June 2025 - ExploreSec Cybersecurity Awareness Newsletter

June 9, 2025

This is a monthly newsletter I put together for an internal security awareness program. Feel Free to grab and use for your own program.

Be Cautious of Government Emails About Unpaid Tolls and Other Urgent Matters

Have you recently received an email from a government agency about an unpaid toll or another urgent issue? It's important to be extra careful, as cybercriminals are now exploiting official government email systems to send out scam messages.

Key Insights:

Scammers are using official-looking emails that appear to come from legitimate government departments.

A common scam involves emails claiming unpaid tolls and urging you to click a link to pay.

Be wary of urgent requests for information or payment designed to pressure you.

Always check the actual web address of a link by hovering over it without clicking. Suspicious or non-official links should be avoided.

Never share personal or financial information through links in suspicious emails.

Independently verify any questionable government emails by contacting the agency directly through their official website or phone number.

Further Reading: TechCrunch

Beware of Crypto Scams Promoted Through Hacked Social Media

The Internet Crime Complaint Center (IC3) has issued a public service announcement warning about a growing trend: scammers are taking over social media accounts and using them to trick people into investing in fake cryptocurrency schemes. These scams can look very convincing because they appear to come from accounts you or your friends might already follow.

Key Insights to Protect Yourself:

Be suspicious of investment opportunities shared via social media: Even if a post comes from a friend's account, be very cautious about any cryptocurrency investment being promoted. Their account may have been hacked.

Look for red flags in investment promises: Be wary of claims of guaranteed high returns with little to no risk. Legitimate investments always carry some level of risk.

Don't rush into investment decisions: Scammers often create a sense of urgency to pressure you into investing quickly before you have time to think it over or do your research.

Verify the information through official sources: Before investing in any cryptocurrency opportunity, independently research the platform or opportunity through trusted financial news outlets and official cryptocurrency websites. Don't rely solely on what you see on social media.

Be cautious of direct messages about investments: If you receive unsolicited direct messages on social media encouraging you to invest in cryptocurrency, treat them with extreme caution, even if they appear to be from someone you know.

Report suspicious activity: If you see suspicious cryptocurrency promotions on social media, report them to the platform. If you have been a victim of such a scam, file a complaint with the IC3 at ic3.gov.

Remember: If an investment opportunity sounds too good to be true, it probably is.

Further Reading: IC3

Hacked TikTok Videos Push Fake Apps and Steal Your Info!

Trend Micro researchers have uncovered a concerning new trend: videos on TikTok are promoting what appear to be pirated apps, but are actually designed to trick you into downloading dangerous "infostealer" malware like Vidar and StealC. These videos use clever social engineering, providing step-by-step instructions that lead users to compromise their own systems.

Key Insights:

Be Skeptical of "Free" Pirated Apps: If an offer seems too good to be true, especially for paid software offered for free, it's very likely a scam.

Avoid Unsolicited Technical Instructions: Never follow commands or instructions from untrusted sources, particularly if they tell you to disable security features or run unusual software.

Verify Video Sources: Just because a video is popular doesn't mean it's legitimate. Be cautious of content that pushes you to download files or visit external sites.

Recognize Social Engineering: Scammers use convincing visuals and instructions to make their malicious content seem harmless and easy to follow. Always pause and think before acting.

Further Reading: Trend Micro

Watch Out for Payroll Scams and Fake Login Pages!

Cybercriminals are getting sneakier, using new tricks to steal your paycheck. A recent alert highlights how attackers are using "SEO poisoning" to create fake payroll login pages that show up at the top of search results. If you fall for it and enter your login details, they can change your direct deposit information and reroute your pay!

Key Insights:

Access Payroll Directly: Don't rely on search engines. Always go to your payroll portal by typing the official website address directly into your browser or using a trusted bookmark.

Enable Multi-Factor Authentication (MFA): If your payroll portal offers MFA (like a code sent to your phone), enable it! This adds an extra layer of security.

Be Wary of Suspicious Changes: Set up alerts in your payroll software to notify you of any changes to your direct deposit information. If you get an unexpected alert, investigate immediately.

Report Unauthorized Changes: Know how to report any unauthorized changes or suspicious activity to your HR or IT department right away.

Update Your Devices: Keep your home office routers and mobile devices updated with the latest software and use strong, unique passwords. Attackers can exploit weaknesses in outdated systems to hide their activities.

Further Reading: ReliaQuest

Deceptive CAPTCHA "ClickFix" Campaign Uses Clipboard Injection to Deliver Malware

Threat actors are employing a new social engineering campaign, dubbed "ClickFix," that utilizes fake CAPTCHA prompts on compromised or cloned websites. This sophisticated technique tricks users into launching malware by combining clipboard injection with abuse of the Windows Run dialog, leading to the delivery of payloads like Lumma Stealer and NetSupport RAT.

Key Insights:

Social Engineering Focus: The campaign heavily relies on user fatigue with CAPTCHA mechanisms, guiding victims through seemingly familiar steps to execute malicious code.

Clipboard Injection & Run Dialog Abuse: The core of the attack involves copying a malicious PowerShell or mshta command to the clipboard, which users are then instructed to paste and execute in the Windows Run dialog.

Living Off the Land Binaries (LOLBins): Attackers extensively use trusted system binaries like PowerShell, mshta.exe, and certutil.exe to bypass traditional security defenses, making detection challenging.

Payloads: Frequently observed payloads include infostealers (e.g., Lumma Stealer targeting browser data, credentials, and crypto wallets) and remote access tools (e.g., NetSupport RAT for full system access).

Simplicity and Effectiveness: The campaign's success stems from its simplicity, avoiding zero-day exploits or complex hidden mechanisms, relying instead on user interaction.

Proactive Defense: This campaign underscores the need for robust endpoint detection and response (EDR) solutions capable of behavioral analysis and detection of LOLBin abuse, alongside user education on suspicious CAPTCHA prompts and the dangers of pasting unknown commands.

Further Reading: SecurityOnline.info

Cybercriminals Exploit AI Hype to Spread Malware

Cybercriminals are increasingly exploiting the public's interest in artificial intelligence by creating fake AI-themed websites and advertisements to distribute malware. A recent campaign identified by Mandiant Threat Defense involves the threat group UNC6032 using deceptive ads on platforms like Facebook and LinkedIn to lure users into downloading malicious software disguised as AI video generation tools.

Key Insights:

Deceptive Advertising: Thousands of malicious ads have been disseminated, impersonating legitimate AI tools such as Luma AI and Canva Dream Lab. These ads direct users to fraudulent websites designed to mimic authentic AI services.

Malware Deployment: Upon interacting with these fake sites, users are prompted to download a ZIP file containing the STARKVEIL malware dropper. This dropper installs multiple malware components, including GRIMPULL, XWORM, and FROSTRIFT, which are designed to steal sensitive information and establish persistent access to the victim's system.

Information Theft: The deployed malware targets a range of data, including login credentials, cookies, credit card information, and digital wallet contents. Some components, like XWORM, also perform keylogging and screen capture, further compromising user privacy.

Evasion Techniques: The malware employs sophisticated methods to avoid detection, such as using Braille pattern blank characters to obscure file extensions and leveraging legitimate processes for malicious activities.

This campaign underscores the importance of vigilance when engaging with online advertisements, especially those offering AI-related services. Users should be cautious of unsolicited offers and verify the legitimacy of websites before downloading any software.

Further Reading: Google Cloud Blog

Beyond the Kill Chain: How Cybercriminals Invest Their Profits

Sophos X-Ops' five-part series, Beyond the Kill Chain, explores what happens after a successful cyberattack. The series reveals how financially motivated threat actors invest their illicit earnings—often blending legitimate business with ethically questionable and outright criminal ventures.

Key Insights:

Legitimate Business Ventures: Cybercriminals are investing in seemingly lawful enterprises such as restaurants, real estate, and e-commerce platforms. These ventures help launder money while also creating additional income streams.

Ethically Dubious Activities: Some threat actors operate in legal gray zones, selling spyware, monetizing vulnerability research under the guise of security services, or manipulating online traffic for advertising profits.

Criminal Enterprises: Illicit gains are also funneled into traditional criminal operations like counterfeit goods, drug trafficking, and underground gambling, showing how cybercrime supports broader organized crime ecosystems.

Implications for Cybersecurity: Mapping how threat actors reinvest their profits helps threat intelligence teams understand evolving risk models and disrupt the infrastructure supporting ongoing cybercriminal activity.

Further Reading: Sophos News

CFOs Targeted in Sophisticated Spear-Phishing Campaign

A recent spear-phishing campaign is targeting Chief Financial Officers (CFOs) and finance executives across banking, energy, insurance, and investment sectors in regions including Europe, Africa, Canada, the Middle East, and South Asia. The attackers use a multi-stage approach to deploy NetBird, a legitimate WireGuard-based remote access tool, onto compromised systems.

Key Insights:

Deceptive Recruitment Emails: The campaign begins with emails impersonating a Rothschild & Co recruiter offering a “strategic opportunity.” Victims are directed to a Firebase-hosted page featuring a custom CAPTCHA to access a malicious file.

Malicious Payload Delivery: After solving the CAPTCHA, users download a ZIP file containing a VBS script. When executed, it installs NetBird and OpenSSH, creates a hidden local admin account, and enables Remote Desktop Protocol (RDP) for persistent attacker access.

Evasion Techniques: The use of custom CAPTCHAs and trusted hosting services helps the attackers bypass traditional security defenses and increases credibility.

Attribution: Some infrastructure overlaps with known nation-state campaigns, but the specific threat actor remains unidentified.

Further Reading: Trellix Blog

Threat Actors Exploit Google Apps Script for Evasive Phishing Attacks

Threat actors are leveraging Google's Apps Script platform to host phishing pages that appear legitimate, allowing them to steal login credentials. These campaigns often begin with emails posing as invoice notifications, linking to webpages hosted using Google Apps Script. By operating within Google's trusted environment, attackers make their phishing pages seem more authentic, increasing the chances of success.

Key Insights:

Abuse of Trusted Services: Google Apps Script, a JavaScript-based platform used for automating Google Workspace tasks, is being exploited to host fake login pages that capture user credentials and send them to attacker-controlled servers.

Evasion of Security Measures: Because the scripts are hosted on Google's own domain, they can bypass traditional email and web filters that typically block suspicious domains.

Sophisticated Phishing Techniques: The phishing emails and login prompts are convincingly designed to mimic legitimate services, making it more likely that targets will engage and provide sensitive information.

Further Reading: BleepingComputer

Cybercriminals Use Fake Booking Sites to Spread AsyncRAT Malware

Cybercriminals are exploiting fake Booking.com websites to infect users with AsyncRAT, a remote access trojan. Victims are lured through deceptive ads and social media links to counterfeit booking sites, where they are tricked into running a malicious PowerShell script. The attack results in full remote control of the infected system, putting sensitive personal information at risk.

Key Insights:

Attackers use fake CAPTCHA prompts to manipulate users into executing malware.

The AsyncRAT payload allows for full system access, including surveillance and data theft.

Domains rotate every few days, making detection and blocking more difficult.

Further Reading: Malwarebytes Blog

UNC6040 – Voice Phishing to Salesforce Data Extortion

Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster specializing in voice phishing (vishing) campaigns. This group is successfully impersonating IT support to gain access to organizations' Salesforce instances, primarily to steal large volumes of data for subsequent extortion. Their tactics rely heavily on manipulating end users rather than exploiting software vulnerabilities.

Key Insights:

Vishing is Key: UNC6040 uses convincing phone calls, often targeting English-speaking employees, to socially engineer access.

Salesforce Data Loader Abuse: They trick victims into authorizing malicious versions of Salesforce Data Loader, gaining broad access to exfiltrate sensitive data.

Lateral Movement: After Salesforce, they use stolen credentials for lateral movement into other cloud platforms like Okta and Microsoft 365.

No Platform Vulnerability: Attacks exploit user trust and process gaps, not inherent Salesforce flaws.

Persistent Threat: Extortion can occur months after the initial intrusion, indicating a patient and persistent threat.

Further Reading: The Cost of a Call: From Voice Phishing to Data Extortion

Exploring the security awareness newsletter - *Image created by ChatGPT*

Security Awareness Newsletter April 2024

May 6, 2024

These are the stories I’ve been tracking that are of interest to people outside of security. Feel free to take this and use it as part of your own security awareness program. The items were created with the help of ChatGPT

Confirmed: AT&T Data Breach Exposes Millions

A large data leak containing personal information of millions of AT&T customers is being investigated. While AT&T denies the breach originated from their systems, this incident highlights the importance of protecting your personal information.

Here are some steps you can take to stay safe:

Be mindful of the information you share online and over the phone.
Use strong passwords and change them regularly.
Monitor your bank statements and credit reports for suspicious activity.

AI in Elections: Beware the Deepfakes!

AI is shaking up elections! Check Point Research warns of deepfakes and voice cloning being used to mislead voters. They found evidence in 10 out of 36 recent elections. Stay informed - the future of voting might depend on it!

Heads Up, Gamers! Malware Lurks in YouTube Video Game Cracks

Phishing for free games can land you in hot water!

A recent report by Proofpoint discovered threat actors using YouTube to distribute malware disguised as popular video game cracks.

Here's the breakdown:

Compromised Accounts: Hackers are targeting both legitimate and newly created YouTube accounts.
Deceptive Content: Videos promise free software or game upgrades, but descriptions contain malicious links.
Targeting Young Gamers: The campaigns exploit younger audiences' interest in bypassing paid features.

Alert on Privacy Risks in Dating Apps: Spotlight on Hornet

Recent investigations by Check Point Research have exposed critical privacy vulnerabilities in the popular dating app Hornet, affecting its 10+ million users. Despite Hornet's attempts to safeguard user locations by randomizing displayed distances, researchers found ways to determine users' exact locations within 10 meters using trilateration techniques. This finding poses a significant privacy risk, particularly in dating apps that rely on geolocation features to connect users.

Highlights:

Hornet's geolocation vulnerabilities could allow attackers to pinpoint users' precise locations.
Even after implementing new safety measures, locations could still be determined within 50 meters.
Check Point Research advises users to be cautious about app permissions and consider disabling location services to protect their privacy.

The study illustrates the ongoing challenges and potential dangers of balancing app functionality with user privacy, urging both developers and users to remain vigilant.

Ransomware Scams Can Get Creative

Ransomware gangs are constantly looking for new ways to pressure companies into paying up. A recent article on TechCrunch describes a hilarious (but ultimately unsuccessful) attempt by a hacker to extort a company through their front desk Ransomware gang's new extortion trick? Calling the front desk.

While this specific incident might be lighthearted, it serves as a reminder that ransomware attackers are always adapting their tactics. Here's what you should be aware of:

Be cautious of any unsolicited calls or emails claiming a security breach. Don't engage with the sender and report them to the IT department immediately.
Never click on suspicious links or attachments. These could contain malware that gives attackers access to our systems.
Be mindful of what information you share over the phone. Hackers may try to sound legitimate to gather details about our company's network.
Stay informed about cybersecurity best practices. The IT department may send out phishing simulations or training materials – take advantage of these resources.

By staying vigilant and following these tips, we can all play a part in protecting our company from ransomware attacks. Remember, if you see something suspicious, report it!

FBI Alert: Increase in Social Engineering Attacks

The FBI has issued a warning about the rise in social engineering attacks targeting personal and corporate accounts. These attacks employ methods like impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing, which are designed to steal sensitive information.

Key Techniques:

Employee Impersonation: Fraudsters trick IT or helpdesk staff into providing network access.
SIM Swapping: Attackers take control of victims' phone numbers to bypass security measures like multi-factor authentication.
Call Forwarding and Simultaneous Ring: Calls are redirected to the attackers' numbers, potentially overcoming security protocols.
Phishing: Cybercriminals use fake emails from trusted entities to collect personal and financial data.

How to Protect Yourself:

Ignore unsolicited requests for personal information.
Ensure unique, strong passwords for all accounts.
Contact mobile carriers to restrict SIM changes and call forwarding.
Regularly monitor account activity for signs of unauthorized access.

If Compromised:

Immediately secure accounts by changing passwords and contacting service providers.
Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Stay vigilant and implement these protective measures to defend against these sophisticated social engineering threats.

Smishing Scam Hits the Road!

Beware of texts claiming unpaid tolls! Scammers are targeting drivers with smishing attacks. The texts claim that the recipient has unpaid tolls. Don't click links or give out info. Report scams to the FBI: https://www.ic3.gov/Home/ComplaintChoice. Stay safe!

Data Breach at Hospital: Ex-Employee Admits to Sharing Patient Records

Patients at Jordan Valley Community Health Center in Missouri are being notified of a data breach involving over 2,500 individuals. The culprit? A former employee, Chante Falcon, who admitted to accessing and sharing patient records.

Facing federal charges for wrongful disclosure of patient information, Ms. Falcon pleaded guilty and awaits sentencing. The potential penalty? Up to 10 years in prison.

Tax Time Trouble: Don't Fall Victim to Tax Scams!

It's tax season again! While you're busy gathering documents and filing your return, scammers are out in force trying to steal your money and personal information.

This year, security experts are seeing a rise in Artificial Intelligence (AI)-powered tax scams. These scams can look and feel more sophisticated than ever before, making them even trickier to spot.

Here are some red flags to watch out for:

Urgency and Threats: Scammers often try to pressure you into acting quickly by claiming you owe overdue taxes or face penalties.
Suspicious Emails and Texts: Be wary of emails or texts claiming to be from the IRS or tax software companies. Don't click on links or attachments unless you're sure they're legitimate.
Phishing for Information: Scammers may ask for your Social Security number, bank account details, or other personal information you wouldn't normally share via email or text.

Stay Safe This Tax Season:

Go Directly to the Source: If you receive a message about your taxes, contact the IRS directly using a phone number you know is correct (don't use the one provided in the message).
Don't Share Personal Information Unsolicited: The IRS will never ask for sensitive information through email or text message.

By following these tips and staying vigilant, you can protect yourself from tax scams and ensure a smooth tax season!

Tracking AI's Influence in Global Elections

Rest of World, a news organization, has launched a new initiative to monitor and document the impact of artificial intelligence (AI) on global elections. This effort comes as generative AI tools become increasingly accessible, presenting both innovative uses and potential risks in political contexts.

Scope and Objective: The project tracks AI incidents across the globe, particularly focusing on regions outside the Western hemisphere. From the general elections in Bangladesh to those in Ghana, the tracker will compile AI-generated content related to elections, encompassing both positive applications and problematic issues like misinformation.

Noteworthy Incidents:

In Belarus, a ChatGPT-powered virtual candidate is providing voter information while circumventing censorship.
AI-generated videos have enabled Pakistan’s former Prime Minister Imran Khan to address the public from imprisonment.
A spam campaign against Taiwan’s president has been linked to a Chinese Communist Party actor.
Deepfake videos falsely depicted Bangladeshi candidates withdrawing on election day.

Comprehensive ChatGPT Risk Assessment

Walter Haydock from StackAware has conducted an exhaustive risk assessment of OpenAI's ChatGPT. This summary encapsulates the critical findings and documentation from the assessment, aiming to enhance your understanding and governance of AI tools.

Key Findings from the Assessment:

Purpose and Criticality: ChatGPT serves multiple functions, from generating marketing content to converting unstructured data into structured formats. Its operational importance is significant, with potential major business impacts in case of system failure.
System Complexity and Reliability: Despite its complex nature, ChatGPT has shown reliable performance, although occasional performance and availability issues have been documented on OpenAI’s status page.
Environmental and Economic Impacts: ChatGPT's operation is energy-intensive, with considerable carbon emissions and water usage. However, it also offers potential economic benefits, potentially contributing significantly to global productivity and economic output.
Societal and Cultural Impacts: The system’s ability to automate repetitive tasks could liberate millions from mundane work but also poses risks to employment and misinformation, particularly during sensitive periods like elections.
Legal and Human Rights Considerations: The system's deployment must carefully navigate potential impacts on employment and privacy, with strict adherence to legal and human rights norms.

Deepfake Phishing Attempt Targets LastPass Employee: Audio Social Engineering on the Rise

A recent incident reported by LastPass sheds light on a concerning trend: the use of audio deepfakes in social engineering attacks.

What Happened?

A LastPass employee received a series of calls, text messages, and voicemails supposedly from the company's CEO.
The voice messages utilized deepfake technology to convincingly mimic the CEO's voice.
The attacker attempted to pressure the employee into performing actions outside of normal business communication channels and exhibiting characteristics of a social engineering attempt.

Why This Matters:

This incident marks a potential turning point in social engineering tactics. Deepfakes can bypass traditional email-based phishing attempts and create a more believable scenario for the target.
Audio deepfakes pose a significant threat because they exploit the inherent trust we place in familiar voices.

How LastPass Responded:

The targeted employee, recognizing the red flags of the situation, did not respond to the messages and reported the incident to internal security.
LastPass highlights the importance of employee awareness training in identifying and reporting social engineering attempts.

Change Healthcare Cyberattack: A Costly Reminder for Physicians

A recent cyberattack on Change Healthcare, a major healthcare IT provider, has had a significant impact on physicians across the country. According to a KnowBe4 article, a staggering 80% of physicians reported financial losses due to the attack. United Health announced the attack cost them $1.6 billion alone.

The High Cost of the Breach

The article details the financial strain placed on physician practices:

Revenue Loss: Disruptions caused by the attack made it difficult to submit claims and verify benefits, leading to lost revenue.
Increased Costs: Extra staff time and resources were required to complete revenue cycle tasks.
Personal Expenses: Some practices were forced to use personal funds to cover business expenses.

USPS Now the Most Impersonated Brand in Phishing Attacks

Phishing attacks are one of the most common cyber threats. Criminals impersonate well-known brands to trick people into giving up personal information. According to a recent report, the United States Postal Service (USPS) has surged to the top spot on the list of most impersonated brands.

Here are some tips to avoid falling victim to a USPS phishing attack:

Be wary of emails or text messages that claim to be from USPS about a delivery issue or package requiring additional fees.
Do not click on any links or attachments in suspicious emails or text messages.
If you are unsure about the legitimacy of an email or text message, contact USPS directly.
Be mindful of the sender's email address and look for typos or inconsistencies.

By following these tips, you can help protect yourself from phishing attacks.

InfoSec links December 17, 2014

December 17, 2014

Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System - Kim Zetter - WIRED

He was surprised again when, six months later, USA Today published a different story revealing for the first time that the NSA was secretly collecting the phone call records of tens of millions of Americans, records that US telecoms were willingly handing over without a warrant. Two of the three identified telecoms denied the allegations, and the story quickly died. But its ghost lingered on, neither fully confirmed nor denied, haunting Wyden. It took another seven years for a document leaked in 2013 by Edward Snowden to end the speculation and finally confirm that the bulk-collection phone records program existed.

Facebook, Google, and the Rise of Open Source Security Software - Cade Metz - WIRED

Arpaia is a security engineer, but he’s not the kind who spends his days trying to break into computer software, hoping he can beat miscreants to the punch. As Sullivan describes him, he’s a “builder”—someone who creates new tools capable of better protecting our computer software—and that’s unusual. “You go to the security conferences, and it’s all about breaking things,” Sullivan says. “It’s not about building things.”

Dark Hotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests - Kim Zetter - WIRED

Kaspersky researchers named the group DarkHotel, but they’re also known as Tapaoux by other security firms who have been separately tracking their spear-phishing and P2P attacks. The attackers have been active since at least 2007, using a combination of highly sophisticated methods and pedestrian techniques to ensnare victims, but the hotel hacks appear to be a new and daring development in a campaign aimed at high-value targets.

This post first appeared on Exploring Information Security.

InfoSec links October 15, 2014

October 15, 2014

WPScan Vulnerability Database A New Wordpress Security Resource - Michael Mimoso - Threatpost

It’s not unlikely that a developer may be at a loss as to the security of a particular plug-in, or the disclosure of a devastating flaw in the core WordPress code that could expose a website to attack. During last weekend’s BruCon in Belgium, U.K.-based security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities that he hopes becomes an indispensable resource for pen-testers, administrators and WordPress developers.

The Criminal Indictment That Could Finally Hit Spyware Makers Hard - Kim Zetter - WIRED

The case involves StealthGenie, a spy app for iPhones, Android phones and Blackberry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded to temporarily close the Virginia-based site (.pdf) that hosted the stolen data.

Developers of hacked Snapchat web app says "Snappening" claims are hoax - Sean Gallagher - ars technica

Posters to 4Chan’s /b/ forum continue to pore over the contents of thousands of images taken by users of the Snapchat messaging service that were recently leaked from a third-party website. Meanwhile, the developer behind that site, SnapSaved.com, used a Facebook post to say it was hacked because of a misconfigured Apache server. The statement also gets into the extent of the breach, while playing down reports that personal information from the users involved was also taken.

This post first appeared on Exploring Information Security.

InfoSec links October 7, 2014

October 7, 2014

Fileless Infections from Exploit Kit: An Overview - Jéróme Segura - Malwarebytes Unpacked

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.

How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks - Kim Zetter - Wired

Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news.

The Unpatchable Malware That Infects USBs Is Now on the Loose - Andy Greenberg - WIRED

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

This post first appeared on Exploring Information Security.

ZeuS GameOver links June 11, 2014

June 11, 2014

Apologizes for the formatting. Squarespace appears to be having text format issues on its backend.

Mounties join crack down on Russian cyber crime - Dave Lewis - CSO Online

Recently a new botnet was taken over by authorities across the globe (Canada, and more importantly the mounties, in this story). This was a particularly nasty botnet in that it featured both cryptolocker (ransomware) and a distributed denial of service (DDoS) functionality.

We've Set Up a One-Click Test For GameOver ZeuS - Antti - F-secure

F-Secure has a link you can use to test your computer to see if it has GameOver on it as well as a technical description on how they accomplish the test.

Click here to check your computer for GameOver.

Backstage with the Gameover Botnet Hijackers - Brian Krebs - Krebs on Security

Of course Brian Krebs got an interview with two of the people involved in the GameOver ZeuS botnet takeover. Very interesting read.

This post first appeared on Exploring Information Security.

InfoSec Links April 18, 2014

April 18, 2014

This is Earth's malware threat, visualized - Sean Buckley - Engadget

Created by Kaspesky Labs, this is a real cool visualization of malware threats around the world.

Crimeware Helps File Fraudulent Tax Retruns - Brian Krebs - Krebs on Security

A big reason why you should do your taxes as soon as possible; otherwise someone else might do them for you and get your tax return.

Critical Java Update Plugs 37 Security Holes - Brian Krebs - Krebs on Security

If you can do without Java, uninstall Java from your computer as quickly as possible. Unfortunately, I think there are very few people who can do without Java. Personally, I have several sites that I use at home and work that require Java to function properly so I'm screwed. If you do need Java to function on the internet, then, at the very least, make sure you keep Java up to date.

This post first appeared on Exploring Information Security.