Flaw Could Have Allowed Bitcoin Theft Using Poisoned NFT Art
Visible admits to credential-stuffing attacks, a bank manager was duped with 'deep voice' technology into $35 million in fraudulent transfers, Acer suffers a second breach in India, and much more
Check out my latest column in CSO, which recaps a theme running through last week’s VB2021 conference: how shape-shifting threat actors complicate attack attribution.
Researchers at Check Point discovered that an attacker could leave NFT marketplace OpenSea account owners with an empty cryptocurrency balance by luring them into clicking on malicious NFT art.
The simple attack method involved creating an NFT with a malicious payload and waiting for a victim to take the bait and view it. Check Point researchers informed OpenSea of their findings on September 26. Working with Check Point, OpenSea came up with a fix less than an hour after the responsible disclosure. (Ionut Ilascu / Bleeping Computer)
In a threat analysis report, Apple said that its iOS devices are locked into the App Store for security reasons because this allows its security teams to scan applications for malicious content before they reach users.
Apple issued the report against a backdrop of an antitrust investigation in the EU into Apple’s anti-competitive practices, including Apple’s requirement that app developers use its proprietary App Store for app installations and payments. (Catalin Cimpanu / The Record)
U.S. wireless carrier Visible, owned by Verizon, admitted that threat actors were able to access usernames or passwords from outside sources and exploit that information to log in to Visible accounts in what is known as a credential stuffing attack.
Visible said it has deployed tools to mitigate the issue and told customers that if they use the same username and password across multiple accounts, they should update those details. (Duncan Riley / Silicon Angle)
Research by Alex Holden, founder of cybersecurity firm Hold Security, discovered that phishers are trying to sign up for new cryptocurrency exchange Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
One now-defunct phishing domain at issue, coinbase.com.password-reset[.]com, was successful at targeting Italian Coinbase users. (Brian Krebs / Krebs on Security)
Fraudsters duped a bank manager in the United Arab Emirates as part of an elaborate scam that used “deep voice” technology to clone a bank director’s speech to authorize around $35 million in fraudulent transfers.
The U.A.E. believes it was an elaborate scheme that sent the funds to bank accounts across the globe and involved at least 17 individuals. (Thomas Brewster / Forbes)
Thomas Brewster (@iblametom): SCOOP - And a wild one… Fraudsters used “deep voice” tech - as in deep fake for speech - to clone a company director’s voice. They then convinced a bank manager to send $35 million to various accounts across the world. AI-powered cybercrime is big. https://t.co/4MERyCOG9g
Taiwanese computer giant Acer confirmed that its after-sales service systems in India were recently breached in what the company called "an isolated attack."
A threat actor has already claimed the attack on a popular hacker forum, saying they stole more than 60GB of files and databases from Acer's servers. The allegedly stolen data include client, corporate, and financial data and login details belonging to Acer retailers and distributors from India. (Sergiu Gatlan / Bleeping Computer)
Broadcom's Symantec Threat Hunter Team discovered a new ransomware strain, dubbed Yanluowang ransomware, used in highly targeted attacks against enterprise entities.
Yanluowang stops hypervisor virtual machines, ends all processes harvested by the precursor tool (including SQL and Veeam), encrypts files, and appends the .yanluowang extension. It also drops a ransom note named README.txt that warns victims not to reach out to law enforcement or ask ransomware negotiation firms for help. (Sergiu Gatlan / Bleeping Computer)
The University of Sunderland in the UK has admitted that a suspected cyberattack has caused “extensive IT issues” that have led to online classes being halted and staff facing difficulties accessing email.
Students are urged to continue to attend on-campus classes and contingency measures are being put in place to support remote learning. (Ross Robertson / Sunderland Echo)
The Office of the Australian Information Commissioner (OAIC) has found that convenience store chain 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.
From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, installed in 700 stores, captured customers' facial images at two points during the survey-taking process. The facial images were uploaded to a server as algorithmic representations, or "faceprints," which were then compared with other faceprints to exclude responses that 7-Eleven believed may not be genuine. 7-Eleven has been ordered to cease collecting facial images and faceprints as part of its customer feedback mechanism and to destroy all the faceprints it collected. (Campbell Kwan / ZDNet)
Thingiverse, a website dedicated to sharing user-created digital design files, has reportedly leaked a 36GB backup file containing 228,000 unique email addresses and other personally identifiable information.
Troy Hunt, the Have I Been Pwned data breach notification service creator, cites this data set's circulation on a popular hacking forum. (Mihir Bagwe / Data Breach Today)
Cybersecurity-as-a-service start-up Black Kite has raised $22 million in a Series B funding round.
Volition Capital led the round with participation from existing investors Moore Strategic Ventures, Glasswing Ventures, and Data Point Capital. (Kyle Wiggers / Venture Beat)