PRESS RELEASE

WASHINGTON, Jan. 30, 2025 /PRNewswire/ -- DNSFilter announced today the release of its 2025 Annual Security Report, showcasing an uptick in malicious requests from 2023 to 2024. At internet scale, threats are relentless, but so is the right combination of intel and security strategy. Each malicious request blocked represents a real attack prevented, real harm avoided and real people and organizations protected.

The DNSFilter network processes about 170 billion DNS queries daily, 200 million of which are categorized as threats and blocked. These numbers represent phishing campaigns that never reached their targets, ransomware that never infiltrated networks and malware that never had the chance to spread.

Key findings from the report include:

*   One in every 174 requests is malicious: Most people make 5,000 DNS requests daily, which means a single person could encounter as many as 29 threat inquiries in a single day. This represents a significant increase from last year's findings, where one in every 1,000 queries was a threat.
    
*   AI domains increased by 15% but drove a significant amount of traffic: DNSFilter's researchers found that between October 2023 and September 2024, overall traffic to AI-related sites increased 786% and the number of individual AI domains rose 15%. This shows that a small number of domains account for a significant amount of traffic.
    
*   Phishing queries increased by 203%: While the relative distribution of threats remained consistent over time, phishing and malware inquiries increased (up 14%). This is in-line with a marked increase in ransomware seen across the industry.
    

Ken Carnesi, CEO and co-founder, DNSFilter, said: "Even as the threat landscape changes, our mission remains the same: to defend organizations and people from the worst of the internet. The data from our report makes it clear that DNS continues to be a critical threat gateway. It's also a reminder of the crucial role DNSFilter fills as a frontline defender on the DNS layer. We'll continue to improve, innovate and stand in the gap between our customers and the real-world harm bad actors are trying to cause."

About the company:

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the Internet safer and workplaces more productive by blocking threats at the DNS layer. DNSFilter resolves upwards of 170 billion daily queries. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world's fastest protective DNS powered by AI, blocking threats an average of 10 days faster than traditional threat feeds. Over 35 million users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats.

You May Also Like

DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

PRESS RELEASE

LONDON, UK – 30 January, 2025 – Cybersecurity leaders at large enterprises are planning to ramp up spending on cloud security in 2025 and want channel partners to help them maximise their return on investment, according to new research by Westcon-Comstor.

The global technology provider and specialist distributor surveyed 500 CISOs (Chief Information Security Officers) and other senior security executives at end-user organisations with at least 1,000 employees across five countries: France, Germany, Italy, UAE and the UK. 

Among the key findings is that 83% of security leaders intend to invest in Cloud-Native Application Protection Platform (CNAPP) and other cloud security technologies over the next 12 months. This propensity to invest was most pronounced in Italy and the UAE.

Across all geographic markets, the top three priority areas for investment are AI Security Posture Management (AI-SPM), Cloud Security Posture Management (CSPM) and Application Security Posture Management (ASPM).

This appetite to invest creates significant growth opportunities for channel partners in specific areas. 

The vast majority (95%) of those surveyed currently engage with channel partners, including resellers and managed security service providers, when procuring and deploying such solutions.

Training and enablement emerged as the most valued benefit from channel partners in the eyes of security leaders as they embrace CNAPP, with 40% singling this out as their main requirement – suggesting strong demand for knowledge-building support to maximise cloud security capabilities. 

A third (32%) highlighted cost-effective access to new solutions as the primary reason for engaging with channel partners, while 28% said what they value from partners above all else is assistance when navigating the cloud security market and identifying the best solutions. 

When asked about the main drivers of CNAPP adoption, security leaders emphasised the need to consolidate capabilities into a single unified platform, reducing the complexity and blind spots that come from using multiple cybersecurity vendors and tools.

Other motivating factors include the need to integrate security and compliance testing seamlessly, and a desire to unify risk visibility across cloud environments and the application development lifecycle.

Three quarters (75%) of security leaders agree on the need to adopt a DevSecOps approach to align with the ‘shift left’ trend that is seeing operational responsibilities shift toward developers and cloud architects.

Publication of the research comes as Westcon-Comstor announces its intention to establish a new X2C (everything to cloud) cybersecurity go-to-market in 2025, driving partner and vendor growth across the four pillars of code to cloud, infrastructure to cloud, data to cloud and identity to cloud.  

“CNAPP offers a holistic approach to securing cloud infrastructure, bringing together various security functions and capabilities in a single, unified platform to provide comprehensive security across the entire software development lifecycle, from code to cloud,” said Daniel Hurel, Senior Vice President, Westcon EMEA Cybersecurity & Next-Generation Solutions at Westcon-Comstor. “As the cloud security market continues to evolve, we’re seeing CNAPP become the go-to solution for securing cloud workloads. Our research suggests that this presents an opportunity for the IT channel, with particularly strong demand for training and enablement. Partners who establish themselves in this high-growth area stand to reap the rewards in 2025 and beyond.”

About Westcon-Comstor

Westcon-Comstor is a global technology provider and specialist distributor, operating in more than 50 countries. It delivers business value and opportunity by connecting the world’s leading IT vendors with a channel of technology resellers, systems integrators and service providers. It combines industry insight, technical know-how and more than 30 years of distribution experience to deliver value and accelerate vendor and partner business success. It goes to market through two lines of business: Westcon and Comstor.

EMEA CISOs Plan 2025 Cloud Security Investment

PRESS RELEASE

MONTREAL, January 29, 2025 (Newswire.com) - Flare, the global leader in Threat Exposure Management, has introduced Flare Academy, an educational hub featuring interactive online training offered free-of-charge to cybersecurity professionals.

Led by Flare's team of subject matter experts, Flare Academy offers a variety of online training modules on the latest cybersecurity threats to enhance the education and knowledge of cybersecurity practitioners. These sessions will highlight a variety of important topics, including investigation and intelligence gathering on cybercrime forums, techniques for deanonymizing threat actors, and ransomware analysis and infiltration.

Through interactive training sessions, security professionals can upgrade their skills and knowledge on a variety of cybercrime and cybersecurity topics, and earn CPE credits toward security certifications. And with the Flare Academy Discord Community, members can build relationships with other practitioners for continuous learning and engagement.

"Flare Academy will provide cybersecurity professionals with access to training, collaborative discussions, and cutting-edge resources," said Mathieu Lavoie, CTO & Research Team Lead at Flare. "We've launched this program with the goal of helping to empower security professionals with the training and information they need to stay ahead of threats and build a stronger, safer digital world."

A number of training modules are currently available for registration, including:

For more information about Flare Academy, and to register for upcoming modules, visit https://flare.io/trainings/.

About Flare

Flare is the leader in Threat Exposure Management, helping organizations of all sizes detect high-risk exposure found on the clear and dark web. Combining the industry's best cybercrime database with an incredibly intuitive user experience, Flare enables customers to reclaim the information advantage and get ahead of threat actors. For more information, visit https://flare.io.

You May Also Like

Interactive Online Training for Cybersecurity Professionals; Earn CPE Credits

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

Source: Tada Images via Shutterstock

Researchers at Anthropic, the company behind the Claude AI assistant, have developed an approach they believe provides a practical, scalable method to make it harder for malicious actors to jailbreak or bypass the built-in safety mechanisms of a range of large language models (LLMs).

The approach employs a set of natural language rules — or a "constitution" — to create categories of permitted and disallowed content in an AI model's input and output, and then uses synthetic data to train the model to recognize and apply those content classifiers.

**"Constitutional Classifiers" Anti-Jailbreak Technique**

In a technical paper released this week, the Anthropic researchers said their so-called Constitutional Classifiers approach was as effective against universal jailbreaks, withstanding more than 3,000 hours of human red-teaming by some 183 white-hat hackers through the HackerOne bug bounty program.

"These Constitutional Classifiers are input and output classifiers trained on synthetically generated data that filter the overwhelming majority of jailbreaks with minimal over-refusals and without incurring a large compute overhead," the researchers said in an related blog post. They have established a demo website where anyone with experience jailbreaking an LLM can try out their system for the next week (Feb. 3 to Feb. 10).

Related:AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

In the context of generative AI (GenAI) models, a jailbreak is any prompt or set of prompts that causes the model to bypass its built-in content filters, safety mechanisms, and ethical constraints. They typically involve a researcher — or a bad actor — crafting specific input sequences, using linguistic tricks and even role-playing scenarios to trick an AI model into escaping its protective guardrails and spewing out potentially dangerous, malicious, and incorrect content.

The most recent example involves researchers at Wallarm extracting secrets from DeepSeek, the Chinese generative AI tool that recently upended long held notions of just how much compute power is required to power an LLM. Since ChatGPT exploded on the scene in November 2022, there have been multiple other examples including one where researchers used one LLM to jailbreak a second, another involving the repetitive use of certain words to get an LLM to spill its training data and another through doctored images and audio.

**Balancing Effectiveness With Efficiency**

In developing the Constitutional Classifiers system, the researchers wanted to ensure a high rate of effectiveness against jailbreaking attempts without drastically impacting the ability for people to extract legitimate information from an AI model. One simplistic example was ensuring the model could distinguish between a prompt asking for a list of common medications or for explaining the properties of household chemicals versus a request on where to acquire a restricted chemical or purifying it. The researchers also wanted to ensure minimal additional computing overhead when using the classifiers.

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

In tests, researchers had a jailbreak success rate of 86% on a version of Claude with no defensive classifiers, compared to 4.4% on one using a Constitutional Classifier. According to the researchers, using the classifier increased refusal rates by less than 1% and compute costs by nearly 24% compared to the unguarded model.

**LLM Jailbreaks: A Major Threat**

Jailbreaks have emerged as a major consideration when it comes to making GenAI models with sophisticated scientific capabilities widely available. The concern is that it gives even an unskilled actor the opportunity to "uplift" their skills to expert-level capabilities. This can become an especially big problem when it comes to trying to jailbreak LLMs into divulging dangerous chemical, biological, radiological, or nuclear (CBRN) information, the Anthropic researchers noted.

Related:Code-Scanning Tool's License at Heart of Security Breakup

Their work focused on how to augment an LLM with classifiers that monitor an AI model's inputs and outputs and blocks potentially harmful content. Instead of using hard-coded static filtering, they wanted something that would have a more sophisticated understanding of a model's guardrails and act as a real-time filter when generating responses or receiving inputs. "This simple approach is highly effective: in over 3,000 hours of human red teaming on a classifier-guarded system, we observed no successful universal jailbreaks in our target...domain," the researchers wrote. The red-team tests involved the bug bounty hunters trying to obtain answers from Claude AI to a set of harmful questions involving CBRN risks, using thousands of known jailbreaking hacks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Everyone's all about working in the cloud, but what's happening with these folks? What are they doing, and what do they want? Send us a cybersecurity-related caption to describe the above scene. Our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 25, 2025, deadline:

*   Via social media: BlueSky (new!), Facebook, LinkedIn, and X.
    

If you win, we'll respond to you on the same platform, requesting your email address to send you the gift card.

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Trey Rose for sending us the winning caption for January's "Greetings and Salutations" Edge cartoon. Some noteworthy contenders included "I guess that’s one way to prove you’re not a robot," "I always thought man-in-the-middle was something else," and "This has got to be your worst attempt at a Trojan Horse yet." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: In the Cloud

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.

Source: CryptoFX via Alamy Stock Photo

NEWS BRIEF

Microsoft is notifying users that it will no longer support the Privacy Protection VPN feature within the Microsoft Defender app. The feature will be removed on Feb. 28.

Microsoft Defender checks files or apps downloaded and installed on a device for any malicious software, as well as runs scans of files already on a system. It works alongside third-party anti-malware solutions and is included as part of a Microsoft 365 Personal or Family subscription.

Microsoft plans to eliminate only the VPN feature and will still provide device protection, identity theft monitoring, and credit monitoring in the US.

The support update document announcing the change did not have a lot of detail but stated that removing the privacy protection benefit will allow the company to "invest in new areas that will better align to customer needs." The document also notes the company routinely evaluates the effectiveness of its features.

Though Windows, iOS, and macOS users won't have to take any action, Microsoft provided instructions for Android users to follow because the VPN profile must be removed from devices manually.

"Not removing the Defender VPN profile on your Android device will not cause any impact to your device but it's recommended to remove it as it won't be used by Defender to provide protection," Microsoft stated.

Android users can follow the steps below to remove their Defender VPN profiles:

3.  Users should see a "Microsoft Defender" VPN profile in the list of VPN profiles if they've onboarded to privacy protection.
    
4.  Click on the "Info" icon and remove the profile.
    

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Sets End Date for Defender VPN

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Source: ifeelstock via Alamy Stock Photo

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with care.

Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legit.

"The attack targeted developers, machine learning \[ML\] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems," the Positive Technologies researchers wrote in an analysis.

The account behind the attack, "bvk," was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both "deepseeek" and "deepseekai" drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.

The malicious PyPi packages have been deleted, but there's evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.

"Sometimes API keys aren’t leaked, they’re just plain stolen," Tim Erlin, vice president of product at Wallarm says. "This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPi package, it’s best to approach the task with a healthy dose of skepticism."

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.

"In their eagerness to leverage DeepSeek in their tasks, many developers missed the 'red flag' that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result," McGuire says.

Ironically given how advanced DeepSeek's capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.

"Typosquatting attacks are popular because they work," Kusari points out. "It's easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger."

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

**Adversaries Using AI to Write Code Faster Too**

In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.

"There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent," Wallarm's Erlin says.

Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.

"Developers, with malintent or not, are heavily invested in using AI to be more efficient." he adds. "AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general."

To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.

"This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting," Mallempati explains. "Double checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like Github dependabot to ensure they are not downloading malicious packages."

Related:Code-Scanning Tool's License at Heart of Security Breakup

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

Cybercriminals posted nearly 6,000 breaches to data-leak sites last year — and despite significant takedowns, they continued to thrive in a record-breaking year for ransomware.

Source: VectorFusionArt via Shutterstock

A surge in ransomware groups in 2024 left companies facing increased attacks, even as law enforcement ramped up investigations against well-known groups such as LockBit, and dismantled popular cybercriminal services, such as phishing-as-a-service provider LabHost and the encrypted messaging platform Ghost.

A pair of new studies outlines the state of play. Overall, more than 75 ransomware groups were actively compromising targets in 2024, compared to only 43 the prior year, according to a recent Rapid7 analysis. As a result, more than half of organizations suffered a successful attack, and the majority of those impacted shut down some operations leading to significant revenue loss, according to a large survey of IT and cybersecurity practitioners conducted by the Ponemon Institute.

As long as extortion continues to be profitable, organizations will have to contend with significant threats, says Trevor Dearing, director of critical infrastructure solutions at Illumio, a zero-trust security firm and sponsor of the Ponemon report.

"When some of those gangs were taken down, there was a dip in activity, but they get very quickly replaced, and that's the challenge," he says. "It's a battle that is is worth fighting and it does slow them down, but this is only part of the response we have to have."

Related:1-Click Phishing Campaign Targets High-Profile X Accounts

The pace of compromises appears to be only accelerating, with about 15% more ransomware attacks in 2024, compared to the previous year, according to data collected by both NCC Group and Rapid7. Their tallies differed slightly, but trended in the same direction. And last month, the number of successful attacks claimed by ransomware groups averaged 18 per day, up from less than 15 in December, according to Rapid7's data.

RansomHub, LockBit, and Play were the most prolific ransomware groups in 2024, as measured by the number of breach posts. Source: Author based on Rapid7 data

Overall, cybercriminals compromised nearly 6,000 victims, posting their information to public data-leak sites, with well-known ransomware groups — such as RansomHub, LockBit, and Play — making tens of millions of dollars each in ransom payments from victims, even as fewer victims paid lower average ransoms, the company found.

**Laying Down the Law on Cybercrime**

The ransomware gains came despite increased law enforcement activity. In September, European law enforcement disrupted the Ghost encrypted communications platform used by organized crime groups. In November, Canadian authorities arrested the hacker behind the compromise of 165 firms' Snowflake instances, who had demanded ransoms ranging from $300,000 to $5 million. And, in December, Israeli law enforcement arrested a 51-year-old LockBit developer in Israel.

Related:Can AI & the Cyber Trust Mark Rebuild Endpoint Confidence?

While law enforcement efforts are having an impact on cybercriminal operations, their efforts appear to be fracturing the ecosystem, as more groups and a greater number of providers offer cybercriminal services, says Christiaan Beek, senior director of threat analytics for Rapid7.

"Law enforcement is really fighting hard to take on the biggest groups \[that are causing businesses\] a lot of problems, and we highly applaud those initiatives," he says. "But the money is really attracting people, and especially if you are in certain countries where you're hard to catch or protected by the government ... then \[becoming a ransomware operator\] almost feels like a safe option."

**Paying Ransoms Is No Guarantee of Cyber Safety**

Estimates of the ransom amounts paid by companies varied significantly, with ransomware specialist Coveware estimating that the victims paid a median of $200,000 in Q3 2024, while a survey of more than 2,500 companies conducted by the Ponemon Institute estimated the average ransom demanded to be $1.2 million.

And those figures do not include investigation and clean up costs, Illumio's Dearing says.

"There was almost a doubling in the \[share of companies\] that lost significant revenue, and that reflects something that we're seeing across the board — both from financially motivated ransomware attackers, nation-states, or hacktivists — they are just trying to disrupt things," he says, adding, "Organizations need to think a lot more about incident response, about containing attacks, about trying to make sure that they actually stay in business if there's an attack."

Related:PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

The survey also found that paying a ransom rarely solves the problem of lost data nor ends the targeting by attackers. Half of all companies (51%) suffered a ransomware attack in 2024, but less than half received a decryption key, and the attacker demanded more money in a third of cases. In the end, only 13% of companies eventually recovered all of their data, according the Ponemon Institute report.

**Plan for Alternate Operations for Business Continuity**

Early detection and a plan to continue operations in the face of disruption matter most when it comes to minimizing the impact of a cyberattack. Of the companies that did not pay a ransom, nearly half had backups from which they could recover data, while a similar number deemed the data not important enough to pay the ransom.

In the best case scenario, companies can quickly move to cloud operations — or another plan for business continuity — giving them the best chance of recovering without drastic impacts, Rapid7's Beek says.

"We saw one company flip the switch, and suddenly the whole business was running on cloud resources while they were restoring the day-to-day operations," he says. "So the ransomware incident hardly impacted the business."

Companies that have a lack of visibility into — and a lack of security controls protecting — their networks face the most damaging disruption, says Illumio's Dearing.

"Things that allow lateral movement within organizations — like unpatched systems and weak passwords and open RDP ports — help attackers," he says. "So there's an amount of basics that companies need to take."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Groups Weathered Raids, Profited in 2024

In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.

Source: Ronstik via Alamy Stock Photo

An active, one-click phishing campaign is targeting the X accounts of high-profile individuals — including journalists, political figures, and even an X employee — to hijack and exploit them to commit cryptocurrency fraud.

Researchers at SentinelLabs uncovered the campaign, which they said appears to be most prominent on X but is not limited to a single social media platform, they revealed in a recent blog post. The goal of attackers is ultimately to use the potential reach of the high-impact accounts — which also include technology and cryptocurrency organizations as well as owners of accounts with valuable, short usernames — to target people with crypto scams for financial gain, the researchers said.

"Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme," SentinelLabs threat researchers Tom Hegel, Jim Walter, and Alex Delamotte wrote in the post.

Ultimately, this compromise of high-profile accounts — a tactic used before by cybercriminals, most notably in targeting celebrity Twitter accounts in 2020 — enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains, the researchers noted.

Related:Can AI & the Cyber Trust Mark Rebuild Endpoint Confidence?

Indeed, the campaign is also similar to one uncovered last year that compromised the Linux Tech Tips X account along with other high-profile users. The researchers discovered related infrastructure and similar phishing messages used in both campaigns, evidence that suggests the same threat actor is behind both, they said. However, at this time it's not known from which region of the world the actor hails, or who might be behind the campaign.

**Classic Fake Crypto Lures & Adaptable Infrastructure**

SentinelLabs observed a variety of phishing lures being used in the campaign, including a "classic account login notice" that targets people with an email informing them that someone logged into their account from a new device. The email includes a link suggesting they "take steps to protect" their account which actually leads to a site that phishes X credentials, according to the post.

Other email-based lures use copyright-violation themes to get users to click on a phishing page that ask them to enter their X credentials. In recent cases, the phishing page to which victims were redirected abused Google’s “AMP Cache” domain cdn.ampproject\[.\]org to evade common email detections, according to SentinelLabs.

Related:PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

Infrastructure used in the account suggests that the actor behind the campaign is "highly adaptable, continuously exploring new techniques while maintaining a clear financial motive," the researchers wrote.

Recent activity used the domain securelogins-x\[.\]com to deliver emails and x-recoverysupport\[.\]com to host phishing pages. As "any of these domains can be considered email delivery or phishing-page hosting," the activity indicates "a level of informality and flexibility of infrastructure use," the researchers observed.

Attackers also hosted a flurry of recent activity on an IP associated with a Belize-based VPS service called Dataclub. The domains associated with the campaign have been predominantly registered through Turkish hosting provider Turkticaret, but this alone is not enough to confirm that the attackers are from Turkey, the researchers added.

**Protect Your Corporate Social Accounts**

High-profile X accounts are often targets for threat actors because controlling them can help them reach a wider audience with fraudulent activity. Often this activity involves crypto scams aimed at financial fraud, such as a case last year in which security firm Mandiant temporarily lost control of its X account to cryptocurrency drainer malware operators.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

"The cryptocurrency landscape offers financially-motivated threat actors multiple opportunities for profit and fraud," the researchers noted in the post. "While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams."

To protect an X account, the researchers recommended the obvious: users should maintain good password hygiene by using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services.

People also should be especially wary of messages containing links to account alerts or security notices, and always verify URLs before clicking on them. If their accounts do need a password reset for security purposes, these should be initiated only directly through the official website or app rather than relying on unsolicited links, the researchers advised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

1-Click Phishing Campaign Targets High-Profile X Accounts

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and Informa

**TechTarget and Informa Tech’s Digital Business Combine.**

Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.

*   Home
*   Events
*   Black Hat USA

Black Hat USA

Aug 2, 2025 TO Aug 7, 2025

|

Mandalay Bay Convention Center, Las Vegas, USA

Ready to level up your cybersecurity knowledge? Join us at the industry’s top cybersecurity event, where professionals and hackers of all levels gather to learn the latest risks, research, and trends in information security. Black Hat USA features top cybersecurity experts from across the globe, delivering their cutting-edge work and discoveries in a welcoming, vendor-neutral atmosphere. Don't miss out on this must-attend event!

**Editor's Choice**

Reports

*   The State of Firewall Security: Challenges, Risks, and Solutions for Modern Networks
    
    Jan 10, 2025
*   Industrial Networks in the Age of Digitalization
    
    Jan 6, 2025
*   Zero-Trust Adoption Driven by Data Protection, Cloud Access Control, and Regulatory Compliance Requirements
    
    Jan 6, 2025
*   Threat Hunting's Evolution: From On-Premises to the Cloud
    
    Jan 6, 2025
*   How Enterprises Secure Their Applications
    
    Jan 6, 2025

Webinars

*   Uncovering Threats to Your Mainframe & How to Keep Host Access Secure
    
    Feb 13, 2025
*   Securing the Remote Workforce
    
    Feb 20, 2025
*   Emerging Technologies and Their Impact on CISO Strategies
    
    Feb 25, 2025
*   How CISOs Navigate the Regulatory and Compliance Maze
    
    Feb 26, 2025
*   Where Does Outsourcing Make Sense for Your Organization?
    
    Feb 27, 2025

White Papers

*   Driving the Future of Work Through Enterprise-Wide SASE
    
*   4 Best Practices for Hybrid Security Policy Management
    
*   Social Engineering: New Tricks, New Threats, New Defenses
    
*   Understanding Social Engineering Attacks and What To Do About Them
    
*   Solution Brief: Introducing the runZero Platform
    

Events

*   Black Hat USA - August 2-7 - Learn More
    
    Aug 2, 2025
*   Black Hat Asia - April 1-4 - Learn More
    
    Apr 1, 2025
*   Cybersecurity's Most Promising New and Emerging Technologies
    
    Mar 20, 2025

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Source

DARKReading