Security News

2FA Bypassed in $34.6M Crypto.com Heist: What We Can Learn
2022-01-20 23:14

In spite of customers having reported losses over the weekend, Crypto.com's Thursday statement said that the heist happened on Monday at about 12:46 a.m. UTC. That's when the exchange's risk monitoring systems picked up on unauthorized transactions coming out of 483 accounts and being approved without users' 2FA authentication. The exchange fully restored the affected accounts, revoked all 2FA tokens and added additional security hardening measures, requiring all customers to re-login and set up their 2FA token.

Box 2FA Bypass Opens User Accounts to Attack
2022-01-19 18:30

Clearly, the stakes are high: gaining access to a Box account could give cyberattackers access to a vast array of sensitive documents and data for both individuals and organizations. When a user goes to log on with his or her credentials, Box generates the cookies and the user is asked to navigate to an SMS verification page, where the person is instructed to enter a one-time passcode sent to an enrolled mobile phone.

Phishing campaign targets CoinSpot cryptoexchange 2FA codes
2021-12-23 18:31

A new phishing campaign that targets CoinSpot cryptocurrency exchange users employs a new theme revolving around withdrawal confirmations with the end goal of stealing two-factor authentication codes. More specifically, the threat actors send emails from a Yahoo address, replicating real emails from CoinSpot that ask the recipients to confirm or cancel a withdrawal transaction.

VK introduces 2FA and plans to make it mandatory in 2022
2021-12-23 15:01

VK is finally introducing two-factor authentication on all its services and plans to make it mandatory in February 2022 for administrators of large communities. Starting in February, all communities that count over 10,000 subscribers must be managed by a 2FA secured admin account to prevent large-scale phishing incidents.

VMware 2FA flaw can divulge that vital second credential to malicious actors
2021-12-20 07:02

VMware has warned users a flaw in its VMware Verify two-factor authentication product could allow a malicious actor with a first-factor authentication credential to obtain a second factor from its VMware Verify product. CVE-2021-22057 is the rascal behind this issue and is rated 6.6/10. VMware Verify is part of the wider VMware Workspace ONE Access product, now available in version 21.08.0.1 to fix this bug and a 5.5-rated Server Side Request Forgery that can allow a malicious actor with network access to make HTTP requests to arbitrary origins and read the full response.

GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts
2021-11-17 12:32

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.

Banking scam uses Docusign phish to thieve 2FA codes
2021-10-26 18:57

It's easy to forget that the "Obviousness" of many scam emails comes from the fact that the crooks never intended those scams for us in the first place. We received a phish this morning that specifically targeted one of the main South African banks.

Google to auto-enroll 150 million user accounts into 2FA
2021-10-05 19:53

Google announced today that they plan on auto-enrolling 150 million accounts into two-factor authentication by the end of 2021. To protect Google accounts from unauthorized access, it is possible to enroll in an optional security feature called two-factor authentication, or as Google likes to call it, 2-step verification.

2FA? More like 2F-in-the-way: It seems no one wants me to pay for their services after all
2021-10-01 08:30

It's telling me I am nearing the end of the app's free trial period and now is the time to commit to a subscription payment or lose the "Pro" features I have been "Enjoying." Although the password app is free, the German volunteer developer who wrote and maintains it always asks his users for modest donations at this time of year to coincide with Oktoberfest.