Tag: security

Registration Form Used To Send Spam Via Welcome Email


While reviewing a client site, I recently noticed that a small number of accounts had registered with spurious firstName and lastName values such as: firstName: "You have 5 new messages from Patty:" lastName: "". After some digging, it appeared these customers had legitimate email addresses, but had placed no orders and had not interacted with our site. Looking at the logs, these emails had received...

Reversing hashes of PwnedPasswords api using number of breaches


I was recently working on a requirement to log the number of breached sites a password appeared on when customers were registering (if that password had been breached at all). Importantly, we are not logging the breached password itself (nor the hash of the password), just the number of breaches that particular password appeared in (as per the Pwned Passwords data set). So, to log this, I’m...

Phishing with internationalised domains


While on a train this morning, one of my close friends sent me this WhatsApp message: The person who sent it to me is not usually someone to send out scams or spam, but, to me at least, this message did not look legit. It smelled strongly of a phishing scam. However, it was a link to adidas.com/shoes, so how was this going to phish me? Of course they are not giving away 3000 free pairs of...

Amazon DDOS attack – hardware failure cover-up


I’m a great fan of Amazon. I admire what they have done for technology, especially with their AWS Platform. However, when the company decided to blame a “hardware failure” for their outages yesterday evening, I felt they were trying to pull the wool over our eyes. An Amazon spokesman said: ‘The brief interruption to our European retail sites last night was due to hardware failure in our...