
Cyber Bites

Podcast Cyber Bites
Edwin Kwan
Your weekly dose of cyber security news by Edwin Kwan. Stay sharp in the digital world! "Cyber Bites" delivers cybersecurity insights, industry trends, and pers...

Available episodes

5 of 37
  • Cyber Bites - 31st January 2025
    * Subaru Flaw Could Have Let Hackers Track and Control Vehicles
    * Hundreds of Fake Reddit Sites Push Lumma Stealer Malware
    * Cybersecurity Needs to Start Saying 'No' Again
    * GitHub Desktop and Other Git Clients Vulnerable to Credential Leaks
    * Sophisticated Voice Phishing Scam Attempt Exploiting Google Workspace Domain Verification Flaw

    Subaru Flaw Could Have Let Hackers Track and Control Vehicles
    https://samcurry.net/hacking-subaru

    A critical security vulnerability in Subaru's Starlink service could have allowed attackers to remotely control and track vehicles in the United States, Canada, and Japan. The flaw, discovered by security researchers Sam Curry and Shubham Shah, enabled attackers to gain unrestricted access to customer accounts using limited information such as the victim's last name, ZIP code, email address, phone number, or license plate.

    This access would have allowed attackers to:
    * Remotely start, stop, lock, and unlock vehicles.
    * Track vehicle locations in real time and access historical location data.
    * Access sensitive customer information, including personal details, billing information, and emergency contacts.

    The researchers exploited a vulnerability in the Starlink admin portal, allowing them to bypass authentication measures and gain unauthorized access to customer accounts. The portal has two-factor authentication (2FA), which was also easily bypassed by removing the client-side overlay from the portal's user interface. Subaru addressed the issue within 24 hours of being notified.

    While this specific flaw was not exploited, it highlights the critical importance of robust security measures for connected vehicles. This incident follows a similar vulnerability discovered in Kia's dealer portal, emphasizing the need for automakers to prioritize vehicle security and protect customer data.

    Hundreds of Fake Reddit Sites Push Lumma Stealer Malware
    https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/

    Cybercriminals are leveraging hundreds of fake Reddit and WeTransfer websites to distribute the Lumma Stealer malware. These deceptive websites mimic the appearance of legitimate platforms, tricking users into downloading malicious payloads. For instance, the fake Reddit sites display fabricated discussion threads where users appear to be assisting each other with downloading files. The thread creator asks for help to download a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks him to make everything appear legitimate. These threads often link to fake WeTransfer pages, which then redirect users to download the Lumma Stealer malware.

    Lumma Stealer is a sophisticated info-stealer known for its advanced evasion techniques and data theft capabilities. It can steal sensitive information such as passwords, cookies, and other credentials, potentially allowing attackers to hijack accounts and gain access to valuable data.

    This campaign highlights the ongoing threat of social engineering and the importance of critical thinking when interacting with online content. Users are advised to be wary of unsolicited downloads and to verify the authenticity of websites and messages before clicking on any links.

    Cybersecurity Needs to Start Saying 'No' Again
    https://www.darkreading.com/cyber-risk/security-needs-start-saying-no-again

    For years, cybersecurity teams were often perceived as the "Department of No," constantly blocking initiatives due to security concerns. However, in an effort to demonstrate value and foster collaboration, many teams have shifted towards a more accommodating approach. While this shift has its benefits, some experts argue that it may have gone too far, leading to security teams overlooking critical risks and compromising their ability to effectively protect the organization.

    Avoiding necessary "nos" can have detrimental consequences, including:
    * Misalignment: Lack of clear boundaries can lead to confusion and misalignment between security teams and other departments.
    * Overwhelmed Teams: Constant pressure to accommodate requests can overwhelm security teams and lead to burnout.
    * Unmanaged Risks: Compromising on security measures can increase the organization's vulnerability to cyber threats.

    However, saying "no" effectively is crucial. It requires careful consideration, clear communication, and a focus on aligning security decisions with broader business goals. By emphasizing the importance of well-considered "nos" and fostering open communication and collaboration, security teams can better protect their organizations while maintaining positive relationships with other departments.

    GitHub Desktop and Other Git Clients Vulnerable to Credential Leaks
    https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/

    Multiple vulnerabilities have been discovered in popular Git clients, including GitHub Desktop, that could allow attackers to steal user credentials. These vulnerabilities, stemming from improper handling of messages within the Git Credential Protocol, could be exploited by attackers to trick users into sending their credentials to malicious servers. One such vulnerability, CVE-2025-23040, affects GitHub Desktop and allows attackers to inject malicious URLs that can mislead the client into sending credentials to the wrong server. Other vulnerabilities impact the Git Credential Manager and Git LFS, also allowing attackers to exploit weaknesses in how these tools handle URLs and potentially leak credentials. GitHub CLI is also vulnerable, particularly when used within GitHub Codespaces, where it can inadvertently leak access tokens to unauthorized hosts.

    These vulnerabilities highlight the importance of keeping software updated and exercising caution when interacting with untrusted repositories. Users are advised to update their Git clients to the latest versions, avoid cloning repositories from untrusted sources, and minimize the use of credential helpers where possible.

    Sophisticated Voice Phishing Scam Attempt Exploiting Google Workspace Domain Verification Flaw
    https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4

    Google is fortifying its security measures following a recent, elaborate voice phishing attack documented by programmer Zach Latta. Latta, founder of Hack Club, detailed a close call he had with scammers who attempted to hijack his Google account through a series of tactics that bypassed traditional security measures.

    The scammers, posing as Google Workspace support staff, contacted Latta claiming to have detected a suspicious login attempt. They used a phone number associated with Google Assistant calls and a seemingly legitimate "Google" caller ID. Additionally, a password reset email was sent from a genuine Google Workspace address, making the scam highly convincing. However, Latta remained cautious and ultimately identified inconsistencies in the scammers' story. Notably, one scammer contradicted another on details, and a request to call them back was met with an unfazed response, raising a red flag.

    This incident exposes a critical vulnerability: the ability for attackers to create Google Workspace accounts using unverified g.co subdomains. This allows them to send password reset emails that appear to originate from Google itself. Google has acknowledged the issue and is taking steps to bolster its defenses against such scams. They have suspended the account used in this attempt and are working to prevent attackers from exploiting g.co subdomains during registration.

    The Latta case serves as a stark reminder to be wary of unsolicited calls, even if they appear to come from legitimate sources. Users should never provide sensitive information over the phone and should be extra cautious about emails originating from unverified senders. This incident also highlights the evolving nature of phishing tactics and the need for continuous vigilance and security improvements.

    This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
    8:21
  • Cyber Bites - 24th January 2025
    * DDoS Attack Hits Record Breaking 5.6Tbps
    * Telegram Captcha Trick Lures Users into Running Malicious PowerShell Scripts
    * 7-Zip Patch Released to Address Mark of the Web Bypass Vulnerability
    * MasterCard DNS Misconfiguration Exposed for Years
    * Supply Chain Attack Targets Chrome Extensions, Potentially Impacting Millions

    DDoS Attack Hits Record Breaking 5.6Tbps
    https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/

    Cloudflare has mitigated the largest DDoS attack ever recorded, peaking at a staggering 5.6 terabits per second (Tbps). This UDP-based attack, launched by a Mirai-based botnet of over 13,000 compromised devices, targeted an internet service provider (ISP) in Eastern Asia on October 29th, 2024. While the attack lasted only 80 seconds, it highlights the growing trend of hyper-volumetric DDoS attacks. These attacks, exceeding 1 Tbps, surged in the fourth quarter of 2024, with a quarter-over-quarter growth of 1,885%.

    Cloudflare observed a significant increase in short-lived attacks, with 72% of HTTP and 91% of network layer DDoS attacks lasting less than 10 minutes. This trend favors "blitz" attacks designed for maximum impact during peak usage periods. Ransom DDoS attacks also saw a notable increase, peaking during the holiday season. Cloudflare emphasizes the need for automated DDoS protection services to effectively mitigate these rapid and powerful attacks.

    The most targeted sectors included telecommunications, service providers, internet services, and marketing/advertising. China, the Philippines, and Taiwan were the most frequently targeted regions.

    Telegram Captcha Trick Lures Users into Running Malicious PowerShell Scripts
    https://x.com/vxunderground/status/1881946956806926351

    Cybercriminals are exploiting the recent pardon of Silk Road founder Ross Ulbricht to spread malware. The attack leverages a "Click-Fix" tactic, where users are tricked into running malicious code disguised as a necessary step. In this case, fake Ross Ulbricht accounts on X (formerly Twitter) direct users to a Telegram channel. Within the Telegram channel, users are presented with a fake "identity verification" process. This process culminates in a Telegram mini-app that automatically copies a PowerShell command to the user's clipboard. Victims are then instructed to paste this command into the Windows Run dialog and execute it. This action downloads and executes a malicious script, potentially leading to the installation of Cobalt Strike, a powerful penetration testing tool often used by threat actors for malicious purposes.

    This sophisticated attack highlights the importance of exercising extreme caution before executing any code received from unknown sources. Users should always verify the authenticity of any such requests and never blindly execute commands from untrusted sources.

    7-Zip Patch Released to Address Mark of the Web Bypass Vulnerability
    https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/

    7-Zip users are urged to update to the latest version (24.09) immediately to address a critical security vulnerability (CVE-2025-0411). This flaw allows attackers to bypass the Mark of the Web (MotW) security warnings in Windows, potentially enabling them to execute malicious code on unsuspecting users' machines. Introduced in June 2022, MotW flags downloaded files as potentially risky, prompting warnings when users attempt to open or run them. This additional layer of security helps prevent malware infections.

    The newly patched vulnerability allowed attackers to exploit nested archives. When extracting malicious files from such archives, 7-Zip failed to propagate the MotW flag to the extracted files, essentially rendering the security warnings useless. Fortunately, the 7-Zip developer released a fix on November 30th, 2024. However, due to the lack of auto-update functionality, many users might still be running vulnerable versions. Given the potential severity of this exploit, it's crucial for all 7-Zip users to update to version 24.09 as soon as possible. This vulnerability is similar to others exploited in the past to deliver malware. Patching promptly is essential to stay protected.

    MasterCard DNS Misconfiguration Exposed for Years
    https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/

    A critical error in MasterCard's domain name system (DNS) configuration went unnoticed for nearly five years. This misconfiguration could have allowed attackers to intercept or divert internet traffic for a portion of the mastercard.com network. The issue stemmed from a typo in one of the five DNS server names MasterCard uses at Akamai, a major internet infrastructure provider. These servers translate website names into numeric addresses for computers. Instead of ending in "akam.net" like the others, this particular server was named "akam.ne."

    Philippe Caturegli, a security researcher, discovered the typo and registered the corresponding domain "akam.ne" for $300 to prevent malicious actors from exploiting it. Caturegli observed hundreds of thousands of DNS requests hitting his server daily, indicating others might have made similar typos. Had Caturegli set up malicious services on "akam.ne," he could have potentially intercepted emails or even obtained website encryption certificates for affected domains. However, he responsibly reported the issue directly to MasterCard.

    MasterCard downplayed the security risks, claiming there was "not a risk to our systems." Caturegli disputed this, highlighting the potential for attackers to leverage public DNS resolvers and long-lasting cached data to reroute a significant portion of traffic. The incident underscores the importance of robust DNS configurations and responsible vulnerability disclosure practices. MasterCard has since corrected the error, but the episode raises concerns about potential security weaknesses in critical infrastructure.

    Supply Chain Attack Targets Chrome Extensions, Potentially Impacting Millions
    https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/

    A sophisticated supply chain attack has targeted Chrome extension developers, compromising dozens of extensions and potentially impacting millions of users. The campaign involved phishing emails impersonating official Chrome Web Store communications. These emails lured developers into granting access to a malicious OAuth app, allowing attackers to upload compromised versions of their extensions. The attack, which may have been ongoing since at least December 2023, targeted sensitive data like API keys and session cookies from services like ChatGPT and Facebook for Business.

    While many compromised extensions have been removed from the Chrome Web Store, and developers have released updates, the full extent of the damage remains unclear. This incident highlights the critical importance of robust security measures for developers and the need for constant vigilance against evolving phishing tactics.
    7:29
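The MasterCard story above comes down to one nameserver out of five being spelled "akam.ne" rather than "akam.net". The following audit is an added example (not code from the podcast or the Krebs article) showing how a zone owner can catch that class of error from the NS hostnames returned for a zone: it infers the expected provider domain from the majority of hosts and flags any host whose parent domain is a small edit away from it, or belongs to no expected provider at all. The function names and the NS list are mine; the sample NS set is constructed.

```python
"""Flag look-alike nameserver hosts in a zone's NS set.

Added example, not from the podcast or the Krebs article. Given the NS
hostnames returned for a zone (e.g. from `dig NS <zone> +short`), infer the
expected provider domain(s) from the majority and flag any host whose parent
domain is a likely typo of one, or is not an expected provider at all.
"""
from collections import Counter


def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parent_domain(host: str) -> str:
    """Last two labels of a hostname: 'a22-65.akam.net.' -> 'akam.net'.

    Good enough for provider-style NS hosts; a public-suffix list would be
    needed for names under multi-label suffixes such as co.uk.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_ns(ns_hosts, expected_parents=None, max_distance=2):
    """Return (host, reason) findings for NS hosts that do not belong.

    If expected_parents is None, any parent domain that appears at least
    twice in the NS set is treated as an expected provider. With fewer than
    two hosts per provider nothing can be inferred and every host is flagged,
    so pass an explicit allowlist in that case.
    """
    parents = [parent_domain(h) for h in ns_hosts]
    if expected_parents is None:
        counts = Counter(parents)
        expected_parents = {p for p, c in counts.items() if c >= 2}
    findings = []
    for host, parent in zip(ns_hosts, parents):
        if parent in expected_parents:
            continue
        # An expected provider within a couple of edits is the akam.ne case.
        near = sorted(p for p in expected_parents
                      if levenshtein(parent, p) <= max_distance)
        if near:
            findings.append((host, f"parent domain {parent!r} looks like a typo of {near[0]!r}"))
        else:
            findings.append((host, f"parent domain {parent!r} is not an expected provider"))
    return findings


# Constructed sample modelled on the five-server pattern described in the
# story: four hosts under akam.net and one typo'd host under akam.ne.
SAMPLE_NS = [
    "a22-65.akam.net.",
    "a1-130.akam.net.",
    "a7-65.akam.net.",
    "a26-64.akam.net.",
    "a2-67.akam.ne.",
]

if __name__ == "__main__":
    for host, reason in audit_ns(SAMPLE_NS):
        print(f"SUSPICIOUS {host}: {reason}")
```

Run it against the NS set of every zone you own on a schedule; a typo'd nameserver is silent in normal operation, which is how this one survived for years.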
  • Cyber Bites - 17th January 2025
    * Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage
    * Phishing Texts Trick iMessage Users into Disabling Security
    * Fake CrowdStrike Job Offers Used to Distribute Cryptominer
    * Stealthy WordPress Skimmers Infiltrate Database Tables
    * A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime

    Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage
    https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

    A new ransomware campaign leverages Amazon Web Services' (AWS) Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victims' data stored in S3 buckets. This tactic, discovered by cybersecurity firm Halcyon, sees threat actors, such as the group dubbed "Codefinger," infiltrate AWS accounts and utilize the SSE-C feature with their own encryption keys. The campaign hinges on the fact that AWS does not store these customer-provided keys. This makes data recovery impossible for victims even if they report the incident to Amazon. After encrypting the data, attackers set a seven-day file deletion policy and leave ransom notes demanding Bitcoin payments in exchange for the decryption key.

    Halcyon advises AWS customers to implement strict security protocols, including disabling unused keys, regularly rotating active keys, and minimizing account permissions. They also recommend setting policies that restrict the use of SSE-C on S3 buckets where possible. This incident highlights the critical need for robust security measures within cloud environments, emphasizing the importance of secure key management and vigilant monitoring for unauthorized activity.

    Phishing Texts Trick iMessage Users into Disabling Security
    https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/

    Cybercriminals are employing a new tactic in their smishing (SMS phishing) campaigns: tricking Apple iMessage users into replying to texts, thereby disabling the platform's built-in phishing protection. iMessage automatically disables links in messages from unknown senders as a security measure. However, replying to such a message or adding the sender to your contacts list will enable these links.

    Recent smishing attacks, such as those mimicking USPS shipping issues or unpaid road tolls, instruct recipients to reply with "Y" to enable a disabled link. This plays on the common user behavior of replying to texts to confirm appointments or opt out of services. By replying, users inadvertently disable iMessage's security for that specific text, potentially exposing themselves to malicious links and scams. Even if the user doesn't click the enabled link, their response signals to attackers that they are susceptible to phishing attempts.

    Security experts advise against replying to texts with disabled links from unknown senders. Instead, users should contact the purported sender directly to verify the message's legitimacy.

    Fake CrowdStrike Job Offers Used to Distribute Cryptominer
    https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/

    Cybercriminals are targeting developers with a new phishing campaign that impersonates CrowdStrike, a cybersecurity company. The campaign tricks victims into downloading a malicious application that installs a cryptominer on their devices.

    Here's how the scam works:
    * Phishing Email: The attacker sends a phishing email that appears to be from a CrowdStrike recruiter. The email congratulates the recipient on being shortlisted for a junior developer position and asks them to schedule an interview.
    * Malicious Link: The email contains a link that takes the victim to a fake website that looks like a legitimate CrowdStrike domain.
    * Fake CRM Application: The website prompts the victim to download a "customer relationship management (CRM)" application to schedule the interview. However, this application is actually malware.
    * Cryptominer Download: Once downloaded and installed, the malware downloads and installs a cryptominer on the victim's device. Cryptominers use the victim's device to mine cryptocurrency for the attacker.

    This is a sophisticated phishing campaign that leverages the credibility of a well-known company. Here are some tips to avoid falling victim to this scam:
    * Be wary of unsolicited emails: Don't click on links or download attachments from emails from unknown senders.
    * Verify the sender's email address: If you receive an email from a recruiter, carefully check the email address to make sure it's legitimate.
    * Don't download software from untrusted sources: Only download software from the official website of the company.
    * Be suspicious of urgent requests: If an email asks you to take immediate action, it's probably a scam.

    Stealthy WordPress Skimmers Infiltrate Database Tables
    https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html

    Cybersecurity researchers have uncovered a new wave of credit card skimmers targeting WordPress e-commerce sites. This campaign injects malicious JavaScript into the wp_options table of the WordPress database, making it difficult to detect with traditional scanning tools.

    How the Skimmer Works
    * Database Injection: The skimmer code is injected into the wp_options table disguised as a widget block.
    * Checkout Page Activation: The malicious code springs into action only on checkout pages.
    * Fake Payment Form: The skimmer either hijacks existing payment fields or injects a fraudulent payment form that mimics legitimate processors like Stripe.
    * Data Theft: The form captures credit card details, including numbers, expiration dates, CVV codes, and billing information. The stolen data is then encoded to evade detection and sent to attacker-controlled servers.

    Campaign Similarities to Previous Attacks
    This campaign shares similarities with a previous attack discovered by Sucuri in December 2024. That attack also used JavaScript to create fake payment forms or steal data from legitimate forms on checkout pages. However, the stolen data was obfuscated differently, using a combination of JSON encoding, XOR encryption, and Base64 encoding.

    These recent discoveries highlight the evolving tactics of cybercriminals. E-commerce website owners should stay updated on the latest threats and implement robust security measures, including regular vulnerability scanning and database backups. Users should also be cautious about entering payment information on unfamiliar websites and look for signs of a secure connection (HTTPS).

    A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime
    https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/

    FunkSec, a recently emerged ransomware group, has taken the cybersecurity world by storm with its aggressive tactics and claims of over 85 victims in just a month. However, a closer look reveals a more complex story.

    Key Points:
    * Rapid Rise: FunkSec emerged in late 2024 and quickly gained notoriety for its high number of claimed victims.
    * Low Expertise: Despite their claims, FunkSec appears to be run by inexperienced actors, with the malware riddled with redundancies and the group recycling leaked data from other sources.
    * AI-Assisted Development: The group leverages AI tools to enhance their capabilities, including generating code comments and potentially aiding in ransomware development.
    * Hacktivist Leanings: FunkSec aligns itself with hacktivist causes and targets specific countries, but the legitimacy of these connections remains unclear.
    * Blurred Lines: FunkSec's activities blur the line between hacktivism and cybercrime, raising questions about their true motivations.

    Motives and Methods
    FunkSec uses a combination of data theft and encryption (double extortion) to pressure victims into paying ransoms. They offer their custom ransomware, DDoS tools, and password generation utilities. Interestingly, their ransomware demands are unusually low, sometimes as little as $10,000, and they also sell stolen data to third parties.

    Technical Analysis
    The FunkSec ransomware is written in Rust and exhibits several peculiarities. The code contains redundancies, with functions being called repeatedly. Additionally, the malware leverages AI-generated comments, suggesting a reliance on AI tools for development.

    Uncertainties and Challenges
    FunkSec's true expertise and motivations remain unclear. Their use of recycled data casts doubt on the authenticity of their leaks, and their connection to hacktivism is questionable. This case highlights the evolving threat landscape where even less-skilled actors can leverage AI and readily available tools to cause significant disruption.

    The Future
    FunkSec serves as a wake-up call for the cybersecurity community. We need to develop better methods for assessing ransomware threats and be wary of groups that rely on self-promotion and manipulation. As AI becomes more accessible, it's crucial to stay ahead of its potential misuse by malicious actors.
    9:35
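Halcyon's recommendation in the SSE-C story above is to restrict SSE-C on buckets that never legitimately use it. As an added example (not code from the podcast or from Halcyon), the block below builds a bucket policy that denies s3:PutObject whenever the request carries the SSE-C algorithm header, using the documented condition key s3:x-amz-server-side-encryption-customer-algorithm, and includes an audit that checks an existing policy document for such a statement. The bucket name, the account ID and the sample policy are placeholders I constructed; the function names are mine.

```python
"""Block SSE-C writes to a bucket, and audit an existing policy for that control.

Added example, not from the podcast or the Halcyon report. The ransomware
described in the story has to call PutObject with a customer-provided key;
a bucket-policy Deny keyed on the SSE-C algorithm header refuses that on
buckets that never use SSE-C. Bucket and account values are placeholders.
"""
import json

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy with a single Deny: no PutObject may use SSE-C."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeyEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null=false means "the header IS present", so every SSE-C
                # upload is refused regardless of who sends it.
                "Condition": {"Null": {SSE_C_KEY: "false"}},
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _cond_lookup(cond: dict, operator: str, key: str):
    """Case-insensitive lookup of cond[operator][key] (IAM ignores case here)."""
    for op, kv in cond.items():
        if op.lower() == operator.lower():
            for k, v in kv.items():
                if k.lower() == key.lower():
                    return v
    return None


def policy_blocks_sse_c(policy) -> bool:
    """True if a Deny on PutObject is conditioned on the SSE-C algorithm key.

    Accepts either a parsed policy or the JSON text returned by
    `aws s3api get-bucket-policy --query Policy --output text`.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("s3:putobject", "s3:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        null_v = _cond_lookup(cond, "Null", SSE_C_KEY)
        if null_v is not None and str(null_v).lower() == "false":
            return True   # header-present form, as generated above
        eq_v = _cond_lookup(cond, "StringEquals", SSE_C_KEY)
        if eq_v is not None and "AES256" in _as_list(eq_v):
            return True   # explicit-algorithm form (SSE-C only supports AES256)
    return False


# Constructed sample of a bucket policy that grants an application role read
# access but carries no SSE-C control at all.
SAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppReads",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    print("existing policy blocks SSE-C:", policy_blocks_sse_c(SAMPLE_EXISTING_POLICY))
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
```

The Deny only stops new SSE-C writes; objects already encrypted with an attacker's key remain unreadable, which is why Halcyon pairs this control with key hygiene and monitoring for unauthorized activity.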
  • Cyber Bites - 10th January 2025
    * Cybersecurity in 2024: Top Stories that Rocked the Digital World
    * Over 4,000 Compromised Systems Exposed Through Hijacked Web Backdoors
    * Desperate Job Seekers Targeted by WhatsApp Employment Scams
    * Voice Phishing Rings Target Crypto Investors Using Apple Support Line
    * Neglected Domains Fuel Rise in Malicious Email Campaigns

    Cybersecurity in 2024: Top Stories that Rocked the Digital World
    https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2024/

    The year 2024 was marked by an unprecedented wave of cybersecurity incidents, from devastating data breaches to crippling ransomware attacks. As new threat actors emerged and vulnerabilities were exploited, both private and public organizations struggled to keep pace. BleepingComputer highlighted the most impactful stories, and here’s a summary of some of the year’s most critical incidents:

    Major Cyberattacks and Data Breaches
    * Internet Archive Breach – In October, a dual attack hit the Internet Archive, exposing the data of 33 million users and forcing service disruptions. Threat actors exploited an exposed GitLab configuration file to gain access.
    * National Public Data Leak – A staggering 2.7 billion personal records, including Social Security numbers, were leaked in August. The breach impacted millions, with hackers later leaking the data for free on a hacking forum.
    * Microsoft Email Breach by Russian Hackers – Russian-backed group Midnight Blizzard infiltrated Microsoft’s corporate email, stealing sensitive communications and source code. The breach extended to U.S. federal agencies, raising national security concerns.

    Industry-Wide Disruptions
    * Faulty CrowdStrike Update Crashes Millions of Devices – A botched update from cybersecurity giant CrowdStrike in July led to 8.5 million Windows devices crashing worldwide. Cybercriminals capitalized on the chaos by distributing malware through fake repair tools.
    * CDK Global Ransomware Attack – A Black Suit ransomware attack on auto-industry SaaS provider CDK Global disrupted operations for car dealerships across the U.S., halting sales, financing, and service.
    * UnitedHealth Ransomware Incident – A February ransomware attack on Change Healthcare, a UnitedHealth subsidiary, affected the healthcare sector nationwide. The company paid a $20 million ransom to restore operations, but extortion attempts continued.

    Government Actions and Security Reforms
    * Kaspersky Banned in the U.S. – The Biden administration banned Kaspersky antivirus in June, citing national security concerns. A forced migration to UltraAV left users outraged.
    * Telecom Hacks by Chinese Group Salt Typhoon – Chinese state-sponsored hackers breached major U.S. telecom providers, stealing call data and infiltrating surveillance platforms. The attacks prompted legislative action to improve telecom cybersecurity standards.
    * LockBit Ransomware Disrupted – In February, international law enforcement seized LockBit’s infrastructure, but the ransomware group re-emerged days later with renewed threats. Despite efforts to return to prominence, LockBit struggled under continued pressure from global authorities.

    Emerging Threats
    * Rise of Infostealers – Information-stealing malware campaigns surged, targeting everything from browser data to cryptocurrency wallets. Cybercriminals used infostealers to breach corporate networks and financial accounts, prompting renewed calls for two-factor authentication.
    * North Korean IT Worker Scheme – North Korean operatives posed as remote IT workers to infiltrate U.S. companies and fund their nation’s operations. A high-profile arrest in August highlighted the growing threat, with several companies unknowingly hiring such agents.

    Looking Ahead
    As cyber threats grow more sophisticated, 2024 underscores the critical need for robust cybersecurity measures. Organizations must strengthen defenses, governments must implement stricter regulations, and individuals must adopt best practices like multi-factor authentication to mitigate risks in an increasingly digital world.

    Over 4,000 Compromised Systems Exposed Through Hijacked Web Backdoors
    https://www.bleepingcomputer.com/news/security/over-4-000-backdoors-hijacked-by-registering-expired-domains/

    Security researchers at WatchTowr Labs have discovered thousands of active web backdoors hijacked by registering expired domains used to control them. These backdoors, found on systems belonging to governments, universities, and other organizations, provide persistent access for malicious actors. By registering expired domains associated with these backdoors, researchers gained control and observed communication from over 4,000 compromised systems. This included systems within government networks in China, Nigeria, and Bangladesh, as well as educational institutions in Thailand, China, and South Korea.

    The research highlights the ongoing threat posed by abandoned infrastructure. Even after initial attacks, expired domains associated with backdoors can still be exploited by other cybercriminals. This underscores the importance of proper security measures and the need for organizations to regularly review and update their security posture. WatchTowr Labs, in collaboration with The Shadowserver Foundation, is now monitoring these hijacked domains to prevent their re-use by malicious actors.

    Desperate Job Seekers Targeted by WhatsApp Employment Scams
    https://www.theage.com.au/national/broke-desperate-jobseekers-are-falling-for-gold-mine-employment-scams-in-droves-20250105-p5l26q.html

    Australians struggling to find work are falling victim to sophisticated employment scams operating on platforms like WhatsApp, costing individuals and businesses thousands of dollars. These scams often involve impersonating legitimate businesses and offering enticing work-from-home opportunities. Victims are then lured into making upfront payments under false pretenses, with the promise of high returns that never materialize.

    One such scam targeted the business of Gareth, a marketing agency owner, who received numerous messages from individuals who had been defrauded by scammers impersonating his company. Victims reported losing significant sums of money, with some even facing financial ruin. The scams often involve complex schemes, with victims required to make multiple payments to "unlock" higher earning potential. These schemes prey on the desperation of job seekers, particularly those facing financial hardship.

    While platforms like WhatsApp offer encryption, they have been criticized for their limited efforts to combat these scams. Experts argue that these platforms have a responsibility to detect and prevent fraudulent activity, such as blocking accounts involved in scams and removing misleading advertisements. The Australian government is taking steps to address the issue, including proposing new legislation to hold social media companies accountable for scams facilitated on their platforms. However, the fight against these sophisticated scams continues. This article highlights the urgent need for increased vigilance and stronger measures to protect individuals from falling victim to online employment scams.

    Voice Phishing Rings Target Crypto Investors Using Apple Support Line
    https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/

    A new report reveals how sophisticated voice phishing gangs are exploiting legitimate services from Apple and Google to steal millions from cryptocurrency investors. These groups, operating within secretive online communities, utilise advanced social engineering techniques and exploit vulnerabilities in security measures.

    One key tactic involves abusing Apple's support line. By spoofing the victim's phone number, attackers can initiate a call to Apple support and request a notification to be sent to all the victim's Apple devices. This seemingly legitimate notification, which appears to originate from Apple, builds trust and allows the attackers to guide the victim through a series of steps, ultimately leading them to a fraudulent website where they enter their login credentials.

    These groups meticulously research their targets, leveraging data brokers to gather personal information and identify high-value individuals. They employ sophisticated tools and techniques, including "autodoxers" that automate data collection and verification, to refine their target lists and increase their chances of success. The internal dynamics of these groups are characterised by a precarious balance of collaboration and betrayal. Members often compete for rewards, leading to internal conflicts and the rapid dissolution of groups. This volatile environment creates a constant churn, with new groups forming and disbanding frequently.

    While companies like Apple are taking steps to enhance security measures, the sophistication of these attacks continues to evolve. This highlights the urgent need for increased vigilance and a multifaceted approach to combating these sophisticated cyber threats.

    Neglected Domains Fuel Rise in Malicious Email Campaigns
    https://thehackernews.com/2025/01/neglected-domains-used-in-malspam-to.html

    Cybersecurity researchers have uncovered a concerning trend where cybercriminals are increasingly exploiting neglected domains to evade email security measures and deliver malicious payloads. By spoofing sender addresses with domains that lack active DNS records, attackers can bypass security checks like SPF and DMARC, which rely on domain authentication mechanisms. This allows them to deliver malicious emails containing phishing links, malware attachments, and extortion threats with greater success.

    One such observed campaign leverages old, disused domains to deliver emails with QR codes that, when scanned, redirect victims to phishing sites. Other campaigns impersonate legitimate brands like Amazon and Mastercard to steal login credentials. Furthermore, the rise of generic top-level domains (gTLDs) like .top, .xyz, and .shop has provided cybercriminals with readily available and inexpensive options for establishing malicious infrastructure. These domains, often lacking robust registration requirements, are increasingly used for hosting phishing sites and distributing malware.

    Beyond email-based attacks, the threat landscape is evolving with the emergence of new tactics. These include the use of trusted platforms like Canva and Dropbox to redirect users to malicious sites, and the development of malicious WordPress plugins designed to steal payment information. These findings underscore the need for continuous vigilance and robust security measures to combat the ever-evolving tactics of cybercriminals.
    --------  
    6:58
  • Cyber Bites - 3rd January 2025
    * Fake Stars Inflate Popularity of Malicious GitHub Repositories
    * Cybercriminals Exploit Chrome Web Store to Infect Millions of Users
    * Malicious Packages Found on Python Package Index and VSCode Marketplace
    * One Third of Adults Don't Know How to Erase Their Data from an Old Device
    * New Clickjacking Technique "DoubleClickjacking" Bypasses Security Measures

Fake Stars Inflate Popularity of Malicious GitHub Repositories
https://arxiv.org/pdf/2412.13459

A new study reveals a significant problem with inauthentic "stars" being used to artificially inflate the popularity of scam and malware distribution repositories on GitHub. These fake stars mislead users into trusting malicious projects and potentially downloading malware.

How Fake Stars Work
* GitHub users can "star" repositories, similar to liking them on social media platforms.
* The number of stars is a key factor in how GitHub ranks repositories and recommends them to users.
* Malicious actors create fake accounts or compromise existing ones to star malicious repositories, making them appear more popular and trustworthy.

Impact of Fake Stars
* Increased Reach for Malicious Projects: Fake stars help malicious repositories reach more unsuspecting users who may be tricked into downloading malware.
* Eroded Trust in GitHub: The widespread use of fake stars undermines the overall trust and credibility of the GitHub platform.

Researchers developed a tool called StarScout to analyze user activity and identify patterns indicative of fake stars. StarScout looks for signs of low user activity, bot-like behavior, and coordinated starring activity across multiple accounts.

The study identified 4.5 million suspected fake stars across GitHub. These fake stars were associated with over 15,800 repositories and 278,000 user accounts.

Recommendations for Users
* Don't rely solely on the number of stars to judge a repository's legitimacy.
* Carefully evaluate the repository's activity, documentation, code quality, and user contributions.
* Be cautious when downloading software from GitHub, especially from repositories with few contributions or suspicious activity.

This study highlights the importance of staying vigilant when using GitHub. By being aware of fake stars and other deceptive tactics, users can help protect themselves from malware and other online threats.

Cybercriminals Exploit Chrome Web Store to Infect Millions of Users
https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

A sophisticated cyberattack has compromised at least 35 Chrome browser extensions, potentially exposing over 2.6 million users to data theft and credential stealing.

The campaign began with a phishing attack targeting a Cyberhaven employee, granting attackers access to their Chrome Web Store account. This allowed them to inject malicious code into the Cyberhaven extension, which was subsequently downloaded by numerous users.

Further investigation revealed that this was not an isolated incident. Multiple other extensions, including popular tools for AI assistance, VPNs, and video recording, were also compromised, likely through similar phishing attacks.

These malicious extensions collected user data, including cookies, access tokens, and potentially even sensitive financial information. Some extensions even contained code designed to steal Facebook login credentials.

Attacks like these highlight the growing threat of compromised browser extensions. As these extensions often have broad access to user data and browsing activity, they can be a significant entry point for cybercriminals.

Users are advised to exercise caution when installing browser extensions, carefully vetting their source and checking for any suspicious activity. Developers are also urged to implement strong security measures to protect their accounts and prevent unauthorised access.

This ongoing campaign underscores the importance of vigilant security practices in the ever-evolving threat landscape of online activity.

Malicious Packages Found on Python Package Index and VSCode Marketplace
https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code

Cybersecurity researchers have discovered malicious packages uploaded to the Python Package Index (PyPI) and the Visual Studio Code Marketplace. These packages, disguised as legitimate tools for cryptocurrency development and productivity, were designed to steal sensitive information from developers' systems.

The malicious PyPI packages, named "zebo" and "cometlogger," were downloaded hundreds of times before being removed. These packages contained code to steal keystrokes, capture screenshots, and exfiltrate sensitive data, including credentials from popular platforms like Discord, Steam, and Instagram.

Similarly, researchers identified malicious VSCode extensions that targeted cryptocurrency developers and Zoom users. These extensions, often with names resembling legitimate tools, downloaded and executed malicious payloads.

Typosquatting and Fake Reviews
Attackers employed typosquatting techniques, creating packages with names that closely resembled legitimate ones, such as "@typescript_eslinter/eslint" instead of "typescript-eslint." They also inflated download numbers and used fake reviews to make these malicious packages appear more trustworthy.

Impact and Recommendations
This incident highlights the growing threat of supply chain attacks targeting software development ecosystems. Developers are urged to exercise extreme caution when downloading and installing packages from online repositories.

Key recommendations include:
* Thoroughly vetting all packages before installation.
* Checking the source and reputation of the developer.
* Regularly auditing development environments for potential threats.

This incident serves as a stark reminder of the importance of maintaining a strong security posture throughout the entire software development lifecycle.

One Third of Adults Don't Know How to Erase Their Data from an Old Device
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/14-million-people-don-t-know-how-to-erase-their-data-from-an-old-device/

A new survey from the UK's Information Commissioner's Office (ICO) reveals that nearly a third of adults in the UK don't know how to properly wipe their old electronic devices before discarding them. This lack of awareness poses a significant risk to personal data security.

The survey found that while 71% of respondents agree that wiping data from old devices is important, 24% find the process too difficult. Worryingly, 21% of young people (aged 18-34) believe wiping data is unnecessary, compared to just 4% of those over 55. This suggests a concerning lack of awareness among younger generations about the importance of data security.

The ICO emphasizes the importance of securely erasing personal information before disposing of old devices to prevent data breaches and fraud. Simple methods like factory resets can effectively erase most personal data from mobile phones.

With the holiday season approaching and many people expected to purchase new devices, the ICO urges individuals to prioritize data security and properly dispose of their old electronics.

New Clickjacking Technique "DoubleClickjacking" Bypasses Security Measures
https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html

A new cyberattack technique dubbed "DoubleClickjacking" has been discovered, exploiting the timing between double-clicks to bypass existing clickjacking protections. This allows attackers to trick users into unknowingly granting permissions or performing actions on websites, potentially leading to account takeovers and data theft.

DoubleClickjacking leverages the brief window between two mouse clicks to seamlessly redirect users to malicious pages while they interact with seemingly innocuous elements. This method can bypass common security measures like X-Frame-Options and SameSite cookies, which are designed to prevent clickjacking attacks.

While this technique builds upon existing clickjacking methods, it introduces a new layer of complexity that requires a re-evaluation of current security measures. Researchers suggest that browser vendors should consider implementing new standards to specifically address this vulnerability.

This disclosure follows the discovery of another clickjacking variant earlier this year, highlighting the ongoing evolution of cyberattack techniques and the need for continuous vigilance in online security.
    --------  
    7:13

Generated: 2/5/2025 - 6:03:55 AM