Most of the security threats that we face today come from online sources. I mean, the moment we switch on our devices and click "connect", we walk into a world where we can be vulnerable to threats that we cannot even fathom. Yet we trust our instincts and tell ourselves, "I will be fine." Sometimes, that turns out to be the case. Most of the time (ask those who have been victims), it's not.
One wrong move and we could be toast. Searching for that thing on your favorite search engine? In the search results, you could end up clicking on a malware-laden site or a phishing site using a typosquatted domain name. Or, you have vulnerable software and an exploit is already available waiting for a target to come online, and just like that, your system is owned.
The list is endless. Nonetheless, we still connect to the internet and, if we are security-minded, hope and pray for the best.
FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins
TL;DR: In the season of the World Cup 2026, there are scam sites out there ready to steal your financial and identity details. To prevent this, go to FIFA's website directly by typing the address in your web browser's address bar and hitting the enter key on your keyboard. This means do not search for anything related to tickets or stuff like that on Google (or your favorite search engine).
You have been warned.
Everybody Is Vibe Coding But Nobody Told the Security Team
I wish they did. Wait. Let me take that back. They should tell the security team! Why? These vibe-coded applications are ending up in Google Search results.
Here is what I am saying (emphasis mine):
Researchers at RedAccess recently analyzed thousands of vibe-coded applications built on Lovable, Replit, Base44, and Netlify. They found more than 5,000 with virtually no security or authentication. Around 40% exposed sensitive data — medical information, financial records, corporate strategy documents, detailed customer conversation logs.
Among verified exposures: a shipping company app detailing vessel port arrivals; an internal health company application listing active UK clinical trials.
Cybercriminals: the 'auditors' you never hired
Nonetheless, they are at your door scanning and probing where the loopholes are. If they do find one, you might find out after the damage is done.
From the article:
There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias.
As this bias can lead us to mistake familiarity for safety and assumptions for evidence, it’s increasingly getting in the way of dealing with the cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack or to interpret an absence of obvious problems or consequences as evidence that risks are under control.
Infostealers Turn Millions of Devices Into Credential Theft Machines
To add to the article's title: Without you even knowing. I know you might say: of course that's how infostealers work! Yes, I know. I just couldn't help myself but say it out loud.
From the article:
Stealers are available on the underground ecosystem, often via malware-as-a-service (MaaS) and for hire at as little as $60 per month. During 2025, the most successful stealers, in order, were Lumma, Acreed, Rhadamanthys, Vidar, and StealC.
When attackers acquire a stealer, they must then infect a target device. This could usually be any device connected to the network he intends to raid since secrets available here would provide access to other parts of the network.
Oracle warns of security bug that hackers abused to breach 100+ companies
At the time of writing, it's a zero-day bug. Meaning: no patches are available, only mitigations.
From the article:
Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the bug can be exploited over the internet without needing any authentication, such as a password.
Japanese energy firm loses drive with data of 10.9 million clients
They stored the now-stolen data on a drive and locked it in a server room cabinet that is behind many physical security layers. Yet someone got in and took the data, and at the time of writing, they have located neither the person nor the data.
From the article:
The data present on the now missing drive includes:
- Customer names
- Service location addresses
- Electricity usage data
- Telephone numbers
- Names of retail electricity providers
- Other related information
The firm has clarified that no bank account information or credit card data was stored in the drive. It also promised to notify impacted customers individually in the upcoming period.
Alert Fatigue Is Becoming a Security Threat of Its Own
TL;DR: When there are too many alerts, it can be a problem.
From the article:
Alert fatigue isn’t caused by occasional long hours and stress – it is caused by continuous long hours and continuous stress with no escape. If it isn’t prevented, the effect on the analyst could begin with a few missed false negatives and grow into a full business compromise.
For the analyst, it could start with subconscious, but overly aggressive filtering merely designed to keep up with the volume of fresh alerts. Within this filtering, too many alerts may be assumed to be false positives. Many will be but some may not, and true positive signals may be filtered out as noise.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.