This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab and use for your own program.
Task Scams: Why You Should Never Pay to Get Paid
ESET warns of a growing wave of “task scams” where victims are enticed by offers of quick money for simple online tasks, such as liking content or clicking buttons. While early steps appear legitimate and even show fake earnings, the scheme ultimately demands an upfront payment to “unlock” these earnings—after which victims receive nothing. Reports of task scams have quadrupled, with millions lost to this tactic.
Key Insights:
Scams typically begin through unsolicited messages on WhatsApp, Telegram, or social media.
Fake earnings dashboards give victims a false sense of progress and legitimacy.
Victims are often pressured to pay a fee in cryptocurrency to claim their supposed rewards.
Scammers may use cloned websites and group chats filled with fake success stories to boost credibility.
Other forms of employment fraud include fake job ads, phishing through CV submissions, and impersonated recruiters.
Further Reading: WeLiveSecurity
Jasper Sleet: North Korean Remote IT Workers Use AI to Infiltrate Organizations
Microsoft Threat Intelligence has identified a surge in activity from the North Korea-linked threat actor Jasper Sleet, formerly tracked as Storm‑0287. These operatives are exploiting remote work arrangements to embed themselves within organizations worldwide. Using AI tools to enhance fake identities, they are securing employment, gaining access to sensitive systems, and exfiltrating data to support North Korea’s strategic and financial objectives.
Key Insights:
Jasper Sleet operatives use AI for facial and voice modification to impersonate real job seekers.
Fake identities are supported by fabricated credentials, doctored online profiles, and complicit facilitators.
The campaign targets a wide range of industries across North America, Europe, and Asia.
Over 3,000 accounts have been suspended due to links to this operation.
Common tactics include the use of residential IPs, remote access software, and resume laundering.
Further Reading: Microsoft Security Blog
AI Hiring Bot Breach: McDonald’s Chatbot Exposes Data of Millions
Security researchers Ian Carroll and Sam Curry discovered a critical vulnerability in Olivia, the AI hiring assistant on Paradox.ai's McHire platform used by McDonald’s. With just the default password 123456, the duo accessed an admin account and discovered a critical API flaw. In under an hour, they viewed personal details—including names, emails, phone numbers, and chat logs—for approximately 64 million job applicants spanning years of data.
Key Insights:
A dormant admin panel was protected only by default credentials, with no multifactor authentication.
An insecure direct object reference (IDOR) allowed researchers to enumerate applicant records by simply changing numeric IDs.
Data exposed included conversation content and personal identifiers—though not financial or sensitive health info.
McDonald’s and Paradox.ai responded swiftly, disabling the account and patching the API within a day.
Despite the quick fix, the breach underscores the risks of weak third-party oversight and insecure AI-driven recruitment tools.
Further Reading: Wired
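The IDOR described above is easiest to understand side by side with its fix. The following is an added example, not code from McHire, Paradox.ai or the researchers: the applicant records, the roles, the endpoint path and the access-log lines are all constructed. It shows a lookup that checks only "is the caller logged in" beside one that checks "is the caller allowed to see this particular record", and a small log check that flags a session walking sequential IDs, which is the pattern an IDOR enumeration leaves behind.

```python
"""Insecure direct object reference (IDOR) on applicant records.

Added illustration, not code from McHire, Paradox.ai or the researchers: the
records, roles, endpoint path and log lines below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed applicant records keyed by sequential numeric IDs, the pattern
# that makes "change the number in the URL" enumeration possible.
APPLICANTS = {
    1001: {"name": "A. Example", "email": "a@example.test", "owner": "user-a", "restaurant": "r-1"},
    1002: {"name": "B. Example", "email": "b@example.test", "owner": "user-b", "restaurant": "r-1"},
    1003: {"name": "C. Example", "email": "c@example.test", "owner": "user-c", "restaurant": "r-2"},
}


@dataclass
class Principal:
    """Authenticated caller. Roles are hypothetical: an applicant sees only
    their own record, a recruiter sees records for their own restaurants."""
    user_id: str
    role: str
    restaurant_ids: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(principal, applicant_id):
    """Vulnerable pattern: authentication is checked, authorization is not.
    Any logged-in caller can read any record by supplying its ID."""
    if principal is None:
        raise Forbidden("login required")
    return APPLICANTS.get(applicant_id)


def is_permitted(principal, applicant_id):
    """Object-level authorization: does this caller have a legitimate
    relationship to this particular record?"""
    record = APPLICANTS.get(applicant_id)
    if principal is None or record is None:
        return False
    if principal.role == "applicant":
        return record["owner"] == principal.user_id
    if principal.role == "recruiter":
        return record["restaurant"] in principal.restaurant_ids
    return False


def get_applicant_hardened(principal, applicant_id):
    """Hardened pattern: the ownership check runs on every request, and an
    unauthorized ID gets the same error as a nonexistent one, so the endpoint
    does not confirm which IDs exist."""
    if not is_permitted(principal, applicant_id):
        raise Forbidden("not found or not permitted")
    return APPLICANTS[applicant_id]


# Constructed access-log lines: "<session> <method> <path>".
SAMPLE_LOG = """\
sess-1 GET /api/applicants/1001
sess-1 GET /api/applicants/1002
sess-1 GET /api/applicants/1003
sess-1 GET /api/applicants/1004
sess-2 GET /api/applicants/1002
sess-3 GET /api/applicants/abc
"""


def detect_enumeration(log_text, min_ids=3):
    """Flag sessions that walk at least `min_ids` distinct applicant IDs in
    strictly sequential order. Returns {session: sorted ids}. A production
    rule would also window by time and alert on bursts of 403/404 responses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/api/applicants/"):
            continue
        id_text = parts[2].rsplit("/", 1)[1]
        if id_text.isdigit():
            seen[parts[0]].add(int(id_text))
    flagged = {}
    for session, ids in seen.items():
        ordered = sorted(ids)
        sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if len(ordered) >= min_ids and sequential:
            flagged[session] = ordered
    return flagged
```

The hardened lookup deliberately returns the same error for "does not exist" and "not yours", which removes the oracle an attacker would otherwise use to map out valid IDs; pairing that with random or opaque identifiers instead of a counter makes enumeration impractical even if an authorization check is ever missed.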
Gemini Email Summary Phishing: Invisible Prompt Injection Risk
A newly discovered vulnerability in Google’s Gemini for Workspace demonstrates how attackers can embed hidden instructions in emails—styled with invisible text—so that clicking “Summarize this email” invokes the malicious prompt. This can result in fake security alerts, phishing links, or fraudulent phone numbers appearing in AI-generated summaries.
Key Insights:
Attackers hide directives using invisible HTML/CSS that Gemini parses but users can’t see.
Summarized messages may falsely warn of compromised accounts and urge recipients to click links or call numbers.
Because there are no obvious phishing signals (like attachments or visible links), these emails bypass typical threat detection.
Security teams should flag summaries containing urgent calls to action and train users to verify full email content.
Further Reading: Bleeping Computer
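The defensive step implied by the last insight, checking what the summarizer is actually being fed, can be automated. The following is an added example, not code from Google or from the researchers who reported the issue: it walks an email's HTML with Python's standard-library parser and separates text a human would see from text hidden by inline styles (display:none, visibility:hidden, zero font size, zero opacity, white text). The style patterns are heuristics chosen for this demo, and the sample email is constructed, with a placeholder standing in for an injected directive.

```python
"""Surface hidden text in an HTML email before it reaches an AI summarizer.

Added illustration, not code from Google or the researchers who reported the
issue. The patterns are heuristics for common inline-style hiding tricks;
the sample messages are constructed.
"""
import re
from html.parser import HTMLParser

# Inline-style patterns that make text invisible to a human reader while
# leaving it in the markup for anything that parses the raw HTML.
HIDING_PATTERNS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?(?![\w.])", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\w.])", re.I),
    # White text is a heuristic: it also fires on light text deliberately
    # placed on a dark background, so treat it as a review trigger, not proof.
    re.compile(r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))(?!\w)", re.I),
)


class HiddenTextScanner(HTMLParser):
    VOID = {"br", "img", "hr", "meta", "link", "input"}
    NON_TEXT = {"style", "script"}

    def __init__(self):
        super().__init__()
        self.stack = []          # one entry per open element: is it hidden?
        self.non_text_depth = 0  # inside <style>/<script>, whose data is not prose
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        if tag in self.NON_TEXT:
            self.non_text_depth += 1
        style = dict(attrs).get("style") or ""
        hidden_here = any(p.search(style) for p in HIDING_PATTERNS)
        parent_hidden = self.stack[-1] if self.stack else False
        # Hidden state inherits: children of a hidden element are hidden too.
        self.stack.append(hidden_here or parent_hidden)

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if tag in self.NON_TEXT and self.non_text_depth:
            self.non_text_depth -= 1
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or self.non_text_depth:
            return
        bucket = self.hidden if (self.stack and self.stack[-1]) else self.visible
        bucket.append(text)


def scan_email_html(html):
    """Return the visible text, the hidden text, and whether the message
    deserves a closer look before its AI summary is trusted."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "visible": " ".join(scanner.visible),
        "hidden": " ".join(scanner.hidden),
        "suspicious": bool(scanner.hidden),
    }


# Constructed sample: one ordinary paragraph plus two hidden blocks whose
# bracketed content stands in for an injected directive.
SAMPLE_EMAIL = """<html><body>
<p>Hi team, the Q3 report is attached for review.</p>
<span style="font-size:0px; color:#ffffff">[constructed hidden directive text]</span>
<p style="display:none">[constructed second hidden block]</p>
<p>Thanks!</p>
</body></html>"""

CLEAN_EMAIL = "<p>Lunch is at <b>noon</b> on Friday.</p>"
```

Two limitations are worth knowing before relying on this: it only inspects inline style attributes, so text hidden through a class defined in a style block or an external stylesheet needs a CSS-aware renderer to catch, and a summarizer that is handed only the visible text still needs the user-facing warning described above, because the hidden text is evidence of intent rather than the only way to smuggle instructions in.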
Deepfake It ‘til You Make It: The New AI Criminal Toolset
Cybercriminals are increasingly exploiting deepfake technology to conduct fraud, extortion, and manipulation campaigns. Originally built for creative or entertainment purposes, AI-driven tools for generating fake audio, video, and images are now widely available and being misused to impersonate individuals and mislead organizations.
Key Insights:
Democratized Deepfake Creation: Tools for generating synthetic media are now easy to use, enabling low-skilled actors to produce realistic forgeries.
CEO Fraud & Recruitment Exploits: Deepfake audio and video are being used to impersonate executives during meetings or to create fake candidate profiles in hiring scams.
KYC & Identity Fraud Risks: Attackers use deepfakes to bypass identity verification processes at banks and fintech platforms, facilitating account fraud.
Plug-and-Play Underground: Criminal communities are sharing deepfake tools, tutorials, and services, lowering the barrier to entry for would-be attackers.
Further Reading: Trend Micro
FileFix: A Social Engineering Evolution of ClickFix
Check Point Research has uncovered FileFix, a new social engineering attack that refines the ClickFix method to trick users into executing malicious commands. Delivered through compromised or typo-squatted websites, FileFix prompts victims with a fake download link or “Fix” button—copying harmful PowerShell scripts to the clipboard. When users paste and run these snippets, the attacker gains system access through a stealthy, multi-stage infection chain.
Key Insights:
FileFix uses clipboard hijacking to push malicious payloads via user-initiated paste actions.
Fake prompts mimic legitimate "fix" or software update buttons to build trust.
Infection unfolds in stages—from initial PowerShell downloaders to final payloads like AsyncRAT or other remote access trojans.
This variation simplifies and accelerates command execution compared to previous ClickFix variants.
Detection requires user awareness and endpoint policies that block shell execution from clipboard content.
Further Reading: Check Point Research
FBI Warns of Youth-Driven Cybercrime and Violence Networks
The FBI has issued a series of alerts warning about “The Com,” a decentralized network of youth-led cybercriminal groups responsible for a surge in digital fraud, harassment, and real-world violence. Subgroups like Hacker Com focus on cryptocurrency theft, SIM swapping, and ransomware, while IRL Com offers violence-for-hire services such as swatting, assault, and kidnapping. These groups exploit gaming platforms and social media to recruit minors, using threats, doxing, and financial incentives to escalate involvement.
Key Insights:
Youth-focused groups are driving cybercrime and monetizing their skills via extortion, malware, and fraud.
Cryptocurrency enables both virtual and physical attacks, including pay-for-assault services.
Recruitment often starts on gaming and social platforms, escalating into serious criminal activity.
Swatting and doxing are common intimidation tactics tied to digital theft or status-building.
Further Reading: IC3.gov PSA 1 | IC3.gov PSA 2 | IC3.gov PSA 3
North Korean IT Worker Schemes: Emerging Threat to U.S. Businesses
The FBI has issued a critical alert (PSA I‑072325‑4) highlighting how North Korean IT workers and their domestic facilitators are infiltrating U.S. businesses. These workers use deceptive employment setups—often via U.S.-based intermediaries—to bypass sanctions and gain unauthorized access to sensitive systems, generating illicit revenue to support the DPRK regime.
Key Insights:
These schemes rely on unwitting or complicit U.S. individuals who receive, configure, and then forward company assets (like laptops and accounts) to operatives in North Korea.
Facilitators may manage shipping, remote access setup, account creation on job platforms, and even handle proceeds in shared financial accounts.
Tactics exploit front companies and virtual interviews to mask identities and evade detection, with remote desktop tools like TeamViewer used covertly.
There are significant risks of sanction violations, data theft, and unauthorized system control when businesses hire third-party or international IT contractors.
The FBI recommends organizations conduct in-person or video identity verifications, validate employment credentials, monitor shipping/payment methods, and restrict unauthorized remote-access tools.
Further Reading: IC3.gov PSA I‑072325‑4
Targeted Social Engineering Drives Ransom Payments Skyward in Q2 2025
Coveware’s Q2 2025 ransomware spotlight reveals a dramatic shift in attack economics: the average ransom payment jumped to $1,130,070—a staggering 104% increase from Q1—while the median payment doubled to $400,000, indicating high-value extortion is on the rise.
Key Insights:
Ransomware actors are shifting from broad targeting to highly targeted social-engineering campaigns, exploiting trusted communications and tailored deception to pressure specific high-profile victims.
While the payment amounts surged, the overall ransom payment rate remained low at ~26%, suggesting many organizations continue to successfully resist paying demands.
Mid-sized and larger enterprises are now disproportionately affected, as attackers focus on fewer but more lucrative targets rather than bulk low-value victims.
Further Reading: Coveware Blog
Privacy Alert: Tea App Data Breach Exposes Millions of Sensitive Chats
The women-focused “Tea” app, designed for anonymous reviews and dating safety, has suffered a catastrophic data breach impacting users prior to February 2024. Initial reports of exposed selfies and ID documents (around 72,000 images) have now escalated: researchers uncovered a second compromised database containing 1.1 million private messages on deeply personal topics—spanning infidelity, abortion, and abuse.
Key Insights:
Legacy storage misconfiguration in Firebase led to unauthorized data exposure, including chat logs and user IDs.
Messaging functionality has been disabled while Tea investigates and coordinates with cybersecurity experts and the FBI.
Victims face potential risks of identity theft, harassment, and blackmail through leaked information involving personal phone numbers and real‑world identifiers.
Further Reading: WebProNews
Scattered Spider Alert: FBI & CISA Update on Tactics & Threats
Critical infrastructure and commercial entities are urged to review CISA's updated joint advisory AA23‑320A (last revised July 29, 2025), detailing evolving tactics used by the Scattered Spider cybercriminal group. Known for preying on IT and help desk personnel, this financially motivated threat actor now combines social engineering, ransomware, and data extortion with sophisticated new techniques.
Key Insights:
Scattered Spider continues targeting IT support channels using voice phishing (vishing), SMS phishing (smishing), and MFA fatigue attacks alongside SIM swapping to obtain access credentials.
Once inside, attackers repurpose legitimate remote-access and tunneling tools (e.g. TeamViewer, AnyDesk, Ngrok) instead of relying on malware, enabling stealthy and persistent access.
New variants like DragonForce ransomware are now being deployed as part of combined extortion operations (data theft + encryption).
In recent operations, actors have refined social engineering methods while rotating TTPs to evade detection and extend dwell time.
Updated mitigations emphasize phishing-resistant MFA, verifying helpdesk contacts out-of-band, limiting remote access tool use, and continuous validation of security controls against evolving attack behaviors.
Further Reading: CISA Advisory AA23‑320A (Scattered Spider)
Scam Alert: Gaming Sites Flooded with Fake Platforms and Phishing Traps
Threat actors have launched a large-scale social engineering campaign using polished, fraudulent gaming and wagering websites—promoted via Discord and social media ads. These platforms lure users with claims of partnerships with influencers like “Mr. Beast,” and offer fake promo codes for in-game credits. Once victims deposit funds or connect crypto wallets, the sites disappear—often taking user data and assets with them.
Key Insights:
A large fleet of scam sites—more than 1,200 domains identified—is promoted via sponsored ads and influencer tie-ins to appear legitimate.
These platforms impersonate giveaways or wagering systems, incentivizing sign-ups with fake bonus credits and “verified” endorsements.
After registration or payment, users often lose access to funds and face account theft or credential compromise.
Scams are heavily directed toward younger users on Discord and gaming communities, exploiting trust in influencer culture.
In addition to phishing domains, attackers distribute malware via fake mods or “game cheats,” particularly targeting titles like Minecraft and Roblox.
Further Reading: KrebsOnSecurity
Phishing Trends Q2 2025: Microsoft at the Helm, Spotify Rejoins the Spotlight
Check Point Research’s latest Brand Phishing report reveals that in the second quarter of 2025, cybercriminals continued to impersonate high-trust brands to trick users into revealing credentials or financial data. Microsoft remained the most spoofed brand—used in 25% of phishing attempts—followed by Google (11%), Apple (9%), and Spotify (6%), marking Spotify’s first reappearance in the charts since late 2019.
Key Insights:
Microsoft led phishing campaigns, accounting for a quarter of all spoofed brands.
Spotify saw a surprising resurgence in impersonation attempts after a long absence, used in campaigns involving fake credential and payment pages.
Booking.com–themed domains surged by over 700 in Q2, many embedding personal user data to deceive targets convincingly.
Tech remained the top spoofed sector, with social networks, travel, and retail brands also seeing elevated impersonation activity.
Seasonal alignment played a key role: the rise in travel scams coincided with summer holiday planning, amplifying phishing success.
Further Reading: Check Point Research
Microsoft OAuth Phishing Campaign: MFA Bypass via App Impersonation
Proofpoint has exposed a sophisticated phishing campaign where attackers used malicious Microsoft OAuth applications—disguised as trusted brands like Adobe, DocuSign, and SharePoint—to trick users into granting access to their Microsoft 365 accounts. These apps operated within legitimate authorization flows, enabling attackers to bypass multi-factor authentication (MFA) with minimal-risk consent requests.
Key Insights:
The fake OAuth apps mimicked trusted publishers to obtain permissions for profile, email, and openid scopes—enough to capture credentials and session tokens without raising suspicion.
Once approved, users were redirected to phishing pages that intercepted login credentials and session tokens using AiTM (attacker-in-the-middle) kits like Tycoon or EvilProxy.
Attackers were able to maintain access via stolen tokens even after password resets, remaining linked to accounts until consent was manually revoked.
The campaign compromised multiple sectors—including finance, healthcare, and retail—targeting executives and high-privilege users.
Standard security controls such as DMARC or domain reputation were largely ineffective since the phishing originated from within Microsoft's system.
Microsoft is rolling out updated defaults that require administrative approval for third-party app permissions, aiming to limit similar attacks going forward.
Further Reading: Proofpoint Threat Insight
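Until the admin-approval defaults mentioned above are in place everywhere, reviewing existing consent grants is the practical control. The following is an added example, not Proofpoint's or Microsoft's tooling: it triages a constructed list of consent-grant records for the pattern the campaign used, a display name borrowing a trusted brand from an unverified publisher whose redirect URL points somewhere that brand would never send users. The record field names are this example's own rather than any tenant API's, and the brand-to-domain allow-list and the weighting of offline_access are assumptions for the demo.

```python
"""Triage OAuth consent grants for brand-impersonating apps.

Added illustration, not Proofpoint's or Microsoft's tooling: the grant records
are constructed, the field names are this example's own rather than any
tenant API's, and the brand-to-domain allow-list and scope weighting are
assumptions for the demo.
"""
from urllib.parse import urlparse

# Brands named in the campaign, mapped to domains a genuine app from that
# publisher would be expected to redirect to (constructed allow-list).
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
}

# Constructed consent-grant records, as a normalized export might look.
SAMPLE_GRANTS = [
    {
        "app_name": "Adobe Document Cloud",
        "publisher_domain": "example-apps.test",
        "verified_publisher": False,
        "scopes": ["openid", "profile", "email"],
        "reply_url": "https://adobe-docs.example.test/callback",
        "user": "cfo@corp.test",
    },
    {
        "app_name": "DocuSign eSignature",
        "publisher_domain": "docusign.com",
        "verified_publisher": True,
        "scopes": ["openid", "profile", "email"],
        "reply_url": "https://account.docusign.com/oauth/cb",
        "user": "legal@corp.test",
    },
    {
        "app_name": "Internal Expense Tool",
        "publisher_domain": "corp.test",
        "verified_publisher": True,
        "scopes": ["openid", "profile", "offline_access"],
        "reply_url": "https://expenses.corp.test/auth",
        "user": "staff@corp.test",
    },
]


def brand_hint(app_name):
    """Which well-known brand, if any, does the display name borrow?"""
    lowered = app_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def host_in_domains(url, domains):
    """True if the URL's host is one of `domains` or a subdomain of one.
    Suffix matching on a leading dot prevents 'docusign.com.example.test'
    from passing as 'docusign.com'."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_grant(grant):
    """Reasons this grant deserves review; an empty list means nothing stood out."""
    reasons = []
    brand = brand_hint(grant["app_name"])
    if brand:
        if not grant["verified_publisher"]:
            reasons.append(f"name suggests {brand} but publisher is unverified")
        if not host_in_domains(grant["reply_url"], BRAND_DOMAINS[brand]):
            reasons.append(f"reply URL host is outside {brand}'s expected domains")
    if "offline_access" in grant["scopes"] and not grant["verified_publisher"]:
        reasons.append("offline_access from an unverified publisher yields long-lived tokens")
    return reasons


def triage(grants):
    """Map app name -> reasons, for every grant with at least one reason."""
    findings = {}
    for grant in grants:
        reasons = triage_grant(grant)
        if reasons:
            findings[grant["app_name"]] = reasons
    return findings
```

A flagged grant is the one to revoke first, and the campaign's persistence behaviour described above is the reason a password reset alone is not enough: the consent, and any tokens issued under it, has to be revoked explicitly.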
FBI Alert: QR Code Packages Used in Emerging Fraud Scheme
The FBI has issued a Public Service Announcement (PSA I‑073125) warning about a new twist on the classic "brushing scam": unsolicited packages sent to recipients containing QR codes that, when scanned, prompt the victim to share personal or financial information or inadvertently download malware. These packages often arrive without sender details, making recipients more likely to investigate the code out of curiosity.
Key Insights:
Mail includes no sender information, tempting recipients to scan QR codes in order to identify the sender.
Scanning the code can lead to phishing forms requesting sensitive data or installation of smartphone malware.
The tactic is a modification of brushing scams, repurposed for fraud by exploiting user curiosity and trust.
Fraudsters may ask victims to grant permissions or download apps that compromise device security.
Protective Measures:
Don’t scan QR codes from unexpected or unknown packages.
Avoid granting app or account access triggered via unsolicited QR links.
If suspicious, report the package to your local authorities or the FBI’s Internet Crime Complaint Center (IC3).
Further Reading: IC3.gov PSA I‑073125