Phishing emails are all over the place, and the pandemic only made things worse. If you have been deferring that subscription to email security services, now is the time to get one! The adversaries are out there launching newer and more sophisticated cyberattacks, and your system might be the next one. The following news headlines should help convince an unsuspecting user to start investing in cybersecurity tools.
RedHunt Discovers 400,000 Misconfigured CNAME Records
Indian security firm RedHunt has recently discovered over 400,000 subdomains with misconfigured CNAME records. When a cloud-hosted web page is deleted but the CNAME record pointing to it is left in place, attackers can re-register the host and serve whatever they wish on the subdomain. And once they have access, the adversaries aren’t stopping at just posting malicious content on the compromised web pages – they can intercept internal emails and even mount clickjacking or broken-link hijacking attacks.
But this isn’t all that RedHunt researchers discovered! They found that e-commerce operators are the most vulnerable to subdomain takeovers, with 63% of vulnerable DNS records pointing to Shopify, followed by Unbounce (14%). Their research also revealed that ‘www,’ ‘store,’ ‘blog,’ and ‘shop’ are among the most vulnerable subdomains.
The RedHunt study indicates that many large enterprises struggle to track their infrastructure, even after adopting email protection or ransomware protection measures. Google Chrome’s updates since Chrome 69 add to users’ woes by making it harder for them to identify attacker-controlled webpages.
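A defender can audit their own zone for the condition described above. The following is an added example, not code from RedHunt or from this article; the provider hostname suffixes, the zone data and the asset inventory are assumptions constructed for illustration.

```python
# Added example: audit a zone export for CNAMEs that may dangle.
# All records and inventory entries below are constructed sample data.
import re

# Assumed hosting suffixes for the two providers the study names.
PROVIDER_SUFFIXES = {
    "Shopify": ("myshopify.com",),
    "Unbounce": ("unbouncepages.com",),
}
# Labels the study lists as most often vulnerable.
HIGH_RISK_LABELS = {"www", "store", "blog", "shop"}

ZONE_EXPORT = """\
; constructed zone data for example.test
www     3600 IN CNAME  shops.myshopify.com.
store   3600 IN CNAME  old-campaign.myshopify.com.
promo   300  IN CNAME  landing.unbouncepages.com.
mail    3600 IN A      192.0.2.10
blog    3600 IN CNAME  blog-host.example.test.
"""

# Third-party targets the organisation still controls (from its asset inventory).
ACTIVE_TARGETS = {"shops.myshopify.com"}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

def provider_for(target):
    """Return the provider name if the target sits under a known suffix."""
    for name, suffixes in PROVIDER_SUFFIXES.items():
        if any(target == s or target.endswith("." + s) for s in suffixes):
            return name
    return None

def audit(zone_text, active_targets):
    """List CNAMEs aimed at a provider resource missing from the inventory."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = CNAME_RE.match(line)
        if not m:
            continue
        label, target = m.group(1).lower(), m.group(2).rstrip(".").lower()
        provider = provider_for(target)
        if provider and target not in active_targets:
            priority = "high" if label in HIGH_RISK_LABELS else "normal"
            findings.append((label, target, provider, priority))
    return sorted(findings, key=lambda f: f[3] != "high")  # high first

if __name__ == "__main__":
    for finding in audit(ZONE_EXPORT, ACTIVE_TARGETS):
        print("review or remove:", *finding)
```

Each finding is a record to delete or repoint before the third-party resource it names can be claimed by someone else.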
Xbox Live Vulnerability Exposes Email Addresses
Two anonymous hackers have recently reported a zero-day vulnerability in the Xbox Live enforcement portal, which lets hackers trace the email address associated with any Xbox Gamertag.
Although Microsoft was reluctant to consider this a significant bug, it patched the vulnerability anyhow. The company believes that an email address isn’t that harmful a piece of sensitive information to lose, and as such, it isn’t tracking the issue. But to ensure email protection, Microsoft customers are required to update to the latest version.
Beware Of Holiday Season Frauds: Warns CISA
The holiday season is all about shopping, traveling, and merry-making, but what people often overlook is that this is also the most vulnerable period of the year in terms of cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) acknowledges this rise in cyber incidents and has warned people against fake websites, phishing emails, and financial fraud.
CISA has posted an advisory guiding people on the do’s and don’ts of online shopping in the holiday season and has emphasized the use of cybersecurity tools. Anyone suspecting a cyberattack must report it to the local police and file an online report at the FTC’s fraud report page.
TikTok’s Bug Bounty Program Awards 20-Year-Old Researcher
Although the United States perceives TikTok as a national security threat, the company is adamant about strengthening its security by fixing all vulnerabilities. The app’s bug bounty program has made it possible to identify and patch 85 vulnerabilities to date, for which the app has paid over $85,000. The recent security flaw would have let adversaries change the passwords of TikTok accounts created through third-party apps.
The security flaw was discovered in August by 20-year-old German researcher Muhammed Taskiran. Taskiran rightly pointed out that by merely making a targeted user click on a malicious link, a hacker could exploit the XSS and CSRF vulnerabilities and quickly change account passwords. The vulnerability was found to be “high severity,” and TikTok awarded the researcher $3,860 for helping it ensure protection against cyberattacks such as phishing.
Hackers Target Joe Biden’s Presidential Campaign ‘Vote Joe’ Website
Imagining the US elections without a few cyberattacks is impossible these days. The latest hack of Joe Biden’s Presidential campaign ‘Vote Joe’ website is just another security incident added to the list! Turkish hacker group RootAyyildiz is responsible for the defacing attack, which lasted for more than a day.
After the hack, the Vote Joe site displayed a message in Turkish which warned US political parties to stop manipulating politics in Turkey, and attached was a picture of Abdul Hamid – the 34th Sultan of the Ottoman Empire. It also mentioned the names of the hacker groups involved in the incident – RootAyyildiz, Turkish And Muslim Defacer, MarbeyliWerom, b4rbarøs as, and oneshot.
It isn’t unusual to find that ransomware protection is overlooked in both Trump’s and Biden’s presidential apps. The hackers are only exploiting the vulnerabilities that the websites left room for!
Celebrities Become Victims of Sextortion Campaigns
In a recent security breach, the adversaries have stolen hundreds of private photos and videos from the phones of female sports stars and celebrities. These nude photos and videos are now leaked, and the victims seem desperate to get the pictures off the internet.
Four unnamed British athletes were victims of this attack – while one lost around 100 images to the attack, another had over 30 pictures and videos leaked! One must always adopt advanced security measures to protect oneself from phishing. The NCSC advises people to enable multi-factor authentication for all online accounts that support it. Taking such sensitive content off the internet is an ordeal in itself because nothing goes off the internet!
New Security Merger: Jacobs And The Buffalo Group LLC
Amidst all the news of data breaches and cyberattacks, a new cybersecurity acquisition seems promising. The professional services company Jacobs has recently purchased the cyber solutions company The Buffalo Group LLC. Although the deal’s financial terms haven’t been disclosed, the deal in itself heralds better defense against the growing complexities in the cyber realm.
While the Buffalo Group is renowned for its incomparable intelligence and cyber capabilities, Jacobs provides exceptional technology solutions, and this merger shall only enhance cybersecurity at a national level.
And that’s the week that was.