Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

How To Tell If Spyware Is Hiding On Your Phone And What To Do About It

  Your smartphone stores personal conversations, financial data, photos, and daily movements. This concentration of information makes it att...

All the recent news you need to know
Personal Data
Android Spyware CISA Cyber Security Cyberattacks Data Hacking data security Hacking WhatsApp Mobile Spyware Personal Data

CISA Warns of Rising Targeted Spyware Campaigns Against Encrypted Messaging Users

 

The U.S. Cybersecurity and Infrastructure Security Agency has issued an unusually direct warning regarding a series of active campaigns deploying advanced spyware against users of encrypted messaging platforms, including Signal and WhatsApp. According to the agency, these operations are being conducted by both state-backed actors and financially motivated threat groups, and their activity has broadened significantly throughout the year. The attacks now increasingly target politicians, government officials, military personnel, and other influential individuals across several regions. 

This advisory marks the first time CISA has publicly grouped together multiple operations that rely on commercial surveillance tools, remote-access malware, and sophisticated exploit chains capable of infiltrating secure communications without alerting the victim. The agency noted that the goal of these campaigns is often to hijack messaging accounts, exfiltrate private data, and sometimes obtain long-term access to devices for further exploitation. 

Researchers highlighted multiple operations demonstrating the scale and diversity of techniques. Russia-aligned groups reportedly misused Signal’s legitimate device-linking mechanism to silently take control of accounts. Android spyware families such as ProSpy and ToSpy were distributed through spoofed versions of well-known messaging apps in the UAE. Another campaign in Russia leveraged Telegram channels and phishing pages imitating WhatsApp, Google Photos, TikTok, and YouTube to spread the ClayRat malware. In more technically advanced incidents, attackers chained recently disclosed WhatsApp zero-day vulnerabilities to compromise fewer than 200 targeted users. Another operation, referred to as LANDFALL, used a Samsung vulnerability affecting devices in the Middle East. 

CISA stressed that these attacks are highly selective and aimed at individuals whose communications have geopolitical relevance. Officials described the activity as precision surveillance rather than broad collection. Analysts believe the increasing focus on encrypted platforms reflects a strategic shift as adversaries attempt to bypass the protections of end-to-end encryption by compromising the devices used to send and receive messages. 

The tactics used in these operations vary widely. Some rely on manipulated QR codes or impersonated apps, while others exploit previously unknown iOS and Android vulnerabilities requiring no user interaction. Experts warn that for individuals considered high-risk, standard cybersecurity practices may no longer be sufficient. 

CISA’s guidance urges those at risk to adopt stronger security measures, including hardware upgrades, phishing-resistant authentication, protected telecom accounts, and stricter device controls. The agency also recommends reliance on official app stores, frequent software updates, careful permission auditing, and enabling advanced device protections such as Lockdown Mode on iPhones or Google Play Protect on Android.  

Officials stated that the rapid increase in coordinated mobile surveillance operations reflects a global shift in espionage strategy. With encrypted messaging now central to sensitive communication, attackers are increasingly focused on compromising the endpoint rather than the encryption itself—a trend authorities expect to continue growing.
Read more »
Zero-Click Exploits
CISA advisory Mobile Security Spyware Zero-Click Exploits

Encrypted Chats Under Siege: Cyber-Mercenaries Target High-Profile Users

 

Encrypted Chats Under Siege Encrypted communication, once considered the final refuge for those seeking private dialogue, now faces a wave of targeted espionage campaigns that strike not at the encryption itself but at the fragile devices that carry it. Throughout this year, intelligence analysts and cybersecurity researchers have observed a striking escalation in operations using commercial spyware, deceptive app clones, and zero-interaction exploits to infiltrate platforms such as Signal and WhatsApp.
 
What is emerging is not a story of broken cryptographic protocols, but of adversaries who have learned to manipulate the ecosystem surrounding secure messaging, turning the endpoints themselves into compromised windows through which confidential conversations can be quietly observed.
  
The unfolding threat does not resemble the mass surveillance operations of previous decades. Instead, adversarial groups, ranging from state-aligned operators to profit-driven cyber-mercenaries, are launching surgical attacks against individuals whose communications carry strategic value.
 
High-ranking government functionaries, diplomats, military advisors, investigative journalists, and leaders of civil society organizations across the United States, Europe, the Middle East, and parts of Asia have found themselves increasingly within the crosshairs of these clandestine campaigns.
 
The intent, investigators say, is rarely broad data collection. Rather, the aim is account takeover, message interception, and long-term device persistence that lays the groundwork for deeper espionage efforts.
 

How Attackers Are Breaching Encrypted Platforms

 
At the center of these intrusions is a shift in methodology: instead of attempting to crack sophisticated encryption, threat actors compromise the applications and operating systems that enable it. Across multiple investigations, researchers have uncovered operations that rely on:
 
1. Exploiting Trusted Features
 
Russia-aligned operators have repeatedly abused the device-linking capabilities of messaging platforms, persuading victims—via social engineering—to scan malicious connection requests. This enables a stealthy secondary device to be linked to a target’s account, giving attackers real-time access without altering the encryption layer itself.
 
2. Deploying Zero-Interaction Exploits
 
Several campaigns emerged this year in which attackers weaponized vulnerabilities that required no user action at all. Specially crafted media files sent via messaging apps, or exploit chains triggered upon receipt, allowed silent compromise of devices, particularly on Android models widely used in conflict-prone regions.
 
3. Distributing Counterfeit Applications
 
Clone apps impersonating popular platforms have proliferated across unofficial channels, especially in parts of the Middle East and South Asia. These imitations often mimic user interfaces with uncanny accuracy while embedding spyware capable of harvesting chats, recordings, contact lists, and stored files.
 
4. Leveraging Commercial Spyware and “Cyber-For-Hire” Tools
 
Commercial surveillance products, traditionally marketed to law enforcement or intelligence agencies, continue to spill into the underground economy. Once deployed, these tools often serve as an entry point for further exploitation, allowing attackers to drop additional payloads, manipulate settings, or modify authentication tokens.
 

Why Encrypted Platforms Are Under Unprecedented Attack

 
Analysts suggest that encrypted applications have become the new battleground for geopolitical intelligence. Their rising adoption by policymakers, activists, and diplomats has elevated them from personal communication tools to repositories of sensitive, sometimes world-shaping information.
 
Because the cryptographic foundations remain resilient, adversaries have pivoted toward undermining the assumptions around secure communication—namely, that the device you hold in your hand is trustworthy. In reality, attackers are increasingly proving that even the strongest encryption is powerless if the endpoint is already compromised.
  
Across the world, governments are imposing stricter regulations on spyware vendors and reassessing the presence of encrypted apps on official devices. Several legislative bodies have either limited or outright banned certain messaging platforms in response to the increasing frequency of targeted exploits.
 
Experts warn that the rise of commercialized cyber-operations, where tools once reserved for state intelligence now circulate endlessly between contractors, mercenaries, and hostile groups, signals a long-term shift in digital espionage strategy rather than a temporary spike.
 

What High-Risk Users Must Do

 
Security specialists emphasize that individuals operating in sensitive fields cannot rely on everyday digital hygiene alone. Enhanced practices, such as hardware isolation, phishing-resistant authentication, rigid permission control, and using only trusted app repositories, are rapidly becoming baseline requirements.
 
Some also recommend adopting hardened device modes, performing frequent integrity checks, and treating unexpected prompts (including QR-code requests) as potential attack vectors.
Read more »
SIM Swap Scams
Cyber Attacks Cybercrime Networks cybersecurity breaches Data Protection Strategies Digital Identity Risks Global Data Leaks Online Fraud Tactics Phishing Crimes SIM Swap Scams

The Digital Trail That Led Scammers to Her Personal and Financial Information


 

In an unmistakable demonstration of the speed and sophistication of modern financial fraud, investigators say a sum of almost six crore was transferred within a matter of minutes, passing through an extensive chain of locations and accounts before disappearing without leaving a trace. It all began in a plush condominium tower in a gated enclave in the National Capital Region. 

Over time, it unravelled to a modest three-room home in a Haryana village, and then onto a rented terrace room on the outskirts of Hyderabad, and then to 15 further states across the country. It has been reported that as the trail grew colder, the money passed through 28 bank accounts, touching 141 more, revealing the increasingly brazen precision with which organized cyber-fraud networks operate as they operate through their intricate, circuitous route. 

Sue’s experience is an example of how a single cyber-security breach can cause the unraveling of an entire digital life. The personal details she provided were later found circulating freely online, which served as the entranceway for criminals who carried out a SIM-swap attack, convincing the mobile network that they were the legitimate account holders and obtaining access to her number. By doing so, they were able to access nearly all of her online accounts and reset the credentials. 

A woman describes the experience as “horrible” because she recalls being hijacked from her Gmail account, having her bank logins repeatedly locked after failing security checks, and even having her credit card stolen. Over £3,000 worth of vouchers had been purchased before she was able to stop it from happening. She took multiple trips to both her bank and her mobile provider in order to get control back. 

Each of these visits provided her with a greater understanding of what had happened to her identity - yet even then, the scammers did not quit attempting to exploit her. There is a common pattern among cyber fraudsters which exploits trust, urgency, and fear in order to breach people's digital defences in order to take advantage of them.

The scammers use these techniques to exploit trust, urgency, and fear in order to gain access to their victims. In addition to impersonating banks, government agencies, delivery companies and well-known brands, these groups construct convincing narratives designed to make individuals make hurried decisions. 

There are numerous ways in which fraudsters use phishing emails that mimic official communications and redirect users to fraudulent websites, to vishing calls where fraudsters try to force targets into divulging OTPs, banking credentials, and smishing messages which warn of blocked cards or suspicious transactions to get recipients to click on their malicious links in the hope that they will become victims. 

The methods each use rely on social engineering, which refers to manipulating human behaviour rather than breaking technical systems, and have proven increasingly effective as more personal data is made available online. 

Experts point out that targeting a person does not necessarily mean they are wealthy; rather, anyone with a digital footprint is a potential target. India has become increasingly digitalized, which means that a greater amount of information can be stored, shared, and exposed on multiple platforms. This has created a greater opportunity for criminals to misuse that information, placing users in a much more vulnerable position than they are aware of. 

As a result of the wide-ranging exposure of data to scams in recent years, it has become fertile ground for global scam networks. A pattern that is highlighted by the number of high-profile breaches reported in the year 2025. Marks & Spencer revealed in April that there had been a similar substantial intrusion at its retail outlets, but they have yet to disclose exactly the extent of the attack. 

The Co-op confirmed that personal information of 6.5 million people had been compromised, whereas Marks & Spencer confirmed a similar intrusion in April. According to Harrods, the company's luxury retail operations were breached after the disclosure of 400,000 customer details, and Qantas announced that 5.7 million flyers' data was compromised. 

Data Breach Observatory of Proton Mail estimates that so far this year, 794 verified breaches have been identified from identifiable sources, which have exposed more than 300 million records in a combined fashion. In the opinion of cybersecurity specialist Eamonn Maguire, the theft of personal information is one of the primary reasons why criminals are willing to pay such high prices for this information, as this information can be used for fraud, blackmail, and even further cyberattacks. Yet there is still a conflict between the corporate response to victims and the standard of standard of care that they are expected to provide. 

While companies are required to inform customers and regulators, no universally accepted protocol has been established for what support the affected individuals should receive. A free credit monitoring service has become less popular compared to a time when it was a standard gesture: Ticketmaster offered it last year to those affected by its breach, but some companies have refused to do the same for companies like Marks & Spencer and Qantas. 

The Co-op, on the other hand, chose to give customers a £10 voucher that they could redeem only with a purchase of £40, a gesture that has been widely criticized as insufficient. More and more victims are turning to class-action lawsuits as frustration grows, though these suits usually do not succeed since it can be difficult to prove individual harm in such suits. 

The following exceptions exist: T-Mobile has begun distributing payments to 76 million subscribers in response to a breach in 2021 which affected 76 million of them, a settlement worth $350 million. The compensation is estimated to range between $50 and $300. Despite this expanding threat landscape, experts warn vigilance and accountability are now essential components of effective protection as authorities struggle to cope with the resulting challenges. 

There is a call for individuals to monitor their financial activity closely and protect themselves from identity theft by enabling multifactor authentication and by treating unsolicited phone calls and messages with suspicion. Furthermore, policy-makers are urging clearer breach-response standards to ensure companies don't leave victims alone to deal with the fallout. 

It has become increasingly evident that cyber-fraud networks are becoming more agile and that data leaks have become more widespread and routine. Protecting one's digital identity is no longer an option, it is the first and most crucial defense against a system that too often in its favors the attacker.
Read more »
Internet
Cloud Cyber Security Data hack Google Internet

Google Confirms Data Breach from 200 Companies


Google has confirmed that hackers stole data from more than 200 companies after exploiting apps developed by Gainsight, a customer success software provider. The breach targeted Salesforce systems and is being described as one of the biggest supply chain attacks in recent months. 
 
Salesforce said last week that “certain customers’ Salesforce data” had been accessed through Gainsight applications, which are widely used by companies to manage customer relationships at scale. According to Google’s Threat Intelligence Group, more than 200 Salesforce instances were affected, indicating that the attackers targeted the ecosystem strategically rather than going after individual companies one by one. The incident has already raised deep concern across industries that depend heavily on third-party integrations to run core business functions. 
 
A group calling itself Scattered Lapsus$ Hunters, which includes members of the well-known ShinyHunters gang, has claimed responsibility. This collective has previously targeted prominent global firms and leaked confidential datasets online, earning a reputation for bold, high-impact intrusions. In this case, the hackers have published a list of alleged victims, naming companies such as Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. Some of these organisations have denied being affected, while others are still conducting internal investigations to determine whether their environments were touched. 
 
This attack underscores a growing reality: compromising a widely trusted application is often more efficient for attackers than breaching a single company. By infiltrating Gainsight’s software, the threat actors gained access to a broad swath of organisations simultaneously, effectively bypassing individual perimeter defences. TechCrunch notes that supply chain attacks remain among the most dangerous vectors because they exploit deeply rooted trust. Once a vendor’s application is subverted, it can become an invisible doorway leading directly into multiple corporate systems. 
 
Salesforce has stated that it is working closely with affected customers to secure environments and limit the impact, while Google continues to analyse the breadth of data exfiltration. Gainsight has not yet released a detailed public statement, prompting experts to call for greater transparency from vendors responsible for critical integrations. Cybersecurity firms advise all companies using third-party SaaS tools to review access permissions, rotate credentials, monitor logs for anomalies, and ensure stronger compliance frameworks for integrated platforms. 
 
The larger picture here reflects an industry-wide challenge. As enterprises increasingly rely on cloud services and SaaS tools, attackers are shifting their attention to these interconnected layers, where a single weak link can expose hundreds of organisations. This shift has prompted analysts to warn that due diligence on app vendors, once considered a formality, must now become a non-negotiable element of cybersecurity strategy. 
 
In light of the attack, experts believe companies will need to adopt a more vigilant posture, treating all integrations as potential threat surfaces, rather than assuming safety through trust. The Gainsight incident serves as a stark reminder that in a cloud-driven world, security is only as strong as the least protected partner in the chain.
Read more »
phishing
Cyber Security Fake Domains Login Credentials Microsoft phishing

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials

 




A new phishing operation is misleading users through an extremely subtle visual technique that alters the appearance of Microsoft’s domain name. Attackers have registered the look-alike address “rnicrosoft(.)com,” which replaces the single letter m with the characters r and n positioned closely together. The small difference is enough to trick many people into believing they are interacting with the legitimate site.

This method is a form of typosquatting where criminals depend on how modern screens display text. Email clients and browsers often place r and n so closely that the pair resembles an m, leading the human eye to automatically correct the mistake. The result is a domain that appears trustworthy at first glance although it has no association with the actual company.

Experts note that phishing messages built around this tactic often copy Microsoft’s familiar presentation style. Everything from symbols to formatting is imitated to encourage users to act without closely checking the URL. The campaign takes advantage of predictable reading patterns where the brain prioritizes recognition over detail, particularly when the user is scanning quickly.

The deception becomes stronger on mobile screens. Limited display space can hide the entire web address and the address bar may shorten or disguise the domain. Criminals use this opportunity to push malicious links, deliver invoices that look genuine, or impersonate internal departments such as HR teams. Once a victim believes the message is legitimate, they are more likely to follow the link or download a harmful attachment.

The “rn” substitution is only one example of a broader pattern. Typosquatting groups also replace the letter o with the number zero, add hyphens to create official-sounding variations, or register sites with different top level domains that resemble the original brand. All of these are intended to mislead users into entering passwords or sending sensitive information.

Security specialists advise users to verify every unexpected message before interacting with it. Expanding the full sender address exposes inconsistencies that the display name may hide. Checking links by hovering over them, or using long-press previews on mobile devices, can reveal whether the destination is legitimate. Reviewing email headers, especially the Reply-To field, can also uncover signs that responses are being redirected to an external mailbox controlled by attackers.

When an email claims that a password reset or account change is required, the safest approach is to ignore the provided link. Instead, users should manually open a new browser tab and visit the official website. Organisations are encouraged to conduct repeated security awareness exercises so employees do not react instinctively to familiar-looking alerts.


Below are common variations used in these attacks:

Letter Pairing: r and n are combined to imitate m as seen in rnicrosoft(.)com.

Number Replacement: the letter o is switched with the number zero in addresses like micros0ft(.)com.

Added Hyphens: attackers introduce hyphens to create domains that appear official, such as microsoft-support(.)com.

Domain Substitution: similar names are created by altering only the top level domain, for example microsoft(.)co.


This phishing strategy succeeds because it relies on human perception rather than technical flaws. Recognising these small changes and adopting consistent verification habits remain the most effective protections against such attacks.



Read more »
Shai-Hulud 2.0 worm
developer credentials JavaScript SDK compromise malware npm malware attack PostHog security breach Shai-Hulud 2.0 worm

PostHog Details “Most Impactful” Security Breach as Shai-Hulud 2.0 npm Worm Spreads Through JavaScript SDKs

 

PostHog has described the Shai-Hulud 2.0 npm worm incident as “the largest and most impactful security incident” the company has ever faced, after attackers managed to push tainted versions of its JavaScript SDKs and attempted to automatically harvest developer credentials.

In a recently published postmortem, PostHog — one of the affected maintainers caught up in the Shai-Hulud 2.0 outbreak — revealed that multiple packages, including core libraries such as posthog-node, posthog-js, and posthog-react-native, were compromised. The malicious versions included a pre-install script that ran the moment the package was added to a project. This script executed TruffleHog to search for secrets, exported any discovered credentials to newly created public GitHub repositories, and then used the stolen npm tokens to publish additional malicious updates, allowing the worm to continue spreading.

Researchers at Wiz, who identified the resurgence of the Shai-Hulud campaign, reported that more than 25,000 developers had their credentials exposed within just three days. Beyond PostHog, the malware also infiltrated packages from Zapier, AsyncAPI, ENS Domains, and Postman — many of which receive thousands of downloads every week.

Unlike a standard trojan, Shai-Hulud 2.0 operates like a fully autonomous worm. Once a compromised package is installed, it can collect a wide range of sensitive data — from npm and GitHub tokens to cloud provider credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other confidential information found on developer machines or build environments. PostHog has since revoked all affected tokens, removed the infected package versions, and rolled out “known-good” releases.

However, the postmortem also underscored a deeper systemic flaw: the breach wasn’t caused by a leaked secret, but by a misconfigured CI/CD workflow that allowed untrusted pull-request code to execute with overly broad privileges. A malicious pull request triggered an automated script that ran with full access to the project. Because the workflow did not restrict execution of code from the attacker’s branch, the intruder was able to extract a bot’s personal-access token with organization-wide write permissions and use it to inject malicious updates.

Using the stolen credentials, the attacker created a tampered lint workflow designed to siphon all GitHub secrets — including the npm publishing token. With that token in hand, they uploaded the weaponized SDKs to npm, turning the infection into a self-propagating dependency-chain worm.

PostHog says it is now shifting to a “trusted publisher” model for npm releases, tightening workflow review processes, and disabling install-script execution in CI/CD pipelines, among other security improvements.

If this sounds all too familiar, that’s because it reflects a broader pattern across the ecosystem: over-privileged bots, automated workflows running unchecked, and dependency updates happening faster than anyone can thoroughly validate. As the incident shows, sometimes that’s all a worm needs to thrive.
Read more »
Subscribe to: Comments (Atom)

Featured