In a statement to CNN, an FBI spokesperson admitted there was a cyber attack on its systems, but added, "This is an isolated incident that has been contained." At the moment, there's no word on who might be responsible for this incident.

This is definitely not the first time the FBI has had to deal with cyber criminals attacking the agency, either directly or indirectly. In November of 2021, someone hacked into a real FBI email address and used it to send over 100,000 emails to organizations.

Those messages had a false warning claiming the Department of Homeland Security was looking into a cyber attack on the recipients. The FBI said it fixed a software error that led to the emails, but as of today there's no word on who actually took over that email address.

The FBI is dealing with a cyber attack on its computers, but says it's been "contained"

Frebniis was discovered by Symantec's Threat Hunter Team, who reported that an unknown threat actor is currently using it against Taiwan-based targets.

Microsoft IIS is a web server software that acts as a web server and a web app hosting platform for services like Outlook on the Web for Microsoft Exchange.

In the attacks seen by Symantec, the hackers abuse an IIS feature called 'Failed Request Event Buffering' (FREB), responsible for collecting request metadata (IP address, HTTP headers, cookies). Its purpose is to help server admins troubleshoot unexpected HTTP status codes or request processing problems.

The malware injects malicious code into a specific function of a DLL file that controls FREB ("iisfreb.dll") to enable the attacker to intercept and monitor all HTTP POST requests sent to the ISS server. When the malware detects specific HTTP requests the attacker sends, it parses the request to determine what commands to execute on the server.

Symantec says that the threat actors first need to breach an IIS server to compromise the FREB module, but they could not determine the method used to gain access initially.

The injected code is a .NET backdoor that supports proxying and C# code execution without ever touching the disk, making it completely stealthy. It looks for requests made to the logon.aspx or default.aspx pages with a specific password parameter.

A second HTTP parameter, which is a base64 encoded string, instructs Frebniis to communicate and execute commands on other systems via the compromised IIS, potentially reaching protected internal systems that are not exposed to the internet.

The malware supports the following commands:

Commands sent to Frebniis via specially crafted HTTP requests (Symantec)

 

"If an HTTP call to logon.aspx or default.aspx is received without the password parameter, but with the Base64 string, the Base64 string is assumed to be C# code that will be executed straight in memory," explains Symantec's report.

"The Base64 string is decoded and then decrypted (xor 0x08) and is expected to be an XML document with the C# code to be executed in the '/doc' node under the 'data' attribute (E.g. <doc data=C# code>)."

The main advantage of abusing the FREB component for the described purposes is evading detection from security tools. This unique HTTP backdoor leaves no traces or files and creates no suspicious processes on the system.

Although the initial compromise pathway is unknown, updating your software is generally recommended to minimize the chances of hackers exploiting known vulnerabilities.

Advanced network traffic monitoring tools might also help detect unusual activity from malware like Frebniis.

In October 2022, Symantec discovered another malware used by the Cranefly hacking group that abused ISS logs to send and receive commands from the C2 server without raising any alarms.

Source

Health info for 1 million patients stolen using critical GoAnywhere vulnerability

Interim City Administrator G. Harold Duffey declared a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed.

"Today, Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8," a statement issued today reads.

The incident did not affect core services, with the 911 dispatch and fire and emergency resources all working as expected.

While last week's ransomware attack only impacted non-emergency services, many systems taken down immediately after the incident to contain the threat are still offline.

The ransomware group behind the attack is currently unknown, and the City is yet to share any details regarding ransom demands or data theft from compromised systems.

A City of Oakland spokesperson could not provide additional details when BleepingComputer reached out for more information immediately after the incident was disclosed.

"The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," the statement said.

"This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Oakland proclamation of local emergency

 

Almost three years ago, in July 2019, Louisiana Governor John Edwards also declared a state of emergency after a wave of ransomware attacks that hit the state's school districts.

That month, the IT systems of school districts in Morehouse, Sabine, Monroe City, and Ouachita were all taken offline after being encrypted with ransomware causing state-wide disruptions to school systems.

The Federal Motor Carrier Safety Administration (FMCSA) also issued a regional emergency declaration affecting 17 states and the District of Columbia after a DarkSide ransomware attack took down Colonial Pipeline, the largest fuel pipeline in the United States.

Emsisoft threat analyst Brett Callow said that "at least 6 U.S. local governments have been impacted by ransomware already this year, with at least 4 of them having had data stolen."

Microsoft also revealed in January that it's now tracking more than 100 ransomware gangs known to have deployed over 50 unique ransomware families until the end of last year.

Source

Slavik Markovich, CEO and co-founder of Descope, has stated that "Passwords are detrimental to both security and usability." He notes that they are the primary cause of security breaches and are often the primary entry point for cybercriminals to achieve their goals. Moreover, passwords cause disruptions throughout the user journey, leading to dissatisfaction and a negative user experience, which may result in decreased user engagement or retention.

In addition, Markovich highlighted that recent advancements, such as FIDO2, WebAuthn, and passkeys, have laid the foundation for a future without passwords. However, he emphasizes that achieving this future will only be possible when app developers are equipped with the necessary tools and resources to effortlessly integrate passwordless authentication methods into their apps.

Descope aims to contribute to this "passwordless future" by simplifying the process for developers to incorporate passwordless authentication into their applications or services. It is a challenging and time-consuming task for development teams to construct these components from the ground up. Descope provides a drag-and-drop workflow editor that enables users to create authentication flows without the need for coding. These no-code workflows enable developers to establish user access controls and get their applications to market more quickly without sacrificing security.

The authentication market is booming

According to researchers, the market for passwordless authentication is expected to expand from $6.6 billion in 2022 to $21.2 billion by 2027, as more organizations seek protection against social engineering, phishing, and other forms of credential theft. One of Descope's primary competitors is Stytch, a tool that enables developers to create authentication flows via an API, as well as JavaScript and Mobile SDKs. Stytch raised $90 million in series B funding in November 2021 and achieved a valuation of $1 billion.

Another major player in the market is Auth0, a Customer Identity Access Management (CIAM) vendor that empowers organizations to establish access roles for application and API end-users, resulting in dynamic access controls. In 2021, Okta purchased Auth0 for $6.5 billion.

According to Markovich, Descope's primary distinction from other vendors is its use of workflows. "These no-code workflows simplify the process of constructing authentication while still providing app builders control over their UX and UI," he concluded.

Source

"In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels," reads Hyundai's announcement.

The car hack has been heavily promoted on TikTok as a "challenge" since July 2022, with videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire the car.

The issue lies in a logic flaw that allows the "turn-key-to-start" system to bypass the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle.

The impact of the so-called "Kia Challenge" was so significant that in Los Angeles, the two brands had a steep 85% increase in thefts in 2022 compared to the previous year, while Chicago reported a nine-fold rise for the same.

The United States Department of Transportation (NHTSA) published a post yesterday explaining that the security flaw impacts approximately 3.8 million Hyundai vehicles and 4.5 million KIA cars.

The agency also stated that these hacks have resulted in at least 14 confirmed car crashes and eight fatalities.

Software upgrade underway

Since November 2022, the two car brands have been working with law enforcement agencies across the United States to provide tens of thousands of steering wheel locks. Still, a software update will now better solve the security problem.

The software upgrade will be provided free of charge for all impacted vehicles, with the rollout starting yesterday to more than 1 million 2017-2020 Elantra, 2015-2019 Sonata, and 2020-2021 Venue cars.

The second rollout phase will be completed until June 2023 and will be for the following models:

• 2018-2022 Accent
• 2011-2016 Elantra
• 2021-2022 Elantra
• 2018-2020 Elantra GT
• 2011-2014 Genesis Coupe
• 2018-2022 Kona
• 2020-2021 Palisade
• 2013-2018 Santa Fe Sport
• 2013-2022 Santa Fe
• 2019 Santa Fe XL
• 2011-2014 Sonata
• 2011-2022 Tucson
• 2012-2017, 2019-2021 Veloster

The free upgrade will be installed on Hyundai's official dealers and service network in the U.S. and will take less than an hour. Eligible car owners will be notified by the carmaker individually.

The announcement explains that the software upgrade will modify the "turn-key-to-start" logic to kill the ignition when the car owner locks the doors using the genuine key fob. After the upgrade, the ignition will only activate if the key fob is used to unlock the vehicle.

Hyundai will also supply its customers with a window sticker that makes it clear to aspiring thieves that the car's software has been upgraded to neutralize the social-media-promoted hack, discouraging any attempts.

For models with no engine immobilizers that cannot receive the fixing software upgrade, Hyundai will cover the cost of steering wheel locks for their owners.

KIA has also promised to start the rollout of its software upgrade soon but has not released any announcements with specific dates or details yet.

Hyundai, Kia patch bug allowing car thefts with a USB cable

The cybercrime gang specializes in online scams, employing social engineering, phishing, and smishing to collect sensitive victim details and then use that information to commit financial fraud.

The organization maintained over a hundred bank accounts in various Spanish banks, using them to deposit their criminal proceeds, withdraw cash from ATMs, send it to international accounts, or convert it to cryptocurrency.

As a result of the joint law enforcement operation, the police have arrested eight people in Spain and one in Miami, USA. In addition to the arrests, the police seized luxury items valued at €200,000 and froze assets worth over €500,000.

Social engineering attacks

The cybercriminals contacted individuals and companies in North America via phishing emails and SMS. They followed up with calls using a spoofed number to make it appear as if the caller was a legitimate entity.

The criminals aimed to deceive the victims into revealing their confidential information, allowing them to perform online purchases or transfer funds directly from the victim's bank accounts to their own in Spain.

The police's announcement says the crooks stole nearly €5,000,000 from 200 individuals and companies in just a year. However, there are some indications that the total stolen amount may exceed €7,000,000.

The main suspect utilized an array of false identity documents to control over a hundred bank accounts where the stolen funds were deposited. These accounts were opened under the names of other individuals, some collaborating directly with the crime ring, while others were unsuspecting victims themselves.

The cybercriminals then used the proceeds to travel extensively across Europe and the United States, acquiring luxury items and opening additional bank accounts to help with money laundering.

According to the Spanish authorities, cybercrime is on the rise in the country, with one in every five crimes now taking place online.

In 2022, the police recorded 375,500 cases of cybercrime in Spain, a 72% increase from 2019 and a 352% increase from 2015.

The police say one clear sign of fraud is when the caller puts the victim on hold every time they provide the requested information, as they are using that information to commit money transfers in real-time as they speak to the victim.

Source

This discovery is a continuation of a campaign initially launched in November 2022, which initially started with only twenty-seven malicious PyPi packages, and now greatly expanding over the past few months.

These packages are being promoted through a typosquatting campaign that impersonates popular packages but with slight variations, such as an altered or swapped character. The goal is to deceive software developers into downloading these malicious packages instead of the legitimate ones.

As Phylum explains in a report published on Friday, in addition to scaling up the campaign, the threat actors now utilize a novel obfuscation method that involves using Chinese ideographs in function and variable names.

New typosquatting wave

Some of the popular packages impersonated in the current typosquatting include bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, selenium, scrapy,

colorama, scikit-learn, pytorch, pygame, and pyinstaller.

The threat actors use between 13 and 38 typosquatting versions for each of the above, trying to cover a broad range of potential mistypes that would result in downloading the malicious package.

To evade detection, the threat actors have employed a new obfuscation method that wasn't present in the November 2022 wave, now using a random 16-bit combination of Chinese ideographs for function and variable identifiers.

Chinese ideographs in the code
Source: Phylum

 

Phylum's analysts discovered that the code uses built-in Python functions and a series of arithmetic operations for string generation. So, while the obfuscation creates a visually strong result, it's not very hard to break.

"While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial," reads Phylum's report.

"Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing."

Malicious browser extensions

To hijack cryptocurrency transactions, the malicious PyPi packages will create a malicious Chromuim browser extension in the '%AppData%\Extension' folder, similar to the November 2022 attacks.

It then searches for Windows shortcuts related to Google Chrome, Microsoft Edge, Brave, and Opera and hijacks them to load the malicious browser extension using the '--load-extension' command line argument.

For example, a Google Chrome shortcut would be hijacked to "C:\Program Files\Google\Chrome\Application\chrome.exe --load-extension=%AppData%\\Extension".

When a web browser is launched, the extension will load, and malicious JavaScript will monitor for cryptocurrency addresses copied to the Windows clipboard.

When a crypto address is detected, the browser extension will replace it with a set of hardcoded addresses under the threat actor’s control. This way, any sent crypto transaction amount will go to the threat actor's wallet instead of the intended recipient.

A list of regular expressions used to detect cryptocurrency addresses in the Windows clipboard and replace them with the threat actor's addresses can be seen below.

Browser extension script to hijack cryptocurrency transactions
Source: Phylum

 

In this new campaign, the threat actor extended the number of supported wallets and has now added cryptocurrency addresses for Bitcoinm Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos.

For a complete list of the malicious packages that should be avoided, check the bottom section of Phylum’s report.

Source

The company said it detected and mitigated not just one but a wave of dozens of hyper-volumetric DDoS attacks targeting its customers over the weekend.

"The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps," Cloudflare's Omer Yoachimik, Julien Desgats, and Alex Forster said.

"This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022."

The attacks were launched using over 30,000 IP addresses from multiple cloud providers against various targets, including gaming providers, cloud computing platforms, cryptocurrency firms, and hosting providers.

Increasingly powerful and more frequent DDoS attacks align with Cloudflare's recent DDoS threat report that paints a grim picture:

• the amount of HTTP DDoS attacks increased by 79% year-over-year
• the number of volumetric attacks exceeding 100 Gbps grew by 67% quarter-over-quarter (QoQ)
• the number of attacks lasting more than three hours increased by 87% QoQ

Record 71 million RPS DDoS attack (Cloudflare)

 

Today's news comes after Google's announcement in August 2022 that it blocked a record DDoS attack over the HTTPS protocol against a Google Cloud Armor customer that had reached 46 million RPS.

That was an increase of roughly 80% more than the previous record, an HTTPS DDoS of 26 million RPS mitigated by Cloudflare in June.

Volumetric DDoS attacks had slowly grown in size since 2021 when several botnets began leveraging powerful devices to hit targets with millions of requests per second.

For instance, in September 2021, the Mēris botnet hit Yandex with a 21.8 million RPS attack and previously hammered a Cloudflare customer with 17.2 million RPS.

In reaction to this stream of ever-increasing attacks, the FBI seized dozens of Internet domains and charged six suspects for their involvement in running 'Booter' or 'Stresser' platforms that anyone can use to launch DDoS attacks.

The move was part of a more extensive coordinated international law enforcement operation targeting DDoS-for-hire services dubbed Operation PowerOFF.

Besides seizing such platforms' domains and taking control of their infrastructure (where possible), the FBI is also working with the UK's National Crime Agency and the Netherlands Police to show ads in search engines to people searching for DDoS services.

For instance, when searching for 'booter service,' Google would show an advertisement stating, "Looking for DDoS tools? Booting is illegal."

Source

Both malware infections are used to conduct financial fraud, with the ransomware used to extort victims to receive a decryptor and Laplas to steal cryptocurrency by hijacking crypto transactions.

Laplas is a cryptocurrency hijacker released last year that monitors the Windows clipboard for crypto addresses and, when found, substitutes them for addresses under the attacker's control.

As for MortalKombat, Cisco Talos says the new ransomware is based on the Xorist commodity ransomware family, which utilizes a builder that lets threat actors customize the malware. Xorist has been decryptable for free since 2016.

Code similarities between Xorist and MortalKombat (Cisco)

 

The attacks observed by the Talos researchers focused mainly on the United States, with some victims also in the UK, Turkey, and the Philippines.

Victim heatmap (Cisco)

Phishing attacks

The email contains a malicious ZIP attachment containing a BAT loader script that downloads a second archive from a remote resource. This archive contains one of the two malware payloads.

The loader script will execute the downloaded payload as a process in the compromised system and then delete the downloaded files to minimize the chances of detection.

Sample of the phishing email (Cisco)

 

The email message carries a malicious ZIP attachment that contains a BAT loader script, that when opened, downloads a second archive from a remote resource. This archive contains one of the two malware payloads.

The loader script will execute the downloaded payload as a process in the compromised system and then delete the downloaded files to minimize chances of detection.

MortalKombat ransomware

MortalKombat is a Xorist ransomware variant first discovered in January 2023, named after the popular fighting video game and featuring a ransom note/wallpaper that includes art from the franchise.

Talos analysts report that the particular ransomware isn't very sophisticated as it will target system files and applications too, which are commonly avoided to prevent the system from becoming unstable.

All file types targeted by the ransomware (Cisco)

 

"Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine," describes the report.

"It drops the ransom note and changes the victim machine’s wallpaper upon the encryption process."

Ransom note on wallpaper (Cisco)

 

The wallpaper also acts as a ransom note, instructing the victim to use the qTOX Tor-based instant messaging app to negotiate with the cybercriminals who demand payment in Bitcoin.

The attacker also provides a ProtonMail email address if the victim has trouble registering a new account on qTOX.

Although MortalKombat does not feature wiper functionality, it corrupts system folders like the Recycle Bin so that the victims cannot retrieve files from there, disables the Windows Run command window, and removes all entries from Windows startup.

Corrupted Recycle Bin (Cisco)

 

Moreover, the ransomware fiddles with the Windows registry, creating a Run registry key ("Alcmeter") for persistence while deleting the installed application's root registry key in the HKEY_CLASSES_ROOT registry hive.

The HKEY_CLASSES_ROOT hive stores information about file associations, commands, and icons used for each file type, so deleting these entries means the applications can no longer function.

Cisco's analysts do not know what the operational model of MortalKombat ransomware is, and whether it is the custom strain of a lone threat actor or is sold to other cybercriminals like Laplas.

Source

Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google Adsense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended. As noted earlier, the malicious code is also obfuscated, using Base64 encoding.

Once the code is converted to plaintext, it appears this way:

Similarly, the backdoor code that backdoors the site by ensuring it is reinfected looks like this when obfuscated:

When decoded, it looks like this:

The mass website infection has been ongoing since at least September. In a post published in November that first alerted people to the campaign, Martin warned:

“At this point, we haven’t noticed malicious behavior on these landing pages. However, at any given time site operators may arbitrarily add malware or start redirecting traffic to other third-party websites.”

For now, the entire objective of the campaign appears to be generating organic-looking traffic to websites that contain Google Adsense ads. Adsense accounts engaging in the scam include:

To make the visits evade detection from network security tools and to appear to be organic—meaning coming from real people voluntarily viewing the pages—the redirections occur through Google and Bing searches:

The final destinations are mostly Q&A sites that discuss Bitcoin or other cryptocurrencies. Once a redirected browser visits one of the sites, the crooks have succeeded. Martin explained:

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

 

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

 

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whomever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

 

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.

 

Google representatives didn’t respond to an email asking if the company has plans to remove the Adsense accounts Martin identified or find other means to crack down on the scam.

It’s not clear how sites are becoming infected in the first place. In general, the most common method for infecting WordPress sites is exploiting vulnerable plugins running on a site. Martin said Sucuri hasn’t identified any buggy plugins running on the infected sites but also noted that exploit kits exist that streamline the ability to find various vulnerabilities that may exist on a site.

The Sucuri posts provide steps website admins can follow to detect and remove infections. End users who find themselves redirected to one of these scam sites should close the tab and not click on any of the content.

Source

According to a report by BleepingComputer, the phishing campaign originated from SendGrid, an email platform that Namecheap uses to send marketing emails and renewal notices. The phishing emails pretended to come from logistics provider DHL and cryptocurrency wallet Metamask.

The DHL emails claim that a parcel delivery was unsuccessful as the sender failed to pay the necessary delivery fee. To allegedly be able to proceed with the delivery, the email recipient has to pay the fee themselves. However, clicking on the "Track and Pay" button will lead the user to a fake DHL page that aims to steal their sensitive information.

Meanwhile, the Metamask email says that the recipient's account has been suspended and they need to complete a Know Your Customer (KYC) verification process to reactivate it. "By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats," the email stated.

The email also contains a marketing link from Namecheap that redirects the user to a fake MetaMask page asking the user to enter their Secret Recovery Phrase or private key. Providing any of these enables threat actors to import the Metamask wallet to their own devices and drain all of its funds and assets.

After some recipients of the phishing emails started complaining, Namecheap CEO Richard Kirkendall confirmed that their email account was indeed hacked. The company also published a statement on its website:

Dear Customers,

We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you.

We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.

Please ignore such emails and do not click on any links.

We have stopped all the emails (that includes Auth codes delivery, Trusted Devices’ verification, and Password Reset emails, etc.) and contacted our upstream provider to resolve the issue. At the same time, we are also investigating the issue from our side.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.

Once we have any news from the responsible team, this post will be updated right away.

___________________

Kind regards,

Namecheap Support Team

In another later update, Namecheap announced that its mail delivery system has been restored. Despite this, it will continue investigating the issue.

One effective way to protect yourself from phishing attacks is by always thinking twice before opening links and attachments from unsolicited emails. Also, always check the URL of the website you're visiting. For example, if the website doesn't start with dhl.com or metamask.io, it could be fraudulent. Finally, always use strong passwords and enable multifactor authentication to make it more difficult for threat actors to infiltrate your online accounts.

Source: BleepingComputer, Namecheap | DHL email image via Kathy Zant (Twitter)

Domain registrar Namecheap's email hacked to send DHL, Metamask phishing emails

Your devices and apps really, really want to know where you are—whether it's to tell you the weather, recommend some restaurants you might like, or better target advertising at you. Managing what you're sharing and what you're not sharing, and when, can quickly get confusing.

It's also possible that you have inconsistencies in the various location histories logged by your devices: Times when you thought you'd switched off and blocked location sharing but you're still being tracked, or vice versa.

Here we'll cover everything you need to consider when it comes to location tracking, and hopefully simplify it along the way. Whether you want to give out access to your current location or not, you should be in control of these settings, and not be caught unawares by additional options that you missed.

How Location Tracking Gets Confusing

You can turn off Google Location History—but it's just the start.

Google via David Nield

What happens if you distinctly remember turning location tracking off on a device, yet your position is still popping up on a map? Or maybe you thought you'd left the feature on, yet you're seeing gaps in your location history? There are a few explanations, but essentially you need to remember all the different ways your location can be logged: by your devices, by your apps, and by websites you visit.

For example, you might have disabled location tracking on a phone but left it enabled on a tablet. Alternatively, you might have a laptop that's tracking where you are in the background, even though you thought you'd disabled the feature in the apps you use. If you want location tracking completely enabled or disabled, you need to factor in all these different ways of keeping tabs on where you are.

If you have a Google account, this is a good illustration. Head to your account settings on the web, then choose Data and Privacy and Location History. Select Devices on This Account, which may reveal some phones, tablets, and laptops that you'd forgotten about—any device with a check next to it in this list is saving your movements to your Google account for future reference.

You can click Turn Off to disable this, but note the caveats that are listed in the confirmation box that appears onscreen: Your location might still be logged by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you're navigating or searching around the area you're in. This Location History setting is more of an overall toggle switch, affecting features such as the Google Timeline and the ability to quickly look up places you visit regularly.

From the main Google account screen, there are several more places where your location gets logged and shared: Click Data and Privacy then Web & App Activity to manage location data saved by Google Maps and other apps and websites, and click People and Sharing then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.

Managing Location Tracking on Mobile

The steps to manage your location on Android vary slightly depending on the manufacturer of your phone, but the menus and instructions involved are broadly similar. On Google Pixel devices, you can open up Settings then select Location: You'll see the Use Location toggle switch, and if you turn this off, none of your apps will be able to know where you are, nor will Google.

If you leave the Use Location toggle switch on, you can customize location access for individual apps further down on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground—tap on any app in the list to make changes.

Over on iOS, it's a similar setup. If you select Privacy & Security from Settings, and then tap Location Services, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose to restrict apps to knowing your location only when the particular app itself is running, or allow them to monitor it in the background too.

Erasing the location data that's been collected on you is a complex process, as you need to check the records and the settings of every app that's ever had access to your location. For Google and Google's apps, you can head to your Google account on the web, then choose either Location History or Web & App Activity under Data and Privacy to wipe this data from the record. You'll also find options for automatically deleting this data after 3, 18, or 36 months.

Apple doesn't log your movements in quite the same way, but it does build up a list of places you visit frequently (like your home and perhaps your office) so you can quickly get to them again. To clear this list on your iPhone, open Settings then choose Privacy & Security, Location Services, System Services, and Significant Locations. You can clear this list and stop it from populating in the future.

Managing Location Tracking on Desktop

Your laptop or desktop computer is unlikely to be fitted with GPS capabilities, so it won't track your location in quite the same way as your phone, but applications, websites, and the operating system will still have some idea where you are—primarily through the locations that you sign into the web from (via your home Wi-Fi, for example).

On Windows, you can open up Settings and then choose Privacy & Security and Location. As on Android and iOS, you'll see you can turn location tracking off for individual applications (via the toggle switches on the right) or shut it down for the entire computer (the option at the top). The same screen lets you see which apps have been using your location, and enables you to wipe the log of your travels—click Clear next to Location History to do this.

When it comes to the same process on macOS, you need to click the Apple menu and select System Settings, Privacy & Security, and Location Services. The next screen looks very similar to the Windows one, with toggle switches for individual applications as well as for macOS itself—turn off any of the switches where you don't want location access to be given. If you click Details next to System Services on this screen, you can clear the list of “significant locations” Apple has saved for you, just like on iOS.

If location tracking is on for your computer and your browser of choice, that means individual websites such as Facebook, Amazon, or the Google Search can know where you are as well. Sometimes this is useful, of course (for getting the right weather forecast), but there might be times when you want to turn it off if you're trying to keep your whereabouts private.

Every browser will have settings for managing website access to your location. In Chrome, it's Privacy and Security, Site Settings, and Location from the settings pane; if you're using Edge you need to open settings and choose Cookies and Site Permissions then Location; and on Safari on macOS, pick Websites and Location once you've got the settings dialog open. Changing these settings won't affect data these sites have collected in the past, though—you'll need to visit the options for the individual sites for that.

How to Make Sure You’re Not Accidentally Sharing Your Location

(May require free registration to view)

Reddit has confirmed its systems were hacked last weekend as the result of a sophisticated and highly targeted phishing attack: the attackers gained access to documents, code, and some internal business systems.

Late on February 5, Reddit became aware of the phishing campaign that targeted its employees. The attacker sent out "plausible-sounding prompts", pointing employees to a website that cloned the behavior of its intranet gateway, in an attempt to steal credentials and second-factor tokens. After obtaining a single employee's credentials, the attacker gained access to some documents and code, as well as some internal dashboards and business systems.

We know all of this information because Reddit's CTO posted about the incident on Reddit. Currently, there's no indication that usernames and passwords of Reddit users have been accessed -- but Reddit has suggested users should apply multi-factor authentication (MFA) to their accounts for added protection.

There are two key takeaways from the Reddit security incident. The first is that phishing attacks continue to be a key tool in the cyber criminal's arsenal -- we all use emails, and a carefully crafted phishing attack can trick even the most security-conscious user.

The second is that Reddit has -- I think -- chosen the right option by being transparent about falling victim to cyber attackers, publicly disclosing the incident just days after it was first detected.

Despite the prolific nature of cyberattacks and data breaches, many victims decide that the best course of action is to keep quiet about what has happened -- sometimes, they won't even mention that there was an incident at all.

The reasons for keeping quiet include fear of reputational damage, fear of financial losses, or even fear of alerting other cyber criminals to the fact that they might make a good target for attacks.

But Reddit's openness over what happened -- and how the incident was discovered and managed -- provides a good example of how incident disclosure could and should be done, and how it can benefit both a company's users and customers, as well as the business itself.

According to Reddit, soon after being phished, the employee suspected something was wrong and self-reported the incident, alerting the information security team. They responded quickly, removing the infiltrator's access and started an internal investigation.

What's also key here is that an employee came forward with their suspicions. Keeping it quiet doesn't help anyone but the attacker, who gets more time in the network.

But in this instance, the employee reported the incident, something Reddit's CTO commented he was "extremely grateful" for in the thread below the initial post. As a result, the attacker only had access to the network for a few hours because the security team was able to respond quickly.

The speed of detection -- combined with transparency over the incident -- has gone down well with Reddit users, many of whom have praised Reddit's response, which included answering queries about what happened.

Reddit also used the post to encourage users to apply MFA to their Reddit accounts, and to use a password manager to help stay secure.

At a time when many businesses that fall victim to cyberattacks won't say anything, Reddit's openness after the phishing attack provides a good lesson on being transparent about a cybersecurity incident -- and it's something that other companies can learn from.

As shown by the response online, users and customers will be grateful they've been told about the incident quickly, enabling them to take the necessary steps to secure their accounts.

It's unfortunate that the nature of cyber crime means that phishing and cyberattacks are an everyday occurrence -- but a company that shows it can deal with incidents well is positive for everyone.

Source

Raisi, whose hardline government faces one of the boldest challenges from young protesters calling for its ouster, appealed to the “deceived youth” to repent so they can be pardoned by Iran’s supreme leader.

In that case, he told a crowd congregated at Tehran’s expansive Azadi Square: “the Iranian people will embrace them with open arms”.

His live televised speech was interrupted on the internet for about a minute, with a logo appearing on the screen of a group of anti-Iranian government hackers that goes by the name of “Edalate Ali (Justice of Ali).”

A voice shouted “Death to the Islamic Republic.”

Nationwide protests swept Iran following the death in September of 22-year-old Mahsa Amini in the custody of the country’s morality police.

Security forces have responded with a deadly crackdown to the protests, among the strongest challenges to the Islamic Republic since the 1979 revolution ended 2,500 years of monarchy.

As part of an amnesty marking the revolution’s anniversary, Iranian authorities on Friday released jailed dissident Farhad Meysami, who had been on a hunger strike, and Iranian-French academic Fariba Adelkhah.

On Sunday, Supreme Leader Ayatollah Ali Khamenei issued an amnesty covering a large number of prisoners, including some arrested in recent anti-government protests.

Rights group HRANA said dozens of political prisoners and protesters, including several prominent figures, had been freed under the amnesty but that the exact conditions of their release were not known.

Rights activists have expressed concern on social media that many may have been forced to sign pledges not to repeat their “offenses” before being released. The judiciary denied this on Friday.

HRANA said that as of Friday, 528 protesters had been killed, including 71 minors. It said 70 government security forces had also been killed. As many as 19,763 protesters are believed to have been arrested.

Iranian leaders and state media had for weeks appealed for a strong turnout at Saturday’s rallies as a show of solidarity and popularity in an apparent response to the protests.

On the anniversary’s eve Friday night, state media showed fireworks as part of government-sponsored celebrations, and people chanting “Allahu Akbar! (God is Greatest!).” However, many could be heard shouting “Death to the dictator!” and “Death to the Islamic Republic” on videos posted on social media.

The social media posts could not be verified independently.

Government television on Saturday aired live footage of the state rallies around the country.

In Tehran, domestic-made anti-ballistic missiles, a drone, an anti-submarine cruiser, and other military equipment were on display as part of the celebrations.

“People have realized that the enemy’s problem is not woman, life, or freedom,” Raisi said in a live televised speech at Tehran’s Azadi Square, referring to the protesters’ signature slogan.

“Rather, they want to take our independence,” he said.

His speech was frequently interrupted by chants of “Death to America” – a trademark slogan at state rallies. The crowd also chanted “Death to Israel.”

Raisi accused the “enemies” of promoting “the worst kind of vulgarity, which is homosexuality”.

Adelkhah, who had been in prison since 2019, was one of seven French nationals detained in Iran, a factor that has worsened relations between Paris and Tehran in recent months.

She was sentenced in 2020 to five years in prison on national security charges. She was moved to house arrest later but in January returned to jail. Adelkhah has denied the charges.

Meysami’s release came a week after supporters warned that he risked dying because of his hunger strike. He was arrested in 2018 for protesting against the compulsory wearing of the hijab.

In announcing Adelkhah’s release on Friday, the French foreign ministry called that her freedoms be restored, “including returning to France if she wishes.”

“Legally, her file is considered completed, and legally there should be no problem to leave the country, but this issue has to be reviewed. So … it is not clear how long it will take,” said her lawyer, Hojjat Kermani.

Source

For the user, it is a convenience feature, as future purchases do not require typing the full credit card number and other requested data anymore. For sites, it also binds the customer, which means that they are more likely to use their services in the future. Information about Internet users is also of importance to many companies.

But the shopping sites and payment providers are not the only ones that may suggest to save the credit card information. The web browser or a password manager may also recommend that. It depends on whether the feature is supported in the browser, the password managers integration and functionality.

At least some Internet users may wonder whether it is a good idea to store credit card information in a password manager, browser or online.

The case for saving credit card information

The main argument for saving credit card numbers and data is convenience. Users do not have to have their credit cards with them to make purchases, once the number is saved. While some sites may request the three digit security code as verification, it is still more convenient than before.

Password managers and browsers encrypt the data and may support additional security features, such as two-factor authentication, to protect the data. These may be favorable over physical use of a credit card in some situations.

The case against saving Credit Card numbers

One strong argument against saving credit card information online, in browsers or in password managers, is that these add another attack vector. Sites may get hacked, and depending on how the information is saved, it may fall into the hands of malicious actors.

Password managers too are not offering 100% security. Last year's LastPass hack showed that high security sites may get hacked, sometimes using indirect ways, and that important user data may fall into the hands of criminals.

Browsers share the issue with online password managers, especially if they sync data to the cloud. Even local password managers are affected, even though it may be less exploitable because data is not stored online.

Apart from security concerns, there are additional reasons for skipping the "save card online" prompts when they are encountered.

The first is often found when companies offer trials of applications or services. Users who sign-up for a free trial may need to provide credit card information before the trial starts. The main issue here is that companies will charge the card automatically, if the user does not end the trial actively. Some may like the service, but some may forget about it and subscribe for a month, year or even longer to a service that they do not want to use.

Sometimes, users may pick different payment options to have better control over the processing of payments.

A second reason is that saved payment information paves the way for impulse purchases. A study in the United States from 2019 suggests that 83% of U.S. adults have already made impulse purchases.

Lastly, a case can also be made that someone with access to the computer, smartphone or tablet may make purchases using the stored payment information.

Closing Words

It is recommended to avoid saving payment information only. Even though that makes purchases online a tad less convenient, it is improving security, reducing the likelihood of erroneous payments and impulse purchases.

Should you store Credit Card data online or in password managers?

The medical groups impacted by the cyberattack are Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical.

The entities collectively issued a notice of data breach at the start of the month and shared a sample letter with the California Attorney General's office earlier this week.

Today, the healthcare organization reported on the U.S. Department of Health and Human Services breach portal that the data of 3,300,638 patients was exposed in the attack.

Sensitive data were stolen in attack

The data breach notification says the ransomware attack occurred on December 1, 2022, with Regal's employees noticing technical difficulties the following day.

After engaging a third-party cybersecurity expert to help investigate, it was determined that malware had infected the organization's servers, so a system restoration process was initiated.

Based on the review of the logs, the investigation determined that the following data had been compromised:

• Full name
• Social Security Number (SSN)
• Date of birth
• Address
• Medical diagnosis and treatment
• Laboratory test results
• Prescription data
• Radiology reports
• Health plan member number
• Phone number

Ransomware actors steal this data to create further leverage when extorting healthcare organizations, taking advantage of the highly sensitive nature of medical data.

Regal's notice encloses instructions on enrolling for one year of free credit monitoring via Norton LifeLock.

"Regal understands the importance of safeguarding your personal information and takes that responsibility very seriously," reads the notice.

"We will do all we can to assist any individuals whose personal information may have been compromised and help them work through the process."

The healthcare organization says they have implemented additional security measures and stricter protocols to prevent similar incidents and safeguard sensitive patient information from unauthorized access.

Impacted patients should look out for targeted phishing attacks, scams, social engineering, or extortion using stolen data.

If you are unsure if an email or text is legitimate, ignore it or contact your doctor to confirm if it's valid.

Source

Google password manager is a feature that is built into the Google account system and allows you to manage your passwords and securely store them on your device for different websites and applications.  With Google password manager, your password will be encrypted and stored on the Google servers, so you really don't have pressure to remember them.  When you sign into your Google account, the password manager offers you to automatically fill in your login credentials for the website and applications as long as they're saved on your Google account. 

This means logging in is a breeze. In addition, the password manager could also assist with generating some secure passwords while storing them securely. Remember, the pressure of remembering your password is eased with Google password manager. Stick with us as we give you the 411 on whether you should use Google password manager. 

How to Safely Use Google Password Manager? 

Simplicity is the name of the game when it comes to using Google password manager. One of the things I love about having a Google account is that all important information can be attached to your account and easily accessed when you sign into your Google account. Well, the big question now could be, what if somebody gets a hold of my device and I'm already signed into my Google account? Don't worry; Google password manager has got you covered. 

For many years the one thing that kept me from using the password manager was the fear of storing all of my passwords in one place. Actually, using a password manager to manage passwords has been deemed safer than using a password that you can easily remember.  Google password manager comes well equipped with tools such as two-factor authentication that prevents anyone from accessing your Google account on a new device even though they have your password. 

If you aren't sure how to access your Google password manager here, we go: 

1. Sign into your Google account. 
2. Access the password manager by clicking the Security tab.
3. Here you can view all the accounts with saved passwords. You’ll get access either to add a new password and edit or delete an old password. Remember you have the automatic generator to assist with that. 

The only negatives I drew from using Google password manager were that: 

• It lacks a few features when compared with other password managers such as Dashlane and OnePassword. 
• You also have to be careful if you leave your computer unattended. Although most password managers can be automatically set to sign out after a certain amount of time when your computer sleeps or is locked. 

So to answer the golden question. Yes, you can use Google password manager. Just remember to use the security features.

Should You Use Google Password Manager?

According to LastPass CEO, Karim Toubba, there was a security incident in August that led to unauthorized parties stealing customer data in December. However, this is not a unique event for LastPass since it’s been having security incidents since 2011.

What kind of data was exposed? According to Toubba, hackers got their hands on unencrypted data such as LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses. 

There was also vault data stolen, containing both unencrypted and encrypted information such as usernames and passwords for all visited sites. 

Let’s pause for a second here. This is a password manager. They’re holding the keys to your kingdom, so to speak. Anyone sensible would think that they’d do well what they’re supposed to do, that is, storing your passwords securely.

Even more alarming is the fact that this has been happening since at least 2011, and nobody knows how many other undisclosed events might have happened so far.

What to do about it

If you’re a LastPass user, the first thing that comes to mind is switching to another service. However, the most pressing issue is to immediately change your passwords on any site you have visited. You have to assume there’s somebody out there with all your data, and possibly a lot of ideas on how to use it.

Even though the most sensitive data is encrypted, nothing prevents crackers from using brute force attacks on your information, even though it can take a long time for a good password to be cracked. According to LastPass, it could be millions of years, unless you have used “qwerty1234” or something similar.

Since the company has a history of security breaches, you might also consider visiting sites you no longer use but still have access to, just in case. You may think this is a colossal task, and it is. But it’s much better to be safe than sorry.

The best course of action is to start with the most important sites first. This means your passwords for online banking, e-commerce platforms, job-related sites, health services and anywhere where you may have critical private information stored.

Then you can go on to changing passwords for less critical sites such as newspaper subscriptions, online forums, etc. Don’t forget your phone apps, too, since many are permanently logged in. Finally, use 2-factor authentication. I know it’s a drag, but it’s the best way to prevent someone from accessing your account. 

A “fun” fact about this security breach and LastPass is that, even though you may think your encrypted info is safe, it indirectly isn’t. This is because LastPass doesn’t encrypt your visited URLs, so hackers can see where you logged in, and whether you have login information saved. This paves the way for many social engineering tactics.

We live in a brave new world, folks. But with these recommendations, you’ll be in top shape to prevent major issues even if someone manages to get their dirty hands on your data.

If You Use LastPass, You Need to Change All of Your Passwords ASAP

Last week, word about a vulnerability in the password manager spread online. Reported by the Federal Cyber Emergency Team of Belgium, it revolved around the application's trigger mechanism.

Using a specific trigger, an attacker could export the entire password database to another file. The main issue that Belgium's Federal Cyber Emergency Team saw was that KeePass did not prompt the user for the master password before allowing the export of passwords to commence.

KeePass itself disputed the vulnerability, stating that malicious actors needed write access on the system and that the access would give them even more malicious options, including replacing the KeePass executable file, running malicious programs on the system, or modifying autostart and configurations on the system.

The lead developer of KeePass, Dominik Reichl, suggested that users could create an enforced configuration file to lock the trigger functionality. An attacker with write access could, however, modify that configuration file either, so that it did not resolve the underlying issue.

A properly protected system, with state-of-the-art antivirus, a firewall, and users who avoid common attack scenarios should prevent this type of attack entirely.

KeePass users had a few options to deal with the issue. They could switch to KeePass 1.x, a legacy version of the password manager that is still actively maintained. It lacks several features, including triggers. Other options included migrating to a KeePass port. The benefit of that approach is that the password database format is supported.

KeePass 2.53.1: vulnerability resolved

The point release addresses the issue. The official changelog highlights the fact: "Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.".

In other words: KeePass will prompt the user for confirmation before export data operations. Confirmation is given with the user's primary password, which needs to be entered before data exports begin.

The controversially discussed vulnerability shows how important it is to address concerns, especially regarding security. Reichl may not have changed his initial opinion that the vulnerability is not one, but he reacted to public concern and made a change to the application to address these concerns.

Information about the use of triggers is not available, but it seems likely that only a minority of KeePass users use these. Even fewer may use the password export trigger.

Closing Words

KeePass users may want to upgrade to version 2.53.1 immediately to protect their passwords against automated exports.

Users may also want to check a KeePass security setting to make sure that the database is properly protected against brute force attacks.

Now You: vulnerability or not, what is your take on this case?

KeePass 2.53.1 password manager resolves vulnerability controversy

Reddit confirmed yesterday that a hacker had managed to gain access to its internal systems, grabbing internal documents and source code in the process.

The "security incident(Opens in a new window)" occurred on the night of Feb. 5 when a hacker cloned the behavior of Reddit's intranet gateway and then attempted to guide the company's employees to it using "plausible-sounding prompts." Those prompts were successful as credentials were stolen and then used to access Reddit's internal systems.

The good news is, Reddit found no breach of its primary production systems and therefore no non-public user data was accessed. The personal information stolen seems to be limited to hundreds of company contacts and advertiser details.

Reddit's security team is still in the process of fully understanding how the attack managed to break through its defenses, but points out "the human is often the weakest part of the security chain." There's also a promise that all information about what they find will be shared publicly.

Even though no sensitive user data was stolen, Reddit is urging all users to turn on two-factor authentication for their accounts. It's easy to do and adds an extra layer of security, as is regularly changing your password, choosing strong passwords, and making the whole process easy by using a reputable password manager.

Source

DNS-resolver Quad9 continues to fight back against Sony Music's demands for pirate site blocking measures to be deployed at the DNS level. The non-profit foundation argues that blocking injunctions shouldn't apply to DNS resolvers as that would create a chilling effect on the free and open Internet. Quad9's defense is supported by an expert report from Prof. Dr. Ruth Janal.

Sony vs. Quad9: Court Hears Landmark DNS Piracy Blocking Case

Today, AgileBits, developer of popular password managing service 1Password, has unveiled its plans to roll out passkey authentication as a replacement for passwords. Notably, the password manager had already started heading into this direction a while back, with support for storing passkeys for other services introduced earlier as well - for which the firm is already offering an interactive demo.

Chief Product Officer at 1Password, Steve Won, stated that users will be able to utilize the following by using passkeys:

• Create a 1Password account without a password or a Secret Key.
• Sign in on new devices with ease.
• Use your phone to unlock 1Password on your Mac, PC, and in the browser.
• Accelerate onboarding for enterprise users, or friends and family.
• Use built-in biometric authenticators everywhere you use 1Password including on the web.

He also acknowledged that the shift to passwordless for a service named 1Password may seem counter-intuitive at first, but he emphasized on how passkeys worked on the same principles as passwords, with additional layers of protection that just serve to make them more secure than their more traditional counterparts.

Passkeys as a form of login and registration will start rolling out this summer for 1Password.

1Password does away with passwords, shifts to passkeys

According to Reddit, the attack was made possible through a "sophisticated phishing campaign" wherein cybercriminals created a fraudulent yet legitimate-looking landing page of its intranet site. This is a ruse to steal employees' login credentials and two-factor authentication codes.

One employee eventually fell victim to the phishing scam, allowing the threat actors to infiltrate Reddit's code, internal documents, and some internal dashboards and business systems. Despite this, the company claims that there were no indications that its primary production systems were breached.

Reddit says that it became aware of the incident after the employee who fell for the phishing attack self-reported the issue to the company's security team. The team responded by removing the infiltrator’s access and initiating an internal investigation.

"Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information," Reddit stated in its post. "Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online."

The company announced that it is continuing to investigate and monitor the incident closely. It is also working with employees to fortify their security skills.

To stay safe from phishing attacks, always be careful when opening links or downloading attachments from unsolicited emails. Regularly check the URL of the website you're visiting as well. For instance, if the URL doesn't start with "reddit.com" or "paypal.com," or shows something completely different, it's likely fraudulent. Finally, make sure to enable multifactor authentication if available to make it harder for cybercriminals to infiltrate your account.

Reddit suffers security breach after employee falls for phishing attack

Tor Project's Executive Director Isabela Dias Fernandes revealed on Tuesday that a wave of distributed denial-of-service (DDoS) attacks has been targeting the network since at least July 2022.

"At some points, the attacks impacted the network severely enough that users could not load pages or access onion services," Fernandes said on Tuesday.

"We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue."

While the goal of these ongoing attacks or the identity of the threat actor(s) behind them are not yet known, Fernandes said the Tor team will keep tweaking the network's defenses to address this ongoing issue.

The Tor Network team will also be expanded to include two new members focusing on .onion services development.

"In the interest of protecting the Tor network and our global community, we chose to limit public information on the nature of those attacks for now," Fernandes told BleepingComputer when we reached out for more information on the DDoS attacks.

"To clarify, our services have not been down, but on occasion slow for some users, and it is important to note that the user experience is affected by a variety of factors, including what onion services are being used, or which relays get picked when they build a circuit through Tor."

DDoS attacks also hit the I2P network

Tor is not the only anonymous communications network currently targeted by DDoS attacks. The I2P (short for Invisible Internet Project) peer-to-peer network has also been dealing with a massive attack for the last three days.

As a result, I2P users might also experience issues due to some i2pd routers crashing with OOM (out of memory) errors when hit by this Denial-of-Service attack.

"As you already know, the I2P network has been targeted by a Denial-of-Service attack for the past ~3 days. The attacker is flooding the network with malicious floodfill routers, which are responding incorrectly or not at all to other routers and feeding the network false information," one of the I2P subreddit's mods said yesterday.

"This results in performance and connectivity problems, because the floodfills provide peer information to the participants in the network. The result is a form of sybil attack which is used to cause widespread denial of service.

"This attack has degraded the performance of the network but it remains intact and usable. Java I2P routers still appear to be handling the issues better than i2pd routers. Various mitigations should appear in dev builds of both Java and C++ routers in the next week."

Just as in Tor's case, the threat actors are using a variety of tactics as "the attack is starting / stopping / changing several times a day," as I2P's project manager and core dev lead said in a Tuesday community meeting on IRC.

Source