Info. Security News

Source: Dataprivacyandsecurityinsider (1w)

The FTC BOTS Act – Leveling the Ticketing Field

  • President Trump signed an executive order (EO 14254) titled 'Combating Unfair Practices in the Live Entertainment Market' on March 31, 2025, directing the FTC to enforce the BOTS Act to address unfair ticket scalping.
  • The BOTS Act, enacted in 2016, aims to prevent ticket scalping by prohibiting the circumvention of access controls and security measures by entities reselling tickets at inflated prices.
  • Violations of the BOTS Act are subject to fines up to $53,088 per violation under Section 5 of the FTC Act.
  • Scalper bots, automated software programs, can rapidly purchase large quantities of tickets leading to inflated prices when resold, thus violating the BOTS Act.
  • Enforcement actions under the BOTS Act led to fines against ticket brokers for using bots to acquire and resell event tickets at higher prices.
  • State attorneys general can enforce the BOTS Act to protect residents from violations, and there have been bills introduced to enhance enforcement, such as the 'Taylor Swift bill' in Arizona.
  • The FTC is instructed to rigorously enforce the BOTS Act under EO 14254, alongside efforts like the Junk Fees Rule to combat deceptive pricing tactics in the live entertainment industry.
  • Members of Congress have introduced the MAIN Event Ticketing Act as a companion bill to enhance reporting requirements for online ticket sellers and consumer complaints shared with state attorneys general.
  • Strong bipartisan support for live-event industry regulation is evident, with a focus on regulating ticket sales to combat scalping and unfair practices.
  • The combined efforts of EO 14254, the FTC's Junk Fees Rule, and legislative initiatives like the MAIN Event Ticketing Act indicate an increased regulatory focus on the live entertainment industry and a potential escalation of BOTS Act enforcement.
  • Ticket scalpers may face heightened scrutiny and consequences as state and federal authorities take steps to address and prevent unfair ticket practices in the industry.


Source: Dataprivacyandsecurityinsider (1w)

Yahoo ConnectID Faces Class Action Over Email Address Tracking as Alleged Wiretap Violation

  • A class-action lawsuit has been filed against Yahoo's ConnectID over alleged email address tracking as a violation of wiretap laws.
  • The lawsuit claims that Yahoo's ConnectID tracks users across websites using their email addresses without consent.
  • The complaint also alleges that Yahoo shares directly identifiable email addresses, contrary to its Privacy Policy.
  • The lawsuit seeks nationwide class certification and relief under various laws including New York unfair and deceptive business practices and the California Invasion of Privacy Act.


Source: Dataprivacyandsecurityinsider (1w)

Stall on Automated Decision-Making Technology Rules from the California Privacy Protection Agency

  • The California Privacy Protection Agency (CPPA) board held its April meeting to discuss proposed regulations on automated decision-making technology (ADMT).
  • However, the board did not finalize the rules and debated further amendments to the draft regulations.
  • This delay suggests that the final rules on ADMT, risk assessments, and cybersecurity audits are still far from being implemented.
  • The board requested additional feedback on six topics before presenting the final set of amendments in the next month's meeting.


Source: Dataprivacyandsecurityinsider (1w)

Privacy Tip #439 – Government Officials’ Venmo Accounts Publicly Accessible

  • Several government officials exposed their Venmo accounts by not adjusting their privacy settings.
  • Their public Venmo accounts reveal information about their transactions and contacts.
  • This provides threat actors with insight into strategies to target the officials and their contacts.
  • Not only Trump administration officials but also members of Congress have publicly accessible Venmo accounts.


Source: Krebsonsecurity (1w)

China-based SMS Phishing Triad Pivots to Banks

  • China-based purveyors of SMS phishing kits, known as the 'Smishing Triad,' have evolved to target customers of international financial institutions by converting phished payment card data into mobile wallets from Apple and Google.
  • The groups are expanding their cybercrime infrastructure, using innovative phishing techniques to deceive victims into sharing payment card information and one-time SMS verification codes.
  • The Smishing Triad spoofs well-known brands and targets customers globally, expanding into various industry verticals across at least 121 countries.
  • They rotate phishing domains frequently, with most hosted by Chinese companies, and they have developed advanced systems to scale their operations efficiently.
  • The threat actors exploit technical gaps in sender ID validation of messaging platforms like iMessage and RCS, allowing for high-volume, cost-effective phishing campaigns.
  • There is evidence of Chinese threat actors using specialized tools like Z-NFC to conduct fraudulent NFC transactions globally, targeting victims in countries other than Russia, Iran, and North Korea.
  • The Smishing Triad employs over 300 front desk staff to support their fraud activities, showcasing a significant workforce dedicated to maintaining their phishing operations.
  • Security researchers have uncovered backend management panels and backend systems used by the Smishing Triad, revealing insights into their success rates and phishing campaign strategies.
  • Financial institutions are urged to enhance security measures by moving away from SMS-based verification for card enrollment and requiring customers to log in to their mobile apps for added security.
  • Despite these security recommendations, the persistence of card fraud underscores the ongoing challenges faced by financial institutions and cybersecurity defenses in combating sophisticated phishing attacks.


Source: Securityaffairs (1w)

AkiraBot: AI-Powered spam bot evades CAPTCHA to target 80,000+ websites

  • AkiraBot is a CAPTCHA-evading Python framework that has spammed over 80,000 websites.
  • AkiraBot uses AI-generated messages to target small and medium-sized businesses.
  • The spam framework bypasses CAPTCHA and network detection using rotating attacker-controlled domains and proxies.
  • AkiraBot uses OpenAI's GPT-4o-mini to generate personalized spam messages and evades CAPTCHA services using Selenium WebDriver.


Source: Kaspersky (1w)

Protecting against attacks in ZIP, RAR, CAB, MSI, ISO and other archives | Kaspersky official blog

  • Archiving programs are commonly used by attackers to deceive users and to exfiltrate stolen data, so archive handling in operating systems and applications requires cybersecurity attention.
  • Attackers exploit archiver vulnerabilities to deliver malware, bypass security warnings, and execute malicious files.
  • Flaws in archivers like WinRAR and 7-Zip have been used by attackers to execute malicious actions, highlighting the importance of archive security.
  • Archiver vulnerabilities, like Zip Slip, can lead to server compromises when handling uploaded archives, posing a risk to organizations with web apps allowing archive uploads.
  • Attackers may corrupt archive contents to evade security tools, disguise malware in various file formats, and bypass security measures using legitimate archive features.
  • Social engineering tactics combined with technical tricks are used by attackers to deceive users into interacting with malicious archives without detection.
  • Protective measures like testing security tools, safe extraction setups, and monitoring archive usage on endpoints are recommended to enhance security when handling archives.
  • Blocking dangerous archive formats, restricting disk image mounting, and training employees on safe archive handling practices are crucial steps in protecting against archive-related threats.
  • Inclusion of archivers in vulnerability management programs and regular update maintenance are essential in ensuring archive security.
  • Employee cybersecurity training should also cover awareness of phishing attacks and safe practices when handling various archive formats to prevent security breaches.


Source: Securityaffairs (1w)

An APT group exploited ESET flaw to execute malware

  • At least one APT group has exploited a vulnerability in ESET software to stealthily execute malware, bypassing security measures.
  • The vulnerability, tracked as CVE-2024-11859, is a DLL Search Order Hijacking issue that potentially allows an attacker with administrator privileges to load a malicious dynamic-link library and execute its code.
  • The flaw in ESET software was exploited to deploy TCESB, a stealthy C++ tool that bypasses security and monitoring tools to execute payloads.
  • ESET addressed the vulnerability CVE-2024-11859 in January.


Source: Cybersecurity-Insiders (1w)

The Cybersecurity Risk No One Talks About: Poor File Management

  • Cybersecurity risk related to poor file management is often overlooked.
  • Poor handling of file uploads and delivery can lead to malware, phishing, data leaks, and other vulnerabilities.
  • Inadequate security measures can disrupt business operations and result in security breaches.
  • To secure file management systems, businesses should use purpose-built platforms and secure APIs.


Source: Sentinelone (1w)

An Official Statement in Response to the April 9, 2025 Executive Order

  • SentinelOne, a cybersecurity company, has issued an official statement in response to the April 9, 2025 Executive Order.
  • The company emphasizes its mission to defend customers, enterprises, and governments against cyber threats using advanced Artificial Intelligence.
  • SentinelOne considers the White House a crucial collaborator and expresses its commitment to support a strong America amidst heightened geopolitical threats.
  • The company will cooperate in any review of security clearances held by its staff, but expects no significant impact on its business.


Source: Hackersking (1w)

Exploring the Cool World of Crypto with Crypto30x.com ICE: A Beginner’s Guide

  • Crypto30x.com ICE is a platform that aims to ease, optimize, and financially reward users for investing in cryptocurrency. It offers specialized services and tools to uncover hidden value within the currency market.
  • The platform is focused on innovation, convenience, and earning opportunities. It provides market analysis, user-friendly data visualization, and diverse paths for growing a crypto portfolio.
  • Crypto30x.com ICE stands out with its daily updated list of coins with the potential to grow thirty-fold or more. It also offers educational materials and a community for interaction and learning.
  • For beginners, it is recommended to start with trusted platforms, invest small, protect private keys, and avoid unrealistic promises. Crypto30x.com ICE aims to make the crypto market easier for newcomers.


Source: Securityaffairs (1w)

National Social Security Fund of Morocco Suffers Data Breach

  • Threat actor 'Jabaroot' claims a breach of the National Social Security Fund of Morocco, aiming to steal large volumes of sensitive citizen data.
  • The breach is seen as the largest cyber attack in Morocco by the number of victims.
  • The data breach involves personal information of 1,996,026 employees from various enterprises in Morocco.
  • The compromised data includes passport, email, salary, and banking information, posing risks of fraud and identity theft.


Source: Amazon (1w)

Automating AWS Private CA audit reports and certificate expiration alerts

  • AWS Private Certificate Authority (AWS Private CA) is a solution for creating and managing private certificate hierarchies.
  • Private certificates are preferred for internal resources to maintain confidentiality and customization.
  • AWS Private CA simplifies certificate authority management and issuance for various use cases.
  • Custom certificate requirements can be met using AWS CLI or SDKs for enhanced flexibility.
  • Automating certificate generation through custom PKI pipelines offers control over the certificate lifecycle.
  • Generating audit reports from AWS Private CA can help monitor certificate expirations proactively.
  • An automation workflow using AWS services like EventBridge, Lambda, S3, SNS, and Security Hub enhances certificate expiration tracking.
  • The solution architecture automates auditing, analysis, and notification for expiring certificates.
  • The CloudFormation template provided in the article streamlines the deployment of the automation workflow.
  • Testing procedures and deployment steps are outlined for validating the automation workflow.


Source: Socprime (1w)

CVE-2025-29824 Vulnerability: Exploitation of a Windows CLFS Zero-Day Could Trigger Ransomware Attacks

  • A new zero-day vulnerability, CVE-2025-29824, has been discovered in the Windows Common Log File System (CLFS).
  • The vulnerability allows threat actors to escalate privileges to SYSTEM on compromised Windows systems.
  • The flaw has been exploited in the wild and has the potential to be used in ransomware attacks.
  • Microsoft has released patches to fix the CVE-2025-29824 vulnerability.


Source: Securityaffairs (1w)

The US Treasury’s OCC disclosed an undetected major email breach for over a year

  • The US Treasury’s Office of the Comptroller of the Currency (OCC) disclosed an undetected major email breach for over a year.
  • The breach involved unauthorized access to emails via a compromised admin account.
  • The OCC disabled affected accounts, reviewed email logs, and reported the breach to CISA.
  • The breach exposed sensitive financial data, and the review process is ongoing.
