Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure.

CVE-2021-28861: gh-87389: Fix an open redirection vulnerability in http.server. by gpshead · Pull Request #93879 · python/cpython

Categories: News
Categories: Social engineering
Scammers subject their victims to a whirlwind of emotions so they can achieve their end goal: money.



(Read more...)




The post Criminals socially engineer their way to bank details with fake arrest warrants appeared first on Malwarebytes Labs.

When an organization experiences a massive data breach, it knows (at least) that it needs to inform the federal government about the cybersecurity incident, get law enforcement involved, and then inform its clients and affiliates. Seems simple enough, but this process, which countries from the West have been abiding by, is the result of countless breaches in the past, followed by a myriad of digital crimes that took advantage of those leaked and stolen data.

Unfortunately, not all governments in the world are in the same boat when handling incidents of compromised data—something every country has been familiar with, along with its associated victims. And while some governments continue to deny the real-life impacts of such online incidents and lawmakers are still figuring out what to do, consumers are left to fend for themselves with no real help in sight from law enforcement.

Such was the case of @TheVenusDarling, a Twitter user in Malaysia. She was targeted by online scammers who used her personal details gleaned from an April 2022 data leak that affected 22.5 million people.

Note that Venus's case is just one of many. After she shared her experiences on Twitter, some came forward to tell a similar tale that, more than losing money, left them feeling traumatized for a long time. Without Venus's quick thinking and help from a cybersecurity pro, she would've been left in a far more difficult situation.

**Scammers put victims in a swirl of "too much"**

It began with a phone call.

The caller, a female who was purportedly working for the Inland Revenue Board of Malaysia (IRBM), an agency responsible for collecting taxes, said that "Venus" owed at least RM50,000 ($11,000) in arrears for a business created under her name.

"The caller seemed authoritative and convincing and even supplied a reference number," said Munira Mustaffa, the expert who helped Venus in her case. It didn't stop here. In further attempts to sell the legitimacy of the call and the integrity of the person on the other end of the line, the caller connected Venus to a "police inspector" (PI), who then instructed her to hang up and Google the number of the local police headquarters. She then received a call from a number matching the number she had just searched.

Mustaffa, who founded the Chasseur Group and serves as its executive director and principal analyst, is known in counter-terrorism and organized crime circles. In her post, she broke down the scam into four phases, reflecting the scammers' intent in each stage: Dismay, Isolate, Overwhelm, and Intimidate.

The so-called PI proceeded to inform Venus that there was an arrest warrant for her because her ATM card was linked to money laundering and fraud activities **\[Dismay\]**. He then passed the call to a "high-ranking officer" (HRO), who instructed her to move to a quieter place to ensure the call's privacy **\[Isolate\]**. The HRO then sent Venus a copy of the purported arrest warrant, containing her legitimate details, via WhatsApp **\[Overwhelm\]**. He also told her to download and install an APK file he sent via the messaging app to aid them in their investigation.

The fake arrest warrant the supposed "high-ranking officer" sent to the victim. It contains the official emblem of the country's law enforcement body and contains legitimate details of the victim gleaned from the April 2022 leak. (Source: Chasseur Group)

Venus did what she was instructed, including filling out the form in the app. When she was about to enter her bank account PIN, she remembered she wasn't supposed to share it with anyone. She then realized she was about to be scammed. Sensing her hesitation, the HRO began shouting to further freak her out into giving up the PIN **\[Intimidate\]**.

She then ended the call, uninstalled the app, and sought Mustaffa's help.

"Unfortunately, in this instance, uninstalling the app is not sufficient," Mustaffa said. "Even with the application deleted, we had to assume that the device remained infected with malware. Hitting reset would have been the recommended option; however, that would result in data loss—an outcome not many are willing to go for."

**Scammers know what people don't**

If this scam is not spotlighted and people are not educated, many more will continue to fall for this campaign. Scammers find success in what they do because not only do they have the tools to take advantage of anything ill that happens to people—they know what people know and what they don't.

In this case, they know that citizens are largely unaware of government processes. And while the IRBM and law enforcement have social media presence and do inform their followers of scams, it's not enough.

"\[T\]he general populace must be properly informed about the government's procedures and standards," Mustaffa said. "And in order to do this, it is vital to enhance the accessibility, clarity, and transparency of information that is already widely available."

Getting familiar with the scam is also a big way to prevent it.

A scam is a scam, regardless of origin. If it proves lucrative, many will copy it. It's only time before online criminals adopt this tactic and begin their social engineering campaign against unwary citizens.

Criminals socially engineer their way to bank details with fake arrest warrants

HD Moore's company has rebranded its IT, IoT, and OT asset discovery tool as the platform rapidly evolves.

HD Moore's company has rebranded its IT, IoT, and OT asset discovery tool as the platform rapidly evolves.

Source: HD Moore

Renowned security industry pioneer HD Moore — creator of the wildly popular Metasploit hacking toolkit — has renamed his startup Rumble to runZero in a nod to how its platform has evolved since its inception in 2019.

Moore initially built the IT asset discovery tool Rumble Network Discovery after years of witnessing firsthand as a penetration tester that organizations can't properly find, track, and manage IT devices on their networks, nor the security posture of those devices. He pioneered major research scanning for and discovering all types of exposed devices on the public Internet, ultimately developing the Rumble IT asset discovery tool that finds and fingerprints devices and their status on the network.

According to a blog post on the rebranding, the new name better reflects how the platform has evolved. Moore, the chairman and founding CTO of the startup, originally named the platform (and company) "Rumble" to mean "discover," but now that the platform can do more than find assets, he decided to rename it.

"Rumble was the perfect name for us at the time, but we've outgrown it. Each new integration we've added has extended Rumble's capabilities beyond discovery, by enriching asset data and uncovering coverage gaps in other IT and security tools," the company said in a blog post.

Moore's company received $5 million in venture capital in 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Metasploit Creator Renames His Startup and IT Discovery Tool Rumble to 'runZero'

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.This vulnerability arrises from the "msg" parameter which is inserted into the document with insufficient sanitization.

Permalink

**0** contributors

**Users who have contributed to this file**

\-- ### Credit

\-- 2022-Jul-07

\--

\-- Discovered by Claudio Bozzato of Cisco Talos.

\--

\-- TALOS-2022-1534

\--

\-- Now the userUpdate.json.php requires a request from the same domain as the AVideo site

\-- in addition all save and delete database calls require the same by default (a whitelist can be built hardcoding it in the objects/Object.php file)

\--

\-- TALOS-2022-1535

\--

\-- Session ID will only change if you are not logged in

\-- In case the session ID changes we will regenerate it with a new name avoiding reusing it

\--

\-- TALOS-2022-1536

\--

\-- plugin/Live/view/Live\_schedule/add.json.php and objects/playlistAddNew.json.php will deny updating if the users\_id is not = as the original record when it is editing

\--

\-- TALOS-2022-1537

\--

\-- Add a sanitize rule on the security file

\--

\--

\-- TALOS-2022-1539

\--

\-- Add a sanitize rule on the view/img/image403.php file itself

\--

\-- TALOS-2022-1540

\--

\-- Video title and the filename will always be sanitized on the setTitle method (sometimes more than once)

\--

\--

\-- TALOS-2022-1542

\--

\-- httponly set to true

\-- we are now using the passhash instead of the database pass in all site

\-- the passhash is totally different than the original DB password, it is an encrypted JSON and has an expiration time, and also will be automatically rejected if the original password is updated

\-- the login with the pass hash (database password field) directly will be disabled soon, for now, it is only enabled to buy some time to update the other third parties apps

\--

\-- TALOS-2022-1545

\--

\-- Fixed on TALOS-2022-1542

\--

\-- TALOS-2022-1546

\--

\-- Filename is now sanitized with escapeshellarg(safeString($filename,true));

\--

\-- TALOS-2022-1538

\--

\-- all 4 parameters are sanitized now

\-- also if the request does not come from the same site, the showAlertMessage() function will not be executed

\--

\-- TALOS-2022-1547

\--

\-- Now every time the admin login we will check if the new videos/.htaccess is there, and create it if it is not

\-- <IfModule !authz\_core\_module>

\-- Order Allow,Deny

\-- Deny from all

\-- </IfModule>

\-- <IfModule authz\_core\_module>

\-- Require all denied

\-- </IfModule>

\-- <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ts|txt|mp4|mp3|m3u8|webp|key|css|tff|woff|woff2)$">

\-- <IfModule !authz\_core\_module>

\-- Order Allow,Deny

\-- Allow from all

\-- </IfModule>

\-- <IfModule authz\_core\_module>

\-- Require all granted

\-- </IfModule>

\-- </filesMatch>

\--

\-- this will only allow access to only some specific file types inside the videos folder

\--

\-- TALOS-2022-1548

\--

\-- we now verify if is a valid URL properly, also we are using the escapeshellarg for URL and destination filename

\--

\-- TALOS-2022-1549

\--

\-- We now only download the downloadURL\_image if it is a valid URL NOT local files anymore

\--

\-- TALOS-2022-1551

\--

\-- All our classes were updated using the prepared statement to avoid SQL injection

\-- also \`videoDownloadedLink\` and \`duration\` are now sanitized

\-- if you are editing anything we now "forbidIfItIsNotMyUsersId"

\-- key and URL are now sanitized Clone plugin

\--

\-- TALOS-2022-1550

\--

\-- the url\_get\_contents now only download files from valid URLs or files from inside the cache folder

UPDATE configurations SET version \= '12.0', modified \= now() WHERE id \= 1;

CVE-2022-32772: AVideo/updateDb.v12.0.sql at e04b1cd7062e16564157a82bae389eedd39fa088 · WWBN/AVideo

A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.

'1980648?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3639: Invalid Bug ID

A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

'1967738?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3586: Invalid Bug ID

The Simple Banner WordPress plugin before 2.12.0 does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0446

The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

CVE-2022-2172: Diff [2750802:2754739] for linkworth-wp-plugin – WordPress Plugin Repository

The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks

CVE-2022-2593

The Auto-hyperlink URLs WordPress plugin through 5.4.1 does not set rel="noopener noreferer" on generated links, which can lead to Tab Nabbing by giving the target site access to the source tab through the window.opener DOM object.

Tag

#perl