Rivian: Tim Cook drives an electric car

Tim Cook may not drive an iCar, but he does drive an electric car from Rivian. Company executives were able to try out its pickup. (Rivian, Technology)

High energy prices: Federal government will not prop up municipal utilities in distress

High gas prices threaten to push municipal utilities into financial trouble. But the federal government does not intend to put up a protective shield for them.

Ongoing phishing campaign can hack you even when you’re protected with MFA

Campaign that steals email has targeted at least 10,000 organizations since October.


On Tuesday, Microsoft detailed an ongoing large-scale phishing campaign that can hijack user accounts when they're protected with multi-factor authentication measures designed to prevent such takeovers. The threat actors behind the operation, who have targeted 10,000 organizations since September, have used their covert access to victim email accounts to trick employees into sending the hackers money.

Multi-factor authentication—also known as two-factor authentication, MFA, or 2FA—is the gold standard for account security. It requires the account user to prove their identity in the form of something they own or control (a physical security key, a fingerprint, or face or retina scan) in addition to something they know (their password). As the growing use of MFA has stymied account-takeover campaigns, attackers have found ways to strike back.

The adversary in the middle

Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server's response back to the user. Once the authentication was completed, the threat actor stole the session cookie, which the legitimate site sends so that the user doesn't need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server.


YouTube begins rolling out picture-in-picture on iPhones and iPads

iOS offered this capability for a while, but YouTube was slow to implement it.


Two years after the feature was made available to third-party developers on iPhones and seven years after it came to iPad, Google announced it will now roll out picture-in-picture viewing for the YouTube iOS and iPadOS app.

Google says picture-in-picture capability will roll out gradually, though it didn't name a time frame. However, it clarified that the feature's availability would vary based on Premium subscriber status and location. Globally, picture-in-picture capability will work for anyone with a YouTube Premium subscription and any video. Users in the US who don't have YouTube Premium will also be able to take advantage of picture-in-picture, but only for what Google deems non-music content.

That limitation is likely to keep users from simply listening to music in the background on their devices via a free YouTube account instead of subscribing to the company's music offerings. While picture-in-picture is new, background audio (including for music) for currently playing videos has long been a cornerstone of the YouTube Premium service.
