Python developers targeted with new password-stealing phishing attacks – here’s how to stay safe

Story by Sead Fadilpašić
  • PyPI warns phishing attacks will persist using fake domains and urgent email tactics
  • Victims are tricked into verifying accounts via typosquatted sites like pypi-mirror.org
  • Users and maintainers urged to adopt phishing-resistant 2FA and domain-aware password managers

Phishing attacks against PyPI users and maintainers are going to continue, the foundation is warning, as it urged members to tighten up on security and remain vigilant.


A new blog post, published by the foundation’s security developer-in-residence, Seth Larson, noted that the most recent attacks are a continuation of a months-long campaign that uses convincing emails and typosquatted domains to steal people’s login credentials.

“Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues,” Larson wrote. “This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name. Judging from this, we believe this type of campaign will continue with new domains in the future.”

How to stay safe

In the emails, the victims are asked to “verify” their addresses for “account maintenance and security procedures”, and threatened with account closure if they don’t comply.

This sense of urgency and threat is typical of a phishing email. The link redirects victims to pypi-mirror.org, a domain not owned by PyPI or the Python Software Foundation.


“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately,” Larson warned. “Inspect your account’s Security History for anything unexpected. Report suspicious activity, such as potential phishing campaigns against PyPI, to security@pypi.org.”

Phishing is both extremely difficult and extremely easy to defend against. In theory, using common sense and thinking before clicking should suffice in most cases. However, to guard against a lapse in attention, users are advised to use phishing-resistant 2FA such as hardware tokens.

Maintainers, on the other hand, should use a password manager which auto-fills based on domain name. If auto-fill isn’t working when it usually does, that is a huge red flag. Phishing-resistant 2FA is also recommended.
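The "auto-fill based on domain name" advice above works because a password manager compares the page's actual host against the host it saved, not against how the page looks. The following added example (not PyPI's or Seth Larson's code; the vault entry and URLs are constructed) shows that decision in miniature, alongside the naive substring match that would happily fill credentials into pypi-mirror.org:

```python
"""Domain-aware autofill check, in the spirit of a password manager that
only offers a saved login when the page's host really is the saved host.
Added example; not PyPI's or Seth Larson's code. The vault entry and the
URLs below are constructed."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed vault: one saved login for the real PyPI host.
VAULT = {"pypi.org": "maintainer@example.invalid"}


def canonical_host(url: str) -> Optional[str]:
    """Lowercased, IDNA-encoded hostname of a URL, or None if unparseable.
    IDNA encoding turns look-alike Unicode hosts into their xn-- form so
    they can never compare equal to the ASCII host in the vault."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def host_matches(page_host: str, saved_host: str) -> bool:
    """Exact host, or a subdomain of it; a look-alike such as
    pypi-mirror.org or pypi.org.evil.example never matches."""
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_candidates(url: str, vault=VAULT) -> List[str]:
    """Usernames the manager would offer for this page; empty over plain
    HTTP or on any host that is not (under) a saved one."""
    host = canonical_host(url)
    if host is None or urlsplit(url).scheme != "https":
        return []
    return [user for saved, user in vault.items() if host_matches(host, saved)]


def naive_candidates(url: str, vault=VAULT) -> List[str]:
    """Contrast: a substring match on the saved label would autofill on
    the phishing domain, which is exactly the behaviour to avoid."""
    host = canonical_host(url) or ""
    return [user for saved, user in vault.items() if saved.split(".")[0] in host]


if __name__ == "__main__":
    for page in ("https://pypi.org/account/login/",
                 "https://pypi-mirror.org/verify",
                 "https://pypi.org.evil.example/login"):
        print(page, "->", autofill_candidates(page) or "no autofill (red flag)")
```

The empty result on the typosquatted host is the "huge red flag" the article describes: when the manager offers nothing on a page that normally gets filled, the host is not the one the credentials were saved for.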


Apple iOS apps are worse at leaking sensitive data than Android apps, worrying research finds – here’s what you need to know

Story by Efosa Udinmwen
  • Report warns attackers can intercept API calls on iOS devices, and make them appear legitimate
  • Traditional security tools fail to protect apps against in-device attacks
  • Compromised mobile devices significantly increase the risk of API exploitation

New research from Zimperium has claimed mobile apps are now the primary battleground for API-based attacks, creating serious risks of fraud and data theft for enterprises.


The research shows 1 in 3 Android apps and more than half of iOS apps leak sensitive data, offering attackers direct access to business-critical systems.

Even more worryingly, the report claims three of every 1,000 mobile devices are already infected, with 1 in 5 Android devices encountering malware in the wild.

The scale of mobile API vulnerabilities

Unlike web applications, mobile apps ship API endpoints and calling logic onto untrusted devices, exposing them to potential tampering and reverse-engineering.

This allows attackers to intercept traffic, modify the app, and make malicious API calls appear legitimate.

Traditional defenses such as firewalls, gateways, proxies, and API key validation cannot fully protect against these in-app threats.


“APIs don’t just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.

“Traditional security tools can’t stop attacks happening inside the app itself. Protecting APIs now requires in-app defenses that secure the client side.”

Client-side tampering is common, as attackers can intercept and alter API calls before they reach backend systems.

Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: nearly 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable.

Beyond API exposure, many apps mishandle sensitive data on devices: Zimperium found that console logging, external storage, and insecure local storage are common problems.

For example, 6% of the top 100 Android apps write personally identifiable information (PII) to console logs, and 4% write it to external storage accessible by other apps.


Even local storage, although not shared, can become a liability if an attacker gains device access.

The analysis also shows nearly a third (31%) of all apps and 37% of the top 100 send PII to remote servers, often without proper encryption.

Certain apps incorporate SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations, and sending information to external servers.

These hidden activities increase enterprise exposure and show that even apps from official stores can carry major security risks.

“As mobile apps continue to drive business operations and digital experiences, securing APIs from the inside out is critical to preventing fraud, data theft, and service disruption,” added Vishnubhotla.

How to stay safe

  • Inspect apps for improper logging of sensitive information to prevent data leaks.
  • Verify that local storage of data is encrypted and not accessible by other apps.
  • Monitor network traffic to detect apps sending unencrypted personal information.
  • Identify and remove malicious SDKs or third-party components embedded in apps.
  • Review app permissions to ensure they align with intended functionality.
  • Conduct regular audits of app behavior for potential breach vulnerabilities.
  • Implement runtime protections to prevent tampering or reverse engineering of apps.
  • Use code obfuscation to shield business logic and API endpoints from attackers.
  • Validate that API calls come only from legitimate, untampered applications.
  • Establish incident response procedures in case a mobile app compromise occurs.
  • Use mobile security software that protects against malware and ransomware attacks.
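The first item in the list, inspecting apps for improper logging of sensitive information, is something a team can automate against its own build's log output. The following added example (not Zimperium's tooling; the logcat-style lines, regexes and redaction format are constructed assumptions) flags card numbers that pass the Luhn check, e-mail addresses and JWT-shaped tokens in sample log lines, and shows the corresponding redaction an app should apply before anything reaches the console:

```python
"""Scan app log output for sensitive data that should never be logged, and
redact it. Added example; not Zimperium's code. Sample lines, patterns and
the redaction format are constructed assumptions."""
import re
from typing import List, Tuple

# Constructed logcat-style sample: one card number, one token, one e-mail.
SAMPLE_LOGCAT = """\
I/PayFlow ( 4321): checkout started for user_id=8812
D/PayFlow ( 4321): card=4111 1111 1111 1111 exp=12/27
D/Auth    ( 4321): session token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln
I/Profile ( 4321): contact email=jane.doe@example.invalid
I/PayFlow ( 4321): order 20250917 total=49.90
"""

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Three base64url segments starting with "eyJ" ({" in base64): JWT-shaped.
    "bearer_or_jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
# 13 to 19 digits with optional single spaces or dashes between digits only.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop order ids and timestamps that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(log_text: str) -> List[Tuple[int, str]]:
    """(line number, kind) for every sensitive item found in the log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, kind))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "card_number"))
    return findings


def redact_line(line: str) -> str:
    """What the app's logging wrapper should emit instead: e-mails and
    tokens replaced by a marker, card numbers masked to the last four."""
    line = PATTERNS["email"].sub("[email]", line)
    line = PATTERNS["bearer_or_jwt"].sub("[token]", line)

    def mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "****" + digits[-4:] if luhn_ok(digits) else m.group()

    return CARD_CANDIDATE.sub(mask, line)


if __name__ == "__main__":
    for lineno, kind in find_pii(SAMPLE_LOGCAT):
        print(f"line {lineno}: {kind}")
    for line in SAMPLE_LOGCAT.splitlines():
        print(redact_line(line))
```

Running it over a debug build's full logcat capture, rather than a constructed sample, is the point: the 6% of top apps that write PII to console logs would show up in the findings list before release, and the redaction wrapper is the fix the list item is asking for.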

Data breach of epic proportions in Vietnam

Hackers steal 160 million records from state-run credit center, exposing Communist Party’s digital vulnerability and illiteracy

This month, over 160 million credit records held at Vietnam’s National Credit Information Center (CIC), a unit managed by the State Bank of Vietnam, were stolen and posted for sale online for US$175,000.

The massive breach, allegedly carried out by the hacker group ShinyHunters, exposed the personal data of virtually every Vietnamese citizen above the age of 18.

Yet, beyond the cybercrime headlines, the scandal raises a deeper, more troubling question: What happens when a government simultaneously loses control of citizens’ data, while also proposing to sell it?

Vietnam’s Ministry of Public Security (MPS) has recently introduced a draft law proposing the establishment of a national data exchange platform.

Framed as a way to unlock the value of data for economic development, the platform would allow for the trading of both personal and non-personal data, under certain conditions. While the ministry promises that individual consent will be required, the mechanism for ensuring such consent remains vague.

At the same time, Vietnamese citizens affected by the CIC leak were not notified: not by the CIC, not by relevant banks and not by any state institution.

As of September 13, some individuals whose names appeared in sample files being circulated on the dark web said they had received no warnings, no protection and no explanation.

The leaked dataset, according to security experts, included:

  • Full personal identification (ID numbers, passports, driving licenses)
  • Biometric data and medical records
  • Tax codes, income and debt information
  • Credit card and banking records
  • Employment, education and residence history
  • Government, police and military personnel profiles

This isn’t just a privacy issue; it’s a national security breach. When foreign intelligence services can buy profiles of Vietnamese government officials and military members for less than the cost of a luxury car, no law or slogan can compensate for the damage done.

In a tone-deaf public notice, police authorities urged citizens to remain vigilant and “protect themselves” against identity theft and cybercrime, placing the burden back on the victims.

The irony is stark: the state collects data without consent, fails to protect it and then blames the people for not being digitally literate enough to defend themselves.

This contradiction is particularly jarring in the context of the government’s recent push for a “digital literacy campaign.” On September 13, General Secretary To Lam praised the launch of “Digital Mass Literacy – Digital Parliament” as part of Vietnam’s national modernization.

At the same time, he admitted that most citizens and even government officials lack fundamental knowledge about data protection or digital transformation.

Selling insecure data

The Ministry of Public Security’s draft legislation envisions a future where data is commodified, yet claims to prioritize national security and individual privacy. But the CIC breach reveals a harsh truth: Vietnam does not yet have the technical or institutional capacity to manage that dual mandate.

General Vu Van Tan, head of the Cybersecurity Department, recently stated that data should not sit idly in databases but rather should be “shared and monetized to generate value for society.”

But when the value of data outweighs the commitment to protect it, citizens are no longer stakeholders – they are vulnerable bystanders.

To restore trust, Vietnam needs more than draft laws and slogans. It needs:

  • A public apology and immediate notification to all affected individuals
  • Independent oversight of any future data exchanges
  • Strict liability for state and corporate entities involved in data mishandling
  • Investment in real cybersecurity infrastructure, not just propaganda
  • Clear legal pathways for compensation to citizens harmed by data breaches

Most importantly, the Vietnamese government must recognize that data rights are human rights. Without accountability, security and consent, the promise of a “digital society” becomes instead a digital trap.
