Enlarge / iPhone Spyware known as Pegasus intercepts confidential data. (credit: Lookout ) Apple has patched three high-severity iOS vulnerabilities that are being actively exploited to infect iPhones so attackers can steal confidential messages from a large number of apps, including Gmail, Facebook, and WhatsApp, security researchers said Thursday. The spyware has been dubbed Pegasus by researchers from mobile security provider Lookout; they believe it has been circulating in the wild for a significant amount of time. Working with researchers from University of Toronto-based Citizen Lab, they have determined that the spyware targeted a political dissident located in the United Arab Emirates and was launched by an US-owned company specializing in computer-based exploits. Based on the price of the attack kit—about $8 million for 300 licenses—the researchers believe it’s being actively used against other iPhone users throughout the world. “Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile—always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists,” Lookout and Citizen Lab researchers wrote in a blog post . “It is modular to allow for customization and uses strong encryption to evade detection.” Read 8 remaining paragraphs | Comments
Originally posted here:
Actively exploited iOS flaws that hijack iPhones likely spread for years
Naoki Hiroshima had a rare and valuable Twitter handle, @N . It was extorted from him , he claims, by a scammer who figured out that PayPal reveals part of one’s credit card number during security verification—and that GoDaddy accepts the same part of the number during security verification. I asked the attacker how my GoDaddy account was compromised and received this response: From: SOCIAL MEDIA KING To: Naoki Hiroshima Date: Mon, 20 Jan 2014 19:53:52 -0800 Subject: RE: …hello – I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone) – I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com) GoDaddy outright refused to help him at first, too. It’s shocking how weak account security is there, and at PayPal: “Don’t let companies such as PayPal and GoDaddy store your credit card information,” Hiroshima writes.