This month we learned about a host of newfangled malware and hacks that compromise everyday websites, online ads, hotel chains, and British tabloids. Plus, State Department employees recently found out that their love of Facebook made them vulnerable to the Axis of Evil. Check out November’s biggest infosec headlines, below:

US State Department Targeted By Iranian Cyber Attack: Multiple sources reported on an apparent spear phishing attack from Iran’s Revolutionary Guard on the US State Department. The attackers used compromised social media accounts of junior level State Department employees to hack computers of officials who work on Iranian and Middle Eastern affairs. In a strange twist, the US government learned about the attack from Facebook. Often it’s the other way around, with private sector firms and organizations learning they’ve been victims once they’re notified by the feds. The upshot: The government needs to manage employee web access and passwords, and control access to social media apps on work devices. Using a secure browser that handles credentials on behalf of employees could have averted this breach. And it would avoid future government breaches we fear we’ll hear about in the coming months.

Ransomware Sets Its Sights On Sites: Your computer isn’t the only thing hackers can be hold for ransom these days. Now your website could be a target too. Victims of the newest ransomware attack -- dubbed “Linux.Encoder.1” -- must pay off cyber crooks to get a key code that’ll unlock their sites. But people who pay the ransom shouldn’t expect their site to run smoothly right away. Reports indicate that even after sites are decrypted, the site files and code are a bit wonky. Now we know what’s worse than a cybercrook... A cybercrook with poor quality control.

Feds Arrest Suspects In Biggest Bank Data Heist Of All Time: The US government handed down indictments and announced arrests in connection to the 2014-2015 data breaches of JP Morgan, Chase, E*Trade, and Scottrade. The JP Morgan hack, which resulted in the theft of 83 million customer records, is considered the largest data theft of an American bank. According to federal documents, the criminal operation that pulled off the cyber break-ins also manipulated share prices by promoting specific stocks to huge lists of investors. They also ran spam campaigns for fake pharmaceuticals and anti-virus products, and evaded detection by hacking into the security company assigned to sniff out the fraud they were conducting.

Starwood Hotel Customer Credit Card Info Hacked: This month Starwood Hotels and Resorts reported that it was the victim of data breaches at its point of sale devices. The hacks occurred between November 2014 and June of this year. Attackers managed to breach devices at 54 Starwood locations where they gained access to detailed credit card information -- customer names, card numbers, security codes, and expiration dates. Many experts have cited concerns about the company’s decision to disclose this breach only after its recent $12.2 billion buyout by hospitality giant, Marriott International.

Exploit Kits Are On The Rise: According to a new report from Infoblox and IID, exploit kit attacks are 75% more common in Q3 2015 than they were at this time last year. Exploit kits – packages that deliver malware – spread across the web via spam, phishing attacks, infected sites, and malicious ads. Among the most recent big exploit kit attacks was this October’s cyber assault on the British Daily Mail. The tabloid was hit with the Angler exploit kit, which resulted in malicious ads being displayed to online readers for approximately 5 days.

New Malware Ready for the Holiday Rush: The data stealing malware Dyreza is fully equipped to siphon data from the latest operating systems. This news comes courtesy of Heimdal Security, which reports that the Dyreza banking Trojan has been updated to work with Microsoft 10 and Windows Edge, Microsoft’s new Web browser. The new Trojan is especially worrisome because it can hack popular software that’s used for financial transactions. As the Christmas buying frenzy grows, so too will opportunities for thieves to steal from holiday shoppers.

Insta-App Reveals Gaps In App Approval Process: Apple and Google have pulled the InstaAgent app after learning the app was stealing its users’ passwords. The problem with InstaAgent is the tip of the iceberg, according to a new article by Naked Security. The problem is the app vetting process, which can’t possibly handle the enormous volume of approved apps while simultaneously guaranteeing user security. Just how many apps do the big app stores have to approve? NakedSecurity estimates that this year, Apple’s Store and Google Play have been churning out app approvals at an average rate of 400 per day.

Publishers Victimized By Ad-Hacking Malware: Nevermind the mobile ad-blasting features that have struck fear in the hearts of online advertisers. The world of digital marketing has a potentially bigger mortal enemy: hacked ads. According to a new report, digital publishers using the third-party service PageFair had their ads hacked. The publishers had hired PageFair to help them publish safe, unobtrusive ads for their visitors. But instead of seeing more viewer-friendly banners and promotions, online visitors were offered infected ads that executed malicious JavaScript on the publisher’s pages.