Europol has recently notified over 400 websites that their online shops have been hacked with malicious scripts that steal debit and credit cards from customers making purchases.  Skimmers are small snippets of JavaScript code added to checkout pages or loaded from a remote resource to evade detection.  Europol noted that they are designed to intercept and steal payment card numbers, expiration dates, verification numbers, names, and shipping addresses and then upload the information to the attackers' servers.

UK telco EE has recently warned customers they could be deluged with millions of scam SMS messages on December 23 as fraudsters look to capitalize on last-minute Christmas shopping.  The mobile operator claimed that the equivalent day last year saw it block three million text message scams (aka “smishing”), the highest daily number in 2022.  The copany warned that this year the figure could reach as high as five million.

The Donald W. Wyatt Detention Facility in Rhode Island has recently disclosed a data breach impacting the personal information of roughly 2,000 inmates, staff, and vendors.  According to the correctional facility, the incident occurred in November, involving malware being deployed on its computer systems and data theft.  It was noted that the investigation into the matter revealed that the attackers compromised the personal information of more than 1,450 detainees, over 430 current and former staff members, and roughly 90 outside vendors.

The National Institute of Standards and Technology (NIST) released two draft publications aimed at helping organizations transition from traditional encryption schemes to ones that can withstand attacks from a potential quantum computer. NIST opens the documents up for public comment as the agency ushers in the next era of cybersecurity.

Trustwave researchers have detailed a new phishing method that aims to bypass Instagram accounts' two-step verification. A misleading email message and login page lead users to reveal their credentials and a temporary six-digit backup code. The phishing method involves sending an email purporting to be from Instagram's parent company, Meta. It informs users that their account may have violated copyrights. To prevent losing their account, the user is prompted to log in within 12 hours using a specific link.

Prompt injection is an unresolved issue that poses a significant threat to the integrity of Large Language Models (LLMs). This threat is heightened when LLMs are transformed into agents that interact directly with the outside world, using tools to retrieve data or carry out actions. Prompt injection techniques can be used by malicious actors to produce unintended and potentially harmful output by distorting LLMs' reality.

A new Group-IB report warns of an increase in fake delivery websites. Group-IB's Computer Emergency Response Team (CERT-GIB) identified 587 fake postal resources in the first ten days of December, 34 percent more than in the last ten days of November. CERT-GIB has identified 1,539 phishing websites impersonating postal operators and delivery companies since the beginning of November.

It has recently been discovered that the BidenCash stolen credit card marketplace is giving away 1.9 million credit cards for free via its store to promote itself among cybercriminals.  BidenCash launched in early 2022 as a new marketplace on both the dark web and the clearnet, selling credit and debit cards that were stolen through phishing or skimmers on e-commerce sites.

The National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) to help implement its responsibilities under the recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). The order requires NIST to develop guidelines for evaluation, red-teaming, and other activities, as well as to facilitate the development of consensus-based standards. NIST will also provide testing environments for AI system evaluation.

According to security researchers at vpnMentor, an unprotected database belonging to Real Estate Wealth Network was left accessible from the internet for an unknown period.  Founded in 1993 and based in New York, Real Estate Wealth Network is an online real estate education platform that provides subscribers with access to courses, training materials, and a community. The researchers noted that the unprotected database was 1.16 terabytes in size, containing more than 1.5 billion records.