The number of active phishing sites hit a record number earlier this year in January, according to an industry report published this week by the Anti-Phishing Working Group (APWG). The Record reports: A total of 245,771 phishing sites were detected in January. The number represents the unique base URLs of phishing sites found and reported by APWG members. The APWG is an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector, which includes some big names such as Microsoft, Facebook, PayPal, ICANN, AT&T, Comcast, Digicert, Cloudflare, Cisco, Salesforce, RSA, Verisign, ESET, McAfee, Avast, Symantec, Trend Micro, PhishLabs, Agari, Cofense, and many others. APWG experts noted that while the number of phishing sites declined in February, the next month, in March, the number of phishing sites jumped above 200,000 again, amounting to the fourth-worst month in APWG's reporting history.

The industry vertical most targeted in phishing attacks in Q1 remained the financial sector, which saw almost a quarter of all phishing attempts. Second was social media, with cybercrime groups attempting to hijack social media accounts to resell online on specialized marketplaces, according to the APWG report (PDF). Furthermore, around 83% of all phishing sites seen in Q1 2020 were also hosted on an HTTP-based connection. This finding reinforces a piece of well-known cybersecurity advice that if a website is loaded via HTTPS, it doesn't mean it's secure, but merely that its traffic can't be easily intercepted.

Apple has begun testing passkeys, a new authentication technology it says are as easy to use as passwords but vastly more secure. Part of iCloud Keychains, a test version of the technology will come with iPhones, iPads and Macs later this year. From a report: To set up an account on a website or app using a passkey, you first choose a username for the new account, then use FaceID or Touch ID to confirm that it's really you who's using the device. You don't ever pick a password. Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.

To use the passkey for authentication later, you'll be prompted to confirm your username and verify yourself with FaceID or Touch ID. Developers must update their login procedures to support passkeys, but it's an adaptation of the existing WebAuthn technology. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," Garrett Davidson, an Apple authentication experience engineer, said Wednesday at the company's annual WWDC developer conference.

Google's experiment to hide parts of a site's URL in the Chrome address bar (the Omnibox) has failed and has been removed from the browser earlier this week. From a report: The experiment ran from June 2020 to June 2021. It consisted of a series of options that Google added to the chrome://flags options page that, when enabled, only showed the main domain name of a site (therecord.media) instead of the full page URL (therecord.media/category/article/title).

McDonald's said hackers stole some data from its systems in markets including the U.S., South Korea and Taiwan, in another example of cybercriminals infiltrating high-profile global companies. From a report: The burger chain said Friday that it recently hired external consultants to investigate unauthorized activity on an internal security system, prompted by a specific incident in which the unauthorized access was cut off a week after it was identified, McDonald's said. The investigators discovered that company data had been breached in markets including the U.S., South Korea and Taiwan, the company said. In a message to U.S. employees, McDonald's said the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas.

The company said no customer data was breached in the U.S., and that the employee data exposed wasn't sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information. McDonald's said attackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including names and contact information, McDonald's said. The company said the number of files exposed was small without disclosing the number of people affected. The breach didn't include customer payment information, McDonald's said.

The group of hackers that stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard reported Friday. From the report: The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard.

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10, and using those to gain access to a Slack channel used by EA. In this case, the hackers were able to get into EA's Slack using the stolen cookie. "Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night," the representative said.

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet. From a report: The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi, and authorized dealers in the U.S. and Canada, left the customer data spanning 2014 to 2019 unprotected over a two-year window between August 2019 and May 2021. The data, which Volkswagen said was gathered for sales and marketing, contained personal information about customers and prospective buyers, including their name, postal and email addresses, and phone number. But more than 90,000 customers across the U.S. and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver's license numbers, but that a "small" number of records also included a customer's date of birth and Social Security numbers.