This week on the Lock and Code podcast, we speak with Becky Holmes about how she tricks, angers, and jabs at romance scammers online.

_This week on the Lock and Code podcast…_

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of apples—the produce—to scammers requesting Apple gift cards, and she’s even tricked a scammer impersonating Mark Wahlberg that she might be experimenting with cannibalism.

Though Holmes routinely gets a laugh online, she’s also coordinated with law enforcement to get several romance scammers shut down. And every effort counts, as romance scams are still a dangerous threat to everyday people.

Rather than tricking a person into donating to a bogus charity, or fooling someone into entering their username and password on a fake website, romance scammers ensnare their targets through prolonged campaigns of affection.

They reach out on social media platforms like Facebook, LinkedIn, X, or Instagram and they bear a simple message: They love you. They know you’re a stranger, but they sense a connection, and after all, they just want to talk.

A romance scammer’s advances can be appealing for two reasons. One, some romance scammers target divorcees and widows, making their romantic gestures welcome and comforting. Two, some romance scammers dress up their messages with the allure of celebrity by impersonating famous actors and musicians like Tom Cruise, Brad Pitt, and Keanu Reeves.

These scams are effective, too, to sometimes devastating consequences. According to recent research from Malwarebytes, 10% of the public have been the victims of romance scams, and a small portion of romance scam victims have lost $10,000 or more.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Holmes about her experiences online with romance scammers, whether AI is changing online fraud, and why the rules for protection and scam identification have changed in an increasingly advanced, technological world.

>  ”I’ve seen videos of scammers actually making these real life video manipulation calls where you’ve got some guy sitting one side of the world pretending to be somewhere else completely, and he’s talking into his phone and it’s coming out on the other person’s phone as a different image with a different voice.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Corpse-eating selfies, and other ways to trick scammers (Lock and Code S06E14) 

Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.
The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate

Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects

Palo Alto, California, 30th June 2025, CyberNewsWire

**Palo Alto, California, June 30th, 2025, CyberNewsWire**

Every security practitioner knows that employees are the weakest link in an organization, but this is no longer the case. SquareX’s research reveals that Browser AI Agents are more likely to fall prey to cyberattacks than employees, making them the new weakest link that enterprise security teams need to look out for. 

Browser AI Agents are software applications that act on behalf of users to access and interact with web content. Users can instruct these agents to automate browser-based tasks such as flight bookings, scheduling meetings, sending emails, and even simple research tasks. The productivity gains that Browser AI Agents provide make them an extremely compelling tool for employees and organizations alike. Indeed, a survey from PWC found that 79% of organizations have already adopted browser agents today. 

Yet, Browser AI Agents expose organizations to a massive security risk. These agents are trained to complete the tasks they are instructed to do, with little to no understanding of the security implications of their actions. Unlike human employees, Browser AI Agents are not subject to regular security awareness training. They cannot recognize visual warning signs like suspicious URLs, excessive permission requests, or unusual website designs that typically alert employees of a malicious site. Consequently, Browser AI Agents are more likely to fall prey to browser-based attacks than even a regular employee. Even if it is possible for users to add these guardrails, the overhead required to extensively write the security risk of every task performed by the agent in every prompt would probably outweigh the productivity gains. More importantly, employees using Browser AI Agents are unlikely to have enough security expertise to be able to write such a prompt in the first place.  

With the popular open-source Browser Use framework used by thousands of organizations, SquareX demonstrated how the Browser AI Agent, instructed to find and register for a file-sharing tool, succumbed to an OAuth attack. In the process of completing its task, it granted a malicious app complete access to the user’s email despite multiple suspicious signals – irrelevant permissions, unfamiliar brands, suspicious URLs – that likely would have stopped most employees from granting these permissions. In other scenarios, these agents might expose the user’s credit card information to a phishing site while trying to purchase groceries or disclose sensitive data when responding to emails from an impersonation attack. 

Unfortunately, neither browsers nor traditional security tools can differentiate between actions performed by users and these agents. Thus, it is critical for enterprises working with Browser AI Agents to provide browser-native guardrails that will prevent agents and employees alike from falling prey to these attacks.

> Vivek Ramachandran, Founder & CEO of SquareX, warns, “The arrival of Browser AI Agents have dethroned employees as the weakest link within organizations. Optimistically, these agents have the security awareness of an average employee, making them vulnerable to even the most basic attacks, let alone bleeding-edge ones. Critically, these Browser AI Agents are running on behalf of the user, with the same privilege level to access enterprise resources. Until the day browsers develop native guardrails for Browser AI Agents, enterprises must incorporate browser-native solutions like Browser Detection and Response to prevent these agents from being tricked into performing malicious tasks. Eventually, the new generation of identity and access management tools will also have to take into account Browser AI Agent identities to implement granular access controls on agentic workflows.”

To learn more about this security research, users can visit http://sqrx.com/browser-ai-agents .

SquareX’s research team is also holding a webinar on **July 11, 10am PT/1pm ET** to dive deeper into the research findings. To register, users can click here. 

**About SquareX**

SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Find out more on www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Reveals that Employees are No Longer the Weakest Link, Browser AI Agents Are

We've seen several spikes in Android threats since the start of 2025. Here's how to protect yourself.

The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems .

Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline. 

Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

These numbers reflect a shift in strategy: Attackers are scaling operations, fine-tuning delivery, and exploiting both human psychology and systemic weak points. Take Spyloan, for example, a threat that lures targets with incredible loan conditions (low rates, no pre-check) but ends up stealing from desperate people. We saw a significant spike in May of this predatory app, which could well signal a resurgence for the summer. We’ll continue to monitor this uptick.

Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication. Threat actors are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.

Fake financial tools, predatory loan apps, and cleverly disguised “updates” aren’t just slipping through the cracks, they are being engineered with that objective in mind. Peaks in their activity often coincide with periods of personal stress, like tax season or holiday travel, suggesting a methodical approach to targeting.

As Sr. Director, Research and Development, Online Platforms at Malwarebytes, Shahak Shalev explains:

> Attackers know we trust our mobile devices implicitly—we bank on them, authenticate with them, store our entire digital lives on them. Now attackers are amping up the volume and sophistication of mobile threats. When spyware jumps 147% in five months, that tells us attackers are moving beyond simple scams to building sustainable criminal enterprises. They’re playing the long game now — developing monetization strategies for every type of data they can harvest; every user behavior they can exploit. The February spike shows this isn’t random, it’s methodical business development in the cybercrime space. 

Smishing (SMS phishing) has quickly become one of the most effective tools in the attacker’s playbook. Using AI-generated text and increasingly well-crafted lures, these campaigns are harder to spot than ever. And while smishing is rising fast, it’s not alone. We’re also seeing a growing number of PDF phishing attacks, where malicious documents act as entry points for broader compromise.

But perhaps the most systemic issue is lack of updates, with over 30% of Android devices remaining stuck on outdated operating systems. These devices are sitting ducks, because they are unable to receive critical security patches, yet are still being actively used. Combine this with counterfeit or gray-market devices that come preloaded with malware, and you’ve got a recipe for widespread exposure.

What we’re seeing isn’t a collection of one-off scams. It’s infrastructure. The Android threat landscape has matured into a network of monetization schemes that thrive on scale, persistence, and user trust. Attackers aren’t just after quick wins—they’re building operations that last.

The takeaway? Mobile security can’t be an afterthought. Individuals and organizations alike need to treat Android threats with the same seriousness as traditional desktop attacks. That means prioritizing device hygiene, avoiding sideloaded apps (where you download an app not from the Google Play store), staying current with patches where possible, and educating users about the social engineering tactics that increasingly underpin these attacks.

**How to protect your Android device**

Google Play Protect is a built in security feature from Android that automatically protects users against apps that engage in malicious behavior. That’s great, but we still see malware campaigns that are spread, partially or as a whole, through the Google Play Store.

To keep your devices free from Android malware:

*   Get your apps from the Google Play store whenever you can.
*   Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? Permissions like “Display over other apps” should particularly raise a red flag, because they can be used to intercept login credentials.
*   Don’t allow notifications as much as possible. Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
*   Use up-to-date and active security software on your Android.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android threats rise sharply, with mobile malware jumping by 151% since start of year 

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.

****Vulnerable Control Systems Highlighted****

The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

****Broader Threats to Essential Services****

This incident is not isolated as such intrusions into vital infrastructure have occurred in the past. For instance, Hackread.com reported in April 2023, that Israel faced a wave of cyberattacks, with authorities believing they were part of OpIsrael, a campaign by pro-Palestinian hackers.

Among the targets were Israel’s irrigation systems, which saw several water monitors malfunction. The targets included irrigation and wastewater treatment systems in areas like the Hula Valley, the Jordan Valley, and the Galil Sewage Corporation. These cases show how simple vulnerabilities, like easy-to-guess passwords, can be exploited by threat actors.

****Lessons for Critical Infrastructure Protection****

While this particular facility primarily serves a fish farm and is not connected to Norway’s power grid, the incident shows a critical security lesson for essential infrastructure worldwide. It demonstrates how easily basic security failures, especially weak credentials, can compromise vital systems.

It also highlights that remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices. The fact that the attack persisted for four hours undetected also indicates the importance of sufficient monitoring for critical infrastructure like dams. Effective cybersecurity practices, including strong passwords and multi-factor authentication (requiring more than one way to prove identity), are crucial for protecting these essential services.

Norwegian Dam Valve Forced Open for Hours in Cyberattack

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Ahold Delhaize Confirms Data Breach of 2.2M amid INC Ransomware Claims

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-358m-fq53-hp87: akka-cluster-metrics uses Java serialization for cluster metrics

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.
This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.

Users are recommended to upgrade to version 2.3.0, which fixes the issue.

GHSA-m964-fjrh-xxq2: Apache Seata Vulnerable to Deserialization of Untrusted Data

Plus: US feds charge alleged masterminds behind infamous forum, Scattered Spider targets airlines, and hackers open a valve at a Norwegian dam.

WIRED published a shocking investigation this week based on records, including audio recordings, of hundreds of emergency calls from United States Immigration and Customs Enforcement (ICE) detention centers. The calls—which include reports of incidents of staff sexual assaults, suicide attempts, and head injuries—indicate a system inundated by life-threatening incidents, delayed treatment, and overcrowding.

In a 6-3 decision on Friday, the US Supreme Court upheld a Texas porn ID law, finding that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned that this determination ignores First Amendment precedent and will have privacy implications for adults.

Looking at the US bombing of Iranian nuclear sites last weekend, President Donald Trump posted initial announcements of the strikes on the social Network Truth Social, which then began suffering intermittent outages. And WIRED reported on assessments of the damage to the nuclear sites based on satellite photos taken before and after the bombing.

Meanwhile, Taiwan is scrambling to make its own unmanned aerial vehicles domestically as drones increasingly become a crucial weapon of war. The urgency comes as a potential conflict with China looms. And Telegram launched a purge of Chinese cryptocurrency markets last month, banning black markets that sold tens of billions of dollars in crypto-scam-related services. Now, though, the markets are rebranding and bouncing back with no further action from the communication platform.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Immigration and Customs Enforcement (ICE) is now using a mobile app called Mobile Fortify that allegedly allows agents to identify individuals by pointing a smartphone at their face or capturing contactless fingerprints, 404 Media reports. The app reportedly taps into government databases, including Customs and Border Protection’s Traveler Verification Service and a DHS biometric intelligence system, in an attempt to match facial images taken in the field against prior government-collected records. ICE says the tool is intended to help officers identify “unknown subjects,” but civil liberties advocates tell 404 Media that it may open the door to surveillance-driven profiling and wrongful arrests.

Nathan Freed Wessler of the ACLU told the site, “Face recognition technology is notoriously unreliable, frequently generating false matches and resulting in a number of known wrongful arrests across the country. Immigration agents relying on this technology to try to identify people on the street is a recipe for disaster. Congress has never authorized DHS to use face recognition technology in this way, and the agency should shut this dangerous experiment down."

**US Feds Charge Group of Alleged Hackers Behind a Notorious Cybercrime Forum**

Global law enforcement this week announced the bust of a group of alleged cybercriminal hackers accused of carrying out years of profit-focused data breaches and running a notorious cybercriminal forum and market known as Breachforums. French authorities arrested four members of the group who went by the names “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” though the police sources who shared the news with the French newspaper Le Parisien didn’t reveal the suspects’ real names. The US Justice Department, meanwhile, criminally charged Kai West, a young British man, with carrying out a broad, years-long hacking spree under the handle “Intelbroker” that inflicted $25 million total damage against victims before he was arrested in February. In addition to hacking and selling vast troves of stolen data, the group—or at least some subset of its members—appears to have served as administrators for Breachforums, a notorious sales forum for cybercriminal information and tools that was shut down in a law enforcement operation in 2023 but was later relaunched by its staff.

**Scattered Spider Hackers Shift Their Targeting to the Airline Industry**

The loose cybercriminal gang known as Scattered Spider has carried out data theft and ransomware incidents for years, most recently targeting the grocery industry, other retailers, and the insurance industry in the US and the UK. Now cybersecurity analysts at Mandiant and Palo Alto Networks say the group is turning their attention to the aviation and transportation sector. Specifically, hackers were behind a cybersecurity incident last week that took down some IT systems and the mobile app for Canadian airline WestJet, Axios reports. Now Hawaiian Airlines has said it’s experiencing a “cybersecurity incident” affecting its network, though it hasn’t yet revealed more details or any evidence that Scattered Spider is responsible. Cybersecurity firms tracking the group warn that other potential aviation and transportation industry targets should be on the lookout for the group, which often uses sophisticated social engineering to trick staff into letting them bypass multi-factor authentication and gain a foothold on target systems.

**Hackers Breach a Norwegian Dam to Open Valve**

Here’s a curiosity that we missed a couple weeks ago: A rare industrial control system hijacking incident in which an unknown hacker appears to have messed with the computer systems that control the Lake Risevatnet dam in southwest Norway, opening a valve to its maximum setting. The tampering, the motivation for which was far from clear, increased the dam’s water flow by nearly 500 liters a second, but didn’t come close to approaching a dangerous level. No one appears to have spotted the change for close to four hours. Officials told the Norwegian energy news outlet Energiteknikk, which broke the story, that a weak password on a web-accessible control panel allowed the unauthorized access.

ICE Rolls Facial Recognition Tools Out to Officers' Phones

A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Tag

#auth