The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024. "Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said . This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstra...

Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk-facing enforcement measures, including sanctions. The European Commission said the Consumer Protection Cooperation ( CPC ) Network has notified the social media giant that the model adopted for Facebook and Instagram might potentially violate consumer protection laws. It described the new practice as misleading and confusing, with authorities expressing worries that consumers might have been pressured into choosing quickly between either paying for a monthly subscription or consenting to their personal data being used for targeted advertising. This, the agency said, could have been motivated by fears that they "would instantly lose access to their accounts and their network of contacts." Meta, which introduced a subscription plan for European Union (E.U.) users in late 2023, has run into hot water over o...

The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign that targeted a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063 , which was previously observed targeting various government entities to gather sensitive information using keyloggers and backdoors. The attack is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to "dozens" of recipients containing a macro-laced Microsoft Word (DOCX) attachment. Opening the document and enabling macros results in the execution of an encoded HTML Application (HTA) named HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server. CERT-UA said it detected ...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said . "We're discussing this new path with regulators, and will engage with the industry as we roll this out." The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history. While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Go...

The relationship between various TDSs and DNS associated with Vigorish Viper and the final landing experience for the user A Chinese organized crime syndicate with links to money laundering and human trafficking across Southeast Asia has been using an advanced "technology suite" that runs the whole cybercrime supply chain spectrum to spearhead its operations. Infoblox is tracking the proprietor and maintainer under the moniker Vigorish  Viper , noting that it's likely synonymous with the Yabo Group (aka Yabo Sports), which has been linked to illegal gambling operations and pig butchering scams in the past. In late 2022, it rebranded as Kaiyun Sports and has since been absorbed into another newly formed entity called Ponymuah. The suite, marketed in China as "baowang" ("包网," meaning full package) encompasses several components such as Domain Name System (DNS) configurations, website hosting, payment mechanisms, advertising, and mobile apps. It also...

A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News. "These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment." The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an onli...

The opportunities to use AI in workflow automation are many and varied, but one of the simplest ways to use AI to save time and enhance your organization's security posture is by building an automated SMS analysis service. Workflow automation platform Tines provides a good example of how to do it. The vendor recently released their first native AI features , and security teams have already started sharing the AI-enhanced workflows they've built using the platform.  Tines' library of pre-built workflows includes AI-enhanced pre-built workflows for normalizing alerts, creating cases, and determining which phishing emails require escalations.  Let's take a closer look at their SMS analysis workflow, which, like all of their pre-built workflows, is free to access and import, and can be used with a free Community Edition account.  Here, we'll share an overview of the workflow, and a step-by-step guide for getting it up and running. The problem - SMS scam messages targete...

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clien...

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC , short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed. "It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week. These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettah...