Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account passwords, leaving dozens of users asking why.
In an email, some Spotify users were told their password had been reset “due to detected suspicious activity,” but the message gave no further details.
When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”
Criminals continue to target online stores at a rapid pace to steal payment details from unsuspecting customers. There are many ways to go about it, from hacking the shopping site itself to compromising its supply chain.
A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be handled securely. Since some stores will not process payments on their own site, one might think that even if they were compromised, attackers wouldn’t be able to steal customers’ credit card data.
But this isn’t always true. RiskIQ previously detailed how Magecart’s Group 4 was using an overlay technique that would search for the active payment form on the page and replace it with one prepped for skimming.
The one we are looking at today adds a bogus iframe that asks unsuspecting customers to enter their credit card information. The irony here is that the shopping site itself wouldn’t even ask for it, since visitors are normally redirected to the external PSP.
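The two techniques above share one observable: card-capture elements appear in a merchant page that, by design, never asks for card data itself. The following checkout-page auditor is an added example and not code from the article or from the researchers; it flags any iframe not loaded from an allow-listed PSP origin (the bogus-iframe variant) and any card-data input present in the merchant's own DOM (the overlay variant). The PSP origin `https://pay.psp.example`, the hostnames and the two sample pages are constructed for the demonstration.

```python
"""Audit a checkout page that is supposed to hand payment off to an external
PSP: anything that could capture card data inside the merchant's own DOM
(a skimmer iframe or an overlaid card form) is reported.

Added example, stdlib only. The PSP origin, the hostnames and the two sample
pages are constructed for the demonstration and are not from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins the merchant legitimately embeds or posts to (assumed for the example).
ALLOWED_PAYMENT_ORIGINS = {"https://pay.psp.example"}

# Heuristics for card-capture fields: HTML autocomplete tokens plus common field names.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}
CARD_FIELD_RE = re.compile(r"(?<![a-z])(card|cc[-_]?num|pan|cvv|cvc|expir|exp[-_]?(month|year|date))", re.I)


def origin_of(url: str) -> str:
    """scheme://host[:port] in lower case, or "" for relative or empty URLs."""
    p = urlparse(url.strip())
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


class CheckoutAuditor(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing the page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_origin = origin_of(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            # A PSP-redirect checkout has no reason to frame anything else. Frames with
            # no src (about:blank / srcdoc) are filled by injected JS, so they count too.
            src = a.get("src", "")
            if origin_of(src) not in ALLOWED_PAYMENT_ORIGINS:
                self.findings.append(("unexpected_iframe", src or "<no src>"))
        elif tag == "form":
            action = a.get("action", "")
            target = origin_of(action) or self.page_origin   # relative action = same origin
            if target != self.page_origin and target not in ALLOWED_PAYMENT_ORIGINS:
                self.findings.append(("form_to_unknown_origin", action))
        elif tag == "input":
            label = " ".join((a.get("name", ""), a.get("id", ""), a.get("placeholder", "")))
            if a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE or CARD_FIELD_RE.search(label):
                # The merchant never collects card data itself; such a field is an overlay.
                self.findings.append(("card_field_in_merchant_dom", a.get("name") or a.get("id", "")))


def audit_checkout(html: str, page_url: str) -> list:
    """Return the list of findings for one fetched checkout page."""
    auditor = CheckoutAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages: a clean PSP hand-off, and the same page with an
# injected third-party iframe and an overlaid card form.
CLEAN_PAGE = """
<form action="https://pay.psp.example/session/start" method="post">
  <input type="hidden" name="order_id" value="1001">
  <input type="hidden" name="amount" value="49.90">
  <button>Pay securely with our payment provider</button>
</form>
"""

SKIMMED_PAGE = CLEAN_PAGE + """
<iframe src="https://static.skimmer.example/checkout-step.html" style="border:0"></iframe>
<form id="ccform" action="/cart/confirm">
  <input name="cc_number" autocomplete="cc-number" placeholder="Card number">
  <input name="cvv" placeholder="CVV">
</form>
"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("skimmed", SKIMMED_PAGE)):
        print(label, audit_checkout(page, "https://shop.example/checkout"))
```

Run against the HTML your monitoring fetches for the live checkout page (the DOM after scripts run, since skimmers inject at runtime, so fetch it with a headless browser rather than plain HTTP). The field-name regex is a heuristic and will need tuning per shop; the iframe and form-origin checks are the stricter signal.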
Google is also tracking all purchases made by G Suite users, just as it does for users of the free Gmail service, although the Google Account Purchases page will not list them for review for the paid accounts.
As BleepingComputer reported over the weekend, Gmail users can see all their email receipts and confirmations from orders placed “using Google services, like Google Play Store, Google Express, or through the Google Assistant” or received from brick-and-mortar stores on the Google Account Purchases page, located at https://myaccount.google.com/purchases.
At the time the previous report was published, BleepingComputer thought that the purchase extraction process was not enabled for users of paid G Suite accounts after seeing that the Google Account Purchases page was empty for two G Suite accounts frequently used to make online purchases.
An industry group of the world’s biggest DNS service providers has agreed on a plan to improve the state of the DNS ecosystem by forcing configuration changes on the smaller server operators whose non-compliant servers are degrading the speed and performance of the entire internet.
According to this group, starting February 1, 2020, DNS servers that cannot handle DNS queries over both UDP and TCP may be pushed out of the DNS ecosystem and stop working.
The idea is to get DNS server operators to update their server software and configurations and ensure their servers can handle DNS queries received as either UDP or TCP packets. TCP support matters because a response that does not fit in a UDP datagram comes back truncated (TC bit set), and the resolver must retry the same question over TCP to get the full answer; a server that answers only over UDP leaves such names unresolvable.
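To see what "handles queries over both UDP and TCP" means on the wire, the following checker is an added example (not from the industry group or the article): it builds a query by hand, sends the same question over UDP and over TCP, and reports the header of each reply. The TCP path shows the one difference that trips up misconfigured servers and middleboxes, the 2-byte length prefix of RFC 7766. Server address, zone name and the sample response bytes are assumptions for the demonstration; only `check_server()` touches the network.

```python
"""Check that a DNS server answers over both UDP and TCP, the property the
flag day requires. Added example, stdlib only; the message builder and
parser are pure functions so they can be exercised offline, and only
check_server() touches the network.
"""
import socket
import struct
import sys

QTYPE_A, QTYPE_SOA, QCLASS_IN = 1, 6, 1


def build_query(name: str, qtype: int = QTYPE_SOA, txid: int = 0x1234) -> bytes:
    """12-byte header (RD set, one question) + QNAME labels + QTYPE + QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        qname += struct.pack("B", len(raw)) + raw
    return header + qname + b"\0" + struct.pack(">HH", qtype, QCLASS_IN)


def frame_tcp(msg: bytes) -> bytes:
    """RFC 7766 framing: every message on a TCP stream is prefixed by its 2-byte length."""
    return struct.pack(">H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> bytes:
    """Return the first complete message from a TCP stream; raise if it is short."""
    (length,) = struct.unpack_from(">H", stream, 0)
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated TCP DNS message")
    return body


def parse_header(msg: bytes) -> dict:
    """Decode the header fields a transport check cares about: QR, TC and RCODE."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an}


def udp_reply_is_complete(header: dict) -> bool:
    """A truncated (TC=1) UDP reply is only usable if the resolver can retry over
    TCP, which is exactly why servers that refuse TCP break resolution."""
    return header["qr"] and not header["tc"]


def check_server(server: str, name: str, qtype: int = QTYPE_SOA, timeout: float = 3.0) -> dict:
    """Send the same question over UDP and TCP to `server`:53 and report each outcome.
    Requires network access; the UDP path as written is IPv4 only."""
    query = build_query(name, qtype)
    results = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
            results["udp"] = parse_header(data)
    except (OSError, struct.error) as exc:
        results["udp"] = {"error": str(exc)}
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(query))
            buf = b""
            # Read until the length prefix says the whole message has arrived.
            while len(buf) < 2 or len(buf) < 2 + struct.unpack_from(">H", buf)[0]:
                chunk = s.recv(4096)
                if not chunk:
                    raise ValueError("connection closed before a full message arrived")
                buf += chunk
            results["tcp"] = parse_header(unframe_tcp(buf))
    except (OSError, ValueError, struct.error) as exc:
        results["tcp"] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]   # e.g. 192.0.2.53 example.com (assumed values)
    print(check_server(server, zone))
```

A server that passes returns a `qr: True` header for both transports; an `error` under `tcp` (connection refused or a timeout) is the condition the flag day targets, and a `tc: True` under `udp` with a failing `tcp` is the case where clients actually lose the answer.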
AI experts, lawyers, and law enforcement urged the US Congress to regulate the use of facial recognition technology during a hearing held by the House Committee on Oversight and Reform on Wednesday.
The technical issues and social impacts of using AI software to analyse images or videos are well known. There have been repeated reports of inaccuracies leading to people being misidentified, both in research and in real life. San Francisco just passed an ordinance banning city agencies from using facial recognition technology.
A new analysis highlights the prevalence of malware signed by certificate authorities and the problems with trust-based security.
Researchers with Chronicle, the cybersecurity company and Alphabet subsidiary, today published an analysis of the company’s investigation into the trend of signed malware being used in the wild.
Code signing was introduced to give Windows a way to verify who published an executable distributed over the Internet and that the file has not been modified since it was signed. Signing certificates are issued by trusted certificate authorities (CAs), which chain up to a trusted root CA. A valid signature therefore vouches for the publisher’s identity and the file’s integrity; it says nothing about whether the code is benign.
The problem is that the system rests on trust in whoever holds the certificate, and cybercriminals are taking advantage of it.
Malware authors buy these certificates, directly or through resellers. A CA can revoke a certificate once it is found to be abused, and more CAs are now doing so, but revocation remains the only way to cut down on abuse, and it is reactive: between issuance and revocation there is a window in which the malware carries a trusted signature. The caveat for defenders is that revocation is tied to a date; a signature time-stamped before the revocation’s effective date is still treated as valid, so a CA that wants to neutralise already-signed malware must set that date back to before the abuse began.
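Triage of a suspicious signed binary starts with pulling the signature out of the file, since the PKCS#7 blob is what identifies the publisher and the certificate to check against the CA's revocation data. The parser below is an added example, not code from Chronicle or the article; it locates the Authenticode certificate table in a PE file, extracts the signature blobs, and computes the digest the signature covers. It also makes the trust point above concrete: the Authenticode hash deliberately excludes the signature itself, so the exact same bytes are "trusted" or not purely on the strength of the appended certificate. Layout constants come from the PE/COFF and Authenticode specifications; `build_fake_pe()` constructs a minimal non-executable image as sample input, and the blob it wraps is a placeholder, not a real PKCS#7 structure.

```python
"""Find the Authenticode certificate table in a PE file and compute the
digest that the signature covers. Added example, stdlib only; the layout
constants come from the PE/COFF and Authenticode specifications, and
build_fake_pe() constructs a minimal non-executable image as sample input.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate is a PKCS#7 SignedData blob


def _pe_layout(data: bytes):
    """Return file offsets of (optional header, CheckSum field, Security directory entry)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                            # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                          # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    return opt, opt + 64, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8   # CheckSum is at +64 in both


def security_directory(data: bytes):
    """(file offset, size) of the certificate table, or None for an unsigned file.
    This directory holds a raw file offset, not an RVA: the table lives outside all sections."""
    _, _, sec = _pe_layout(data)
    offset, size = struct.unpack_from("<II", data, sec)
    if size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file")
    return offset, size


def certificates(data: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries (each padded to 8 bytes) in the table."""
    table = security_directory(data)
    if table is None:
        return []
    found, pos, end = [], table[0], table[0] + table[1]
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        # The blob is what you hand to openssl / signify to see who signed and check revocation.
        found.append({"revision": revision, "type": cert_type, "pkcs7": bytes(data[pos + 8:pos + length])})
        pos += (length + 7) & ~7
    return found


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash the file the way Authenticode does: skip the CheckSum field, the Security
    directory entry and the certificate table itself, so appending a signature does
    not change the digest that the signature is supposed to cover."""
    _, checksum, sec = _pe_layout(data)
    skip = [(checksum, checksum + 4), (sec, sec + 8)]
    table = security_directory(data)
    if table is not None:
        skip.append((table[0], table[0] + table[1]))
    h, pos = hashlib.new(algo), 0
    for start, end in sorted(skip):
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.hexdigest()


def build_fake_pe(pkcs7: bytes = b"") -> bytes:
    """Constructed sample input: a bare PE32+ header, optionally followed by a
    certificate table at offset 512 wrapping `pkcs7`. Not a runnable executable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)       # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    cert_off = 512
    if pkcs7:
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, 8 + len(pkcs7))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    image += b"\0" * (cert_off - len(image))
    if pkcs7:
        image += struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    return image


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(b"placeholder, not PKCS#7")
    print("signed:", security_directory(blob) is not None, "digest:", authenticode_hash(blob))
```

Point it at a real binary and write `certificates(data)[0]["pkcs7"]` to a file to inspect it with `openssl pkcs7 -inform DER -print_certs`; the signer certificate's serial number and issuer are what you need to check against the CA's CRL or OCSP responder, and the digest from `authenticode_hash()` is the value to compare against the one embedded in the signature.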