Malware and vulnerabilities are the stuff of nightmares for any security-conscious internet user. If you add privacy invasion to the mix, it gets worse. I mean: a website spying on you by analyzing your SSD's activity can sound like a script from your favorite sci-fi movie. However, it's reality.
Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise
The FIFA World Cup season is around the corner. Be careful with any random search while looking to buy tickets or merchandise. Go to the official website. Do not search on Google.
From the article:
Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won't notice.
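To make the "small additions or other changes" concrete from a defender's side, here is an added example (not from the quoted article or from this post) that labels hostnames by how they imitate an official domain. It assumes the official domain is fifa.com, which the page does not name, uses constructed sample hostnames, and goes slightly beyond the quote by also flagging a different TLD and the brand used as a subdomain of an unrelated site.

```python
OFFICIAL = "fifa.com"  # assumption: the page only says "the official website"

# Constructed sample hostnames for illustration, not observed indicators.
SAMPLES = [
    "www.fifa.com", "fiffa.example", "f1fa.example", "fifa-tickets.example",
    "fifaworldcup-shop.example", "fifa.com.tickets-shop.example", "weather.example",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify(host: str, official: str = OFFICIAL) -> str:
    """Label how a hostname relates to the official domain."""
    host = host.lower().rstrip(".")
    # Trust only an exact match or a true subdomain (note the leading dot).
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]
    labels = host.split(".")
    # Naive registrable label (left of the TLD); use the Public Suffix List in production.
    name = labels[-2] if len(labels) > 1 else labels[0]
    if name == brand:
        return "different-tld"
    if edit_distance(name, brand) <= 1:
        return "small-change"
    if brand in name or any(edit_distance(t, brand) <= 1 for t in name.split("-")):
        return "addition"
    if brand in labels[:-2]:
        return "brand-as-subdomain"
    return "no-match"


def triage(hosts, official=OFFICIAL):
    """Return {host: label} for hosts that imitate the official domain."""
    labelled = {h: classify(h, official) for h in hosts}
    return {h: v for h, v in labelled.items() if v not in ("official", "no-match")}


if __name__ == "__main__":
    for host, label in triage(SAMPLES).items():
        print(f"{label:20} {host}")
```

With a brand as short as four letters, an edit distance of 1 will also match unrelated words, so treat the labels as a review queue rather than a blocklist.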
These special phone and app features can help protect you from spyware
If you feel that you are being targeted, or you think you could be in the future, go through the article. It covers how to turn these features on for your iPhone and Android devices.
The following should get you started:
Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff.
No security measure is perfect, and it’s a constant effort to keep security flaws at bay. But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective.
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Do not use AI chatbots for searching for download links on the Internet. If you think that's too much to ask, read the article.
From the article:
It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning.
Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors.
Websites have a new way to spy on visitors: Analyzing their SSD activity
Among the things that I never thought would be possible while browsing the web, this is going to be in the top 10. While reading, I was reminded of https[://]browserspy[.]dk
From the article:
The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.
The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.
New BTMOB Android Malware Enables Full Device Takeover
Another Android malware that you and I have to think about. Like previously documented Android malware, this one also abuses the Accessibility Services on the device.
Here is how the malware spreads, and what it can do:
Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK.
Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.
Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code
It can be funny when you read the title. However, it wouldn't be funny if you end up being a victim.
From the article:
The addition was a prompt injection, a form of AI attack that exploits an LLM’s inability to distinguish between legitimate user prompts and those from unauthorized, potentially malicious third parties. AI coding agents that were vulnerable would then delete work product produced by the testing app.
The reception to the discovery has been chilly. One discussion participant called the move “childish,” while another one questioned its legality in some jurisdictions.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.