The most recent iteration of the open source infostealer skates by antivirus programs on Macs, using an encryption mechanism stolen from Apple's own antivirus product.

Source: Charles Walker Collection via Alamy Stock Photo

The macOS infostealer "Banshee" has been spotted skating by antivirus programs using a string encryption algorithm it stole from Apple.

Banshee has been spreading since July, primarily via Russian cybercrime marketplaces, where it was sold as a $1,500 "stealer-as-a-service" for Macs. It's designed to steal credentials from browsers — Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex, and Opera — and browser extensions associated with cryptocurrency wallets — Ledger, Atomic, Wasabi, Guarda, Coinomi, Electrum, and Exodus. Plus, it lifts additional information about targeted systems, including software and hardware specifications, and the password needed to unlock the system.

It was far from a perfect tool, widely detected by antivirus programs, thanks in part to its being packaged entirely in plaintext. But on Sept. 26, researchers from Check Point observed a more potent variant. This more successful variant remained otherwise undetected for months, primarily because it was encrypted with the same algorithm used by Apple's Xprotect antivirus tool for macOS.

**Banshee Malware Steals From XProtect**

XProtect is Apple's decade-and-a-half-old anti-malware engine for macOS. To detect and block malware, it uses "Remediator" binaries, which combine various methods and tools for antivirus-ing, including YARA rules, which contain patterns and signatures associated with known threats.

Check Point found that the same encryption algorithm that protects XProtect's YARA rules also concealed the September variant of Banshee.

It's not clear how the malware author — nom de guerre "0xe1" or "kolosain" — gained access to that algorithm.

"It could be that they performed a reverse engineering of the XProtect binaries, or even read relevant publications, but we can't confirm it," Antonis Terefos, reverse engineer at Check Point Research, speculates. "Once the string encryption of macOS XProtect becomes known — meaning the way the antivirus is storing the YARA rules is reverse-engineered — threat actors can easily 'reimplement' the string encryption for malicious purposes," he says.

Either way, the effect was significant. "The majority of the antivirus solutions in VirusTotal detected the initial Banshee samples using plaintext, but once the developer introduced this novel string encryption algorithm, none of the approximately 65 antivirus engines in VirusTotal detected it," he says.

That remained the case for around two months. Then, on Nov. 23, Banshee's source code was leaked on the Russian language cybercrime forum "XSS." 0xe1 shuttered his malware-as-a-service (MaaS) operation, and antivirus vendors incorporated associated YARA rules in due course. But even after that point, Terefos reports, the encrypted Banshee remained undetected by most engines on VirusTotal.

**How Banshee Stealer Is Spreading in Cyberattacks**

Since late September, Check Point has identified more than 26 campaigns spreading Banshee. Broadly speaking, they can be grouped into two clusters.

In three waves of campaigns lasting from mid-October to early November, threat actors spread the infostealer via GitHub repositories. The repositories promised users cracked versions of popular software, like Adobe programs and various image and video editing tools. The malware was concealed behind generic file names such as "Setup," "Installer," and "Update." This same cluster of activity also targeted Windows users with the popular Lumma Stealer.

The remaining campaigns spread Banshee via phishing sites, of one form or another. In these cases, the attackers disguised the malware as various popular software programs, including Google Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. If a visitor was using macOS, they'd get a download link.

More, varying campaigns could be on the way, now that Banshee has been leaked. Thus, Terefos says, "Despite macOS traditionally being regarded as more secure, Banshee’s success demonstrates the importance for macOS users to remain vigilant and aware of the threats."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like _Candy Crush_ and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples’ mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as _Candy Crush_, _Temple Run_, _Subway Surfers_, and _Harry Potter: Puzzles & Spells_; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.

Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is _Call of Duty: Mobile_, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.

It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a users’ IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps are also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS \[Global Navigation Satellite System\]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”

In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on peoples’ devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Torrance, United States / California, 9th January 2025, CyberNewsWire

**Torrance, United States / California, January 9th, 2025, CyberNewsWire**

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has launched its **Criminal IP Malicious Link Detector** add-in on the Microsoft Marketplace. This cutting-edge tool provides real-time phishing email detection and URL blocking for Microsoft Outlook, adding an essential layer of email security in the face of increasing cyber threats.

Advances in generative AI have driven a surge in sophisticated phishing attacks that are increasingly difficult to distinguish from legitimate communications. The Criminal IP Malicious Link Detector combats these threats by analyzing email links in real-time, detecting and blocking phishing URLs and malicious domains. Fully integrated with Microsoft Outlook and available for free, it provides robust protection for both individuals and organizations.

**Case Study: Phishing Email Targeting Cryptocurrency Wallet Users**

In one instance, Criminal IP detected a phishing email targeting Trust Wallet users. The email contained links disguised as official pages, aiming to deceive users into downloading malware. The Criminal IP Malicious Link Detector swiftly identified and blocked these malicious URLs in real-time, averting potential harm.

**Getting Started with the Criminal IP Malicious Link Detector**

Using the tool is straightforward:

1.     **Signing Up:** Creating an account on the Criminal IP platform.

2.    **Installing the Add-In:** Downloading and integrating the add-in from Microsoft Marketplace.

3.    **Start Scanning:** Email links are automatically scanned upon login, with results displayed instantly.

As cyber threats evolve rapidly, the **Criminal IP Malicious Link Detector** ensures the users’ emails are protected against phishing links and malicious URLs. Download it today to stay ahead of emerging cyber risks and strengthen email security.

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP Launches Real-Time Phishing Detection Tool on Microsoft Marketplace

**Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?**

This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

CVE-2025-21380: Azure Marketplace SaaS Resources Information Disclosure Vulnerability

CVE-2025-21385: Microsoft Purview Information Disclosure Vulnerability

PRESS RELEASE

DALLAS, Jan. 7, 2025 /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced a new collaboration with Intel® (NASDAQ: INTC) designed to help joint enterprise customers protect critical systems from stealthy threats, including fileless malware and advanced ransomware.

When Trend's proactive security platform and Intel's technology are used together, the integrated solution can better determine if encryption behavior is legitimate—such as a user backing up files or malicious—ensuring the appropriate action is taken to protect critical systems.

This news coincides with the CES 2025 (Consumer Electronics Show), which is the most influential tech innovation event for enterprises and society as a whole, where Intel and Trend will be present. Trend invites corporate attendees to join a panel discussion on Thursday, January 9th, entitled "Data Collection, Privacy and Why You Should Care," to learn how to safeguard a digital footprint as cybercriminals increasingly target critical data. Register now at: https://spr.ly/6044vmkSQ.

Carla Rodriguez, Intel VP: "Threat actors are increasingly targeting endpoints with sophisticated attacks that evade traditional software-based security. Trend's integration of Intel® Threat Detection Technology provides a hardware-accelerated detection layer to uncover stealthy threats. This technology, deployed across a billion PCs, is the only AI-based silicon security solution of its kind. Our mutual customers will benefit from enhanced protection with Trend's AI-powered Trend Vision One™ – Endpoint solutions on Intel AI PCs."

Protecting critical assets across endpoints, email, networks, and cloud workloads is increasingly challenging as malicious actors favor covert threats such as fileless malware, which was reportedly present in 40% of attacks in 2023. These can be used to deploy ransomware, steal sensitive data, and cause significant financial and reputational damage.

Fileless attacks are particularly dangerous as they rely on in-memory execution, reside in the registry, or abuse legitimate tools like PowerShell and Windows Management Instrumentation.

That's why Trend and Intel are teaming up by combining the AI-powered Trend Vision One. This collaboration provides organizations with powerful tools to detect and respond to ransomware and fileless attacks before they can cause damage.

Rachel Jin, Chief Enterprise Platform Officer at Trend: "Proactive security has long been desired but just recently feasible. Through our work with Intel, we're redefining what's possible in cybersecurity—empowering enterprises to proactively safeguard their systems, data, and operations against an increasingly complex threat landscape."

How AMS works:

*   Intel® TDT offloads advanced memory scanning (AMS) workloads from CPU to GPU.
    
*   This enables Trend endpoint security solutions to scan more deeply and more often to uncover fileless attacks before they can launch malicious payloads.
    
*   Using fewer CPU resources enhances threat detection and response without affecting performance, slowing down PCs, or reducing battery life.
    

Trend Vision One™ – Endpoint Security leverages AMS to improve memory scanning capacity by 7 to 10X1. This means that organizations can scan more and detect more threats.

CPU-based threat detection:

Advanced ransomware is increasingly capable of evading EDR detection thanks to packing and obfuscation techniques and VM cloaking. EDR solutions are too often playing catchup with behavior-based approaches, which take time to get up to speed.

Intel® TDT augments Trend's behavioral analysis, runtime machine learning, and expert rules by providing critical visibility into the hardware layer, increasing ransomware detection efficacy by 24% over software alone.

It does this by:

*   Using CPU telemetry and Intel® AI, offloading Intel AI and memory scanning from the CPU to the integrated GPU to provide a detection assist to Trend's ransomware defenses which won't disrupt the user experience.
    
*   Integrating Intel TDT source code directly into the Trend Micro agent to deliver deeper insights from CPU telemetry. This enables instant discovery of zero-day attacks and new, fast-moving variants.
    

About Trend Micro  
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro and Intel Innovate to Weed Out Covert Threats

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.

****SUMMARY****

*   **Phishing Scam Targets PayPal**: Scammers exploit PayPal’s system to link victim accounts to unauthorized addresses.

*   **Legitimate-Looking Emails**: The scam uses real-looking emails and valid PayPal login pages to deceive users.

*   **Microsoft365 Exploit**: Attackers use MS365 domains to send PayPal money requests, bypassing phishing filters.

*   **Account Takeover**: Victims unknowingly link their PayPal accounts to the scammer, risking financial loss.

*   **Stay Safe**: Avoid unsolicited emails, verify URLs, and enable 2FA to protect your PayPal account.

Fortinet’s FortiGuard Labs has identified a sophisticated PayPal phishing scam targeting unsuspecting users by exploiting a loophole in the platform’s system. According to Fortinet’s CISO (Chief Information Security Officer) Carl Windsor, the scam leverages legitimate PayPal functionality to trick users into linking their accounts to unauthorized addresses, potentially granting attackers control over their finances.

The attack utilizes a seemingly legitimate email, often with a valid sender address and a genuine-looking URL. However, the true danger lies within the email’s content. It directs recipients to a legitimate PayPal login page, prompting them to log in to investigate a supposed payment request.

Screenshot of the actual phishing email (Via Fortinet’s FortiGuard Labs)

Further probing revealed that the scammer registered an MS365 test domain and created a Distribution List containing victim emails (Billingdepartments1gkjyryfjy876.onmicrosoft.com), then sent a legitimate PayPal money request to all recipients. 

They added the list to the PayPal web portal and distributed it to targeted victims. The Microsoft365 SRS rewrite scheme rewrites the sender to pass the SPF/DKIM/DMARC check. It is worth noting that Microsoft365 SRS (Sender Rewriting Scheme) is a feature in Microsoft 365 that rewrites the sender address of an email message.

Once the victim logs in, the scammer’s account is linked to the victim’s account, allowing them to take control of the victim’s PayPal account, a trick that bypasses PayPal’s phishing check instructions.

“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote in a blog post.

This new phishing scam highlights the importance of cybersecurity awareness. Users must be cautious of unsolicited emails, avoid clicking on links or attachments from unknown senders, hover over links to verify URLs, and never enter login credentials on websites unless certain of the authenticity. Enabling two-factor authentication (2FA) on PayPal accounts can further enhance security.

1.  **PayPal Notifies 35,000 Users of Data Breach**
2.  **PayPal Users hit with “Suspicious Activity” Phishing Scam**
3.  **Microsoft, PayPal, Facebook most targeted brands in phishing**
4.  **World Bank SSL Certificate Hacked to Host PayPal Phishing Scam**
5.  **DocuSign API Abused to Evade Spam Filters with Phishing Invoices**

New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112). The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as LDAPNightmare, and an exploit PoC. The exploit causes a forced reboot of Windows servers. One prerequisite: the […]

**About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112).** The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as **LDAPNightmare**, and an exploit PoC.

The exploit causes a forced reboot of Windows servers. One prerequisite: the victim domain controller’s DNS server must have Internet connectivity.

The attack flow starts with sending a DCE/RPC request to the victim server, causing the LSASS (Local Security Authority Subsystem Service) to crash and force a reboot when an attacker sends a specially crafted CLDAP (Connectionless Lightweight Directory Access Protocol) referral response packet.

But this is all about DoS, why RCE? 🤔 Researchers note that RCE can be achieved by modifying the CLDAP packet.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)

The deal will enhance 1Password Extended Access Management offering with capabilities to address challenges around software-as-a-service sprawl and shadow IT.

Source: blickwinkel via Alamy Stock Photo

NEWS BRIEF

1Password on Monday announced that it has acquired software-as-a-service (SaaS) access management provider Trelica. Although terms of the transaction were not disclosed, 1Password said it is the largest acquisition by company revenue in its 18-year history.

1Password provides password management and other online identity-based services. This acquisition will build on 1Password's effort to expand its Extended Access Management offering, a platform that secures, identities, and manages access and permissions applications and devices, the company said. Launched last year, the platform is designed to ensure that employee devices, identities, and apps are trusted before granting access to enterprise resources.

Founded in 2018, UK-based Trelica offers a suite of tools for managing and securing SaaS applications, such as tools for employee onboarding and offboarding, discovering shadow IT deployments, SaaS operations, spend optimization, and access management. With shadow IT and SaaS sprawl increasing the risk of security breaches, security teams rely on automated application discovery tools to identify unmanaged apps, streamline user provisioning and access governance, and enforce security policies.

"Trelica addresses critical challenges that haven't been solved by traditional solutions like single sign-on (SSO), mobile device management (MDM) and SaaS security posture management (SSPM)," wrote 1Password CEO Jeff Shiner in a blog post announcing the deal. "These include provisioning and de-provisioning users, reclaiming unused licenses, monitoring permission drift, and adjusting access during role changes. Trelica prioritizes IT administrators' most time-consuming tasks while maintaining a secure environment."

With Shadow IT discovery capabilities from Trelica, the 1Password Extended Access Management platform will provide organizations with a repeatable framework for bringing unmanaged apps into full compliance under IT and security management, while empowering employees to use the tools that enhance their productivity, 1Password said in a statement.

Besides 1Password, Trelica lists over 300 SaaS integrations with SaaS providers, including Adobe, Atlassian, Cisco, Google, HubSpot, JFrog, LastPass, ManageEngine, Marketo, Microsoft, Okta, Pax8, Salesforce, SAP, ServiceNow, Snyk, Sophos, TeamViewer, Workday, Workspace One, and Zoom.

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Tag

#microsoft