@cyberalerts.io
//
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.
The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets. The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.
Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.
The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace. Recommended read:
References :
Andres Ramos@Arctic Wolf
//
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.
This tactic is also utilized with fake captchas which resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques, including API hooking. This allows the malware to hide files and registry entries, making detection difficult. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.
Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware. Recommended read:
References :
@www.infosecurity-magazine.com
//
Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT (Remote Access Trojan) via malicious PowerShell commands, according to recent findings. These campaigns involve tricking users into running PowerShell commands that ultimately install the Lumma Stealer. Attackers direct potential victims to attacker-controlled sites and prompt them to complete fake authentication challenges. These challenges often involve directing potential victims to malicious websites where they are prompted to complete verification steps, but instead of a CAPTCHA, it instructs them to press Windows + R and run a PowerShell command—under the false pretense of running “Windows Defender.”
These attacks leverage weaponized CAPTCHAs, with users being directed to malicious websites where they are prompted to complete verification steps. Upon completing these steps, users inadvertently copy and run PowerShell scripts that download and install malware, such as the Lumma Stealer. This allows the attackers to steal sensitive data like cryptocurrency wallets. The exploitation involves fake Cloudflare verification prompts, which lead users to execute malicious PowerShell commands to install the LummaStealer Trojan through infected WordPress sites, posing a significant threat. Recommended read:
References :
Mike Robinson@Tech Crawlr
//
A significant data breach at location data firm Gravy Analytics has exposed the sensitive location data of millions of users. The compromised data includes coordinates from mobile devices across the US, Europe, and Russia, with some records also linking the location data to specific apps. Popular apps like Candy Crush, Tinder, MyFitnessPal, and various others are impacted. The data was initially posted on a Russian-language forum by a hacker using the alias "Nightly".
The breadth of the breach is staggering with apps across several categories being affected including dating apps such as Grindr, games like Temple Run and Subway Surfers, transit apps such as Moovit, period trackers, religious apps including muslim prayer and christian bible apps, various pregnancy trackers, and even virtual private network (VPN) applications. It appears that these apps were co-opted by rogue members of the advertising industry to collect this data through the advertising bid stream, often without the knowledge of the app developers. This has raised concerns about how user data is being collected and sold within the advertising ecosystem. Recommended read:
References :
info@thehackernews.com (The Hacker News)@The Hacker News
//
Cybercriminals are exploiting the legitimate Eclipse Jarsigner tool to deploy the XLoader malware, using a DLL side-loading technique. Researchers at AhnLab Security Intelligence Center (ASEC) discovered the campaign, which involves packaging a legitimate jarsigner.exe executable, a tool used for signing Java Archive (JAR) files, with malicious DLL files inside a compressed ZIP archive. When the legitimate executable is run, the malicious DLLs are loaded, triggering the XLoader malware infection. This method allows the malware to evade security defenses by exploiting the trust associated with a legitimate application.
The attack sequence starts with a renamed version of jarsigner.exe (Documents2012.exe) executing, which then loads a tampered "jli.dll" library. This malicious DLL decrypts and injects "concrt140e.dll," the XLoader payload, into a legitimate process (aspnet_wp.exe). XLoader is designed to steal sensitive information, including user credentials, browser data, and system information. The malware can also download and execute additional malicious payloads. Users are advised to exercise caution when handling compressed files with executable files and accompanying DLLs from unverified sources. Recommended read:
References :
@www.forbes.com
//
A new report by Citizen Lab and the EFF Threat Lab has uncovered critical security vulnerabilities within the popular Chinese social media application, RedNote. The analysis, conducted on version 8.59.5 of the app, revealed that RedNote transmits user content, including viewed images and videos, over unencrypted HTTP connections. This exposes sensitive user data to potential network eavesdroppers, who can readily access the content being browsed.
Additionally, the report highlights that the Android version of RedNote contains a vulnerability that could allow attackers to access the contents of files on a user's device. The app also transmits device metadata without adequate encryption, sometimes even when using TLS, potentially enabling attackers to learn about a user's device screen size and mobile network carrier. Despite responsible disclosures to RedNote and its vendors NEXTDATA and MobTech in late 2024 and early 2025, no response has been received regarding these critical security flaws. Recommended read:
References :
@singularityhub.com
//
OpenAI models, including the recently released GPT-4o, are facing scrutiny due to their vulnerability to "jailbreaks." Researchers have demonstrated that targeted attacks can bypass the safety measures implemented in these models, raising concerns about their potential misuse. These jailbreaks involve manipulating the models through techniques like "fine-tuning," where models are retrained to produce responses with malicious intent, effectively creating an "evil twin" capable of harmful tasks. This highlights the ongoing need for further development and robust safety measures within AI systems.
The discovery of these vulnerabilities poses significant risks for applications relying on the safe behavior of OpenAI's models. The concern is that, as AI capabilities advance, the potential for harm may outpace the ability to prevent it. This risk is particularly urgent as open-weight models, once released, cannot be recalled, underscoring the need to collectively define an acceptable risk threshold and take action before that threshold is crossed. A bad actor could disable safeguards and create the “evil twin” of a model: equally capable, but with no ethical or legal bounds. Recommended read:
References :
@www.ghacks.net
//
Recent security analyses have revealed that the iOS version of DeepSeek, a widely-used AI chatbot developed by a Chinese company, transmits user data unencrypted to servers controlled by ByteDance. This practice exposes users to potential data interception and raises significant privacy concerns. The unencrypted data includes sensitive information such as organization identifiers, software development kit versions, operating system versions, and user-selected languages. Apple's App Transport Security (ATS), designed to enforce secure data transmission, has been globally disabled in the DeepSeek app, further compromising user data security.
Security experts from NowSecure recommend that organizations remove the DeepSeek iOS app from managed and personal devices to mitigate privacy and security risks, noting that the Android version of the app exhibits even less secure behavior. Several U.S. lawmakers are advocating for a ban on the DeepSeek app on government devices, citing concerns over potential data sharing with the Chinese government. This mirrors previous actions against other Chinese-developed apps due to national security considerations. New York State has already banned government employees from using the DeepSeek AI app amid these concerns. Recommended read:
References :
@www.bleepingcomputer.com
//
Brave Browser is introducing a new feature called 'custom scriptlets' in its latest desktop release. This feature allows advanced users to inject their own JavaScript into websites, granting them deep customization and control over their browsing experience. Brave Browser is getting a new feature called 'custom scriptlets' that lets advanced users inject their own JavaScript into websites, allowing deep customization and control over their browsing experience.
This new functionality empowers users to modify website functionality, offering enhanced privacy and the ability to block trackers more effectively. The 'custom scriptlets' feature is similar to popular browser extensions like TamperMonkey and GreaseMonkey, enabling users to create custom scripts for specific websites. This feature is coming in Brave Browser version 1.75 for the desktop. Recommended read:
References :
|