Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in…

Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in social engineering scam.

A new cybercrime campaign called “Elusive Comet” is targeting professionals in the cryptocurrency space. But, instead of going after blockchain tech directly, the attackers are using Zoom’s remote-control features to gain access to targeted devices.

Cybersecurity firm Security Alliance (SEAL) broke down the details in a report published in March 2025. Security Alliance (SEAL) in March 2025.

The Elusive Comet campaign is a social engineering scam where cybercriminals impersonate legitimate figures to lure victims into Zoom meetings. They often use phishing emails or DMs on X to create a convincing scenario, posing as individuals wanting to interview the victim for a podcast or media feature by Aureon Capital, which claims to be a legitimate venture capital firm.

Once the victim accepts the Zoom invitation, the attackers manipulate their computer by requesting remote control access under the pretence of needing technical assistance or help with a presentation. They change their Zoom display name to “Zoom,” creating a false sense of trust.

Zoom remote-control request dialogue box showing Zoom as the requestor (Source: Trail of Bits)

For your information, Zoom’s remote-control feature is designed for accessibility and collaboration, allowing one participant to control another’s screen with explicit permission. When attackers gain remote control, they install malware onto the victim’s machine, often including infostealers and RATs (Remote Access Trojans), eventually obtaining unauthorized access to the compromised system, exfiltrating crucial information like cryptocurrency wallet credentials, personal data, and private keys.

The effectiveness of this attack is illustrated by the experience of Jake Gallen, CEO of Emblem Vault. Gallen lost over $100,000 in digital assets after falling victim to the Elusive Comet campaign. He agreed to a Zoom interview with a media personality and was granted remote control access following which “GOOPDATE” malware was installed, allowing the attacker to drain his cryptocurrency wallets.

> Working with @\_SEAL\_Org we were able to retrieve a malware file that was installed on my computer during a @Zoom call with a youtube personality of over 90k subs.
> 
> Below I will share details about that person, my experience, and this malicious software known as GOOPDATE ↓ https://t.co/xXoeSWLUXA
> 
> — jake (@jakegallen\_) April 14, 2025

Cybersecurity firm Trail of Bits also encountered the Elusive Comet campaign when their CEO received suspicious invitations to a fake “Bloomberg Crypto” series via Twitter. They identified the attackers’ refusal to communicate via email and the use of unofficial Calendly scheduling pages as key indicators of malicious intent.

SEAL highlighted similarities between these attacks and the notorious North Korean hacking collective Lazarus Group’s past operations but could not conclusively attribute the campaign to Lazarus.

SEAL and Trail of Bits recommend several mitigation strategies for cryptocurrency professionals to protect against cyberattacks. These include disabling Zoom’s Remote-Control feature by default and exercising extreme caution with unsolicited invitations.

Researchers also advise implementing strong authentication measures, considering alternative communication platforms like Google Meet, and restricting application controls over high-risk applications like Zoom by technically blocking remote control.

Max Gannon, Intelligence Manager at Cofense commented on the latest development, stating, “The malicious use of legitimate software is a growing trend we’ve continued to see in 2025. In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block.”

Elusive Comet Attack: Hackers Use Zoom Remote-Control to Steal Crypto

Free up space on your iPhone fast. Learn 5 proven ways to clear storage, remove clutter, and manage photos, apps, and files with no gimmicks, just results.

If your iPhone feels cramped and storage alerts show up like it’s on a schedule, it’s probably time for a cleanup. Below, we’ll go over easy ways to quickly free up space on iPhone – and talk a bit about storage management in general. These aren’t gimmicks; they’re time-tested methods and tricks that work for anyone, whether you’re rocking an older iPhone or the latest model.

****How to Check What’s Eating Up Space****

The first thing on the checklist is to figure out what’s taking up all that space. Before you start deleting stuff blindly, open up Settings on your iPhone, tap General, and then hit iPhone Storage.

Give it a second to load – once it does, you’ll see a full breakdown: apps, photos, media, messages, system files, and that “Other” section that never quite explains itself. You can read what all those mean in the official iPhone guide – we won’t stop on this too long.

What matters right now is _where_ your space is going. If Photos is at the top? You’ll want to start there. If it’s giant apps like TikTok, Instagram, or games you haven’t touched in months – yep, those might be the real problem. You might even get some auto-suggestions right there in the menu, like “Offload Unused Apps” or “Review Large Attachments.” Take those seriously – they’re built into the system for a reason.

****How to Free Up Storage on iPhone****

Now, we’ll go through the most popular methods from the overall list of methods to free up space on an iPhone, step by step. We’ll start with Photos first, since for most people (and maybe for you), this is where storage goes to die.

****1\. Clean Up Your Photos****

You probably already know how to manually delete photos or videos from the Photos app. You just tap **_Select_**, choose what you don’t need, and hit the **trash icon**. Simple. But also… kinda miserable. That’s hours of scrolling and second-guessing.

So let’s skip the obvious and talk about faster ways to handle photo cleanup.

First, your iPhone actually has a Duplicates album baked into the Photos app. It can help you spot and merge exact photocopies – like when you AirDropped yourself the same shot twice or saved it from Messages. That can be useful… but there are a couple of catches.

1.  It only works with **exact** duplicates – so if the two photos look nearly identical but aren’t pixel-for-pixel twins, they won’t show up.
2.  It takes time. As a lot of folks pointed out on Reddit, your iPhone doesn’t flag duplicates instantly. You might have to wait a few hours (or days) for the indexing to finish before anything appears in that folder.
3.  Even when it _does_ work, it doesn’t always make a huge dent. A few exact copies here and there usually won’t free up gigabytes.

That’s why a lot of us end up turning to third-party tools that offer broader and faster ways to clean up photos. Special attention should go to AI-powered cleaners – these apps use actual machine learning to spot stuff your iPhone can’t. Not just copies, but _similar_ photos. Like ten shots of the same person blinking… and only one where their eyes are open.

One of the best apps we’ve used for this is Clever Cleaner: AI CleanUp App. It’s 100% free, smart, clean, and surprisingly good at figuring out what’s worth keeping.

**Here’s how to use it:**

1.  Download Clever Cleaner from the App Store.
2.  Open the app, go to Similars, and let it group your lookalike photos.
3.  Tap Smart Cleanup.
4.  The AI picks the best shots to keep. Like the selection? Slide to delete. Want to tweak it? Tap a group, pick a different best shot, or skip it.
5.  When you’re done, Hit Move to Trash, then Empty Trash to clear it all out.

It also flags Heavies (your largest files, sorted big to small – something the Photos app _can’t_ do), Screenshots (easy bulk delete), and Lives (lets you convert Live Photos to stills to save space).

After each cleanup, it shows how much space you saved – and reminds you to empty the Recently Deleted album to actually free up space on your iPhone.

****2\. Offload or Delete Unused Apps****

The next way to potentially clear _a lot_ of space on an iPhone is Apps. Especially the ones you haven’t opened in six months but somehow still take up 1.2 GB.

To find and quickly delete the biggest unused apps, do this:

1.  Open Settings.
2.  Tap General.
3.  Go to iPhone Storage.
4.  Wait for the list to load (apps are sorted by size, largest at the top).
5.  Tap any app you don’t use.

Next, you’ve got two options:

*   **Offload**. This deletes the app itself but keeps all your data. If you reinstall later, everything’s still there. Best for apps you _might_ use again.
*   **Delete**. This wipes the app and its data. Good for things you know you’re done with.

Pro tip: if you’re cool with iOS doing this automatically, turn on Offload Unused Apps in iPhone Storage. It silently trims unused apps when space runs low – and puts a little download icon on them so you can grab them back anytime.

****3\. Clear Safari Cache****

If you’ve been using Safari for a while – browsing, shopping, reading articles at 2 a.m. – there’s a good chance it’s been quietly stockpiling data in the background. Website history, cookies, cached images… it all adds up. You won’t see it in the Photos app or under “Media,” but it’s there.

It’s easy to clear it, and no, it _won’t_ delete your saved passwords or bookmarks. It’ll just wipe the behind-the-scenes junk.

**To do it:**

1.  Open Settings.
2.  Scroll down and tap Safari.
3.  Scroll again and tap Clear History and Website Data.
4.  Confirm when it asks.

That’s it. Safari gets a clean slate, and you get a bit more breathing room.

It’s also a good idea to clear the cache in other apps you use often. Safari isn’t the only one. Apps like Chrome, Firefox, Snapchat, WhatsApp, and most social media or browser apps all store cached data too. But, you won’t find those cache-clearing options in iPhone’s main Settings menu.

Each app handles it differently, usually tucked away in the app’s own settings. Some call it “Clear Cache,” others go with “Storage Management” or “Data Usage.” If you’re not sure where to look, check the app’s help guide or support page – there’s usually a quick step-by-step there.

And if you can’t find a clear option at all? Easy fix: delete and reinstall the app. It’s the fastest way to wipe the cache and start fresh. You’ll need to log back in, but you’d be surprised how much space that one move can save.

****4\. Delete Large Message Attachments****

Yes, all those photos, videos, voice notes, and memes you’ve sent and received over the years stay on your iPhone’s local storage. Every single one. Doesn’t matter if it’s from last week or three months ago – they’re still there.

Luckily, there’s a built-in way to review and clear this stuff (at least the biggest offenders) quickly. Here’s how to do it:

1.  Open Settings.
2.  Go to General > iPhone Storage.
3.  Scroll down and tap Messages.
4.  Under _Documents_, tap Review Large Attachments.
5.  You’ll see a list of the bulkiest files buried in your message threads.
6.  Tap Edit, select the ones you don’t need, and hit Delete.

That’s it. Quick and painless (and your conversations stay intact).

If you want to go even further, head to _Settings > Messages > Keep Messages_ and switch it to 30 Days. iOS will automatically toss older messages and their attachments without you lifting a finger.

If you don’t see Review Large Attachments, it means iOS didn’t flag anything big enough in the Messages app to show there – _or_ you simply haven’t accumulated much yet (good for you).

But that doesn’t mean you’re out of options.

You can still clear attachments manually within most messaging apps. Just like with cache, many apps have their own settings to manage storage and remove media files without deleting your entire chat history. This works for the built-in Messages app, and also for third-party apps like WhatsApp, Telegram, and others.

****5\. Remove Downloaded Files****

This one flies under the radar for a lot of people. You download a file – maybe a PDF, a video, a ZIP, or a random invoice – and forget all about it. But your iPhone doesn’t. It quietly saves that file in the **Files** app, or tucked inside whatever app you used to open it.

**Start with the Files app:**

1.  Open Files.
2.  Tap Browse at the bottom.
3.  Go to On My iPhone.
4.  Check folders like _Downloads_, _Documents_, or anything app-specific (Chrome, Acrobat, etc.)
5.  Long-press to delete anything you don’t need.

Then think about apps that save content offline. Netflix, Spotify, YouTube Premium, and even Podcasts – they all store downloaded files locally. You won’t see this storage in the Files app, but you can manage it inside each app’s settings. Look for things like Downloads, Offline Media, or Storage Usage. Some let you clear everything in one tap.

****Final Words****

These 5 methods to clear space on the iPhone we covered above are the same ones we’ve used countless times – and the ones we regularly recommend to others. They’re reliable, and efficient, and cover the main sources of clutter on nearly every device.

Some additional methods/features can help in specific cases:

*   You can activate Optimize iPhone Storage if you use iCloud, this keeps smaller, device-friendly versions of your photos and shifts the full-resolution ones to the cloud. It’s a simple toggle that can save a lot of space without deleting anything.

*   Voice Memos is another one to check. If you use the app often, long or forgotten recordings can quietly take up storage in the background. Clearing them out occasionally can free up more room than you’d expect.

But those are more situational. The five methods in our guide cover the must-dos. They work across devices, they’re easy to repeat, and they don’t require any technical know-how. A simple cleanup with these steps will give any iPhone more breathing room.

If you found these methods helpful, use the buttons below to share on Facebook or tweet it on X – someone else is probably dealing with the same storage headache right now.

How to Clear iPhone Storage

Lattica’s cloud-based solution uses Fully Homomorphic Encryption to query encrypted data on AI models without decrypting it, preserving privacy and bolstering security.

Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has emerged from stealth. The company is backed by Konstantin Lomashuk’s Cyber Fund, and Sandeep Nailwal, co-founder of Polygon Network and Sentient: The Open AGI Foundation, among others.

Lattica’s technology represents a critical new standard for industries such as healthcare, finance and government sectors, where data privacy and security concerns have limited AI adoption. According to Cisco’s 2025 AI Briefing: CEO Edition, 70% of CEOs surveyed admitted being concerned about the state of their networks due to the rising adoption of AI, with 34% citing security as a major barrier to adoption. 

Fully Homomorphic Encryption (FHE) – the “holy grail” of cryptography in the last decade – ensures all communication between AI providers and end users remains encrypted, without needing to decrypt it, but due to longstanding computational inefficiencies, FHE has yet to be widely adopted. By capitalizing on the latest breakthroughs in the AI acceleration stack, Lattica leverages advanced acceleration techniques to operationalize FHE. 

Led by founder and CEO, Dr. Rotem Tsabary, who holds a PhD in lattice-based cryptography from the Weizmann Institute of Science, Lattica takes advantage of the foundational mathematical similarities between FHE and machine learning to offer a hardware-agnostic, cloud-based platform that utilizes FHE to deliver secure and private use of AI.

A key differentiator powering Lattica’s solution is its Homomorphic Encryption Abstraction Layer (HEAL), which enhances FHE performance and standardizes its acceleration. A cloud-based service, HEAL serves as a universal bridge connecting FHE applications and AI algorithms across a diverse range of hardware including GPUs, TPUs and CPUs, as well as dedicated accelerators like ASICs and FPGAs.

“By combining the advancements of hardware acceleration with software-based optimization, we realized that not only could we improve FHE efficiency to the point of commercial viability, but use it to solve critical data dilemmas holding back AI’s adoption in sensitive industries,“ said Dr. Rotem Tsabary, founder and CEO of Lattica. “We’re enabling practical FHE by developing a solution that is tailor-made for neural networks.”

As part of its emergence from stealth, Lattica has made demos of the platform available on its website, alongside insights from an in-depth survey within the FHE community. Survey results validate Lattica’s approach, revealing that a majority (71%) of respondents believe FHE adoption will be achieved through a combination of hardware and software. 

“Lattica is pushing the boundaries of Fully Homomorphic Encryption, solving one of the most critical challenges in AI security,” said Konstantin Lomashuk, Managing Partner at Cyber Fund. “Cyber Fund is proud to have led Lattica’s pre-seed round. This is the kind of deep-tech innovation that defines the future, and we’re excited to see Lattica leading the way.”

Lattica’s focus on healthcare and finance further underscores the platform’s relevance, with potential applications in secure data analysis for medical research and encrypted financial transactions.

“Lattica’s product-first approach fundamentally transforms sensitive data processing in the AI ecosystem,” said Sandeep Nailwal, co-founder of Polygon Network and investor in Lattica. “Lattica has made FHE a reality that is both practical and scalable, as Tsabary and her research team is proving that advances in the machine learning stack can significantly boost the performance of FHE and have an immediate impact on the market.”

****About Lattica****

Lattica enables querying AI models with Fully Homomorphic Encryption, offering FHE as a hardware-agnostic, cloud-based service. The platform leads in scientific innovation by ensuring that user queries remain encrypted throughout the entire machine-learning inference process.

Lattica’s Homomorphic Encryption Abstraction Layer (HEAL) connects FHE applications, algorithm implementations, and diverse hardware backends, making secure AI computation as accessible as traditional cloud-based AI services. The company is headquartered in Tel Aviv.

Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…

Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and claims to boost cybersecurity measures.

British retailer Marks & Spencer (M&S), a company with over 140 years of history in food and clothing, experienced a major cybersecurity incident during the Easter break that disrupted some of its essential services.

This event impacted the ability of customers to make contactless payments in their stores and caused delays in the collection of online orders, known as the Click and Collect service. Many customers took to social media platforms to voice their frustrations regarding these issues.

Stuart Machin, the Chief Executive of M&S, issued an apology to customers, acknowledging the disruptions. He explained that the company had to implement temporary adjustments to their store operations as a protective measure for both their customers and the business itself. While the stores remained open and the M&S website and mobile application continued to function normally, the technical difficulties with contactless payments and Click and Collect caused considerable inconvenience.

Email sent by M&S

In response to this incident, M&S promptly engaged external cybersecurity specialists to conduct a thorough investigation and manage the situation effectively. The company also notified key regulatory bodies, including the Information Commissioner’s Office (ICO), the UK’s data protection authority, and the National Cyber Security Centre. An ICO spokesperson confirmed that they were aware of the incident and were in the process of assessing the information provided by M&S.

Furthermore, M&S assured its investors that they were taking proactive steps to enhance the security of their network and ensure the continuation of customer service. In their statement to the London Stock Exchange, M&S emphasized the paramount importance of customer trust and pledged to provide updates if the situation evolved. 

While M&S informed customers that they were actively working to resolve the “limited” delays affecting Click and Collect orders, some shoppers had reported issues even before the official announcement. These earlier complaints included difficulties using gift cards and vouchers within M&S stores. One customer described the situation as a “total failure for customers,” highlighting the lack of communication that could have prevented unnecessary trips to the stores.

The timeline of the incident indicates that while the main cyber incident impacting contactless payments and Click and Collect began on Monday, there was a separate technical problem affecting only contactless payments that occurred on the preceding Saturday. This suggests that M&S was dealing with technical difficulties throughout the weekend and it wasn’t the immediate aftermath of the main cyber incident.

Nevertheless, this incident follows a pattern of similar attacks on UK organizations in recent years. Transport for London had to shut down numerous online services after a cyberattack, Royal Mail faced severe disruptions to international mail services recently resulting in the attackers leaking 144GB of its internal files, and retailer WH Smith experienced a data breach compromising employee information.

James Hadley, Founder and Chief Innovation Officer, Immersive: “Breaches like M&S’s aren’t rare. While they communicated clearly and likely followed tested response plans, such attacks highlight the gap between perceived and actual cyber resilience. Regular cyber drills and realistic crisis simulations are vital for building real confidence and preparing teams to protect critical data in an increasingly high-risk environment.”

M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services

Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.

Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

Following the death of Pope Francis, the Vatican is preparing to organize a new conclave in less than 20 days. This is how they’ll tamp down on leaks.

In 2005, cell phones were banned for the first time during the conclave, the process by which the Catholic Church elects its new pope. Twenty years later, after the death of Pope Francis, the election process is underway again. Authorities have two priorities: to protect the integrity of those attending the meeting, and to ensure that it proceeds in strict secrecy (under penalty of excommunication and imprisonment) until the final decision is made.

By 2025, the Gendarmerie corps guarding Vatican City faces unprecedented technological challenges compared to other conclaves. Among them are artificial intelligence systems, drones, military satellites, microscopic microphones, a misinformation epidemic, and a world permanently connected and informed through social media.

The conclave is scheduled to take place approximately 20 days after the pope's death. The Vatican and the Holy See are preparing for the arrival of the cardinals who will vote for the next leader of the Catholic faith. Emergency and control bodies are also working on it with state-of-the-art technology. So far, they have not shared details about their security arrangements, but they are not inexperienced in the task of safeguarding the integrity of high-profile figures in the face of today's technological risks.

In fact, the election in 2013 of Jorge Mario Bergoglio—the real name of Pope Francis—as supreme pontiff gives some indications of the rigorous security strategies that will be presented in the next conclave.

**Signal Jammers and Device Checks**

The Vatican has internet access, but within the areas where the cardinals will reside and vote for the new pope, there will be signal jammers. The technology prevents two devices from communicating with each other through radio frequency interference. The headquarters becomes an electronic bunker. Thus, if someone were to manage to introduce a microphone, telephone, or computer, they would be unable to transmit information.

However, the possibility of administrative staff or the cardinals themselves introducing technology is remote. Authorities inspect the building for days in search of unauthorized microphones or cameras, check every permitted attendee, and double-check participants.

**Privacy Film in the Windows**

Contemporary satellites are capable of taking pictures of people's faces from space, while AI can interpret lip movements. However, since there's currently no technology to see through walls with such high resolution, the best strategy against espionage in the conclave is to close doors and windows.

During meetings and in the sleeping quarters, voters are not allowed to look outside. In addition, before the cardinals arrive, Vatican staff place opaque film over windows so that no journalist, satellite, or drone can take pictures of the interior.

**Locked-Down Vatican**

The Vatican covers only 0.44 square kilometer in area. It is the smallest nation in the world. Until 2018, it had 650 cameras monitoring its streets from an underground command center. In addition, the Vatican City Gendarmerie, which functions as a conventional police force, and the Pontifical Swiss Guard, which acts as an army, are located within the territory. While in photographs they appear to be wearing antique costumes and carrying halberds, the latter group has highly trained personnel with heavy weapons, such as machine guns, rifles, and explosives.

An estimated 200,000 people are expected to be present in the small city-state once the conclave has determined the name of Pope Francis' successor.

_This story originally appeared on_ WIRED _en Español_ _and has been translated from Spanish._

The Tech That Safeguards the Conclave’s Secrecy

Terrance, United States / California, 22nd April 2025, CyberNewsWire

**Terrance, United States / California, April 22nd, 2025, CyberNewsWire**

**Joining Criminal IP at Booth S-634 | South Expo, Moscone Center | April 28 – May 1, 2025**

Criminal IP, the global cybersecurity platform specializing in AI-powered threat intelligence and OSINT-based data analytics, will exhibit at RSAC 2025 Conference, held from April 28 to May 1 at the Moscone Center in San Francisco. The company will welcome attendees at Booth S-634 in the South Expo Hall.

**Strengthening Its Global Presence Through Proven Success**

Following its impactful debut at RSAC 2023, Criminal IP has continued to expand its international footprint, establishing partnerships with over 40 global cybersecurity leaders, including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake. Returning to RSAC 2025, the company will further strengthen its position in the global security market by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI).

**Elevating Threat Intelligence with ASM at RSAC**

With a presence in over 150 countries, Criminal IP has positioned itself as a trusted leader in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI). At RSAC 2025, the company will highlight how its platform empowers security teams with real-time, actionable insights to proactively detect and respond to today’s most advanced cyber threats.

**Live Demonstrations & Strategic Dialogues**

Throughout the event, Criminal IP will host live demos and interactive sessions led by the CEO, senior developers, and global product experts. Visitors will gain exclusive insights into:

*   Real-world applications of ASM for enterprise security
*   Emerging threat trends and response tactics
*   Enhancing CTI workflows with AI and automation

Attendees will experience firsthand how Criminal IP uncovers exposed assets, detects abnormal behaviors, and delivers complete visibility across digital infrastructures.

**Connecting with the Criminal IP Team**

Attendees can arrange 1:1 meetings directly at Booth S-634 or pre-book sessions in advance through the Knowledge Hub > Conference section of the Criminal IP website. The team will be available to discuss how the platform can be tailored to support diverse cybersecurity goals.

The booth will also feature exclusive giveaways and a roulette-style prize draw for all on-site attendees.

> “RSAC continues to be a vital platform for exchanging ideas around proactive security,” said Byungtak Kang, CEO of AI SPERA. “We look forward to showcasing how our ASM-powered threat intelligence helps global organizations safeguard their external attack surfaces.”

**About Criminal IP**

Criminal IP is an all-in-one AI-driven threat intelligence platform that enables organizations to detect, assess, and respond to cyber threats in real time. Powered by massive-scale OSINT data and machine learning, the platform provides complete visibility into exposed assets, suspicious behaviors, and indicators of compromise.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Showcase Advanced Threat Intelligence at RSAC™ 2025

All Google accounts could end up compromised by a clever replay attack on Gmail users that abuses Google infrastructure.

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.

This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS).

Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

> Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6
> 
> — nick.eth (@nicksdjohnson) April 16, 2025

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.

Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email.

If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.

Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.

The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

**How to avoid scams like this**

*   Don’t follow links in unsolicited emails or on unexpected websites
*   Carefully look at the email headers when you receive an unexpected mail
*   Verify the legitimacy of such emails through another, independent method
*   Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

**Technical details**

Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.

DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.

So, what the cybercriminals did was:

*   Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
*   Register an OAuth app and set the app name to match the phishing link
*   Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com
*   This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
*   Forward the message untouched which keeps the DKIM signature valid.

Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com.

Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 All Gmail users at risk from clever replay attack 

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated…

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated financial sector. Balancing innovation with responsibility is important as organizations harness AI’s potential while protecting data, ensuring fairness, and mitigating risks. 

Navigating this intersection of AI ethics, cybersecurity, and finance requires careful strategy.

****AI in Financial Systems****

AI has revolutionized financial systems by enhancing decision-making processes, optimizing resource allocation, and improving fraud detection capabilities. One prominent area where AI thrives is in trading and market analysis. Algorithms powered by AI can analyze massive datasets in real time, identifying trends and making predictions with remarkable accuracy. 

For example, traders often ask, Can you short futures effectively use AI? The answer lies in leveraging sophisticated machine learning models that evaluate market conditions, predict price movements, and execute trades with precision. 

However, employing AI in such high-stakes environments also brings ethical considerations, such as ensuring transparency in algorithmic decisions and addressing the potential for systemic risks caused by automation. Balancing these advancements with robust governance is essential to maintaining trust and stability in the financial sector.

****Why AI Ethics Matters****

AI Ethics emphasizes fairness, accountability, and transparency in developing and using artificial intelligence systems. It prompts questions like, “Is this decision fair?” or “What are the risks if this algorithm fails?” 

These issues are especially critical in finance, where AI-driven decisions can directly impact people’s financial well-being. Financial tools affect nearly every part of life from securing loans to managing investments making ethical practices essential. 

Financial platforms must ensure their AI systems don’t discriminate based on factors like ethnicity, gender, or socioeconomic status. For instance, algorithms used to determine creditworthiness or loan approvals should be carefully designed and tested to prevent bias. Accountability is just as important; companies need systems to evaluate their AI’s impact and correct mistakes. 

Transparency is another cornerstone of AI Ethics. Consumers should know how their data is collected, used, and analyzed. They also deserve clarity on AI-driven decisions and the reasoning behind them. By prioritizing fairness, accountability, and transparency, companies can build trust and ensure their tools serve users responsibly and equitably.

****The Financial Costs of Cyber Threats****

AI doesn’t just create opportunities; it generates risks too. Cybersecurity is a constant challenge. It’s already critical in finance, but AI raises the stakes further. Imagine someone hacking an AI-driven trading system. This could cause widespread market turmoil in minutes.

The costs don’t stop at financial losses. A data breach can damage a company’s reputation. People lose trust, and rebuilding that trust can take years. Businesses need strong security measures to protect against breaches and ensure their AI systems are strengthened.

****Finding Balance Between Tech and Security****

Innovation and security can often feel at odds. New technologies drive progress but can also create vulnerabilities, as cyber threats evolve just as quickly. Cybersecurity teams must not only respond to threats but also anticipate and address issues before they escalate. 

This challenge becomes even greater with AI-powered systems. While transformative, their complexity makes them prime targets for attacks like data poisoning, adversarial manipulation, or algorithm flaws any of which can have serious consequences. 

To secure these systems, organizations should take a layered approach: regular audits to find vulnerabilities, secure coding to reduce risks, and employee training on handling sensitive data. By acting proactively, businesses can innovate without compromising security.

****The Future of AI Responsibility****

The future of AI is tied to how well we manage its capabilities and risks. Industries must keep asking tough questions. How much control should AI have? How do we hold businesses accountable when things go wrong?

This future depends on a collaborative effort. Governments, businesses, and researchers need to work together. Clear regulations should guide how AI is developed and used. Companies should prioritize ethical practices without cutting corners in pursuit of profits. Transparency, fairness, and strong cybersecurity protocols must remain non-negotiable.

The future of AI is both exciting and daunting. While it holds immense potential to improve our lives, it also poses significant challenges that must be addressed. As we continue to integrate AI into our society, we must do so with caution and responsibility.

We must continue having open discussions about the ethical implications of AI and actively work towards creating regulations and guidelines that prioritize human well-being. We must also hold businesses accountable for their actions and ensure that they uphold ethical practices in the development and use of AI.

(Image by Gerd Altmann from Pixabay)

AI Ethics, Cybersecurity and Finance: Navigating the Intersection

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential Revocation app and a Microsoft error in handling user refresh tokens.

Recently, many companies experienced a problem where their employees suddenly couldn’t log into their Microsoft Entra accounts and expressed concern in a Reddit thread. Microsoft, the company behind Entra ID (previously called Azure Active Directory), has explained what happened.

It seems that a newly introduced component of Microsoft Entra ID called the MACE Credential Revocation app, which is designed to enhance security by identifying compromised credentials, mistakenly flagged many regular users as high risk. This led to widespread account lockouts.

Microsoft has traced the root cause to an internal logging issue with a feature called refresh tokens (how users stay logged), which were being logged within Microsoft’s own systems. Specifically, the standard process is to only log metadata about these short-lived tokens, and the problem arose when a subset of these tokens themselves were being logged internally “for a small percentage of users,” beginning on Friday, April 18th, 2025.

As soon as they realized this mistake on Friday, April 18th, 2025, Microsoft took action to fix it. To keep their customers safe, they decided to make these specific tokens invalid, meaning they would no longer work.

However, this process of making the tokens invalid mistakenly triggered alerts in Entra ID Protection. These alerts, sent out on Sunday, April 20th, 2025, between 4 AM and 9 AM UTC, made it seem like users’ login details might have been stolen.

Microsoft has stated that they don’t have any proof that anyone gained unauthorized access to these tokens. “We have no indication of unauthorized access to these tokens – and if we determine there were any unauthorized access, we will invoke our standard security incident response and communication processes,” the tech giant noted.  

For companies whose users were locked out because they were wrongly marked as high-risk, Microsoft suggests a solution. Administrators can use a feature called Confirm User Safe within Entra ID. This tells the system that even though an alert was raised, the user’s account is actually okay. Microsoft has provided a link to their help documentation that explains how to use this feature and understand the risk alerts. 

Microsoft is still looking into exactly what went wrong and will share a detailed report, called a Post Incident Review (PIR), with all the affected customers and anyone who opened a support ticket.

To be notified when this report is available or to stay updated on any future problems with Azure services, Microsoft recommends setting up Azure Service Health alerts. These alerts can send notifications through email, text messages, and other methods. 

Jim Routh, Chief Trust Officer Saviynt, shared his thoughts on the situation with Hackread.com. He pointed out that even though this caused problems for some Microsoft business customers over the weekend, there were some positive aspects.

“The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery,” he said. ”The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend,” Routh added.

Tag

#mac