 
Microsoft researchers have surfaced a new phishing campaign where cybercriminals are stealing university employees’ salaries by redirecting their payroll deposits to accounts under their control. The group behind the attacks has been named “Storm-2657” by Microsoft.
The hackers have been carrying out these attacks since March 2025, targeting staff at multiple U.S. universities and organizations that use third-party HR and payroll platforms, including Workday.
According to Microsoft’s report, at least 11 employee accounts across three universities were compromised and later used to send phishing emails to nearly 6,000 individuals in 25 universities. The scale of the attack suggests a coordinated attempt to infiltrate university payroll systems through deception and stolen credentials.
How the Attack Works
The attackers send phishing emails that appear to come from legitimate university sources or human resources departments. These emails often carry urgent subjects like “COVID-Like Case Reported — Check Your Contact Status” or “Faculty Compliance Notice – Classroom Misconduct Report.”
When recipients click the embedded links, they land on adversary-in-the-middle phishing pages that capture both the password and the one-time MFA code and relay them to the real login, so the stolen code is used before it expires. With a valid session, the hackers gain access to the victim’s email and HR accounts, including Workday.
Once inside, the criminals create inbox rules that automatically delete emails from Workday, particularly notifications about payroll or bank account changes, so victims remain unaware of any tampering. They also enroll their own phone numbers or devices as MFA methods on the victim’s profile, which lets them keep access even if the victim later changes the password.
This enables the attackers to quietly change the employee’s bank account information, diverting salary payments into accounts they control.
Broader Pattern of Business Email Compromise
Experts classify this as a variant of Business Email Compromise (BEC), a fraud method where attackers infiltrate or impersonate legitimate business accounts to redirect payments or steal sensitive data.
According to the FBI’s 2024 Internet Crime Report, BEC scams caused over $2 billion in losses in 2024 alone. Victims include corporations, suppliers, and schools that move large sums through wire transfers or automated clearing house (ACH) payments.
In one notable 2024 case, cybercriminals stole $60 million from a major carbon products supplier, while a Tennessee school district also lost millions through similar fraudulent transfers.
Microsoft and Workday Respond
Microsoft said it has alerted affected institutions and shared recommendations to contain the threat. The company advised organizations to adopt phishing-resistant MFA options, monitor for suspicious inbox rules, and require extra verification for any changes to payroll details.
A Workday spokesperson also encouraged clients to strengthen their MFA policies and implement additional review steps before processing sensitive updates like salary or banking information.
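Two checks follow from the attack steps described above and from Microsoft’s advice to monitor for suspicious inbox rules. This is an added example, not Microsoft’s published hunting query: the first function flags an inbox rule that both matches payroll-related mail and hides it, and the second correlates the three steps of the chain (rule creation, new MFA method, bank account change) for one user inside a time window. The field names, event names and sample data are constructed assumptions to be mapped onto the real audit log.

```python
"""Added example: two checks for the payroll-diversion chain described above.
Not Microsoft's published hunting queries; field and event names are assumed
and the sample data is constructed."""
from __future__ import annotations
from datetime import datetime, timedelta

# Assumed markers of payroll notifications; tune to the HR platform in use.
PAYROLL_MARKERS = ("workday", "payroll", "direct deposit", "bank account")
# Rule actions that keep a message out of the user's sight (normalized: lowercase, no underscores).
HIDING_ACTIONS = {"delete", "permanentlydelete", "movetojunk", "markasread"}


def rule_hides_payroll_mail(rule: dict) -> bool:
    """True when an inbox rule matches payroll-related mail AND hides it.

    rule = {"name": str, "conditions": {field: value}, "actions": [str]};
    the field names are assumptions, adapt them to your mail platform's export."""
    haystack = " ".join([rule.get("name", ""), *map(str, rule.get("conditions", {}).values())]).lower()
    matches_payroll = any(marker in haystack for marker in PAYROLL_MARKERS)
    actions = {a.lower().replace("_", "") for a in rule.get("actions", [])}
    return matches_payroll and bool(HIDING_ACTIONS & actions)


# Assumed audit-event names for the three steps; map them to your platform's log.
CHAIN = ("InboxRuleCreated", "MfaMethodRegistered", "PayrollBankAccountChanged")


def suspicious_chains(events: list[dict], window: timedelta = timedelta(hours=24)) -> dict[str, list[str]]:
    """Return {user: [steps in time order]} for every user whose audit trail
    shows all three steps of the chain inside `window`, in any order.
    events = [{"user": str, "ts": "YYYY-MM-DDTHH:MM:SS", "type": str}, ...]"""
    by_user: dict[str, list[tuple[datetime, str]]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append((datetime.fromisoformat(e["ts"]), e["type"]))
    hits: dict[str, list[str]] = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):          # slide a window starting at each event
            seen: dict[str, datetime] = {}
            for ts, kind in evs[i:]:
                if ts - start > window:
                    break
                if kind in CHAIN:
                    seen.setdefault(kind, ts)
            if all(step in seen for step in CHAIN):
                hits[user] = sorted(seen, key=seen.get)
                break
    return hits


# Constructed sample data.
SAMPLE_RULES = [
    {"name": "..", "conditions": {"from_contains": "workday.com"}, "actions": ["Delete", "MarkAsRead"]},
    {"name": "Newsletters", "conditions": {"subject_contains": "digest"}, "actions": ["MoveToFolder:Reading"]},
]
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-09-01T09:05:00", "type": "InboxRuleCreated"},
    {"user": "alice", "ts": "2025-09-01T09:12:00", "type": "MfaMethodRegistered"},
    {"user": "alice", "ts": "2025-09-01T11:40:00", "type": "PayrollBankAccountChanged"},
    {"user": "bob", "ts": "2025-09-01T08:00:00", "type": "InboxRuleCreated"},
    {"user": "bob", "ts": "2025-09-05T08:00:00", "type": "PayrollBankAccountChanged"},
]

if __name__ == "__main__":
    print([r["name"] for r in SAMPLE_RULES if rule_hides_payroll_mail(r)])
    print(suspicious_chains(SAMPLE_EVENTS))
```

The rule check on its own produces false positives (users do file HR mail), which is why the second function matters: a rule that hides payroll mail, a new MFA method and a bank change within a day for the same account is the full chain, and that combination should page someone and freeze the pending payroll change until the employee confirms it out of band.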
Protecting Employees and Institutions
Cybersecurity experts emphasize the importance of employee awareness and vigilant reporting. Staff should avoid clicking on unsolicited HR emails and instead confirm any urgent requests directly with their university’s payroll or IT department.
With education institutions increasingly targeted by financially motivated hackers, phishing-resistant MFA and out-of-band verification of every payroll change remain the most effective safeguards against salary diversion scams.
The Federal Bureau of Investigation (FBI) has issued a security alert about two cybercriminal groups that are breaking into corporate Salesforce environments to steal data and extort the victims. The groups, tracked as UNC6040 and UNC6395, have run separate but related operations, each using a different method to compromise accounts.
In its advisory, the FBI explained that the attackers abuse the way companies connect third-party tools to Salesforce rather than any flaw in the platform itself. To help organizations defend themselves, the agency published indicators of compromise, including IP addresses, user-agent strings, activity patterns and malicious domains linked to the breaches.
How the Attacks Took Place
The first campaign, attributed to UNC6040, came to light in 2025, with activity traced back to late 2024. According to threat intelligence researchers, the attackers relied on social engineering, chiefly fraudulent phone calls to employees. Posing as IT support staff, they talked workers through authorizing an attacker-controlled connected app, a modified version of Salesforce’s Data Loader, in the company’s Salesforce instance; in one case the app was disguised under the name “My Ticket Portal.” Once connected, the attackers queried and downloaded large volumes of customer records, especially the Account and Contact objects. The stolen data was later used for extortion.
A newer wave of incidents, tied to UNC6395, was detected in August 2025. This group used stolen OAuth tokens issued to the Salesloft Drift integration, which companies use to connect Drift to Salesforce. With these tokens the hackers could read Salesforce data through the API and search customer support Case records, which often contained confidential information such as cloud service credentials, passwords and access keys. Those secrets gave the attackers a way into further company systems and more data.
Investigations found that the token theft began months earlier, when attackers compromised the integration vendor’s code repositories. From there they obtained the authentication tokens and expanded their reach, showing how one breach in the supply chain can spread to many organizations.
The Scale of this Campaign
The campaigns have had far-reaching consequences, affecting a wide range of businesses across different industries. In response, the software vendors involved worked with Salesforce to disable the stolen tokens and forced customers to reauthenticate. Despite these steps, the stolen data and credentials may still pose long-term risks if reused elsewhere.
According to industry reports, the campaigns are believed to have impacted a number of well-known organizations across sectors, including technology firms such as Cloudflare, Zscaler, Tenable, and Palo Alto Networks, as well as companies in finance, retail, and enterprise software. Although the FBI has not officially attributed the intrusions, external researchers have linked the activity to criminal collectives with ties to groups known as ShinyHunters, Lapsus$, and Scattered Spider.
FBI Recommendations
The FBI is urging organizations to take immediate action by reviewing connected third-party applications, monitoring login activity, and rotating any keys or tokens that may have been exposed. Security teams are encouraged to rely on the technical indicators shared in the advisory to detect and block malicious activity.
Although the identity of the hackers remains uncertain, the scale of the attacks highlights how valuable cloud-based platforms like Salesforce have become for criminals. The FBI has not confirmed the groups’ claims about further breaches and has declined to comment on ongoing investigations.
For businesses, the message is clear: protecting cloud environments requires not only technical defenses but also vigilance against social engineering tactics that exploit human trust.
The growing trend of age checks on websites has pushed many people to look for alternative platforms that seem less restricted. But this shift has created an opportunity for cybercriminals, who are now hiding harmful software inside image files that appear harmless.
Why SVG Images Are Risky
Most people are familiar with raster images such as JPG or PNG: fixed grids of pixels with no executable content. SVG, or Scalable Vector Graphics, is different. It is an XML document, and the format allows script elements, event-handler attributes such as onload, and embedded HTML, the same building blocks used on web pages. Unlike a normal picture, an SVG file can therefore carry instructions that a browser will execute when it renders the file. Attackers exploit this to hide malicious code inside SVG files.
How the Scam Works
Security researchers at Malwarebytes recently uncovered a campaign that uses Facebook to spread this threat. Fake adult-themed blog posts are shared on the platform, often using AI-generated celebrity images to lure clicks. Once users interact with these posts, they may be asked to download an SVG image.
At first glance the file looks like an ordinary picture, but it contains a block of JavaScript. The code is heavily obfuscated so that it looks meaningless, yet when the file is opened in a browser the script runs, contacts other websites and downloads further malicious code.
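The reason SVG deserves the suspicion described above is that a scripted SVG is trivially distinguishable from a plain picture once you look at its XML. The following added example (not Malwarebytes’ detection logic, and the two sample files are constructed) walks an SVG’s element tree and reports every piece of active content: script elements, foreignObject, on* event handlers and javascript: links, with a crude heuristic for obfuscation based on calls such as eval and atob.

```python
"""Added example: a static check for active content in SVG files, not
Malwarebytes' detection. Sample files are constructed."""
import re
import xml.etree.ElementTree as ET

# Calls typical of obfuscated droppers (assumption: a heuristic, not a signature).
OBFUSCATION = re.compile(r"\b(eval|atob|unescape)\s*\(|String\.fromCharCode", re.I)
ACTIVE_HREF = ("javascript:", "data:text/html")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return one finding per piece of active content; [] means a plain picture.
    Production note: parse untrusted XML with defusedxml; stdlib ET is used here to stay dependency-free."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag == "script":
            body = "".join(el.itertext())                   # CDATA content is returned as text
            kind = "obfuscated" if OBFUSCATION.search(body) else "plain"
            findings.append(f"<script> element ({kind}, {len(body)} chars)")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed arbitrary HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                       # onload, onclick, onerror, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(ACTIVE_HREF):
                findings.append(f"active href on <{tag}>: {value.strip()[:40]}")
    return findings


# Constructed samples: a harmless circle and a file shaped like the dropper described above.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <image width="1" height="1" xlink:href="javascript:void(0)"/>
  <script><![CDATA[ var p = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ="; eval(atob(p)); ]]></script>
</svg>"""

if __name__ == "__main__":
    print(scan_svg(CLEAN_SVG))
    print(scan_svg(MALICIOUS_SVG))
```

A mail gateway or upload handler can apply the same rule the other way round: reject or rasterize any SVG for which the scan returns a non-empty list, since a legitimate logo or chart never needs a script element or an onload handler.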
What the Malware Does
The main malware linked to this scam is detected as Trojan.JS.Likejack. When it runs in a browser where the victim is already logged in to Facebook, it abuses that active session to automatically “like” specific posts or pages. These fake likes increase the visibility of the scammers’ content within Facebook’s ranking, making it appear more popular than it really is. Researchers found that many of the fake pages are built on WordPress and are linked to each other to boost reach.
Why It Matters
For the victim, the attack may go unnoticed. There may be no clear signs of infection besides strange activity on their Facebook profile. But the larger impact is that these scams help cybercriminals spread adult material and drive traffic to shady websites without paying for advertising.
A Recurring Tactic
This is not the first time SVG files have been misused. In the past, they have been weaponized in phishing schemes and other online attacks. What makes this campaign stand out is the combination of hidden code, clever disguise, and the use of Facebook’s platform to amplify visibility.
Users should be cautious about clicking unusual links, especially those promising sensational content. Treat image downloads, particularly SVG files, with the same suspicion as software downloads: a browser will run the scripts inside an SVG, so open unknown SVG files only in a viewer that renders them as plain images, or not at all. If something seems out of place, it is safer not to interact.
A cybercriminal group has used a surprising method to infiltrate a bank’s internal systems, by planting a tiny Raspberry Pi computer inside the bank’s network. The attackers reportedly used the device to gain access to critical parts of the bank’s infrastructure, including systems that control ATM transactions.
The incident was reported by cybersecurity firm Group-IB, which called the approach “unprecedented.” The attackers bypassed the bank’s perimeter defences entirely by physically placing the small computer on the bank’s premises and connecting it to the same network switch that carries ATM traffic. This gave them direct access to the bank’s internal communications.
The Raspberry Pi was fitted with a 4G modem, which allowed the hackers to control it remotely over mobile networks, meaning they didn’t need to be anywhere near the bank while carrying out their attack.
The main target was the bank’s ATM switching server, the system that routes and processes ATM transactions, and its hardware security module (HSM), which holds the cryptographic keys used to verify PINs and protect transaction messages. By gaining access to these systems, the attackers hoped to manipulate transaction flows and extract funds undetected.
The hacking group behind the attack, known in cybersecurity circles as UNC2891, has been active since at least 2017. They are known for targeting financial institutions and using custom-built malware, especially on Linux, Unix, and Solaris systems.
In this latest attack, the group also compromised a mail server within the bank to maintain long-term access. This mail server had continuous internet connectivity and acted as a bridge between the Raspberry Pi and the rest of the bank’s network. A monitoring server, which had access to most internal systems, was used to route communications between the devices.
During their investigation, Group-IB researchers noticed strange behavior from the monitoring server. It was sending signals every 10 minutes to unknown devices. Further analysis revealed two hidden endpoints, the planted Raspberry Pi and the compromised mail server.
The attackers had gone to great lengths to stay hidden. They disguised their malware by giving it the name “lightdm,” which is the name of a legitimate Linux display manager. They even mimicked normal command-line behavior to avoid raising suspicion during forensic reviews.
To make detection harder, the hackers used a lesser-known technique, the Linux bind mount. Bind mounts are an ordinary system-administration tool, but this abuse has since been added to the MITRE ATT&CK knowledge base as T1564.013 (Hide Artifacts: Bind Mounts). By mounting another directory over the /proc/<pid> entry of the backdoor process, the attackers hid its details from tools such as ps and from forensic scripts that read /proc, so the malware behaved like a rootkit without needing any kernel-level code.
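Because the trick works by covering a /proc/<pid> directory with a mount, it leaves a trace in the kernel’s own mount table. The added example below (not Group-IB’s tooling; the mountinfo text is constructed) parses /proc/<pid>/mountinfo lines and reports any PID whose /proc entry is covered by a mount, which legitimate mounts under /proc never are.

```python
"""Added example: detect bind mounts placed over /proc/<pid> entries
(the T1564.013 pattern described above). Not Group-IB's tooling; the sample
mountinfo text is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str          # path inside the mounted filesystem ("/" unless a subtree is bind-mounted)
    mount_point: str
    fstype: str
    source: str
    options: str


def parse_mountinfo(text: str) -> list[Mount]:
    """Parse /proc/<pid>/mountinfo: 'id parent maj:min root mountpoint opts [optional...] - fstype source superopts'."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")          # ' - ' separates the optional fields from the fstype
        f, fs = pre.split(), post.split()
        mounts.append(Mount(int(f[0]), int(f[1]), f[3], f[4], fs[0], fs[1], f[5]))
    return mounts


PROC_PID = re.compile(r"^/proc/(\d+)(?:/|$)")


def hidden_pids(mounts: list[Mount]) -> dict[int, str]:
    """PIDs whose /proc/<pid> directory is covered by a mount. Legitimate mounts under
    /proc (for example /proc/sys/fs/binfmt_misc) never sit on a numeric PID directory."""
    hits = {}
    for m in mounts:
        match = PROC_PID.match(m.mount_point)
        if match:
            hits[int(match.group(1))] = f"{m.fstype} from {m.source}:{m.root}"
    return hits


# Constructed: /proc/1 bind-mounted over /proc/4242, so ps and ls show PID 1's details in place of 4242's.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
33 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
34 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=29
"""

if __name__ == "__main__":
    import pathlib
    print("sample:", hidden_pids(parse_mountinfo(SAMPLE_MOUNTINFO)))
    live = pathlib.Path("/proc/self/mountinfo")
    if live.exists():
        print("this host:", hidden_pids(parse_mountinfo(live.read_text())))
```

Run it as root on the host being examined, not from inside a container: each mount namespace has its own mountinfo, so a backdoor that set up the mount in the host namespace is invisible from a namespaced shell.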
The incident shows attackers blending physical access with advanced evasion to get inside environments that are well defended at the perimeter.
Bengaluru — A government portal designed to support apprenticeships in India has become the latest target of cybercriminals. Hackers reportedly accessed the site and changed the bank details of several registered candidates, redirecting their stipend payments into unauthorized accounts.
The breach took place on the apprenticeshipindia.gov.in website, which is managed by the Ministry of Skill Development and Entrepreneurship. The platform is used by students and job seekers to apply for apprenticeship programs and receive government-backed financial support. Employers also use the site to onboard trainees and apply for partial stipend reimbursements under the National Apprenticeship Promotion Scheme (NAPS).
The issue came to light after a Bengaluru-based training institute, Cadmaxx Solution Education Trust, filed a complaint with the cybercrime police. According to Arun Kumar D, the organization’s CEO and director, the hacking activity spanned several months between January 3 and July 4, during which the attackers managed to manipulate banking information for six enrolled candidates.
Once the fraudulent bank account numbers were entered into the portal, the stipend funds were transferred to accounts held with HDFC Bank, State Bank of India, Axis Bank, and NSDL Payments Bank. The total amount diverted was ₹1,46,073, according to the complaint.
The cybercrime division in West Bengaluru registered an official case on July 26. Police have charged the unidentified perpetrators under multiple sections of the Information Technology Act, including those related to data tampering, unauthorized system access, and identity theft.
A senior officer involved in the case said investigators are working to trace the flow of funds by gathering account details from the banks involved. They are also reviewing server logs and IP addresses to establish how the portal was accessed, and whether the intrusion came from an external attacker or from internal misuse.
Authorities mentioned that, if necessary, the matter will be escalated to CERT-In (Indian Computer Emergency Response Team), which handles major cybersecurity incidents at the national level.
This incident raises serious concerns about the protection of financial and personal data on public service websites, especially those used by students and job seekers. It also highlights the growing trend of hackers targeting official government platforms to exploit funding systems.
A recent incident involving Amazon’s AI-powered coding assistant, Amazon Q, has raised concerns about the safety of developer tools and the risk of software supply chain attacks.
The issue came to light after a hacker managed to insert harmful code into the Visual Studio Code (VS Code) extension used by developers to access Amazon Q. This tampered version of the tool was distributed as an official update on July 17 — potentially reaching thousands of users before it was caught.
According to media reports, the attacker submitted a pull request to the extension’s public GitHub repository from an unverified account. The change was merged and, the attacker said, left them with enough access to add a prompt instructing the AI assistant to wipe local files and cloud resources, in effect turning it into a system cleaner with dangerous privileges.
The hacker later told reporters that the goal wasn’t to cause damage but to make a point about weak security practices in AI tools. They described their action as a protest against what they called Amazon’s “AI security theatre.”
Amazon’s response and the fix
Amazon moved to contain the issue. The company said it was tied to two open-source repositories, which have since been secured, and that the affected version, 1.84.0, was replaced by version 1.85.0 containing the fix. Amazon stated that no customer resources were impacted.
Bigger questions about AI security
This incident highlights a growing problem: the security of AI-based developer tools. Experts warn that when AI systems like code assistants are compromised, they can be used to inject harmful code into software projects or expose users to unseen risks.
Cybersecurity professionals say the situation also exposes gaps in how open-source contributions are reviewed and approved. Without strict checks in place, bad actors can take advantage of weak points in the software release process.
What needs to change?
Security analysts are calling for stronger DevSecOps practices — a development approach that combines software engineering, cybersecurity, and operations. This includes:
• Verifying every update against cryptographic hashes or signatures before installing it,
• Monitoring tools for unusual behaviour,
• Limiting system access permissions and
• Ensuring quick communication with users during incidents.
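The first item in the list is simple to state but easy to get wrong in practice. The added example below (not Amazon’s release tooling; file names and contents are constructed) pins an unpacked extension as a manifest of SHA-256 digests and then verifies a later copy against it, reporting modified, missing and unexpected files, since a hijacked release differs from the pinned one in exactly those ways.

```python
"""Added example for the hash-check item: verify an unpacked extension
against a pinned manifest of SHA-256 digests. Not Amazon's release tooling;
file names and contents are constructed."""
from __future__ import annotations
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pin_tree(root: Path) -> dict[str, str]:
    """Build a manifest {relative posix path: sha256} for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree with the manifest. Accept the update only when all three lists are empty."""
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif not hmac.compare_digest(sha256_file(path), expected):
            report["modified"].append(rel)
    report["unexpected"] = sorted(present)             # files the pinned release never had
    return report


def demo() -> tuple[dict, dict]:
    """Constructed scenario: pin a clean extension, then tamper with it the way a hijacked release would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dist").mkdir()
        (root / "package.json").write_text('{"name": "example-assistant", "version": "1.84.0"}\n')
        (root / "dist" / "extension.js").write_text("module.exports = { activate() {} };\n")
        manifest = pin_tree(root)                        # what a trusted release channel would publish
        clean = verify_tree(root, manifest)
        (root / "dist" / "extension.js").write_text("module.exports = { activate() { /* injected */ } };\n")
        (root / "dist" / "agent-instructions.txt").write_text("constructed: an added instruction file\n")
        tampered = verify_tree(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the manifest’s provenance: it must be signed, or fetched over a channel the attacker cannot write to, otherwise the verifier is comparing the attacker’s package against the attacker’s own digests.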
They also stress the need for AI-specific threat models, especially as AI agents begin to take on more powerful system-level tasks.
The breach is a wake-up call for companies using or building AI tools. As more businesses rely on intelligent systems to write, test, or deploy code, ensuring these tools are secure from the inside out is no longer optional; it is essential.
A group of hackers has been attacking businesses with a modified copy of a legitimate Salesforce tool, according to Google’s threat researchers. The campaign has run for several months and centres on stealing company data, then pressuring the victims for money.
How the Attack Happens
The hackers phone employees while pretending to be the company’s technical support team. During the call they either talk the employee into handing over login details or guide them to the Salesforce connected-app setup page and have them enter a connection code.
That code authorizes an attacker-controlled app, a modified version of Salesforce’s Data Loader, in the company’s Salesforce instance. The attackers then use it to quietly query and export sensitive data.
In many situations, the hackers don’t just stop at Salesforce. They continue to explore other parts of the company’s cloud accounts and sometimes reach deeper into the company’s private networks.
Salesforce’s Advice to Users
Earlier this year, Salesforce warned people about these kinds of scams. The company has made it clear that there is no known fault or security hole in the Salesforce platform itself. The problem is that the attackers are successfully tricking people by pretending to be trusted contacts.
Salesforce has recommended that users improve their account protection by turning on extra security steps like multi-factor authentication, carefully controlling who has permission to access sensitive areas, and limiting which locations can log into the system.
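The defensive advice in this article and in the earlier FBI advisory article on UNC6040 and UNC6395 comes down to the same review: know which connected apps hold tokens for your Salesforce instance, how broad those tokens are, whether they are pinned to your login IP ranges, and what they have been reading. The added example below (not Salesforce’s or Google’s tooling; the record schema, allowlist and thresholds are assumptions) scores a constructed connected-app inventory and lists the apps whose tokens should be revoked pending review.

```python
"""Added example: a connected-app review of the kind the FBI and Salesforce
advise, over a constructed inventory. The field names, allowlist and
thresholds are assumptions, not a Salesforce API."""
from __future__ import annotations
from datetime import date

APPROVED_APPS = {"Salesforce Data Loader", "Drift"}       # assumed allowlist of vetted apps
BROAD_SCOPES = {"full", "api", "refresh_token"}           # scopes that grant wide, long-lived API access
SENSITIVE_OBJECTS = {"Account", "Contact", "Case"}         # the objects the campaigns exported
BULK_ROWS = 50_000                                         # assumed per-day export threshold


def audit_connected_app(app: dict, today: date) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one connected-app record.
    app = {"name", "installed_by", "scopes", "ip_policy", "first_used", "objects_read", "rows_exported_24h"}"""
    findings = []
    if app["name"] not in APPROVED_APPS:
        findings.append(("high", "not on the approved connected-app list"))
    broad = BROAD_SCOPES & set(app.get("scopes", []))
    if broad:
        findings.append(("info", f"broad OAuth scopes {sorted(broad)}; confirm least privilege"))
    if app.get("ip_policy") == "relax":
        findings.append(("medium", "IP restrictions relaxed; login IP ranges do not apply to this app's tokens"))
    touched = SENSITIVE_OBJECTS & set(app.get("objects_read", []))
    if touched and app.get("rows_exported_24h", 0) >= BULK_ROWS:
        age = (today - date.fromisoformat(app["first_used"])).days
        findings.append(("high", f"bulk read of {sorted(touched)}: {app['rows_exported_24h']} rows; app first used {age} days ago"))
    return findings


def apps_to_revoke(apps: list[dict], today: date) -> list[str]:
    """Apps with a high-severity finding: revoke their OAuth tokens, then
    re-authorize only after the owner confirms the app and its activity."""
    return sorted(a["name"] for a in apps if any(sev == "high" for sev, _ in audit_connected_app(a, today)))


TODAY = date(2025, 9, 15)                                   # constructed
SAMPLE_APPS = [                                             # constructed inventory
    {"name": "Salesforce Data Loader", "installed_by": "admin@example.com", "scopes": ["api", "refresh_token"],
     "ip_policy": "enforce", "first_used": "2023-02-01", "objects_read": ["Account"], "rows_exported_24h": 1_200},
    {"name": "My Ticket Portal", "installed_by": "jdoe@example.com", "scopes": ["full", "refresh_token"],
     "ip_policy": "relax", "first_used": "2025-09-14", "objects_read": ["Account", "Contact"], "rows_exported_24h": 310_000},
    {"name": "Drift", "installed_by": "mktg@example.com", "scopes": ["api", "refresh_token"],
     "ip_policy": "enforce", "first_used": "2024-05-20", "objects_read": ["Case"], "rows_exported_24h": 85_000},
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app["name"], audit_connected_app(app, TODAY))
    print("revoke:", apps_to_revoke(SAMPLE_APPS, TODAY))
```

Note that the approved Drift app is still listed for revocation: an allowlist tells you the app is expected, not that its token is still in the right hands, which is exactly the gap the UNC6395 token theft exploited. Volume of sensitive reads is the signal that survives a stolen but otherwise legitimate token.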
Unclear Why Salesforce is the Target
It is still unknown why the attackers are focusing on Salesforce tools or how they became skilled in using them. Google’s research team has not seen other hacker groups using this specific method so far.
Interestingly, the attackers do not all seem to have the same level of experience. Some are very skilled at using the fake Salesforce tool, while others seem less prepared. Experts believe that these skills likely come from past activities or learning from earlier attacks.
Hackers Delay Their Demands
In many cases, the hackers wait for several months after breaking into a company before asking for money. Some attackers claim they are working with outside groups, but researchers are still studying these possible connections.
A Rising Social Engineering Threat
This type of phone-based trick is becoming more common as hackers rely on social engineering — which means they focus on manipulating people rather than directly breaking into systems. Google’s researchers noted that while there are some similarities between these hackers and known criminal groups, this particular group appears to be separate.
IT support teams, also known as service desks, are usually the first people we call when something goes wrong with our computers or accounts. They’re there to help fix issues, unlock accounts, and reset passwords. But this helpfulness is now being used against them.
Cybercriminals are targeting these service desks by pretending to be trusted employees or partners. They call in with fake stories, hoping to trick support staff into giving them access to systems. This method, called social engineering, relies on human trust — not hacking tools.
Recent Examples of These Attacks
In the past few months, several well-known companies have been hit by this kind of trickery:
1. Marks & Spencer: Attackers got the IT team to reset passwords, which gave them access to personal data. Their website and online services were down for weeks.
2. Co-Op Group: The support team was misled into giving system access. As a result, customer details and staff logins were stolen, and some store shelves went empty.
3. Harrods: Hackers tried a similar trick but were caught in time before they could cause any damage.
4. Dior: An unknown group accessed customer information like names and shopping history. Thankfully, no payment details were leaked.
5. MGM Resorts (2023): Hackers phoned the help desk, pretending to be someone from the company. They convinced the team to turn off extra security on an account, which led to a major cyberattack.
Why Hackers Target Support Desks
It’s often much easier to fool a person than to break into a computer system. Help desk workers are trained to respond quickly and kindly, especially when someone seems stressed or claims they need urgent access.
Hackers take advantage of this by pretending to be senior staff or outside vendors, using pressure and believable stories to make support agents act without asking too many questions.
How These Scams Work
• Research: Criminals gather public details about the company and employees.
• Fake Identity: They call the support team, claiming to be locked out of an account.
• Create Urgency: They insist the situation is critical, hoping the agent rushes to help.
• Bypass MFA: They make up excuses for not being able to complete the two-step login and ask for it to be reset.
• Gain Access: Once the reset is done, they log in and start their attack from the inside.
What Can Be Done to Prevent This
Companies should train their support teams to slow down, ask the right questions, and always verify who they’re talking to — no matter how urgent the request sounds. It’s also smart to use extra security tools that help confirm a person’s identity before giving access.
Adding clear rules and multi-layered checks will make it harder for attackers to slip through, even when they try their best to sound convincing.
A major Chinese telecom company has launched what it claims is the first commercial security system that can protect digital communication from even the most powerful future hackers — including those using quantum computers.
China Telecom Quantum, a state-owned firm, recently introduced an encryption system that combines two technologies to protect data, phone calls, and user identity. The company says the system was used to make a secure phone call between Beijing and Hefei, a distance of more than 1,000 kilometers.
The Problem: Quantum Computers Could Break Today’s Encryption
As quantum computing matures, it is expected to threaten today’s public-key cryptography. A sufficiently large quantum computer running Shor’s algorithm could break the RSA and elliptic-curve encryption that protects passwords in transit, bank data, and government records, which is why data intercepted now could be decrypted later.
To stay ahead of these threats, China Telecom has built a new system that combines:
1. Quantum key distribution (QKD), which delivers encryption keys over an optical link using the principles of quantum physics, so that any attempt to intercept the key disturbs it and can be detected.
2. Post-quantum cryptography (PQC), mathematics-based algorithms built on problems that are believed to be hard even for quantum computers.
Used together as a hybrid, the two layers mean an attacker would need to defeat both to recover the communication.
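What “combining” two key sources means in practice is a key-derivation step in which both secrets feed one function, so that losing either one alone does not reveal the session key. The added example below is a generic construction (HKDF-SHA256 from RFC 5869 over the concatenated secrets, with a transcript hash as salt), not China Telecom’s design, which the article does not describe; the QKD key, KEM secret and transcript are constructed placeholders.

```python
"""Added example: how two independent key sources can be combined so that
both must be broken to recover the session key. A generic construction
(HKDF over both secrets, RFC 5869), not China Telecom's design; the QKD and
KEM values are constructed placeholders."""
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256: extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_keys(qkd_key: bytes, pqc_secret: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a QKD-delivered key and a post-quantum KEM shared secret.

    Both secrets enter the extract step, so an attacker who learns only one still
    faces a full-strength unknown; the transcript hash used as salt binds the key to
    this particular exchange (endpoints, key identifiers, KEM ciphertext)."""
    if len(qkd_key) < 32 or len(pqc_secret) < 32:
        raise ValueError("each key source must supply at least 256 bits")
    return hkdf(qkd_key + pqc_secret, salt=hashlib.sha256(transcript).digest(), info=b"hybrid-session-key-v1")


# Constructed placeholders standing in for real QKD output and a real KEM decapsulation.
QKD_KEY = bytes.fromhex("11" * 32)
PQC_SECRET = bytes.fromhex("22" * 32)
TRANSCRIPT = b"caller=beijing|callee=hefei|qkd_key_id=0042|kem_ct_sha256=constructed"

if __name__ == "__main__":
    key = combine_keys(QKD_KEY, PQC_SECRET, TRANSCRIPT)
    print(key.hex())
    # Replacing either input with zeros yields a different key: neither source alone determines it.
    print(key != combine_keys(bytes(32), PQC_SECRET, TRANSCRIPT), key != combine_keys(QKD_KEY, bytes(32), TRANSCRIPT))
```

The property a practitioner should check in any hybrid scheme is exactly the one the last line exercises: the output must depend on every input secret, and the derivation must be bound to the session so a key agreed for one call cannot be replayed into another.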
Tested in Real Conditions and Ready to Use
China Telecom says the system has been tested successfully and is ready to be used on a large scale. The company has already created secure quantum networks in 16 cities, including Beijing, Shanghai, Guangzhou, and Hefei.
These networks now make up a nationwide secure communication system. Among them, the company says Hefei’s network is the largest and most advanced of its kind, with eight main hubs and over 150 connection points spread across 1,147 kilometers of fibre. It is already used by around 500 government departments and nearly 400 publicly owned companies.
Extra Tools for Safe Messaging and Document Management
The company has also introduced two new secure tools:
• Quantum Secret — a messaging and teamwork app designed to keep communication safe from even advanced hackers.
• Quantum Cloud Seal — a platform made for secure digital approvals, auditing, and managing documents for businesses and government offices.
Both tools are already being used across different industries in China.
With this launch, China has taken a major step toward building a future-ready cybersecurity system — one that can stay strong even as quantum computing technology continues to grow.
Cyberattacks aren’t what they used to be. Instead of one group planning and carrying out an entire attack, today’s hackers are breaking the process into parts and handing each step to different teams. This method, often seen in cybercrime now, is making it more difficult for security experts to understand and stop attacks.
In the past, cybersecurity analysts looked at threats by studying them as single operations done by one group with one goal. But that method is no longer enough. These days, many attackers specialize in just one part of an attack—like finding a way into a system, creating malware, or demanding money—and then pass on the next stage to someone else.
To better handle this shift, researchers from Cisco Talos, a cybersecurity team, have proposed updating an established analytic framework called the Diamond Model. The model originally describes an intrusion through four vertices: the adversary, the victim, the capability (the tools used), and the infrastructure (the systems involved). The new idea is to add a fifth layer that records how different groups are connected and work together, even when they do not share the same goals.
By tracking relationships between groups, security teams can better understand who is doing what, avoid mistakes when identifying attackers, and spot patterns across different incidents. This helps them respond more accurately and efficiently.
The idea of cybercriminals selling services isn’t new. For years, online forums have allowed criminals to buy and sell services—like renting out access to hacked systems or offering ransomware as a package. Some of these relationships are short-term, while others involve long-term partnerships where attackers work closely over time.
In one recent case, a group called ToyMaker focused only on breaking into systems. They then passed that access to another group known as Cactus, which launched a ransomware attack. This type of teamwork shows how attackers are now outsourcing parts of their operations, which makes it harder for investigators to pin down who’s responsible.
Other companies, like Elastic and Google’s cyber threat teams, have also started adapting their systems to deal with this trend. Google, for example, now uses separate labels to track what each group does and what motivates them—whether it's financial gain, political beliefs, or personal reasons. This helps avoid confusion when different groups work together for different reasons.
As cybercriminals continue to specialize, defenders will need smarter tools and better models to keep up. Understanding how hackers divide tasks and form networks may be the key to staying one step ahead in this ever-changing digital battlefield.
A newly discovered cyberattack is targeting WordPress websites by using a plugin that pretends to improve security but actually opens a backdoor for criminals. This fake plugin secretly gives attackers full control of affected sites.
How the Infection Begins
Security researchers at Wordfence found this malware while cleaning an infected website earlier this year. They noticed that a key WordPress system file named ‘wp-cron.php’ had been tampered with. This edited file was creating and activating a hidden plugin on its own, without the website owner’s permission.
This plugin has appeared under various names such as:
• wp-antymalwary-bot.php
• addons.php
• wpconsole.php
• wp-performance-booster.php
• scr.php
Even if the plugin is deleted manually, the altered ‘wp-cron.php’ file automatically brings it back the next time someone visits the website. This allows the malicious code to keep coming back.
How Hackers Might Be Gaining Entry
It’s still not clear how the hackers are getting into these websites in the first place. Experts believe they may be using stolen login credentials for hosting accounts or file transfer services like FTP. Unfortunately, no server logs were available to confirm exactly how the breach happens.
What the Plugin Allows Attackers to Do
Once active, the plugin verifies that it is running and then silently gives the attacker administrator-level control. Through a hidden “emergency login” function, attackers can authenticate as an administrator without the normal login page: a request to a specific web address carrying the right password logs them in.
The plugin also registers a REST API route with no permission check, so requests to it need no login at all. This lets attackers:
• Add harmful code into theme files
• Clear plugin cache data
• Carry out other hidden tasks via special web requests
In updated versions of the malware, the plugin can also add harmful JavaScript to the website’s code. This can be used to show spam, redirect users to risky websites, or collect data from site visitors.
What Site Owners Should Watch For
Website managers should check the ‘wp-cron.php’ file and their theme’s ‘header.php’ file for any unfamiliar edits. Also, log entries with keywords like “emergency_login” or “urlchange” should be seen as warning signs of a possible attack.
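The two places the article tells site owners to look, the access log and the edited core file, can both be checked with a short script. The added example below (not Wordfence’s scanner; the log lines, IPs, REST path and wp-cron.php fragment are constructed) flags requests that carry the backdoor parameters, correlates later REST writes from the same IP, and inspects a core file for the known plugin names and for calls a clean wp-cron.php never makes.

```python
"""Added example: two checks for the fake-plugin infection described above,
over constructed access-log lines and a constructed wp-cron.php. Not
Wordfence's scanner; the REST path and IPs in the sample are made up."""
from __future__ import annotations
import hashlib
import re

SUSPICIOUS_PARAMS = ("emergency_login", "urlchange")
KNOWN_PLUGIN_FILES = ("wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                      "wp-performance-booster.php", "scr.php")
# Calls that a clean core wp-cron.php does not make; their presence means the file was edited.
DROPPER_CALLS = re.compile(r"\b(file_put_contents|base64_decode|eval|activate_plugin|gzinflate)\s*\(")
# Common/combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (ip, path, reason): first every request carrying a backdoor parameter,
    then every REST (/wp-json/) write made from an IP that used the backdoor."""
    parsed = [m for m in map(LOG_RE.match, lines) if m]
    hits, backdoor_ips = [], set()
    for m in parsed:
        if any(p in m["path"] for p in SUSPICIOUS_PARAMS):
            hits.append((m["ip"], m["path"], "backdoor parameter"))
            backdoor_ips.add(m["ip"])
    for m in parsed:
        if m["ip"] in backdoor_ips and "/wp-json/" in m["path"] and m["method"] == "POST":
            hits.append((m["ip"], m["path"], "REST write from backdoor IP"))
    return hits


def scan_core_file(name: str, content: str, expected_sha256: str | None = None) -> list[str]:
    """Flag a core or theme file that references the known plugin names or contains dropper calls;
    pass the digest of the same file from a clean WordPress download to also catch any other edit."""
    findings = []
    if expected_sha256 and hashlib.sha256(content.encode()).hexdigest() != expected_sha256:
        findings.append(f"{name}: digest differs from the clean copy")
    findings += [f"{name}: references {f}" for f in KNOWN_PLUGIN_FILES if f in content]
    findings += [f"{name}: unexpected call {m.group(1)}(" for m in DROPPER_CALLS.finditer(content)]
    return findings


SAMPLE_LOG = [  # constructed
    '203.0.113.7 - - [02/May/2025:10:14:03 +0000] "GET /?emergency_login=1&key=REDACTED HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/May/2025:10:14:09 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 200 45',
    '198.51.100.20 - - [02/May/2025:10:15:00 +0000] "GET /about/ HTTP/1.1" 200 1290',
    '198.51.100.20 - - [02/May/2025:10:15:02 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300',
    '203.0.113.7 - - [02/May/2025:10:16:40 +0000] "GET /?urlchange=https://example.invalid/landing HTTP/1.1" 200 12',
]
SAMPLE_WP_CRON = """<?php
// constructed: the start of a clean wp-cron.php followed by an injected dropper
ignore_user_abort( true );
if ( ! file_exists( WP_PLUGIN_DIR . '/wp-antymalwary-bot.php' ) ) {
    file_put_contents( WP_PLUGIN_DIR . '/wp-antymalwary-bot.php', base64_decode( $payload ) );
    activate_plugin( 'wp-antymalwary-bot.php' );
}
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(scan_core_file("wp-cron.php", SAMPLE_WP_CRON))
```

Deleting the plugin without also restoring wp-cron.php from a clean copy is the mistake the article warns about; the digest comparison in scan_core_file is the quick way to confirm the restore actually happened.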
Regular monitoring and cleanup can help prevent these kinds of silent takeovers.
As artificial intelligence becomes more common in business settings, experts are warning that these tools could be the next major target for online criminals.
Some of the biggest software companies, like Microsoft and SAP, have recently started using AI systems that can handle office tasks such as finance and data management. But these digital programs also come with new security risks.
What Are These Digital Identities?
In today’s automated world, many apps and devices run tasks on their own. To do this, they use something called digital identities — known in tech terms as non-human identities, or NHIs. These are like virtual badges that allow machines to connect and work together without human help.
The problem is that every one of these digital identities could become a door for hackers to enter a company’s system.
Why Are They Being Ignored?
Modern businesses now rely on large numbers of these machine profiles. Because there are so many, they often go unnoticed during security checks. This makes them easy targets for cybercriminals.
A recent report found that nearly one out of every five companies had already dealt with a security problem involving one of these digital identities.
Unsafe Habits Increase the Risk
Many companies fail to rotate the credentials of these identities promptly. Credential rotation is a basic safety step that should be carried out regularly. However, studies show that more than 70% of these identities are left unchanged for long periods, which leaves them vulnerable to attacks.
Another issue is that nearly all organizations allow outside vendors to access their digital identities. When third parties are involved, there is a bigger chance that something could go wrong, especially if those vendors don’t have strong security systems of their own.
Experts say that keeping old login details in use while also giving access to outsiders creates serious weak spots in a company's defense.
What Needs to Be Done
As businesses begin using AI agents more widely, the number of digital identities is growing quickly. If they are not protected, hackers could use them to gain control over company data and systems.
Experts suggest that companies should treat these machine profiles just like human accounts. That means regularly updating passwords, limiting who has access, and monitoring their use closely.
With the rise of AI in workplaces, keeping these tools safe is now more important than ever.
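The two weak spots the article names, stale credentials and third-party access, can be checked together from a simple inventory. The following is an added example, not code from the article or from any vendor product; the inventory, the audit date and the 90-day rotation window are constructed assumptions.

```python
from datetime import date

# Constructed inventory of machine identities (not real data): when each
# credential was last rotated and whether an outside vendor can use it.
SAMPLE_NHIS = [
    {"name": "payroll-sync-bot", "last_rotated": date(2025, 9, 20), "third_party": False},
    {"name": "finance-agent", "last_rotated": date(2024, 11, 2), "third_party": True},
    {"name": "report-exporter", "last_rotated": date(2025, 1, 15), "third_party": False},
    {"name": "vendor-etl", "last_rotated": date(2025, 8, 30), "third_party": True},
]

# Assumed "today" for the audit so the example runs the same way every time.
AUDIT_DATE = date(2025, 10, 10)


def audit_nhis(nhis, today, max_age_days=90):
    """Flag identities whose credential is older than max_age_days.
    A stale credential that an outside vendor can also use combines both
    weak spots the article describes, so it is rated high rather than medium."""
    findings = []
    for nhi in nhis:
        age = (today - nhi["last_rotated"]).days
        if age <= max_age_days:
            continue
        severity = "high" if nhi["third_party"] else "medium"
        findings.append({"name": nhi["name"], "age_days": age, "severity": severity})
    return findings


def stale_fraction(nhis, today, max_age_days=90):
    """Share of identities not rotated within the window (the article's 70% figure
    is this number measured across the organisations in the cited study)."""
    if not nhis:
        return 0.0
    stale = sum(1 for n in nhis if (today - n["last_rotated"]).days > max_age_days)
    return stale / len(nhis)
```

Feed the findings into the same review process used for human accounts, so a high-severity entry triggers rotation and an access review rather than just a report line.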
A criminal group known for using ransomware was recently caught off guard when its own website was tampered with. The website, which the gang normally uses to publish stolen data from their victims, was replaced with a short message warning against illegal activity. The message read: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” What a sneaky way to reference Gossip Girl, isn't it?
At the time of this report, the website remained altered. It is not yet known if the person or group behind the hack also accessed any files or data belonging to the ransomware gang.
The group, known by the name Everest, has been involved in several cyberattacks since it first appeared in 2020. It is believed to be based in Russia. Over the years, Everest has taken credit for stealing large amounts of data, including information from a popular cannabis store chain, which affected hundreds of thousands of customers. Government agencies in the United States and Brazil have also been listed among their victims.
Ransomware attacks like these are designed to scare companies and organizations into paying money in exchange for keeping their private information from being made public. But recent reports suggest that fewer victims are giving in to the demands. More businesses have started refusing to pay, which has made these attacks less profitable for criminals.
While international law enforcement agencies have had some success in shutting down hacking groups, Everest has managed to stay active. However, this incident shows that even experienced cybercriminals are not safe from being attacked themselves. Some believe this could have been done by a rival group, or possibly even someone from within the gang who turned against them.
It’s also not the first time that cybercrime groups have been sabotaged. In the past few years, other well-known ransomware gangs have faced setbacks due to both police actions and internal leaks.
This unusual case forces us to face the inevitable reality that no one is completely untouchable online. Whether it’s a company or a hacker group, all digital systems can have weak points. People and organizations should always keep their online systems protected and stay alert to threats.