, the general concept is that cyber criminals will only send a link to trick users into logging in with their social media or email credentials. But since that is an old-school trick, malicious threat actors are now aiming at much more than your Facebook or Gmail password. Recently, we discovered a sophisticated phishing campaign targeting Apple users. The aim of this attack is to steal the victim's Apple ID, credit card data, a government-issued ID card and/or passport. That's not all: the scam also asks users to give it access to their device webcam so it can take a snapshot of them "for verification purposes". It all starts with users receiving an email in which the sender poses as an official from Apple Inc. The email alerts the user that their iCloud account is on hold because of unusual sign-in activity from an unknown browser, and that if they did not log in from the device mentioned in the email they need to click a link to change their password. Those who understand how phishing scams work will know to ignore it, but unsuspecting users may fall for it and be tricked into clicking the link and giving away their personal and financial information. Upon clicking the link, users are taken to a phishing page that looks exactly like the official Apple ID login page. They are then asked to enter their Apple ID and its password to proceed. Once "logged in", they are taken to another page which asks for their credit card details, including cardholder name, card number, expiration date, CVV code and 3D Secure password. After giving this information, users are asked to click the "Next" tab. Remember: by now the scammers already have your Apple ID login credentials and your credit card information.
Because criminals will remain criminals, the more you feed them the more they will ask for. Once the "Next" tab is clicked, users are invited to enter their personal information, including full name, date of birth, country, state, city, address, ZIP code and phone number. This data is collected for further scams such as identity theft and social engineering fraud. Once the personal information has been handed over, the page asks users to click the "Finish" tab, but they aren't done yet. Upon clicking "Finish", users are taken to another page asking them to upload their passport, a government-issued identity card or their driver's license, both sides. Users can click "Skip" to avoid uploading their government-issued documents, but then they need to allow the website to access their device's camera and microphone so it can take a snapshot of them. They can click the "Skip" tab again, and the page redirects them to the official Apple ID website. The good news is that Google Chrome has already detected the scam and marked the phishing domain as "Deceptive". The bad news is that Firefox, Opera and Safari did not show any warning to their users, so if you use one of these browsers, be vigilant.
A zero-day vulnerability exists in WordPress Core that in some instances could allow an attacker to reset a user's password and gain access to their account. Researcher Dawid Golunski of Legal Hackers disclosed the vulnerability on Wednesday via his new ExploitBox service. All versions of WordPress, including the latest, 4.7.4, are vulnerable, the researcher said. The vulnerability (CVE-2017-8295) exists because WordPress, by default, uses what Golunski calls untrusted data when it creates a password reset email. In a proof-of-concept write-up, Golunski points out that WordPress uses the SERVER_NAME variable to obtain the hostname from which it builds the From/Return-Path header of the password reset email. Since that variable, by its nature, can be customized, an attacker could insert a domain of his choosing so that the outgoing email is sent to a malicious address, the researcher says. The attacker would then receive the reset email, change the account password and take over the account. "Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers," Golunski wrote. "This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction." Golunski writes that there are three scenarios in which a user could be tricked, and only one of them relies on user interaction. In the first, an attacker could perform a denial of service attack on the victim's email account to prevent the password reset email from reaching it; the email would instead bounce back to the malicious sender address, which points at the attacker.
Second, Golunski says some auto-responders attach a copy of the received email to the body of the auto-replied message. Third, by sending multiple password reset emails, he says, the attacker could prompt the victim to reply asking for an explanation, and that reply, with the original message quoted below it, could contain the malicious password reset link. Golunski said he reported the issue to WordPress's security team multiple times, initially more than 10 months ago in July 2016. The researcher told Threatpost that WordPress never outright rejected his claim (he says WordPress told him it was working on the issue) but acknowledged that too much time had passed without a clear resolution, which prompted him to release details of the bug on Wednesday. Campbell said that it's possible WordPress will patch the issue, even if just for poorly configured servers, but acknowledged he didn't have a timetable for the fix. Concerned WordPress users should follow a public ticket that was started for the issue last July, Campbell added. While there's no official fix available yet, Golunski says users can enable the UseCanonicalName setting on Apache to enforce a static SERVER_NAME value and ensure it doesn't get modified. Golunski has had his hands full finding vulnerabilities related to PHP-based email platforms. He discovered a remote code execution bug in SquirrelMail in January, which was disclosed and quickly patched last month, and similar RCE bugs in PHPMailer and SwiftMailer, libraries used to send emails via PHP, at the end of 2016.
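To make the mechanism and the mitigation concrete, here is an added example (not code from the article, from Golunski's write-up or from WordPress itself): a sender address derived from SERVER_NAME, as the article describes, beside one pinned to a configured canonical hostname. CANONICAL_HOST, the two function names and the sample request are assumptions made for the example.

```php
<?php
// Added example, not code from the article or from WordPress. It contrasts
// a sender domain taken from SERVER_NAME with one pinned to a hostname
// the operator controls.

// Vulnerable pattern: on a web server without a static canonical name,
// SERVER_NAME is filled from the client's Host header, so whatever the
// client sends ends up in the From/Return-Path headers of the reset email.
function sender_from_server_name(array $server): string
{
    $sitename = strtolower($server['SERVER_NAME'] ?? 'localhost');
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// Hardened pattern: the domain comes from a fixed configuration value.
// CANONICAL_HOST is a placeholder; set it to the site's real hostname.
const CANONICAL_HOST = 'example.com';

function sender_from_canonical_host(array $server): string
{
    // The request hostname is only compared, never used; a mismatch is
    // logged because it points to Host-header tampering or a misconfig.
    $seen = strtolower($server['SERVER_NAME'] ?? '');
    if ($seen !== CANONICAL_HOST && $seen !== 'www.' . CANONICAL_HOST) {
        error_log("SERVER_NAME '$seen' does not match " . CANONICAL_HOST);
    }
    return 'wordpress@' . CANONICAL_HOST;
}

// Constructed request: a forged Host header has been copied into
// SERVER_NAME by a server that does not enforce its canonical name.
$poisoned = ['SERVER_NAME' => 'attacker.invalid'];

echo "vulnerable: " . sender_from_server_name($poisoned) . "\n";
echo "hardened:   " . sender_from_canonical_host($poisoned) . "\n";

// In a real install the same pinning is done through the standard
// wp_mail_from filter, e.g. from a must-use plugin:
//   add_filter('wp_mail_from', function () { return 'wordpress@' . CANONICAL_HOST; });
// and, as the article notes, by giving Apache a static hostname:
//   ServerName example.com
//   UseCanonicalName On
```

The logged mismatch is also a useful detection signal: a burst of SERVER_NAME mismatches around password reset requests is what this attack looks like on the server side.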