phishing attack | Breaking Cybersecurity News | The Hacker News

A serious security vulnerability has been uncovered in Apple's Safari web browser that could trick Safari users into visiting a malicious website with the genuine web address. A group of researchers, known as Deusen , has demonstrated how the address spoofing vulnerability could be exploited by hackers to fool victim into thinking they are visiting a trusted website when actually the Safari browser is connected to an entirely different address. This flaw could let an attacker lead Safari users to a malicious site instead of a trusted website they willing to connect to install malicious software and steal their login credentials. The vulnerability was discovered by the same group who reported a Universal Cross Site Scripting (XSS) flaw in all the latest patched versions of Microsoft's Internet Explorer in February this year that put IE users' credentials and other sensitive information at risk. The group recently published a proof-of-concept exploit code that makes

Google Chrome browser's new Anti-Phishing Password Alert extension is in controversies right after its launch last Wednesday, but now the search engine giant has effectively pulled off Password Alert from its store. Password Alert was not bypassed once, twice, but every time Google introduced a new updated version of the extension. Google developed this Password Alert Chrome extension in an effort to alert Internet users whenever they accidentally enter their Google password on a carefully crafted phishing website that aimed at hijacking users' account. Here's the worst part: However, the first version of Password Alert was bypassed in less than 24 hours of its launch.  Security expert Paul Moore from UK-based Urity Group quickly circumvented the Anti-Phishing technology by pure JavaScript code of seven lines. Since then Google released Password Alert version 1.4, version 1.5 and version 1.6, but… ...all of them were bypassed, keeping users unaware o

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Less than 24 hours after Google launched the new Phishing alert extension Password Alert , a security researcher was able to bypass the feature using deadly simple exploits. On Wednesday, the search engine giant launched a new Password Alert Chrome extension to alert its users whenever they accidentally enter their Google password on a carefully crafted phishing website that aimed at hijacking users' account. However, security expert Paul Moore easily circumvented the technology using just seven lines of simple JavaScript code that kills phishing alerts as soon as they started to appear, defeating Google's new Password Alert extension. Google shortly fixed the issue and released a new update to Password Alert extension that blocked the Moore's exploit. However, Moore discovered another way to block the new version of Password Alert, as well. The first proof of concept exploit by Moore relied on a JavaScript that looks for instances of warning screen every five mil

As cybercriminals have started using sophisticated phishing techniques in an attempt to hijack online users' account, Google on Wednesday launched a new Chrome Extension to fight against Phishing . The search engine giant has launched a new Password Alert Chrome extension that will alert you whenever you accidentally enter your Google password on a carefully crafted phishing website that aimed at hijacking your account. So, GO and INSTALL the freely available, open-source Password Alert extension which is now available in the Chrome Web Store. Password Alert extension does two things: Prevents you from re-using your Google account password on other websites. Protects you if you've typed the same Google password on a non-Google website by generating a warning that you have just been phished and should immediately change your password. According to the company , nearly two percent of the e-mail messages to Google's Gmail are phishing emails from cyber

The Market of E-commerce websites is at its peak, as today people love to shop online to save their time. However, E-commerce and financial sites stand first in the rundown of potential victims as they manage financial exchanges. The traditional way to target victims of e-commerce sites is to use targeted "phishing" attacks via social media and emails. But… …due to increased awareness among the people about the threat of phishing attacks, hackers have now discovered new way — by malvertising legitimate websites where people assume to be safe and secure. We know: Today, there are many ready-to-use e-commerce platforms available on the Internet that are very easy to install and manage and that too at no extra cost; ' Magento ' is one of the most popular out of them. The most popular, the most targeted: Yes! Security researchers at Sucuri have found a malicious code inside the Magento e-commerce website that was intended to send all the data

When it comes to cyber security, even big organizations lack the basic knowledge of how to protect company's data from the outside. Everyday businesses are facing the threat of phishing, ransomware , data breaches and malware attacks that not only results in millions of dollars losses, but also damaged the reputations. A new study shows that five out of six of the most serious IT security threats directly relate to phishing or the aftermath of a successful phishing attack . SEA, short for Syrian Electronic Army , is famous for its advanced phishing attack capabilities and with the help of the same technique they fooled many popular organizations, social media and news media, including Twitter, Microsoft, Skype, Forbes, eBay and Paypal. Where do we lack? According to the annual Verizon Data Breach Investigations report, about 58% of cyber security incidents were caused by employees, either due to failure in handling data or approving malicious data. So, in

A critical vulnerability has been discovered in the Google Apps for Work that allows hackers to abuse any website's domain name based email addresses, which could then be used to send phishing emails on company's behalf in order to target users. If you wish to have an email address named on your brand that reads like admin@yourdomain.com instead of myemail@gmail.com , then you can register an account with Google Apps for Work. The Google Apps for Work service allows you to use Gmail, Drive storage, Calendar, online documents, video Hangouts, and other collaborative services with your team or organization. To get a custom domain name based email service from Google, one just need to sign up like a normal Gmail account. Once created, you can access your domain's admin console panel on Google app interface, but can not be able to use any service until you get your domain verified from Google. SENDING PHISHING MAILS FROM HIJACKED ACCOUNTS Cyber security researchers

The United Kingdom's National Crime Agency (NCA) has arrested 56 suspected hackers in a campaign against cybercrime called "strike week." Law-enforcement officials conducted, in total, 25 separate operations across England, Scotland and Wales, and those arrested were suspected in a wide range of cyber crimes including: Network intrusion and data theft from multinational companies and government agencies Distributed Denial of Service (DDoS) attacks Cyber-enabled fraud Malicious software and virus development The raids conducted by NCA were coordinated by its National Cyber Crime Unit (NCCU) , special officers Metropolitan Police and Regional Organised Crime Unit's (ROCUs) , associated with local forces around the UK. The arrested hackers also include alleged hackers suspected of being behind attacks on Yahoo, the US Department of Defence (DoD) , and PlayStation. The list of hackers arrested in the operation is given below: A 23-year-old man w

It seems like the world has declared war against the Cyber Criminals. In a recent update, we reported that FBI is offering $3 Million in Reward for the arrest of GameOver Zeus botnet mastermind, and meanwhile British cyber-police has taken down widely-spread RAMNIT botnet . The National Crime Agency (NCA) in a joint operation with Europol's European Cybercrime Centre (EC3) and law enforcement agencies from Germany, Italy, the Netherlands, and the United Kingdom has taken down the Ramnit "botnet", which has infected over 3.2 million computers worldwide, including 33,000 in the UK. Alike GameOver Zeus, RAMNIT is also a ' botnet ' - a network of zombie computers which operate under criminal control for malicious purposes like spreading viruses, sending out spam containing malicious links, and carrying out distributed denial of service attacks (DDoS) in order to bring down target websites. RAMNIT believes to spread malware via trustworthy links se

One of the most popular computer manufacturers Lenovo is being criticized for selling laptops pre-installed with invasive marketing software, or malware that, experts say, opens up a door for hackers and cyber crooks. The software, dubbed ' Superfish Malware ', analyzes users' Internet habits and injects third-party advertising into websites on browsers such as Google Chrome and Internet Explorer based on that activities without the user's permission. Security researchers recently discovered  Superfish Malware  presents onto new consumer-grade Lenovo computers sold before January of 2015. When taken out of the box for the first time, the adware gets activated and because it comes pre-installed, Lenovo customers might end up using it inadvertently. SUPERFISH CERTIFICATE PASSWORD CRACKED The  Superfish Malware  raised serious security concerns about the company's move for breaking fundamental web security protocols, carrying out " Man in the Middle " (MitM) at

Bad news for AT&T customers! You all are vulnerable to phishing scams – thanks to AT&T's text protocols. The actual problem lies in the way AT&T handles its customer alerts via text messages, as it's very easy for cybercriminals to mimic. In "Phishing" attacks , scammers attempt to trick victims into revealing their personal and financial information by sending email or text messages that appear to be from legitimate companies. Instead of emails, here hackers have targeted AT&T users with the text messages. According to Dani Grant , the computer programmer who discovered the flaw and reported to the company, AT&T is making use of plethora for short codes, due to which its customers unable to distinguish between the legitimate and phishing messages . The second issue is that some of AT&T's real links directs its users to att.com while others take you to dl.mymobilelocate.com. " Another problem is that AT&T directs cu

A Greek security researcher, named George Chatzisofroniou , has developed a WiFi social engineering tool that is designed to steal credentials from users of secure Wi-Fi networks. The tool, dubbed WiFiPhisher , has been released on the software development website GitHub on Sunday and is freely available for users. "It's a social engineering attack that does not use brute forcing in contrast to other methods. It's an easy way to get WPA passwords ," said George Chatzisofroniou. However, there are several hacking tools available on the Internet that can hack a secure Wi-Fi network, but this tool automates multiple Wi-Fi hacking techniques which make it slightly different from others. WiFiPhisher tool uses "Evil Twin" attack scenario. Same as Evil Twin, the tool first creates a phony wireless Access Point (AP) masquerade itself as the legitimate Wi-Fi AP. It then directs a denial of service (DoS) attack against the legitimate Wi-Fi access poi

The Internet Corporation for Assigned Names and Numbers (ICANN) has been hacked by unknown attackers that allowed them to gain administrative access to some of the organization's systems, the organization confirmed. The attackers used " spear phishing " campaign to target sensitive systems operated by ICANN and sent spoofed emails disguised as internal ICANN communications to its staff members. The link in the emails took the staff to bogus login page, where they provided their usernames and passwords with the keys to their work email accounts. The data breach began in late November 2014 and was discovered a week later, ICANN, which oversees the Internet's address system, said in a release published Tuesday. ICANN is the organization that manages the global top-level domain system. " We believe a 'spear phishing' attack was initiated in late November 2014 ," Tuesday's press release stated. " It involved email messages that we

Holiday Shopping season is really an excited time for both shoppers and retailers, but unfortunately it's a good time for cyber criminals and scammers as well. With Black Friday (28th November 2014) and Cyber Monday (1st December 2014) coming up, you need to be more careful while shopping. These are the two very busy shopping days where shoppers spend millions online. Every eye will be on retailers to ensure that consumers' online shopping experiences are straightforward and, most importantly, secure. So, at the major part, retailers need to pay attention to extra security measures in order to prevent themselves from massive data breaches, like Target data breach that occurred last year during the Black Friday sales in which over 40 million Credit & Debit cards were stolen . Not just Target alone, multiple retailers including Neiman Marcu s , Michaels Store were also targeted during last Christmas holiday, involving the heist of possibly 110 million Cr

Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. Not by serving fake post, neither by providing malicious video link, instead this time scammers have used a new way of tricking Facebook users into injecting or placing malicious JavaScript or client-side code into their web browsers. This malicious code could allow an attacker to gain access to victims' accounts, thereby using it for fraud, to send spams, and promoting further attacks by posting the scam on timeline to victims' friends. This technique is known as Self Cross-site Scripting or Self XSS. Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability , basically designed to trick Facebook users' into providing access to their account. Once an attacker or scammer gets access to users' Facebook account, they can even post and comment on things on users' behalf.