Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn how they’re stealing messages and what you can do to defend yourself.

Russian state-backed actors are increasingly targeting secure messaging applications like Signal to intercept sensitive communications, reveals a recent report by Google’s Threat Intelligence Group. These groups, often aligned with Russian intelligence services, are focusing on compromising accounts used by individuals of interest, including military personnel, politicians, journalists, and activists. While the initial focus appears to be related to the conflict in Ukraine, researchers believe that these tactics will spread to other regions and threat actors.  

A primary method employed by these actors in this campaign involves exploiting the “linked devices” feature of Signal. By using phishing techniques, they trick users into scanning malicious QR codes, which then secretly link the victim’s account to a device controlled by the attacker. This allows the attacker to receive all messages in real-time, effectively eavesdropping on conversations without needing to compromise the entire device.

These malicious QR codes are often disguised as legitimate Signal resources, such as group invites, security alerts, or even device pairing instructions. In some cases, they are incorporated into phishing pages designed to mimic specialized applications, such as those used by the Ukrainian military.

The screenshot shows a Signal app phishing site and one of the malicious QR codes used in the attack (via Google).

In some cases, malicious QR codes are used in close-access scenarios, such as when Russian military forces capture devices on the battlefield.  This method lacks centralized monitoring and can go unnoticed for extended periods, which makes it hard to detect.

One group, identified as UNC5792 (also known as UAC-0195), has been observed modifying legitimate Signal group invite links. These altered links redirect victims to fake pages that initiate the unauthorized linking of their devices to the attacker’s control. The phishing pages are designed to closely resemble official Signal invites, making detection challenging. 

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes within phishing sites that mimic artillery guidance applications. They have also used fake Signal security alerts to deceive victims. 

Beyond phishing, APT44 (Sandworm) utilizes malware and scripts to extract Signal messages from compromised Windows and Android devices. Their WAVESIGN script retrieves recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.  

Other groups, like Turla and UNC1151, target the desktop application, using scripts and tools to copy and exfiltrate stored messages. UNC4221 has also used a JavaScript payload called PINPOINT to gather user information and geolocation data.

The popularity of secure messaging apps makes them prime targets for adversaries and other platforms, such as WhatsApp and Telegram, are also facing similar threats.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” researchers warned.

Therefore, users are advised to stay cautious. It is important to use strong screen locks with complex passwords, keep operating systems and apps updated, and ensure Google Play Protect is enabled. Regularly auditing linked devices, exercising caution with QR codes and links, and enabling two-factor authentication are also recommended. iPhone users at high risk should consider enabling Lockdown Mode.

Hackers Tricking Users Into Linking Devices to Steal Signal Messages

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

 Google now allows digital fingerprinting of its users 

Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.

These are the dangers of “infostealers,” which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular is responsible for the lion’s share of infostealer activity—racking up 70% of known infostealer detections on Mac.

These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.

With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.

****The threat of infostealers****

“Infostealers” are a type of malware that do exactly as they say—they steal information from people’s devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.

With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don’t even require an additional step—they can take cryptocurrency directly from a victim’s online accounts. 

But there is another threat to infostealers that comes from their recent history. They are wildly adaptable.

In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a person’s device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.

By 2018, TrickBot was the largest threat to businesses.

Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn’t interested in Windows devices.

****The next Mac malware****

Malware is “malicious software,” and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn’t automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn’t work on iPhones.

For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.

During this time, most Mac threats were bothersome pieces of malware that would hijack a victim’s web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses—and as demand for Windows computers has waned—cybercriminals have readjusted their thinking.

In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features—much like TrickBot—it has also been gussied up with some of the markings of a legitimate business.  

For instance, AMOS can be “licensed” out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn’t just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.

By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion—seriously—and even released an AMOS update that would better obfuscate the infostealer from being detected by cybersecurity software.

But in the world of cybercrime, malware _features_ only mean so much. Another important piece of cybercrime is getting malware _onto_ a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.

Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to “malicious advertising” or “malvertising.” This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.

On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.

This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.

As we warned in the State of Malware report:

> “Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN.”

Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware barely launched last summer.

Interestingly, Poseidon is just another “fork” of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.

Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising—hackers can target malicious ads based on a potential victim’s location, operating system, software, and search terms—Mac users must be on watch.

****How to stay safe****

In 2025, Mac users don’t need to just watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use the malware delivery method for all sorts of threats online.

Here’s how you can stay safe:

*   Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
*   Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
*   Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Macs targeted by infostealers in new era of cyberthreats 

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

For more than a decade now, Russian cyberwarfare has used Ukraine as a test lab for its latest hacking techniques, methods that often target Ukrainians first before they're deployed more broadly. Now Google is warning of a Russian espionage trick that's been used to obtain Ukrainians' messages on the encrypted platform Signal—and one that both Ukrainians and other Signal users worldwide should protect themselves against with a new update to the app.

Google's threat intelligence team on Wednesday released a report revealing how multiple hacker groups that serve Russian state interests are targeting Signal, the end-to-end encrypted messaging tool that has become widely accepted as a standard for private communications and is now often used by Ukrainians, including in the Ukrainian military's battlefield communications. Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide javascript commands that link the victim's phone to a new device—in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.

“It looks exactly like a group invite, and everything would function exactly like that, except when you scan it, it links the device out,” says Dan Black, a Google cyberespionage researcher and former NATO analyst. “It instantly pairs your device with theirs. And all your messages are now, in real time, being delivered over to the threat actor while you're receiving them.”

Two months ago, Google began warning the Signal Foundation that maintains the private communications platform about Russia's use of the QR code phishing technique, and Signal last week finished rolling out an update for iOS and Android designed to counter the trick. The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires a form of authentication such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device.

In fact, Signal had already been working to update those forms of phishing protections aimed specifically at exploitation of its linked device feature prior to Google's warning, says Signal's senior technologist, Josh Lund. But Google's report about Russia's spying in Ukraine provided an “acute” example of the problem that pushed them to move quickly to protect users, he says.

“We're really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Lund, using the cybersecurity term for tricks that deceive victims into giving hackers sensitive information or access to their systems.

Both Google and Signal emphasized that the phishing technique Google has seen in use in Ukraine doesn't suggest that Signal's encryption is broken or that the app's messages can otherwise be eavesdropped in transit. Instead, the trick essentially combines two legitimate features—QR-code group invites and QR-code device linking that pairs a smartphone with a laptop—invisibly swapping one with the other to deceive users. “Phishing is a big problem on the internet, and it's never nice to hear that someone has fallen victim to one of these attacks,” Lund says. “But we're trying to do our best to keep users safe, and we think these recent improvements will really help.”

Google notes that it's seen Russia use similar techniques to target other communications platforms like WhatsApp and Telegram, too. But the hackers tied to Russia's military have focused on Signal because of its widespread tactical use in the Ukrainian military. One of the two hacker groups that has exploited the QR code phishing technique, for instance, has disguised the codes as invites to groups associated with an artillery guidance app used by the Ukrainian military called Kropyva. In other instances, the spoofed QR codes have impersonated invites to other groups from a trusted contact, or security alerts from Signal itself.

Russia's hackers have targeted Signal as part of the country's war efforts in Ukraine since as early as 2023, a year into its full-scale invasion, says Google's Black. That's when the Russian hacker group known as Sandworm, a notorious unit of Russia's GRU military intelligence agency, began pivoting from disruptive cyberattacks to tactical espionage that included penetrating tablet computers used by the Ukrainian military. In some cases, Sandworm's hackers have also aided front-line Russian troops in off-loading Signal messages from captured devices, including by using the linked-device feature to pair compromised phones with their own PCs. Google says that Turla, a hacker group linked to Russia's FSB security agency, has also targeted Signal messages on PCs that it's infected with malware.

Google's Black says that the company's analysts nonetheless waited to highlight Russia's use of the QR-code phishing technique to target Signal until the Signal Foundation could push out new protections, in part to prevent other hackers from copying the technique. Black warns, in fact, that Russia's targeting of Signal in Ukraine shouldn't be seen as a problem limited to Ukraine nor to military conflicts in general. The trick is just as likely to be used for targeting dissidents and activists who use Signal worldwide, or even a broader set of targets. In December, for instance, US officials recommended Americans use end-to-end encrypted apps in response to the Chinese hacker group Salt Typhoon's widespread penetrations of US telecom networks.

“The use case for these techniques is just so wide," says Black. “We've seen history tell us a very particular story in terms of tradecraft, that the things that happen in Ukraine don't seem to stay confined there.”

A Signal Update Fends Off a Phishing Technique Used in Russian Espionage

Carding -- the underground business of stealing, selling and swiping stolen payment card data -- has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

An image from one Chinese phishing group’s Telegram channel shows various toll road phish kits available.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

**CARDING REINVENTED**

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?,” said Merrill, who presented about his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on **Stripe** or **Zelle** and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before \[the wallets\] are hit hard and fast.”

**GHOST TAP**

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “**ZNFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. The even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at **ThreatFabric**. **Andy Chandler**, the company’s chief commercial officer, said their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler said those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily _The Straits Times_ reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” _The Straits Times_ wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

Three individuals charged with using ghost tap software at an electronics store in Singapore. Image: The Straits Times.

**ADVANCED PHISHING TECHNIQUES**

According to Merrill, the phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

For example, a would-be smishing victim might enter their personal and financial information, but then decide the whole thing is scam before actually submitting the data. In this case, anything typed into the data fields of the phishing page will be captured in real time, regardless of whether the visitor actually clicks the “submit” button.

Merrill said people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he said, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill said these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another important innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

The ashtray says: You’ve been phishing all night.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

An ad from a Chinese SMS phishing group’s Telegram channel showing how the service converts stolen card data into an image of the stolen card.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

**PROFITS**

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the **Smishing Triad**, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher **Grant Smith** gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill said it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill said they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

**FIGHTING BACK**

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for customers to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert said the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking, how this is possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require customers to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, to better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers will be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Neither Apple nor Google responded to requests for comment on this story.

How Phished Data Turns into Apple & Google Wallets

Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…

Researchers earned a $50,500 **Bug Bounty** after uncovering a critical supply chain flaw in a newly acquired firm, highlighting security risks in business acquisitions.

Two cybersecurity researchers have walked away with a $50,500 bug bounty after finding a critical vulnerability in a major company’s software supply chain. The exploit targeted a recently acquired company, exposing a flaw that could have widespread ramifications.

The duo, Lupin (Roni Carta) and Snorlhax, have a history of collaboration; recently turned their focus to the often-overlooked area of business acquisitions. They noticed that these integrations frequently present security gaps as newly acquired entities may not always uphold the same rigorous security standards as their parent companies. This insight guided their hunt for a “game-changing” vulnerability.

Their approach began with a detailed examination of the acquired company’s online presence, including its code repositories and package registries. The researchers employed advanced techniques, transforming JavaScript files into Abstract Syntax Trees (ASTs) and Docker image analysis to identify dependencies and uncover possible flaws. This investigation led them to a DockerHub organization linked to the acquisition.

The real breakthrough occurred after the researchers downloaded and examined a Docker image. Inside, they discovered the complete source code for the company’s backend systems. But the story did not end there, as the researchers unearthed even more sensitive information.

According to Lupin’s technical blog post, the duo discovered that a “.git” folder was still included in the image. Within the folder, they found an authorization token for GitHub Actions (GHS). This token, if exploited, could have given the attacker the capability to manipulate the company’s build pipelines. The token could have allowed them to inject malicious code, tamper with software releases, or even gain access to additional repositories.

Further investigation revealed that the Docker image had removed the .npmrc configuration file, but the researchers recognized that earlier layers of the image could still hold traces of it. They leveraged tools like Dive and Dlayer to explore these layers, ultimately locating a private npm token. This token provided read-and-write access to the target company’s private packages.

The team realized they now had a path to insert malicious code into one of the private packages, which the company’s developers, pipelines, and production systems would then automatically fetch. Since these were private packages, the attack would bypass security scans, enabling them to compromise systems at every level leading to large-scale data theft and data breaches.

Software supply chain vulnerabilities have affected thousands of businesses in recent months. Cyberattacks targeting companies like Snowflake Inc., Blue Yonder, and MOVEit Transfer continue to be exploited, impacting organizations worldwide.

The good news is that the duo documented their findings and demonstrated the vulnerability’s impact to the impacted company’s security team. Their report outlined how attackers could use a poisoned npm package to harvest secrets, infiltrate into internal systems, and compromise CI/CD pipelines. As a result, the company awarded the researchers a $50,500 bug bounty, recognizing the severity of the vulnerability.

This incident shows how attacks can succeed when multiple overlooked flaws come together. In this case, the issue originated from software supply chain gaps and security flaws in a newly acquired company. The team pointed out the importance of securing every part of the build process, from the code itself to the components and external packages involved. It’s an example of how protecting a software development pipeline isn’t simple; it requires careful attention to every detail.

1.  Multichain hack: Hacker returns $1m, keeps $150k as bug bounty
2.  Apple Launches ‘Apple Intelligence’ – $1M Bug Bounty for Security
3.  Google Launches $250,000 kvmCTF Bug Bounty for KVM Exploits

Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm

Welcome to this week’s Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights.
⚡ Threat of the Week
Russian Threat Actors Leverage Device Code Phishing to Hack

⚡ THN Weekly Recap: Google Secrets Stolen, Windows Hack, New Crypto Scams and More

Google is working on a new security feature for Android that blocks device owners from changing sensitive settings when a phone call is in progress.
Specifically, the in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority.
Users who attempt

Android's New Feature Blocks Fraudsters from Sideloading Apps During Calls

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Scammers are once again using AI to take over Gmail accounts.

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

> “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly. This is especially because the AI tools that cybercriminals have at their disposal are relatively low cost: In one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users some of these elements all came together. These often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks this is the type of campaigns that are examples of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past these sites can even be designed to steal session cookies. Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

**How to avoid AI Gmail phishing**

*   Never click on links or download files from unexpected emails or messages.
*   Don’t enter personal information on a website unless you are certain it is legitimate.
*   Use a password manager to autofill credentials only on trusted sites.
*   Monitor your accounts for signs of unauthorized access or data leaks.
*   Verify security alerts by visiting your Google Account page directly instead of using links in emails.
*   Use multi-factor authentication (MFA) for all accounts
*   Protect your devices with up-to-date security software (such as Malwarebytes Premium Security), and use text protection and text message filtering on your mobile device.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#google