Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.

Source: Diana Vyshniakova via Alamy Stock Photo

Attackers are exploiting Google Tag Manager by planting malicious code within e-commerce sites built on the Magento platform. The code can steal payment card data, demonstrating a new type of Magecart attack that leverages Google's free, legitimate website marketing tool.

Researchers from Sucuri discovered an ongoing Magecart campaign in which attackers load code that appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking script from a database onto e-commerce sites. These tracking scripts are typically used for website analytics and advertising purposes; however, the code used in the campaign has been tweaked to act as a card skimmer for the infected site, the researchers revealed in a recent blog post.

"Within the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer," Sucuri security analyst Puja Srivastava wrote in the post. "This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers."

So far, Sucuri has uncovered at least six sites affected by the campaign, "indicating that this threat is actively affecting multiple sites," Srivastava wrote.

**Exploiting a Legitimate Google Tool for Card Skimming**

Related:Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

The attack demonstrates a nontypical Magecart attack that leverages a legitimate free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site's code directly. GTM eliminates the need for developer intervention each time a marketer aims to track or modify an ad or marketing campaign.

Sucuri researchers were alerted to the Magecart activity by a customer who found that someone was stealing credit card payment data from its e-commerce site. An investigation led to the discovery of malware being loaded from a database table cms\_block.content file for the website. The malware abused a GTM tag, which was altered by embedding an encoded JavaScript payload that acted as a credit card skimmer.

Attackers obfuscated the script using the technique function \_0x5cdc, which maps index values to specific characters in the array. This makes it difficult for someone to immediately understand the purpose of the script, Srivastava wrote.

The script also uses a series of mathematical operations in a loop, further scrambling the code, and also uses Base64 encoding. "This is a trick often used by attackers to disguise the true purpose of the script," she wrote.

The researchers also discovered an undeployed backdoor in one of the website's files that "could have been exploited to further infect the site, providing attackers with persistent access," Srivastava added. Indeed, Magecart attackers last year demonstrated a new tactic of stashing backdoors on websites to deploy malware automatically.

Related:Behavioral Analytics in Cybersecurity: Who Benefits Most?

Sucuri also previously investigated malicious activity that abused GTM to hide other types of malicious activity, including malvertising as well as malicious pop-ups and redirects.

**Mitigation & Remediation of Magecart Attacks**

"Magecart" refers to a loose collective of cybercriminal groups involved in online payment card-skimming attacks. These attacks typically inject card skimmers into websites to steal payment card data that can later be monetized. Big-name organizations that have been targeted by these attacks include Ticketmaster, British Airways, and the Green Bay Packers NFL team.

Once they identified the source of infection on their customer's site, Sucuri researchers removed the malicious code from any other compromised areas of the site, as well as cleaned up the obfuscated script and the backdoor to prevent the malware from being reintroduced.

To ensure an organization's e-commerce site has not been affected by the campaign, administrators should log in to GTM, and then identify and delete any suspicious tags that are being used on the site, Sucuri recommended. They also should perform a full website scan to detect any other malware or backdoors, and remove any malicious scripts or backdoor files.

Related:Cybercrime Forces Local Law Enforcement to Shift Focus

E-commerce sites built on Magento and their extensions also should be updated with the latest security patches, while all site administrators should regularly monitor e-commerce site traffic as well as GTM activity for anything unusual.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Magecart Attackers Abuse Google Ad Tool to Steal Data

For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes. It's time to revolutionize security operations.

Source: Brain light via Alamy Stock Photo

COMMENTARY

In the battle against cyber threats, we're losing our most vital asset: our people. While the industry fixates on the latest tools and technologies, security analysts are burning out, crushed under the weight of an impossible mission. This isn't just a talent shortage, but an existential crisis threatening the future of cybersecurity defense. Until we prioritize supporting the humans at the heart of cyber operations, no tool or technology will be enough to keep us secure.

Security operations centers (SOCs), the heart of cybersecurity, have become pressure cookers of burnout and frustration. The numbers tell a dire story: More than half of SOC analysts have considered leaving the field, and with them goes the institutional knowledge and expertise that take years to develop. Each departure is a victory for malicious actors, who know that even the most sophisticated tools are only as effective as the humans behind them.

There's a tendency to frame this simply as a talent shortage. In one sense, it is. 53% of organizations report a critical lack of skilled cybersecurity workers. But this misses the direness of the current reality. We can't hire our way out of this disaster. It takes years to develop an analyst capable of detecting and responding to sophisticated threats. By the time junior analysts gain the expertise to handle advanced attacks, they're already burning out and searching for greener pastures. Cyber defenders need relief now.

The crisis extends beyond front-line defenders. Nearly a quarter of chief information security officers (CISOs) and IT security leaders are considering stepping down, with 93% citing unsustainable stress levels. They face mounting pressure to demonstrate return on investment (ROI) while navigating increasing legal and compliance risks, and even personal liability. It's no wonder the average tenure of a CISO is only 18 to 26 months — less than half of the general C-suite tenure.

Somehow, we've normalized this chaos. In any other critical operation, like the military, this level of systemic burnout would be considered an existential risk. Instead, we keep piling on more tools, more alerts, and more responsibilities, mistaking the symptoms for the disease.

Our industry has a blind spot. We've focused so much on software and hardware that we've forgotten about the "humanware" of security workflows. We've overlooked the frontline analysts, the threat hunters, and the managers whose judgment and intellectual horsepower are the real engine of modern security operations.

This matters so deeply to me on a personal level. In my Air Force career, I was a special operations helicopter pilot. Picture it: skimming treetops under night vision goggles, working with elite teams, pushing the boundaries of what seemed possible. Despite the intense pressure and risk, I never once thought about walking away. Why? Because I had cutting-edge equipment, unwavering support from my leadership, and a mission that made my heart race. I would have done it for free.

Today, cyber defenders are the pilots of the 21st century. It's the coolest job on the planet: battling sophisticated adversaries in real-time, protecting the critical infrastructure that powers our economy, and racing against the clock to stop attacks that could affect millions. They should be having the time of their lives. Instead, they're burning out.

**Technology Isn't the Solution — Reshaping Support Is**

The answer isn't just better technology — it's about fundamentally reshaping how we support our people. The industry talks constantly about analysts learning from AI, but we're missing something crucial: the AI must learn from our analysts as well. Their expertise, their pattern recognition, their hard-won instincts about what doesn't look quite right; this human judgment is irreplaceable. We need to give our humans AI partners that learn from them, support them, freeing them to focus on the high-level, intellectually stimulating work that drew them to cybersecurity in the first place.

Imagine SOCs where analysts focus on outsmarting adversaries instead of drowning in false positives. Where AI handles the repetitive tasks but learns from human insights, creating a virtuous cycle of improvement. Where the technology amplifies human expertise instead of trying to replace it. Where the job is as exhilarating as flying a combat mission, because you have tools that learn and evolve alongside you. (In a recent episode of CSO Perspectives, I go into depth of what that looks like.)

For too long, we've treated our analysts as mere cogs in a machine, expecting them to conform to the limitations of our tools and processes.

It's time to revolutionize security operations. When we get this right, we won't just solve our retention crisis. We'll create a field that the best and brightest are eager to join, where analysts don't just survive, but thrive in the mission of keeping us all safe. The future of cybersecurity belongs not to those who build better tools, but to those who best empower defenders to wield them.

**About the Author**

Chief Product Officer, Andesite

William MacMillan, Chief Product Officer at Andesite, is an experienced executive leader, advisor and trusted voice on cyber, digital transformation and national security. Prior to Andesite, he served as the Senior Vice President for Information Security at Salesforce. Before retiring from the federal government, William served as the CISO at the Central Intelligence Agency, where he led a sweeping transformation of the CIA’s cybersecurity strategy and organization. Before this, he held multiple senior leadership positions at the CIA, dealing with various aspects of intelligence, counterintelligence and cyber operations. Throughout his career, William focused significant attention on insider threat, supply chain risk and incident response issues, as well as the development of CIA’s Cybersecurity Operations Center (CSOC).

Analyst Burnout Is an Advanced Persistent Threat

The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.

Source: Sergio Delle Vedove via Alamy Stock Photo

Sophisticated "LLMjacking" operations have obtained stolen access to DeepSeek models, just weeks after their public release.

LLMjacking, like proxyjacking and cryptojacking, involves the illicit use of someone else's computing resources for one's own purposes. In this case, it's individuals using popular and otherwise expensive large language models (LLMs) from OpenAI, Anthropic, etc., to generate images, circumvent national bans, and more, while passing the bill along to someone else.

Most recently, researchers from Sysdig observed hyperactive LLMjacking operations integrating access to models developed by DeepSeek. After the company released its DeepSeek-V3 model on Dec. 26, it only took LLMjackers a few days to obtain stolen access. Similarly, DeepSeek-R1 was released on Jan. 20, and attackers had it in their hands the very next day.

"This isn't just a fad anymore," Sysdig cybersecurity strategist Crystal Morin says of LLMjacking. "This is far beyond where it was when we first discovered it last May."

**How LLMjacking Works**

At scale, LLM usage can grow rather expensive. For instance, according to Sysdig's back-of-the-envelope calculations, 24/7 usage of GPT-4 could cost an account holder north of half a million dollars (though DeepSeek, at present, is orders of magnitude less expensive).

Related:Researcher Outsmarts, Jailbreaks OpenAI's New o3-mini

In order to enjoy these models without having to incur their costs, attackers steal credentials for cloud services accounts, or application programming interface (API) keys associated with specific LLM apps. Then, they use scripts to verify that these do in fact provide access to a desired model.

Next, they incorporate that stolen authentication information into an "OAI" reverse proxy (ORP). ORPs bridge the user and the LLM, providing a layer of operational security.

The apparent forefather of ORPs, from which the name derives, was published on April 11, 2023. It has since been forked and configured on numerous occasions to incorporate new stealth features. Newer versions have incorporated password protections and obfuscation mechanisms — like making its website illegible until users disable CSS in their browsers — and eliminated prompt logging, covering up attackers' footsteps as they use the models. Proxies are further protected by Cloudflare tunnels, which generate random and temporary domains to shield the ORPs' actual virtual private server (VPS) or IP addresses.

New 4chan and Discord communities have flourished around ORPs, as people use illicit LLM access to generate NSFW content and imagery of other kinds, scripts of varying maliciousness, or just everyday stuff, like essays for school. And in countries like Russia, Iran, and China, regular people use ORPs to circumvent national bans on ChatGPT.

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

**The Cost of LLMjacking to Account Holders**

Somebody, in the end, is going to pay for all computing resources used to generate NSFW images and school papers.

ORP developers don't want these bills to be too high, necessarily, or else their users' anomalous activity will more than likely raise alarms. To account for this, they build their programs on dozens, or even hundreds of different sets of credentials associated with different accounts. One ORP Sysdig recorded, for example, had incorporated 55 separate DeepSeek API keys, in addition to those associated with other artificial intelligence (AI) apps. By possessing many keys across many apps, ORPs can perform load balancing, spreading illicit usage as thinly as possible.

It doesn't always work out this way, though.

As Morin recalls, "I spoke a little bit with a Twitter user whose personal AWS account was compromised through LLMjacking. He woke up one morning and his $2 average monthly AWS bill — he \[mainly\] used it for email — spiked to $730 in two or three hours."

Related:AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

Source: Crystal Morin via LinkedIn

Nobody knows exactly how the victim had his AWS credentials swiped, but he was already on his way to racking up a $20,000-plus bill. His lucky break was having cost alerts toggled on in AWS — they aren't on by default — allowing him to spot the anonymous activity early.

"He reached out to AWS customer support and asked them what was going on, and they had no idea. He did end up shutting off his account almost immediately, but there was a delay in the reporting of the cost. It ended up being, I think, between $10,000 to $20,000 total for about half a day's usage," Morin says.

AWS did end up bailing out the victim. Still, Morin warns, "You can imagine what a similar attack would do on an enterprise level, considering what could happen to just a single person."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

LLM Hijackers Quickly Incorporate DeepSeek API Keys

Five years after a Russian APT infiltrated a software update to gain access to thousands of SolarWinds customers, the board has voted unanimously to sell at a top valuation and plans for uninterrupted operations.

Source: SOPA Images Limited via Alamy Stock Photo

NEWS BRIEF

SolarWinds, the software and IT company that faced a major supply chain cyberattack in 2020, today announced that it will be acquired by Turn/River Capital for $4.4 billion, or $18.50 per share.

Along with unanimous approval from its board of directors, the transaction also received written approval from Thoma Bravo and Silver Lake, SolarWinds' majority shareholders with a combined 65% of the outstanding voting securities.

SolarWinds will become a privately held company, no longer listed on the New York Stock Exchange, though it will continue to operate under the name SolarWinds and stay headquartered in Austin, Texas.

"This successful transaction and exciting partnership are testaments to our employees' outstanding work of building exceptional solutions and delivering great customer success," said Sudhakar Ramakrishna, president and CEO of SolarWinds, in a statement. "We are confident that Turn/River's expertise and growth orientation will help us ensure SolarWinds continues to drive innovation and deliver even greater value for customers and stakeholders."

**The Sunburst Attack Continues to Burn**

In 2020, roughly 33,000 of SolarWinds' customers were impacted in a major supply chain attack, affecting thousands of organizations as well as the US government. The breach targeted the SolarWinds Orion management system, where it is believed that Nobelium, a nation-state hacking group, gained access to the company's networks in September 2019.

The attackers inserted malicious code, known as Sunburst, into the Orion system, infecting a software update that led to the compromise of all software builds for versions 2019.4 HF 5 through 2020.1.1. More than 18,000 SolarWinds customers installed these updates, creating a domino effect in those that fell victim to the attack. Years later, in 2023, the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO Tim Brown with fraud and internal control failures, alleging that by ignoring warnings about the company's vulnerable cybersecurity posture, Brown knowingly left the company unprotected.

This breach has had lasting impacts in the cybersecurity industry, and though the attack occurred nearly five years ago, the SEC continues to review the details. Last October, the SEC charged four companies — Unisys, Avaya Holdings Corp., Checkpoint, and Mimecast — for what the regulator said were intentional attempts to minimize the impact of the hack to their systems. It also vowed to deter other companies from submitting vague data breach disclosures after major events like SolarWinds.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

SolarWinds to Go Private for $4.4B

Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.

Source Hilda DeSanctis via Alamy Stock Photo

NEWS BRIEF

Website developers are unwittingly putting their companies at risk by incorporating publicly disclosed ASP.NET machine keys from code documentation and repositories into their applications, Microsoft is warning.

The tech giant has issued an alert on the insecure practice, after observing threat actors in December using a static, known ASP.NET machine key to deploy the Godzilla post-exploitation cyberattack framework, known for stomping all over corporate environments.

The attack vector involves manipulating ViewState, which represents the state of a webpage when it was last processed on the server. If threat actors can get ahold of ASP.NET keys, they can craft a malicious ViewState, send it to a targeted website via a POST request to be loaded, and can thus compromise the environment via code injection.

"Once it's processed by ASP.NET Runtime on the targeted server, the ViewState is decrypted and validated successfully because the right keys are used," a Microsoft post on the concern explained. "The malicious code is then loaded into the worker process memory and executed, providing the threat actor remote code execution capabilities on the target IIS Web server."

Microsoft has uncovered at least 3,000 publicly disclosed keys that could be used for these types of attacks, which lowers the bar for exploitation significantly.

"Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on Dark Web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modification," according to the post.

To prevent attack, Microsoft recommends that organizations do not copy keys from publicly available sources and to regularly rotate keys in any event.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

PRESS RELEASE

A five-count criminal indictment was unsealed today in federal court in New York charging a Canadian man with exploiting vulnerabilities in two decentralized finance protocols to fraudulently obtain about $65 million from the protocols’ investors.

According to court documents, from 2021 to 2023, Andean Medjedovic, 22, allegedly exploited vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols. Medjedovic borrowed hundreds of millions of dollars in digital tokens, which he used to engage in deceptive trading that he knew would cause the protocols’ smart contracts to falsely calculate key variables. Through his deceptive trades, Medjedovic was able to, and ultimately did, withdraw millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless.

Medjedovic also allegedly laundered the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, including through swap transactions, “bridging transactions,” and the use of a digital assets “mixer.” With others, Medjedovic also allegedly schemed to open accounts with digital assets exchanges using false and borrowed identifying information to conceal the source and true ownership of the proceeds. In around November 2023, after executing the KyberSwap exploit, Medjedovic also allegedly attempted to extort the victims of the KyberSwap exploit through a sham settlement proposal, in which he demanded complete control of the KyberSwap protocol and the decentralized autonomous organization that oversaw the KyberSwap protocol in exchange for returning 50 percent of the digital assets that he fraudulently obtained through his scheme.

Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. If convicted, he faces a maximum penalty of 10 years in prison on the unauthorized damage to a protected computer count and 20 years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney John J. Durham for the Eastern District of New York, Chief Guy Ficco of IRS Criminal Investigation (IRS-CI), Special Agent in Charge William S. Walker of Homeland Security Investigations (HSI) New York, and Assistant Director in Charge James E. Dennehy of the FBI New York Field Office made the announcement.

IRS-CI, HSI, and the FBI New York Field Office are investigating the case, with valuable assistance provided by U.S. Customs and Border Protection’s New York Field Office and the Justice Department’s Office of International Affairs. The Justice Department also thanks the Netherlands’ Public Prosecution Service and Cybercrime Unit — the Hague of the Dutch National Police for their significant assistance with the investigation.

Trial Attorney Tian Huang of the Criminal Division’s Fraud Section, who is a member of the National Cryptocurrency Enforcement Team (NCET), and Assistant U.S. Attorneys Nicholas Axelrod and Andrew Reich for the Eastern District of New York are prosecuting the case. SEC Enforcement Attorney Daphna A. Waxman, formerly a member of the NCET, provided significant assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

PRESS RELEASE

With a staggering 5263 attacks, 2024 saw the highest volume of ransomware attacks observed since 2021, according to a new report from cybersecurity consulting firm, NCC Group.

In a turbulent year for the cyber landscape, with high-impact attacks on sophisticated nation-state espionage campaigns, attack volume continued to rise. 

LockBit remains top threat actor despite takedown

The infamous threat group LockBit was the top actor of 2024, accounting for 10% (526) of all attacks. However, it’s overall activity declined compared to 2023, with LockBit’s takedown earlier in 2024.

RansomHub followed closely behind. Accountable for 501 attacks, it became the most dominant threat actor in the second half of the year.

Uptick in most regions

North America experienced over half of all attacks in 2024 (55%). Overall, most regions witnessed a rise in attacks, including Asia, South America, and Oceania. Rising global geopolitical tensions and high payouts for ransomware attacks are likely to have attributed to increase across regions. 

Industrials remains a top target

With its crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023. Attacks in the sector have caused mass disruption, affecting critical infrastructure and services and causing material downtime.

Law enforcement whack-a-mole 

There are some encouraging signs that the international community has stepped up efforts to recognise and address the threats posed by cyber adversaries. Notable examples include coordinated law enforcement actions against cybercriminal networks such as Operations Cronos, Magnus, Destabilise, and Serengeti.

Despite short term law enforcement crack downs, threat actors continued to emerge quickly after intervention - LockBit was operating again only five days after its takedown. And with warnings from the group that it will be back in full force by February 2025, it’s evident that governments and law enforcement need to do more to prevent the reemergence of these groups.

Matt Hull, global head of Threat Intelligence at NCC Group said: “The cyber security landscape in 2024 presented unprecedented challenges. The scale and complexity of cyber incidents tested the resilience of businesses and institutions globally. Looking ahead, these challenges are set to escalate as cyber criminals and nation-state actors increasingly exploit the growing integration of technology into all aspects of life.

“Key concerns such as third-party compromises, cloud vulnerabilities, and insecure APIs remain critical. We also can’t ignore the rapid advances in artificial intelligence (AI) that are giving rise to new cybercriminal tactics. And the geopolitical dimension of cyber security adds to the ever-changing threat landscape, with nation-states posing significant risks to critical infrastructure.

“In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive. By understanding the risks and acting today, we can collectively work towards a more secure digital future.”

2024 Breaks Records With Highest Ever Ransomware Attacks

**Databarracks Launches Air Gap RecoverDatabarracks Launches Air Gap Recover**

PRESS RELEASE

Databarracks has announced the launch of Air Gap Recover, a new service that provides enhanced protection against cyber threats, including ransomware attacks.

Designed specifically for cloud-native environments, Air Gap Recover provides isolated, air-gapped data protection and automated failover to guarantee rapid recovery from any cyber attack.

“Traditional data protection solutions don’t work for cloud-native systems and businesses,” said James Watts, Managing Director of Databarracks.

“Native cloud tools are designed more for simplicity than resilience and lack the functionality you need to fully protect your data. Enterprise backup solutions, on the other hand, struggle to scale and can’t handle the volume of data stored in modern cloud systems. Whichever you choose, your recovery is compromised – it either takes too long to restore operations or, in a worst-case scenario, you’re left with no clean copy of data to recover from at all.

“Air Gap Recover addresses these shortcomings. It’s equipped to protect the petabytes of data and globally distributed architectures within cloud-native environments – allowing for complex cloud-scale recovery.

“In 2025, cyber remains the number one threat to business continuity. We know it is no longer a question of “if” but “when”. But no matter the scale or severity of the cyber event – and cloud-native environments are not immune – Air Gap Recover ensures your critical data is protected. If the worst happens – your cloud account is breached, and your data is encrypted or deleted – you failover instantly to a secure and separate account. Your business stays operational while others would scramble to recover.”

Key features include:

*   Advanced air-gapped security: Data is stored in immutable, isolated cloud accounts to protect against ransomware and other cyber threats.
    
*   Automated failover: Provides immediate cross-region failover to a segregated cloud account, ensuring instant recovery with near-zero downtime.
    

Stepping in where traditional solutions fall short, Air Gap Recover sets a new standard for cloud-native data protection to further strengthen Databarracks’ IT resilience offering.

About Databarracks

Databarracks is the technology and business resilience specialist.

In 2003, we launched one of the world’s first managed Backup services to bring indestructible resilience to mission-critical data.

Today, we deliver award-winning IT resilience and continuity services. We help organisations get the most out of the cloud and protect their data, wherever it lives.

And we back this up with unbeatable support. There’s no such thing as ‘above and beyond’ for our engineers because they only work to one standard: to keep your systems running perfectly.

Enterprise-class continuity, security, and resilience. Accessible for all. 

You May Also Like

Databarracks Launches Air Gap Recover

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

Source: Tapati Rinchumrus via Shutterstock

A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the rate of the adoption of DMARC among domains has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. The email authentication standard uses two authentication specifications — Sender Policy Framework (SPF) and DomainsKeys Identified Mail (DKIM) — to confirm that an email comes from an authorized email server and on behalf of the purported sender. The technology makes it much more difficult to spoof email from a legitimate company or brand.

In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to data published by cyber-resilience firm Red Sift on Feb 5. Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.

Related:Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.

"DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days — healthcare, for example, is struggling to surpass 40% to 50% adoption," he says, adding that "widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime."

Source: Red Sift

Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users encountered 35% fewer scams, says Neil Kumaran, group product manager at Google.

"We think these improvements represent a huge boost in the health of the email ecosystem overall," he says. "We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody."

**DMARC Adoption Likely to Accelerate**

Large email senders are not the only groups quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union's Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift's Costigan says.

Related:Abandoned AWS Cloud Storage: A Major Cyberattack Vector

"Mandatory regulations and legislation often serve as the tipping point for most organizations," he says. "Failures to do reasonable, proactive cybersecurity — of which email security and DMARC is obviously a part — are likely to meet with costly regulatory actions and the prospect of class action lawsuits."

Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPSEC, have been around longer, but DMARC adoption has outpaced them, he maintains.

"DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade," Grimes says.

**Subdomain Attacks Exploit Gaps**

Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. Typically, attackers will just use lookalike domains — or use creative punctuation to create confusion — and fool the end user while still sending messages from an authenticated domain.

Related:Name That Toon: Incentives

"Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be," Grimes says. "Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection."

One technique used to dodge DMARC is "subdomail," where attackers seek out SPF records that include unregistered domains, and then take control of the orphaned domains as a way to conduct massive spamming campaigns. In one case, an SPF record for msnmarthastewartsweeps.com "included" two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the "include" keyword allows on domain to specify that those domains' lists of authenticated email servers should be trusted. For msnmarthastewartsweeps.com, that resulted in nearly 18,000 domains being authorized to send email on behalf of the domain.

Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift's Costigan.

"SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks," he says. "These messages appear legitimate and are incredibly deceptive."

**BIMI on Deck for Email Security**

Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies — or service providers on their behalf — to track email failures. Thus, companies should rapidly move from "none" to "quarantine" to "reject" as their policy, experts say.

In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. BIMI requires strict DMARC, however, and only about a third of domains currently comply, according to Red Sift's data.

While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google's Kumaran. DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad," he says.

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it's a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

As the cost of data breaches continues to climb, the role of user and entity behavioral analytics (UEBA) has never been more important.

Jackie Wyatt, Adjunct Professor of Cyber Studies, University of Tulsa

February 7, 2025

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

Last year, the cost of a data breach rose 10%, from $4.4 million to $4.8 million, as stated by IBM's annual "Cost of a Data Breach Report." According to cybersecurity firm Vectra AI, more than 70% of security operations center (SOC) leaders fear that a real attack will be hidden under an overwhelming flood of false-positive alerts and other security noise. The resulting burnout may be contributing to the labor shortage plaguing the industry. 

As the cost of data breaches continues to climb along with the deluge of meaningless alerts on an increasingly stressed workforce, the role of behavioral analytics in cybersecurity, or user and entity behavioral analytics (UEBA), has never been more important. That role is even more critical for schools, government agencies, and hospitals and other healthcare facilities. These entities play crucial roles in our day-to-day lives but operate with limited resources. They tend to have smaller cybersecurity teams and less money, amplifying the potential perils of a breach. In fact, the smaller the team, the greater the need for UEBA, which has a number of benefits.

**Weeds Out the Noise **

In the absence of behavioral analytics, every login and machine connection can result in an alert for the SOC. Without the ability to differentiate true threats from false positives, every threat detected is treated with high priority, which may cause the true positives to either get missed or not be addressed in a timely fashion. In places like schools, government offices, and medical facilities the consequences of missing an actual threat are monumental. These establishments thrive on their reputation while accumulating critical information that could mean life or death for a person.   

The danger of alert fatigue is real, causing SOC analysts to eventually ignore certain signals or attempt to address them all with no sense of which ones indicate actual risk. UEBA tracks access patterns across people, machines, and systems; eventually detecting and alerting the SOC only when there's a true risk. Not only does this approach cut out alert noise, it also limits the information bombarding the security team, reduces false positives, and virtually eliminates alert fatigue so analysts can focus on important alerts. Using behavioral analytics to detect the patterns that are normal makes it much easier to spot the ones that aren't. 

**Allows for Prioritization**

Using UEBA is already a no-brainer for many SOCs, but it has not been implemented for most hospitals, government institutions, and schools. Analyzing behavior patterns could have an even bigger payoff for those types of entities, in part because their teams are small. With a fully functioning, automated UEBA system, analysts know alerts are far more likely to be credible and worth their time to investigate. 

When discussing pattern detection and automation, AI naturally springs to mind. This makes perfect sense because UEBA is an excellent use case for AI. The kind of public sector/public good entities that have the most limited resources are best suited to leverage the power of AI combined with UEBA. It could virtually eliminate the disadvantage of fewer resources because a well-trained AI would only surface credible threats for human vetting. AI is not susceptible to alert fatigue, burnout, or the lure of a higher salary elsewhere. An automated system may be able to handle threat response, however its greatest potential lies in prioritizing potential threats for SOC analysts to analyze them more efficiently. This saves engineers and analysts countless hours, since they do not have to craft rules and queries to achieve the desired outcome.

**Reduces Risk **

It may be difficult for some executives to wrap their heads around placing an automated system at the heart of their security operations. Some worry about all the company data being in one place. Others fear AI might miss something, but it seems that the risk of a small and overwhelmed team subject to burnout is greater. While it's possible for a problem to surface with AI, it's more likely that a problem will arise with stressed out people.  

Some companies have already seen the benefit of involving AI in their security operations. About 70% of those that responded to a Vectra AI survey said AI has already reduced burnout and increased threat detection and response abilities. Imagine moving the needle that much for the places that instruct our kids, provide healthcare, and keep the lights on. 

**About the Author**

Adjunct Professor of Cyber Studies, University of Tulsa

Jackie Wyatt is an adjunct professor of cyber studies at the University of Tulsa and a cybersecurity operations analyst at QuikTrip. Jackie received a master’s degree in cybersecurity from Maryville University. She holds the Certified Enterprise Defender (GCED) certification and Coin from SANS, marking her as an expert in network defense and incident response. Her combination of advanced education and hands-on experience makes her a valuable figure in the cybersecurity field.

Source

DARKReading