Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

The consequences of a wave of credit card skimmers—which is normal around the holidays—are starting to show.

Label maker Avery has filed a data breach notification, saying 61,193 people may have had their credit card details stolen.

On December 9, Avery said it became aware of an attack on its systems. An investigation showed that cybercriminals had inserted malicious software that was used to “scrape” credit card information used on its website. This credit card skimmer was active between July 18, 2024, and December 9, 2024.

Avery has sent emails to affected customers to let them know their data has been stolen.

The information potentially included:

*   First and last name
*   Billing and shipping address
*   Email address
*   Phone number if provided
*   Payment card information including CVV number and expiration date
*   Purchase amount

Avery says it has received a number of reports from affected customers who said that they incurred a fraudulent charge and/or received a phishing email.

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’re unlikely to even know it is there. Card skimmers are experts in injecting JavaScript code, especially on web shops which heavily rely on that type of code, which increases the chance that the extra code will not stand out. Sadly, card skimmers are all too commonplace, but there are things you can do to prevent your details being caught by one.

**How to protect yourself from card skimmers**

*   **Run a security solution and keep it up to date**. Most antivirus products—including Malwarebytes Premium—offer some kind of web protection that detects malicious domains and IP addresses.
*   **Enable in-browser protection**. Malwarebytes Browser Guard—a browser extension available for Chrome, Edge, Firefox and Safari—blocks card skimmers. It also stops annoying ads and trackers, warns about breaches, and flags malicious websites. You can see it in action here, blocking a piece of JavaScript hosted on an otherwise legitimate site:

Malwarebytes Browser Guard blocks credit card skimmer JavaScript

*   **Keep an eye on your financial statements**. Regularly check your online bank and credit card statements. Flag anything that seems suspicious.
*   **Set up identity and credit monitoring**. Identity monitoring alerts you if your personal information is found being illegally traded online, and helps you recover after. Credit monitoring tracks your credit report and borrowing behavior and alerts you if anything changes. A breached company may offer this as a service to you (like Avery is), but you can also get different levels of monitoring solutions, depending on your individual need.

More information on how to act after falling victim to a data breach can be found in our article: **Involved in a data breach? Here’s what you need to know**.

 Avery had credit card skimmer stuck on its site for months 

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

The digital era has revolutionized how businesses operate, bringing unprecedented opportunities and challenges. Among the most pressing challenges are the ever-growing and sophisticated cyber threats. From crippling ransomware attacks to insidious phishing campaigns, organizations face a mounting need to defend their digital assets effectively.

In this complex landscape, threat detection, investigation, and response (TDIR) has become a cornerstone of modern cybersecurity. Unlike traditional, siloed approaches, TDIR integrates advanced technologies, skilled professionals, and well-defined processes into a unified framework. This holistic strategy empowers organizations to anticipate, identify, and address threats swiftly, fortifying both their security posture and operational resilience.

**Threat Detection: The First Line of Defense**

Cybersecurity begins with visibility — the ability to identify anomalies before they evolve into full-blown incidents. Threat detection serves as a digital sentinel, continuously monitoring systems for suspicious activities or deviations from the norm.

Take, for example, an instance where an employee's account starts downloading large volumes of sensitive data during non-business hours. While this may appear routine, sophisticated detection tools like security information and event management (SIEM) or endpoint detection and response (EDR) systems can flag such behavior as potentially malicious. These tools analyze vast amounts of data in real-time, enabling security teams to prioritize and respond to critical alerts.

**Real-World Applications of Threat Detection**

*   Phishing attacks: A SIEM solution identifies multiple failed log-in attempts from international IP addresses, signaling a targeted phishing campaign.
    
*   Ransomware: EDR platforms detect unusual file encryption patterns, catching ransomware in its early stages.
    
*   Insider threats: User and entity behavior analytics (UEBA) uncover unauthorized attempts to access sensitive files, potentially indicating insider malfeasance.
    

**Investigation: Unveiling the Bigger Picture**

Detection alone is not enough. Once a potential threat is identified, the investigation phase provides the context necessary to understand its origin, scope, and potential impact. This process is akin to piecing together a digital jigsaw puzzle to form a coherent narrative of the attack.

**Case Study**

A supply chain attack compromises an organization's network via a vulnerable third-party vendor. An investigation reveals that attackers exploited outdated software in the vendor's systems to gain unauthorized access.

During this phase, security teams leverage tools such as extended detection and response (XDR) platforms to correlate events, validate alerts, and construct a detailed timeline of the incident.

**Key Techniques in Threat Investigation**

*   Root cause analysis: Identifying vulnerabilities such as unpatched software or weak passwords.
    
*   Event correlation: Connecting seemingly unrelated events, such as unusual file transfers and login attempts, to reveal a coordinated attack.
    
*   Threat intelligence integration: Enriching investigations with external threat data to understand attacker tactics and methodologies.
    

**Response: Neutralizing the Threat**

The final phase of TDIR is response — an organized effort to contain, mitigate, and recover from the threat. The success of this phase hinges on speed, precision, and collaboration across teams.

**Example Scenario**

A university detects a ransomware attack encrypting files across its network. The incident response team acts swiftly to isolate infected systems, restore critical data from secure backups, and patch vulnerabilities exploited by the attackers. Post-incident, the university implements enhanced email filtering and endpoint protection to prevent future attacks.

**Key Response Strategies**

*   Containment: Isolating affected accounts or systems to limit the threat's impact.
    
*   Remediation: Eliminating malicious code, closing security gaps, and strengthening defenses.
    
*   Recovery: Restoring normal operations through reliable backups while leveraging lessons learned to refine future response protocols.
    

**The Value of TDIR in Modern Cybersecurity**

Organizations that adopt a comprehensive TDIR framework gain a competitive edge in cybersecurity. Here are some of the key benefits:

*   Enhanced visibility: Continuous monitoring across endpoints, networks, and cloud environments ensures a clear understanding of the security landscape.
    
*   Faster response times: Automated workflows and well-defined playbooks reduce the time taken to address incidents, minimizing damage.
    
*   Cost savings: Early detection and efficient response mechanisms lower the financial and reputational costs of breaches.
    
*   Regulatory compliance: A robust TDIR framework supports adherence to compliance standards like GDPR, HIPAA, and CCPA by ensuring effective threat management.
    

**TDIR in Action: Learning From Real-World Scenarios**

*   Healthcare data breach: A hospital responds to a ransomware attack by isolating compromised systems, restoring data from secure backups, and enhancing access controls to prevent recurrence.
    
*   Retail supply chain attack: A retailer mitigates a breach caused by a third-party vendor by implementing stronger third-party risk management practices and network segmentation.
    
*   Insider threat in banking: A financial institution uncovers unauthorized actions by an employee, leading to immediate corrective measures and stricter privileged access management.
    

**Proactive Defense Through TDIR**

In today's threat-filled digital landscape, TDIR is not merely a cybersecurity option — it's an imperative. By adopting a proactive, unified approach, organizations can build resilience against a diverse array of threats, from phishing and ransomware to insider attacks.

TDIR's strength lies in its integration of advanced technology, human expertise, and strategic processes, enabling organizations to navigate the evolving cyber threat landscape with confidence. As the battle against cybercrime continues, those who embrace TDIR will not only safeguard their operations but also strengthen their reputations and ensure long-term resilience.

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

**About the Author**

Lead Engineer/IAM Architect, Paramount Global

Sameer Bhanushali is an experienced IAM Architect with more than 16 years of expertise in information security, identity and access management (IAM), cloud services, and system architecture. Recognized for his ability to lead end-to-end IAM initiatives, Sameer leverages cutting-edge technologies and industry best practices to design and implement tailored solutions for both on-premises and cloud environments.

Sameer has been instrumental in aligning technical strategies with organizational goals, optimizing system performance, and enhancing cybersecurity defenses throughout his career. His consultancy excellence across diverse sectors has consistently delivered scalable IAM solutions that drive business growth while ensuring robust security.

A holder of advanced IAM and cybersecurity certifications, Sameer excels in navigating complex cybersecurity challenges, strengthening security postures, and exploring innovative technologies to deliver transformative outcomes. His dedication to the field is reflected in his thought leadership and unwavering commitment to protecting sensitive information in an evolving threat landscape.

Strategic Approaches to Threat Detection, Investigation &amp; Response

The digital world is exploding. IoT devices are multiplying like rabbits, certificates are piling up faster than you can count, and compliance requirements are tightening by the day. Keeping up with it all can feel like trying to juggle chainsaws while riding a unicycle.
Traditional trust management? Forget it. It's simply not built for today's fast-paced, hybrid environments. You need a

Ready to Simplify Trust Management? Join Free Webinar to See DigiCert ONE in Action

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical. Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft’s December Patch Tuesday, a public exploit for it appeared on January 15th. 🙂 It was developed by […]

**The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical.** Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft’s December Patch Tuesday, a public exploit for it appeared on January 15th. 🙂 It was developed by Alessandro Iandoli from HN Security. The source code and video demonstrating the exploit are available on GitHub: a local attacker runs an exe file in PowerShell and, after a second, becomes “nt authority/system”. The researcher tested the exploit on Windows 11 23h2. He also promises to publish a blog post with a detailed analysis of the vulnerability.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

The Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138) has become more critical

Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?

European governments wonder if Trump will continue US support of Ukraine and NATO in a conflict with Russia that has partly played out in cyberspace. Fick’s team was instrumental in establishing a process for rapidly delivering cyber-defense aid to Ukraine’s battered government.

“I was in Ukraine right before Christmas, I was in Poland, I was in Estonia, kind of up and down NATO's eastern flank,” he says, adding that he sensed “both a deep desire for the United States to stay engaged and a recognition that European partners are going to need to do their share—which they, by the way, increasingly are doing.”

More broadly, Fick has heard “a strong desire among many allies and partners” for the US to continue going toe to toe with China and Russia in tech and cyber discussions in international bodies like the UN and the Group of 20.

“Without the United States deeply involved, you're going to see the Chinese more deeply involved, you're going to see the Russians more deeply involved,” Fick says. “There's a pretty broad view \[globally\] that the US needs to, for its own interests and for the interests of our allies and partners, stay engaged in multilateral organizations.”

Fick sympathizes with Republicans who consider these multilateral organizations too slow and timid, but he wants Trump’s team to “recognize that the alternative is not diminished influence of these organizations; the alternative is simply that they become playgrounds for our competitors and our adversaries.”

**Celebrating “a Sea Change”**

Looking back on his time as America’s cyber ambassador—which saw him spend a total of more than 200 days traveling the world on nearly 80 trips to visit key US allies and partners—Fick is proud of how his team launched an entirely new bureau inside the State Department, grew it to around 130 employees, and delivered results that he says are transforming digital diplomacy.

One of his biggest accomplishments was the launch of a foreign cyber aid fund that will support programs to deploy security assistance to hack-stricken allies, subsidize new undersea cables, and train foreign diplomats on cyber issues.

The security-assistance project saw an early test in November when Costa Rica faced another major ransomware attack. “We had people on a plane the next morning, Thanksgiving morning, with hands on keyboards alongside Costa Rican partners that night,” Fick says. “That’s amazing. That is a sea change in how we do this, and it’s going to strengthen our hand in providing support to these middle-ground states.”

Fick has also focused on preparing the Foreign Service for the modern world, meeting his goal of training at least one tech-savvy diplomat for every foreign embassy (around 237 total) and successfully lobbying to add digital fluency to the State Department’s criteria for career ambassador positions. He has also helped State counterbalance the Pentagon in White House discussions about foreign tech issues—putting “American diplomacy literally back at the table in the Situation Room on technology topics.”

And then there’s his team’s support for US cyber aid to Ukraine, from security software to satellite communications to cloud migration for vital government data—work that he says offers a template for future public-private foreign-aid partnerships.

**One Final Warning**

Fick has shared his thoughts about China, 5G, AI, deterrence, and other cyber issues with Trump’s transition team, and he says there’s still more to do to keep cyber diplomacy “front and center” at State. But as he prepares to leave government, he has one major piece of advice for the incoming administration.

“It is essential to have a bias for action,” he says. “We end up admiring a problem for too long rather than taking a decisive step to address it … That decisive step may be imperfect, but indecision is a decision, and the world moves on without you.”

Put another way: In an era of rapidly evolving technologies and intensifying geopolitical competition, massive bureaucracies like the State Department sometimes need to be jolted into action.

“The job of the leaders in these big organizations,” Fick says, “is to move the org to change a little bit faster than it would on its own.”

Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

Over a dozen programs used by creators of nonconsensual explicit images have evaded detection on the developer platform, WIRED has found.

“When we look at intimate image abuse, the vast majority of tools and weaponized use have come from the open source space,” says Ajder. But they often start with well-meaning developers, he says. “Someone creates something they think is interesting or cool and someone with bad intentions recognizes its malicious potential and weaponizes it.”

Some, like the repository disabled in August, have purpose-built communities around them for explicit uses. The model positioned itself as a tool for deepfake porn, claims Ajder, becoming a “funnel” for abuse, which predominantly targets women.

Other videos uploaded to the porn-streaming site by an account crediting AI models downloaded from GitHub featured the faces of popular deepfake targets, celebrities Emma Watson, Taylor Swift, and Anya Taylor-Joy, as well as other less famous but very much real women, superimposed into sexual situations.

The creators freely described the tools they used, including two scrubbed by GitHub but whose code survives in other existing repositories.

Perpetrators on the prowl for deepfakes congregate in many places online, including in covert community forums on Discord and in plain sight on Reddit, compounding deepfake prevention attempts. One Redditor offered their services using the archived repository’s software on September 29. “Could someone do my cousin,” another asked.

Torrents of the main repository banned by GitHub in August are also available in other corners of the web, showing how difficult it is to police open-source deepfake software across the board. Other deepfake porn tools, such as the app DeepNude, have been similarly taken down before new versions popped up.

“There’s so many models, so many different forks in the models, so many different versions, it can be difficult to track down all of them,” says Elizabeth Seger, director of digital policy at cross-party UK think tank Demos. “Once a model is made open source publicly available for download, there’s no way to do a public rollback of that,” she adds.

One deepfake porn creator with 13 manipulated explicit videos of female celebrities credited one prominent GitHub repository marketed as a “NSFW” version of another project encouraging responsible use and explicitly asking users not to use it for nudity. “Learning all available Face Swap AI from GitHUB, not using online services,” their profile on the tube site says, brazenly.

GitHub had already disabled this NSFW version when WIRED identified the deepfake videos. But other repositories branded as “unlocked” versions of the model were available on the platform on January 10, including one with 2,500 “stars.”

“It is technically true that once \[a model is\] out there it can’t be reversed. But we can still make it harder for people to access,” says Seger.

If left unchecked, she adds, the potential for harm of deepfake “porn” is not just psychological. Its knock-on effects include intimidation and manipulation of women, minorities, and politicians, as has been seen with political deepfakes affecting female politicians globally.

But it’s not too late to get the problem under control, and platforms like GitHub have options, says Seger, including intervening at the point of upload. “If you put a model on GitHub and GitHub said no, and all hosting platforms said no, for a normal person it becomes harder to get that model.”

Reining in deepfake porn made with open source models also relies on policymakers, tech companies, developers and, of course, creators of abusive content themselves.

At least 30 US states also have some legislation addressing deepfake porn, including bans, according to nonprofit Public Citizen’s legislation tracker, though definitions and policies are disparate, and some laws cover only minors. Deepfake creators in the UK will also soon feel the force of the law after the government announced criminalizing the creation of sexually explicit deepfakes, as well as the sharing of them, on January 7.

GitHub’s Deepfake Porn Crackdown Still Isn’t Working

US president Joe Biden just issued a 40-page executive order that aims to bolster federal cybersecurity protections, directs government use of AI—and takes a swipe at Microsoft’s dominance.

Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Another part of the order boosts CISA’s ability to watch for cyberattacks across the government by tapping into the security software that other agencies operate. It’s an attempt to reduce visibility gaps that adversaries have successfully exploited in many intrusions, especially the 2020 SolarWinds hack. The order requires agencies to give CISA direct access to their security platforms and to allow CISA to conduct unannounced threat-hunting activities on their networks.

“If we find one particular technique that a foreign government is using to hack one particular federal agency,” Neuberger said, “this now … gives CISA centralized visibility to hunt across all agency systems to ensure we're defending against this attack broadly.”

The security risks and opportunities of AI play a major role in the executive order. The document directs the departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department would have to launch a program to use “advanced AI models” for cyber defense.

Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics like how humans and AI tools can coordinate to analyze cyber threat data, how to ensure the security of AI-generated code, how to design secure AI models, and how to prevent and recover from cyber incidents involving AI systems.

Biden’s order attempts to expedite agencies’ use of digital identity documents to streamline citizen services and reduce waste and fraud. The directive asks agencies to “consider accepting digital identity documents” as proof of eligibility for public benefits. Commerce would have 270 days to issue guidance to help agencies do so.

Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.

The order also lowers the bar for the government to be able to sanction people who launch cyberattacks on US critical infrastructure, potentially easing barriers to deploying one of Washington’s favorite responses to major hacks.

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More

Cybercriminals are exploiting the California wildfires by launching phishing scams. Learn how hackers are targeting victims with fake domains and deceptive tactics, and how to protect yourself from these cyber threats.

****SUMMARY****

*   **Cybercriminals are exploiting the California wildfires to launch phishing campaigns.**

*   **Veriti Research found fake domains like “malibu-firecom” designed to mimic legitimate services.**

*   **These domains aim to steal personal information or install malware under the guise of fire-related assistance.**
*   **Scammers are using fear and urgency to deceive victims into clicking fraudulent links.**

*   **Veriti urges heightened vigilance, though no active email campaigns have been detected yet.**

The recent California wildfires have not only devastated communities but have also become a lucrative event for cybercriminals. Exploiting the chaos and uncertainty surrounding the disaster, these malicious actors are employing sophisticated phishing tactics to take advantage of the situation.

Cybersecurity researchers at Veriti have identified numerous newly registered domains closely linked to the fires. These domains, such as “malibu-firecom” and “fire-reliefcom,” mimic legitimate services, luring unsuspecting victims with promises of fire evacuation assistance, recovery permits, and even fire coverage.

Screenshot of the homepage of one of the fake sites (Via Veriti Research)

“These domains exhibit patterns typical of phishing campaigns. Some aim to mimic official services like fire evacuation assistance, while others target specific localities, such as Malibu and Pacific Palisades. Early indications suggest these sites are being prepared to host fraudulent activities, including phishing attacks, fake donation requests, and malicious downloads,” the Veriti Research team noted in the blog post.

As per their research, these domains are likely being used to host phishing emails and websites designed to steal personal information, such as login credentials and financial details. Hackers leverage social engineering techniques, creating a sense of urgency and fear to manipulate victims into clicking on fraudulent links or downloading malicious software.

For example, a subdomain might offer “fire-related assistance” while secretly attempting to install malware on the victim’s device. This exploitation of disaster-related fears highlights the vulnerability of individuals and organizations during these critical times.

While no email campaigns utilizing these phishing domains have been identified yet, Veriti Research is actively monitoring them for any malicious activity.

The team stresses the need for people to stay alert and informed about these threats. Understanding how cybercriminals operate can help individuals and organizations protect themselves and reduce the chances of becoming victims. Here is the full list of domains Veriti Research identified within 72 hours:

fire-reliefcom

malibu-firecom

boca-on-firecom

palisades-firecom

Calfirerestorationstore

palisadesfirecoveragecom

fire-evacuation-servicecom

Pacificpalisadesrecoverycom

Lacountyfirerebuildpermitscom

1.  **Zika Virus Exploited by Scammers to Spread Malware**
2.  **#JeSuisCharlie Being Used by Hackers To Spread Malware**
3.  **Viral Facebook Links on Missing Malaysia Jet Are Malicious**
4.  **Hackers Sending Fake Ebola Virus reports in emails with Malware**
5.  **Online Scam Alert Associated with the Nepal Earthquake Disaster**
6.  **Florida Hurricane Victims Hit with Fake FEMA Claims, Malware Files**
7.  **Photos of Drowned Syrian Boy Exploited by Spammers on Facebook**
8.  **Russian Hackers hacked MH17 Crash investigators in phishing attack**

Scammers Exploit California Wildfires, Posing as Fire Relief Services

It's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.

Source: Primakov via Shutterstock

In an especially brazen tactic, multiple threat actors are impersonating Google Ads login pages to trick advertisers into handing over their account credentials.

The attackers — from regions as geographically dispersed as South America, Asia, and Eastern Europe — are then using the hijacked accounts in real-time to buy and distribute malicious advertisements and malware via Google Ads.

**'Most Egregious' Malvertising Campaign Ever**

The scammers appear to be succeeding in many cases because their ads are allowed to show an ads.google.com URL. This makes them virtually indistinguishable from legitimate Google ads, according to researchers at Malwarebytes, who spotted the malicious activity recently.

"This is the most egregious malvertising operation we have ever tracked, getting to the core of Google's business and likely affecting thousands of their customers worldwide," Malwarebytes researcher Jerome Segura wrote in a blog post this week. "We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication."

Google Ads is an advertising platform that enables businesses and individuals to display targeted ads across Google's search results, websites, mobile apps, and other online properties, based on user search behavior and interests. Often, the top search results are sponsored, meaning someone paid for that high visibility. For context, Google Search generated some $175 billion in ad revenue in 2023.

Related:CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

According to Segura, there has been a recent flood of fake sponsored ads for Google Ads directed at businesses and individuals looking to advertise on Google Search or wanting to sign in to their Google Ads accounts. The ads appear to be from Google and purport to either help people sign up for a Google Ads account or to sign in to an existing account. Users clicking on these ads are directed to a fake Google Ads home page from which they are directed to external sites designed specifically to steal usernames and passwords to the advertiser's Google accounts.

The attackers are using Google's free website creation platform, Google Sites, to host the lure pages. It is a tactic that Segura says allows them to trivially bypass a Google policy that allows advertisers to include a URL in their ads only if the URL matches the domain name of the advertiser. "Looking back at the ad and the Google Sites page, we see that \[the\] malicious \[ads do\] not strictly violate the rule since sites.google.com uses the same root domains as ads.google.com," Segura said. "In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC."

Related:OWASP's New LLM Top 10 Shows Emerging AI Threats

**Google Is Actively Investigating Cyberattacks**

In an emailed comment, a Google spokesman said the company is currently "actively investigating" the issue and working on a quick fix for the problem. "We expressly prohibit ads that aim to deceive people in order to steal their information or scam them," the spokesperson said.

As context, the spokesperson pointed to the growing sophistication and scale of malvertising campaigns and noted instances where threat actors have created thousands of malicious accounts simultaneously to distribute malicious ads on Google properties. Often these actors are using techniques such as text manipulation to get around automation detection mechanisms. In other instances, they use cloaking tactics to show Google reviewers and systems different ads from the ones that users end up seeing. "To provide a sense of the scale of our enforcement efforts in 2023, we removed over 3.4 billion ads, restricted over 5.7 billion ads, and suspended over 5.6 million advertiser accounts," the spokesman said.

**Impersonating Google Ads: Simple & Effective Social Engineering**

Related:Apple Bug Allows Root Protections Bypass Without Physical Access

In comments to Dark Reading, Segura says the most notable part of the new malicious activity is the impersonation of the Google Ads brand by combining Google Sites URLs with the ads. "It's a simple and yet effective trick that makes those ads incredibly hard to differentiate from the real ones," Segura says. Complicating matters is the fact that bad actors are often using compromised Google Ads accounts to place even more fake ads in Google Search, making the activity challenging to stop.

Google should be making it harder for bad actors to pull off such impersonation schemes, he says. "The 'how' is more complicated, as it involves reviewing business practices and … existing security policies."

Segura says Malwarebytes is tracking and reporting each malvertising incident it comes across via a live tracker that the Google Ads team can access. "This has been a helpful tool for us, not only to make the reporting process easier but also to keep a historical record," he notes. Google's response has consisted of taking action on ads that Malwarebytes report. "\[But\] the threat actors are able to get right back as if the campaign never stopped. We are talking about dozens of accounts that get burned but yet there are enough to keep this going indefinitely."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#git