The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

Source: Olga Yastremska via Alamy Stock Photo

NEWS BRIEF

Victims of online scams are being deterred from coming forward for fear of being associated with language like "pig butchering," a phrase used to describe long-con romance fraud schemes, according to Interpol, which has released an awareness campaign advocating for the use of "romance baiting" in its place.

Romance-baiting cybercrimes start with a fake relationship, in which the target "pig" is "fattened up" before they are scammed into sending money, then "butchered" and subsequently ghosted once they've handed over the "whole hog" of their assets. Once victims realize they've been manipulated and scammed, they're left heartbroken and embarrassed, and further labeling them as a pig isn't helpful, Interpol argues as part of its wider "Think Twice" campaign.

Run by sprawling international cybercrime operations, pig butchering scams cost victims billions every year. One large pig butchering operation was discovered to be running full-fledged call centers staffed by forced labor in Cambodia, Laos, and Myanmar, raking in more than $60 billion over the past three years. The pig butchering tactic has likewise been used in the war between Russia and Ukraine.

"Academic research clearly shows the links between the tactics of fraudsters and of perpetrators of domestic abuse and coercive control," Dr. Elisabeth Carter, associate professor of criminology and forensic linguist at Kingston University London, said in a statement from Interpol. "It is imperative that we do not adopt the terminology of these criminals but instead use terms that assist public protection and support victim reporting."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Interpol: Can We Drop the Term 'Pig Butchering'?

The National Defense Authorization Act passed today, but lawmakers stripped language that would keep the Trump administration from wielding unprecedented authority to surveil Americans.

The US Senate passed the National Defense Authorization Act (NDAA) on Wednesday after congressional leaders earlier this month stripped the bill of provisions designed to safeguard against excessive government surveillance. The “must-pass” legislation now heads to President Joe Biden for his expected signature.

The Senate’s 85–14 vote cements a major expansion of a controversial US surveillance program, Section 702 of the Foreign Intelligence Surveillance Act (FISA). Biden’s signature will ensure that the Trump administration opens with the newfound power to force a vast range of companies to help US spies wiretap calls between Americans and foreigners abroad.

Despite concerns about unprecedented spy powers falling into the hands of controversial figures such as Kash Patel, who has vowed to investigate Donald Trump’s political enemies if confirmed to lead the FBI, Democrats in the end made little effort to rein in the program.

The Senate Intelligence Committee first approved changes to the 702 program this summer with an amendment aimed at clarifying newly added language that experts had cast as dangerously vague. The vague text was introduced into the law by Congress in April, with Democrats in the Senate promising to correct the issue later this year. Ultimately, those efforts proved to be in vain.

Legal experts began issuing warnings last winter over Congress’s efforts to expand FISA to cover a vast range of new businesses not originally subject to Section 702’s wiretap directives. While reauthorizing the program in April, Congress changed the definition of what the government considers an “electronic communications service provider,” a term applied to companies that can be compelled to install wiretaps on the government’s behalf.

Traditionally, “electronic communications service providers” refers to phone and email providers, such as AT&T and Google. But as a result of Congress redefining the term, the new limits of the government’s wiretap powers are unclear.

It is widely assumed that the changes were intended to help the National Security Agency (NSA) target communications stored on servers at US data centers. Due to the classified nature of the 702 program, however, the updated text purposefully avoids specifying which types of new businesses will be subject to government demands.

Marc Zwillinger, one of the few private attorneys to testify before the nation’s secret surveillance court, wrote in April that the changes to the 702 statute mean that “any US business could have its communications \[wiretapped\] by a landlord with access to office wiring, or the data centers where their computers reside,” thus expanding the 702 program “into a variety of new contexts where there is a particularly high likelihood that the communications of US citizens and other persons in the US will be ‘inadvertently’ acquired by the government.”

Despite such warnings, Senate Democrats rushed to reauthorize the 702 program in April with the nebulous language attached. In a floor speech urging his colleagues to temporarily disregard the concerns, Mark Warner, chair of the Senate Intelligence Committee, vowed to amend the law again before the end of year. As of Wednesday it was clear he could no longer keep that pledge.

Text approved in June by Warner’s committee aimed to clarify the scope of the 702 program but was excised from the text of the NDAA earlier this month, reportedly at the urging of Ohio Republican Mike Turner, chair of the House Intelligence Committee, among others. WIRED reported in March that Turner had defended the 702 program during a closed briefing on Capitol Hill, using images of anti-war protesters at US universities to suggest that the spy powers were needed to ferret out potential ties between American students and Hamas. (No such ties have been reported.)

Wiretap orders issued under the 702 program permit the government to secretly eavesdrop on the calls and messages of foreigners, who generally lack any right to privacy under US law. The wiretaps, however, also routinely capture Americans in private conversation, despite constitutional limits that typically forbid such surveillance without a judge’s consent.

Notably, wiretap orders executed under Section 702 are never reviewed by a federal judge. Calls, texts, and emails collected under the program may be stored by the government for up to five years and will be accessed in some cases by the FBI. The bureau maintains its own Section 702 database, which is regularly used to develop leads in cases unrelated to why the wiretaps were originally collected.

An aide to Warner tells WIRED that the senator acknowledges that the changes to Section 702 this year are “overly broad,” adding that he’s aware the language must be “further narrowed.” Warner remains committed to fixing the law, said the aide, “whether it’s in this Congress or the next.”

The botched effort to check the government’s surveillance powers comes as the US national security establishment braces for what’s likely to be one of its most significant shakeups in decades. FBI director Chris Wray announced plans last week to voluntarily step down at the conclusion of Biden’s term, potentially clearing the way for a Republican-controlled Congress to fast-track Patel’s confirmation.

Patel has falsely accused Biden of rigging the 2020 presidential election and has vowed to bring cases “criminally or civilly” against members of the press. Trump has likewise pledged to investigate major news outlets that he has vaguely accused of “threatening treason.” Last week, Senate Republicans kneecapped an attempt by Democratic lawmakers to pass bipartisan legislation that would have shielded US journalists from government spying—likely a reaction to Trump issuing an command on Truth Social to “kill” the bill.

Privacy advocates on both sides of the aisle made failed attempts over the past year to limit the FBI’s access to Americans’ communications without a warrant. The calls for reform followed revelations that the 702 program had been inadvertently abused by FBI employees to conduct searches for the private messages of former and current federal officials, political commentators, and journalists. Other searches unlawfully performed at the FBI targeted a US senator, a state senator, and a state court judge.

According to the Privacy and Civil Liberties Oversight Board, US intelligence analysts have also abused the program to investigate potential sexual partners and potential tenants.

While the 702 program purportedly exists to exclusively further the government’s counterintelligence goals, surveillance experts say its scope likely extends far beyond terrorism and cyber threats, encompassing activities described as falling under the broad scope of US “foreign affairs.” Foreign journalists, government officials, and citizens of friendly nations never accused of a crime are just as likely to be deemed legitimate targets as foreign criminals and members of known terrorist organizations.

A separate amendment excised by congressional leaders from the NDAA, known as as the “Fourth Amendment Is Not For Sale Act,” was passed by the House of Representatives in April. Introduced initially as a standalone bill, the amendment would have banned the federal government from purchasing Americans’ location data without a warrant.

As WIRED has previously reported, US intelligence agencies have acknowledged purchasing large quantities of commercial data on US citizens, including information for which police normally require a warrant.

In a declassified report published last year, the Office of the Director of National Intelligence confirmed that the ocean of personal data being bought up by the government was highly sensitive, and that, in the wrong hands, it could be used to “facilitate blackmail” and other serious crimes.

Congress Again Fails to Limit Scope of Spy Powers in New Defense Bill

The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

Source: JHG via Alamy Stock Photo

NEWS BRIEF

The Russian government has set a new precedent for itself by officially designating Recorded Future, the cyber threat intelligence (CTI) company, as "undesirable." It's a development that the company's CEO sees as a badge of honor.

The term is the country's official parlance for sanctioning, and it means that Recorded Future won't be able to operate within Russia or interact with any Russian companies or individuals. It's a status that was first introduced in 2015 as a way to cut off Russian citizens from the influence of nongovernmental organizations (NGO), media organizations, and other members of civil society that call out human rights abuses and other concerns about Vladimir Putin's regime, which is widely characterized as repressive and authoritarian.

Recorded Future is the first infosec organization and one of very few businesses to "earn" the designation, though the Russia Federation's Office of the Prosecutor General incorrectly labeled it as an NGO in its Dec. 18 announcement about the "undesirable" labeling.

Among the company's supposed crimes against the state: being funded by American businesses; providing services for searching, processing, and analyzing data including on the Dark Web; "specializing in cyber threats"; and actively interacting with the CIA and other foreign intelligence forces.

The Prosecutor General also called out the company, which incidentally is being acquired by Mastercard for $2.65 billion, for spreading "propaganda" and engaging in "offensive information campaigns" regarding its war with Ukraine, tracking Russian Army activities, and feeding intelligence to the Ukrainian authorities.

For his part, Recorded Future CEO Christopher Ahlberg took the news better than in stride, posting on X, "Some things in life are rare compliments. This being one."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

****KEY SUMMARY POINTS****

*   **FBI Alert on HiatusRAT**: The FBI issued a Private Industry Notification (PIN) warning about HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs, leveraging remote access for device infiltration.

*   **Evolving Cyber Threat**: HiatusRAT, active since 2022, has been used to exploit outdated network devices, Taiwanese organizations, and a US government server. Recent campaigns focus on webcams and DVRs across the US, Canada, the UK, Australia, and New Zealand.

*   **Exploitation of Vulnerabilities**: Hackers are exploiting unpatched security flaws in devices like Hikvision and D-Link using tools like Ingram and Medusa, targeting TCP ports such as 23, 554, and 8080.

*   **Mitigation Efforts**: The FBI recommends isolating vulnerable devices from networks, implementing multi-factor authentication, enforcing strong password policies, and promptly updating firmware and software.

*   **Collaborative Response**: Sonu Shankar, a former federal critical infrastructure official, is collaborating with CISOs to address the escalating threat posed by these campaigns.

The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting Chinese-branded web cameras and DVRs. These attacks leverage a remote access trojan (RAT) called HiatusRAT, which grants remote access to compromised devices. 

HiatusRAT has been evolving since at least July 2022, and cybercriminals have used it to infiltrate outdated network devices, Taiwanese organizations, and even a US government server. Previous HiatusRAT campaigns have targeted edge routers to collect traffic passively and function as a covert command-and-control network. In March 2024, HiatusRAT actors launched a large-scale scanning campaign focusing on webcams and DVRs in the US, Canada, UK, Australia, and New Zealand.

Hackers are exploiting security weaknesses in devices like Hikvision cameras and D-Link devices as many vendors haven’t addressed critical vulnerabilities like CVE-2017-7921 (Hikvision cameras), CVE-2020-25078 (D-Link devices), CVE-2018-9995, CVE-2021-33044, and CVE-2021-36260, among others.

They are exploiting unpatched flaws targeting devices with telnet access, an insecure remote access protocol, and even brute-forcing access. The actors targeted Xiongmai and Hikvision devices with telnet access using webcam-scanning tools Ingram and Medusa.

“They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access,” the **PIN** (PDF) read. Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.

The FBI advises companies to limit the use of devices mentioned in the PIN and isolate them from their network. They should regularly monitor networks and employ best cybersecurity practices, including reviewing security policies, user agreements, and patching plans.

Furthermore, companies should patch and update operating systems, software, and firmware as soon as manufacturer updates are available change network system and account passwords regularly, enforce a strong password policy, and require multi-factor authentication whenever possible.

1.  **FBI: Chinese Hackers Compromised US Telecom Networks**
2.  **Tech Support Courier Scam Aiming at Cash and Metals, FBI**
3.  **FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet**
4.  **FBI: Androxgh0st Malware Building Botnet for Credential Theft**
5.  **FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking**

FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs

Many professionals juggle multiple document formats, leading to confusion and wasted time. Imagine a streamlined process that simplifies…

Many professionals juggle multiple document formats, leading to confusion and wasted time. Imagine a streamlined process that simplifies your tasks and enhances overall productivity, allowing you to focus on higher-priority tasks. Grasping online document solutions can be the game-changer you need, helping you manage your files easily and confidently while minimising errors and boosting efficiency.

****The Importance of Online Document Solutions****

Online document tools have revolutionised the way we work. Traditional methods of editing and sharing documents can be time-consuming and cumbersome. These tools offer a practical approach to managing various file formats, ensuring that tasks are completed swiftly and easily. Features like a PDF editor allow users to modify documents directly without converting them to another format, ensuring your workflow remains uninterrupted.

By integrating them into your work routine, you can greatly reduce the time spent on document-related issues, allowing you to focus on what truly matters: your core responsibilities.

Consider a professional who constantly handles contracts and proposals. Using a user-friendly document solution, they can quickly edit text, add signatures, and share files seamlessly with colleagues and clients. This saves time and enhances collaboration, making the entire process more efficient and streamlining communication across teams.

****Key Features That Enhance Your Workflow****

Several standout features make online document solutions indispensable for everyday tasks. These tools typically offer functionalities such as drag-and-drop editing, real-time collaboration, and secure cloud storage, which allow users to manage documents without extensive training or technical knowledge.

One of the most beneficial features is real-time collaboration. This aspect enables multiple users to edit a document simultaneously, fostering instant feedback and communication. For instance, a marketing team working on a presentation can collaboratively edit slides, ensuring contributions from all members are incorporated seamlessly. This speeds up the process and improves the final output’s quality, making teamwork more effective.

Another critical feature is secure cloud storage. With documents stored online, users can access their files from any device with internet connectivity. This flexibility is especially advantageous for remote work, where teams can stay connected regardless of geographical location. Proper security measures protect sensitive data from unauthorised access, giving users peace of mind when handling confidential information.

Moreover, these platforms often include conversion capabilities, enabling users to switch between different file formats without hassle. For example, converting a Word document to an editable format can be done in seconds, facilitating quick adjustments and updates. Incorporating these features into your routine can drastically reduce the friction often associated with document management.

****Unique Use Cases That Save Time and Resources****

Besides basic editing, online document solutions cater to various specific needs that can further streamline your work routine. One unique use case is the ability to create templates for frequently used documents. Teams can save and reuse these templates instead of starting from scratch each time, significantly reducing repetitive tasks.

For example, a human resources team might create onboarding templates for new hires that encompass essential forms and information. Using a standardised template can ensure consistency and completeness while saving valuable time.

Additionally, businesses often require document-signing capabilities, especially in sectors like real estate or legal services. Online solutions provide electronic signing options that are legally binding and secure. This feature allows quicker approvals and transactions without the delays of traditional signing processes.

Consider a sales team that sends contracts to clients for electronic signatures. This approach enables prompt responses that keep the sales cycle moving forward. This level of efficiency is beneficial for business and enhances customer satisfaction. Customers appreciate a smooth, quick process when engaging in transactions, leading to stronger relationships and increased loyalty.

****Best Practices for Implementing Online Solutions****

Integrating these document solutions into your everyday work life can seem daunting, but it can become second nature with a few steps. Start by identifying the tasks that consume the most time in your workflow. Explore the features of online solutions that can address these pain points and gradually adopt them in your daily tasks.

When beginning with online document tools, it’s advisable to prioritise learning the basics. Familiarise yourself with crucial functions like editing, sharing, and saving files. Most platforms provide tutorials, webinars, or help centres that can expedite the learning process. Engaging with these resources ensures you’re maximising the platform’s capabilities.

Customise your workspace to suit your preferences. Most online solutions allow users to adjust settings and layouts, making navigation more intuitive. Take time to set up your dashboard to highlight the tools you frequently use, minimising unnecessary clicks and improving overall efficiency.

Another best practice is to set clear guidelines for document organisation within your team or organisation. Establish a systematic approach to naming files and creating folders, ensuring everyone follows the same structure. This consistency makes it easier to locate documents quickly, reducing frustration during busy periods.

Moreover, consider hosting regular training sessions to update teams on new features and best practices. Sharing knowledge within the team helps everyone stay aligned and promotes a culture of continuous improvement. Encourage team members to share tips and shortcuts they discover, fostering a collaborative learning environment.

****Using Automation to Streamline Tasks****

Automation is another powerful feature found in many online document solutions. Automating repetitive tasks, such as sending reminders for document reviews or approvals, can significantly reduce manual workload. This allows teams to focus on higher-priority activities that require more strategic thinking.

For example, if a project involves multiple stakeholders needing to approve a proposal, setting up automated reminders can help keep everyone accountable. This ensures that documents move through the approval process smoothly without unnecessary delays.

Integrating automation with other tools can also enhance efficiency. Many online document platforms can connect with project management tools, email services, and calendars. This integration enables professionals to manage their workflow seamlessly, ensuring all processes remain interconnected and efficient.

By embracing automation and streamlining your routine, you can create a more agile workspace that adapts quickly to changing demands. As tasks become quicker and easier to manage, your overall productivity will improve, allowing you to achieve more with less effort.

1.  How to eSign Documents Online for Free
2.  Efficient Document Merging Strategies for Professionals
3.  5 PDF Tricks to Know To Improve Document Productivity
4.  Simple Yet Vital Tips to Send Documents Securely via Email
5.  PDF Security – How To Keep Sensitive Data Secure in a PDF File

Maximizing Productivity with Online Document Solutions

### Impact
An issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects.

Because of this, if the following conditions are met a player may assume the login state of a previously connected player:
1. The server has UUID login enabled
2. An authenticated player disconnects
3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection
4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player


### Patches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

### Workarounds
Implement a RemoteClient reset event handler in a plugin like so:
```csharp
public override void Initialize()
{
        On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
	client.ClientUUID = null;
        orig(client);
}
```



**Impact**

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, if the following conditions are met a player may assume the login state of a previously connected player:

1.  The server has UUID login enabled
2.  An authenticated player disconnects
3.  A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
4.  The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player

**Patches**

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

**Workarounds**

Implement a RemoteClient reset event handler in a plugin like so:

public override void Initialize()
{
        On.Terraria.RemoteClient.Reset += RemoteClient\_Reset;
}

private static void RemoteClient\_Reset(On.Terraria.RemoteClient.orig\_Reset orig, RemoteClient client)
{
	client.ClientUUID \= null;
        orig(client);
}

**References**

*   GHSA-hvm9-wc8j-mgrc
*   Pryaxis/TShock@5075997

GHSA-hvm9-wc8j-mgrc: TShock Security Escalation Exploit

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Source: Anatolii Babii via Alamy Stock Photo

Attackers are spoofing Google Calendar invites in a fast-spreading phishing campaign that can bypass email protections and aims to steal credentials, ultimately to defraud users for financial gain.

The campaign, discovered by researchers at Check Point Software, relies on modified "sender" headings to make emails appear as if they were sent via Google Calendar on behalf of a legitimate entity, such as a trusted brand or individual, they revealed in a blog post published Dec. 17.

Initially, messages included malicious Google Calendar .ics files that would lead to a phishing attack, the threat hunters wrote. However, "after observing that security products could flag malicious Calendar invites," attackers began aligning those files with links to Google Drawings and Google Forms to better disguise their activity.

**Mass-Scale Financial Scamming Is the Goal**

Given that Google Calendar is used by more than 500 million people and is available in 41 different languages, the campaign provides a massive attack surface, so "it is no wonder it has become a target for cybercriminals" seeking to compromise online accounts for financial gain, the team noted.

"After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar, illicit activities," the researchers wrote in the post. Stolen data also can be used to bypass security measures on other victim accounts to lead to further compromise, they added.

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Attackers also are moving fast with the campaign, with researchers observing more than 4,000 emails associated it in a four-week period. In those messages, attackers used references to about 300 brands in their fake invites to make them appear authentic, they wrote.

**What a Google Calendar Phish Looks Like**

A message associated with the campaign looks like a typical invite from Google Calendar in which someone known to or trusted by the individual targeted shares a calendar invite with them. The appearances of the messages vary, with some that really look almost identical to typical Google Calendar notifications, "while others use a custom format," the team wrote.

As noted previously, the emails include a calendar link or file (.ics) that includes a link to Google Forms or Google Drawings in an attempt to bypass email-scanning tools. Once a user takes the bait, they are then asked to click on another link, "which is often disguised as a fake reCAPTCHA or support button," that forwards them to a page "that looks like a cryptocurrency mining landing page or bitcoin support page," according to the post.

Related:Wallarm Releases API Honeypot Report Highlighting API Attack Trends

"These pages are actually intended to perpetrate financial scams," the team wrote. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

**How to Avoid Becoming a "Google" Phishing Cyber Victim**

Check Point contacted Google about the campaign, which recommended that Google Calendar users enable the "known senders" setting in the app to help defend against this type of phishing. This setting will alert a user when they receive an invitation from someone not in their contact list or someone with whom they have not interacted with from their email address in the past, the company said.

Corporate defenders can used advanced email security solutions that can identify and block phishing attacks that manipulate trusted platforms with the inclusion of attachment scanning, URL reputation checks, and AI-driven anomaly detection, the Check Point team wrote.

Organizations also should monitor the use of third-party Google Apps and use cybersecurity tools that can specifically detect and warn its security teams about suspicious activity on third-party apps.

Related:Texas Tech Fumbles Medical Data in Massive Breach

Finally, two often-cited pieces advice for organizations when recommending phishing defense — the use of multifactor authentication (MFA) across business accounts and employee training on sophisticated phishing tactics — also can work in cases like this to shore up security.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen?

Pallet liquidation scams target people looking to purchase pallets of supposedly discounted merchandise, often from major retailers like Amazon.

Groups that engage in pallet liquidation sales are rampant on social media and it’s hard to discern the scammers from the legitimate ones (to be honest, I’ve always thought they were all scams, until someone told me there are legitimate ones), let alone the grey area in between.

The scams are based on the fact that many products are returned and can not be sold again for various reasons. But companies also offer overstock and out-of-season apparel for sale. Most of these companies have the first buyers sign non-disclosure agreements (NDAs) so when you scroll through different legitimate liquidation websites and marketplaces the origin of the pallet is almost never stated.

Depending on the reason of sale and the origin, the pallets may include a large quantity of one product or a mix of products, such as overstock or discontinued items, customer returns, or refurbished goods.

Given that the pallet liquidation market is a billion-dollar industry, it inevitably attracts scammers seeking to grab a piece of the action without putting in the work or risk.

In social media groups that specialize in pallet liquidation, you’ll find advertisements that promise valuable merchandise at significantly discounted prices, such as electronics, tools, or other high-demand items.

Facebook pallet liquidation ad

You’ll also see sponsored ads on social media about pallet sales (note: these are almost always fake).

The risk of not receiving what you have paid for is an obvious one, but some of these scammers will go the extra mile and set up fake websites where they will try and harvest payment details.

**How to steer clear of pallet liquidation scams**

If you’re really looking to try your luck at this, there are a few tips that can help you get your money’s worth.

The first thing to keep in mind is the higher up you are in the chain, the better your chances of making a profit are. It usually also means buying large quantities (I’m talking about truckloads) and larger investments. And most sellers do not have a return policy. I realize the large shipments are not for everyone, so here are some things to remember:

**Red flags:**

Unbelievable prices. The people you’re buying from are not stupid. If they are offering goods for unbelievable prices, don’t take their word for it.

Payment methods. Sellers who insist on payment methods that do not offer buyer protection are likely scammers.

Only payment options without buyer protection

Lack of manifest. Sellers that are unwilling to disclose any information about the content of a pallet shouldn’t be trusted. There is definitely a higher risk of damaged items.

Time pressure. Slogans like “Act now!” or “Only 3 left” are often used to create a false sense of urgency, hoping victims will purchase without applying the research below.

**Research the seller:**

Find **contact information** and check the validity. Legitimate liquidation sites provide clear and easily accessible contact details, including physical address, phone number, and email address. Be wary of sites that lack this information or provide vague or unreliable contact details.

Verify the **physical address** of the liquidation site through online maps or directories. A legitimate company is more likely to have a verifiable physical presence. After all, you can hardly receive these pallets in a PO box.

For a website you can use online tools to find the **domain age and registration**. Legitimate domains have a longer history so they are easier to research. New domains should be regarded as suspicious, since scammers have the habit of moving on to the next domain leaving bad reviews behind.

Check if the website is listed on the Better Business Bureau (BBB) website and **review their rating and any associated complaints**. It also allows you to check how long they’ve been in business.

Do an **online search** for the name of the company and combine it with terms like “scam” or “complaint” to help you find problems others may have run into in dealing with this company.

Don’t trust **sponsored ads.** We have heard of scammers that can afford to pay millions to advertise on Meta, Google, and other platforms and still make a handsome profit.

Use **web protection** like Malwarebytes Browser Guard. It flags malicious websites and credit card skimmers that steal your information.

**Too late?**

If you suspect that your payment card details have been stolen, these are the recommended actions:

*   Regularly check account and card statements and notify your bank about any suspicious activity.
*   Where possible, set up fraud alerts with your bank or payment card provider.
*   Change the password and enable multi-factor authentication if you haven’t already.
*   Freeze your credit so nobody can open any new accounts in your name.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#auth