Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-03 13:06:07 | bleepingcomputer | CYBERCRIME | Scallywag Ad-Fraud Operation Leveraged WordPress Plugins | A large-scale fraud operation called 'Scallywag' used WordPress plugins on piracy and URL-shortening sites to generate 1.4 billion ad requests daily. Scallywag was exposed by bot and fraud detection firm HUMAN, which identified a network of 407 domains involved in the scheme. Fraudulent activity, which initially caused significant revenue losses, declined by 95% following interventions by ad providers and HUMAN's detection efforts. Four WordPress plugins facilitated the ad fraud: Soralink, Yu Idea, WPSafeLink, and Droplink, each released between 2016 and 2022. The fraud-as-a-service model allowed multiple independent cybercriminals to adopt these plugins and set up their own ad fraud networks. Visitors were redirected through multiple ad-heavy intermediary pages that generated fraudulent ad impressions before landing on the desired content. Despite the significant reduction in fraudulent activity, Scallywag actors continue to adapt, shifting strategies to evade detection. | Details |
| 2025-04-03 12:50:27 | theregister | NATION STATE ACTIVITY | Network Device Probes Suggest Potential Espionage Activity | Researchers detected heightened probing of Juniper Networks and Palo Alto Networks devices, indicating potential espionage, botnet building, or zero-day exploitation attempts. Specifically, mass scans targeted default accounts in Juniper's Session Smart Networking products using known default credentials, which simplifies unauthorized access. Over 3,000 source IPs, likely part of a 'Mirai-type' botnet based on their history of SSH scanning, were involved in this suspicious activity between March 23 and March 28. GreyNoise observed significant probing activity aimed at Palo Alto Networks' PAN-OS GlobalProtect remote access portals, with nearly 24,000 unique IPs involved over the past 30 days. This scanning activity has been linked to patterns seen in past espionage efforts, which often precede the discovery of new vulnerabilities by a few weeks. GreyNoise and Palo Alto Networks are actively investigating the scans for potential impacts and necessary mitigations, and urge customers to run updated software versions. Affected organizations have been advised to change default credentials to reduce the risk of unauthorized access, although users report difficulties in creating new credentials. | Details |
| 2025-04-03 12:24:21 | thehackernews | NATION STATE ACTIVITY | North Korean Lazarus Group Tricks Job Seekers via Fake Interviews | North Korean threat actors known as the Lazarus Group have launched a campaign targeting job seekers in the cryptocurrency sector using a social engineering technique called ClickFix. The campaign, dubbed ClickFake Interview by Sekoia, uses fake job offers to distribute malware, specifically the previously undocumented GolangGhost backdoor. The campaign targets major centralized finance entities by impersonating reputable firms like Coinbase and Kraken, a shift from previous attacks that focused on decentralized finance. Job candidates are contacted through platforms such as LinkedIn and invited to download malware-laden video conferencing software, which facilitates the theft of cryptocurrency and sensitive data. The malware, triggered by an error message asking users to download a 'necessary' driver during setup for a video interview, executes through scripts that steal browser data and system information. The Lazarus Group's tactics also include a fraudulent IT worker scheme in Europe, where North Koreans pose as workers of various nationalities to infiltrate organizations and siphon funds. These activities represent a significant evolution and expansion of North Korea's cyber operations worldwide, aimed at generating revenue in violation of international sanctions. | Details |
| 2025-04-03 11:27:09 | theregister | NATION STATE ACTIVITY | EU Plans to Backdoor Encryption Amid Privacy Concerns | The European Union has unveiled the ProtectEU plan, which proposes to implement backdoors in encryption by 2026 to enhance law enforcement capabilities. The EU's Executive Vice-President Henna Virkkunen stated that these changes are necessary because law enforcement is losing ground to criminals due to restricted access to essential data. Critics argue that creating backdoors in encryption could introduce vulnerabilities that might be exploited by unauthorized entities, including foreign governments. Coinciding with the EU's plans, Switzerland is considering laws that would intensify surveillance, potentially causing privacy-centered firms like Proton to leave the country. The EU also intends to establish a Security Research & Innovation Campus by 2026 to explore the technical specifics of these proposals. The broader security strategy includes deploying quantum cryptography by 2030, bolstering Europol, and enhancing cloud and datacenter security against external threats. These initiatives are part of a comprehensive EU strategy to combat terrorism, organized crime, surging cybercrime, and attacks on critical infrastructure. | Details |
| 2025-04-03 11:27:09 | thehackernews | CYBERCRIME | Webinar Offers Insights on AI-Driven Cybersecurity Threats | Artificial intelligence (AI) is increasingly used in business, enhancing capabilities but also enabling advanced cybercrime. Cybercriminals are exploiting AI to conduct sophisticated attacks, including customizing phishing scams, voice cloning, and data model manipulation. Traditional security strategies are becoming obsolete as AI-driven threats require new defenses. The webinar titled "AI Uncovered: Re-Shaping Security Strategies for Resilience in the Era of AI" by Zscaler aims to address these evolving security challenges. Diana Shtil, Senior Product Marketing Manager at Zscaler, will provide expertise on adapting cybersecurity measures in response to AI advancements. Attendees will learn proactive steps to update their security strategies, ensuring resilience against complex AI-powered attacks. The session is targeted at both cybersecurity professionals and business decision-makers. Early registration is encouraged for this timely event, which will broadcast next week, focusing on practical, actionable solutions. | Details |
| 2025-04-03 10:44:50 | thehackernews | MISCELLANEOUS | Navigating AI Adoption Barriers in Enterprise Environments | AI implementation in enterprises is frequently stalled by significant security, legal, and compliance challenges. Regulatory uncertainty, documentation inconsistencies, and a lack of expertise in translating compliance into practical controls are the main obstacles. Misconceptions about AI governance create additional barriers, such as the belief that entirely new frameworks are needed, contrary to the reality that existing security controls are largely applicable to AI systems. Continual AI-related compliance updates and the necessity for ongoing monitoring represent genuine needs within AI governance to address real risks. Effective AI governance should focus on technical controls addressing real risks rather than creating unnecessary roadblocks. Examples of successful AI governance include JPMorgan Chase's AI Center of Excellence, which uses risk-based assessments and standardized frameworks to expedite the AI adoption process. Collaboration from the beginning among security, compliance, and technical teams is crucial for successful AI adoption. Practical strategies for AI vendors include making data processing transparent and integrating seamlessly with existing security tools to facilitate compliance and enable innovation. | Details |
| 2025-04-03 09:33:08 | theregister | CYBERCRIME | Ransomware and ITaaS: Intensifying Disaster Recovery Challenges | Disaster recovery is increasingly complex due to sprawling IT environments spread across various platforms, including on-premises equipment, public clouds, SaaS, and third-party ITaaS providers. Ransomware has become the leading cause of system outages, surpassing natural disasters and highlighting the vulnerability of IT systems to cyber threats. Homogeneous and standardized IT environments make disaster recovery more straightforward; diversifying across different public clouds and ITaaS providers introduces significant recovery challenges. Organizations using ITaaS are particularly at risk during outages, as they rely on third-party vendors who may not meet robust disaster recovery expectations. Ransomware attacks can cripple the operations of outsourced service providers, as seen with the NHS pathology services and several US healthcare providers, causing widespread operational disruption. Disaster recovery plans must include specific strategies for cyber incidents, ensuring all third-party suppliers have robust, tested recovery procedures and immutable data backups. Effective disaster recovery requires stringent synchronization of environment changes, regular testing of failover and failback processes, and validated plans that cover both direct impacts and collateral damage from third-party failures. | Details |
| 2025-04-03 08:22:40 | thehackernews | MALWARE | Google Resolves Quick Share Flaw Allowing Unauthorized File Transfers | Google has patched its Quick Share utility for Windows to fix a vulnerability allowing unauthorized file transfers and potential DoS attacks. The vulnerability, identified as CVE-2024-10668 with a CVSS score of 5.9, permits silent file transmission without user consent. This flaw was part of a group of 10 vulnerabilities, initially reported in August 2024, which could potentially allow arbitrary code execution on Windows hosts. Despite the initial fixes, follow-up analysis revealed that two vulnerabilities remained unaddressed, leading to application crashes and a bypass of the user's permission for file acceptance. The DoS vulnerability is triggered by specific invalid UTF-8 continuation bytes in the file name, causing the application to crash. The unauthorized file write vulnerability was initially mitigated by marking affected files as "unknown" and deleting them post-transfer, but this was bypassed by sending two files with the same payload ID in one session. The implications of these vulnerabilities are significant for the software industry, emphasizing the need to resolve underlying issues thoroughly rather than applying superficial fixes. | Details |
| 2025-04-03 07:35:43 | thehackernews | MALWARE | Triada Malware Found Preloaded on Counterfeit Android Phones | Over 2,600 devices globally have been infected by a new version of the Triada malware, predominantly in Russia. Triada, a modular Android malware, acts as a remote access trojan (RAT) capable of stealing sensitive information and integrating devices into a botnet. Historically, Triada spread through apps on the Google Play Store and WhatsApp mods, but it has now been found pre-installed in the system framework of counterfeit smartphones. The malware has evolved to exploit hardware supply chains and third-party developers, enabling remote control and further malware injection during device manufacturing stages. In 2019, Google identified a compromised vendor that potentially introduced the malware while developing additional features like face unlock. Recent Kaspersky analysis highlighted that the latest Triada version gives threat actors comprehensive access to infected devices. The revised Triada variant has accrued about $270,000 in cryptocurrencies through its malicious activities from mid-2024 to early 2025. The discovery coincides with the identification of other dangerous Android banking trojans targeting financial apps, showcasing an ongoing trend in sophisticated Android malware campaigns. | Details |
| 2025-04-03 06:35:22 | theregister | CYBERCRIME | Royal Mail and Samsung Data Allegedly Stolen by Hackers | Britain's Royal Mail and Samsung Germany have been targeted by cybercriminals, with large sets of customer data purportedly stolen. The hacker group GHNA claims responsibility, having allegedly accessed the data through a compromised supplier, Spectos GmbH. Royal Mail confirmed ongoing investigations with Spectos to determine the extent of any data impact; Royal Mail operations remain unaffected. The stolen information includes names, addresses, phone numbers, and service details, along with Mailchimp mailing lists and WordPress databases. The Samsung incident involves around 270,000 customer service tickets with detailed customer and purchase information. Cybersecurity experts link the breach to a previous Raccoon malware infection at Spectos that leaked employee login credentials. The incidents raise significant concerns over potential real-world threats to customers through targeted fraud or theft. | Details |
| 2025-04-03 04:54:24 | thehackernews | CYBERCRIME | Legacy Stripe API Used to Validate Stolen Cards in Skimming Campaign | A web skimmer campaign exploits a legacy Stripe API to verify stolen payment card details, increasing its operational efficiency. Researchers from Jscrambler identified the campaign as impacting an estimated 49 merchants, with ongoing activity traced back to at least August 2024. The skimmers intercept payment data on websites by mimicking legitimate payment interfaces, disguising the fraudulent operation. Fifteen affected merchants have removed the malicious scripts from their sites. The campaign primarily targets vulnerabilities in platforms like WooCommerce, WordPress, and PrestaShop to inject the skimming code. Malicious domains serve as the initial distribution points for the JavaScript skimmer, which then overlays legitimate Stripe payment forms. The attackers also experimented with skimmer scripts that impersonate other payment providers and offer transactions in various cryptocurrencies. This strategy not only helps evade detection but also ensures high-value data theft by confirming the validity of card details in advance. | Details |
| 2025-04-03 04:05:03 | thehackernews | MISCELLANEOUS | Europol Takes Down Kidflix in Global Crackdown on CSAM | In a major international effort, Europol has dismantled "Kidflix," a significant provider of child sexual abuse material (CSAM), with operations running from April 2022 to March 2025. As part of Operation Stream, authorities from 38 countries were involved, identifying 1,393 individuals linked to Kidflix through payment transaction analysis. To date, 79 arrests have been made, with some suspects prosecuted for both distribution and direct abuse of children. The platform, which began in 2021, had amassed approximately 91,000 unique videos and 190,000 registered users, who engaged with the site by uploading CSAM and earning tokens for viewing. During the raid on March 11, 2025, law enforcement seized the server, which hosted around 72,000 videos at the time. Over 3,000 electronic devices were confiscated, and despite the significant number of arrests, many users of the platform remain unidentified. The European Commission is using these developments as part of a broader initiative termed ProtectEU, aimed at enhancing cybersecurity and enabling lawful, effective handling of encrypted data. | Details |
| 2025-04-02 21:59:38 | theregister | NATION STATE ACTIVITY | Corporate Espionage Scandal Unfolds at HR Firms Rippling and Deel | Keith O'Brien, the former global payroll compliance manager at Rippling, admitted to being co-opted into spying for Deel, a competitor. Deel's CEO Alex Bouaziz allegedly concocted a plan for O'Brien to provide confidential data from Rippling, offering him about 5,000 euros monthly. The scheme included covert communications via Telegram, payment through Revolut, and documentation tactics to avoid a paper trail, later shifting to cryptocurrency. Rippling sued Deel in U.S. federal court and in Ireland for theft of trade secrets and espionage, supported by O'Brien's affidavit detailing the covert operations. O'Brien attempted to destroy evidence by resetting and then physically damaging his phone, as advised by a Deel attorney. Rippling set a trap using a Slack channel named "#d-defectors," which successfully exposed O'Brien as the internal spy. Facing legal repercussions, O'Brien eventually cooperated with Rippling's legal team, which led to his firing but spared him from further prosecution. The ordeal culminated in O'Brien confessing to making false allegations under Deel's direction; he described his decision to come clean as the result of severe personal turmoil. | Details |
| 2025-04-02 21:18:28 | bleepingcomputer | MISCELLANEOUS | openSNP to Shut Down, Delete Data Over Growing Privacy Risks | openSNP, a platform for sharing genetic and phenotypic data, is set to shut down on April 30, 2025, due to heightened privacy concerns. The founder, Bastian Greshake Tzovaras, cited the risk of data misuse, potentially by authoritarian regimes, as a key reason for the closure. Originally, openSNP aimed to democratize access to genetic data, countering the dominance of commercial DNA testing firms. Despite being a crucial resource in research and education, the recent bankruptcy of 23andMe has significantly halted new data contributions to openSNP. The increase in interest from private forensics, law enforcement, and government in accessing such data has made it ethically and politically risky to maintain the platform. openSNP has decided that deleting all stored data is the most responsible way to handle user submissions under current societal conditions. Users have until the shutdown date to download their data if needed; after the shutdown, no further access to the data will be available, reducing the risk of misuse through data scraping. | Details |
| 2025-04-02 19:52:20 | bleepingcomputer | DATA BREACH | Security Flaw in Verizon API Exposes Customer Call Logs | A vulnerability in Verizon's Call Filter API allowed unauthorized access to other users' incoming call histories. The flaw was discovered by security researcher Evan Connelly on February 22, 2025, and Verizon implemented a fix the following month. The Call Filter app comes pre-installed on Verizon Android and iOS devices and is used by millions. The flaw involved an unsecured endpoint that did not verify the phone number in the JWT payload against the phone number whose call logs were requested. This could have serious privacy implications, enabling potential surveillance of a user's routines, contacts, and relationships through their call metadata. The flaw potentially exposed sensitive information of high-value targets like politicians, journalists, and law enforcement officials. It is unclear how long the vulnerability existed or whether it was exploited, as no rate limiting or API gateway protection was noted. The API was hosted on a server operated by Cequint, raising concerns about the security practices around handling telecommunication data. | Details |