more than 2 million users about bugs and keeping them updated on app security. The site is part of an effort by WhatsApp to be more transparent about platform vulnerabilities to not just users, but also the security community, and patch them in a timely manner.

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. Two of the four flaws can be exploited to gain remote code execution on target systems by sending specially crafted chat messages to group conversations or to specific individuals.