Security news weekly round-up - 19th December 2025

Published: (December 19, 2025 at 03:44 PM EST)
Source: Dev.to


Most Parked Domains Now Serving Malicious Content


When you land on a parked domain—whether by typo or because the site has moved—you might see a simple “for sale” notice. Recent research shows that many of these domains now serve malicious content. Two practical steps to protect yourself are:

  • Use reputable web‑browser bookmark managers.
  • Connect through a trusted VPN.

“It was often a chain of redirects — one or two domains outside the parking company — before threat arrives,” said David Brunsdon, a threat researcher at Infoblox. “Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”

The parked pages profile visitors via IP geolocation, device fingerprinting, and cookies before redirecting them to malicious or decoy sites.


GhostPoster Firefox Extensions Hide Malware in Icons


Firefox extensions posing as free VPNs, ad blockers, translation tools, or weather apps have been found to deploy multi‑stage payloads that:

  • Monitor user activity.
  • Disable security protections.
  • Enable remote code execution (RCE).

The developers used steganography to embed a loader after the extension’s icon. This loader contacts a remote command‑and‑control (C&C) server to retrieve an encrypted payload.


Browser Extensions with 8 Million Users Collect Extended AI Conversations


A Chrome Web Store extension, Urban VPN, was discovered harvesting AI chat data. Users who interacted with ChatGPT, Claude, Gemini, or similar platforms after July 9, 2025, while the extension was installed should assume their conversations are now stored on Urban VPN’s servers and have been shared with third parties.

“Medical questions, financial details, proprietary code, personal dilemmas—all of it, sold for ‘marketing analytics purposes.’”


UEFI Vulnerability in Major Motherboards Enables Early‑Boot Attacks


A vulnerability affecting the boot process of several major motherboards allows an attacker with physical access to perform a DMA attack using a malicious PCIe device. The firmware incorrectly reports that DMA protections (IOMMU) are enabled, but the IOMMU is not actually configured until just before control is handed to the operating system.


Credits
Cover photo by Debby Hudson on Unsplash.
