By Waqas
All infected websites are using the WordPress CMS.
This is a post from HackRead.com Read the original post: Adsense abused: 11,000 sites hacked in a backdoor attack

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

Sucuri researchers have reported a backdoor that has successfully infected around 11,000 websites in recent months. Here are the details shared by Sucuri in its technical report.

It is a fact that, lately, several Google products have been exploited and abused to spread malware and other malicious components, including **Google Ads**, **Google Home**, and **Google Drive**.

In fact, **a study revealed** that Google Drive accounted for 50% of malicious Office document downloads in 2022.

**Backdoor Redirecting Visitors to Hacked Sites**

According to Sucuri’s research, the backdoor redirects users to sites that show fraudulent views of **Google AdSense ads**. The company’s SiteCheck remote scanner has detected more than 10,890 infected sites. The activity has further intensified recently, with 70 new malicious domains disguised as legitimate in 2023 and 2,600 infected sites discovered on the web.

All the infected websites detected by Sucuri were using **WordPress CMS**. These had an obfuscated PHP script injected into the legitimate files on the websites, such as index.php, wp-activate.php, wp-signup.php, and wp-cron.php, etc.

**How Does the Attack Work?**

In the past two months, Sucuri researchers have identified over 75 pseudo-short URL domains linked with redirected traffic. It must be noted that almost all of the malicious URLs appear to belong to the same **URL-shortening service**. Some even mimic the names of popular shortening services, such as Bitly.

The visitors are redirected to a range of low-quality websites developed on the Question2Answer CMS, and the discussion topics are mostly related to cryptocurrency or **blockchain**.

Researchers believe it could be intentional to advertise new cryptocurrencies in a pump-and-dump, ICO fraud. However, researchers are certain that the primary objective of this ad fraud is to inorganically increase traffic to sites that contain the AdSense ID so that **Google ads** can be displayed for revenue generation.

Image source: Sucuri

**How does It Evade Detection?**

Some of these malicious sites also inject obfuscated code into “wp-blog-header.php.” This code works as a backdoor to ensure the malware evades disinfection attempts. It performs this by loading itself into files that run as soon as the targeted server is restarted.

“Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

The malware hides its presence by suspending redirections when a visitor logs in as an administrator or visits an infected site within 2 to 6 hours. The malicious code is hidden using Base64 encoding.

**How URL Shorteners Abused in the Attack?**

When the user enters any domain names in their browser, they are redirected to a real URL shortening service, e.g., Cuttly or Bitly, but these are not genuine public URL shorteners. Each domain has a few working URLs that redirect visitors to spammy Q&A sites featuring AdSense monetization.

In a **blog post**, Sucuri researcher Ben Martin stated that the “backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestacklive and place them in files with random names in wp-includes, wp-admin, and wp-content directories.”

The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.

“At this point, we haven’t noticed malicious behaviour on these landing pages. However, at any given time, site operators may arbitrarily add malware or start redirecting traffic to other third-party websites,” researchers noted.

1.  **Google Docs exploit to spread phishing** **links**
2.  **Google, Microsoft and Oracle generated most flaws**
3.  **Malware-infected Minecraft modpacks hit Play Store**
4.  **Ad-blocker extension injected ads in Google searches**
5.  **Fake Brave browser site drops malware from Google Ads**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Adsense abused: 11,000 sites hacked in a backdoor attack

By Deeba Ahmed
Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. 
This is a post from HackRead.com Read the original post: Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys

ReversingLabs has published an advisory to share details of a **malicious package** discovered in the PyPI (Python Package Index) while performing a routine inspection of open-source repositories.

Researchers Lucija Valentic and Karlo Zanki noted that the malicious package, dubbed Aabquerys, was discovered in the open-source **JavaScript NPM repository** and can download second and third-stage malware payloads onto infected systems.

**Typosquatting – A Growing Threat**

Aabquerys use the **typosquatting technique** to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. The malicious package contained two files, one of which was obfuscated through a JavaScript obfuscator.

_Since you are here, remember _“_**it’s Google.com, not ɢoogle.com**.”_

“In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a file with clearly malicious behaviour,” the **advisory/blog post** read.

Valentic and Zanki assert that it is a critical issue since open-source codes are viewable by everyone, so it is essential to investigate the attempt to disguise or hide such functionality on an open-source module.

**Aabquerys Package Analysis**

Aabquerys could download second and third-stage malware payloads onto infected devices from a remote server. It also contains an Avast proxy binary (wscproxy.exe) vulnerable to DLL sideloading attacks.

The third stage payload is identified as Demon.bin, which boasts conventional RAT functionalities generated using a post-exploitation, open-source C2 framework called **Havoc**, authored by C5pider.

Infection chain

A concerning issue is that the author of Aabquerys has published various versions of Aabquerys, namely aabquery and nvm jquery, which could be earlier versions of Aabquerys.

After its discovery, the Aabquerys package was promptly removed from the **NPM repository**. Nevertheless, the findings highlight the growing threat of malicious packages hidden in open-source repositories like PyPI, GitHub, and NPM that can have lasting adverse consequences for the software supply chain.

1.  **Typosquatting: 700 libraries in Ruby repository trojanized**
2.  **Typosquatting: Malicious packages swap out crypto addresses**
3.  **Typosquatting: Official Python repositories plagued with malware**

Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys

By Deeba Ahmed
An APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
This is a post from HackRead.com Read the original post: Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

However, the APT group has failed to cause any harm to the Singapore-based cybersecurity giant.

An advanced persistent threat (**APT**) group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time. This attempt has also failed. The attack occurred in June 2022, whereas the first one occurred in March 2021.

**Incident Details**

According to Group-IB, they detected and blocked **malicious phishing emails** that targeted their employees. Group-IB’s team detected malicious activity on June 20, 2022, and its XDR solution triggered an alert after blocking the emails sent to two of its employees.

Screenshot of the alerts in Group IB- Managed XDR

Further **investigation** revealed that the Tonto Team threat actors posed as an employee from a legitimate firm and used a fake email created with a free email service called GMX Mail. The phishing emails were the initial phase of the attack. Attackers used them to deliver malicious MS Office documents created using the **Royal Road Weaponizer**.

Moreover, the actors used their own developed Bisonal.DoubleT backdoor, along with a new downloader that Group-IB researchers named TontoTeam.Downloader (aka QuickMute).

**How Did the Attack Occur?**

Attackers created a Rich Text Format (RTF) file with the Royal RTF Weaponizer. It is worth noting that this weaponizer is mainly used by **Chinese APT** (Advanced Persistent Threat) groups.

The file allowed attackers to create malicious RTF exploits with decoy content for Microsoft Equation Editor vulnerabilities tracked as **CVE-2017-11882**, **CVE-2018-0802**, and **CVE-2018-0798**. The decrypted payload, a malicious PE32 format EXE file, could be classified as a Bisonal DoubleT backdoor.

**Bisonal. Backdoor FunctionalitiesDoubleT**

Static analysis of the Bisonal.DoubleT sample was conducted and compared with its old version discovered in 2020. Similar strings were identified, and researchers also detected traces of a C2 server communication.

Additionally, they conducted a dynamic comparison analysis of the sample from 2022 and other samples of the same malware family. Researchers concluded that this backdoor could collect information about the compromised host, such as the proxy server address, system language encoding, the account name for the file currently running, hostname, time since system boot, and local IP address.

It encourages remote access to a compromised device, and the attacker can easily execute various commands. It can stop a specified process, obtain a list of processes, download files from the control server and run them, and create a file on the disk using the local language encoding.

**Tracking the Tonto Team**

The Tonto Team is also referred to as Karma Panda, HeartBeatm, Bronze Huntley, CactusPete, and Earth Akhlut. It is a cyberespionage group, possibly from China.

This APT group has mainly targeted military, government, finance, energy, education, technology, and healthcare organizations since 2009. Initially, it targeted companies in South Korea, Taiwan, and Japan and later expanded its operations to the USA.

The group frequently used **spear-phishing attacks** and delivered malicious attachments created using the RTF exploitation toolkit to drop backdoors, such as ShadowPad, Dexbia, and Bisonal.

1.  **Leading Cybersecurity Firm Kaspersky Hacked**
2.  **Google buys cybersecurity firm Mandiant for $5b**
3.  **Cybersecurity firm exposes 5B data breach records**
4.  **User data stolen in Stormshield cybersecurity breach**
5.  **Cybersecurity firm CloudSEK blames rival over breach**

Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

By Deeba Ahmed
Namecheap users should remain cautious, as hackers are using its inbox to scam users through phishing emails designed…
This is a post from HackRead.com Read the original post: Hackers Aim at Crypto Wallets with Hacked Namecheap Phishing Emails

Namecheap users should remain cautious, as hackers are using its inbox to scam users through phishing emails designed to appear as if they were sent from DHL or MetaMask cryptocurrency hot wallet.

For your information, **Namecheap** is a popular domain name registrar with more than 15 million domains issued thus far.

According to the company, the incident may have occurred due to a supplier-related issue. Namecheap released its official statement regarding the hack on Sunday, confirming that its upstream system was abused to send out malicious emails.

This means a third party is involved in “mailing unsolicited emails to our clients.” “As a result, some unauthorized emails might have been received by you,” the statement **read**.

The DHL emails inform the recipient that they need to pay a delivery fee for receiving their parcel, whereas the **MetaMask email urges** the recipient to complete the Know-Your-Customer (**KYC**) process. The email then warns victims that if the due process is not completed, they may lose access to their wallets.

Screenshot of the phishing email shared by a Twitter user @h4x0r\_dz

MetaMask **took to Twitter** to ensure that it doesn’t collect KYC information and would never send an email to get details of its users’ accounts. Hence, the company suggested that users shouldn’t enter the Secret Recovery Phrase on any website server and ignore any emails from Namecheap or MetaMask.

Namecheap assured its customers that its internal systems weren’t breached and that their personal information and account-related data were secure. However, the company has urged customers to avoid clicking on any links.

The company stated that it has temporarily suspended all emails. This includes emails delivering authentication codes, password resetting, and verifying trusted devices.

“We are glad to let you know that the mail delivery has been restored, so you should receive emails from Namecheap as usual from now on,” Namecheap CEO, Richard Kirkendall, confirmed. However, the CEO didn’t name the upstream system that was compromised. 

Speculation is rife that it could be SendGrid’s email delivery service. However, it is worth noting that the third party has denied being compromised. Twilio, which owns SendGrid and **got hacked last year**, said that the incident isn’t a result of a compromise of the Twilio network, but they are investigating it and will provide additional details over time.

1.  **PayPal Notifies 35,000 Users of Data Breach**
2.  **Geo Targetly URL Shortener Abused in Phishing Scam**
3.  **Reddit Hacked After Employee Bites on Phishing Scam**
4.  **Sophisticated SMS Phishing scam Dupes Zendesk Staff**
5.  **Scammers Using Microsoft Team GIFs in Phishing Scam**

Hackers Aim at Crypto Wallets with Hacked Namecheap Phishing Emails

By Habiba Rashid
The Trickbot botnet was dismantled in 2019, but its use by ransomware gangs evolved over the years.
This is a post from HackRead.com Read the original post: Trickbot Hacking Group Jointly Sanctioned By the US and Britain

The US and Britain have sanctioned seven members of the notorious Trickbot gang, which, according to authorities, is based in Russia.

The Trickbot ransomware bot **was dismantled** by cybersecurity companies in 2022, but somehow it managed to re-emerge. Now, the United States and the United Kingdom have come together for historic joint cyber sanctions against seven members of the notorious Russian hacking group known as **Trickbot**, officials announced on Friday.

These sanctions are the first for the UK, with officials stating that it was just the first wave of new, coordinated action against cyber criminals.

Malicious emails used in one of the Trickbot attacks

“The United States is taking action today in partnership with the United Kingdom because international cooperation is key to addressing Russian cybercrime,” U.S. Secretary of State Antony Blinken said in a statement on February 9th, 2023.

It is worth noting that, despite Trickbot’s absence in the past couple of years, the individuals behind it remain active and coordinate other attacks. According to experts, Trickbot’s operations were taken over by another ransomware gang known as **Conti**. The group was first identified in the latter half of December 2019 using TrickBot to drop its payload.

U.S. and British authorities have accused Trickbot and Conti of being associated with Russian intelligence services. Not only that, but the **leak of Conti gang chats** also revealed its soft corner for Russia. Additionally, Conti declared its support for Russia soon after the country sent its troops to Ukraine on February 28th,2022.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centres, launching a wave of ransomware attacks against hospitals across the United States,” read the **announcement** by the U.S. Department of the Treasury. 

Along with other major ransomware attacks **orchestrated by the Trickbot gang**, the press release gives details, including their names, involvement with the Trickbot gang, and online monikers, regarding the seven individuals designated by the U.S. 

1.  **Emotet reemerged with botnet via Trickbot**
2.  **TrickBot crashes devices to evade analysis**
3.  **BLM movement exploited to spread Trickbot**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Trickbot Hacking Group Jointly Sanctioned By the US and Britain

By Waqas
The hackers disrupted the State TV broadcast and instead aired the slogan “Death to Khamenei” and urged people to withdraw their money from government banks. 
This is a post from HackRead.com Read the original post: Iranian State TV Hacked During President’s Speech on Revolution Day

The Ali’s Justice (Edalat-e Ali) hacker group has claimed responsibility for hacking the live transmission of an Iranian state-run TV and radio station to disrupt and deface the speech of Iranian president Ebrahim Raisi during the Revolution Day ceremonies.

On February 11th, 2023, the President of **Iran**, Ebrahim Raisi, was delivering a speech at Azadi Square in Tehran, where a massive crowd had gathered to mark the country’s 44th anniversary. It was an opportunity for the government to show its popularity, but its efforts were sabotaged by the hacktivist collective Ali’s Justice (Edalat-e Ali).

The hackers disrupted the State TV broadcast and instead aired the slogan “Death to Khamenei” and urged people to withdraw their money from government banks. Furthermore, they encouraged the citizens to participate in antigovernment protests, due to be held on February 16th, 2023.

Watch as hackers from the Edalat-e Ali group interrupt the live transmission.

The cyberattack was also **confirmed** by Germany-based Iranian journalist Bamdad Esmaili on his Twitter account. On the other hand, the Edalat-e Ali group used its Telegram channel to announce the hack. In a statement seen by Hackread.com, the group claimed responsibility for hacking TV and radio transmissions.

> “We the Adalat Ali group hacked the Islamic Republic of Iran’s TV and Radio transmission. First of all, the Adalat Ali group offers its condolences to the entire freedom-loving nation on the decade of dawn and the impure arrival of Khomeini the executioner to Iran.”
> 
> Edalat-e Ali

**Who are Edalat-e Ali Hackers?**

It is worth noting that Edalat-e Ali is a prominent group of hacktivists who have been working against the Iranian government for the past few years. Some of their recent hacks have involved the interruption of Iran State-Run TV’s live transmission **in October 2022**.

**In August 2021**, the same group breached the computer system and security cameras at a prison facility in northern Tehran, resulting in the leaking of live footage of the grim conditions and grave human rights abuses taking place inside.

**Iran, Protests, Hackers and Hacktivists**

Iran has been rattled by cyberattacks since September 2022, when **Anonymous hacktivists launched Operation OpIran** to support Iranians protesting against the death of 22-year-old Kurdish-Iranian Masha Amini.

Amini died while under detention by Tehran’s morality police, called the Guidance Patrol. She was arrested for wearing her hijab improperly.

Amini’s death sparked clashes between authorities and protestors, resulting in arrests and deaths. The latest hack from the Edalat-e Ali group was also part of its support for the protestors in Iran.

Nevertheless, the Iranian government vows to tackle protesters, while hacktivists from different parts of the world aim at the country’s critical infrastructure.

1.  **Iran’s protest detainees hit by spyware**
2.  **Iran’s Fars News Agency website hacked**
3.  **Iran’s atomic energy agency emails stolen**
4.  **Hackers turn to Dark Web to help Iranians**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Iranian State TV Hacked During President’s Speech on Revolution Day

By Waqas
Gustaffo Digital Service GmbH has been leaking personal and contact details of its customers since last month.
This is a post from HackRead.com Read the original post: Austrian ‘mobile concierge’ app Gustaffo leaking 100k customers’ data

Gustaffo was alerted about the data leak last week, but the company did not respond. Meanwhile, the misconfigured database is being updated with new and fresh customer data each day.

Austria, Vienna-based digital hospitality company Gustaffo has been caught in a data leak which saw over 100,000 customer records exposed. The cause of the data leak is its misconfigured database which is publically available without any password or security authentication.

What’s worse, the server is still live, and at the time of writing, new details of customers were being uploaded, including the following information:

1.  Full name
2.  Mobile numbers
3.  Email Addresses
4.  Booking Details
5.  Booking Links and information

Data that is being currently leaked and increasing

**So What is Gustaffo?**

According to this **press release**, Gustaffo was launched in 2016 and had 30 hotels in eight countries using the service. Its first customer was Austria’s largest hotel management company, Vienna House.

A look at Gustaffo’s **LinkedIn page** explains how the company functions and what services it offers. The company states it provides a “secure” and contactless Digital Guest Journey to Hotels and Hotel Groups.

“From the Check-In online to services during the stay including elevator and room access via the mobile app, and furthermore with Payment and Check-Out never having to go to the reception Via a white-labelled mobile app integrated with all major Property Management Systems your guests can directly access their assigned room via the mobile app instead of the usual key card,” says the About Us section of the company’s LinkedIn page.

Gustaffo was alerted to the security incident last week; however, there has been no response whatsoever, risking the personal details of unsuspecting customers at risk. This was revealed to Hackread.com by independent security researcher **Anurag Sen** working along with Hieu Minh, a Vietnamese researcher from **Chongluadao**.

It is worth noting that the researchers discovered the misconfigured cloud database on Shodan while searching for misconfigured cloud databases. For your information, **Shodan is an OSINT tool** and a specialized search engine used by cybersecurity researchers to locate vulnerable Internet of Things (IoT) devices, including servers and misconfigured databases on the internet.

Since Gustaffo has not responded to researchers nor have they secured the data, chances are that the company is completely unaware of the issue. Not only is it bad news for customers, but for Gustaffo itself, as the General Data Protection Regulation **(GDPR) is directly effective** in every country that is part of the European Union, including Austria.

In September 2021, the Austrian Data Protection Authority Österreichische Datenschutzbehörde **issued** a €9 million ($9.6 million) fine to the Austrian Post for violations of GDPR. This fine was among the largest fines ever imposed under the GDPR and served as an example of how seriously the law takes data privacy.

However, the fine was overturned by the Federal Administrative Court on December 2nd, 2020. Nevertheless, this fine was among the largest fines ever imposed under **the GDPR** and served as an example of how seriously the law takes data privacy.

While it’s unclear whether any malicious actors accessed the data or not, researchers are warning customers of Gustaffo to be on their guard against potential **phishing attempts** or identity theft scams.

**Misconfigured Databases – Threat to Privacy**

As we know, misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. **In 2020**, researchers identified over 10,000 unsecured databases that exposed more than 10 billion (10,463,315,645) records to public access without any security authentication.

**In 2021**, the number of exposed databases increased to 399,200. The top 10 countries with the most database leaks due to misconfiguration in 2021 included the following:

*   USA – 93,685 databases
*   China – 54,764 databases
*   Germany – 11,177 databases
*   France – 9,723 databases
*   India – 6,545 databases
*   Singapore – 5,882 databases
*   Hong Kong – 5,563 databases
*   Russia – 5,493 databases
*   Japan – 4,427 databases
*   Italy – 4,242 databases

1.  **579 GB of users website activity leaked in server messup**
2.  **Misconfigured AWS bucket leaked 350m email addresses**
3.  **Misconfigured baby monitors exposing video stream online**
4.  **Microsoft Power apps misconfiguration leaked 38m records**
5.  **Misconfigured backup leaked 50.5m GOMO Mobile user data**

****

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Austrian ‘mobile concierge’ app Gustaffo leaking 100k customers’ data

By Deeba Ahmed
Threat actors are targeting unsuspecting users with tailored phishing scam attacks based on victims' location, making it more convincing than ever.
This is a post from HackRead.com Read the original post: Geo Targetly URL Shortener Abused in Phishing Scam

Geo Targetly is a legitimate online service that offers its own URL shortening service, similar to Bitly, called Geo Link.

Researchers at Check Point Software Company’s security firm, Avanan, have discovered a new wave of **phishing attacks** in which actors use the Geo Targetly product, Geo Link, to redirect users to malicious links.

What’s worse, following this modus operandi, scammers can launch targeted attacks according to the victim’s region and language through this service.

> The latest Reddit hack teaches us one major lesson: Do not underestimate phishing attacks.
> 
> Hackread.com

For your information, Geo Targetly is a legitimate website that lets businesses and advertisers redirect users to ads or pages in their local markets. Its Geo Link service is essentially a URL shortener, according to the company, just like **Bitly**.

Threat actors use Geo Targeting to target potential victims at specific locations through phishing emails. This could be a massive blow to the cybersecurity fraternity, as exploitation of get targeting may be the ultimate game-changer for cybercriminals.

“In this attack, hackers redirect users via Geo Targetly … and provide them with customized, localized phishing pages,” Avanan researchers stated.

The said tool is used to display ads based on the user’s location. So, the ads viewed by someone in France would be different than those shown to someone in the US. Now, hackers can launch **geo-specific phishing** content and send malicious emails customized by region and language to their targets.

**Email Content**

One of the emails Avanan researchers **analyzed** was in Spanish and was sent to users in Colombia. It appears to be about a speeding subpoena. The email’s subject line translation is as follows:

“Subject: Notification of subpoena for excess of maximum speed allowed on urban roads of 60 km/h.”

The email contains a link. When the recipient clicks on “See Compared,” they are redirected to the Geo Targetly page. Since the user is in Colombia, the email will redirect them to a Colombian page.

Phishing email screenshot provided by Avanan

But that’s not the exciting part. The customization that hackers perform to attack their targets according to their location is the exciting part. With this trick, they can target multiple users in different parts of the world simultaneously.

By exploiting Geo Targetly, attackers can create **phishing URLs** that redirect users in certain regions to inauthentic login pages that appear legitimate. Due to this personalization, victims will be trapped and click on the link. This technique is based on the “spray-and-pray” method, in which thousands of phishing emails are sent at once.

**How to Stay Protected?**

Researchers recommend users check the URLs included in their emails and browsers before clicking on them. Avanan’s cybersecurity researcher Jeremy Fuchs stated that this is a widespread attack campaign.

Since there is no security flaw in Geo Targetly that threat actors have exploited, the only line of defence is staying vigilant. Geo Targetly has confirmed that hackers used its service to target users.

The company removed Geo Link from its free trial, considerably reducing its exploitation in phishing campaigns. Geo Targetly has also limited the creation of new accounts unless the user shares their legitimate company email account and domain.

1.  **SMS Phishing scam Dupes Zendesk Staff**
2.  **Phishing Attacks Using Unicode Characters**
3.  **Zoom Phishing Scam Steals MS Exchange Data**
4.  **Gmail Phishing Scam Stole Data Using Attachment**
5.  **Phishing: Microsoft & PayPal, most targeted brands**

Geo Targetly URL Shortener Abused in Phishing Scam

By Deeba Ahmed
According to Reddit, the breach took place after one of its employees fell for a phishing scam email sent through a malicious fake website.
This is a post from HackRead.com Read the original post: Reddit Hacked After Employee Bites on Phishing Scam

Reddit has become a victim of yet another data breach, in which threat actors have accessed the company’s internal documents, dashboards, business systems, and more.

On Thursday, Reddit confirmed that the platform had become a target of a sophisticated phishing attack on February 5th, 2023. The company revealed that the attackers targeted its employees by sending out plausible-sounding prompts via a website that looked exactly like Reddit’s intranet gateway. The objective of this attack was to steal credentials and second-factor tokens.

According to Reddit, Several employees received malicious emails sent via a fake website. One of the employees entered their credentials into this cloned website, which allowed the attacker(s) to hack into Reddit. Reddit asserts that its primary production system wasn’t breached, where Reddit stores most of its data.

After the affected employee informed the Security team, the team learned about the attack, and Reddit then launched an investigation into the incident. The company responded to the incident by removing the invader’s access to its system.

“We’re continuing to closely investigate and monitor the situation and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain,” Reddit wrote in its blog.

Reddit CTO Christopher Slowe wrote that the attacker could access internal documents, dashboards, and business systems. Exposed data includes limited contact information of company contacts, which are currently in the hundreds, and current/former employees’ data. Reddit noted that limited advertiser info was also exposed.

The company, however, has assured Redditors that their data is secure and was not affected in this incident. “Based on our investigation so far, Reddit user passwords and accounts are safe,” the company’s spokesperson stated.

They further noted that after several days-long investigations by security, engineering, and data science (and friends), the company didn’t find any evidence that its customers’ non-public data was accessed or Reddit’s data was published/distributed online.

Reddit recommends that users switch to two-factor authentication. Slowe also hosted an AMA to answer queries related to the incident and confirmed that the employee who had self-reported the incident wasn’t fired but had been shifted to stocks as a punishment.

Reddit Hacked After Employee Bites on Phishing Scam

By Habiba Rashid
It turns out that the intelligence in Google's newly-announced ChatGPT rival, Bard AI, is a bit artificial at this moment.
This is a post from HackRead.com Read the original post: Bard AI Causes Google Losses of $100 Billion

One incorrect answer to a query by Bard AI has cost Google $100 billion.

Google’s **newly announced** experimental conversational Bard AI, has caused the tech giant to lose rather than gain profits. Google’s parent company, Alphabet, experienced a 7.7% stock plunge as it lost more than $100 billion in market value on Wednesday. 

This comes as a direct result of Bard’s ad, which shows the tool providing a factually inaccurate response to a query asking: “what new discoveries from the James Webb Space Telescope can I tell my 9-year-old about?” The third suggestion written by Bard AI states that “JWST took the very first pictures of a planet outside of our own solar system.”

However, Grant Tremblay, an American astrophysicist at the Harvard-Smithsonian Center for Astrophysics, pointed out the error in that response.

“I’m sure Bard AI will be impressive, but for the record: JWST did not take “the very first image of a planet outside our solar system”. the first image was instead done by Chauvin et al. (2004) with the VLT/NACO using adaptive optics,” **he tweeted**. 

> Not to be a ~well, actually~ jerk, and I'm sure Bard will be impressive, but for the record: JWST did not take "the very first image of a planet outside our solar system".
> 
> the first image was instead done by Chauvin et al. (2004) with the VLT/NACO using adaptive optics. https://t.co/bSBb5TOeUW pic.twitter.com/KnrZ1SSz7h
> 
> — Grant Tremblay (@astrogrant) February 7, 2023

According to **NASA’s report**, the first picture of a planet outside the Milky Way was taken by the Very Large Telescope in 2004, almost 19 years before NASA’s Webb telescope.

A Google spokesperson told **New Scientist**: “This highlights the importance of a rigorous testing process, something that we’re kicking off this week with our Trusted Tester program. We’ll combine external feedback with our own internal testing to make sure Bard’s responses meet a high bar for quality, safety and groundedness in real-world information.”

In **another tweet**, Tremblay also noted how a Google search using the regular search engine yields the correct information. This further sheds light on the fact that the error was able to slip through the system because AI models rely on plausible answers, depending on statistical analysis, and are not designed to give accurate answers.

This news comes after Microsoft launched its own AI results service for its Bing search engine on February 7th. Chinese search engine Baidu also recently announced plans for a similar project.

1.  **Fields of application of artificial intelligence**
2.  **AI-based Model to Predict Extreme Wildfire Danger**
3.  **How Artificial intelligence (AI) Stops Cybercriminals**
4.  **Microsoft patent reveals chatbot to talk to dead people**
5.  **AI-Powered Glasses Give Deaf People Power of Speech**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Source

HackRead