Category Archives: Latest Warnings

Recycle Your Phone, Sure, But Maybe Not Your Number

Posted on by

Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.

Even so, plenty of people willingly abandon a mobile number without considering the potential fallout to their digital identities when those digits invariably get reassigned to someone else. New research shows how fraudsters can abuse wireless provider websites to identify available, recycled mobile numbers that allow password resets at a range of email providers and financial services online. Continue reading Recycle Your Phone, Sure, But Maybe Not Your Number

Malicious Office 365 Apps Are the Ultimate Insiders

Posted on by

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others. Continue reading Malicious Office 365 Apps Are the Ultimate Insiders

Experian’s Credit Freeze Security is Still a Joke

Posted on by

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States.  Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space. Continue reading Experian’s Credit Freeze Security is Still a Joke

Can We Stop Pretending SMS Is Secure Now?

Posted on by

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of people (many of them low-paid mobile store employees) who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users. Continue reading Can We Stop Pretending SMS Is Secure Now?

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Posted on by

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems. Continue reading At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails

Posted on by

Microsoft Corp. today released software updates to plug four critical security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group. Continue reading Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails

The Taxman Cometh for ID Theft Victims

Posted on by

The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year. Continue reading The Taxman Cometh for ID Theft Victims

Be Very Sparing in Allowing Site Notifications

Posted on by

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters. Continue reading Be Very Sparing in Allowing Site Notifications

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

Posted on by

On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Continue reading FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

Breach at Dickey’s BBQ Smokes 3M Cards

Posted on by

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the payment card data was stolen in a two-year-long data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country. Continue reading Breach at Dickey’s BBQ Smokes 3M Cards