Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

NSA Urges Americans to Reboot Routers as Russian Hackers Exploit Vulnerable Home Networks

  The National Security Agency (NSA) is once again advising internet users in the United States to restart their routers, warning that cybe...

All the recent news you need to know
Mirai botnet
Botnet CVE vulnerability DVR Fortinet IoT malware Mirai botnet

Mirai Malware Spreads Through Vulnerable TBK DVR Devices

 



Threat actors are actively taking advantage of security weaknesses in TBK digital video recorders and outdated TP-Link Wi-Fi routers to install variants of the Mirai botnet on compromised systems. This activity has been documented by researchers at Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

One of the primary attack vectors involves the exploitation of CVE-2024-3721, a command injection vulnerability with a CVSS score of 6.3, classified as medium severity. This flaw affects TBK DVR-4104 and DVR-4216 devices and is being used to deliver a Mirai-based malware strain identified as Nexcorium.

Security researchers note that IoT devices continue to be heavily targeted because they are widely deployed, frequently lack timely security updates, and are often configured with weak protections. These conditions allow attackers to exploit known vulnerabilities to gain initial access, deploy malicious code, maintain persistence, and ultimately use infected devices to conduct distributed denial-of-service attacks.

This vulnerability has already been observed in previous attack campaigns. Over the past year, it has been used not only to deploy Mirai variants but also a newer botnet known as RondoDox. In addition, earlier reporting highlighted large-scale botnet operations distributing multiple malware families, including Mirai, RondoDox, and Morte, by exploiting weak credentials and outdated vulnerabilities across routers, IoT devices, and enterprise systems.

In the current attack chain described by Fortinet, exploitation of CVE-2024-3721 allows attackers to download a script onto the target device. This script then determines the system’s Linux architecture and retrieves a compatible botnet payload. Once executed, the malware displays a message indicating that the system has been taken over.

Technical analysis shows that Nexcorium follows a structure similar to traditional Mirai variants. It includes encoded configuration tables, a watchdog mechanism to keep the malware active, and dedicated modules for launching DDoS attacks.

The malware also integrates an exploit for CVE-2017-17215, enabling it to target Huawei HG532 devices within the same network. Additionally, it uses a hard-coded list of usernames and passwords to attempt brute-force logins on other systems via Telnet connections.

If these login attempts succeed, the malware gains shell access, establishes persistence using scheduled tasks and system services, and connects to an external command-and-control server. From there, it waits for instructions to launch attacks using protocols such as UDP, TCP, and SMTP. After securing persistence, it deletes the original binary file to reduce the likelihood of detection and analysis.

Researchers describe Nexcorium as representative of modern IoT botnets, combining multiple techniques such as vulnerability exploitation, multi-architecture support, and persistence mechanisms to maintain long-term control over infected devices. Its use of both older vulnerabilities and brute-force tactics highlights its ability to adapt and expand its reach.

Separately, Unit 42 identified automated scanning activity attempting to exploit another vulnerability, CVE-2023-33538, which has a higher CVSS score of 8.8. This flaw affects several end-of-life TP-Link routers, including TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10). While the observed attack attempts were incorrectly executed and did not succeed, the vulnerability itself remains valid.

This vulnerability was added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency in June 2025, reflecting its relevance in real-world threat activity. Researchers emphasize that successful exploitation requires authenticated access to the router’s web interface, which can often be achieved if default credentials are still in use.

The attacks linked to this vulnerability are designed to deploy Mirai-like malware containing references to “Condi” within its source code. This malware is capable of updating itself to newer versions and can also operate as a web server, allowing it to spread to additional devices that connect to the infected system.

Because the affected TP-Link routers are no longer supported by the manufacturer, users are advised to replace them with newer devices. Security experts also stress the importance of changing default login credentials, as these remain a major weakness that attackers continue to exploit.

Researchers warn that the continued use of default credentials in IoT environments will remain a persistent security risk. Even vulnerabilities that require authentication can become critical entry points if weak or unchanged credentials are present, enabling attackers to compromise devices and expand botnet networks with relative ease.


Read more »
Web Skimming
Credit Card Theft E‑commerce Cyber Fraud Magecart Skimmer SVG Image Web Skimming

Hackers Hide Credit Card Stealer in 1‑Pixel SVG Image on Magento Sites

 

Security researchers have uncovered a stealthy web‑skimming campaign in which cybercriminals are hiding credit card‑stealing code inside a 1×1 pixel‑sized SVG image on Magento‑based e‑commerce sites. The attack already affects nearly 100 online stores, turning otherwise legitimate checkout pages into traps that silently capture payment details before orders are processed. 

Modus operandi 

The malware is injected as a single line of HTML code embedding a tiny Scalable Vector Graphics (SVG) image that measures only one pixel in height and width. This SVG element contains an onload JavaScript handler that, when triggered on page load, executes a base64‑encoded skimmer payload via atob() and setTimeout(), keeping the entire malicious logic inline and avoiding external script references. Because the payload lives inside what looks like an ordinary image tag, many security scanners and human reviewers overlook it. 

When a shopper clicks the checkout button on a compromised store, the malicious script intercepts the action and displays a fake “Secure Checkout” overlay. This overlay mimics the real payment form, often copying the site’s CSS so it appears visually identical, and prompts the user to re‑enter card details and billing information. Every keystroke is captured in real time, validated with the Luhn algorithm, and then exfiltrated to an attacker‑controlled server in an XOR‑encrypted, base64‑encoded JSON format. 

The attackers exploit the fact that browsers treat SVGs as safe, trusted images, and that 1×1‑pixel trackers are common for analytics and ads. This camouflage makes the malicious code nearly invisible to both users and many automated scanners that focus on external JavaScript files rather than inline attributes inside images. The Magecart‑style approach also allows criminals to harvest payment data at scale while leaving little trace on the visible page, complicating incident detection and remediation.

Protection for shoppers and merchants 

Online shoppers should watch for unexpected overlays or extra “validation” prompts during checkout and avoid entering card details on pages that load unusually slowly or show suspicious certificate warnings. Merchants, especially those using Magento, should enable strict content security policies (CSP), monitor for unauthorized SVG or image‑tag changes, and use dedicated payment‑card security tools to detect and block skimmers. Regular code audits and third‑party script reviews can help spot this kind of hidden payload before it begins harvesting live transactions.
Read more »
Cyber Security
advance payment scams and money laundering Apple Apple device security Apple Pay call scams Cyber Fraud Cyber Security

Apple Pay Scam Surge Targets iPhone Users With Fake Fraud Alerts and Urgent Calls

 

A fresh surge in digital deception now sweeps through global iPhone communities - fraudsters twist anxiety into action using counterfeit Apple Pay warnings. Moments of panic open doors; criminals slip in, siphoning cash before victims react. Across continents - from city hubs in America to quiet towns in Europe - the pattern repeats quietly, yet widely. These traps snap shut fast: funds vanish while confusion lingers behind. 

A fake alert arrives by text, pretending to be from Apple, saying there is odd behavior on someone’s Apple Pay. Usually, it holds a contact line, pushing people to dial right away if they want to block what seems like theft. Pressure builds fast - this rush matters, because confusion helps trick targets into moving before checking facts. Right away, after the call connects, the person speaking is actually a fraudster pretending to be from Apple support, a financial institution employee, or sometimes even someone claiming police authority. 

Often beginning mid-sentence, these criminals rely on rehearsed dialogue - sometimes knowing bits of private facts - to appear legitimate. Driven by deception, their aim involves getting individuals to disclose confidential credentials like login codes, temporary access numbers, or credit account specifics. Instead of helping, they push for immediate fund transfers using false claims about protecting digital profiles. What makes these attacks effective isn’t code - it’s mimicry paired with pressure. Fake sites appear almost identical, pulling people in through urgency instead of malware. 

Access unfolds when someone hands over a verification number, thinking it's routine. Sometimes, approval prompts arrive disguised as normal alerts - clicking confirms access for thieves. Control shifts without force; consent does the work, quietly. Alerts pretending to come from Apple might seem convincing. Still, the firm emphasizes it never reaches out first to ask for login details or access codes. Messages showing up without warning, particularly ones demanding quick replies, deserve careful attention. 

Instead of responding, consider them suspicious by default. Official communications will not pressure anyone into instant decisions. Should you spot something off, snap a picture of the message and send it straight to Apple’s dedicated fraud inbox. Above all else, stay clear of phone numbers or links tucked inside those alerts - get in touch only via trusted paths marked out by Apple itself. Scammers cast a wider net than just Apple. 

Pretending to be support agents from well-known tech giants - Microsoft, say, or Google - is common practice among cyber actors aiming at regular people, showing how manipulation methods keep evolving across digital spaces. Surprisingly, fake Apple Pay messages show how clever online thieves have gotten lately. Because such tricks now happen so often, staying alert and acting carefully matters more than ever. 

Unexpected notifications should always spark doubt - never hand out private details without verifying first. Real businesses do not demand quick decisions by email or text message, a fact worth repeating quietly to oneself when pressured.
Read more »
Sanctioned Exchange Breach
Africa under cyber threats Blockchain Forensics Investigation Cross Chain Transaction Tracking Cryptocurrency Security Risks Cyber Security Darknet Financial Networks Sanctioned Exchange Breach

$13.74M Exploit Leads to Closure of Sanctioned Grinex Exchange Amid Intelligence Concerns


 

As a consequence of a reported security breach valued at approximately $13.74 million, Grinex, a cryptocurrency exchange registered in Kyrgyzstan, has been suspended from operations as a consequence of sanctions imposed by both the United States and the UK in the previous year. 

Based on the platform's description of the incident, it alleges the involvement of Western intelligence-linked actors in a highly coordinated cyber intrusion. Consequently, unauthorized access to user assets exceeding 1 billion rubles resulted, prompting a temporary suspension of operations while internal containment and assessment procedures were implemented. 

The company further asserted in its official disclosure that the compromise was of a level of sophistication that matches state-grade cyber capabilities. This suggests that advanced tools and infrastructure have been used beyond typical cybercriminal activity. According to Grinex, preliminary forensic analysis indicates a targeted operation that is likely to undermine perceptions of financial stability within sanctioned ecosystems in order to undermine perceived financial stability. 

Additionally, the exchange outlined that its systems had been subjected to persistent probing and hostile activity since inception, and framed the latest incident as an important escalation in an ongoing pattern of attacks that have attempted to weaken the exchange's financial stability and operational environment. It has become increasingly difficult to assess Grinex’s potential continuity with previously sanctioned infrastructure following further investigations into its operational lineage and transactional footprint, particularly since multiple blockchain intelligence assessments have linked it to the defunct Garantex ecosystem. 

The United States Treasury first designated Garantex in April 2022 on allegations that it assisted ransomware-related laundering activities through darknet markets such as Conti and Hydra. When authorities cited more than $100 million in illicit transaction processing and sustained exposure to money laundering networks, the company was subjected to renewed restrictions in August 2025. 

As a result of enforcement actions, analysts from Elliptic and TRM Labs have concluded that Grinex may have effectively absorbed Garantex's user base. During this process, Grinex deployed a ruble-pegged stablecoin mechanism identified as A7A5, which maintained liquidity flows and maintained transactional continuity despite regulatory pressure.

On-chain intelligence has also mapped a wider ecosystem of interconnected exchanges, according to Elliptic. Rapira, an exchange incorporated in Georgia with a presence in Moscow, has executed cryptoasset transfers to and from Grinex worth more than $72 million, reinforcing concerns regarding persistent sanctions circumvention channels linked to Russian financial institutions. 

Elliptic has independently corroborated the timeline of the $13.74 million asset compromise, indicating that the breach occurred at approximately 12:00 UTC on April 15, 2026 and then the assets were rapidly dispersed across both TRON and Ethereum networks. An attacker is believed to have systematically converted USDT holdings into liquid and less traceable assets such as TRX and ETH to mitigate the risk associated with issuer-level freezing mechanisms. 

The TRM Labs team has since identified approximately 70 blockchain addresses associated with this incident, as well as highlighting a concurrent disruption at TokenSpot, a Kyrgyzstan-based exchange suspected of operating in conjunction with Grinex. TokenSpot initially attributed service interruption to routine maintenance through its Telegram communication system, however subsequent activity indicated partial fund movements associated with the same consolidation wallet structure as the Grinex breach, although on a much smaller scale. 

A chain-analysis assessment further indicated the rapid conversion strategy employed during the incident, which was characterised as a well-established method of laundering assets that outpaced enforcement response by rapidly rotating assets from stablecoins into decentralized tokens. As well as raising the possibility of strategic deception within the incident narrative, the firm argued that given Grinex’s sanctioned status and historically opaque organizational structure, the breach may have been the result of either opportunistic cyberexploitation or a deliberately created false flag.

Although various theories have been advanced as to whether or not the event is to be attributed to any particular person, analysts agree that the event has materially disrupted a financial architecture long associated with sanctions evasion mechanisms and cross-border illicit liquidity flows. 

The Grinex incident highlights the evolution of the risk landscape, as cybersecurity analysts suggest that continuous monitoring of cross-chain fund movements is critical, stricter compliance alignment is necessary among exchanges operating in high-risk jurisdictions, and enhanced due diligence needs to be conducted regarding stablecoin liquidity routes. 

In light of this case, it is even more important that blockchain analytics firms, regulators, and financial platforms coordinate intelligence sharing to detect and disrupt laundering activities at a very early stage. Increasing the effectiveness of on-chain tracing capabilities, enforcing robust asset freezing protocols, and improving the transparency of exchange ownership structures will all help reduce systemic exposure to similar incidents in the future.
Read more »
LinkedIn privacy policy
browser extension scanning Cyber Security Data Privacy Concerns Fairlinked report LinkedIn lawsuit LinkedIn privacy policy

LinkedIn Faces Lawsuits Over Alleged Browser Extension Surveillance, Denies Privacy Violations

 

Two class-action lawsuits have been initiated against LinkedIn, accusing the platform of secretly monitoring users through browser extension scanning. The company, however, has strongly rejected the claims, stating that its practices are transparent and already outlined in its privacy policy.

"This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability," LinkedIn tells PCMag.

The lawsuits were filed on Monday in a U.S. District Court in California, following a report by German organization Fairlinked e.V.. The report alleges that LinkedIn uses a JavaScript file on its website to scan users’ Chrome browser extensions, checking for as many as 6,222 extensions. It further claims that this data could potentially be used to profile users or identify whether they are using competing tools.

LinkedIn disputes these allegations, explaining that the scanning is designed to combat web scraping activities. “We do not use this data to infer sensitive information about members,” the company tells PCMag. Its privacy policy also mentions that it may collect device and network-related data, including details about browsers and add-ons.

According to LinkedIn, the scanning mechanism serves as a protective measure to prevent unauthorized scraping of member profiles. Despite this explanation, the lawsuits argue that the company’s actions exceed reasonable expectations of user privacy and are seeking damages, along with a halt to the scanning practice.

"No reasonable user would read generalized references to URLs, browser data, add-ons, device features, cookies, automated systems, security, anti-abuse, fraud prevention, or similar matters and understand that LinkedIn would covertly interrogate the user’s browser, enumerate or infer installed extensions," one of the complaints says.

One of the lawsuits, filed by California resident Jeff Ganan, claims the practice violates the Electronic Communications Privacy Act and the California Comprehensive Computer Data Access and Fraud Act, among other statutes. A second lawsuit, filed by Nicholas Farrell, raises similar concerns with a stronger focus on alleged violations of California-specific laws.

Fairlinked, which represents commercial LinkedIn users, is also connected to the controversy through one of its board members, believed to be Steven Morell, founder of Teamfluence. LinkedIn claims it previously restricted accounts linked to Teamfluence over concerns about misuse of member data.

Commenting on the dispute, LinkedIn’s Vice President for Legal, Sarah Wight, said: “So we acted to restrict the accounts associated with Teamfluence. In retaliation for their accounts being suspended, in January, the creator of Teamfluence sought an injunction against LinkedIn in Germany,” adding, “I’m happy to report that the court thoroughly rejected Teamfluence’s claims, reaffirming LinkedIn’s ability to act swiftly and decisively against bad actors who access member data inappropriately."

In a separate statement to PCMag, LinkedIn added, “Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy,” referring to the ongoing controversy.

Fairlinked, however, disputes LinkedIn’s narrative, stating: “the court case Microsoft cites has nothing to do with the surveillance operation. That case concerns an account suspension. BrowserGate was never mentioned in the proceedings. Microsoft implies it prevailed. It did not. A motion for a preliminary injunction was denied. Both plaintiffs have appealed. The litigation is ongoing.”

The group has also challenged LinkedIn’s justification for scanning browser extensions, arguing that the scope of data collection goes far beyond security needs. “Scanning for 6,000 extensions and transmitting the results to third parties without user consent is not server protection. It’s an illegal spying operation,” it says. "The scan list contains thousands of extensions that have nothing to do with scraping. Religious extensions. Political opinion extensions. Job search tools. Neurodivergent aids. Amazon image downloaders. Pharmacy operations tools. Delivery schedulers. Clearly, server protection is not the goal here.”
Read more »
Malicious Link
2FA Cyber Phishing Data Breach Financial Fraud Fraud Alert Identity Theft Malicious Link

Data Breach Alert: What It Means, Why It Matters, and How to Protect Yourself Immediately




Data breach notifications should never be ignored. Discarding them as junk mail can expose you to serious risks, including financial fraud, identity theft, and unauthorized access to your personal records.

These alerts are now extremely common. They often arrive as emails or letters from organizations such as banks, telecom providers, insurers, or even gyms. Because of their frequency, many individuals overlook them. However, the Identity Theft Resource Center reports that nearly 80 percent of people received at least one such notice in the past year, with many receiving several. This repeated exposure has led to what experts describe as “breach fatigue,” where individuals stop responding to warnings altogether.

The consequences of ignoring these alerts can be severe. Criminals may open credit accounts in your name, accumulate large debts within minutes, or misuse identification numbers to access services such as healthcare. For example, a recent breach involving a U.S.-based benefits administrator exposed Social Security numbers of 2.7 million individuals. In 2024 alone, 1.36 billion breach notifications were issued. While 2025 saw fewer victims overall, the incidents became more serious. Highly sensitive data, including Social Security numbers, appeared in two-thirds of cases, while financial details or driver’s license information were involved in roughly one-third.

Cybersecurity professionals, including Sandra Glading, Greg Oslan, and David Trapp, define a data breach as an incident where unauthorized actors gain access to systems and extract personal data. This information may include basic details such as names and contact information, or more sensitive data like passwords, banking details, or national identifiers. The level of risk increases significantly when multiple types of data are combined, as attackers can reconstruct identities and carry out complex fraud.

The scale of the issue has grown rapidly. The Identity Theft Resource Center recorded 3,322 breaches affecting more than 278 million individuals in the United States in 2025, marking the highest level on record and a 79 percent increase over five years. Two decades ago, such incidents were far less frequent. Around 2010, there were roughly 600 breaches annually, and attackers primarily targeted governments or large institutions. Today, the threat landscape has shifted toward mass exploitation driven by financial incentives. According to the Federal Bureau of Investigation, cybercrime losses reached $16.6 billion in 2024, demonstrating the scale of this criminal ecosystem.


How Do You Know If You’ve Been Affected?

In many countries, including the United States, companies are legally required to inform individuals when their personal data is compromised. Notifications may arrive via email, physical mail, or identity-protection services. In major incidents, the news media may report the breach before individuals receive direct communication.

However, this system is not foolproof. Experts warn that notifications often take months because companies need time to investigate. By the time you are informed, your data may already be in use by attackers.

At the same time, scammers exploit these situations by sending fake breach alerts. These messages may include links offering free credit monitoring or contact numbers. You should never act immediately on such messages. Always verify the information through the official website of the organization before clicking links or sharing personal data.


What to Do Immediately After a Data Breach

Security experts stress that speed matters. According to IBM, the average data breach remains active for 241 days, giving attackers an advantage before detection.

1. Identify What Information Was Exposed

Different types of data create different risks. For example, an exposed email address may lead to phishing attempts, while a leaked Social Security number can enable identity theft.

Carefully review the breach notification and locate the section that lists the compromised data. If the details are unclear, contact the organization directly. You can also use trusted breach-checking tools such as services provided by the National Cybersecurity Center or “Have I Been Pwned” to verify whether your email appears in known leaks.

2. Freeze Your Credit

A credit freeze prevents lenders from accessing your credit report, making it difficult for criminals to open new accounts in your name.

To do this, contact the three major credit bureaus:

• Experian

• Equifax

• TransUnion

This process is free and can typically be completed online within minutes.

3. Place a Fraud Alert

A fraud alert requires lenders to verify your identity before approving new credit.

You only need to contact one credit bureau, which will notify the others. Standard alerts last one year, while extended alerts for confirmed identity theft victims can remain active for up to seven years.

4. Monitor Financial Accounts Closely

Unauthorized transactions may appear quickly or after a delay.

Review your bank and credit card statements regularly for several months. Enable transaction alerts to receive real-time notifications of account activity. If you notice suspicious charges, report them immediately. Most financial institutions offer zero-liability protection, but timely reporting is essential.

5. Update Your Passwords

If login credentials are exposed, attackers often attempt to reuse them across multiple platforms.

Immediately change the password for the affected account. Then update any other accounts that use the same or similar credentials. Use strong, unique passwords for each account to reduce risk.

6. Enable Two-Factor Authentication

Two-factor authentication adds an additional layer of security by requiring a temporary code generated on your device.

Although it may seem inconvenient, it significantly reduces the chances of unauthorized access. Whenever possible, use authenticator apps instead of SMS-based codes, as they are more secure.


Additional Steps to Strengthen Long-Term Protection

After addressing immediate risks, you should adopt preventive measures:

• Use a password manager to create and store complex passwords.

• Enable passkeys, which rely on biometrics or device authentication instead of traditional passwords.

• Consider identity-protection services that monitor credit activity and data leaks.

• Stay alert to phishing attempts, especially after a breach, as attackers often impersonate trusted organizations. Avoid clicking unknown links or downloading unexpected attachments.

Experts also recommend tools like the Personal Cyber Advisor from the National Cybersecurity Center, which provides tailored guidance and alerts to help users reduce their risk.


Why This Matters Now

Data breaches are no longer rare or isolated events. They have become part of a large-scale, financially driven cybercrime ecosystem. The increasing frequency, combined with the growing sensitivity of exposed data, means individuals must take a more proactive approach to digital security.

Ignoring a breach notification is no longer a safe option. Acting quickly and following the correct steps can significantly reduce the potential damage.


Read more »
Subscribe to: Comments (Atom)

Featured