Security researchers dismantled an extensive ad fraud operation nicknamed “VastFlux” that affected millions of devices. The malvertizing campaign planted malicious JavaScript code into digital ad creatives, allowing the operators behind it to stack numerous invisible video ad players behind one another and register ad views.

The fraud scheme was primarily focused on in-app advertising services running on Apple’s iOS platform, spoofing 120 publishers and 1,700 apps. The campaign impacted more than 11 million devices (primarily Apple devices) and at its peak accounted for 12 billion bid requests a day.

FBI links $100M Harmony heist to North Korean Lazarus hackers

The US Federal Bureau of Investigation (FBI) has officially attributed a $100 million Harmony’s Horizon bridge crypto heist to a well-known North Korea-linked state-sponsored threat actor Lazarus Group.

According to the FBI, the perpetrators targeted a cross-chain bridge connecting Harmony, a Layer 1 blockchain, to Ethereum, Bitcoin, and Binance Chain and used the Railgun privacy protocol to move and launder over $60 million of the stolen Harmony assets. Some of the pilfered assets were sent to a number of VASPs and converted to Bitcoin.

T-Mobile says data breach impacted about 37 million customers

US second-largest wireless carrier T-Mobile revealed a massive data breach affecting around 37 million customer accounts. The company explained that a threat actor took advantage of an API to access customer account data, including name, phone number, email, date of birth, and billing address.

The exposed information did not include payment data, password or other sensitive data. T-Mobile said there was no indication that its systems or network was breached.

Thousands of PayPal accounts compromised in credential-stuffing attack

Online payments processor PayPal warned that around 35,000 user accounts have been targeted in a credential-stuffing campaign. According to the company, between December 6 and 8, 2022 a malicious actor accessed user accounts using credentials obtained from a third-party source (via phishing or purchased on underground marketplaces).

The potentially compromised information included personal data like names, phone numbers, addresses, birth dates, ITINs, and Social Security numbers. PayPal’s payment systems were not impacted, and no financial information was stolen, the company assured.

Hackers stole League of Legends source code from Riot Games

Popular gaming company Riot Games fell victim to a social engineering attack that affected its development environment and ability to release new content and game updates. Initially, the game maker did not share any details on how and when the attack took place, but said that there’s no evidence that player data or personal information was compromised.

In an update the company has confirmed that the intruders exfiltrated the League of Legends source code and demanded a $10 million ransom to prevent the stolen information from going public, which Riot Games said it has no intention to pay. Soon after the attackers have put up for sale the League of Legends source code and Packman for a price of $1 million.

What’s next:

Follow ImmuniWeb on Twitter and LinkedIn
Explore 20 use cases how ImmuniWeb can help
Browse open positions to join our great Team
See the benefits of our partner program
Request a demo, quote or special price
Subscribe to our newsletter

United States of America

Application Security Weekly

Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law.

Recent Blog Posts:

US Takes Action Against “Criminal Exchange” Bitzlato, Arrests Founder

Top 10 Cybersecurity Predictions for 2023

Microsoft Bugs Are the Most Common KEVs in Financial Sector