Security news weekly round-up - 29th May 2026

Malware and vulnerabilities are the stuff of nightmares for any security-conscious internet user. Add privacy invasion into the mix and it gets worse. I mean, a website spying on you through the activity of your SSD sounds like a script from your favorite sci-fi movie. However, it’s reality.

Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise

The FIFA World Cup season is around the corner. Be wary of random search results while looking to buy tickets or merchandise: go directly to the official website, and do not rely on a Google search.

From the article: Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves using a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won’t notice.
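A defender-side check for the typosquatting pattern described above, added here as an example and not taken from the article: it flags candidate domains that differ from a legitimate one by a small edit, by an addition around the brand label, or by using the brand as a subdomain of an unrelated site. The allowlist entry `fifa.com` and the sample domains are assumptions constructed for the example.

```python
# Added example (not from the round-up): classify domains that imitate a legitimate
# one through small edits or additions, as typosquatting sites do.

LEGIT = {"fifa.com"}  # assumed allowlist of legitimate registrable domains


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels (simplification: no public-suffix list is consulted)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a candidate domain."""
    reg = registrable(domain)
    if reg in LEGIT:
        return "legit"
    if "." not in reg:
        return "unrelated"  # bare hostnames such as 'localhost' are out of scope
    cand_label, cand_tld = reg.split(".", 1)
    for legit in LEGIT:
        brand, tld = legit.split(".", 1)
        # Same brand under a different TLD (fifa.net)
        if cand_label == brand and cand_tld != tld:
            return "lookalike"
        # Brand embedded with additions (fifa-tickets.com, worldcupfifa.com)
        if brand in cand_label and cand_label != brand:
            return "lookalike"
        # One small edit away from the brand (fiffa.com, flfa.com); short brands
        # get a tighter threshold so unrelated short names are not flagged.
        if edit_distance(cand_label, brand) <= max(1, len(brand) // 4):
            return "lookalike"
        # Brand used as a subdomain of something else (fifa.com.tickets-shop.net)
        if domain.lower().startswith(brand + ".") and reg != legit:
            return "lookalike"
    return "unrelated"
```

The thresholds are deliberately simple; a production check would also normalise homoglyphs and consult a public-suffix list.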

These special phone and app features can help protect you from spyware

If you feel that you are being targeted, or think you could be in the future, read the article. It covers how to set these features up on your iPhone and Android devices. The following should get you started: Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff. No security measure is perfect, and it’s a constant effort to keep security flaws at bay. But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective.

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Do not use AI chatbots to search for download links on the Internet. If you think that’s too much to ask, read the article.

From the article: It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning. Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors.

Websites have a new way to spy on visitors: Analyzing their SSD activity

Among the things that I would never have thought possible while browsing the web, this is going to be in the top 10. While reading it, I was reminded of https[://]browserspy[.]dk.

From the article: The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

New BTMOB Android Malware Enables Full Device Takeover

Another Android malware that you and I have to think about. Like previously documented Android malware, this one also abuses the Accessibility Services on the device. Here is how the malware spreads, and what it can do: Threat actors have been observed delivering phishing messages that point victims to websites posing as legitimate services, which redirect to fake application stores mimicking legitimate repositories and serving the malicious APK. Unlike banking trojans, which ‘only’ aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it.

Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code

The title can be funny when you read it. However, it wouldn’t be funny if you ended up as the victim.

From the article: The addition was a prompt injection, a form of AI attack that exploits an LLM’s inability to distinguish between legitimate user prompts and those from unauthorized, potentially malicious third parties. AI coding agents that were vulnerable would then delete work product produced by the testing app. The reception to the discovery has been chilly. One discussion participant called the move “childish,” while another one questioned its legality in some jurisdictions.

Credits: Cover photo by Debby Hudson on Unsplash. That’s it for this week, and I’ll see you next time.