ISBuzz Team
Officials say a possible data breach may have compromised the personal information of more than 500 employees of a Virginia police department. Fairfax County Police Chief Edwin Roessler Jr. told the Washington Post that he doesn’t have any reports that officers’ personal information has been exploited. Roessler says the data was on a missing memory stick that contained the email inbox of the Purcellville police chief. Roessler said it wasn’t clear if there was a reason for the data to be in the other chief’s email or if Fairfax County also had a data breach. But the chief says he…
The infamous Phineas Fisher is at it again, this time offering a $100K bounty for any hacker who successfully conducts politically motivated hacks against companies that could lead to the disclosure of documents in the public interest – think WikiLeaks. This “bug bounty” style approach is meant to encourage other hackers to launch their own hacktivist hacks.
Disney’s long-awaited streaming service, Disney+, launched last week to much fanfare, notching an impressive 10 million subscribers on its first day. However, within 24 hours of going live, it was reported that thousands of accounts had been hacked, with critical data stolen and sold on the dark web. Disney+ users began posting messages on Twitter and Reddit stating that their accounts had been compromised. Some users complained of being locked out of pre-paid accounts after receiving alerts that account information, including their password and contact details, had been changed. https://twitter.com/NYDailyNews/status/1196622903707652097 Commenting on the news are the following cybersecurity experts:
WhatsApp has posted a security advisory acknowledging a security flaw within the app that allowed hackers to access people’s messages by sending a malicious video file. Although a fix has been issued, users who haven’t updated the app remain vulnerable to hackers. The attack is carried out through a video file sent by hackers, but WhatsApp has not revealed whether the video needs to be opened for the hack to be executed.
More than 100,000 look-alike domains that use valid TLS certificates to appear safe and trusted have been found on the Internet just in time for the holidays, according to security researchers at Venafi.
Macy’s has disclosed a data breach – their web site was hacked with malicious scripts that steal customers’ payment information. In Magecart attacks, hackers compromise web sites to inject malicious JavaScript scripts into various sections of the web site. These scripts then steal payment information that is submitted by a customer. The ‘Notice of Data Breach’ issued by Macy’s said their web site was hacked on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer…
60 percent of the UK’s top ten online retailers are not actively blocking fraudulent emails from reaching customers. Proofpoint, Inc. (NASDAQ: PFPT), a leading cyber security and compliance company, today released research identifying that only four of the top 10 (40 percent) online retailers in the UK have implemented the strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, making them susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud for customers. Worryingly, this leaves online shoppers at 60 percent of top retailers in the UK open to email fraud. With Black Friday upon us, and over half of UK consumers set to shop…
PhishLabs has detected attempts to compromise Microsoft Office 365 administrator accounts as part of a broad phishing campaign. In the campaign, the threat actor(s) delivered a phishing lure that impersonated Microsoft and their Office 365 brand but came from multiple validated domains – an educational institution for example – not belonging to Microsoft. If the victim clicked the link, they were presented with a spoofed login for Office 365. Administrators often have privileges on other systems within an organisation, potentially allowing further compromises. https://twitter.com/InfosecEditor/status/1196393759249879040
Yesterday, an investigative report from the Financial Times revealed that some of the UK’s most popular health websites are sharing people’s sensitive data — including medical symptoms, diagnoses, drug names and menstrual and fertility information — with dozens of companies around the world, ranging from ad-targeting giants such as Google, Amazon, Facebook and Oracle, to lesser-known data-brokers and adtech firms like Scorecard and OpenX. Using open-source tools to analyse 100 health websites, which include WebMD, Healthline, Babycentre and Bupa, an FT investigation found that 79 per cent of the sites dropped “cookies” — little bits of code that, when embedded in your browser,…
