Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Online Privacy
burner account Data Breach Email IP Address Metadata Exposure Online Privacy

Why Using a Burner Email Can Strengthen Your Online Privacy

 



Email accounts are among the most frequently exposed pieces of personal data in security breaches, which is a major reason why people often find their information circulating online. While using stronger passwords and enabling multi-factor authentication can significantly improve online safety, these measures do not address every risk. In many situations, individuals unintentionally make it easier for attackers to access their information simply by sharing their email address.

Whenever you register for promotional emails, shop online, or sign up for free trials, you are usually required to provide an email address. Using your primary email in these cases increases the likelihood that data brokers will collect and resell your information. In an environment where cybercriminals actively look for such data, even basic details can be exploited. Attackers may use this information for account takeovers, phishing campaigns, financial fraud, or even website misuse. If the same password is reused across platforms, a leaked email-password combination can also provide access to social media accounts and digital banking services.

To reduce this exposure without completely changing how you use email, one effective approach is to adopt a burner email, sometimes called a disposable or temporary email, or an email alias. This is a secondary address created specifically for limited or one-time use. It can be useful for situations where you want to remain anonymous, manage signups separately, or prevent your main inbox from becoming overloaded.

Unwanted emails are a persistent issue for most users. Messages from social media platforms, online stores, and newsletter subscriptions can quickly accumulate, resulting in hundreds of unread emails. This clutter can consume storage space and make it harder to notice important messages. Although users often try to manage this by marking emails as spam or clearing their inbox, these efforts are not always effective. Even after unsubscribing, promotional emails often continue to arrive, forcing users to repeat the same cleanup process frequently.

Because managing a primary email account for personal or professional use can become overwhelming, using a separate email for non-essential activities is one of the most efficient ways to reduce spam. A temporary address dedicated to registrations, shopping platforms, or newsletters helps keep the main inbox organized. In many cases, setting up such an address is straightforward. For example, users of Gmail can create variations of their existing email by adding a “+” symbol followed by a keyword. An address like “username+promotions@gmail.com” will still deliver messages to the main inbox.

Since Gmail does not allow these alias variations to be deleted, users can instead create filters to automatically sort incoming messages. These filters can archive, delete, or label emails associated with specific aliases for later review. Other email providers may offer different methods for creating aliases, and some may not support this feature at all, so users should verify what options are available to them.

A primary email account serves multiple purposes beyond communication. It can store important files, act as a central identity across services, and help manage tasks. Because of this, protecting it from data brokers is critical. Receiving alerts that your email address has appeared on the dark web can be alarming. While such exposure does not necessarily mean your accounts have been directly compromised, it does increase the likelihood of attacks such as credential stuffing, identity theft, and phishing.

Since your main email often acts as the entry point to your digital life, limiting where you share it is essential. When asked to provide an email for purchases, downloads, or anonymous participation, it is safer to avoid using your personal or professional address. Although aliases can help organize incoming messages, they do not fully hide your actual email identity.

For stronger privacy, a true burner email is more effective. This type of account is usually anonymous and not connected to your personal identity. It allows you to send and receive messages without revealing who you are. This can also reduce the effectiveness of phishing attacks, as attackers have less information to craft targeted scams or trick users into sharing sensitive data such as financial details or identification numbers.

Most personal or work email addresses include identifiable elements such as your name or initials, making it easier for others to recognize you. This reduces anonymity. In situations where privacy is important, such as accessing discounts or completing one-time verifications, a fully separate burner account is more suitable.

Unlike simple email forwarding systems or aliases, many burner email services generate completely unique addresses using random combinations of letters, numbers, and symbols. This allows users to interact with unfamiliar platforms or individuals without exposing personal details. Some of these services also automatically delete accounts after a short period or limited usage. Once removed, they typically leave little to no recoverable data in storage systems or broker databases.

Despite their advantages, burner emails are not appropriate for every use case. Knowing when to rely on them is as important as knowing when to use a permanent email. Many disposable email services are designed for speed and convenience, which means they may not include features such as password protection, encryption, or multi-factor authentication. Their primary form of security is simply that they are temporary.

Before using such services, it is important to review their terms and privacy policies. Even if you believe no sensitive information is being shared, these platforms may still collect metadata such as your IP address, which can be used to gather additional insights about your activity.

Read more »
fintech companies
Cyber Security digital financial crime Digital Payment fake error messages Fintech fintech companies

Zoho Books Dispute Highlights Third-Party Payment Error Impacting FlexyPe Transactions

 

A conflict involving the fintech firm FlexyPe and the accounting platform Zoho has highlighted potential dangers when external tools connect to financial platforms. Problems emerged following inconsistencies found in FlexyPe's payment logs, which it first linked to flaws within Zoho Books. 

Out of the blue, FlexyPe's Azeem Hussain shared that a hands-on review of financial records showed some transaction failures wrongly labeled as completed. Because of this mismatch, around ₹3.8 lakh appeared logged in Zoho Books as paid - though the money never arrived. While checking entries line by line, the team spotted the gap between system data and real bank inflows. Since then, corrections have been made to reflect what actually moved through the accounts. 

Still nothing arrived, yet Zoho claimed otherwise, Hussain noted - wondering just how many months slipped by undetected. Processing vast numbers of transactions every day, the company now examines its finances more deeply, tracing back twenty-four months to uncover further mismatches that might exist. Still, Zoho pushed back hard against the allegations, insisting the fault lay elsewhere. 

Its official statement pointed to a different source: problems emerged not from inside its own systems. Instead, trouble began when Cashfree Payments - handling payments externally - marked failed attempts as complete. This mismatch fed faulty data into FlexyPe’s records. The result? Discrepancies piled up where numbers should have balanced. Zoho pointed out how its staff helped FlexyPe trace the core problem, while mentioning Cashfree’s public admission of the flaw. 

Although the inquiry wasn’t finished, FlexyPe aired accusations online - a move Zoho called premature. Because of this, the firm views those statements as inaccurate, which might lead to legal steps. Now, questions arise about timing, given the early release of unverified details by one party. Cashfree Payments addressed the matter, stating they found the problem within their system and are now moving forward with corrective steps. 

While building a lasting answer, a short-term adjustment went live to keep FlexyPe running smoothly. Even after clear explanations, legal steps are being prepared by Hussain to claim back money lost because of the event. What happened shows why checking records carefully matters - especially when outside software plays a key role in handling finances. When companies depend more on linked systems, this event shows how small connection mistakes might trigger serious problems in operations and costs.
Read more »
Technology
Advanced security Advanced Tech Passkeys Technology

Passkeys Gaining Traction as More Secure Alternative to Passwords, Experts Say

 

Security experts are increasingly urging users to move away from traditional passwords and adopt passkeys, a newer method of logging into accounts that aims to reduce risks such as hacking and phishing. 

Passwords remain widely used, but they are often reused, simplified or poorly managed. Even with password managers, which help generate and store complex credentials, risks remain. These systems typically rely on a single master password, creating a potential point of failure if compromised. Passkeys take a different approach. 

Instead of requiring users to remember or enter passwords, they rely on device-based authentication, such as a phone’s screen lock or biometric verification like fingerprint or facial recognition. 

The system works using a pair of cryptographic keys. One key is stored on the service being accessed, while the other remains securely on the user’s device. When logging in, the service sends a request that the device verifies locally. 

If the authentication is successful, access is granted without transmitting a password. Because no password is shared or stored centrally, passkeys are considered more resistant to phishing attacks, which the FBI has previously identified as one of the most common forms of cybercrime. 

The method is supported by the FIDO Alliance and adopted by major technology companies including Google, Apple and Microsoft. Passkeys are designed to work automatically once set up, requiring minimal user input. 

However, they are tied to specific devices, meaning losing access to a device could complicate account recovery unless backup options are enabled. Experts say the shift reflects broader concerns about password security. 

Once an email address or login credential is exposed through data breaches or online use, it can be reused by attackers across multiple platforms. Passkeys also generate unique credentials for each service, limiting the impact of a breach on any single platform. 

While adoption is still growing, the approach is increasingly seen as part of a move toward passwordless authentication, as companies look to reduce reliance on systems that have long been vulnerable to misuse.
Read more »
UNC1069
Axios Backdoor Cyber Crime Data North Korea UNC1069

North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack


Threat actors from North Korea hacked software used by organizations in the US to steal cryptocurrency to fund North Korea's nuclear and missile programs. Experts found 135 devices across 12 organizations hacked; however, the list of victims can increase. The investigation may take months to uncover full details of the campaign. 

Axios attacked

Hackers targeted Axios, a famous open-source JavaScript library that developers use to oversee HTTP requests. The North Korean gang accessed organizations' systems via malware that opens backdoor access to OS. Hackers targeted two versions of Axios that were downloaded over 183 million times each week; organizations that downloaded it during the particular time period were exposed to the attack.

About the incident 

Hackers with ties to Pyongyang gained access to the account of a software engineer who oversees the open-source program Axios on Tuesday for at least three hours. According to the report, the attackers used that access to send infected updates to any company that had downloaded the software at the time. This caused the software developer to rush to take back control of his account while cybersecurity executives nationwide attempted to determine the extent of the damage.

The impact 

While the full damage may take months to fix, experts believe that hundreds of thousands of business secrets have already leaked, which can make it one of the worst data breaches. 

About UNC1069

The North Korean group, suspicious of hacking Axios is called UNC1069. Since 2018, the gang has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,"

Why are attacks on the rise from North Korea

Hacking has become a staple of North Korea. The revenue generated from these cyberattacks funds the country’s nuclear and missile programs to the point that these plans are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms. This includes the infamous (and record-breaking) $1.5 billion crypto theft in 2025 in a single attack. 

Most deadly cyberattack in history

The recent attack was the most advanced supply chain effort to date, cleaning its tracks after installing the payload on the target device. It made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore, they just disappears before detection. 

Read more »
User Privacy
Data Breach Fitness Bands Strava UK Military User Privacy

Fitness Tracking Under Fire: Strava Leak Exposes Military Personnel

 

Fitness tracking apps have become a daily habit for millions of people, but a new Strava military data leak is raising old privacy fears again. According to recent reporting, activity logs linked to more than 500 UK military personnel were exposed through exercise data that could be connected to sensitive locations. What looks like an innocent run or bike ride can, when combined with account details and route history, reveal where people live, work, and train. The case is a reminder that fitness data is not just about calories and distance; it can also map routines, movement patterns, and security-sensitive sites. 

The problem is not limited to one incident. Strava has faced privacy concerns before, including warnings that its heatmap and route-sharing features could be used to identify military bases, homes, and individual users. Researchers have shown that even anonymized or aggregated location data can be re-identified when enough patterns are available. In earlier cases, public activity data exposed military facilities and personnel movements, prompting defense agencies to tighten guidance on how service members use connected devices. That history makes the latest leak more troubling because it shows the same basic risk still exists. 

At the heart of the issue is location data. Fitness apps collect GPS routes, timestamps, workout frequency, and sometimes health-related information such as heart rate or sleep trends. When that information is shared publicly, or even stored in ways that can be aggregated, it becomes easier to infer personal routines and secure locations. Privacy settings help, but they are not always enough if users do not understand how default sharing, heatmaps, and visible activity histories work. That gap between user expectations and data reality is what makes these apps risky. 

For military organizations, the lesson is clear: location discipline matters. Personnel need stronger rules on wearable devices, stricter defaults for app privacy, and regular training on how seemingly harmless data can be weaponized. For consumers, the safer approach is to review visibility settings, disable public sharing, and avoid recording workouts near home, workplace, or sensitive sites. Even if an account is private, route patterns and aggregated data can still create exposure in unexpected ways. 

The broader debate goes beyond one app. Fitness platforms profit from collecting valuable data, while users often assume their information stays personal. As regulators and security experts push for stronger protections, the Strava case shows that privacy in the connected fitness world depends on more than trust alone. It depends on design, defaults, and disciplined use.
Read more »
social engineering attacks
Advanced Persistent Threats Charming Kitten cyber espionage cybersecurity risks Insider Threats Iranian Cyber Threats malware Phishing Campaigns social engineering attacks

Old Espionage Techniques Power New Cyber Attacks by Charming Kitten Hackers


 

As zero-day exploits and increasingly sophisticated malware become a norm, a quieter and more calculated threat is beginning to gain momentum - one which relies less on breaking systems than it does on destroying trust. 

In recent months, there have been significant developments in Iran-linked cyber activities, where groups such as Charming Kitten are abandoning conventional vulnerability-driven attacks for deception, psychological manipulation, and carefully orchestrated human interaction. 

Instead of forcing entry through technical loopholes, these actors embed themselves within the digital lives of their targets, posing as credible contacts and cultivating familiarity over time. As a platform-agnostic organization, their operations are both available on macOS and Windows, demonstrating a commitment to maximizing access over exploitative efforts. 

While this occurs, emerging concerns regarding insider-driven data exposure, including allegations of covert methods such as photographing sensitive screens to bypass monitoring systems, underscore a broader reality indicating that the most critical vulnerabilities are no longer associated with code, but with human behavior.

These operations are being carried out by Charming Kitten, a threat group widely linked to Iran's security establishment that has targeted government officials, academic researchers, and corporate employees since its establishment in 2010. As a primary attack vector, the group uses identity deception, impersonating known contacts through convincingly engineered communication to obtain credentials or launch malware, rather than exploiting software flaws or exploit chains. 

As an intentional alignment with traditional intelligence tradecraft, the methodology provides deeper access than purely technical intrusion techniques by cultivating trust and controlling interaction. For this reason, operatives construct layered digital personas based on professional credibility or social engagement as part of this effort and establish rapport with target audiences before executing phishing attacks or delivering payloads.

Using a human-centered approach, it is consistently effective across both Apple and Microsoft environments without relying on platform-specific vulnerabilities, so its effectiveness is consistent across both environments. 

Additionally, insider risk concerns have been intensified in parallel, as investigations indicate the possibility of individuals inside major technology organizations facilitating data exposure through low detection techniques, including the capture of sensitive information physically, thus circumventing conventional cybersecurity controls and reinforcing the complexity of modern threat environments. 

The threat landscape has begun to reflect a more sophisticated approach to visibility and restraint as a result of these targeted intrusion campaigns, in addition to a broader pattern of Iranian-related cyber activity.

In many cases, the activity observed at present has a low level of immediate operational severity, ranging from website defacements and disruptions of distributed denial-of-service to phishing waves, coordinated influence messaging, and reconnaissance of externally exposed infrastructures. These actions, however, are rarely isolated or symbolic; historically, they have served as early indicators of intent, which have enabled the testing of defenses, signaling capabilities, and forming of the operational environment in advance of sustained or covert engagements. 

In extensive and highly adaptable ecosystem is responsible for enabling this activity, which consists of state-aligned advanced persistent threat groups, semi-autonomous proxies, hacktivist fronts, and loosely aligned external collectives. While these actors usually lack overt coordination during periods of geopolitical tension, they are often aligned in their targeting priorities and narrative framing, resulting in disruptive noise and intelligence-driven precision. 

Developing regional dynamics provides the opportunity for this structure to be scalable and implausibly deniable for escalation, particularly in the context of entities in regions aligned with U.S. or Israeli interests. In sectors such as critical infrastructure, energy, telecommunications, logistics, and public administration, high value targets are encountered.

It is important to note that Iran's cyber strategy does not adhere to a single, publicly defined doctrine, but rather represents a pragmatic extension of its broader asymmetric security approach. During the last decade, cyber capabilities have evolved into multipurpose instruments that can be used for intelligence collection, domestic oversight, retaliatory signaling, as well as regional influence. 

The concept of cyber activity is less of a distinct domain within this framework as it is an integral part of statecraft that is designed to operate beneath the threshold of conventional conflict while delivering strategic outcomes. 

Through the surveillance and disruption of opposition networks, it can be applied to strengthen internal regime stability, extract political and economic advantage, and project coercive influence by imposing calculated costs on adversaries while maintaining deniability to achieve political and economic advantage. 

Increasingly, modern cyber operations are being characterized by a convergence of intent and capability which underscores a threat model that incorporates technical intrusions, psychological manipulation, and geopolitical signaling as integral components. These methods are reminiscent of intelligence practices historically associated with Cold War espionage, when cultivating access through trust led to more lasting results than purely technical advancement. 

The current threat landscape operationalizes this principle through the creation of highly curated digital identities that are frequently designed to appear credible or socially engaging. By establishing rapport with their target, adversaries are able to harvest credentials or deliver malware. 

The human-centered intrusion model is independent of platform-specific vulnerabilities and has demonstrated sustained effectiveness across both the Apple and Microsoft ecosystems Nevertheless, parallel concerns have emerged regarding insider risk. 

Investigations have shown that individuals embedded within technology environments can facilitate data exposure through deliberately low-tech methods, such as taking photographs directly from screens, to circumvent conventional monitoring methods. It is a common statement among security practitioners that trusted access remains one of the most difficult vectors to combat, often bypassing even mature security architectures. 

According to analysts, these patterns are not isolated incidents but are part of an integrated intelligence framework integrating cyber operations with human networks, surveillance, and strategic recruitment pipelines. 

In accordance with former Iranian officials, Iran has developed a multi-layered operational model encompassing online intelligence collection, asset cultivation, and procurement mechanisms, which together increase Iran's reach and resilience. It is widely recognized that Iran is a highly sophisticated adversary with the potential to blend psychological operations with technical intrusion, despite historically being overshadowed by larger cyber powers. 

Moreover, the same operational networks have been used to monitor dissident communities beyond national borders, indicating a dual-purpose strategy extending beyond conventional state competition into internal control mechanisms as well. In the context of increasing blurring boundaries between external intelligence gathering and domestic influence operations, attribution and intent assessment become more difficult. 

Several high-profile cases involving alleged insider cooperation further underscore the enduring threat that is posed by human-mediated compromise. Mitigation therefore requires a rigorous, layered security posture that addresses technical as well as behavioral vulnerabilities. Prior to sharing sensitive information, it remains imperative to verify digital identities, particularly in environments susceptible to targeted social engineering schemes. 

By combining strong, unique credentials with multi-factor authentication, it is significantly less likely that a compromised account will occur, while regular updating of antivirus software and endpoint protection solutions provides a baseline level of security.

As part of active network defense, such as properly configured firewalls, unauthorized access pathways can be further limited, and the use of reputable malware detection and remediation tools makes it possible to identify and contain suspicious activity early. These measures reinforce the principle that effective cybersecurity no longer involves merely technological controls, but rather a combination of user awareness, operational vigilance, and adaptive defense strategies.

Increasingly, threat actors are implementing operations that blur the line between human intelligence and cyber intrusion, requiring organizations to increase their focus on resilience beyond perimeter defenses. 

To detect subtle indicators of compromise that do not evade conventional controls, strategic investments in behavioral monitoring, identity governance, and continuous threat intelligence integration will be essential. It is clear that preparedness has evolved from being able to detect and avoid every breach, but rather from being able to anticipate, detect, and respond with precision to adversaries that utilize both systems and human trust to carry out their attacks.
Read more »
Windows
Axios Data Breach http library macOS malicious npm package social engineering attacks supply chain attacks Windows

Axios npm Breach Exposes Threat of Social Engineering Attacks on Open-Source Ecosystem

 



A security incident involving the widely used Axios HTTP library has revealed how attackers are increasingly targeting software maintainers themselves, rather than exploiting code vulnerabilities, to carry out large-scale supply chain attacks.

The issue came to light after Axios maintainers disclosed that an attacker gained access to a contributor’s npm account and used it to publish two compromised versions of the package, 1.14.1 and 0.30.4. These releases included a hidden dependency named plain-crypto-js, which deployed a remote access trojan across macOS, Windows, and Linux systems.

Although the malicious packages were available for only about three hours before being removed, the short exposure window does not reduce the severity. Any system that installed these versions is now considered unsafe. Users have been advised to immediately rotate all credentials, revoke authentication tokens, and assume full compromise of affected environments.

The Axios team confirmed that they have since secured their infrastructure by resetting credentials, cleaning impacted machines, and introducing additional safeguards to prevent similar incidents.

Further investigation by Google Threat Intelligence Group linked the activity to a North Korea-associated threat actor identified as UNC1069. This group, active since at least 2018, is believed to be financially motivated. Attribution was based on malware similarities, including the use of an updated toolset previously tied to the group, as well as overlaps in command-and-control infrastructure observed in earlier operations.


Social Engineering as the Entry Point

The compromise did not begin with a technical flaw. Instead, it started weeks earlier with a carefully orchestrated social engineering attack targeting Axios maintainer Jason Saayman.

Attackers posed as a legitimate organization by replicating its branding, leadership identities, and communication style. They invited the target into what appeared to be a genuine Slack workspace. This environment was not hastily assembled. It contained multiple channels, staged conversations, and curated activity, including links that redirected to real company LinkedIn profiles. Fake user accounts were also created to impersonate employees and known open-source contributors, increasing credibility.

After establishing trust, the attackers scheduled a video meeting that appeared to involve several participants. During the session, the target was shown what looked like a technical issue, specifically a connection-related error. He was then instructed to install an update presented as necessary to resolve the problem.

In reality, this “update” was malicious software that granted the attackers remote access to the system. Once inside, they were able to extract authentication credentials linked to the npm account.


Repeated Tactics Across Multiple Targets

Other maintainers later reported nearly identical experiences. In several cases, attackers attempted to persuade targets to install what they described as a Microsoft Teams software development kit update. When that approach failed, they escalated their efforts by asking victims to execute command-line instructions, including downloading and running scripts via Curl commands.

One such target, Pelle Wessman, described how attackers abandoned the interaction and deleted all communication after he refused to comply.

These methods align with a broader category of attacks sometimes referred to as “ClickFix” techniques, where victims are misled into resolving fake technical issues that ultimately result in malware execution.


Bypassing Security Controls

Because the attackers gained access to already authenticated sessions, they were able to bypass multi-factor authentication protections. This highlights a critical limitation of MFA, which is effective against credential theft but less effective once an active session is compromised.

Importantly, the attackers did not modify Axios’s source code directly. Instead, they inserted a malicious dependency into legitimate package releases, making the compromise significantly harder to detect during routine checks.


A Coordinated Supply Chain Campaign

Research from Socket indicates that this incident is part of a broader, coordinated campaign targeting maintainers across the Node.js ecosystem. Multiple developers, including contributors to widely used packages and even core components, reported receiving similar outreach messages through platforms such as LinkedIn and Slack.

The attackers followed a consistent pattern: initial contact, trust-building within controlled communication channels, followed by staged video calls where victims were prompted to install software or run commands under the pretense of fixing technical issues.

The scale of targeting is particularly concerning. Many of the developers approached are responsible for packages with billions of weekly downloads, meaning a single compromised account can have far-reaching consequences across the global software ecosystem.


Future Outlook 

This incident surfaces a new course in attacker strategy. Rather than focusing solely on software vulnerabilities, threat actors are increasingly exploiting human trust within high-impact projects. Open-source software, which underpins much of today’s digital infrastructure, becomes an attractive target due to its widespread adoption and reliance on maintainers.

Security experts warn that such attacks are likely to increase in frequency. Protecting against them will require not only technical safeguards, but also stronger operational discipline, including stricter access controls, hardware-based authentication, and heightened awareness of social engineering tactics.

The Axios breach ultimately demonstrates that in modern supply chain attacks, the weakest link is often not the code, but the people who maintain it.

Read more »
Google
Cyber Security Cybersecurity data security Gmail Google

Gmail Address Change Feature Fails to Address Core Security Risks, Report Warns

 

A recent update by Google allowing users to change their Gmail address has drawn attention, but cybersecurity experts say it does little to solve deeper issues tied to email privacy and security. 

The feature, which has gained visibility following its rollout in the United States, lets users modify their primary Gmail address while keeping the old one active as an alias. 

The change has been framed as a way to move beyond outdated or inappropriate usernames created years ago. Google CEO Sundar Pichai highlighted the shift in a public post, noting that users no longer need to be tied to early-era email identities. 

However, experts say the update does not address the main problem facing email users today, widespread exposure of email addresses to marketers, data brokers and cybercriminals. 

Once an email address is used online, it is likely to be stored across multiple databases, making it a long-term target for spam and phishing attempts. Changing the visible username does not remove that exposure, especially since older addresses continue to function. 

Jake Moore, a cybersecurity specialist at ESET, said the ability to edit email addresses reflects a broader shift in how digital identity works, but warned it could introduce new risks. “Old addresses will still work as aliases,” he said, adding that this could increase the risk of impersonation and phishing attacks. 

Security researchers also point to the absence of a built-in privacy feature similar to Apple’s “Hide My Email,” which allows users to generate disposable email addresses for sign-ups and online transactions. These temporary addresses can be disabled at any time, limiting long-term exposure. 

Without a comparable system, Gmail users who change their address may still need to share their primary email widely, continuing the cycle of data exposure. 

The update may also create new vulnerabilities in the short term. Cybersecurity reports indicate that attackers are already using the feature as a lure in phishing campaigns, sending emails that direct users to fake login pages designed to steal account credentials. 

There are also early signs of increased spam activity. Online forums have reported a rise in unwanted emails, with some researchers suggesting the address change feature could allow attackers to bypass existing spam filters and start fresh. 

According to security researchers cited by industry outlets, many email filtering systems rely heavily on known sender addresses. 

If attackers rotate or modify those addresses, they may temporarily evade detection until new filters are applied. At the same time, changing a Gmail address does not stop unwanted messages from reaching the original account, since it remains active in the background. 

Experts say the update highlights a broader issue in email security. While giving users more flexibility over their identity, it does not reduce reliance on a single, permanent address that is repeatedly shared across services. 

They suggest that more effective solutions would include tools that limit how widely a primary email address is distributed, along with stronger controls over incoming messages. 

For now, users are being advised to treat emails related to the new feature with caution, particularly those that include links to account settings, as these may be part of phishing attempts.
Read more »
W3LL Phishing
Cyber Crime FBI Indonesian Police Joint Operation W3LL Phishing

FBI and Indonesian Police Dismantle W3LL Phishing Network in Major Cybercrime Bust

 

In a landmark international operation, the U.S. Federal Bureau of Investigation (FBI) collaborated with the Indonesian National Police to dismantle the W3LL phishing network, a sophisticated cybercrime platform responsible for over $20 million in attempted fraud.Authorities seized critical infrastructure, including key domains, and detained the alleged developer, identified as G.L., marking the first joint U.S.-Indonesia effort to shut down a hacking platform.

The FBI's Atlanta division led the charge, emphasizing that the takedown severs a vital tool cybercriminals used to steal account credentials from thousands of victims worldwide. The W3LL phishing kit, sold for around $500, empowered even low-skilled hackers by providing ready-made templates mimicking legitimate login pages for banks and services like Microsoft 365. This phishing-as-a-service (PhaaS) model allowed attackers to deploy fake sites that harvested credentials, hijacked session cookies, and bypassed multi-factor authentication (MFA) via adversary-in-the-middle (AitM) techniques.

First documented by Group-IB in 2023, W3LL operated through an underground "W3LL Store" serving about 500 threat actors with tools for phishing, business email compromise (BEC), and stolen data sales. Active since 2017, the network's developer previously created spam tools like PunnySender and evolved W3LL into a full-service ecosystem, reselling over 25,000 compromised accounts from 2019 to 2023. Even after the W3LL Store shuttered in 2023, operations persisted via encrypted messaging, rebranding the kit and targeting over 17,000 victims in 2023-2024 alone. French firm Sekoia noted code reuse in other kits like Sneaky 2FA, highlighting W3LL's enduring influence in the cyber underground. 

FBI Atlanta Special Agent in Charge Marlo Graham hailed the bust as a strike against "full-service cybercrime," underscoring ongoing partnerships to protect the public. This operation disrupts a key resource for global fraud, but experts warn that cracked versions and similar kits continue circulating, perpetuating threats.For users in India and Asia, where phishing surges amid rising digital banking, the case spotlights the need for vigilance against PhaaS proliferation. 

As cybersecurity evolves, such takedowns signal stronger global enforcement, yet the low barrier to entry for phishing tools demands proactive defenses like direct URL typing and advanced MFA. This victory reinforces international cooperation's role in combating cybercrime, potentially deterring similar networks while urging organizations to bolster detection.
Read more »
Mobile Security
Android Smartphone Cyber risks Cyber Security Cyberattacks Malware attacks Mobile Security

Why Restarting Your Smartphone Daily Can Improve Security and Reduce Cyber Risks

 

A daily routine most overlook could strengthen phone security in ways people rarely consider. Spurred by recent suggestions from Anthony Albanese, turning off mobile devices briefly each day is gaining notice among experts. Moments of complete shutdown, though small, disrupt potential digital intrusions before they take hold. Some risks fade simply because systems reset, clearing temporary weaknesses. What seems minor may actually reduce exposure over time. Brief downtime gives software a chance to shed lingering vulnerabilities. Officials now highlight this pause as both practical and effective. Restarting cuts connection threads hackers might exploit unnoticed. Even short breaks in operation tighten overall defenses. The act itself costs nothing, yet builds resilience through repetition. 

Though dismissed by some as old-fashioned, rebooting your device still holds value against modern digital threats. Security specialist Priyadarsi Nanda points out that such a step interrupts harmful background activities. On either platform - be it Apple’s system or Google’s - it makes intrusion less likely. One simple restart, oddly enough, weakens active exploits. Most times, turning a phone off and on removes short-lived glitches inside the system. Though an app seems inactive, it might still trigger unseen tasks behind the scenes. 

Under certain conditions, hackers take advantage of these lingering operations to stay connected to the hardware. A fresh start shuts every program and silent helper at once - breaking chains that sneaky actions rely upon. This tip has backing from the National Security Agency too; it suggests regular restarts to stay ahead of digital dangers. Its advice states that turning your phone off and on several times weekly may reduce exposure - not just to scams aimed at stealing data, but to complex intrusions as well. Even seemingly harmless app downloads might hide phishing traps aimed at stealing access. 

On the flip side, advanced methods like zero-click breaches take control without clicks or taps. Hidden flaws in chat platforms often open doors for these silent intrusions. A reboot won’t wipe out every trace of such stealthy code - but it may break its hold temporarily. Still, specialists point out rebooting alone won’t secure systems fully. One part of wider protection means also applying patches, steering clear of questionable websites, while relying on verified software. 

People managing confidential information might need extra steps beyond these basics. Though basic, rebooting a phone now then helps guard against shifting digital threats. Doing so each night before sleep cuts potential vulnerabilities without demanding much effort.
Read more »
phishing
Banks Brazil Data JanelaRAT malware Mexico phishing

JanelaRAT Malware Attacks Banks in Brazil and Mexico, Steals Data


Banks in Latin American countries such as Mexico and Brazil have been victims of continuous malware attacks by a strain called JanelaRAT. 

An upgraded variant of BX RAT, JanelaRAT, can steal cryptocurrency and financial data from financial organizations, trace mouse inputs, log keystrokes, collect system information, and take screenshots.  

In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features. 

Security

Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit. 

In June 2023, Zscaler first discovered JanelaRAT in the wild, leveraging ZIP archives containing a VBScript to download another ZIP file, which came with a genuine executable and a DLL payload. The hacker then deploys the DLL side-loading tactic to launch the malware. 

Distribution tactic

An analysis by KPMG in 2025 revealed that the malware is circulated via rogue MSI installer files impersonating as a legit software hosted on trusted sites like GitLab. 

"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."

The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches. 

Phishing campaign

The recent malware campaign found by Kaspersky reveals that phishing emails disguised as due invoices are used to lure recipients into downloading a PDF file by opening a link, causing the download of a ZIP archive that starts the attack chain, including DLL side-loading to deploy JanelaRAT.

Since May 2024, JanelaRAT malware has moved from VBScripts to MSI installers, which work as a dropper for the trojan via DLL side-loading and build persistence in the victim system by making a Windows Shortcut (LNK) in the Startup folder that leads to the executable. 

Victim tracking

According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.” 

If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.

Read more »
VPN Crackdown
Banking Outage cybersecurity risk Digital Infrastructure Internet censorship Network Disruption Network Stability Privacy VPN Crackdown

Pavel Durov Says Russia VPN Restrictions Triggered Banking Disruption



In spite of the fact that the Russian government is intensifying its efforts to reaffirm its control over digital communication channels, unintended consequences of that strategy are becoming evident in a number of critical sectors beyond social media. Significant disruptions to the domestic financial infrastructure have coincided with the sweeping restrictions imposed on the use of virtual private networks widely relied upon for bypassing state-imposed restrictions over the past week. 


According to Pavel Durov, the billionaire founder and CEO of Telegram, these enforcement measures were responsible for the widespread banking outages, as attempts to block VPN access caused large-scale payments to be delayed. The remarks of the speaker not only emphasize the heightened tension between state-led digital controls and attempts to circumvent them, but also underscore a deeper systemic vulnerability where tightly interconnected networks can amplify policy actions into nationwide service failures affecting millions. 

Despite being relatively recent in terms of intensity, Russia's expanding intervention in the internet architecture is increasingly being characterized by unintended technical consequences. Service instability is becoming increasingly common as regulatory actions aimed at isolating specific platforms cascade across interconnected systems, resulting in service instability. In response to Maksut Shadayev's announcement late last month of a coordinated effort to curb VPN usage as part of a broader tightening of digital controls, this pattern was reinforced further. 

Max, a state-backed "super app" that combines digital services into a centrally observable ecosystem, announced the strategic shift toward channeling user activity into environments that have minimal encryption and limited resistance to state oversight in announcing the announcement. As a result of this approach, messaging platforms such as WhatsApp and Telegram have been systematically sidelined from Russian domestic internet layers, thereby reducing the number of secure communication channels available to users.

The disruption appears to have occurred as a result of aggressive scaling of traffic filtering and deep packet inspection mechanisms deployed for the identification and blocking of VPN traffic. It is by design that virtual private networks obscure routing metadata by redirecting user traffic through external nodes, which complicates network perimeter enforcement. As a result of these filtering operations-reportedly being managed by the state communications infrastructure-the routing and processing systems have been significantly strained. 

Industry reports, including Bloomberg account references, indicate that this strain resulted in outages affecting banking applications and other digital services, likely due to overload conditions within filtering layers rather than targeted failures of the financial system. When such interventions are implemented at large scale without adequate segmentation, they threaten to erode network stability and to disrupt critical infrastructure unintentionally. 

Pavel Durov has argued that the crackdown is both technically ineffective and strategically counterproductive against such a backdrop, contending that millions of users continue to use circumvention tools for accessing restricted platforms. As a result of VPN adoption, perimeter-based control is limited in a distributed network environment due to its inherent limitations. 

Historically, this assessment has been supported: a similar enforcement effort in 2018, inspired by demands for backdoor access to encrypted Telegram communications, led to significant collateral disruption across payment systems, online services, and connected devices, although only marginal reductions were observed in platform usage. These episodes illustrate the dynamic of centralized control introducing systemic fragility exposing the very infrastructure they seek to regulate to cascading operational risks through uncontrolled centralization. 

Further fueling concerns about the effectiveness of these measures, Pavel Durov expressed concern that restrictions on Telegram have failed to curtail its usage significantly, noting that tens of millions of users continue to access the platform every day through VPN-based routing. 

According to him, recent enforcement actions targeting circumvention tools did not just fail to achieve their objective, but instead caused systemic instability, with the interruption of payment infrastructures to the point that cash transactions were the only reliable means of conducting transactions during the disruption period. 

A parallel report from independent Russian media outlets, including The Bell, indicated that the outage affected banking applications was most likely a result of excessive load within state-operated filtering systems, where increased inspection and blocking mechanisms caused network layer bottlenecks. Without official clarification from regulators, technical assessments indicate that overload conditions within centralized traffic management frameworks are likely to be the primary cause. 

Experts warn that such interventions, when implemented on a national scale, may compromise network resilience by inadvertently doing so. As a result of tightening regulatory practices beyond messaging platforms, the broader operational environment has been impacted. 

The company confirmed disruptions to payment services related to its digital ecosystem beginning on April 1, without disclosing the underlying causes of the disruption. In domestic news reports, authorities were considering restricting top-ups for mobile accounts, a measure that could further restrict VPN accessibility by limiting the continuity of prepaid services. 

Despite the fact that these developments are a result of a sustained policy direction in Moscow toward the consolidation of digital activity within state-aligned infrastructure, the promotion of Max, a WeChat-inspired centralized application, is particularly noteworthy. Additionally, access limitations have been imposed on widely used global platforms such as YouTube, WhatsApp, and Snapchat, as well as intermittent limitations on Telegram. 

A combined effect of these measures, particularly the recent escalation in VPN suppression efforts, highlights the increasingly fragile balance between state-driven network control and interconnected digital service integrity. 

While accusations and counterclaims have risen in recent months, including assertions by Russian officials that Telegram has been compromised by foreign intelligence, a broader trend indicates a shift toward state-curated digital ecosystems based on Max, a product developed by VK, which is a state-curated digital platform. It is becoming increasingly evident that government governance of connectivity is becoming more interventionist, which includes mandatory preinstallations on consumer devices and selective internet shutdowns to test the network.

The developments underscore the importance of reassessing network resilience, implementing segmentation strategies, and preparing for policy-induced disruptions that can propagate across dependent systems in response to these developments for industry stakeholders and infrastructure operators.

The situation underscores the importance of maintaining technical safeguards, transparency, and redundancy within digital ecosystems, as attempts to centralize control over distributed networks continue to introduce systemic risks with widespread operational and security implications. The developments indicate a growing convergence between state policy enforcement and critical digital infrastructure operational stability.

A precautionary signal is being issued for enterprises, financial institutions, and network operators regarding strengthening architectural resilience, diversifying routing dependencies, and preparing for policy-driven disruptions. 

In tightly coupled systems, a proactive approach is essential to reducing cascading failures, anchored in redundancy planning, adaptive traffic management, and continuous risk assessment. Regulating internet access continues to evolve, and it remains a challenging task for both policymakers and technology stakeholders to strike a balance between governance and infrastructure integrity.
Read more »
Temu
Android Users Apps CapCut China data access Data Breach FBI Temu

FBI Warns Smartphone Users About Risks Linked to Foreign Apps, Especially Chinese Platforms

 



The Federal Bureau of Investigation has issued a fresh alert cautioning users about potential security and privacy threats posed by mobile applications developed outside the United States, particularly those linked to China. The advisory emphasizes that while the concern may seem obvious, many users continue to download such apps without fully understanding the risks.

In its public notice, the agency highlighted that a significant number of widely used and top-earning apps in the U.S. market are owned or operated by foreign companies. Many of these are tied to Chinese firms, raising concerns due to China’s legal framework governing data access.

At the center of the warning are provisions within China’s National Intelligence Law. Under Article 7, individuals and organizations are required to assist state intelligence efforts and maintain secrecy around such cooperation. Article 14 further allows authorities to demand support, data, or cooperation from entities and citizens. Together, these provisions create a legal pathway through which user data collected by apps could be accessed by the Chinese state.

Despite raising these concerns, the FBI has not published a formal list of high-risk apps. Instead, it has urged users to evaluate all foreign-developed applications before installing them. Media reports, including analysis referenced by outlets such as New York Post, suggest that popular platforms like CapCut, Temu, SHEIN, and Lemon8 fall into this broader category of concern.

Further analysis by TechRadar indicates that several of these apps rank highly in download charts across both Android and iOS platforms. On Android, for example, TikTok Lite appears among the most downloaded, alongside TikTok and Temu. Some apps are linked to developers based in Hong Kong or operate through complex international structures, making origin tracing less transparent. While Android devices face higher exposure due to sideloading capabilities, iPhone users are not entirely shielded from such risks.

Notably, platforms like TikTok, CapCut, and Lemon8 currently operate in the U.S. under TikTok USDS LLC, a joint venture backed by Oracle Corporation, with majority U.S. ownership. This structure means their U.S. operations are treated differently from their global counterparts, even though their origins remain tied to Chinese development.

The FBI stresses that its advisory is not a blanket ban on Chinese apps. Rather, it encourages users to be more vigilant. One key concern is the type of permissions users grant during installation. Many individuals overlook privacy policies, allowing apps to continuously gather sensitive data such as contact lists, location details, and personal identifiers.

This data can be used to build detailed social networks, which may later support targeted cyberattacks or social engineering campaigns. Some applications also include features that encourage users to invite contacts, enabling developers to collect additional personal data such as names, email addresses, phone numbers, and physical addresses.

Another major concern is data storage. Certain apps explicitly state that collected information may be stored on servers located in China for extended periods. In some cases, users cannot access app functionality unless they agree to such data-sharing practices.

Beyond privacy risks, the FBI also warns about potential cybersecurity threats. Some foreign-developed apps may include hidden malicious components capable of exploiting system vulnerabilities, collecting unauthorized data, or establishing persistent backdoor access on devices.

The advisory highlights that installing apps from unofficial sources significantly increases these risks. This is particularly relevant for Android users, where sideloading is more common. While official app stores conduct security checks to detect harmful code, third-party sources may bypass these safeguards. Companies like Google have taken steps to limit installations from unknown developers, though risks remain.

To mitigate exposure, the FBI recommends several precautionary measures:

• Install applications only from official app stores

• Review terms of service and user agreements carefully

• Restrict unnecessary permissions and data sharing

• Regularly update passwords

• Keep device software up to date

In a parallel development stressing upon global regulatory tensions, China recently ordered the removal of a decentralized messaging application created by Jack Dorsey from its local app store. Authorities claimed the app violated national internet regulations, reinforcing how governments worldwide are tightening control over digital platforms.

The larger takeaway is that app-related risks are no longer limited to malware alone. Increasingly, they are shaped by legal frameworks, data governance policies, and geopolitical dynamics. For everyday users, this makes informed decision-making around app downloads more critical than ever.

Read more »
leaked sensitive data
cybercriminals Ransomware Attack Data Breach Data Hackers Data Leak data security Hacker attack leaked sensitive data

Qilin Ransomware Targets Die Linke in Suspected Politically Motivated Cyberattack

 

A major digital attack hit Die Linke when hackers using the name Qilin said they broke into internal networks and copied confidential files. Because of this breach, private details may appear online unless demands are met - raising alarms about rising cyber threats tied to political agendas across European nations. 

On March 27, the group made public what had just been noticed - odd behavior inside their digital setup. Though Die Linke admitted someone got in without permission, they did not at once call it a complete breakdown of data safety. Later signs point toward intruders possibly reaching inner networks. Some organizational details might now be exposed. One report suggests hackers aimed at company systems plus staff details, mainly tied to central offices. 

What got taken stays uncertain right now - no clear picture on volume or leaks so far. Still, authorities admit: chances of sensitive material being exposed feel real enough. Though gaps remain in understanding the full reach, concern holds steady. Notably, Die Linke confirmed its member records stayed untouched. That means information tied to more than 123,000 individuals likely avoided exposure. 

So, the incident may be narrower than first feared. Early in April, the Qilin ransomware crew named Die Linke among those hit, posting details on their public leak page. Despite holding back actual files until now, these moves often aim to push targets toward payment. Pressure builds when sensitive material might go live - this is how cyber gangs tighten control mid-talks. Something like this might point beyond mere hacking. Die Linke sees signs of coordination, possibly tied to Russian-speaking cybercriminal networks. Not accidental, they argue - the timing matters. 

A move within wider hybrid campaigns emerges here, blending digital strikes with influence efforts. Institutions become targets when data breaches align with disinformation. Cyber actions gain weight when paired with political pressure. This event fits a pattern some have seen before. Digital intrusions serve larger goals when linked to real-world disruption. Following the incident, German officials received official notification along with submission of a criminal report. To examine the security lapse, limit consequences, and repair compromised infrastructure, outside cyber specialists are now assisting the organization. 

Far from unique, such attacks mirror past patterns seen in Germany. State-backed hacking efforts have struck before - especially those tied to APT29 - with political groups often in their sights. Surprisingly, cyber operations against Die Linke reveal how digital security now intertwines with global power struggles - political groups face rising risks from attackers motivated by profit or belief alike. 

While once seen as separate realms, online threats today frequently mirror international tensions, pulling parties like Die Linke into the crosshairs without warning. Because motives differ, so do methods; yet all exploit vulnerabilities in systems meant to serve public discourse. Thus, a breach isn’t merely technical - it reflects broader shifts in who gets targeted, and why.
Read more »
Technology
ai agents CyberThreat Google Technology

Google DeepMind Maps How the Internet Could be Used to Manipulate AI Agents

Researchers at Google DeepMind have outlined a growing but less visible risk in artificial intelligence deployment, the possibility that the internet itself can be used to manipulate autonomous AI agents. In a recent paper titled “AI Agent Traps,” the researchers describe how online content can be deliberately designed to mislead, control or exploit AI systems as they browse websites, read information and take actions. The study focuses not on flaws inside the models, but on the environments these agents operate in.  

The issue is becoming more urgent as companies move toward deploying AI agents that can independently handle tasks such as booking travel, managing emails, executing transactions and writing code. At the same time, malicious actors are increasingly experimenting with AI for cyberattacks. OpenAI has also acknowledged that one of the key weaknesses involved, prompt injection, may never be fully eliminated. 

The paper groups these risks into six broad categories. One category involves hidden instructions embedded in web pages. These can be placed in parts of a page that humans do not see, such as HTML comments, invisible elements or metadata. While a user sees normal content, an AI agent may read and follow these concealed commands. In more advanced cases, websites can detect when an AI agent is visiting and deliver a different version of the page tailored to influence its behavior. 

Another category focuses on how language shapes an agent’s interpretation. Pages filled with persuasive or authoritative sounding phrases can subtly steer an agent’s conclusions. In some cases, harmful instructions are disguised as educational or hypothetical content, which can bypass a model’s safety checks. The researchers also describe a feedback loop where descriptions of an AI’s personality circulate online, are later absorbed by models and begin to influence how those systems behave. 

A third type of risk targets an agent’s memory. If false or manipulated information is inserted into the data sources an agent relies on, the system may treat that information as fact. Even a small number of carefully placed documents can affect how the agent responds to specific topics. Other attacks focus directly on controlling an agent’s actions. Malicious instructions embedded in ordinary web pages can override safety safeguards once processed by the agent. 

In some experiments, attackers were able to trick agents into retrieving sensitive data, such as local files or passwords, and sending it to external destinations at high success rates. The researchers also highlight risks that emerge at scale. Instead of targeting a single system, some attacks aim to influence many agents at once. They draw comparisons to the Flash Crash, where automated trading systems amplified a single event into a large market disruption. 

A similar dynamic could occur if multiple AI agents respond simultaneously to false or manipulated information. Another category involves the human users overseeing these systems. Outputs can be designed to appear credible and technical, increasing the likelihood that a person approves an action without fully understanding the risks. 

In one example, harmful instructions were presented as legitimate troubleshooting steps, making them easier to accept. To address these risks, the researchers outline several areas for improvement. On the technical side, they suggest training models to better recognize adversarial inputs, as well as deploying systems that monitor both incoming data and outgoing actions. 

At a broader level, they propose standards that allow websites to signal which content is intended for AI systems, along with reputation mechanisms to assess the trustworthiness of sources. The paper also points to unresolved legal questions. If an AI agent carries out a harmful action after being manipulated, it is unclear who should be held responsible. 

The researchers describe this as an “accountability gap” that will need to be addressed before such systems can be widely deployed in regulated sectors. The study does not present a complete solution. Instead, it argues that the industry lacks a clear, shared understanding of the problem. Without that, the researchers suggest, efforts to secure AI systems may continue to focus on the wrong areas.
Read more »
User Privacy
Chrome Extensions Data Breach Data Leak Linkedin User Privacy

LinkedIn Secretly Scans 6,000+ Chrome Extensions, Collects Device Data

 

LinkedIn is facing renewed scrutiny after a report alleged that its website secretly scans browsers for more than 6,000 Chrome extensions and collects device data tied to user profiles . The company says the detection is meant to identify scraping and other policy-violating extensions, not to infer sensitive personal information.

LinkedIn’s critics say the practice goes far beyond basic security checks because the platform can connect extension data to real identities, employers, and job roles. That makes the scanning especially controversial, since the results could reveal which tools workers or companies use, including products that compete with LinkedIn’s own sales offerings.

BleepingComputer said it independently confirmed part of the behavior during testing, observing a LinkedIn-loaded JavaScript file with a randomized name that checked for 6,236 browser extensions . The script reportedly did this by probing extension-related file resources, a known method for determining whether specific extensions are installed . 

The report also says the script gathers broader browser and device details, including CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features . That kind of data can contribute to browser fingerprinting, which may allow websites to build a more unique profile of a visitor across sessions . 

LinkedIn, however, rejects the allegation that it is using the data to profile users in a harmful way . The company says it looks for extensions that scrape data without consent or violate its terms, and that it uses the findings to improve defenses and protect site stability . The dispute also appears to be tied to a broader legal fight involving a LinkedIn-related browser extension developer, with LinkedIn pointing to a German court ruling that sided with the company .
Read more »
Trade
Camera CCTV China India surveillance Technology Trade

Indian Government Bans Chinese Camera Import, Supply Shortage in Indian Brands


The Indian government has banned the import and sale of internet-connected CCTV cameras from China. This move has significantly impacted Hyderabad city’s surveillance device market. Traders and installers have reported immediate upsets in consumer behaviour, pricing, and supply. 

Impact on wholesale markets

In famous wholesale hubs like Chenoy Trade Centre (CTC) in Secunderabad and Gujarati Galli in Koti, the effects of the ban are already visible: unsold stock, lower volumes, and price surge in non-Chinese devices.

Om Singh, a local businessman, has been running Kimpex Security Solutions for 14 years. He has called the ban ‘sudden’ and the transition ‘blunt’. According to The Hindu’s reporting, “Before the ban, we had 20 to 25 brands. Now we are left with only one. Customers have reduced significantly because rates have increased a lot and they are not satisfied with the quality.”

The scale of the drop

Om used to sell between 2,000 and 3,000 cameras every month for each of the brands, including Hikvision, TP-Link, and Dahua Technology. In total, he sold ₹30–40 lakh worth of shares each month. Om currently has stock that is worth between ₹15 and ₹20 lakh. He is worried about the sale of this remaining stock.

In the market, local traders say prices of Indian brands have surged by 10-30% since April 1. Cameras previously priced at ₹25k are now available for ₹ 27,000-32,000 or higher. 

Another trader, Bhavesh, has been running Jeevraj CCTV for a decade. He says the change in demand is clear but also confusing. Indian brands are in high demand, especially CP Plus. However, businesses have increased prices for associated equipment and IT cameras. Sales and customer numbers have decreased due to the price increase.

Disruption, supplies, sales

Traders believe the situation is not sudden and has been building up over time. Over the past year, traders have not received significant supplies of these cameras. Shops sold whatever Chinese stock they had before March 31 so that it could be billed for GST, before the new financial year. Therefore, the ban didn’t significantly impact the markets as traders were left with a small number of Chinese stocks. 

For installers and system integrators designing and executing surveillance setups, the impact is more optional. One system integration expert said the sudden rise in demand for Indian brands has resulted in supply bottlenecks. Clients are now demanding ‘Make in India’ products, and stock for Indian cameras is not ready for the current demand. Installers are facing pressure. 

Read more »
ZeroDayRAT
Cybercrime Trends data threat Fake Apps Mobile Malware Mobile Security Phishing Attacks Remote Access Trojan Spyware threats ZeroDayRAT

Advanced Remote Access Trojan Eliminates Need for APK or IPA to Hijack Phones


 

A remote access Trojan (RAT) has evolved steadily from opportunistic malware to highly controlled instruments of digital intrusion in the evolving landscape of cyber threats as they have evolved from opportunistic malware. These programs are designed to create a concealed backdoor within a targeted computer system, allowing attackers to gain administrative access without being noticed by the user. 

A RAT is a piece of software that is often infiltrated with deception to gain access, embedded within seemingly legitimate applications, such as games and innocuous email attachments. When executed, they operate silently in the background, turning the compromised device into an accessible endpoint remotely. Through this foothold, threat actors have the ability to continue monitoring and controlling infected systems, as well as spreading the malware to multiple infected systems, resulting in coordinated botnets.

As a result of their widespread use through exploit frameworks such as Metasploit, modern RATs are designed for efficiency and resilience. They establish direct communication channels with command-and-control servers through defined network ports, ensuring uninterrupted access and control of an infected environment. 

ZeroDayRAT signals an escalation of commercialization and accessibility of advanced mobile surveillance capabilities, building on this established threat model. Researchers at iVerify identified and examined the toolkit in February 2026, which was positioned not as a niche exploit but rather as a fully developed spyware offering distributed through Telegram channels. 

As opposed to traditional RAT deployments that often require a degree of technical proficiency, ZeroDayRAT enables operators to deploy the program without any technical knowledge by providing them with streamlined infrastructure, such as dedicated command servers, preconfigured malicious application builders, and intuitive user interfaces.

With the combination of operational simplicity and capabilities commonly associated with state-sponsored tooling, attackers are able to control Android and iOS devices comprehensively. When the malware has been deployed, commonly through smishing campaigns, phishing emails, counterfeit applications, or weaponized links shared across messaging platforms, it establishes persistent access to the target system and begins gathering data about the device. 

Operator dashboards aggregate critical data points, such as device specifications, operating system information, battery metrics, location, SIM and carrier details, application usage patterns, and SMS fragments, enabling continuous behavioral profiling. With this level of control, attackers can utilize real-time and historical GPS tracking, intercept notifications across applications, and observe incoming communications and missed interactions without direct user engagement to further extend their control. By doing so, they maintain a deep yet unobtrusive presence within the compromised device ecosystem. 

A parallel and equally worrying trend aligns closely with this operational model: a proliferation of fraudulent mobile applications posing as legitimate brands in large numbers. The development and maintenance of authentic applications remains a priority for organizations; however, adversaries are increasingly taking advantage of this trust by distributing nearly perfect replicas across multiple channels for app distribution. 

A counterfeit application not only reproduces the visual identity of the brand—logos, user interfaces, name conventions, and store listing assets—but it also replicates some elements of functional behavior, creating a virtually indistinguishable experience for end users. It is, however, under the surface that the divergence occurs. 

In contrast to connecting to trusted backend infrastructure, these applications have been designed to covertly redirect sensitive data to attacker-controlled environments without disrupting the expected user experience, including authentication credentials, session tokens, financial information, and personally identifiable information.

Unlike other attack vectors that require exploiting software vulnerabilities and breaching enterprise networks, mobile app impersonation represents a low-barrier, high-yield attack vector that does not require exploiting software vulnerabilities or breaching enterprise networks. 

As a result, it utilizes user trust and distribution ecosystems to repackage and replicate existing applications under deceptive branding and requires minimal technical expertise. This category of threat is typically classified into distinct constructs by security analysis: repackaged applications, which involve reverse engineering legitimate binaries, altering them with malicious payloads, resigning, and redistributing them; fully developed interface clones that replicate the original application's design to facilitate credential harvesting and financial fraud; typosquatted variants that utilize minor naming variations in order to capture organic traffic from unaware users.

A significant issue is that the threat is not limited to one platform. Although Android's open distribution model facilitates sideloading and third-party app distribution, adversaries targeting iOS ecosystems have taken advantage of mechanisms such as enterprise provisioning profiles, beta distribution frameworks such as TestFlight, and Progressive Web Application delivery techniques to circumvent traditional review controls in order to gain access to their systems. 

The collective use of these tactics reinforces a shift in the landscape of mobile threats in which deception and distribution manipulation are increasingly enabling large-scale compromises more effectively than technical exploitation. As mobile threats extend beyond initial access and persistence, their operational capabilities reflect the convergence of high-end commercial spyware frameworks with their operational capabilities. 

With advanced control functions, operators are able to manipulate device states remotely, including locking and shutting devices, activating the ringer and adjusting the display, while integrating compromised devices into distributed botnet infrastructures capable of executing coordinated network attacks simultaneously. 

File management tools, typically accompanied by encryption, facilitate structured data extraction, while continuous monitoring of the front and rear cameras, microphone inputs, screen activity, and keystroke logging enables comprehensive monitoring of the user's behavior. By displaying a similar level of visibility to platforms such as Pegasus spyware, people are illustrating a shift in capability from state-aligned operations to widely available cybercriminal tools. 

An integral part of this ecosystem is the exploitation of financial resources. Specialized data extraction modules are designed to target widely used digital wallets and payment platforms, such as MetaMask, Trust Wallet, Binance, Google Pay, Apple Pay, and PayPal, with emphasis on capturing credential data and intercepting transactions automatically. 

Parallel to this, the inclusion of banking trojan capabilities positions such frameworks not only as potential means of immediate financial exploitation, but also as a precursor to more complex attack chains, including those involving ransomware or targeted fraud. Furthermore, the broader threat landscape indicates the acceleration of development cycles as illustrated by underground forum activity in early April 2026, which closely followed earlier releases disseminated via encrypted messaging channels. 

In parallel with these developments, additional toolsets utilizing zero-interaction exploitation techniques have appeared across recent mobile operating system versions, raising concerns regarding the rapid commoditization of previously restricted capabilities. An emerging underground service model is enhancing the evolution of this model further. 

As a result of subscription-based access to modular control panels, customizable payload builders, and attacker-managed command-and-control infrastructure, mid-tier threat actors have experienced a significant reduction in barriers to entry. Additionally, public disclosures and tutorials have accelerated adoption, reducing the need to develop exploits in-house. 

Nevertheless, claims of compatibility with the latest device firmware including the latest smartphone generation and extended support across legacy Android versions suggest that the attack surface is potentially extensive, especially in environments where patch management is inconsistent. From a defensive perspective, mitigation strategies must adapt to these increasingly evasive threat profiles. 

In addition to timely updates to operating systems, activated enhanced security modes, rigorous audits of third-party permissions and OAuth integrations, and continuous monitoring of unusual device behaviors, such as unauthorized sensor activation and unexplained battery drain, are essential. An enterprise should also implement additional controls to ensure that messaging-based delivery vectors are inspected, background process privileges are limited, and mobile threat defense frameworks are aligned with behaviors consistent with advanced spyware activity in order to detect those behaviors. 

As a whole, these developments indicate that the mobile security industry has reached a turning point. In the recent history of cybercrime, the transition from sophisticated surveillance techniques that were once exclusively possessed by state-sponsored actors to scalable, service-oriented offerings signals the emergence of a more competitive and fragmented threat landscape. 

In markets such as India, especially among high-risk groups, such as journalists, corporate executives, activists and cryptocurrency users, the potential impact is amplified by region-specific financial ecosystems, such as UPI-based payment infrastructures. It is important to note that the trajectory of mobile threats underscores the need for organizations and individual users alike to shift from reactive security postures to proactive risk governance. 

Mobile devices must be treated as high-value endpoints of enterprise systems, which require the same level of scrutiny. As threat intelligence monitoring continues, app distribution controls are stricter, and user awareness of installation sources is a necessity, not an optional measure. The resilience of organizations will be affected by adversaries' ongoing industrialization of surveillance capabilities and refinement of social engineering vectors. 

Consequently, layered defenses, rapid detection mechanisms, and informed users will be necessary to identify subtle indicators of compromise before they escalate into full-scale breaches.
Read more »
Subscribe to: Comments (Atom)