Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Investigation Uncovers Thousands of Accounts Tied to Digital Arrest Fraud Networks

  Indian authorities have launched a massive enforcement response to the escalation of extortion and impersonation fraud resulting from cybe...

All the recent news you need to know
Toronto Police
Canada Cyber Crime Cyber Scam SMS Blaster Toronto Police

Canada's First SMS Blaster Bust: 3 Arrested in Toronto Cybercrime Crackdown

 

Toronto police have exposed a first-of-its-kind SMS blaster cybercrime case in Canada, where investigators say three men used a rogue device to mimic a cell tower and push fake texts to nearby phones. The operation, known as Project Lighthouse, reportedly ran across the Greater Toronto Area for months before police arrested the suspects and seized multiple devices. 

The core issue is the use of an SMS blaster, a tool that can trick smartphones into connecting to a fake cellular signal. Once connected, the device can send fraudulent messages that look like they come from banks, delivery services, or other trusted organizations, often leading victims to phishing sites that steal passwords or banking details. Police also said the tactic creates a wider network risk because it can interrupt legitimate mobile connections. 

Investigators say the threat was not small in scale. Reports indicate tens of thousands of devices may have connected to the rogue equipment over several months, and police recorded more than 13 million network disruptions linked to the operation. That disruption is especially serious because it can interfere with emergency access, including the ability to reach 911.

The arrests show how quickly cybercrime is evolving from online-only scams into hybrid attacks that combine physical devices, mobility, and social engineering. Police charged the three suspects with a combined 44 offences, including fraud, mischief, personation, and unauthorized interception-related crimes. The case is being treated as Canada’s first confirmed investigation of this kind, which makes it a warning sign for other cities and countries. 

The broader lesson is that mobile phones can be vulnerable even when users do not click anything suspicious. If a rogue tower is nearby, the attack can start at the network level and then move into fake texts, credential theft, and financial fraud. For readers, the main takeaway is to be cautious with urgent SMS links, verify messages through official apps or websites, and treat unexpected texts from banks or government services as potentially malicious.
Read more »
leaked sensitive data
API API Attack API Keys API security Cyber Security data security government data breaches leaked sensitive data

ClickUp API Key Exposure Leaves Corporate and Government Email Data Public for Over a Year

 

A previously unnoticed weakness in ClickUp’s web infrastructure sat undetected - exposing private data due to an embedded API key left visible on its public site. For over twelve months, access to internal records remained possible because safeguards were missing at a basic level. Emails tied to businesses and official agencies could be pulled by outside parties; no login required. This gap emerged not from complex hacking but from routine coding oversights ignored during deployment. Hidden credentials like these often escape review until examined closely. Months passed before scrutiny revealed what should have been caught earlier. Security gaps of this kind stem less from advanced threats and more from everyday lapses repeated across teams. 

Open talk about the problem began when security analyst Impulsive shared findings showing the leaked credential sat inside a JavaScript file served by ClickUp's site, even before login steps occurred. Since code running in browsers can always be seen, grabbing the API key took little effort and allowed contact with internal servers. Without needing any special access, one basic query allegedly pulled close to a thousand emails plus vast numbers of hidden development settings from the system. The study showed that 959 employee email addresses were part of the leaked data, tied to staff in large companies and public institutions spanning various locations. 

About 3,165 feature flags also turned up in the exposure - visible without restriction. Hidden inside what looks like routine code, these flags might expose how teams test software, plan releases, roll out new tools, or shape future updates. Because of that, malicious actors might mine them to craft deceptive emails, manipulate individuals through tailored messages, or collect insights on rivals’ progress. Surprisingly useful intel often hides where it seems least likely. Early in 2025, news of the exposure surfaced - yet by April 2026, it still hadn’t been fixed, stretching out the time hackers could act. Because access stayed open so long, experts say attackers gained more chances to try breaking in using stolen login details, fake identities, or personalized emails targeting workers linked to the affected websites. 

What happened shows a wider issue for groups depending on cloud-based services. Though easy to avoid, fixed login details remain common in today’s coding practices. When secret access tokens appear in open-source repositories, bots usually find them fast - sometimes in under sixty seconds. Even low-level access codes can lead to large data leaks if internal systems lack strong verification rules. Rotating API keys often helps lower exposure over time. Client-side apps without embedded secrets tend to withstand attacks better. Strict limits on backend access form another layer of defense. 

Protection against phishing gains strength when using tools like DMARC, SPF, or DKIM. Unusual logins catch attention faster with constant tracking. Exposed domains become visible through active threat data streams. Security improves not by one fix alone, but steady adjustments across systems. A quiet mistake lingered unseen within ClickUp's system, revealing data widely before detection. When operations move into shared online environments, oversight gaps often emerge - making careful monitoring essential. Security lapses like this highlight growing pressure on organizations to act earlier, respond smarter, stay alert longer.
Read more »
VECT 2.0 ransomware
Check Point research data wiper malware malware ransomware bug ransomware encryption VECT 2.0 ransomware

VECT 2.0 Ransomware Bug Turns Malware Into a Permanent Data Wiper

Cybersecurity researchers have uncovered a major flaw in the VECT 2.0 ransomware that causes the malware to permanently destroy large files instead of properly encrypting them, making recovery impossible even if victims decide to pay a ransom.

The ransomware operation has reportedly been promoted on newer versions of BreachForums, where the group invited users to join its affiliate program. Interested participants were allegedly given access keys through private messages.

VECT operators also announced a collaboration with TeamPCP, the threat actor linked to recent supply-chain attacks targeting Trivy, LiteLLM, Telnyx, and even the European Commission. According to the announcement, the partnership aimed to exploit victims affected by those supply-chain breaches by deploying ransomware payloads and expanding attacks against additional organizations.

Critical Encryption Flaw Discovered

Researchers found that VECT 2.0 contains a serious issue in how it manages encryption nonces during the file-encryption process. Although the ransomware was designed to speed up encryption for large files, the implementation accidentally overwrites nonce data during each encryption cycle.

Because the malware uses the same memory buffer repeatedly for nonce generation, every newly created nonce replaces the previous one. Once the encryption process is completed, only the final nonce remains stored and is written to disk.

This mistake means that only the last 25% of an affected file can potentially be recovered, while the remaining portions become permanently inaccessible due to the missing nonces.

The problem becomes even more severe because the lost nonces are not sent back to the attackers either. As a result, even the ransomware operators themselves would be unable to decrypt victim files after payment.

Security researchers warned that the flaw effectively transforms the ransomware into a destructive data wiper, particularly in enterprise environments where most valuable assets exceed the malware’s file-size threshold.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.

Researchers also confirmed that the same nonce-management vulnerability exists across all VECT 2.0 variants, including Windows, Linux, and ESXi versions, meaning the irreversible file destruction behavior impacts every platform supported by the ransomware.
Read more »
Technology
cloud act Data Digital Sovereignty Europe Microsoft Technology

Europe Pushes to Reduce Dependence on U.S. Tech as Sovereign Digital Infrastructure Gains Momentum

 




Several European governments are trying to reduce their dependence on American software, cloud platforms, and digital infrastructure as debates around data control, political influence, and technological independence become more intense across the region.

The situation has exposed contradictions in Europe’s relationship with U.S. technology companies. Microsoft chief executive Satya Nadella has largely stayed away from the kind of political messaging often associated with Alex Karp. Despite this difference, France has started moving parts of its public systems away from Microsoft Windows while simultaneously renewing contracts linked to Palantir Technologies through its domestic intelligence agency.

This complicated approach shows how Europe is attempting to distance itself from American tech firms without fully breaking away from them. Many governments now believe that relying too heavily on foreign technology companies can also mean depending on foreign laws, political priorities, and corporate influence. Still, Europe’s response has not followed one common strategy, with many actions appearing fragmented or reactive.

Much of the debate intensified after the U.S. passed the CLOUD Act in 2018 during President Donald Trump’s first term. The law gives American authorities the ability to request data from U.S.-based technology companies even if that information is stored outside the United States. For European officials, this raised concerns that storing data inside Europe may no longer be enough to fully protect sensitive information from foreign legal access.

Healthcare data quickly became one of the strongest examples used in these discussions. Medical records are considered among the most sensitive forms of information governments hold because they contain deeply personal details tied to citizens. Even after the CLOUD Act came into force, the United Kingdom partnered with companies including Google, Microsoft, and Palantir Technologies during the COVID-19 pandemic for projects involving National Health Service data.

Critics have argued that such partnerships could expose public-sector information to outside influence. France later decided that its Health Data Hub would stop using Microsoft Azure infrastructure and move toward what officials described as a sovereign cloud model. The contract was awarded to Scaleway, a cloud provider owned by French telecommunications group Iliad. Scaleway has also been expanding its network of data centers across Europe.

Scaleway later became one of four companies selected in a €180 million sovereign cloud contract backed by the European Commission. The program is intended to support cloud services that operate under European legal and regulatory standards. Notably, the European Sovereign Cloud initiative launched by Amazon Web Services was not included among the selected providers, even though Amazon created the project to answer European concerns about digital sovereignty.

Questions have also emerged around whether some so-called sovereign alternatives remain partly tied to American technology companies underneath. Some observers pointed to S3NS, a joint venture involving French defense company Thales Group and Google Cloud. Critics worry that arrangements like these could still leave room for indirect U.S. access or legal exposure despite being promoted as trusted European solutions.

Europe has faced similar problems in the search engine market. French search company Qwant was previously recommended for public servants in France while relying on Microsoft Bing’s underlying search infrastructure. The relationship later deteriorated after Qwant accused Microsoft of taking advantage of its dominant position in the market. Although French regulators declined to act against Microsoft, Qwant eventually started searching for alternatives on its own.

Qwant later partnered with German nonprofit search platform Ecosia to launch Staan, a Europe-based search index designed to reduce reliance on Google and Bing technologies. The project focuses on privacy and regional control over search infrastructure. Even so, both companies remain far smaller than their American competitors. Ecosia, despite having around 20 million users, still operates on a completely different scale compared to Google’s global user base.

One of the biggest problems facing European technology firms is market dominance from American companies. U.S. providers continue to control large parts of cloud computing, enterprise software, internet search, and artificial intelligence markets because of their global infrastructure, financial resources, and established ecosystems. European officials hope that large public-sector contracts could help regional providers compete more effectively.

Besides Scaleway, the European Commission’s sovereign cloud program also selected French companies Clever Cloud and OVHcloud, along with STACKIT. STACKIT was developed by the Schwarz Group, the parent company of Lidl, originally for its own internal systems before later being turned into a commercial cloud service.

Supporters of the initiative believe government-backed contracts could encourage more European companies to invest in domestic infrastructure instead of depending on foreign cloud providers. Backers of the program have also said the project aims to encourage digital solutions that align with European laws, governance rules, and privacy standards.

Still, Europe’s strategy of distributing contracts across several companies may create another challenge. While diversification could reduce dependence on one dominant provider and improve resilience, it may also make it harder for Europe to build a single technology giant capable of competing globally with firms such as Microsoft, Amazon, or Google.

Some critics also view sovereign tech partly as an economic strategy meant to keep European spending within the region. However, Europe’s attempts to move away from U.S. technology have not always translated into direct support for startups. In several cases, governments have instead turned toward open-source software alternatives.

France has already started replacing parts of its Windows-based systems with Linux. Public institutions in Germany, Denmark, Austria, and Italy are also exploring alternatives to Microsoft’s office software products through platforms such as LibreOffice.

Several governments have also embraced a “build instead of buy” approach by creating internal software tools. That strategy has faced criticism from parts of the technology and financial sectors. France’s Court of Auditors reportedly questioned spending linked to Visio, an internally developed platform intended to act as an alternative to Zoom and Microsoft Teams.

French newspaper Les Echos also reported frustration from parts of the country’s technology sector. Some critics argued that if governments themselves do not consistently adopt domestic technology tools, it becomes difficult to convince large private companies to do the same.

Many giants of European businesses continue selecting American technology providers when they offer stronger technical or commercial advantages. German airline Lufthansa chose Starlink for onboard internet services. Air France also selected Starlink despite partial ownership ties to the French and Dutch governments. Reports have additionally suggested that France’s national railway operator SNCF may eventually adopt similar services.

The debate around European alternatives has become particularly visible in satellite communications. During a disagreement involving Poland, Elon Musk stated publicly that “there is no substitute for Starlink.” European governments are now trying to prove otherwise by investing in domestic telecommunications and space infrastructure projects.

Public sentiment has also started influencing the discussion. After President Trump threatened to take control of Greenland, applications encouraging consumers to boycott American products surged in popularity on Denmark’s App Store rankings. The reaction showed that calls to reduce dependence on U.S. companies are no longer limited to policymakers and regulators.

Pressure is also building on European governments to reconsider contracts involving controversial American firms. Palantir’s recent public messaging and political positioning have drawn criticism inside parts of the European Union and the United Kingdom. At the same time, many European officials and citizens have started distancing themselves from X, formerly Twitter, because of growing dissatisfaction around platform governance and political discourse.

American technology companies have also shown that Europe is not always their top commercial priority. When Meta delayed the European release of Threads because of regulatory concerns tied to EU laws, it reinforced the perception that large U.S. firms can afford to deprioritize the region when legal requirements become too restrictive.

At the same time, this environment is opening new opportunities for companies building products specifically designed for European markets, languages, and legal standards. Supporters of the EuroStack initiative are pushing for rules that would encourage or require public institutions to purchase locally developed technology whenever possible.

Backers of sovereign tech also hope European companies can eventually compete internationally rather than only within domestic markets. French artificial intelligence company Mistral AI has reportedly experienced strong revenue growth as some businesses search for alternatives to OpenAI. Meanwhile, the governments of Canada and Germany are supporting cooperation between Cohere and Aleph Alpha to create what supporters describe as a transatlantic AI platform for governments and businesses.

As geopolitical tensions continue reshaping the global technology industry, some companies are discovering that not being American, Chinese, or Russian is itself becoming a commercial advantage in international markets.

Read more »
WhatsApp Worm
Banking Security Banking Trojan Credential Theft DLL Sideloading Financial Cybercrime malware Outlook Malware TCLBANKER WhatsApp Worm

TCLBANKER Threat Actors Intensify Financial Attacks Using Outlook and WhatsApp Worms


 

Elastic Security Labs has identified TCLBANKER as REF3076, which represents a significant development in Latin American banking malware. In addition to credential theft, remote session control, and worm-like propagation, it has been linked to older Maverick and SORVEPOTEL malware families, but with more sophisticated stealth and self-distribution features. 

By delivering the trojan via trojanized Logitech AI Prompt Builder MSI installer hidden within malicious ZIP archives, the trojan spreads through compromised WhatsApp and Microsoft Outlook accounts. As well as employing extensive anti-analysis protections to evade sandboxes, debugging tools, and security monitoring systems, TCLBANKER targets 59 Brazilian banking, fintech, and cryptocurrency platforms. 

Research has shown that although the campaign is currently focused on Brazil through locale verification and keyboard layout verification checks, its modular architecture is capable of enabling broader international expansion in the future. Researchers have found that the malicious library “screen_retriever_plugin.dll” is executed through the legitimate Logitech application via DLL sideloading. 

The malware only activates when loaded by approved executables such as “logiaipromptbuilder.exe,” allowing it to blend into trusted processes and avoid detection. Watchdog subsystems are included in its loader, which continuously searches for debuggers, sandboxes, antivirus engines, and forensic analysis tools. Also, it removes usermode hooks from “ntdll.dll” and disables Event Tracing for Windows (ETW) telemetry so that endpoint monitoring visibility can be compromised. 

The TCLBANKER software generates an environment-specific hash value by performing multiple anti-debugging, anti-virtualization, disk, and language checks before decrypting its payload. In the event analysis conditions are detected, the payload is intentionally disabled from decrypting, preventing execution in sandboxes. 

Following validation, the malware establishes persistence through scheduled tasks and communicates with external command-and-control infrastructure using HTTP POST requests containing information regarding the system. 

An increasing trend among financially motivated threat actors is to combine enterprise-grade evasion techniques with consumer-centered banking fraud operations, as evidenced by the malware's layered execution model. During their research, researchers found that TCLBANKER did not rely exclusively on credential theft, but rather operated as an interactive remote intrusion platform, maintaining prolonged access to compromised systems. 

In addition to monitoring user behavior in real time, attackers can manipulate banking sessions directly and bypass traditional fraud detection mechanisms that detect automated transactions, allowing them to bypass traditional fraud detection mechanisms. Since the malware executes most of its activity in memory, and limits visible artifacts on disk, it can be detected more easily by conventional anti-virus and endpoint monitoring programs. 

As a consequence of these characteristics, analysts caution that traditional banking trojans and lightweight advanced persistent threat tooling are becoming increasingly blurred, particularly as financial criminals target online banking ecosystems with targeted cybercrime campaigns. With TCLBANKER, users can perform a number of remote fraud functions, including screen capture, live session monitoring, clipboard interception, keylogging, and direct shell command execution. 

During fraudulent activities, the malware blocks shortcuts such as Alt+F4, Escape, PrintScreen, and the Windows key while terminating Task Manager processes repeatedly to prevent user interference. Moreover, the WDA_EXCLUDEFROMCAPTURE flag was used by worms to hide malicious overlays from screen-recording tools. 

TCLBANKER is also known to include two worm modules, Tcl.WppBot and Tcl.WppBot, which spread via WhatsApp Web and Microsoft Outlook. Through phishing links sent through authenticated WhatsApp sessions to victim contacts, as well as through Outlook COM automation, the malware distributes malicious emails from legitimate user accounts using trusted communication channels, thus significantly increasing infection success rates.

As part of its monitoring of activity across Chrome, Firefox, Edge, Brave, Opera, and Vivaldi, TCLBANKER targets 59 Brazilian fintech, banking, and cryptocurrency services specifically. During operation, the malware maintains persistence through a hidden scheduled task called "RuntimeOptimizeService," while monitoring virtualization platforms, debugging tools, and sandbox environments to preserve operational stealth. 

Additionally, researchers stressed the operational advantages created by TCLBANKER's abuse of trusted communication environments. As opposed to traditional phishing campaigns that rely on a large-scale spam infrastructure, this malware uses compromised user accounts to distribute malicious content through existing personal and corporate relationships, leveraging compromised user accounts. 

Social engineering success rates are substantially improved as recipients are more likely to trust links or attachments received from trusted sources. Using WhatsApp Web and Microsoft Outlook also allows the campaign to spread without being dependent on attacker-controlled infrastructure that could otherwise be blocked or blacklisted. 

According to analysts, this propagation strategy represents an evolution in malware delivery operations, as threat actors are increasingly weaponizing legitimate platforms and authenticated sessions in order to bypass spam filtering technologies, reputation-based detection systems, and user suspicion, and to bypass email filtering technologies. 

Additionally, cybersecurity researchers are concerned about the continued abuse of legitimately signed applications within malware delivery chains as a consequence of the campaign. TCLBANKER takes advantage of user trust in recognized brands by embedding malicious components inside authentic Logitech software, thereby decreasing the likelihood of immediate detection during installation. 

DLL sideloading techniques of this kind continue to be particularly effective because they exploit legitimate application behavior instead of exploiting exploits. Due to the combination of signed software abuse, environment-aware payload activation, and memory-resident execution, the malware is much less forensically accessible than traditional commodity banking trojans. 

The analysts believe that the use of these methods will likely continue in future financial malware operations as cybercriminal groups adapt increasingly stealth-oriented intrusion techniques to improve persistence and reduce defence visibility over an infected environment as a result of increasing stealth-oriented intrusion techniques. The TCLBANKER platform has been designed to highlight the increased sophistication of today's banking malware. 

TCLBANKER combines trusted software abuse, advanced defense evasion, and self-propagating distribution methods to create a highly adaptive financial threat platform. Despite the malware's ability to spread through legitimate WhatsApp and Outlook accounts, it reflects the shift toward trust-based infection chains that improve victim engagement and compromise rates. 

While the malware's current operations are mainly targeted at Brazilian financial users, researchers caution that its modular architecture and stealth-focused architecture could allow for broader international targeting in the future. 

According to the findings, hardware and software endpoint monitoring should be strengthened, software validation controls implemented, and user awareness should be increased as financially motivated cyber threats continue to evolve in terms of complexity and extent.
Read more »
Robinhood phishing scam
Cybersecurity Data Phishing Attack Robinhood email exploit Robinhood login alert Robinhood phishing scam

Robinhood Email System Exploited to Deliver Phishing Messages Through Legitimate Alerts

 

Online trading platform Robinhood recently faced a phishing campaign in which cybercriminals manipulated its account creation process to send fake security alerts through legitimate company emails. The incident caused confusion among users, as the fraudulent messages appeared to come directly from Robinhood’s official email system.

The phishing emails carried the subject line “Your recent login to Robinhood” and warned recipients about an “Unrecognized Device Linked to Your Account.” The messages included suspicious IP addresses and partially hidden phone numbers to create a sense of urgency and authenticity.

"We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account."

Recipients were directed to click a button labeled “Review Activity Now,” which redirected users to a phishing domain designed to steal login credentials. The malicious site has since been taken offline, though screenshots shared on Reddit suggested it was being used to capture Robinhood account details.

What made the attack particularly convincing was that the emails originated from Robinhood’s legitimate email address, noreply@robinhood.com
, and successfully passed SPF and DKIM authentication checks commonly used to verify email legitimacy.

According to findings by BleepingComputer, attackers exploited a weakness in Robinhood’s onboarding workflow that failed to properly sanitize HTML input during account registration.

During the signup process, Robinhood automatically sends a “Your recent login to Robinhood” notification containing information such as device details, IP address, login time, and approximate location. Threat actors reportedly manipulated the device metadata field by inserting malicious HTML code, which was later rendered inside the email.

This caused the “Device” section of the message to display a fake warning about suspicious account activity, effectively embedding a phishing alert into a legitimate email template.

Researchers believe the attackers may have used previously leaked customer email lists to target existing Robinhood users. In 2021, Robinhood experienced a breach that affected nearly 7 million customers, with stolen information later appearing for sale on hacking forums.

The attackers also reportedly took advantage of Gmail’s dot aliasing feature, which allows email addresses with added periods to still route to the same inbox. This method enabled cybercriminals to create multiple Robinhood accounts using slight variations of real customer email addresses while ensuring delivery to the intended victims.

As a result, many recipients received what looked like a genuine Robinhood login notification containing a fraudulent warning about “unrecognized activity” and instructions to review their accounts immediately.

Robinhood later addressed the incident publicly on X.

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com
 with the subject line 'Your recent login to Robinhood.'," posted RobinHood.

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The company has since resolved the vulnerability by removing the abused Device field from account creation emails. Robinhood also advised affected users to delete the suspicious email and avoid interacting with any embedded links.
Read more »
Subscribe to: Posts (Atom)

Featured