View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 19, 2015

5 major cyber security vulnerabilities from the last few days

List: More serious cyber security flaws are exposed.

By Charlotte Henry

In the last few days, a series of quite major vulnerailtities have been discovered across a variety of apps and websites.

Here is everything you need to know.

Casino Malvertising

This attack was pumped out via 10 different ad domains that were mostly on websites offering pirated movies. Without being clicked, the ads would send users to a casino website, which ultimately led to the Angler exploit kit. The Neutrino exploit kit was also being pushed.

The attack has been going on for at least 3 weeks, exposing a large number of people to malware such as the Cryptowall Ransomware and the Bunitu Trojan.

Malwarebytes’ Jerome Segura "one of the largest malvertising campaigns in recent months".

Blackhole resurfaces

The infamous Blackhole malware returned this week, again discovered and documented by Malwarebytes. The attacks were evening reusing the PDF and Java exploits used before. This is despite the fact that the hack behind the code, Paunch, was arrested in 2013.

The fact that the exploits are a bit old does not stop some computers being vulnerable, and it is thought that the old code, which is public is being updated.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

crossdomain.xml open domain traffic

Another vulnerability making an unwelcome reappearance is tone that allows for open domain traffic on the publicly available crossdomain.xml file.

The vulnerability exposes 6% of some of the most popular websites in the UK, including financial services and health care firms, to having sensitive data acquired from them via an SWF file and phishing attacks.

This vulnerability was discovered by Xiphos research, whose co-founder Mike Kemps says it is well documented and relatively easy to exploit.

WITCHCOVEN

This hack deploys a highly persistent tracking cookie on a victim’s computer, with the profiling script modifying underlying HTML on the homepage and subpages of specifically chosen legitimate websites.

The hack collects data on the victim’s computer and browser configuration, It is believed the target of the attacks is government officials and business executives in the US and the UK, probably in preparation for targeted malware attacks in the future.

InstaAgent Password harvesting

The popular InstaAgent app, which tells users who has been looking at the Instagram profile, was pulled last after a Twitter user revealed that username and passwords were being sent to an unknown servers. That data was being used to spam Instagram accounts.

Instagram said apps like this were against its terms of service, and recommended users delete it and reset their password.

 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU