Google services, designed for easy interoperability, are being exploited in a range of social engineering campaigns, Kaspersky has found. The two services in question, Gmail and Google Calendar, have over a billion users worldwide. Attackers are using calendar invitations, which generate a pop-up notification on the recipient's phone, to send a malicious payload embedded in the invitation. Because users are accustomed to trusting the invitations, the pop-up becomes an effective phishing tool. The attacks observed so far send victims to credential-stealing sites, but there’s considerable room for expansion into other scams.
The US signalled a new willingness to undertake offensive operations in cyberspace to counter hostile nation-state economic espionage. The Wall Street Journal reports that National Security Advisor Bolton alluded to the policy shift ("opening the aperture") during annual meetings of the Journal's CFO Network. The Washington Post's quick discussions with security industry leaders found them to be, in general, cautiously in favor of the policy.
AppleInsider reports that Foxconn says it can shift its iPhone-related production out of China, should Sino-American relations deteriorate to a point where continuing to supply Apple from Chinese plants becomes impossible.
Huawei told the UK's Parliament Monday that the company wasn't bound by Chinese laws requiring cooperation with Beijing's intelligence services, SecurityWeek notes.
Microsoft patched eighty-eight vulnerabilities Tuesday, twenty-one of them classified as critical. Four of the vulnerabilities fixed, BleepingComputer notes, seem to be the ones disclosed by SandboxEscaper. Adobe also patched, as expected, addressing issues in its Flash, ColdFusion, and Campaign products.