The security researcher who notified the media of the breach will be free from the city's lawsuit, but not without a caveat.

Source: Gregg Vignal via Alamy Stock Photo

The city of Columbus, Ohio, has come to a settlement with whistleblower David Leroy Ross, also known as Connor Goodwolf, after he alerted the local media of compromised personal information of the city's residents in a cyberattack.

The breach was discovered on July 18, when the city found that a foreign cyber-threat actor attempted to disrupt its IT infrastructure in a potential effort to install ransomware and demand a payment from the city.

The threat actors in question belonged to Rhysida ransomware gang, the information they managed to glean involving names, dates of birth, addresses, bank account information, driver's licenses, Social Security numbers, and other identifying information. This information was posted on the Dark Web, according to the notice of data breach letter that the city sent out to 500,000 victims whose information was compromised in the breach.

After learning of the disruption, Columbus' Department of Technology identified the threat and blocked unauthorized users from accessing its systems, launching an investigation into the matter. It also took the usual steps of engaging third-party cybersecurity experts to resolve the issue, as well as notifying law enforcement.

In August, the city sued independent security researcher David Ross, seeking damages greater than $25,000, as well as slamming him with an order to stop discussing the data leak. Now, nearly two months later, both sides have come to an agreement and the case will soon be dropped.

Goodwolf wanted a dismissal with prejudice, which means the city of Columbus cannot try him again for the same reason, and will have his wish be granted but with a catch: He had to agree to a permanent injunction in which he will only be allowed to publicly share data considered public record, and only with written approval from the city.

"It's good to see the city of Columbus dropping the case, partly in response to outcry from the security community back in July," Casey Ellis, founder and adviser at Bugcrowd, wrote in an emailed statement to Dark Reading. "This is another example of shooting the messenger, and the potential for this suit to have a chilling effect on others who'd do likewise in the interest of the public is something governments, agencies, and companies should be working hard to avoid."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

City of Columbus Drops Case on Cyberattack Whistleblower

The bug affected accounts with 52-character user names, and had several pre-conditions that needed to be met in order to be exploited.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Okta has addressed an authentication bypass bug that affects those with long usernames or employers with wordy domain names.

The security hole could have allowed cybercriminals to pass Okta AD/LDAP delegated authentication (DelAuth) using just a username. However, it could only be exploited if a series of conditions were met, one of those conditions being a username that had 52 characters or more.

Though unusual, some individuals opt to use their email addresses as their usernames, making the possibility of a 52-character username not entirely out of the question.

Other conditions that needed to be met were if the user previously authenticated, creating a cache of the authentication; and if the cache was used first, which could occur "if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic," according to the authentication company in its advisory of the flaw.

The vulnerability was discovered by Okta on Oct. 30, after lurking in the system for three months. While it has since been fixed, the company recommended that customers check their logs for any odd authentication attempts dating back to July 23.

Okta also recommended that customers implement multifactor authentication (MFA) at a minimum, as this was not applied as part of the exploitation preconditions.

It is unclear whether there were any in-the-wild exploitation attempts. Okta did not respond immediately to a request for comment from Dark Reading.

**About the Author**

Okta Fixes Auth Bypass Bug After 3-Month Lull

Companies are attaching the term "AI" to everything these days, but in cybersecurity, machine learning is more than hype.

Artificial intelligence and machine learning tools are gaining traction in enterprises, and the rate of adoption is particularly notable in cybersecurity operations, where these technologies are being used to improve enterprise security posture, according to Dark Reading’s latest research on enterprise cybersecurity.

Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity survey found that enterprises are using AI and ML in a range of cybersecurity technologies, such as firewalls, endpoint detection and response platforms, security information and event management systems, and network traffic analyzers. Antivirus/anti-malware was the only security technology enhanced with AI and ML that was used by more than half of the respondents (51%). This is not surprising, as back in 2017, practitioners were already beginning to implement AI/ML in corporate antivirus measures.

Cybersecurity professionals have to match the bad actors who are sourcing AI/ML technologies for their purposes. The arms race between CISOs and their adversaries may be driving adoption of tools with AI and ML capabilities in areas such as phishing detection (49%), threat detection and response (45%), and endpoint security (40%). One third of the AI/ML integration in real-world security teams comes in the form of malware analysis (38%), intrusion detection and prevention (35%), threat intelligence (35%), identity and access management (34%), network security/network traffic analysis (33%), vulnerability management (32%), and security information and event management (31%).

About a quarter of respondents mentioned using AI/ML in user behavior analytics/predictive analytics (27%), fraud detection (27%), automated security operations (26%), and automated incident response (25%). While that is still a sizeable chunk of companies, the slightly lower adoption rate suggests that this grouping represents developing features.

For more on the impact of AI/ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

Antivirus, Anti-Malware Lead Demand for AI/ML Tools

As businesses worry over deepfake scams and other AI attacks, organizations are adding guidance for cybersecurity teams on how to detect, and respond to, next-generation threats. That includes Exabeam, which was recently targeted by a deepfaked job candidate.

Source: Family Stock via Shutterstock

Deepfakes and other generative artificial intelligence (GenAI) attacks are becoming less rare, and signs are pointing to a coming onslaught of such attacks: Already, AI-generated text is becoming more common in emails, and security firms are finding ways to detect emails likely not created by humans. Human-written emails have declined to about 88% of all emails, while text attributed to large language models (LLMs) now accounts for about 12% of all email, up from around 7% in late 2022, according to one analysis.

To help organizations develop stronger defenses against AI-based attacks, the Top 10 for LLM Applications & Generative AI group within the Open Worldwide Application Security Project (OWASP) released a trio of guidance documents for security organizations on Oct. 31. To its previously released AI cybersecurity and governance checklist, the group added a guide for preparing for deepfake events, a framework to create AI security centers of excellence, and a curated database on AI security solutions.

While the previous Top 10 guide is useful for companies building models and creating their own AI services and product, the new guidance is aimed at the users of AI technology, says Scott Clinton, co-project lead at OWASP.

Those companies "want to be able to do AI safely with as much guidance as possible — they're going to do it anyway, because it's a competitive differentiator for the business," he says. "If their competitors are doing it, \[then\] they need to find a way to do it, do it better ... so security can't be a blocker, it can't be a barrier to that."

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

**One Security Vendor's Job Candidate Deepfake Attack**

In an example of the kinds of real-world attacks that are now happening, one job candidate at security vendor Exabeam had passed all the initial vetting and moved onto the final interview round. That's when Jodi Maas, GRC team lead at the company, recognized that something was wrong.

While the human resources group had flagged the initial interview for a new senior security analyst as "somewhat scripted," the actual interview started with normal greetings. Yet, it quickly became apparent that some form of digital trickery was in use. Background artifacts appeared, the female interviewee's mouth did not match the audio, and she hardly moved or expressed emotion, says Maas, who runs application security and governance, risk, and compliance within Exabeam's security operations center (SOC).

"It was very odd — just no smile, there was no personality at all, and we knew right away that it was not a fit, but we continued the interview, because \[the experience\] was very interesting," she says.

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

After the interview, Maas approached Exabeam's chief information security officer (CISO), Kevin Kirkwood, and they concluded it had been a deepfake based on similar video examples. The experience shook them enough that they decided the company needed better procedures in place to catch GenAI-based attacks, embarking on meetings with security staff and an internal presentation to employees.

"The fact that it got past our HR group was interesting. ... They passed them through because they had answered all the questions correctly," Kirkwood says.

After the deepfake interview, Exabeam's Kirkwood and Maas started revamping their processes, following up with their HR group, for example to let them know to expect more such attacks in the future. For now, the company advises its employees to treat video calls with suspicion. (Half-jokingly, Kirkwood requested this correspondent to turn on my video midway through the interview as proof of humanness. I did.)

"You're going to see this more often now, and you know these are the things you can check for, and these are the things that you will see in a deepfake," Kirkwood says.

Related:Okta Fixes Auth Bypass Bug After 3-Month Lull

**Technical Anti-Deepfake Solutions Are Needed**

Deepfake incidents are capturing the imagination — and fear — of IT professionals, with about half (48%) very concerned over deepfakes at present, and 74% believing deepfakes will pose a significant future threat, according to a survey conducted by email security firm Ironscales.

The trajectory of deepfakes is quite easy to predict — even if they are not good enough to fool most people today, they will be in the future, says Eyal Benishti, founder and CEO of Ironscales. That means that human training will likely only go so far. AI videos are getting eerily realistic, and a fully digital twin of another person controlled in real time by an attacker — a true "sock puppet" — is likely not far behind.

"Companies want to try and figure out how they get ready for deepfakes," he says. "The are realizing that this type of communication cannot be fully trusted moving forward, which ... will take people some time to realize and adjust."

In the future, since the telltale artifacts will be gone, better defenses are necessary, Exabeam's Kirkwood says.

"Worst case scenario: The technology gets so good that you're playing a tennis match — you know, the detection gets better, the deepfake gets better, the detection gets better, and so on," he says. "I'm waiting for the technology pieces to catch up, so I can actually plug it into my SIEM and flag the elements associated with deepfake."

OWASP's Clinton agrees. Rather focus on training humans to detect suspect video chats, companies should create infrastructures for authenticating that a chat is with a human who is also an employee, building processes around financial transactions, and creating an incident-response plan, he says.

"Training people on how to identify deepfakes — that's not really practical, because it's all subjective," Clinton says. "I think there have to be more unsubjective approaches, and so we went through and came up with some tangible steps that you can use, which are combinations of technologies and process to really focus on a few areas."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

OWASP Beefs Up GenAI Security Guidance Amid Growing Deepfakes

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams.

In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s _Technology Review_ website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today.

Intel Broker, notorious for **recent attacks on high-profile organizations**, alleges that the data includes Personally Identifiable Information. Hackread.com analyzed the leaked data and can confirm it includes personal details, which, while not as sensitive as financial data, could be leveraged in phishing attempts or targeted scams. Here is what the hacker has leaked:

*   **Full names**
*   **Dates of activity**
*   **Educational details**
*   **Email addresses (3,924 – After removal of duplicates: 1,343)**

Screenshot from the leaked data (Credit: Hackread.com)

Though the leak does not appear to contain highly sensitive information like passwords, social security numbers or financial data, the compromised data is still a privacy risk, as it could be exploited for phishing scams or identity verification attacks.

It is worth noting that this is not the first time Intel Broker has targeted a technology publication. In June 2024, an affiliate of Intel Broker **breached the “Tech in Asia” news outlet**, leaking the personal data of 221,470 users.

MIT Technology Review, an esteemed publication from the Massachusetts Institute of Technology, is known for its analysis of emerging technologies and their impact on society. This data breach potentially exposes readers and contributors who engaged with the platform, a situation that may lead to reputational challenges for the publication, as well as privacy concerns for its user base.

**Recent Activity of Intel Broker**

The alleged breach of Technology Review comes on the heels of another claim by Intel Broker, who recently advertised the sale of **sensitive internal data from Nokia** on the same forum, allegedly obtained through a similar contractor vulnerability. In the Nokia case, the hacker reportedly set a price of $20,000 for access to the stolen data, which included SSH keys, source code, and login credentials.

**Privacy Implications and MIT’s Response**

With names, email addresses, and activity data accessible, cybercriminals may use this information to craft sophisticated schemes aimed at those connected with the platform. Hackread.com has reached out to MIT’s Technology Review for a response regarding the data breach. Updates will be provided as more information becomes available. Stay tuned.

1.  **US Microchip Giant Cyberattack Disrupts Operations**
2.  **Hacker IntelBroker Leaks Sensitive US DoD Documents**
3.  **IntelBroker Apple Breach: Steals Source Code for Internal Tools**
4.  **AMD Data Breach: IntelBroker Steals Employee and Product Info**
5.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**

Hackers Leak 300,000 MIT Technology Review Magazine User Records

An issue in the `createTempFile` method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-r7mv-mv7m-pjw3: hornetq vulnerable to file overwrite, sensitive information disclosure

This week on the Lock and Code podcast, we speak with Cait Conley about CISA's election security measures and why your vote can't be hacked.

_This week on the Lock and Code podcast…_

The US presidential election is upon the American public, and with it come fears of “election interference.”

But “election interference” is a broad term. It can mean the now-regular and expected foreign disinformation campaigns that are launched to sow political discord or to erode trust in American democracy. It can include domestic campaigns to disenfranchise voters in battleground states. And it can include the upsetting and increasing threats made to election officials and volunteers across the country.

But there’s an even broader category of election interference that is of particular interest to this podcast, and that’s cybersecurity.

Elections in the United States rely on a dizzying number of technologies. There are the voting machines themselves, there are electronic pollbooks that check voters in, there are optical scanners that tabulate the votes that the American public actually make when filling in an oval bubble with pen, or connecting an arrow with a solid line. And none of that is to mention the infrastructure that campaigns rely on every day to get information out—across websites, through emails, in text messages, and more.

That interlocking complexity is only multiplied when you remember that each, individual state has its own way of complying with the Federal government’s rules and standards for running an election. As Cait Conley, Senior Advisor to the Director of the US Cybersecurity and Infrastructure Security Agency (CISA) explains in today’s episode:

“There’s a common saying in the election space: If you’ve seen one state’s election, you’ve seen one state’s election.”

How, then, are elections secured in the United States, and what threats does CISA defend against?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Conley about how CISA prepares and trains election officials and volunteers before the big day, whether or not an American’s vote can be “hacked,” and what the country is facing in the final days before an election, particularly from foreign adversaries that want to destabilize American trust.

>  ”There’s a pretty good chance that you’re going to see Russia, Iran, or China try to claim that a distributed denial of service attack or a ransomware attack against a county is somehow going to impact the security or integrity of your vote. And it’s not true.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Why your vote can&#8217;t be &#8220;hacked,&#8221; with Cait Conley of CISA (Lock and Code S05E23) 

A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher...

A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher who told the public about the attack—has received a little more detail from an unexpected source: The Attorney General for the state of Maine.

In a data breach notification filed by the Attorney General for the state of Maine, the cybersecurity incident that affected Columbus, Ohio impacted half a million people.

The City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about victims that are unwilling to pay.

On September 12, 2024, the city of Columbus issued a notice of breach that was sent to its clients. The notice reads:

> “On July 18, 2024, the city discovered that it had experienced a cybersecurity incident in which a foreign cyber threat actor attempted to disrupt the City’s IT infrastructure, in a possible effort to deploy ransomware and solicit a ransom payment from the City.”

Until now, though, the public at large did not know how many people were affected by the attack. Because of the data breach notification from Maine’s Attorney General, that number now has a little more clarity.

During the incident, the cybercriminals may have gained access which included data in connection to the Columbus City Auditor.

The City Auditor’s Office examines City operations to identify an opportunity to reduce costs, increase efficiency, quality and effectiveness, or otherwise improve management of a city function, program, service or policy.

According to the official statement, the ransomware group was also able to view and access certain sensitive personal information, which may have included first and last name, date of birth, address, bank account information, City employee account number and position, City employment and payroll records, Social Security Number (SSN), and other identifying information.

Later, a security researcher disclosed information about the content of the stolen data with the media. From what the researcher shared it became clear that the data contained unencrypted personal information not only of city employees but also residents.

At which point the City of Columbus decided to sue the researcher for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. With half a million affected people, it like safe to say the attack did not just impact City employees.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 City of Columbus breach affects around half a million citizens 

If you searched for your bank's login page via Bing recently, you may have visited a fraudulent website enabling criminals to get your credentials and even your two-factor security code.

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. We have reported the fraudulent sites to Microsoft already.

While Microsoft’s Bing only has about 4% of the search engine market share, crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one.

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication.

**Bing search engine poisoning**

We first noticed a phishing campaign coming from Bing’s search engine and targeting Keybank customers on November 29. A malicious link is displayed as the first result and pretends to be Keybank’s login page.

The domain name used is _ixx-kexxx\[.\]com_ which was registered on November 15. Given that it is only two weeks old and yet came up before _ibx.key.com_ (the real website), we surmise that the attackers are abusing Bing’s search algorithms.

**Indexing and cloaking in one go**

Upon clicking on the link, users are redirected to a friendly and helpful website before getting redirected again to the actual phishing page. However, we need to pause right here in order to see a couple of “blackhat” techniques.

That first page is only meant for crawlers and scanners (and users who aren’t of interest) which will both scrape the content and index it, as well as see that the page is clean. This technique is fairly common, and we actually see similar examples with ad fraud. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Actual victims do not get to see that page because they are immediately redirected to another website, this time completely malicious. The redirect happens server-side based on user attributes such as their browser profile, IP address and others.

That page uses the official branding and is a login portal for KeyBank. Once a victim types their user ID and password, criminals will receive the data immediately. Note that the phishing site is using https, which means strictly nothing here (the information will be encrypted while in transit but received in clear text by the recipient).

**Bypassing multi factor authentication**

In some phishing campaigns, criminals are notified in real time when a new victim attempts to login into their fraudulent page. One thing we noticed on the phishing page after the first screen, was a message claiming that the internet connection was poor. This is a disguise for what’s happening behind the scenes:

It’s often necessary for criminals to get past a few hurdles first. They need to login from the same location as the victim (their fake site gives them the IP address and they can use a proxy) and they may need to get through multi-factor authentication. Sometimes, the easiest thing to do is simply to ask for it.

Multi-factor authentication is still highly recommended, but users should be aware that criminals can directly ask for verification codes while pretending to be the real bank. We should also note that SMS verification is one of the weakest methods for two-factor authentication.

Security questions (usually 3 of them) are also used to either reset a password or for some other verification purpose (maybe a login from a new browser or location). This phishing kit also asks the victims to enter that information:

**Conclusion**

Phishing is one of the biggest threats consumers face every day. Malicious links can be sent to them via email, text message, social media or they may simply come across them via a search engine.

In this particular example, Bing was tricked into indexing a website that looked legitimate but turned out to be a gateway to a phishing portal. As the domain name was unknown to Microsoft at the time, it failed to protect users.

We highly recommend anyone to adopt more phishing-proof ways to login into important websites. Passkeys come to mind immediately since they do not involve passwords at all. In other words, if you don’t need to type a password… there’s no password to steal.

Unfortunately, not all websites offer the latest technologies to protect their customers. While it is important to add a second factor for authentication, you may want to upgrade to an Authenticator app, instead of the less trustworthy SMS verification. Perhaps the most important thing to remember is that criminals can also try to request those one-time codes from you and you should always be extremely vigilant before entering them in any online website (or replying to an unknown text).

Malwarebytes Browser Guard already protected users from this phishing campaign without having seen the malicious websites before. This is because of the built-in anti-phishing heuristic rules which intercept the connection and display a warning message:

If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites).

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Indicators of Compromise**

Cloaking domains

ixx-kexxx\[.\]com

Phishing domains

xxx-ii-news\[.\]net  
xxx-ii-news\[.\]com  
ixxx-blognew\[.\]com  
xxx-ii-news\[.\]net  
new-bllog-i\[.\]com  
info-blog-news\[.\]com  
xv-bloging-info\[.\]com  
xxx-new-videos\[.\]com

Hosting server

200.107.207\[.\]232

 Crooks bank on Microsoft&#8217;s search engine to phish customers 

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.

Latest News