Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the log in process

And we agree. If there is a cybersecurity themed day that we would like to get rid as soon as possible it’s world password day. Sorry, old friend, but you’re outdated, and it looks like your days are numbered. Let’s switch to passkeys.

To quote Microsoft:

> “As the world shifts from passwords to passkeys, we’re excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.”

In 2013, Intel introduced World Password Day to remind people of the importance of strong passwords. But over time, the number of passwords we use, and the necessary strengths have grown so much that the system has become practically unusable without a password manager. So, only a few years later, Microsoft introduced Windows Hello, a new way for users to securely sign in to their accounts with their face, fingerprint, or PIN.

For several good reasons we want to say goodbye to passwords, especially for the important sites and services. Passwords are:

*   Hard to create
*   Easy to forget
*   Often reused across sites
*   Vulnerable to hacking techniques like brute-force attacks and phishing.

**The alternative: passkeys**

Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. Despite their clear advantages, many people hesitate to switch to passkeys due to unfamiliarity and misconceptions. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security.

A passkey is a digital credential that replaces traditional passwords by using cryptographic keys stored locally, and securely, on your device, such as your phone or computer.

At your demand, a program on your device will create a passkey automatically when you set up an account or enable a passkey login. Basically, it’s a unique key that identifies you without ever leaving your device.

When you log in with a passkey, your device proves you are the legitimate user by using the passkey to solve a challenge without actually providing the passkey itself. As with passwords, it’s a way to prove you know the answer and with that who you are. But the difference is that, unlike passwords, passkeys can’t be stolen by fake or malicious websites.

OK. I heard some sighs in the back from the I-know-this-already crowd. There are plenty of technical explanations to be found. Feel free to try explaining cryptographic public and private keys to the people you do tech support for.

Because passkeys are tied to your device and cannot be shared or stolen like passwords, they offer a safer login experience.

**It’s not hard to use passkeys. Really!**

Using passkeys is straightforward and really not that hard:

*   **Create a passkey:** When you sign up or log into a website or app that supports passkeys, the system prompts you to create one. Your device automatically generates the cryptographic keys. This means there is truly no need to struggle with inventing a complicated 12-character password that meets confusing requirements for a site you might never use again. Your device does _all the work_.
*   **Log in:** Instead of typing a password, unlock your device using biometrics or a PIN. Your device then securely verifies your identity and tells the site or service it can trust you, without ever sending sensitive secrets over the internet.
*   **Sync across devices:** You can securely sync passkeys across your devices using encrypted cloud services or password managers. This lets you log in effortlessly from multiple devices and prevents the hassle of losing access if your device goes missing.

Having to create and memorize hundreds of complex, unique passwords is difficult and stressful. Passkeys remove this burden entirely. You don’t need to create anything or remember a lot. The authentication process is as simple as unlocking your device.

And it’s faster. Microsoft has seen that on average passkey sign-ins to their services take only 8 seconds, compared with 69 seconds to sign in using a traditional password and second factor. 

**Common misconceptions**

Many people shy away from using passkeys for the wrong reasons.

*   Your biometrics, like fingerprints or facial scans are not stored externally, the site you’re visiting never gets to see them. They are just meant for your device to verify it’s really you.
*   Using passkeys is not complicated as we explained above. Sure, the theory behind it is, but the user-experience may actually be simpler than password creation and management.
*   You are not losing the extra layer of 2FA security you set up for important sites and services. Passkeys inherently support two-factor authentication (2FA) without extra steps, since possession of your device plus biometric or PIN verification is required.

**There are downsides**

I have to be honest here. Some things are not ideal yet. But as we move forward and more people start using passkeys, these will improve soon enough.

As I hinted earlier, losing your device can pose a problem, since your key got lost along with it, unless you synchronize it. This is a problem that’s actively being worked on.

Many websites and services also don’t support passkeys yet. Developers and service providers are actively working to make passkey adoption smoother and more widespread, so you will see more websites and apps supporting passkeys soon.

Not every passkey system is equal. Due to the history of their development which is still ongoing, there are currently multiple flavors of passkey. These range from device-bound and physical token passkeys (that never leave the device) to synchronized passkeys that offer the option to use a device’s Credential Manager to back up and synchronize passkeys across the user’s other devices. This can confuse or frustrate users who just want the authentication to work, without having to worry about the nuances of the underlying technology. Industry groups (including the FIDO Alliance and W3C) are working on standards, guides, and tools to improve this situation for developers and users.

**Give it a try**

It doesn’t take a lot of effort to convince yourself of the benefits of passkeys.

Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux, and ChromeOS. It’s up to the user which password manager to store a passkey to or to authenticate a passkey from depending on the environment.

To save a passkey to Google Password Manager, ensure you’re signed into your Google Account on an eligible device (Android, Chrome, or other supported platforms). When prompted by a website supporting passkeys, agree to create a passkey and follow the on-screen instructions.

MacOS allows you to save passkeys either in Google Password Manager or iCloud Keychain if you’re using macOS 13.5 or higher.

*   **Try passkeys today:** Look for websites and apps that offer passkey login options and give them a try. You’ll likely find the experience faster and easier than passwords.
*   **Educate yourself and others:** Share what you learn about passkeys with friends and family, especially those who find passwords confusing or frustrating.
*   **Advocate for passkey support:** Encourage your favorite sites and services to support passkeys to help make the internet safer for everyone.
*   **Use secure device authentication:** Enable biometrics or PINs on your devices to fully benefit from passkey security.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 On world password day, Microsoft says fewer passwords, more passkeys 

Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure.

Thursday, May 1, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by_._ This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We're talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

**The one big thing **

This week is bittersweet because we’re discussing the final section of Talos' 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

**Why do I care? **

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

1.  The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
2.  Improved personalization and professionalization of social engineering 
3.  Automated vulnerability discovery and exploitation 
4.  Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

**So now what? **

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

**Top security headlines of the week **

**AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover.** The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek) 

**4 Million Affected by VeriSource Data Breach.** VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek) 

**SAP NetWeaver Visual Composer Flaw Under Active Exploitation.** CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading) 

**FBI shares massive list of 42,000 LabHost phishing domains.** The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

**Can’t get enough Talos? **

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos' latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn't rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

**Upcoming events where you can find Talos **

*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/    
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: VID001.exe    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Understanding the challenges of securing an NGO

Researchers found a set of vulnerabilities that puts all devices leveraging Apple's AirPlay at risk.

Researchers found a set of vulnerabilities in Apple’s AirPlay SDK that put billions of users at risk of their devices being taking over.

AirPlay is Apple’s proprietary wireless technology that allows you to stream audio, video, photos, and even mirror your device’s screen from an iPhone, iPad, or Mac to other compatible devices like Apple TV, HomePod, smart TVs, or speakers. It works over Wi-Fi, so you don’t need cables.

Apple added the necessary updates on April 28 to the March 31 update. The update—iOS 18.4 and iPadOS 18.4—was initially issued on March 31, but the additional security fixes were delivered through Rapid Security Responses, or minor patches that Apple incorporated after the initial release. Rapid Security Response (RSR) is a type of software patch delivering security fixes between Apple’s regular, scheduled software updates.

The good news is if you installed the March 31 update, you should be fine. Otherwise, check manually if any updates are available.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

*   The latest version of macOS is 15.4.1. Learn how to update the software on your Mac and how to allow important background updates.
*   The latest version of tvOS is 18.4.1. Learn how to update the software on your Apple TV.
*   The latest version of watchOS is 11.4. Learn how to update the software on your Apple Watch.
*   The latest version of visionOS is 2.4.1. Learn how to update the software on your Apple Vision Pro.

The AirPlay SDK (Software Development Kit) is a set of programming tools Apple provides to app developers to integrate AirPlay functionality into their apps. Using the AirPlay SDK, developers can add features that allow their apps to stream audio or video content wirelessly to AirPlay-compatible devices. This makes apps “AirPlay-ready” by handling the streaming and control behind the scenes.

Combining vulnerabilities allows an attacker on the local network to potentially take control of devices that support AirPlay—both Apple devices and third-party devices that leverage the AirPlay SDK.

Apple released updates to fix the vulnerabilities on April 29 for members of the Apple MFi Program, who are developers of Apple-compatible accessories or software.

The researchers who found and reported these flaws warn they can be exploited without any user interaction—or with just a single click—to execute remote code. Attackers could also use them for man-in-the-middle interceptions, denial-of-service disruptions, and to bypass access controls and user prompts. On top of that, these vulnerabilities may allow unauthorized access to sensitive data and local files, making them a serious risk that demands immediate attention.

**Technical details**

In total, the researchers responsibly disclosed 23 vulnerabilities to Apple, leading to 17 CVEs being issued. A complete list and description of these CVEs, as well as specific attack scenarios they enable, can be found on their blog.

The most important vulnerabilities are:

CVE-2025-24252: Successful exploitation of the use-after-free vulnerability could allow a remote attacker to execute arbitrary code. When exploited together with CVE-2025-24206, the attacker is able to perform zero-click remote code execution on other vulnerable AirPlay-enabled devices in the same network, without any user interaction. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-24206: Successful exploitation of the vulnerability could allow an attacker to bypass authentication and conduct malicious activities without user interaction when exploited with other vulnerabilities.

CVE-2025-24132: Successful exploitation of the stack-based buffer overflow vulnerability could allow an attacker to perform zero-click remote code execution on vulnerable AirPlay SDK devices and potentially leak sensitive information by eavesdropping.

That the attacker does need to be on the same network, but exploitation require minimal to no interaction of the target.

**Possible protective actions**

These depend very much on the types of devices you are using, so I will try to give some general guidance and the reasons behind them.

*   As we said above, make sure your devices are fully updated
*   Use up-to-date and active malware protection
*   Disable AirPlay if you’re not using it, or set it to **Ask** as a minimum

*   Disable AirPlay Receiver if it is not in use.
*   Be extra careful on public networks. This vulnerability could theoretically spread in airports, offices, hotels, or conferences where many Apple devices are in close proximity. In such cases, avoid using unsecured Wi-Fi.
*   Restrict AirPlay settings: Change the **Allow AirPlay for** to **Current User**. While this does not prevent all of the issues, it does reduce the protocol’s attack surface.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple AirPlay SDK devices at risk of takeover—make sure you update 

### Summary
A critical performance vulnerability has been identified in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_*|>, <|image_*|>) with repeated tokens based on precomputed lengths. Due to ​​inefficient list concatenation operations​​, the algorithm exhibits ​​quadratic time complexity (O(n²))​​, allowing malicious actors to trigger resource exhaustion via specially crafted inputs.

### Details
​​Affected Component​​: input_processor_for_phi4mm function.
https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197

The code modifies the input_ids list in-place using input_ids = input_ids[:i] + tokens + input_ids[i+1:]. Each concatenation operation copies the entire list, leading to O(n) operations per replacement. For k placeholders expanding to m tokens, total time becomes O(kmn), approximating O(n²) in worst-case scenarios.

### PoC
Test data demonstrates exponential time growth:
```python
test_cases = [100, 200, 400, 800, 1600, 3200, 6400]
run_times = [0.002, 0.007, 0.028, 0.136, 0.616, 2.707, 11.854]  # seconds
```
Doubling input size increases runtime by ~4x (consistent with O(n²)).

### Impact
​​Denial-of-Service (DoS):​​ An attacker could submit inputs with many placeholders (e.g., 10,000 <|audio_1|> tokens), causing CPU/memory exhaustion.
Example: 10,000 placeholders → ~100 million operations.


### Remediation Recommendations​
Precompute all placeholder positions and expansion lengths upfront.
Replace dynamic list concatenation with a single preallocated array.
```python
# Pseudocode for O(n) solution
new_input_ids = []
for token in input_ids:
    if token is placeholder:
        new_input_ids.extend([token] * precomputed_length)
    else:
        new_input_ids.append(token)
```

**Summary**

A critical performance vulnerability has been identified in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio\__|>, <|image\__|>) with repeated tokens based on precomputed lengths. Due to ​​inefficient list concatenation operations​​, the algorithm exhibits ​​quadratic time complexity (O(n²))​​, allowing malicious actors to trigger resource exhaustion via specially crafted inputs.

**Details**

​​Affected Component​​: input\_processor\_for\_phi4mm function.  
https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model\_executor/models/phi4mm.py#L1182-L1197

The code modifies the input\_ids list in-place using input\_ids = input\_ids\[:i\] + tokens + input\_ids\[i+1:\]. Each concatenation operation copies the entire list, leading to O(n) operations per replacement. For k placeholders expanding to m tokens, total time becomes O(kmn), approximating O(n²) in worst-case scenarios.

**PoC**

Test data demonstrates exponential time growth:

test\_cases \= \[100, 200, 400, 800, 1600, 3200, 6400\]
run\_times \= \[0.002, 0.007, 0.028, 0.136, 0.616, 2.707, 11.854\]  \# seconds

Doubling input size increases runtime by ~4x (consistent with O(n²)).

**Impact**

​​Denial-of-Service (DoS):​​ An attacker could submit inputs with many placeholders (e.g., 10,000 <|audio\_1|> tokens), causing CPU/memory exhaustion.  
Example: 10,000 placeholders → ~100 million operations.

**Remediation Recommendations​**

Precompute all placeholder positions and expansion lengths upfront.  
Replace dynamic list concatenation with a single preallocated array.

\# Pseudocode for O(n) solution
new\_input\_ids \= \[\]
for token in input\_ids:
    if token is placeholder:
        new\_input\_ids.extend(\[token\] \* precomputed\_length)
    else:
        new\_input\_ids.append(token)

**References**

*   GHSA-vc6m-hm49-g9qg
*   https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model\_executor/models/phi4mm.py#L1182-L1197

GHSA-vc6m-hm49-g9qg: phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service

Darcula phishing platform adds AI to create multilingual scam pages easily. Netcraft warns of rising risks from Darcula-Suite…

Darcula phishing platform adds AI to create multilingual scam pages easily. Netcraft warns of rising risks from Darcula-Suite upgrade.

Cybersecurity researchers at Netcraft’s threat intelligence division have revealed that cybercriminals behind the phishing-as-a-service (PhaaS) platform Darcula have introduced a new upgrade to its toolkit, called Darcula-Suite. This update integrates artificial intelligence to enhance the capabilities of this already widely used phishing kit.

Ai Integration Announcement (Source: Netcraft)

According to Netcraft’s report shared with Hackread.com, in early 2025, Netcraft identified Darcula version 3, which introduced a redesigned admin dashboard and Darcula-Suite desktop application. This allowed users to create custom phishing kits, even without coding or web development skills.

The tool automatically copies a website URL, allowing attackers to target uncommon brands. This customization makes traditional detection methods less effective, Netcraft’s researchers noted, requiring dynamic, behaviour-based security approaches to counter this issue.

On April 23rd, Netcraft detected the integration of generative AI into Darcula-Suite, allowing users to generate phishing forms in any language, customize form fields, and automatically translate entire forms while maintaining the original layout.

This incorporation of AI technology is a game-changer because it significantly lowers the technical skills needed to create convincing fake websites designed to steal sensitive information.

Now, even individuals with limited technical knowledge can quickly develop customized scam pages with support for multiple languages and automatically generated forms, all without requiring any programming expertise.

It is worth noting that Netcraft had previously reported on Darcula’s platform, which is used for widespread and targeted smishing attacks, in March 2024 and February 2025. Over time, Darcula has evolved into a sophisticated, subscription-based system that offers tools and speed comparable to modern tech startups.

Darcula platform is operated by Smishing-Triad, a notorious Chinese cybercrime group known for carrying out mass-targeting attacks globally through SMS-based phishing, or “SMSishing.” Last year, Hackread.com reported Smishing Triad targeting online banking, e-commerce, and payment systems in the US, EU, UAE, KSA, and smartphone users in Pakistan.

Darcula is a service model designed for expansion. It offers users tools to imitate organizations in various countries, built using modern technologies like JavaScript frameworks, Docker, and Harbor, mirroring the setup of legit SaaS (software-as-a-service) firms. Operators use SMS, RCS (Rich Communication Services), and iMessage to spread phishing attempts, using advanced tactics like making links clickable on iOS devices to trick recipients into responding.

Netcraft has taken significant action against Darcula since March 2024, removing over 25,000 fake websites, blocking nearly 31,000 IP addresses, and detecting over 90,000 phishing domains. They predict the AI-enhanced Darcula-Suite will become more popular among cybercriminals.

To protect against this threat, Netcraft advises caution with messages in RCS groups, scepticism towards unknown numbers on RCS or iMessage, and caution when visiting less familiar websites.

Darcula Phishing Kit Uses AI to Evade Detection, Experts Warn

Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers’ exposure to government surveillance and the likelihood of being caught up in police investigations.

A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of “connected cars,” with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement’s knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies—not the law—determine driver privacy.

“Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera,” one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. “If the vehicle has an active subscription,” they add, “it does create more data.”

The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data—revealing its location—roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead.

Charlotte McCoy, a GM spokesperson, tells WIRED the company now requires a court order before handing over location data to law enforcement. “We review each request individually to assess the circumstances and the nature of the request before providing any information,” they say. “Connectivity offers many benefits—including navigation, communication, safety, and maintenance—and customers can mask their location or turn off connectivity at any time.”

Other car manufacturers listed in the CHP presentation, including Ford, did not respond to a request for comment.

“There's definitely a role being played by the companies in deciding what kind of standard they're going to insist on,” says Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “And this is a dynamic we've seen in other areas of tech. Google and Facebook and Apple all played a role in saying, ‘We'll only provide this data in response to a warrant; other data we'll provide in response to a subpoena.’”

When police are investigating a specific suspect, they will often use a technique known as a “ping” to geographically locate a specific device known to belong to that individual. But when canvassing near a crime scene for an unknown perpetrator, authorities commonly rely on a procedure known as a “tower dump,” requesting that ISPs cast a wider net and identify virtually any devices that have connected to a specific cell tower during a certain window of time. Police analysts can then comb through this data and attempt to identify a culprit, often using surveillance footage or witness testimony about a vehicle’s color, make, or model.

Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car’s systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

In an August 2022 email, one detective noted: “In some vehicles, again \[it\] depends on manufacturer, the vehicle is still doing this despite the lack of an active subscription, and just sending the data back to the mother ship. This could be due to collecting user data for what the manufacturer sells it for, to providing this data to try to sell you on renewing your \[subscription\] package that lapsed.”

The “tower dump” technique is becoming increasingly unpopular in US courts following the US Supreme Court’s acknowledgement in 2018 that location data raises significant Fourth Amendment concerns. While the Supreme Court specifically avoided addressing tower dumps in its landmark _US v. Carpenter_ decision, a Fifth Circuit ruling last year placed the capability in great jeopardy, concluding that a warrant to “geofence” an area and collect evidence from a wide variety of individuals is inherently unconstitutional.

On the back of that decision, a federal magistrate in Mississippi ruled two months ago that tower dumps are likewise unconstitutional. While a “tower dump” and a “geofence” are not precisely the same—the latter relying on GPS coordinates obtained from internet companies such as Google, as opposed to a cell tower—the results are more or less identical: offering police a dragnet with which to accumulate vast amounts of location data on individuals, many if not most of whom are not suspected of committing a crime.

In response to the rapid changes in case law surrounding location data, Google—historically a frequent target of geofence warrants—announced technical changes to its software last year, making it effectively impossible to respond to these types of warrants.

“Location data is some of the most sensitive, revealing information that is generated by our devices, including our cars,” the EFF’s Crocker says. “It's extremely revealing of obviously where you go and where you've been, but also all the people you associate with and all the things you're doing. You can paint a very clear picture of someone's life with just a list of all the places they've been in their car. The Supreme Court has made that very clear.”

The police documents reviewed by WIRED alone demonstrate the arbitrary nature of vehicle surveillance upon this shifting legal landscape, with police noting, for instance, that while Verizon will refuse to allow police to define their own radius when requesting cell tower data, its competitors impose no such limitations. Another document notes that while AT&T will conduct “pings,” locating a device in real time, it will only do so for “voice devices.”

What is also clear from the documents is that US police are aware of the control corporations have over their ability to acquire vehicle location data, expressing fears that they could abruptly decide to kill off certain capabilities at any time.

In a letter sent in April 2024 to the Federal Trade Commission, US senators Ron Wyden and Edward Markey—Democrats from Oregon and Massachusetts, respectively—noted that a range of automakers, from Toyota, Nissan, and Subaru, among others, are willing to disclose location data to the government in response to a subpoena without a court order. Volkswagen, meanwhile, had its own arbitrary rules, limiting subpoenas to fewer than seven days’ worth of data. The senators noted that these policies stood in contrast to public pledges previously made by some automakers to require a warrant or court order before surrendering a customer’s location data.

Automakers “differ significantly on the important issue of whether customers are ever told they were spied on,” the senators wrote. At the time of the letter, only Tesla had a policy, they said, of informing customers about legal demands. “The other car companies do not tell their customers about government demands for their data, even if they are allowed to do so.”

“We respect our customers’ privacy and take our responsibility to protect their personal information seriously,” Bennet Ladyman, a T-Mobile spokesperson, says.

AT&T spokesperson Jim Kimberly says: “Like all companies, we are required by law to provide information to law enforcement and other government entities by complying with court orders, subpoenas, and other lawful discovery requests. In all cases, we review requests to determine whether they are valid. We require a search warrant based on the probable-cause standard for all government demands for real-time or historical location information, except in emergency situations. For government demands for cell tower searches, we require a probable-cause search warrant or a court order, except in emergency situations.”

Verizon did not respond to a request for comment.

“Especially now, with American civil liberties eroding rapidly, people should exercise great caution in granting new surveillance powers to law enforcement,” says Ryan Shapiro, executive director of Property of the People.

Jay Stanley, a senior policy analyst at the American Civil Liberties Union, notes that the police documents reviewed by WIRED contained substantial detail about car surveillance that appear to be publicly unavailable, suggesting that corporations are being far more open with law enforcement than they are with their own customers.

“It's an ongoing scandal that this kind of surveillance is taking place without people being aware of it, let alone giving permission for it,” Stanley says. “If they're carrying out surveillance on the public, the public should know. They should have meaningful knowledge and give meaningful consent before any kind of surveillance is activated, which clearly is not the case.”

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

view over Cork, Ireland

It was no real surprise that ChatGPT got this right.

> “Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

> **🧱 Architectural Clues:**
> 
> *   The old stone building in the foreground has **Georgian-style windows and masonry**, which are common in parts of the British Isles, especially in **Ireland** and **the UK**.
> *   The clock tower in the back-left with the **green copper dome** is particularly distinctive and often used in civic buildings in Ireland.
> *   The **mix of historical and modern buildings**, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

> **🌉 Infrastructure and Environment:**
> 
> *   The modern bridge with a **blue banner advertisement** and the **tree-lined waterfront** hints at a city that integrates riverways into its urban design.
> *   The road signs and general driving direction suggest **left-hand traffic**, supporting a guess of **Ireland or the UK**.

> **🏛** **Key Landmark:**
> 
> The building with the green dome in the background looks **very much like the clock tower of Cork City Hall in Ireland**. The angle of the shot shows the old Custom House building in front, and the modern offices across the **River Lee**, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

> “This image provides several strong clues for geo-guessing:
> 
> The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.
> 
> The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.
> 
> The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.
> 
> The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.
> 
> **Conclusion**
> 
> This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

> **🧩 Visual Clues:**
> 
> 1.  **Architecture:**
>     *   The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
>     *   This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
> 2.  **Landscape:**
>     *   Very flat terrain with closely trimmed hedges and grassy areas.
>     *   This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
> 3.  **Infrastructure & Construction Tools:**
>     *   The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
> 4.  **Weather and Lighting:**
>     *   Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
> 5.  **Small Details:**
>     *   The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
>     *   The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a **very strong clue**.
> 
> **🌍** **Likely Guess:**
> 
> **The Netherlands** 🇳🇱
> 
> **📍****Narrowing it Down:**
> 
> Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like **North Holland**, **South Holland**, or **Friesland** where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

> “Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

**Bird songs**

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

> “Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

> “How Many Species Are Needed?
> 
> One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.
> 
> A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.
> 
> More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

**Latin Name**

**Common Name**

**Clue**

**Fringilla coelebs**

Chaffinch

Common across Europe

**Turdus merula**

Eurasian Blackbird

Also common across Europe

**Parus major**

Great Tit

Ubiquitous, widespread

**Grus grus**

Common Crane

Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere

**Carduelis carduelis**

European Goldfinch

Europe and western Asia

**Turdus viscivorus**

Mistle Thrush

Forests, open woodland — common in Europe

**Certhia brachydactyla**

Short-toed Treecreeper

Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia)

**Ardea alba**

Great Egret

Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe

**Sylvia atricapilla**

Eurasian Blackcap

Woodland; migratory in north, resident in south

**Anthus trivialis**

Tree Pipit

Breeds in open woodlands across Europe; migratory

**Vanellus vanellus**

Northern Lapwing

Farmland, wet grasslands; declining in the west but still widespread

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

> “Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

> **🗺️** **My Final Geo-Guess:**
> 
> You were likely in **Germany** — possibly in **northern or eastern Germany** (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:
> 
> *   On the **Grus grus migration route**
> *   Rich in mixed forests and wetlands
> *   Within the range of **Certhia brachydactyla**
> *   Likely to host **all the species** you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

**Conclusion**

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI is getting “creepy good” at geo-guessing 

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#ios