Criminals are attempting to trick Attack.Phishing consumers into handing over passwords and credit card details by taking advantage of the flood of emails being sent out Attack.Phishing ahead of new European privacy legislation . The European Union 's new General Data Protection Regulation ( GDPR ) come into force on 25 May and the policy is designed to give consumers more control over their online data . As a result , in the run-up to it , organisations are sending out Attack.Phishing messages to customers to gain their consent for remaining on their mailing lists . With so many of these messages being sent out Attack.Phishing , it was perhaps only a matter of time before opportunistic cybercriminals looked to take advantage of the deluge of messages about GDPR and privacy policies arriving in people 's inboxes . A GDPR-related phishing scam Attack.Phishing uncovered by researchers at cyber security firm Redscan is doing just this in an effort to steal data with emails claiming to be Attack.Phishing from Airbnb . The attackers appear to be Attack.Phishing targeting business email addresses , which suggests the messages are sent Attack.Phishing to emails scraped from the web . The phishing message addresses the user as an Airbnb host and claims Attack.Phishing they 're not able to accept new bookings or send Attack.Phishing messages to prospective guests until a new privacy policy is accepted . `` This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies , like Airbnb in order to protect European citizens and companies , '' the message says , and the recipient is urged Attack.Phishing to click a link to accept the new privacy policy . Those who click the link are asked to enter their personal information , including account credentials and payment card information . If the user enters these , they 're handing the data straight into the hands of criminals who can use it for theft , identity fraud , selling on the dark web and more . `` The irony wo n't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal Attack.Databreach people 's data , '' said Mark Nicholls , Director of Cyber Security at Redscan . `` Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action , whether that 's clicking a link or divulging personal data . It 's a textbook phishing campaign Attack.Phishing in terms of opportunistic timing and having a believable call to action '' . Airbnb is sending messages to users about GDPR , but the messages contain far more detail and do n't ask the users to enter any credentials , merely agree to the new Terms of Service . While the phishing messages might look legitimate at first glance , it 's worth noting they do n't use the right domain - the fake messages come from Attack.Phishing ' @ mail.airbnb.work ' as opposed to ' @ airbnb.com ' . Redscan has warned that attackers are likely to use GDPR as bait Attack.Phishing for other phishing scams Attack.Phishing , with messages claiming to be Attack.Phishing from other well-known companies . `` As we get closer to the GDPR implementation deadline , I think we can expect to see a lot a lot more of these types of phishing scams Attack.Phishing over the next few weeks , that 's for sure , '' said Nicholls , who warned attackers could attempt to use the ploy to deliver malware in future . `` In the case of the Airbnb scam email , hackers were attempting to harvest Attack.Databreach credentials . Attack vectors do vary however and it 's possible that other attacks may attempt to infect hosts with keyloggers or ransomware , for example . '' he said . Airbnb said those behind the attacks have n't accessed Attack.Databreach user details in order to send Attack.Phishing emails and that users who receive Attack.Phishing a suspicious message claiming to be Attack.Phishing from Airbnb should send it to their safety team . `` These emails are a brazen attempt at using our trusted brand to try and steal Attack.Databreach user 's details , and have nothing to do with Airbnb . We 'd encourage anyone who has received Attack.Phishing a suspicious looking email to report it to our Trust and Safety team on report.phishing @ airbnb.com , who will fully investigate , '' an Airbnb spokesperson told ZDNet . Airbnb also provided information on how to spot a fake email to help users to determine if a message is genuine or not .

Apple is reportedly aware Vulnerability-related.DiscoverVulnerability of and is in the middle of fixing Vulnerability-related.PatchVulnerability a pair of vulnerabilities that exist in iTunes and the App Store . If exploited Vulnerability-related.DiscoverVulnerability , researchers claim Vulnerability-related.DiscoverVulnerability an attacker could inject malicious script into the application side of the vulnerable module or function . Vulnerability Lab ’ s Benjamin Kunz Mejri disclosed Vulnerability-related.DiscoverVulnerability the vulnerabilities on Monday , explaining Vulnerability-related.DiscoverVulnerability the issues can be jointly exploited Vulnerability-related.DiscoverVulnerability via iTunes and the App Store ’ s iOS “ Notify ” function . Apple implemented the function in September , in the weeks leading up to the release of the game Super Mario Run . The function takes information from the device , such iCloud credentials or devicename values , to alert users when a soon-to-launch application debuts . Mejri , the firm ’ s founder , claims Vulnerability-related.DiscoverVulnerability the Notify functionality can be exploited Vulnerability-related.DiscoverVulnerability via a persistent input validation vulnerability and mail encoding web vulnerability . An attacker could substitute the name variable–the vulnerable firstname parameter–with a script launching a payload . Mejri said the issue stems from how Apple sends notifications from its @ new-itunes.com web server ; which doesn ’ t properly validate the iCloud name or devicename parameter . Instead of displaying introductory text , it can be rigged to execute malicious payloads . “ The vulnerability can be exploited Vulnerability-related.DiscoverVulnerability on restricted accessible iOS devices to the main account holder inbox , ” Mejri wrote in his disclosure Vulnerability-related.DiscoverVulnerability Monday , “ The issue could be used as well to continue to calendar spam activities ” . Mejri told Vulnerability-related.DiscoverVulnerability Threatpost Tuesday that while the issue isn ’ t highly exploitable , it “ definitely has a nice impact ” . Exploiting the persistent input validation flaw would be easier , because it only requires an Apple account and “ low or medium user interaction , ” according to the researcher . Ultimately , if stitched together , he warns Vulnerability-related.DiscoverVulnerability , the bugs could result in session hijacking , persistent phishing attacks , and persistent redirect to external sources . Mejri said Vulnerability-related.DiscoverVulnerability he contacted Vulnerability-related.DiscoverVulnerability Apple ’ s Product Security Team about the issues on Dec. 15 and acknowledged Vulnerability-related.DiscoverVulnerability that the vulnerability should be able to be resolved on the server-side without performing any required end-user interaction or updates . He said a temporary patch has been implemented Vulnerability-related.PatchVulnerability and believes a full fix is expected Vulnerability-related.PatchVulnerability later this month . It ’ s unclear exactly when this month Apple will push that fix Vulnerability-related.PatchVulnerability , however ; it last updated iTunes in December , fixing Vulnerability-related.PatchVulnerability 23 WebKit vulnerabilities in the software . Apple did not return multiple requests for comment regarding Vulnerability-related.DiscoverVulnerability the vulnerabilities on Monday and Tuesday . A month after first communicating the issues to Apple , Vulnerability Lab elected to publish a proof of concept around the issues to see if they had any legs . “ We decided to release the information until somebody uses the issue to exploit via iTunes , ” Kunz Mejri told Threatpost Tuesday . The vulnerability is similar to one disclosed Vulnerability-related.DiscoverVulnerability by Vulnerability Lab and patched Vulnerability-related.PatchVulnerability by Apple in iTunes and the App Store a year and a half ago . Before it was fixed Vulnerability-related.PatchVulnerability , like this week ’ s issue , an attacker could have remotely injected script into invoices , something that could have lead to hijacking , phishing , and redirect .

A hacker that goes by the nickname of Cipher0007 has hacked the Sanctuary Dark Web marketplace . The hacker announced the breach a few hours ago and also posted proof of his intrusion . According to Cipher0007 , the hack took place after he found Vulnerability-related.DiscoverVulnerability an SQL injection flaw in the market 's database . The hacker claims Vulnerability-related.DiscoverVulnerability he used the SQL injection flaw to upload a shell on the market 's server . He then used this backdoor to access Attack.Databreach various parts of the backend and dumped Attack.Databreach the private key used to generate the market 's .onion URL . Cipher0007 also says he used the market 's phpMyAdmin installation to dump Attack.Databreach details on the database configuration and other login information . At the time of writing , the market 's phpMyAdmin login page was still exposed to external connections . To prove his claims , the hacker posted online a screengrab while uploading the shell to the Sanctuary market 's server , the market 's 1024 bit RSA private key , and the market 's root account database login information . The Sanctuary market is a small Dark Web market , and one of the few places where digital products such as data dumps , malware , and others , are far more prevalent than drugs and weapons . The admin of the Sanctuary market did not respond to a request for comment from Bleeping Computer in time for this article 's publication . Cipher0007 has a reputation in the hacking underground already . In January , the hacker collected an unspecified Bitcoin reward for reporting Vulnerability-related.DiscoverVulnerability a bug to the AlphaBay staff that would have allowed an attacker access to over 218,000 private messages . AlphaBay is today 's biggest Dark Web market , and access to those PMs would have allowed an attacker insight into the operations of many sellers and vendors .

Facebook is dismissing Vulnerability-related.DiscoverVulnerability claims Vulnerability-related.DiscoverVulnerability by a researcher who says Vulnerability-related.DiscoverVulnerability multimedia content such as audio-based messages sent via its Facebook Messenger service can be intercepted by a third-party under certain conditions . On Tuesday , Mohamed Baset , a security analyst at ecommerce firm Linio México , published Vulnerability-related.DiscoverVulnerability a proof-of-concept video demonstrating what he calls Vulnerability-related.DiscoverVulnerability a Facebook flaw that allows an attacker to access audio or video files from Facebook servers and play them back . Facebook is dismissing Vulnerability-related.DiscoverVulnerability Baset ’ s claims Vulnerability-related.DiscoverVulnerability , telling Threatpost , “ We appreciate researcher reports , but this is not a flaw and does not impact the normal functioning of voice clips on Messenger ” . Baset concedes that the alleged threat he illustrates represents a “ narrow attack surface ” and is “ not really that dangerous for most users ” .

Facebook is dismissing Vulnerability-related.DiscoverVulnerability claims Vulnerability-related.DiscoverVulnerability by a researcher who says Vulnerability-related.DiscoverVulnerability multimedia content such as audio-based messages sent via its Facebook Messenger service can be intercepted by a third-party under certain conditions . On Tuesday , Mohamed Baset , a security analyst at ecommerce firm Linio México , published Vulnerability-related.DiscoverVulnerability a proof-of-concept video demonstrating what he calls Vulnerability-related.DiscoverVulnerability a Facebook flaw that allows an attacker to access audio or video files from Facebook servers and play them back . Facebook is dismissing Vulnerability-related.DiscoverVulnerability Baset ’ s claims Vulnerability-related.DiscoverVulnerability , telling Threatpost , “ We appreciate researcher reports , but this is not a flaw and does not impact the normal functioning of voice clips on Messenger ” . Baset concedes that the alleged threat he illustrates represents a “ narrow attack surface ” and is “ not really that dangerous for most users ” .

A case involving software vulnerabilities in medical electronics reveals Vulnerability-related.DiscoverVulnerability the inability for both the health care sector and federal regulators to swiftly address cybersecurity problems . This past fall , an investment firm rattled the health care industry with unsubstantiated claims Vulnerability-related.DiscoverVulnerability of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators . But it took federal authorities who regulate medical devices four months to acknowledge Vulnerability-related.DiscoverVulnerability only one of the alleged defects , and for the company , St. Jude Medical , to patch Vulnerability-related.PatchVulnerability it . The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act , and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet . `` Software is never perfect and all systems still will have these flaws , '' says Joshua Corman , director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security . `` The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws . '' In this particular case , legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response . A cybersecurity firm called MedSec initially discovered Vulnerability-related.DiscoverVulnerability the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters , which publicized Vulnerability-related.DiscoverVulnerability the flaws and advised clients to bet against the health care firm 's stock . As a result , St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters , denying many of the alleged glitches in its pacemaker and implantable defibrillator systems . `` In theory , most disclosures now should take about 60 days to get to some clarity or resolution , '' said Corman . `` In part , because of the contentious nature and the lawyers involved in this particular one , it took about five months . '' Last week , the Food and Drug Administration along with the Department of Homeland Security confirmed Vulnerability-related.DiscoverVulnerability at least some of MedSec's findings and reported Vulnerability-related.DiscoverVulnerability a flaw in the St. Jude @ Merlin transmitter , an at-home computer that sends data from cardiac implants to the patient 's medical team . The flaw could have allowed malicious hackers to remotely exhaust an implant 's battery power or potentially harm the patient . St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters ' claims Vulnerability-related.DiscoverVulnerability in August , the device manufacturer `` carefully reviewed the claims Vulnerability-related.DiscoverVulnerability in these reports along with our existing plans for our cyber ecosystem , '' evaluated them with FDA , DHS , and outside security researchers , and then identified the improvements announced on Jan. 9 and noted further enhancements `` we will be making in the coming months . '' But Muddy Waters said the problems may take as long as two years to fix . Carson Block , the firm 's founder , said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves . The firm said in a statement , `` these issues have just been given Vulnerability-related.PatchVulnerability a quick fix by St. Jude with the government 's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity . '' It 's important to note that all the players in this medical legal drama , as well as the Veterans Affairs Department , which buys St. Jude devices , say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported late August . In fact , the VA in recent months has continued paying for operations involving St. Jude devices , according to contract documents . Ever since the US government and St. Jude confirmed Vulnerability-related.DiscoverVulnerability the one flaw , the VA has been `` taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor , ” said Merritt Raitt , acting director of the VA National Cardiac Device Surveillance Program . The controversy could have been partly avoided , perhaps , if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities . A week before federal regulators publicized the one St. Jude glitch on Jan. 9 , they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action . On Jan. 4 , DHS circulated the final Food and Drug Administration ( FDA ) cybersecurity guidelines for monitoring networked medical devices on the market that threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch Vulnerability-related.PatchVulnerability vulnerabilities within 60 days . Corman recommends that providers , including VA , heed all the literature that 's been published on the St. Jude glitches , including a DHS technical advisory , FDA security communication , MedSec report , and guidance written by Bishop Fox , a cybersecurity consultancy Muddy Waters hired in response to the lawsuit . `` Just understand that the FDA and DHS do need to get the ground truth , that security researcher claims do need to be validated through the normal regulatory process , '' he says .

Hundreds of thousands–potentially more than one million–Netgear routers are susceptible Vulnerability-related.DiscoverVulnerability to a pair of vulnerabilities that can lead to password disclosure . Researchers said Vulnerability-related.DiscoverVulnerability that while anyone who has physical access to a router can exploit Vulnerability-related.DiscoverVulnerability the vulnerabilities locally , the real threat is that the flaw can also be exploited Vulnerability-related.DiscoverVulnerability remotely . According to Simon Kenin , a security researcher with Trustwave ’ s Spiderlabs team , who discovered Vulnerability-related.DiscoverVulnerability the flaw and disclosed Vulnerability-related.DiscoverVulnerability it Monday , the vulnerabilities can be remotely exploited Vulnerability-related.DiscoverVulnerability if the router ’ s remote management option is enabled . While Netgear claims remote management is turned off on routers by default , Kenin said there are “ hundreds of thousands , if not over a million ” devices left remotely accessible . Kenin claims that all he had to do was send a simple request to the router ’ s web management server to retrieve a router ’ s password . After determining a number that corresponds to a password recovery token , he found he could pair it with a call to the router ’ s passwordrecovered.cgi script . Kenin claims Vulnerability-related.DiscoverVulnerability he made his discovery by leveraging two exploits disclosed Vulnerability-related.DiscoverVulnerability in 2014 on some Netgear routers he had hanging around . It wasn ’ t until after Kenin pieced together a python script designed to diagnose the scope of the issue that he determined he could still retrieve the router ’ s credentials even if he didn ’ t send the correct password recovery token . “ After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , ” Kenin wrote Monday . Kenin ’ s employer , Trustwave , divulged Vulnerability-related.DiscoverVulnerability details around both vulnerabilities in a lengthy blog post Monday , putting the wraps on a nearly year-long odyssey with the vendor . The firm first disclosed Vulnerability-related.DiscoverVulnerability the vulnerability to Netgear in April 2016 , initially it listing 18 vulnerable models , before listing 25 vulnerable models in a subsequent advisory . After repeated requests for an update on a fix for the vulnerability , Netgear finally obliged in July and provided Vulnerability-related.PatchVulnerability firmware updates for a fraction of the affected routers . It wasn ’ t until this weekend that Netgear acknowledged Vulnerability-related.DiscoverVulnerability the issues again , posting Vulnerability-related.PatchVulnerability an updated version of the article on its support page , instructing users to find and download the appropriate firmware fixes . The most recent version of the advisory claims there are 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability . The company is encouraging users of some devices in which firmware is not available to implement a workaround . According to Netgear , users of 12 different models would be best served to manually enable password recovery and disable remote management on their devices . “ The potential for password exposure remains if you do not complete both steps . NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification , ” the company writes . It ’ s the first critical vulnerability to affect Vulnerability-related.DiscoverVulnerability Netgear routers this year but the second in the last two months . In December , it was discovered Vulnerability-related.DiscoverVulnerability that a handful of the company ’ s Nighthawk line of routers were vulnerable Vulnerability-related.DiscoverVulnerability to a flaw that could have given an attacker root access on the device and allowed them to run remote code . The company was quick to release Vulnerability-related.PatchVulnerability beta firmware updates to address Vulnerability-related.PatchVulnerability the vulnerability but simultaneously confirmed Vulnerability-related.DiscoverVulnerability that more routers than originally reported were vulnerable Vulnerability-related.DiscoverVulnerability . When reached Wednesday , a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out . Trustwave discloses Vulnerability-related.DiscoverVulnerability an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed .

A miscreant using the handle @ cyberzeist claims Vulnerability-related.DiscoverVulnerability to have infiltrated Plone CMS used by FBI.gov , using a zero day flaw allegedly for sale on an unnamed dark web site . The Register has contacted the FBI to confirm the allegations . The agency was not immediately available for comment – although a staffer said they were aware of the alleged break-in . Cyberzeist claims to have conducted the hack last month and has posted to Twitter what they claim are screen captures showing the FBI patching Vulnerability-related.PatchVulnerability against the vulnerability , which appeared to permit public access . The hacker dumped Attack.Databreach the 155 purported stolen credentials to online clipboard pastebin , claiming Vulnerability-related.DiscoverVulnerability a vulnerability resides in Vulnerability-related.DiscoverVulnerability a Plone Python module . Cyberzeist also claimed the FBI contacted the hacker requesting a copy of the stolen credentials , which they declined to provide . The hacker reckoned the CMS was hosted on a virtual machine running a custom FreeBSD . They said they will tweet the zero day flaw once it is no longer for sale .