Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time…

Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time but automation can make the process faster. In this article, we will see what is security questionnaire automation and how you can use it to reduce response time.

**Table of Contents**

1.  Why Automate Security Questionnaires?
2.  Steps to Automate Security Questionnaires
3.  1\. Centralize Your Security Documentation
4.  2\. Use a Standardized Response Library
5.  3\. Take Advantage of Automation Tools
6.  4\. Integrate with Compliance and Security Systems
7.  5\. Assign Roles and Responsibilities
8.  Benefits of Automating Security Questionnaires
9.  How to Get Started with Automation?
10.  Conclusion 

Security questionnaire automation is the method of using technology to automate and accelerate the filling out of security questionnaires. Rather than repeatedly answering the same compliance and security questions manually, companies use automation software to auto-populate answers, handle document requests, and unify security policies easily.

****Why Automate Security Questionnaires?****

Automation accelerates the process and makes it less stressful and more efficient. Following are the reasons why companies are opting for automation:

*   **Saves Time:** It decreases the time taken to fill out questionnaires.
*   **Improves Accuracy:** Avoids human error and inconsistencies.
*   **Enhances Productivity:** Allows security teams to concentrate on critical tasks.
*   **Speeds Up Vendor Assessments:** Helps in quicker deal closures by minimizing delays.

****Steps to Automate Security Questionnaires****

Here are some steps to automate the security questionnaires:

****1\. Centralize Your Security Documentation****

Establish a centralized location for all security policies, certifications, and compliance documents. This allows easy pulling of answers in a rush.

*   Keep documents in a safe cloud-based environment.
*   Control and limit access to authorized staff.
*   Update documents frequently to account for changes in security controls.

****2\. Use a Standardized Response Library****

The majority of security questionnaires use similar questions. Rather than duplicating effort every time:

*   Develop a pre-approved response library.
*   Classify answers according to compliance frameworks (SOC 2, ISO 27001, GDPR, etc.).
*   Make answers concise, clear, and current.

****3\. Take Advantage of Automation Tools****

There are various tools to automate security questionnaires. These tools are able to:

*   Auto-populate answers based on previous submissions.
*   Provide the most appropriate answers based on your response library.
*   Integrate with compliance management platforms.

Popular automation tools are:

*   OneTrust – Orchestrates compliance and security questionnaires.
*   SecurityScorecard – Automates vendor risk assessments.
*   Loopio – Centralizes security questionnaire responses.

****4\. Integrate with Compliance and Security Systems****

Integrate your automation tool with current security systems. This guarantees:

*   Real-time synchronization of data.
*   Automatic updates when security policies are modified.
*   Quicker and more precise questionnaire answers.

****5\. Assign Roles and Responsibilities****

Human supervision is still important despite automation. Designate particular roles:

*   Security Team: Verifies responses for correctness.
*   Legal Team: Guarantees compliance with laws.
*   IT Team: Handles integration with security tools.

Well-defined accountability avoids mistakes and guarantees quality responses.

****Benefits of Automating Security Questionnaires****

The four benefits of automating security questionnaires are:

**1\. Quick Response Time**

No longer the rush to look for information. Automation drastically minimizes response time and enables companies to seal deals in less time.

**2\. Uniformity of Responses**

Automated processes provide uniform and accurate responses to every questionnaire, hence it minimizes confusion and misinterpretation.

**3\. Lower Security Team Workload**

Automation liberates security teams from repetitive security questions to undertake more strategic initiatives.

**4\. Higher Client and Partner Trust**

Quick and reliable security questionnaire responses show clients that your company prioritizes cybersecurity and compliance.

****How to Get Started with Automation?****

If you’re new to automation, start with these simple steps:

*   Audit your current questionnaire process. Identify bottlenecks.
*   Choose an automation tool that fits your needs and budget.
*   Build a response library with pre-approved answers.
*   Train your team on how to use automation tools effectively.
*   Continuously update responses to keep up with security changes.

****Conclusion** **

Security questionnaires do not have to be challenging. Companies can save time, increase accuracy, and expedite vendor approvals after automating the process of security questionnaires. The secret is to consolidate data, utilize automation tools, and institute human review. The outcome includes a quicker, more well structured security questionnaire process for all.

Featured, Top Image via Freepik

How to Automate Security Questionnaires and Reduce Response Time

FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures.

A new cyberattack campaign discovered by FortiGuard Labs, Fortinet’s threat intelligence and research unit, leverages a combination of social engineering, multi-stage malware, and the manipulation of trusted cloud services to achieve control over compromised systems.

According to FortiGuard’s investigation, shared with Hackread.com ahead of its publishing on Monday, the campaign targets Microsoft Windows users and has a high severity level. Their most crucial observation is that the attackers have innovated by integrating a modified version of the Havoc framework, Havoc Demon Agent, with the Microsoft Graph API, effectively hiding their malicious communications within the legitimate traffic of well-known cloud services.

For your information, Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to obtain full control of the target system.

The initial point of entry for this attack is a carefully crafted phishing email, which contains an HTML attachment designed to deceive the recipient into executing a malicious PowerShell command.

The Phishing Email (Source: FortiGuard Labs)

Through a technique known as “ClickFix,” in which users are tricked into executing malicious commands, the attachment presents a fake error message, prompting the recipient to copy and paste a seemingly harmless command into their system’s terminal. However, this command initiates a chain of events that leads to the downloading/execution of further malicious scripts, which are strategically hosted on a SharePoint site, probably to obscure the malicious operation within a trusted cloud environment.

The initial PowerShell script performs checks to evade sandbox detection and then proceeds to download/execute a Python script, also hosted on SharePoint. This Python script acts as a shellcode loader and injects and executes a malicious DLL, KaynLdr, which reflectively loads an embedded DLL, and further complicates analysis by using API hashing.

The core of the attacker’s C2 infrastructure relies on the modified version of the Havoc Demon DLL as it leverages the Microsoft Graph API to establish communication channels that blend seamlessly with legitimate cloud traffic. The “SharePointC2Init” function within the DLL obtains access tokens for the Microsoft Graph API and creates two files within the victim’s SharePoint document library, each named with a unique identifier derived from the compromised system.

These files act as channels for transmitting victim information and receiving C2 commands, while the entire communication is handled by the modified “TransportSend” function and encrypted using AES-256 in CTR mode. The agent then parses and executes these commands, which include a wide range of post-exploitation capabilities, such as information gathering, file operations, and token manipulation.

FortiGuard Labs’s discovery highlights the evolution of open-source C2 frameworks to create new, difficult-to-detect attacks and the growing need for adopting advanced security measures against such attacks.

“In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands,” FortiGuard’s researchers concluded.

The attack Flow (Source: FortiGuard Labs)

In a comment to Hackread.com, Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based application security provider, noted that hackers are using trusted Microsoft services to evade detection, showing a high level of sophistication, but what stands out is that their attack method requires more manual action from the victim than usual.

_“_These bad actor groups aim for obfuscation so they can achieve their goals. It’s not unusual to see them use open-source frameworks, however, the use of legitimate Microsoft services shows a level of sophistication that is concerning. Using those services allows them to hide in plain sight and have the benefits of being trusted servers,_“_ Thomas explained. _“_What is surprising about this is the level of manual intervention needed on the victim for the attack to be a success. Usually with these campaigns, the bad actors want as little interaction as possible on the victim’s part aside from clicking on a link._“_

New Malware Campaign Exploits Microsoft Graph API to Infect Windows

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about…

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about broad language and possible data misuse.

In the Internet era, where our online activities leave behind a trail of data, trust between users and the software they use is more important than ever. That trust is often buried in long legal agreements and complex terms and conditions, but it can quickly disappear if people feel their privacy is being violated. Mozilla, a company historically lauded for its commitment to user privacy, recently found itself at the center of such a trust dispute.

What happened is that the Firefox browser introduced new Terms of Use, which instead of promoting clarity, sparked a major controversy. The update meant to “formalize” user agreements, triggered a wave of user backlash, driven by language perceived as overly broad and potentially granting the company extensive rights over user data. Despite the company’s insistence that the terms were intended to clarify existing data practices and formalize user agreements, the unclear wording caused a lot of confusion and pushback.

The issue centered on a specific clause that granted Mozilla a “nonexclusive, royalty-free, worldwide license” to use information inputted or uploaded through Firefox. Critics, including figures from rival browser companies, interpreted this as an attempt to claim ownership of user data and potentially monetize it for purposes like AI development or targeted advertising. Mozilla, however, refuted these interpretations, stating that the new terms did not signify a change in how user data is handled.

> W T Fhttps://t.co/ifx7R9rBMV
> 
> "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of… https://t.co/Zvbif4TWzz
> 
> — BrendanEich (@BrendanEich) February 27, 2025

In response to the intense criticism, Mozilla clarified its intentions and provided further explanations for the controversial wording as well as revised the clause with clearer wording. Here’s the difference between the original and revised clause:

**Previous:** “When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.”

**Revised:** “You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.”

Talking to TechCrunch, the company’s VP of Communications, Brandon Borrman, emphasized that the license was necessary to enable basic browser functionalities, such as processing user input. They stressed that the terms did not grant them ownership of user data or the right to use it beyond the scope outlined in their existing Privacy Notice.

According to Mozilla’s explanation of the reasoning behind the specific terms used, “Nonexclusive” was intended to indicate that users retain the right to use their data independently, “Royalty-free” reflected the browser’s free nature, and “worldwide” acknowledged its global availability. The company also confirmed that user data is not sent to third-party AI companies and that any data shared with advertisers is de-identified or aggregated.

The situation has raised fundamental questions about data ownership and the boundaries of digital consent. The initial confusion and backlash emphasize the potential consequences of poorly worded terms, even when intentions are benign. Still, Mozilla’s swift response and subsequent revisions demonstrate the company’s attempt to address user concerns and maintain trust.

1.  Mozilla Rushes to Fix Critical Flaw in Firefox and Thunderbird
2.  Mozilla permanently shuts down Notes & Send over malicious use
3.  Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature
4.  Google & Mozilla ban Avast security extensions over data snooping
5.  Mozilla’s ‘Track This’ lets you choose fake identity to deceive advertisers

Mozilla Tweaks Firefox Terms After Uproar Over Data Use Language

QR phishing is on the rise, tricking users into scanning malicious QR codes. Learn how cybercriminals exploit QR codes and how to protect yourself.

QR codes have become an everyday convenience, allowing quick access to websites, payment platforms, and digital menus with a simple scan. However, as their popularity has grown, so has the interest of cybercriminals looking to exploit them. A not-so-new but lesser-known wave of phishing attacks known as “QR phishing” or “quishing” is on the rise, tricking unsuspecting users into scanning malicious codes that can steal personal information, install malware, or redirect to fraudulent websites.

****How QR Phishing Works****

Cybercriminals have found multiple ways to manipulate QR codes for their scams. One of the most common methods involves placing fake QR codes over legitimate ones. This can happen at restaurants, parking meters, or public spaces where businesses commonly use QR codes for services. When a user scans the fake code, they might be taken to a website that looks legitimate but is designed to steal login credentials, financial information, or other sensitive data.

A real-time example of a malicious QR code on a parking meter in Kirklees, West Yorkshire, England. (Via  Kirklees Council)

Another approach involves sending QR codes via email or text messages, claiming to be from a trusted source like a bank, delivery service, or tech support team. These messages often create a sense of urgency, telling users that their account has been compromised or that they must verify a payment. Once scanned, the user is unknowingly handing over their private information to hackers.

According to Online QR Code, a QR code generating tool, there are different types of QR codes and almost every type of code can be abused by scammers. This means that no matter how a QR code is presented, on a poster, in an email, or even on an official-looking document; there’s always a risk if the source isn’t verified.

****Why QR Phishing Is So Effective****

QR phishing works so well because QR codes themselves don’t immediately show where they lead. Unlike a traditional link, which allows users to hover over and preview the URL, scanning a QR code often takes users directly to the intended site without any immediate warning. On mobile devices, where most QR scans happen, this makes it even easier for scammers to operate undetected.

Additionally, many people trust QR codes because they are widely used by legitimate businesses and organizations. Scammers take advantage of this trust by placing their malicious codes in places where people wouldn’t normally question their authenticity. This is why even the FBI had to issue warnings about QR phishing.

****How to Protect Yourself from QR Phishing****

While QR phishing is a growing threat, there are simple steps you can take to stay safe:

1.  **Verify Before Scanning** – If you see a QR code in a public place, check for signs of tampering. If a sticker looks like it’s been placed over another code, avoid scanning it.
2.  **Preview the URL** – Some smartphone cameras and QR scanner apps allow you to preview the link before opening it. If the URL looks suspicious or doesn’t match the expected destination, don’t proceed.
3.  **Avoid Scanning Codes from Emails or Texts** – Be cautious with QR codes sent via email or text, especially if the message is unexpected or urgent. Instead of scanning, visit the official website of the organization by typing the address directly into your browser.
4.  **Use a QR Code Scanner with Security Features** – Some security apps and QR scanners come with built-in protection that can detect and warn users about malicious links.
5.  **Check for HTTPS and Official Domains** – If you do scan a QR code, look at the URL before entering any personal information. Legitimate websites should have “https” in the address, and the domain should match the official website of the company.
6.  **Be Skeptical of Unsolicited QR Codes** – If you receive a QR code claiming to offer a prize, discount, or urgent security alert, treat it with suspicion. Scammers often use these tactics to lure victims into scanning.
7.  **Keep Your Phone’s Security Updated** – Ensure that your phone’s operating system and security software are up to date. This can help prevent malware infections from malicious sites.

QR codes aren’t going away anytime soon. They’ve become a vital tool in marketing, payments, and everyday interactions. But just like with email phishing and other cyber threats, awareness is key to staying safe. By taking a few extra seconds to verify the source of a QR code before scanning, you can protect yourself from falling victim to these increasingly sophisticated scams.

1.  YouTube Scammers Rake in $600K with QR Codes
2.  Hackers Exploit QR Codes with QRLJacking for Malware
3.  Unicode QR Code Phishing Bypasses Traditional Security
4.  QR Code Scam: Fake Voicemails Hit 1000 Users in 14 Days
5.  Top Barcode Scanner app infected 10m users with malware

The Rise of QR Phishing: How Scammers Exploit QR Codes and How to Stay Safe

Microsoft exposes Storm-2139, a cybercrime network exploiting Azure AI via LLMjacking. Learn how stolen API keys enabled harmful…

Microsoft exposes Storm-2139, a cybercrime network exploiting Azure AI via LLMjacking. Learn how stolen API keys enabled harmful content generation and Microsoft’s legal action

Microsoft has taken legal action against a cybercriminal network, known as Storm-2139, responsible for exploiting vulnerabilities within its Azure AI services. The company publicly identified and condemned four individuals central to this illicit operation. Their names are as follows:

1.  Arian Yadegarnia aka “Fiz” of Iran
2.  Phát Phùng Tấn aka “Asakuri” of Vietnam
3.  Ricky Yuen aka “cg-dot” of Hong Kong, China
4.  Alan Krysiak aka “Drago” of the United Kingdom

According to Microsoft’s official report, shared exclusively with Hackread.com, these individuals used various online aliases to operate a scheme called LLMjacking. It is the act of hijacking Large Language Models (LLMs) by stealing API (Application Programming Interface) keys, which act as digital credentials for accessing AI services. If obtained, API keys can allow cybercriminals to manipulate the LLMs to generate harmful content.

Storm-2139’s core activity involved leveraging stolen customer credentials, obtained from publicly available sources, to gain unauthorized access to AI platforms, modify the capabilities of these services, circumvent built-in safety measures, and then resell access to other malicious actors. They provided detailed instructions on how to generate illicit content, including non-consensual intimate images and sexually explicit material, often targeting celebrities.

Microsoft’s Digital Crimes Unit (DCU) initiated legal proceedings in December 2024, initially targeting ten unidentified individuals. Through subsequent investigations, they identified the key members of Storm-2139. The network operated through a structured model, with creators developing the malicious tools, providers modifying and distributing them, and users generating the abusive content.

“Storm-2139 is organized into three main categories: creators, providers, and users. Creators developed the illicit tools that enabled the abuse of AI-generated services. Providers then modified and supplied these tools to end users often with varying tiers of service and payment. Finally, users then used these tools to generate violating synthetic content,” Microsoft’s blog post revealed.

Visual Representation of Storm-2139 (Source: Microsoft)

The legal actions taken by Microsoft, including the seizure of a key website, resulted in significant disruption to the network. Members of the group reacted with alarm, engaging in online chatter, attempting to identify other members, and even resorting to doxing Microsoft’s legal counsel, highlighting the effectiveness of Microsoft’s strategy in dismantling the criminal operation.

Microsoft employed a multi-faceted legal strategy, initiating civil litigation to disrupt the network’s operations and pursuing criminal referrals to law enforcement agencies. This approach aimed to both halt the immediate threat and establish a deterrent against future AI misuse.

The company is also addressing the issue of AI misuse to generate harmful content, implementing stringent guardrails and developing new methods to protect users. It also advocates for modernizing criminal law to equip law enforcement with the necessary tools to combat AI misuse.

Security experts have highlighted the importance of stronger credential protection and continuous monitoring in preventing such attacks. Rom Carmel, Co-Founder and CEO at Apono told Hackread that companies who use AI and cloud tools for growth must limit access to sensitive data to reduce security risks.

_“_As organizations adopt AI tools to drive growth, they also expand their attack surface with applications holding sensitive data. To securely leverage AI and the cloud, access to sensitive systems should be restricted on a need-to-use basis, minimizing opportunities for malicious actors._“_

Top/Featured Image via Pixabay/BrownMantis

Microsoft Disrupts Storm-2139 for LLMjacking and Azure AI Exploitation

Not getting enough views or traffic to your podcasts? Try this stunning AI audio-to-video generator to transform your…

Not getting enough views or traffic to your podcasts? Try this stunning AI audio-to-video generator to transform your podcasts into must-watch videos.

Is the audience viewing count of your podcasts lower than you expect? Many content creators deal with the problem of maintaining viewer interest because video content popularity is increasing in digital spaces. Being excellent in audio content delivery isn’t sufficient to thrive. The solution? Convert audio to video! 

An AI audio-to-video generator enhances podcasts by turning them into multimedia presentations that catch viewers’ attention. This article showcases a proven solution to convert your audio content into compelling video materials that people will watch.

Let’s dive in!

**Table of Contents Hide**

1.  Part 1: Why You Should Turn Podcasts into Videos?
    1.  Expand Your Reach
    2.  Increase Accessibility
    3.  Boost Engagement
    4.  Enhance SEO
    5.  Leverage Trends
2.  Part 2: Key Elements of Must-Watched Podcast Video
    1.  High-Quality Video
    2.  Clear Audio
    3.  Subtitles
    4.  Captions
    5.  Engaging Thumbnails
    6.  Brand Elements
3.  Part 3: Wondershare Filmora: Best Tool to Help You Transform Podcasts into Videos
4.  Conclusion

**Part 1: Why You Should Turn Podcasts into Videos?**

You gain several benefits when you transform your podcast content into video format.

**Expand Your Reach**

The broadcast of video content allows you to extend your presence toward wider audiences through YouTube and social media channels.

**Increase Accessibility**

Through video format, you provide learning opportunities for visual learners as well as auditory learners simultaneously.

**Boost Engagement**

The combination of visual elements surpasses audio content in grabbing viewers’ attention, which results in higher chances of sharing and liking activities.

**Enhance SEO**

Your content benefits from improved SEO rankings when video content is included because search engines prefer video content. This practice drives more traffic to your material.

**Leverage Trends**

The usage of videos has gained extreme popularity across all digital platforms. You should design your content to align with the ways people use and consume media during the present period.

Thus, your podcast will reach its full potential when you turn from audio to video.

**Part 2: Key Elements of Must-Watched Podcast Video**

To develop an interesting podcast video, you need to focus on essential elements.

**High-Quality Video**

The quality of your video content should include clear images and sharp visual elements for improved viewer engagement.

**Clear Audio**

The quality of your audio must be exceptional because poor sound will cause viewers to leave your content.

**Subtitles**

The addition of subtitles establishes accessibility for your content to viewers who have hearing challenges alongside other listener groups.

**Captions**

The inclusion of subtitles, known as captions, enables powerful message transmission to viewers who listen without sound.

**Engaging Thumbnails**

Attractive thumbnails must be designed to attract more viewers and raise the number of clicks on your content.

**Brand Elements**

Employ branding elements that include consistent logos and visual color schemes to achieve better recognition.

The implementation of these elements leads to a major enhancement of your podcast’s aesthetic quality.

Let’s get straight to the tool named Wondershare Filmora, using which you can easily transform your podcasts into must-watch videos. This AI audio-to-video generator provides you with an effortless solution to implement your audio content alongside compelling visual features that maximize your podcast effects. Through its simple interface together with multiple features, Filmora enables users to manage dynamic graphics along with audio enhancement and animations easily and with enjoyment.

**Key Features of Filmora**

**AI Audio to Video**: Users can easily turn their audio files into dynamic video content using a basic automated, multi-step procedure. Filmora’s AI analysis evaluates your audio as it generates exceptional visual content to match your content perfectly.

**AI Image to Video**: Through its AI tool, Filmora converts ordinary images into lively video content. This feature matches the needs of users who need exceptional media content for social promotions or product visuals along with slide decks.

**AI Video Enhancer:** Filmora enables users, through its great functionality, to modify video elements like brightness, contrast, and saturation to achieve professional results.

**AI Video Translation**: Filmora contains an advantageous feature that benefits people who operate beyond national borders. The tool enables the translation of video content into various languages at once.

**AI text-to-speech**: The software enables users to convert written content into lifelike speech via AI technology.

Using the above-mentioned features in Filmora, users can easily edit their videos in a professional manner.

**Step-by-step guide to transform your audio content into video:**

**Step 1**: When you download the latest version of Filmora from its official website and open it up, you will see an option “Audio to Video” in the toolbox. Tap on it.

**Step 2**: Now you can upload the media file of size up to 1 GB with a duration of 10 seconds to 120 minutes.

**Step 3**: Users must specify their video language selection after uploading. Users must choose their video content type first, then add specified ratio and duration parameters for a defined number of generated videos. Users have the option to adjust screen settings.

**Step 4**: When the setup is complete, tap on Generate.

**Step 5**: Now you will see the multiple results of videos generated by the system. Press the play button to experience the generated results. You may export the video right away after ensuring you like how it turned out. Click “Edit” from the interface to transition to Filmora’s main editing timeline if you wish to implement more modifications.

**Step 6**: Click on the “Export” button located in the top-right section to finalize your video. Users access social media sharing through the top-right corner of the interface. Select the “Local” option to save the video to your device and set parameters for its title and description as well as category and resolution.

And that’s all it takes! The audio-to-video AI converter, together with powerful editing features from Filmora, makes it effortless to convert audio into video content at no cost. Using this tool will enable you to generate exceptional video content in a short period.

**Conclusion**

Converting audio content into video means more engagement and views! All you need is a tool like Filmora and the rest is just the magic it will create. Your content will get better when you use high-quality visuals and clear audio. Also, include subtitles, eye-catching thumbnails, and unique brand elements. Begin utilizing Filmora right now and discover how audio conversion creates videos that improve your podcasting capabilities significantly. 

Image by AstralEmber from Pixabay

Convert Audio to Video: How to Transform Your Podcasts into Must-Watch Videos

360XSS campaign exploits Krpano XSS to hijack search results & distribute spam ads on 350+ sites, including government,…

360XSS campaign exploits Krpano XSS to hijack search results & distribute spam ads on 350+ sites, including government, universities, and news outlets.

A widespread campaign exploiting a vulnerability within a virtual tour framework Krpano has been uncovered by cybersecurity researcher Oleg Zaytsev. The attack, dubbed “360XSS,” involved search engine manipulation and mass advertisement distribution.

For your information, Krpano is a widely used software tool that enables the creation of immersive 360° experiences, allowing users to explore panoramic images and videos in a virtual environment.

Zaytsev’s research, shared with Hackread.com, revealed that the attack leverages a reflected cross-site scripting (XSS) flaw in the Krpano VR library tracked as CVE-2020-24901. The vulnerability resided in a configuration setting within the Krpano framework (passQueryParameter) that, by default, allowed query parameters to be passed directly into the framework’s configuration.

This enabled attackers to inject arbitrary XML, leading to the reflected XSS. The default setting enabled this flaw, leading to widespread exploitation until patches were released. Unfortunately, it remained unpatched on numerous websites, including the framework developer’s own site.

The campaign’s discovery began with an unexpected search result for adult content appearing under a prestigious university’s domain. Further investigation revealed that the site was utilizing the Krpano framework for virtual tours and that a specific parameter within the URL was being exploited to inject malicious code. This code redirected users to spam advertisements, indicating a sophisticated attack beyond simple website defacement.

The scale of the campaign was significant, with hundreds of websites, including government portals, educational institutions, news outlets, and major corporations, being compromised. Attackers used the XSS vulnerability to inject malicious scripts that manipulated search engine results, pushing spam advertisements to the top of search listings. This technique, known as SEO poisoning, allowed them to leverage the authority of compromised domains to boost the visibility of their advertisements.

The campaign had a wide-reaching impact, compromising over 350 websites across diverse sectors. This included sensitive government portals and state government sites, major American universities, prominent hotel chains, reputable news outlets like CNN and Geo.tv, car dealerships and Fortune 500 companies. Attackers’ focus on advertisement distribution, rather than direct attacks on user data, suggested a calculated approach probably by an Arab group.

Image via Oleg Zaytsev

“The people behind this campaign remain a mystery, but from what I’ve seen, many clues suggest it was run by an Arab group—based on the ads, patterns, and random breadcrumbs I found during my investigation,” Zaytsev noted in their blog post.

He further notes that efforts to report the vulnerability to affected organizations proved challenging, with many lacking formal disclosure programs. However, some organizations responded positively, and the Krpano developers addressed the issue with a patch in a subsequent release. Organizations using the Krpano framework are advised to update to the latest version and disable the vulnerable configuration setting.

Eran Elshech, Field CTO at Seraphic Security, highlights that attackers are shifting from malware to exploiting browser vulnerabilities and web frameworks. The 360XSS campaign demonstrates how easily a known XSS flaw was used to compromise trusted sites, manipulate search results, and hijack web properties for spam ads.

He warns that the scalability and stealth of such attacks make them highly effective, as attackers infiltrate high-traffic sites with minimal effort, reaching large audiences without direct access to user devices.

Over 350 High-Profile Websites Hit by 360XSS Attack

Louis Donald Mendonsa, 62, was sentenced following a guilty plea for distributing child sexual abuse materials (CSAM) via…

Louis Donald Mendonsa, 62, was sentenced following a guilty plea for distributing child sexual abuse materials (CSAM) via Dark Web and other online networks after 6,5000 explicit images were found on his devices.

A California resident, Louis Donald Mendonsa (62), has been sentenced to 24 years and four months in federal prison for his involvement in managing four illegal websites on the dark web that shared explicit images and videos of children.

Mendonsa, a Sacramento native, played a key role in maintaining these platforms, which were active from December 2021 until his arrest in November 2022. He received his sentence on February 27, 2025, after pleading guilty in April 2024 to seven counts of distributing CSAM and one count of possession.

The websites, which operated on the dark web, a hidden part of the internet often used for illegal activities only accessible through the Tor browser, allowed users to advertise, distribute, and trade disturbing content involving children. According to the US Department of Justice’s press release, one of the sites even featured material depicting infants and toddlers.

Mendonsa not only managed these platforms but also actively promoted and shared illegal content himself. His activities came to light after law enforcement discovered his actions while he was using public Wi-Fi at a local coffee shop.

Upon arrest, a search of Mendonsa’s electronic devices revealed approximately 6,500 explicit images, confirming the identities of several known victims. This case is part of Project Safe Childhood, a nationwide initiative launched by the Department of Justice in 2006 to combat the alarming rise in child sexual exploitation. 

The project brings together federal, state, and local law enforcement agencies to track down, arrest, and prosecute individuals who exploit children online, while also working to rescue victims.

Man Jailed 24 Years for Running Dark Web CSAM Sites from Coffee Shop

A hacker using the alias GHOSTR, linked to 90+ data breaches, was arrested in a joint effort by law enforcement in Thailand, Singapore, and cybersecurity firm Group-IB.

A coordinated effort between law enforcement in Thailand, Singapore, and cybersecurity firm Group-IB has led to the arrest of a prolific hacker tied to more than 90 data breaches worldwide.

The individual, operating under multiple online identities such as GHOSTR, ALTDOS, DESORDEN, and 0mid16B, reportedly stole and sold over 13 terabytes of sensitive information including government agency records on dark web markets. The accused hacker was also an active member of the infamous cybercrime and data breach platform Breach Forums.

GHOSTR Hacker banned from Breach Forums for multi-accounting (Screenshot credit: Hackread.com)

Active since at least 2020; the hacker targeted organizations across Asia-Pacific nations like Thailand, Singapore, Malaysia, Pakistan and India, later expanding to Europe, North America, and the Middle East. Victims spanned industries like healthcare, finance, e-commerce, and logistics.

Initially, they pressured companies by threatening to leak stolen data unless paid, often alerting media or regulators if demands were ignored. Later, they moved to selling databases on dark web forums, gaining a reputation for high-quality leaks and commanding premium prices. In some cases, they even emailed customers directly to force companies into compliance.

According to Group-IB’s press release published on Thursday, the hacker exploited common vulnerabilities to infiltrate systems. They used tools like sqlmap to execute SQL injections, a method that exploits websites to access backend databases and breached poorly secured Remote Desktop Protocol (RDP) servers.

Once inside, they deployed a modified version of the penetration-testing tool CobaltStrike to maintain control of compromised networks. The extracted data was then copied to cloud servers for extortion purposes.

****Multiple Identities, Difficult to Track****

Investigators faced challenges as the hacker frequently changed aliases and tactics. Group-IB’s teams linked the identities by analyzing writing styles, post formats, and target preferences across dark web forums. For example, the ALTDOS persona focused on Thai victims in 2020, while DESORDEN later targeted organizations in the following sectors:

*   Retail
*   Finance
*   Logistics
*   Insurance
*   Healthcare
*   Hospitality
*   Recruitment
*   Technology
*   E-commerce
*   Property investment

Despite bans from forums for scams and fake accounts, the hacker continued operations under new names until their trails of online activity led authorities to their real-world identity.

During the arrest, Thai authorities confiscated several laptops, electronic devices, and numerous luxury items purchased with proceeds from the data sales.

Seized content (Via Group-IB)

Group-IB’s role in mapping the hacker’s activity across aliases demonstrates how behavioural patterns and technical clues can unmask even the most persistent cyber criminals. The company’s threat intelligence also brings to mind the Brazilian hacker USDoD, who was tracked down after CrowdStrike exposed his real identity, leading to his arrest.

GHOSTR Hacker Linked to 90+ Data Breaches Arrested

Strong eCommerce customer service builds trust, boosts loyalty, and drives sales. Learn key strategies, best practices, and tools to enhance online support.

Great online customer support starts with the fundamentals that make shoppers feel valued and understood when they can’t see your face or walk into your store. The basics include responding quickly across multiple channels, writing in a friendly human tone (not corporate-speak), and making it super easy for customers to find help when they need it.

Mastering these foundational elements builds trust with online shoppers and sets the stage for turning one-time buyers into loyal repeat customers. According to WOW24-7, an e-commerce customer service outsourcing provider, recent studies highlight the impact of customer service quality on online shopping behaviour. In April 2024, reports indicated that 79% of consumers may choose not to buy from a brand again after a poor post-purchase experience.

****What is eCommerce Customer Service?****

Generally speaking, e-commerce customer service is a special department that helps and supports online businesses as you are shopping online. Think of it as the digital version of that helpful store employee, but instead of being face-to-face, they’re helping you through chat, email, or phone when you have questions about products, shipping issues, returns, or just need advice before buying something.

****Advantages of a Good eCommerce Customer Service****

Good online customer service is a total game-changer! It builds trust (super important when you can’t see products in person), turns angry customers into happy ones (like when your headphones arrived broken and they shipped new ones overnight), and makes people spend more money.

Plus, happy customers tell their friends – “one of our customer’s customers switched to a new skincare brand just because her friend raved about how they helped her find the right products for her skin type.”

****How To Provide a Stellar Customer Service: Tips For Online Support********1\. Prioritize Multiple Communication Channels****

To provide excellent customer service, be available wherever your customers want to reach you. That means providing various channels of support, including social media support. 

Some people hate phone calls but love texting, while others want to shoot a quick email or DM you on Instagram. The best online stores let me choose – like that clothing shop that lets me track my order through text, ask sizing questions on chat, or call them about complicated returns. It shows they respect how you prefer to communicate instead of forcing you to use their one preferred channel.

So, good customer service plays a key role in customer satisfaction, and it should be multichannel customer support. And what about you, how many channels does your brand offer to contact your team?

****2\. Empower Your Team with Knowledge****

Make sure your support team knows your products inside and out – they can’t help customers if they’re clueless themselves. Indeed, the product knowledge is essential. Create a searchable knowledge base where your team can quickly find answers instead of saying “Let me check on that” for every question.

Our customer, a tea company, has weekly “sip and learn” sessions where staff try new products and discuss common questions, which has cut their average response time in half. The ability to deliver almost instant answers to the customers’ questions. That’s what we call a start for the exceptional customer service. 

****3\. Implement a Full Self-Service System****

Give customers ways to help themselves with detailed FAQs, video tutorials, and searchable help centers available 24/7. That is super important for customer retention.

One of our customers, an electronics ecommerce business has this amazing interactive troubleshooting tool that walks you through fixing common issues before the customers even need to contact them. Just make sure to keep these resources updated – nothing’s more frustrating than outdated information that wastes customers’ time.  

****4\. Track Key Metrics and Analyze Performance****

You can’t improve what you don’t measure, so keep tabs on response times, customer satisfaction scores, and first-contact resolution rates. Look for patterns in customer complaints to fix underlying issues – like when that clothing store noticed a spike in size questions and added better measurement guides. Set goals for your customer service team based on these metrics, but don’t obsess over speed at the expense of actually solving problems properly.

Moreover, track and analyze your customer reviews and work with both positive customer reviews and negative ones. Here’s a tip for you: the leading ecommerce platforms also work with the so-called ‘middle customers’ (the ones that are neither positive nor negative. They are the easiest ones to become your true brand enthusiasts. 

****5\. Personalize the Customer Experience****

Use customer purchase history and preferences to make interactions feel special and relevant. One ecommerce brand, a book subscription service, remembers what genres you love and what you have already read, making their recommendations useful.

Simple touches made by your customer service representative like addressing customers by name and referencing their previous orders make people feel valued instead of just another ticket number in the queue. That is crucial if you want to be the brand that comes with the best customer service for ecommerce. 

****6\. Proactively Address Customer Issues****

A great customer service company does not wait for complaints, it reaches out when its support agents know there might be a problem. For instance, a clothing store emails you before you even notice that your package was delayed due to weather, offering options and a small discount or a free trial. 

Therefore, your customer service agent must watch social media mentions of your brand to catch issues before they escalate into full-blown problems. This customer service strategy builds trust and loyalty. 

****7\. Embrace Technology and Automation****

If you want to offer good customer service experiences, use chatbots to handle simple questions and AI to route complex issues to the right specialist. Add the frequently asked questions section to let your customers find all the answers to their questions without waiting for your reply and the personalization to help them if they contact you. 

A simple example: there’s a tech shop that uses automation to send perfectly timed setup guides after purchase, preventing tons of support calls. Just make sure there’s always an easy escape hatch to reach your ecommerce customer service team when the bot can’t help. That’s crucial if you want to deliver an excellent customer service. 

****8\. Offer Easy Returns and Exchanges****

Make returns painless with prepaid labels, clear instructions, and quick processing. Yes, in the world of e-commerce, you have to provide the customer with the possibility to return in a fast, easy and free manner.

Here’s an example. There’s a shoe company that includes a return label right in the box and lets you start the return process with a single text message. And here comes an interesting fact: Good return policies increase sales because people feel safer trying new products. 

****9\. Solicit and Respond to Feedback****

Actively ask customers how they’re doing through quick surveys after purchases or support interactions. Every ecommerce business will benefit from customer service tools or special support software that collects data about the quality of service and customer communications. 

Just a simple case from our experience. There’s a coffee subscription that sends a three-question survey after each delivery, and when somebody mentioned their packaging was excessive in the comments, they changed it within a month. Show customers that the feedback matters by implementing changes and letting them know. There’s a necessity to adapt to the changing world of customer satisfaction. 

****10\. Invest in Ongoing Training and Development****

Keep your ecommerce customer support team sharp with regular product training and customer service skill development. My cousin works at an online beauty store where they spend Friday afternoons practising tough customer scenarios and learning about new product ingredients. Well-trained agents solve problems faster and make customers happier.

****11\. Foster a Culture of Customer-Centricity****

Make customer happiness everyone’s job, not just the support team’s. One of our customers, a small electronics brand, believes that excellent service is critical and so it invites its engineers to join support calls monthly to hear customer struggles firsthand. Then their support system analyses the available customer needs and the online shopping experience and thinks of ways to improve service to customers.

Celebrate team members who go above and beyond for customers, and use customer stories in company meetings to keep their needs front and center.

****An Effective eCommerce Customer Service: Key Takeaways****

Great online customer service is crucial as it talks to your customers directly. It’s all about being focused on customer wants, needs, and expectations. Plus, since great service is important for brand success, multi-channel customer support has become the new normal for companies who want to boost the customer’s lifetime value. Response speed matters hugely, but the quality and personal touch of those responses turn one-time buyers into loyal fans who spread the word.

The best online stores use the right software like Intercom and technology to handle routine stuff while freeing up humans to solve complex problems with empathy and creativity to improve their customer experience. Track what’s working (and what isn’t) through customer feedback and solid metrics, then actually use that info to keep improving. Remember that in the digital world where competitors are just a click away, exceptional service isn’t just nice to have – it’s often your biggest competitive advantage. 

Therefore, these are the eCommerce Customer Service Best Practices that help you improve customer service and provide an amazing customer service experience. Just remember that true customer service means the real care of your customers, not just words.

****Customer Service Channels FAQ********Why is customer service important for e-Commerce businesses?****

It’s your digital storefront’s personality! Without face-to-face interaction, it’s hard to make your customers happy. When one of our customers launched her handmade jewellery store, her amazing response time and personalized packaging notes turned first-time buyers into repeat customers who shared her store all over social media. Plus, in a world where switching to a competitor takes one click, great service is often the only thing keeping customers loyal.

****What are the key challenges of providing online customer support?****

The biggest headache is managing customer expectations for instant 24/7 help when you’re a small team (or solo entrepreneur). Then there’s the challenge of explaining products people can’t touch or try on, handling shipping issues you don’t directly control, and building trust without in-person connections. For instance, a hot sauce company can struggle with international customers who fail to understand the cause of shipping delays until they create a visual tracking system that shows exactly where packages are stuck.

****How can I improve response times for customer inquiries?****

*   Create templates for common questions so you’re not typing the same shipping policy explanation fifty times a day.
*   Set up auto-responses that acknowledge messages immediately even if you’ll answer fully later.
*   Use a smartphone app connected to your help desk so you can quickly answer simple questions while on the go.
*   You can dramatically cut response times by creating a shared Google Doc where all staff will document weird questions and answers for everyone to reference.

****What are the best tools for managing eCommerce customer service?****

For small shops, Zendesk or Freshdesk are solid starting points that won’t break the bank. Gorgias is amazing if you’re on Shopify since it shows order history right alongside customer conversations. Help Scout has a super clean interface that’s easy for non-tech folks. The gaming stores often Intercom so they can chat with the customers right on their website while they are browsing, which saves from abandoning the cart multiple times.

****How can I handle difficult customers effectively?****

First, take a deep breath and remember it’s rarely personal. Listen fully before responding – sometimes people just want to be heard. Offer concrete solutions instead of excuses. Know when to give a little (like a small discount) to solve a bigger problem.

One more tip to keep in mind: if you have a super angry customer about shipping damage, remember that customer service is important and it’s imperative to react instantly. So, immediately send a replacement with a small bonus. That can help you turn your angry customer into the biggest Instagram advocate.

****What role does automation play in e-Commerce customer support?****

Automation handles the repetitive stuff so humans can focus on complex problems. Think automatic order confirmations, shipping updates, and chatbots that answer basic questions like “What’s your return policy?” The smart plant shop I order from automatically emails care instructions based on what I purchased and sends reminders when it’s time to report – this prevents tons of support questions while making me feel taken care of.

****How can live chat improve customer satisfaction?****

Live chat catches customers right when they’re considering a purchase but have questions – like when I was about to abandon a pricey camera purchase until their chat agent explained why it was worth the investment. It feels more immediate than email but less intrusive than phone calls. 

****What are the best practices for handling returns and refunds?****

Make your policy crystal clear and easy to find. Don’t make customers jump through hoops – include return labels in the original package if possible. Process refunds quickly once items are received. Be flexible when it makes sense – that clothing store that gave me store credit past their return window earned way more of my money long-term. The best companies view returns as opportunities to learn product issues and improve, not as losses to minimize.

****How can I measure the success of my ecommerce customer service?****

Track obvious stuff like response time and resolution time, but also watch customer satisfaction scores (quick post-interaction surveys) and Net Promoter Score (would they recommend you?). Look at repeat purchase rates after service interactions – my favourite coffee subscription saw that customers who had a resolved issue spent 20% more in the following six months than those who never had problems. Also, track how many support tickets you get per 100 orders – this should decrease as you improve product descriptions and FAQs.

****What are some common mistakes to avoid in online customer support?****

The biggest fails include: making customers repeat their problem to multiple agents, hiding contact information so people can’t easily reach you, using robotic templated responses without personalizing them, promising unrealistic shipping/delivery times, and not following up after resolving issues. My worst experience was with that electronics store that transferred me three times, made me re-explain my issue each time, then promised to call back and disappeared forever – I’ll never shop there again!

Featured Image via Pixabay

1.  The Basics of Ecommerce Cybersecurity
2.  Enhance customer experiences with Generative AI
3.  How Payment Orchestration Enhances Business Efficiency
4.  Software Support: 7 Essential Reasons You Can’t Overlook
5.  Future of eCommerce: Emerging Tech Shaping Online Retail in 2024

Source

HackRead