Security daily (09-08-2021)

Fintech company Plaid, consumers reach $58M settlement agreement in privacy suit

Financial tech company Plaid has reached a $58 million settlement agreement in a lawsuit where customers alleged that the company obtained and used their banking information without permission. Plaid’s service connects customer banking accounts to financial apps like Venmo and Robinhood. The plaintiffs claimed that Plaid misled them and violated their privacy by obtaining data from their financial accounts without consent, getting their bank login information through a deceptive interface meant to look like customers’ own bank login screens and selling their transaction histories. Under the settlement agreement, still subject to court approval, Plaid must also delete some data from its systems, minimize the data it stores, improve disclosures of how it uses data and maintain disclosures and websites about its security practices. “We do not, nor have we ever, sold data,” a Plaid spokesperson said. “We make our role and practices clear, and provide services that give consumers control […] The post Fintech company Plaid, consumers reach $58M settlement agreement in privacy suit appeared first on CyberScoop. (CyberScoop)

Two members of QQAAZZ, which laundered funds from cybercrime, plead guilty

Two individuals involved with laundering funds from U.S. victims of cybercrime pleaded guilty to their role in a transnational organization that relied in part on hacking to defraud victims out of millions of dollars, the Justice Department announced Friday. The defendants, Arturs Zaharevics and Aleksejs Trofimovics, are just two of 20 indiviuals charged by the U.S. government with involvement with QQAAZZ, a European-based crime group that provided cash and cryptocurrency laundering for cybercriminals. U.S. and European authorities launched a major crackdown on the group last fall, resulting in indictments against 14 members of the criminal organization. QQAAZZ  allegedly laundered or attempted to launder tens of millions of dollars’ worth of funds stolen from cybercrime victims across 16 countries. Trofimovics opened thirteen corporate bank accounts in Portugal under a shell company to help move money for cybercriminals. Zaharevics, who was extradited from the United Kingdom in April, also set up foreign […] The post Two members of QQAAZZ, which laundered funds from cybercrime, plead guilty appeared first on CyberScoop. (CyberScoop)

Researchers Find Root Access Vulnerabilities In Kindle E-Books

(News ≈ Packet Storm)

New Glowworm Attack Recovers Audio From Devices' Power LEDs

(News ≈ Packet Storm)

AWS And Google Cloud Shut Down Spying Vulnerability

(News ≈ Packet Storm)

A Critical Random Number Generator Flaw Affects Billions of IoT Devices

A critical vulnerability has been disclosed in hardware random number generators used in billions of Internet of Things (IoT) devices whereby it fails to properly generate random numbers, thus undermining their security and putting them at risk of attacks. "It turns out that these 'randomly' chosen numbers aren't always as random as you'd like when it comes to IoT devices," Bishop Fox (The Hacker News)

Users Can Be Just As Dangerous As Hackers

Among the problems stemming from our systemic failure with cybersecurity, which ranges from decades-old software-development practices to Chinese and Russian cyber-attacks, one problem gets far less attention than it should—the insider threat. But the reality is that most organizations should be at least as worried about user management as they are about Bond villain-type hackers launching (The Hacker News)

A Wide Range of Cyber Attacks Leveraging Prometheus TDS Malware Service

Multiple cybercriminal groups are leveraging a malware-as-a-service (MaaS) solution to carry out a wide range of malicious software distribution campaigns that result in the deployment of payloads such as Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish against individuals in Belgium as well as government agencies, companies, and corporations in the U.S. <!--adsense-->Dubbed " (The Hacker News)

‘Glowworm’ Attack Turns Power Light Flickers into Audio

Researchers have found an entirely new attack vector for eavesdropping on Zoom and other virtual meetings. (Threatpost)

Black Hat: Scaling Automated Disinformation for Misery and Profit

Researchers demonstrated the power deep neural networks enlisted to create a bot army with the firepower to shape public opinion and spark QAnon 2.0. (Threatpost)

Auth Bypass Bug Exploited, Affecting Millions of Routers

A mere three days after disclosure, cyberattackers are hijacking home routers from 20 vendors & ISPs to add them to a Mirai-variant botnet used for carrying out DDoS attacks. (Threatpost)

Android Malware ‘FlyTrap’ Hijacks Facebook Accounts

Coupon codes for Netlifx or Google AdWords? Voting for the best football team? Beware: Malicious apps offering such come-ons could inflict a new trojan. (Threatpost)


/security-daily/ 10-08-2021 23:44:23