Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes.

Now, researchers say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers. The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. 

Cyber crooks have targeted travel firm Booking.com in a bid to steal hundreds of thousands of pounds from customers. Users were sent WhatsApp and text messages claiming a security breach meant they needed to change their password.

But the link gave hackers access to bookings and they then sent follow-up messages demanding full payment for holidays in advance with bogus bank details provided. These appeared genuine as they included personal data including names, addresses, phone numbers, dates and prices of bookings, and reference numbers. Marketing manager David Watts got a WhatsApp message but realised it was a scam. 

The BND foreign intelligence service has long tapped international data flows through the De-Cix exchange based in the German city of Frankfurt. But the operator argues the agency is breaking the law by also capturing German domestic communications.

"We have grave doubts about the legality of the current practice," said a statement Wednesday on the website of De-Cix Management GmbH, which is owned by European internet industry body the eco association. "We consider ourselves under obligation to our customers to work towards a situation in which strategic surveillance of their telecommunications only takes place in a legal manner." 

The Trump administration issued a fresh warning Tuesday about malicious North Korean cyber activity, as that nation's leader dispatched a top adviser to New York to prepare for a possible summit on its nuclear arsenal.

The technical alert from the FBI and the Department of Homeland Security highlighted two pieces of malware said to have been used to target U.S. infrastructure and aerospace, financial and media companies for at least nine years to steal information and remotely manipulate networks. In recent years, the US has accused North Korea of launching a slew of cyberattacks, and it wasn't immediately clear if there was any significance to the timing of the latest warning.

Facebook and Google have become the targets of the first official complaints of GDPR noncompliance, filed on the day the privacy law takes effect across the EU.

Across four complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given. Max Schrems, the chair of Noyb, said: “Facebook has even blocked accounts of users who have not given consent.”

Researchers at Avast Threat Labs say that more than 100 different low-cost Android devices from manufacturers like ZTE, Archos, and myPhone come with malware pre-installed. Users in more than 90 countries, including the US, are said to be infected. The good news is there’s a fix.

According to the report, this adware variant has been in the wild for three years. It’s called “Cosiloon” and was first noticed by Dr. Web in 2016. Because it’s located in the device’s firmware, it’s extremely difficult to remove. Avast has detected its presence on 18,000 of its users’ devices, so far. 

Fido might be man's best friend, but smart devices designed to track pets' movements and activity could be your worst enemy if attackers manage to capitalize on any of the dozen vulnerabilities researchers recently observed in them.

In a May 22 blog post, Kaspersky Lab researchers Roman Unuchek and Roland Sako warn that malicious hackers could exploit flaws found in these IoT products or their corresponding mobile apps to disable the devices' services, cause them to receive and execute commands from an unauthorized party, or perform man-in-middle attacks that intercept transmitted data. 

Google is being sued in the high court for as much as £3.2bn for the alleged “clandestine tracking and collation” of personal information from 4.4 million iPhone users in the UK.

The collective action is being led by former Which? director Richard Lloyd over claims Google bypassed the privacy settings of Apple’s Safari browser on iPhones to divide people into categories for advertisers. Lawyers for Lloyd’s campaign group Google You Owe Us told the court information collected by Google included race, physical and mental heath, political leanings, sexuality, social class, financial, shopping habits and location data. 

It's starting to feel like everyone in charge of our sensitive data might be incompetent. It's only been a day since Securus, the company that helps police track phones, was apparently hacked. Now, according to security site KrebsOnSecurity, tracking firm LocationSmart leaked real-time location data on its own web site.

LocationSmart aggregates real-time data on the location of subscribers' mobile phones. It's all opt-in, but Krebs reported that anyone could access this information for any AT&T, Sprint, T-Mobile and Verizon phones on the company's web site without a password or any other form of authentication. The vulnerability has been taken offline, said Krebs, but man what a mistake.

In its latest effort to fend off cryptocurrency scams, the Securities and Exchange Commission launched its own fake initial coin offering website today called the Howey Coin to warn people against fraudulent cryptocurrencies.

The name is a tongue-in-cheek reference to the Howey Test that the SEC uses to determine whether an investment is a security, which the Commission would therefore have legal jurisdiction over. Click ‘Buy Coins Now’ on the Howey Coins site and you’ll be redirected to an SEC page that states: “We created the bogus HoweyCoins.com site as an educational tool to alert investors to possible fraud involving digital assets like crypto-currencies and coin offerings.”