Security News

A new targeted phishing campaign includes the novel obfuscation technique of using Morse code to hide malicious URLs in an email attachment. Samuel Morse and Alfred Vail invented morse code as a way of transmitting messages across telegraph wire.

Microsoft has warned of an increasing number of consent phishing attacks targeting remote workers during recent months, BleepingComputer has learned. Consent phishing is an application-based attack variant where the attackers attempt to trick targets into providing malicious Office 365 OAuth apps with access to their Office 365 accounts.

IRONSCALES announced new platform features as part of its new release to further improve the company's ability to detect advanced and highly targeted phishing attacks, especially those focused on credential harvesting and account takeover. IRONSCALES unveiled improvements to its phishing awareness training module with the addition of a "One-click campaign" feature offering a more seamless process for security teams to test employees' individual phishing awareness via targeted simulations.

Threat actors are sending phishing emails impersonating a Small Business Administration lender to prey on US business owners who want to apply for a Paycheck Protection Program loan to keep their business going during the COVID-19 crisis. The attackers behind this phishing campaign are taking advantage of the ongoing financial problems some businesses are experiencing due to the pandemic to lure them into handing over sensitive business and personal info.

The proprietors of the phishing service were variously known on cybercrime forums under handles such as SMSBandits, "Gmuni," "Bamit9," and "Uncle Munis." SMS Bandits offered an SMS phishing service for the mass sending of text messages designed to phish account credentials for different popular websites and steal personal and financial data for resale. Sasha Angus is a partner at Scylla Intel, a cyber intelligence startup that did a great deal of research into the SMS Bandits leading up to the arrest.

"Serious" vulnerability found in Libgcrypt, GnuPG's cryptographic libraryLibgcrypt 1.9.0, the newest version of a cryptographic library integrated in the GNU Privacy Guard free encryption software, has a "Severe" security vulnerability and should not be used, warned Werner Koch. Sudo vulnerability allows attackers to gain root privileges on Linux systemsA vulnerability in sudo, a powerful and near-ubiquitous open-source utility used on major Linux and Unix-like operating systems, could allow any unprivileged local user to gain root privileges on a vulnerable host.

Attackers are tricking employees into logging into phishing sites.

A newly-uncovered phishing kit, dubbed LogoKit, eliminates headaches for cybercriminals by automatically pulling victims' company logos onto the phishing login page. These targeted services range from generic login portals to false SharePoint, Adobe Document Cloud, OneDrive, Office 365, and cryptocurrency exchange login portals.

An ongoing campaign powered by a phishing kit sold on underground forums is explicitly targeting high-ranking executives in a variety of sectors and countries with fake Office 365 password expiration notifications, Trend Micro researchers warn. The compromised accounts can be used to send out even more convincing phishing emails, perpetrate BEC scams, or collect sensitive information.

A vulnerability in the popular TikTok short-form video-sharing platform could have allowed attackers to easily compile users' phone numbers, unique user IDs and other data ripe for phishing attacks. In order to help users find friends through their contacts, TikTok contained a sync feature for contacts who had TikTok accounts.