PRESS RELEASE

PRINCETON, N.J., Jan. 6, 2025 /PRNewswire/ -- Palindrome Technologies has been conditionally approved as a Cybersecurity Label Administrator (CLA) for the Federal Communications Commission's (FCC) voluntary Internet of Things (IoT) Cybersecurity Labeling Program.

As a CLA, Palindrome will evaluate and certify IoT products that meet FCC cybersecurity standards.  
Qualified products will bear the "U.S. Cyber Trust Mark" label.  
This program is designed to incentivize manufacturers to meet higher cybersecurity standards and differentiate trustworthy products in the marketplace, and most importantly, help consumers make informed decisions about the products they use in their homes.

Peter Thermos, Palindrome CEO, stated, "We are honored to support the FCC's efforts in strengthening IoT security and building consumer trust. Our expertise in security assurance testing of network devices and products positions us well for this role."

Palindrome will provide manufacturers with:

*   Streamlined application review and management for FCC IoT Label usage authorization
    
*   Assistance with preparation for certification
    
*   Guidance throughout the certification process
    
*   Testing and certification of IoT products
    

The program offers benefits to manufacturers, connected infrastructure, and consumers by raising cybersecurity standards and providing clear information about device security.

For more information, visit the Palindrome Technologies website.

About Palindrome Technologies:  
Since 2005, Palindrome Technologies has been a trusted cybersecurity partner to Fortune 500 companies and growing organizations that want to engineer cyber resilience in emerging threat environments. With a focus on excellence, curiosity, and integrity, Palindrome helps clients defend against cyberattacks across all attack surfaces, including hardware, software, network-to-cloud, people, and emerging technologies.

Palindrome Technologies Approved as Cybersecurity Label Administrator for FCC's IoT Program

Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.

Source: Cal Sport Media via Alamy Stock Photo

Fans of the Green Bay Packers football franchise have been tackled by a payment-card skimmer; people who bought merch at the Packers Pro Shop website last fall may have had their personal data harvested.

In a data-breach notification letter to the 8,514 "cheeseheads" affected, the NFL juggernaut noted that its security staff was alerted to the code on Oct. 23, just as the team was gearing up to play the Jacksonville Jaguars in Week 8 of the 2024 season.

"We were alerted to the presence of malicious code inserted on the Pro Shop website by a third-party threat actor," reads the notice, which added that the team immediately asked the outside vendor that hosts the store to take the e-commerce site offline. "The malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website."

Fortunately, the skimmer was active in only two windows: Between Sept. 23-24, and Oct. 3-23, 2024. And, fans who used a gift card, a Pro Shop website account, PayPal, or Amazon Pay weren't exposed.

Cybercriminals were able to score on everyone else though, collecting names, addresses (billing and shipping), emails, and full payment-card information, according to the notice.

Related:Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

According to an analysis from Sansec, a Dutch e-commerce security company that notified Green Bay about the attack, the threat actors abused a JSONP callback and YouTube's oEmbed feature, which allows users to embed content from one website into another website. Ultimately, the skimmers were able to bypass the Content Security Policy (CSP) for the Pro Shop website, and "a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and text area fields on the site, exfiltrating the captured information."

**A Pick 6 for Magecart & Other Cybercrime Carders?**

While there's no public attribution available for the incident, the cyberattack has all the hallmarks of a classic "Magecart" attack. Magecart is an umbrella term for a loose confederation of groups that steal credit cards by exploiting a vulnerability within a website to inject a malicious piece of code, which simply exfiltrates any data the users put into checkout pages on e-commerce sites.

Lately, these types of attacks have been on the rise, with scores of groups beyond classic Magecart actors running skimmer plays, researchers warn; the Packers are just the latest victim in the pass rush of maliciousness.

Related:Ransomware Targeting Infrastructure Hits Telecom Namibia

"There's no solid theory about why there's been an uptick in skimmer attacks,” says Javvad Malik, lead security awareness advocate at KnowBe4. "It could be a case of low-hanging fruit, a lot of e-commerce transactions over the holiday period when people are searching for deals, and also the ease through which some third parties can be compromised without triggering alarms."

According to the Recorded Future Payment Fraud Intelligence group, digital e-skimming will remain a top threat to e-commerce going forward, with bad actors relying on easy-to-use skimmer kits and persistent CMS security vulnerabilities. Plus, smaller security organizations (including those used by many sports franchises) are at particular risk.

"Payment Card Industry Data Security Standard (PCI DSS) requirements will continue aiming to improve security, but the impact will remain limited as many small and medium-sized retailers fail to adhere," said Boris Ivanov, principal malware researcher at Recorded Future, via email. "This gap will worsen the already serious problem of attackers exploiting vulnerable platforms and compromising payment data."

Meanwhile, Malik notes that sports teams might be in the cybercrime sites as a top target in part due to fan exuberance.

Related:CISA: Third-Party Data Breach Limited to Treasury Dept.

"Technically, sports organizations probably don't have any different challenges than others," he says. "What makes them attractive to criminals though is the fact that they have a loyal fan base that is willing to spend money on tickets and merchandise. Often during busy periods when tickets are released, there is a rush, so people will often ignore any security warnings in a bid to complete their purchase."

**The Payment-Skimmer Ground Game Is Hard to Defend Against**

Skimmers are also having a moment because the back-end complexity of the code running e-stores is on the rise, which offers cover for malware infestation and makes defense more porous.

"These are difficult to detect by nature, especially when these attacks take place by compromising third-party components, which can end up in organizations' blind spots," explains Malik. "Complexity and the reliance on many third parties is perhaps the biggest challenge to keep modern Web applications secure."

In the Packers' case, the Pro Shop is hosted by a third party, which complicates things even further.

"In the case of organizations outsourcing many components and hosting, security responsibility cannot be outsourced, so many organizations end up with a lack of skilled resources within the organization to keep an eye over the end-to-end security — something that is often fueled by budget constraints," Malik notes.

Ultimately, e-commerce organizations of all stripes, including those catering to Wisconsin NFL fans, need to balance security with business agility and the user experience, which creates a series of challenges. Technical complexity, resource constraints, skills shortages, and organizational culture can all affect how organizations approach Web security, Malik cautions.

"It's about embedding security into the very fabric of the business, rather than treating it as an afterthought," he says. "Some of the things you can do include implementing robust content security policies, undertaking regular security audits and penetration testing, employing real-time monitoring that can detect unusual code or behavior patterns, and finally, educating staff and fostering a culture of cybersecurity."

Dane Sherrets, staff innovation architect at HackerOne, notes that, from a coding standpoint, user input should be considered suspect until proven otherwise.

"Firstly, it's important to remind everyone never to explicitly trust user input and to treat all such inputs as potentially malicious," he says. "The Green Bay Packers incident, in particular, highlights the threat of exploiting a loophole in the site's CSP."

The Green Bay Packers did not immediately return a request for comment.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-cjgq-5qmw-rcj6: keras Path Traversal vulnerability

"Where Warlocks Stay Up Late" project speaks to hackers who have played pivotal roles in shaping the field of cybersecurity. The video interviews are complemented by an encyclopedia and an anthropological map.

Nathan Sportsman, the CEO of offensive security company Praetorian, had a grim epiphany in the summer of 2023: We're beginning to lose some of the hackers and visionaries who laid the foundation of the cybersecurity industry.

"When Kevin Mitnick passed, I realized that he would never be able to tell his story again," Sportsman says. "We're running out of time to tell these stories."

So he decided to document the history of hackers and preserve the stories of those early trailblazers and their groundbreaking contributions. The title of his docuseries project, "Where Warlocks Stay Up Late," pays homage to Katie Hafner and Matthew Lyon's 1996 book, Where Wizards Stay Up Late, which chronicles the origins of the Internet and spotlights the stories of the pioneers responsible for shaping it.

Each month, two long-form video interviews will be released on the Warlocks project's YouTube channel, featuring candid conversations in which cybersecurity pioneers share their technical achievements, as well as their personal journeys, challenges, and ethical dilemmas they faced along the way.

Sportsman and his team — Emmy-winning producer Matthew Wallis, filmmaker Tyson Culver, anthropologist Gabriella Coleman, and historian Matt Goerzen — plan to capture the stories of over 200 cybersecurity pioneers who helped shape the hacking scene of the 1980s and 1990s. These were the hackers who testified before the US Congress in 1998 and claimed they could take down the Internet in 30 minutes. They also exposed vulnerabilities in early wireless networks and were early advocates for encryption. Some of their stories have never been told before, Sportsman says.

Related:Black Hat 2024: Praetorian CEO Teases 'Warlock' Series on Cyber Pioneers

"This is going to be a three- to five-year commitment," Sportsman notes.

The list features prominent groups like L0pht Heavy Industries, Germany's Chaos Computer Club, w00w00, and the Legion of Doom. Smaller yet interesting groups, such as TESO and ADM, will also be represented. Some of the hackers from these groups went on to build successful careers in cybersecurity, becoming CISOs or CEOs, while others found roles in policymaking or intelligence.

Each interviewee is encouraged to bring along a historical artifact that represents their journey or contributions to hacking culture.

"It could be anything," Sportsman says. "It could be an old version of Phrack magazine. It could be a floppy disk, a motherboard."

The goal is to donate the artifacts to a physical museum at some point, maybe the Smithsonian, he says.

"Maybe they create a cyber wing where these stories can be held and all these artifacts can be kept," Sportsman adds.

**Mapping Hacking Groups**

The overall goal of the Warlocks project is to create a 360-degree view on the origins of the cybersecurity industry. The video interviews will be supplemented by an encyclopedia, which will provide context, and an anthropological map, which will offer a visual representation of the underground groups and the connections among them. By selecting a hacker's name, viewers will be able to access a wealth of information, including biographical details and contributions to the field.

Coleman, a professor in the Department of Anthropology at Harvard University, was "instantly drawn to the Warlocks, like a moth to flame," she says, because the project complements her focus on the politics and cultures of hacking and online activism. Over the years, she has studied distinct hacker communities, such as Anonymous.

"Combining visual data \[maps, videos, and pictures\] with written and oral histories allows us to make more sturdy, sound, or compelling arguments," Coleman says.

To capture the full picture of the hacking scene, the team plans to talk to all kinds of pioneers "from the no-malicious yet unorthodox underground scene," as Coleman puts it, regardless of where they are located.

"Those studying hackers know there were important waypoints in the transition from underground hacking to professional security, but the full stories of their members still need to be charted," Coleman adds.

Although she has studied hacker communities for over two decades, Coleman admits that some of the names that appear on the anthropological map were initially unfamiliar to her — a reflection of the secrecy that has long shrouded the scene.

"This terra incognita reminds us of the power and importance of what some philosophers call 'epistemic humility,'" she says. "This map both charts known territory and reveals what still needs to be studied."

**A (Digital) Museum of Hackers**

One of Sportsman's first interviews for the Warlocks project was with Mike Schiffman, editor-in-chief of hacker e-zine Phrack. During the taping, Schiffman and Sportsman reminisced about the early days of IRC channels where hackers hung out to share ideas and cutting-edge research. They discussed how hacker culture has evolved over the years.

"Back then, \[Shiffman\] would just kick/ban me out of the channel because I was a kid and I was annoying, but I looked up to him because of everything he had already done to that point," Sportsman says.

Schiffman recalls a bizarre incident from his youth, when his phone switch was hijacked and all of his calls were forwarded to a bridge. Anyone trying to reach him was told he had died. While doing some research for the project, Schiffman was able to identify the exact person who hacked his phone switch 25 years ago.

"I'll be interviewing him for Warlocks in February," Schiffman says.

For Schiffman, working on the Warlocks project has been both nostalgic and thought-provoking. He serves as a producer, interviewer, and planner, making sure the project authentically captures the "rich cultural history of the hacking scene."

The motivation to talk about the old days is deeply personal.

"I want my children to know my story," Schiffman says. "They're currently quite young, and I expect them to get different things from this as they watch it at different ages."

**More Than Just Hacker Nostalgia**

The stories hackers will share on camera offer glimpses into their personal journeys, but they also weave together a collective narrative that will help the next generation understand how everything started.

"There's not a single person in this industry that achieved any type of long-term success without the help of others," says cybersecurity expert Ralph Logan, an adviser to the project.

The desire to tap into the collective memory of the cybersecurity community and capture the stories for the new generation of people entering the cybersecurity workforce is deep-seated. In the past few years, a number of projects have been developed to tell the background stories of major cybersecurity events — an oral history of L0pht and a book on the Cult of the Dead Cow, to name a few. The Computer History Museum and the International Spy Museum also have exhibits highlighting cybersecurity researchers and stories.

The collective aspect of the narrative resonates deeply with Harvard's Coleman, who views hackers as collaborative individuals who embrace partnerships that further their goals. This is why their stories should be told in a way that highlights the intricate web of interactions, collaborations, and shared ambitions that define the community, she says.

"While many industry histories, like those of Walter Isaacson, elevate individual 'tech heroes,' this project showcases how diverse, interconnected hacker collectives worldwide transformed security from an afterthought into a critical priority," Coleman says.

The anthropologist hopes the project will also serve as a template for other areas of technology, including hacktivism, a topic she holds close to her heart. By applying the same methods, researchers could one day uncover groundbreaking insights into the inner workings, cultural dynamics, and broader impacts of groups like the Cult of the Dead Cow, the Electronic Disturbance Theater, or the Xnet collective.

"Like the underground, much material connected to hacktivist circles has either remained historically hidden, is hard to access, or is precariously stored," Coleman says, noting that this is an ideal time for projects like this. "Many \[hackers\] are seeking and willing to publicize their past. Many have expressed interest in ensuring this history does not get lost to time, while we still have access to firsthand accounts."

New Docuseries Spotlights Hackers Who Shaped Cybersecurity

The White House has launched the Cyber Trust Mark to assist consumers in their quest to buy cybersecure internet connected devices.

The White House announced the launch of the US Cyber Trust Mark which aims to help buyers make an informed choice about the purchase of wireless internet-connected devices, such as baby monitors, doorbells, thermostats, and more.

The cybersecurity labeling program for wireless consumer Internet of Things (IoT) products is voluntary but the participants include several major manufacturers, retailers, and trade associations for popular electronics, appliances, and consumer products. The companies and groups said they are committed to increase cybersecurity for the products they sell.

Justin Brookman, director of technology policy at the consumer watchdog organization Consumer Reports, lauded the government effort and the companies that have already pledged their participation.

“Consumer Reports is eager to see this program deliver a meaningful U.S. Cyber Trust Mark that lets consumers know their connected devices meet fundamental cybersecurity standards,” Brookman said in a news release. “The mark will also inform consumers whether or not a company plans to stand behind the product with software updates and for how long.”

The Federal Communications Commission (FCC) proposed and created the labelling program and hopes it will raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.

The idea is that the Cyber Trust Mark logo will be accompanied by a QR code that consumers can scan for easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.

The program is challenging because of the wide variety of consumer IoT products on the market that communicate over wireless networks. These products are built on different technologies, each with their own security pitfalls, so it will be hard to compare them, but at least the consumer will be able to find some basic—but important—information.

Even though participation is voluntary, manufacturers will be incentivized to make their smart devices more secure to keep the business of consumers who will choose products that only have the Cyber Trust Mark.

As we explained recently, the “Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep.”

And in 2024 we saw several mishaps ranging from privacy risks to downright unacceptable abuse. So, if we can avoid these incidents from happening again, then it surely is worth the trouble.

The testing of whether a product deserves the Cyber Trust Mark will be done by accredited labs and against established cybersecurity criteria from the National Institute of Standards and Technology (NIST).

The Cyber Trust Mark has been under constructions for quite a while was approved in a bipartisan unanimous vote last March, but we can expect the first logos to show up this year. And Anne Neuberger, deputy national security adviser for cyber, revealed that there are plans to release another executive order saying that, beginning in 2027, the Federal government will only buy devices that have the Cyber Trust Mark label on them.

For now, the program does not apply to personal computers, smartphones, and routers.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 US Cyber Trust Mark logo for smart devices is coming 

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.

****SUMMARY****

*   **Phishing Scam Targets PayPal**: Scammers exploit PayPal’s system to link victim accounts to unauthorized addresses.

*   **Legitimate-Looking Emails**: The scam uses real-looking emails and valid PayPal login pages to deceive users.

*   **Microsoft365 Exploit**: Attackers use MS365 domains to send PayPal money requests, bypassing phishing filters.

*   **Account Takeover**: Victims unknowingly link their PayPal accounts to the scammer, risking financial loss.

*   **Stay Safe**: Avoid unsolicited emails, verify URLs, and enable 2FA to protect your PayPal account.

Fortinet’s FortiGuard Labs has identified a sophisticated PayPal phishing scam targeting unsuspecting users by exploiting a loophole in the platform’s system. According to Fortinet’s CISO (Chief Information Security Officer) Carl Windsor, the scam leverages legitimate PayPal functionality to trick users into linking their accounts to unauthorized addresses, potentially granting attackers control over their finances.

The attack utilizes a seemingly legitimate email, often with a valid sender address and a genuine-looking URL. However, the true danger lies within the email’s content. It directs recipients to a legitimate PayPal login page, prompting them to log in to investigate a supposed payment request.

Screenshot of the actual phishing email (Via Fortinet’s FortiGuard Labs)

Further probing revealed that the scammer registered an MS365 test domain and created a Distribution List containing victim emails (Billingdepartments1gkjyryfjy876.onmicrosoft.com), then sent a legitimate PayPal money request to all recipients. 

They added the list to the PayPal web portal and distributed it to targeted victims. The Microsoft365 SRS rewrite scheme rewrites the sender to pass the SPF/DKIM/DMARC check. It is worth noting that Microsoft365 SRS (Sender Rewriting Scheme) is a feature in Microsoft 365 that rewrites the sender address of an email message.

Once the victim logs in, the scammer’s account is linked to the victim’s account, allowing them to take control of the victim’s PayPal account, a trick that bypasses PayPal’s phishing check instructions.

“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote in a blog post.

This new phishing scam highlights the importance of cybersecurity awareness. Users must be cautious of unsolicited emails, avoid clicking on links or attachments from unknown senders, hover over links to verify URLs, and never enter login credentials on websites unless certain of the authenticity. Enabling two-factor authentication (2FA) on PayPal accounts can further enhance security.

1.  **PayPal Notifies 35,000 Users of Data Breach**
2.  **PayPal Users hit with “Suspicious Activity” Phishing Scam**
3.  **Microsoft, PayPal, Facebook most targeted brands in phishing**
4.  **World Bank SSL Certificate Hacked to Host PayPal Phishing Scam**
5.  **DocuSign API Abused to Evade Spam Filters with Phishing Invoices**

New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails

SUMMARY Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools…

****SUMMARY****

*   **Sophisticated Scam in the Middle East**: Cybercriminals are posing as government officials to carry out refund scams, using remote access tools like AnyDesk and TeamViewer to steal victims’ personal and financial information.

*   **Scam Process**: Victims are contacted via phone, asked to download legitimate remote access software, and unknowingly grant access to their devices, exposing sensitive data such as card details and OTPs.

*   **Targeted Victims and Impact**: The scam focuses on individuals who have lodged complaints with government services portals, making it easier for scammers to gain their trust. Average losses per victim are around $1,300, with some losing as much as $5,000.

*   **Potential Inside Job**: The scam’s effectiveness suggests possible insider involvement, as scammers appear to have access to government complaint data.

*   **Prevention and Awareness**: Individuals should avoid downloading remote access software or sharing sensitive information during unsolicited calls. Government and financial institutions must enhance security measures and educate the public about social engineering risks.

Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools and software to steal personal and financial information from victims in the Middle East.

The modus operandi of the scam involves these scammers posing as government officials, gaining the trust of their targets by offering to help them claim refunds for unsatisfactory purchases. In return, scammers end up collecting personal details from victims including personal information, card data, and the one-time passwords (OTPs) necessary for online transactions.

****The Call****

The scam begins with a phone call from scammers claiming to be a government representative. The victim is required to download a legitimate remote access application, such as AnyDesk or TeamViewer, which allows them to access the victim’s device. Once access is granted, these scammers can view the victim’s screen and capture sensitive information, including credit card details and one-time passwords (OTPs).

How it works (Via Group-IB)

The scammers use this information to make online purchases or recharge local e-wallets, often using 3D-secured transactions to avoid detection. The average loss per transaction is estimated to be around $1,300, although some victims have reported losses of up to $5,000.

The scam is particularly effective because it targets individuals who have previously submitted complaints to government services portals. The scammers use this information to gain the victim’s trust, making it more likely that they will cooperate with the scam.

Although it’s unclear how the scammers gained access to the complainant, it suggests the possibility of an inside job involving government officials. Group-IB has been tracking this scam and reports that it is widespread in the Middle East. The company believes that having access to customers’ real-time information can also be possible due to the widespread use of inforstealers like META, Redline, Vidar and Formbook.

The company’s analysts have identified several key features of the scam, including the use of remote access software and the targeting of victims who have submitted complaints to government services portals.

Screenshot of two of the genuine complaints (Via Group-IB)

To avoid falling victim to this scam, individuals are advised to be careful when receiving unsolicited phone calls from government officials. It is also important to be wary of requests to download remote access software or provide sensitive information over the phone.

Tools like AnyDesk and TeamViewer, originally developed for legitimate assistance purposes, can become major threats in the wrong hands. Last year, thousands of compromised AnyDesk login credentials were sold on the dark web. Similarly, TeamViewer has been exploited in several high-profile cyberattacks, including the attempted water supply poisoning in Oldsmar, Florida, in 2021.

Government agencies and financial institutions can also take steps to prevent this scam. This includes implementing stronger security measures to protect against account breaches and theft, as well as educating customers about the risks of social engineering attacks.

1.  **Hackers Sending Fake Tax Refund Emails with Malware**
2.  **Black Basta Ransomware Uses MS Teams to Spread Malware**
3.  **FireScam Infostealer Spyware Hits Android via Fake Telegram**
4.  **Fake TeamViewer download ads distributing new ZLoader variant**
5.  **TeamViewer Abused to Obtain Remote Access, Deploy Ransomware**

Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at  https://openmeetings.apache.org/Clustering.html  doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

GHSA-mjf9-4pcv-vfg7: Apache OpenMeetings vulnerable to Deserialization of Untrusted Data 

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.

This issue affects Apache Airflow Fab Provider: before 1.5.2.

When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from [CVE-2023-40273](https://github.com/advisories/GHSA-pm87-24wq-r8w9) which was addressed in Apache-Airflow 2.7.0


Users are recommended to upgrade to version 1.5.2, which fixes the issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-45033

**Apache Airflow Fab Provider Insufficient Session Expiration vulnerability**

Low severity GitHub Reviewed Published Jan 8, 2025 to the GitHub Advisory Database • Updated Jan 8, 2025

**Package**

pip apache-airflow-providers-fab (pip)

**Affected versions**

< 1.5.2

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.

This issue affects Apache Airflow Fab Provider: before 1.5.2.

When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 which was addressed in Apache-Airflow 2.7.0

Users are recommended to upgrade to version 1.5.2, which fixes the issue.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-45033
*   apache/airflow#45139
*   https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st

Published to the GitHub Advisory Database

Jan 8, 2025

Tag

#web