Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

How Telecom Systems Were Used to Secretly Track Mobile Users Worldwide

A new investigation by the digital rights research group Citizen Lab has revealed how weaknesses inside global telecom infrastructure were ...

All the recent news you need to know
location tracking
Bluetooth Bluetooth exploits Bluetooth Flaw Cyber Police Cyber Privacy Cyber Security cybersecurity risks location tracking

Axon Police Taser and Body Camera Bluetooth Flaw Raises Officer Tracking Concerns

 

Australian police may unknowingly be exposing their live locations through Bluetooth-enabled devices made by Axon. Researchers discovered that body cameras and tasers used across the country broadcast signals without modern privacy protections, potentially allowing anyone nearby to detect and track officers in real time. 

Unlike smartphones that randomize Bluetooth MAC addresses to prevent tracking, Axon devices reportedly use static identifiers. This means simple apps or laptops can detect nearby police equipment and reveal device details, coordinates, and movement patterns. 

A security researcher demonstrated the issue in Melbourne using publicly available Android software capable of identifying Axon devices. Custom tools reportedly extended the tracking range to nearly 400 meters, raising concerns for undercover officers, tactical teams, and police returning home after shifts. 

Experts warn criminal groups could deploy low-cost Bluetooth scanners across neighborhoods to monitor police activity, detect raids, or map officer movement in real time. The flaw has reportedly been known since 2024, when warnings were sent to police agencies, ministers, federal authorities, and national security offices urging immediate action. 

Internal reviews within Victoria Police reportedly acknowledged the threat and recommended protections for covert units. However, after discussions with Axon, the issue was later downgraded internally. Victoria Police later stated there had been no confirmed cases of officers being tracked through the devices. Police agencies across New South Wales, Queensland, Western Australia, South Australia, Tasmania, the Northern Territory, and the Australian Federal Police were also informed of the vulnerability. 

Most declined to explain whether officers were warned or if safeguards had been introduced. Researchers believe the flaw stems from hardware design rather than software alone, making simple patches unlikely to fully resolve the problem. Fixing it may require redesigning core system components entirely. 

Axon has acknowledged on its security pages that its cameras emit detectable Bluetooth and Wi-Fi signals and advises customers to consider operational risks before deployment in sensitive situations. Critics argue these warnings remain buried in technical documentation instead of being clearly communicated to frontline officers. 

The issue highlights growing concerns about modern policing’s dependence on connected technology. As law enforcement increasingly relies on wireless devices, AI systems, and cloud-based tools, small cybersecurity flaws can quickly become serious operational and physical safety risks.
Read more »
Telegram
Application Apps Crypto Crypto scams Cyber Crime Scam Telegram

Hackers Exploit Telegram Mini Apps, Distribute Malware and Crypto Scams

 

Cybersecurity experts found a large-scale fraud campaign that used Telegram’s Mini App feature to launch crypto attacks, mimic famous brands and spread Android malware. 

FEMITBOT malware 


Research by CTM360 has dubbed the platform as FEMITBOT, it is based on a string present in API responses and uses Telegram bots and integrated Mini Apps to make believable, app-like experiences directly inside the messaging platform.

These Mini Apps are lightweight web apps that run within Telegram’s built-in browser, allowing services like payments, interactive tools, and account access without needing users to leave the application. Exploiting Telegram Mini apps

The FEMITBOT platform is used for various scams such as financial frauds, AI tools, streaming sites, and fake cryptocurrency platforms.

In a few campaigns, hackers imitated famous brands to boost engagement and credibility, while having the same backend infrastructure with multiple Telegram bots and different domains.

Brands impersonated


Brands copied in this campaign are Disny, eBay, YouKu, NVIDIA, Moon Pay, Apple, and Coco-Cola. The campaign used a common backend, different phishing domains used the same API response: “Welcome to join the FEMITBOT platform," indicating they are all using the same infrastructure.

Telegram bots compromised


Campaign used Telegram bots to show phishing websites directly inside the social media site. Once a user interacts with a Telegram bot and opens “Start,” the bot starts a Mini App that shows a phishing page inside Telegram’s default WebView. The user is tricked into thinking it's part of the application itself.

Tricking users via phishing tactics


After entering the system, targets are displayed dashboards with fake balances with fake countdown timers or limited-time offers to bait users.

When a user tries to take money, they are asked to make a deposit or do referral work. This is a general tactic in advanced-fee scams and investments.

The infrastructure is built to be used across multiple campaigns so that hackers can easily switch among brands, themes, and languages. The campaigns also use tracking scripts like TikTok and Meta tracking pixels, to trace users’ activity, optimize performance, and measure interactions.

Malware distribution via mini apps


Additionally, some Mini Apps tried to spread malware by posing as companies like the BBC, NVIDIA, CineTV, Coreweave, and Claro in Android APKs.

“Built on a modular, template-driven architecture, FEMITBOT enables rapid deployment, brand impersonation, and campaign optimization using real-time tracking and analytics. This reflects a shift toward scalable, marketing-like fraud operations designed to maximize user conversion and financial gain,” the report said.
Read more »
Vulnerabilities and Exploits
Cybersecurity Exim security flaw Exim vulnerability remote code execution Vulnerabilities and Exploits

Critical Exim Flaw Exposes Email Servers to Remote Code Execution Risk

 

A newly discovered security vulnerability in the widely used mail transfer agent Exim has raised serious concerns among cybersecurity experts, as attackers could exploit the flaw to potentially execute malicious code remotely on vulnerable email servers.

According to researchers, the vulnerability occurs due to improper memory handling during the TLS session shutdown process. The issue specifically affects Exim installations using GnuTLS configurations.

“This sequence of events can cause Exim to write into a memory buffer that has already been freed during the TLS session teardown, leading to heap corruption. An attacker only needs to be able to establish a TLS connection and use the CHUNKING (BDAT) SMTP extension.”

Security experts confirmed that all Exim versions starting from 4.97 through 4.99.2 are vulnerable. However, systems relying on OpenSSL or other TLS libraries are not affected, as the flaw only impacts builds compiled with USE_GNUTLS=yes.

The vulnerability was identified by Federico Kirschbaum, Head of Security Lab at XBOW, an autonomous cybersecurity testing platform, who reported the issue on May 1, 2026.

“During TLS shutdown, Exim frees its TLS transfer buffer – but a nested BDAT receive wrapper can still process incoming bytes and end up calling ungetc(), which writes a single character (\n) into the freed region,” Kirschbaum said. “That one-byte write lands on Exim's allocator metadata, corrupting the allocator's internal shape; the exploit then leverages that corruption to gain further primitives.”

XBOW described the flaw as one of the most severe vulnerabilities uncovered in Exim in recent years, noting that attackers require minimal server-side configuration to trigger the exploit successfully.

To address the issue, Exim developers released version 4.99.3 and urged administrators to upgrade immediately. The developers also clarified that no temporary workaround or mitigation is currently available.

“The fix ensures that the input processing stack is cleanly reset when a TLS close notification is received during an active BDAT transfer, preventing the stale pointers from being used,” Exim noted.

This is not the first major security concern involving Exim. Back in 2017, the platform fixed another critical use-after-free vulnerability, tracked as CVE-2017-16943, which allowed unauthenticated attackers to execute remote code using specially crafted BDAT commands and potentially take control of email servers.
Read more »
Token Hijacking
Cloud Account Compromise Cyber Threats Identity Attacks Microsoft Azure OAuth Abuse Token Hijacking

Automated OAuth Abuse by ConsentFix v3 Raises Azure Security Concerns


 

Researchers discovered that a newly identified phishing framework called ConsentFix v3 is having a direct impact on identity-based attacks in cloud environments after finding its ability to systematically compromise Microsoft Azure accounts using automated OAuth abuse. 

The latest iteration combines large-scale social engineering, tenant reconnaissance, and automated token harvesting into a coordinated attack chain designed to bypass conventional security controls. This represents an advanced evolution of previous ConsentFix campaigns. Attackers can manipulate authentication consent mechanisms and gain persistent access to enterprise environments via OAuth2 exploits that exploit weaknesses in the authorization code flow. 

Another defining element of the campaign is the use of Pipedream, a serverless integration platform leveraged to automate authorization code collection, refresh token generation, and data exfiltration workflows, significantly improving the scale and operational efficiency of the intrusion process. 

Using Azure tenant IDs and profiling employees for targeted impersonation, attackers initiate compromises, as demonstrated by report findings. Phishing infrastructure is deployed across multiple online services to support credential deception, token interception, and long-term account persistence by deploying phishing infrastructure across several online services.

ConsentFix v3 represents a rapid evolution of OAuth-related phishing methodologies. Late last year, Push Security introduced the original ConsentFix technique as a ClickFix-inspired attack targeting Microsoft authentication workflows, which attracted attention. An early variant of this attack relied heavily on social engineering techniques to trick victims into completing a legitimate Azure CLI login sequence and manually pasting a localhost URL containing an authorization code. 

In exchange for the code, attackers were able to hijack Microsoft accounts without the use of password theft once they had captured it, effectively bypassing multi-factor authentication by utilizing trusted identity processes rather than exploiting endpoint vulnerabilities. In order to streamline the phishing chain, researcher John Hammond developed refinements that eventually resulted in ConsentFix v2, which incorporated a drag-and-drop mechanism for the localhost URL instead of manual copy-and-paste interaction. This improved the realism of the deception process and its success rate. 

ConsentFix v3 continues to weaponize the OAuth2 authorization code flow while abusing Microsoft first-party applications that are already trusted and pre-consented within enterprise environments. This attack model is complemented by enhanced automation, broader scalability, and infrastructure designed to support high volume token interception operations across Azure tenants, while also expanding the attack model. 

A systematic operational analysis of ConsentFix v3 indicates that the campaign is organized around a multi-stage intrusion workflow, which maximizes authenticity as well as the efficiency of token acquisition. Several threat actors report that they conduct extensive reconnaissance on targeted Azure environments, validate tenant identifiers, and aggregate employee intelligence, including corporate e-mail addresses, organizational roles, and identity metadata, in order to support highly tailored impersonation attempts. 

The campaign infrastructure relies on Cloudflare Pages for phishing page hosting and Pipedream for backend automation, enabling attackers to coordinate credential lures, webhook execution, and token collection through a highly scalable framework. By carefully crafting phishing emails containing embedded document links that direct users to fake Microsoft authentication portals that trigger legitimate OAuth login requests, victims are subsequently targeted. This technique significantly increases user trust and reduces conventional phishing indicators, thereby enhancing user trust.

After user interaction, the attack moves into the exploitation phase, where users are manipulated to copy, paste, or interact with localhost URLs containing OAuth authorization codes. Once intercepted, the authorization codes are transmitted to attacker-controlled infrastructure where automated workflows use Microsoft APIs to exchange them for access and refresh tokens capable of granting unauthorized access to mailboxes, cloud storage, and internal enterprise data. 

According to researchers, the abuse of Microsoft's Family of Client IDs (FOCI) functionality further amplifies the threat by enabling token reuse between multiple trusted Microsoft applications, which provides attackers with greater persistence and lateral access without having to repeatedly complete authentication procedures. 

Consequently, the campaign highlights persistent architectural weaknesses associated with OAuth-based trust models and token-centric authentication mechanisms, resulting in a renewed emphasis on defensive measures, such as enforcing granular conditional access policies, binding tokens to managed devices, monitoring anomalous non-interactive sign-ins, and revoking refresh tokens immediately upon suspicion of compromise. 

The security team is also being encouraged to tighten consent controls, reduce excessive permission exposure, and continuously audit authentication telemetry in order to detect signs of advanced OAuth abuse before it can establish long-term persistence. 

Researchers observed substantial operational overlap between ConsentFix and device code phishing, as both techniques abuse OAuth authorization workflows to bypass traditional authentication barriers and achieve unauthorized token issuance without directly stealing credentials. The primary distinction between the two techniques lies in the OAuth mechanisms they exploit. 

Device code phishing abuses the device authorization grant defined in RFC 8628, whereas ConsentFix targets the authorization code grant outlined in RFC 6749, particularly within native and desktop application flows that rely on localhost redirects. The two attack paths converge within the same token issuance infrastructure, regardless of their differences in execution. Therefore, attackers' access level is less dependent on the OAuth flow than it is on the targeted application, its permission scopes, and user privileges. 

Both authentication flows ultimately allow threat actors to obtain highly valuable authentication artifacts capable of sustaining persistent access across cloud environments. Further, researchers report that attackers are increasingly targeting Microsoft applications classified under the Family of Client IDs (FOCI) model due to their portability and utility after compromise, particularly against non-administrative enterprise users. 

The ability to silently pivot between interconnected Microsoft services, such as Outlook, Teams, OneDrive, and SharePoint through API-based access without repeatedly authenticating is enabled by attacking FOCI-enabled applications via ConsentFix or device code phishing campaigns. Operators who are more advanced may escalate the intrusion by abusing Primary Refresh Tokens (PRTs), a technique that allows seamless single sign-on across applications and browser sessions connected to Entra ID. 

Such escalation commonly involves abusing the Microsoft Authentication Broker application and chaining the compromise into a rogue device registration within the victim environment, mirroring tactics previously associated with Storm-2372 during large-scale device code phishing campaigns in 2025. 

Researchers believe ConsentFix v3 currently resembles an operational proof of concept more than a fully industrialized phishing-as-a-service platform. Despite its reliance on legitimate SaaS tools and readily accessible automation infrastructure, its rapid operation by threat actors with minimal custom development overhead demonstrates just how quickly sophisticated OAuth abuse can be operationalized.

In addition, the campaign has intensified the need for a change in defensive strategy, particularly given the fact that browser-based identity attacks continue to bypass many of the conventional methods of protecting endpoints. To detect malicious OAuth activity occurring within trusted authentication sessions, organizations need to use real-time behavioral monitoring and identity-aware threat hunting capabilities, combining real-time behavioral monitoring with identity-aware threat hunting capabilities. 

Traditional mitigations recommended for device code phishing, including disabling device code flow through conditional access policies, offer only partial protection against ConsentFix because the framework abuses a separate authentication pathway. Instead of exposing vulnerable applications to OAuth token phishing, defenders are recommended to create dedicated Service Principals and restrict access only to explicitly authorized users. 

Furthermore, proactively searching authentication logs for suspicious application and resource identifiers should be considered, correlating inconsistencies between initial login IP addresses and subsequent token activity should be monitored closely, as well as closely monitoring anomalous session behavior that could indicate attacker control following legitimate authentication attempts. This emergence of ConsentFix v3 can be attributed to a trend in the modern threat landscape in which cybercriminals are increasingly targeting identity infrastructure and trusted authentication frameworks as an alternative to malware and credential theft alone. 

The campaign demonstrated how adversaries could gain persistent access within enterprise environments while remaining difficult to detect through conventional security mechanisms through the abuse of legitimate OAuth workflows and cloud-native services. According to research, similar techniques are likely to become more operationalized across cloud ecosystems as automation, token abuse and SaaS-based attack infrastructure mature.

Organizations should strengthen identity-centric defenses, continuously monitor authentication behavior, and evaluate their trust relationships embedded within modern cloud platforms as soon as possible before OAuth-driven intrusions become a mainstream enterprise threat vector. The findings reinforce the growing urgency for organizations to strengthen identity-centric defenses before OAuth-driven intrusions become a mainstream enterprise threat.
Read more »
technology
Apple Pay Bank Digital payment system Ghost Tap Google Pay payment scams technology

Experts Say ‘Ghost Tapping’ Payment Scams Are Uncommon, But Consumers Should Still Stay Alert

 










As contactless payment systems become increasingly common at stores, public events, and seasonal markets, cybersecurity and payment security experts are reminding consumers to remain aware of how digital transactions work and to regularly monitor their financial activity. The warning follows growing discussions around so-called “ghost tapping” scams, a term used to describe situations where a payment could allegedly be processed through a smartphone’s tap-to-pay feature without the owner intentionally authorizing the transaction.

Despite online concern surrounding the issue, consumer protection specialists say incidents involving “ghost tapping” remain highly uncommon. Erin McGovern, a consumer protection official who has been monitoring complaints linked to the scam, said her organization has received fewer than 10 reports connected to these cases so far. However, she cautioned that risks associated with payment fraud may become more noticeable during busy shopping periods such as holiday markets, craft fairs, and seasonal events where large numbers of people rely on mobile payment systems for convenience.

At these public events, many vendors use portable payment terminals that allow customers to quickly complete purchases using smartphones or digital wallets instead of physical cash or bank cards. McGovern explained that while the speed and convenience of tap-to-pay technology make shopping easier, consumers should still remain careful about confirming the exact amount being charged before approving any transaction. She noted that shoppers sometimes become distracted in crowded environments, making it easier to overlook suspicious activity or incorrect payment totals.

The discussion around “ghost tapping” has raised concerns online because many consumers are unfamiliar with the technical limitations of contactless payment systems. Security specialists explain that tap-to-pay technology operates through Near Field Communication, commonly known as NFC. This wireless communication technology allows devices such as smartphones, smartwatches, and payment terminals to exchange encrypted payment information when placed extremely close together.

According to payment security experts, NFC technology only functions across a very short range, typically four centimeters or less. Michael Jabbara, Senior Vice President and Head of Payment Ecosystem Risk and Control at Visa, explained that the required distance is approximately the size of a small paper clip. Because of this limitation, an individual attempting to secretly trigger a payment would need to move unusually close to another person’s phone or pocket.

Jabbara stated that most people would naturally notice if someone entered their personal space to that extent. For that reason, experts say it would be highly difficult for a scammer to perform an unauthorized tap-to-pay transaction without drawing attention. While researchers acknowledge that such activity may be technically possible under certain conditions, they emphasize that it would be extremely unusual for it to happen without the victim becoming aware of suspicious behavior.

Still, cybersecurity professionals say the conversation surrounding “ghost tapping” highlights a broader and more realistic concern: many consumers fail to regularly review their banking activity or payment notifications. According to Jabbara, fraudsters often depend on victims ignoring account activity until the end of the month or waiting several weeks before reviewing statements. This delay can allow unauthorized purchases to remain undetected long enough for scammers to continue exploiting stolen payment information.

Financial security experts recommend reviewing banking applications, credit card activity, and digital wallet transactions frequently instead of waiting until a dispute becomes necessary. Early detection of suspicious purchases significantly increases the chances of stopping additional fraudulent activity and recovering lost funds.

Consumer protection authorities also note that individuals who believe they were targeted by payment fraud can dispute unauthorized charges directly with their bank or credit card provider. In some cases, victims may also submit formal complaints to their local attorney general’s office or consumer protection agencies for further investigation.

However, specialists say prevention remains the most effective defense against digital payment scams. One of the strongest recommendations from payment security experts is enabling instant transaction alerts through banking and credit card applications. Many financial institutions already use automated fraud-detection systems that analyze unusual spending behavior and risk patterns before approving transactions. Even so, transaction alerts provide another important layer of protection by notifying users immediately whenever money is spent through their account.

These notifications can help consumers quickly identify purchases linked to unfamiliar merchant names, unexpected locations, or payment amounts they did not approve. Experts say immediate awareness often prevents fraud from escalating into larger financial losses.

Another important safety measure is always requesting a receipt after making a purchase. Receipts serve as proof of payment and can become important evidence if consumers later need to challenge suspicious charges with their bank or payment provider. McGovern warned that vendors refusing to provide receipts or claiming that their payment system is suddenly malfunctioning could represent a potential warning sign of fraudulent behavior.

Cybersecurity analysts additionally point out that modern digital wallet systems, including services such as Apple Pay and Google Pay, already contain multiple layers of security protection. These systems rely on technologies such as tokenization and encryption, which help prevent actual card numbers from being directly exposed during transactions. Instead of transmitting sensitive banking details, digital wallets generate encrypted payment tokens designed to reduce the likelihood of financial data theft.

Although security protections built into modern payment platforms have substantially reduced many traditional forms of card fraud, experts caution that scammers continuously adapt their tactics as digital payment technology evolves. For that reason, cybersecurity professionals stress that awareness, regular account monitoring, transaction alerts, and cautious payment habits remain essential safeguards for consumers using contactless payment systems.

Read more »
User Privacy
Aadhaar Scam Ahemdabad AI Deepfakes Cyber Fraud User Privacy

AI Deepfake Scam Changes Aadhaar Mobile Without OTP

 

AI-enabled fraudsters are now using deepfake tools to change Aadhaar details, such as the mobile number linked to an account, without victims noticing, enabling identity theft and loan fraud.

In Ahmedabad, cybercrime investigators uncovered a racket that quietly replaced victims’ Aadhaar-linked mobile numbers and then used those new numbers to intercept OTPs and take control of digital services, including DigiLocker and banking apps. The gang reportedly collected Aadhaar numbers, photographs and other personal data from leaks and social media, then used AI software to turn still photos into short “blink” videos that mimic liveness checks and fool verification systems. 

Once the fraudsters changed the registered mobile number, they could receive OTPs and update KYC details, effectively hijacking victims’ digital identities and applying for loans or accessing accounts in their names. Police say the operation was organised with distinct roles: some members sourced data and photos, others used Aadhaar update kits—often through Common Service Centres (CSCs)—to make unauthorised changes, and specialists created deepfake clips to pass biometric checks.

Authorities arrested several suspects after a businessman reported that his Aadhaar-linked number was altered without any OTP or call alerts, revealing how smoothly the criminals combined social engineering, physical update kits, and AI manipulation to bypass safeguards. Reports indicate the attackers exploited weaknesses in offline update workflows and gaps in liveness-detection systems that still accept AI-generated motion as genuine.

Safety recommendations 

To protect yourself, regularly verify the mobile number linked to your Aadhaar and lock your biometrics using official mAadhaar or UIDAI services when not in use. Monitor DigiLocker and bank accounts for unexpected changes and set up transaction alerts with your bank; if you spot unusual activity, report it immediately to local cybercrime units or UIDAI’s helplines. Avoid uploading Aadhaar photos or documents on unfamiliar platforms and be cautious about sharing personal information on social media, which criminals can reuse to create realistic deepfakes. 

Longer-term fixes will require stricter controls around Aadhaar update kits at CSCs, better audit trails for demographic changes, and improved liveness-detection algorithms that can distinguish AI-generated clips from real facial movement. Experts and regulators also urge faster data-breach notification rules and tighter controls on access to identity databases so criminals cannot easily assemble the building blocks for such attacks. Until these systemic changes arrive, vigilance, biometric locks, and immediate reporting remain the best defenses for citizens.
Read more »
Subscribe to: Posts (Atom)

Featured