Banana Squad hid data-stealing malware in fake GitHub repos posing as Python tools, tricking users and targeting sensitive info like browser and wallet data.

ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.

ReversingLabs team, including Principal Malware Researcher Robert Simmons, found over 60 fake project folders, called repositories, on GitHub. These folders looked like real computer hacking tools written in Python, but they were actually trojanized, meaning they contained hidden malicious code.

Malicious code was placed in the top section of the repository, while the lower part appeared harmless (Image via ReversingLabs)

In their earlier attacks, starting in April 2023, Banana Squad put out hundreds of bad software packages under various usernames, researchers noted in their blog post shared with Hackread.com. These programs were designed for Windows computers and aimed to “steal extensive amounts of sensitive data,” including information from computers, apps, web browsers, and even cryptocurrency wallets by redirecting money.

These bad packages were downloaded nearly 75,000 times before they were found and removed. More recently, in November 2024, a harmful project from Banana Squad, found at dieserbenniru, showed a new trick. They used a GitHub feature where long lines of code don’t wrap.

Additionally, attackers added many spaces to push their malicious code off the screen, making it invisible to someone just looking at the code. This makes it much harder to spot the hidden danger. Fake user accounts, often with only one project listed, are commonly used by Banana Squad to host these harmful repositories.

Beyond Banana Squad’s specific activities, the overall increase in OSS risk points to ongoing problems. A new report for 2025 from ReversingLabs shows a changing picture in the safety of open-source software (OSS).

While overall malware found in OSS repositories significantly dropped in 2024 – a 70% decrease across platforms like npm, PyPI, and RubyGems compared to 2023 – the risk to software development from OSS is actually growing.

These threat actors are getting smarter. They are using more hidden and complex ways to attack, especially on platforms like GitHub, instead of just uploading simple malware. This positive trend in malware reduction is partly thanks to better security measures, including mandatory two-factor authentication (2FA) and the OpenSSF’s Malicious Packages Repository, launched in 2023.

Other reports indicate issues like a rise in secret leaks in 2024, where sensitive login details are exposed. Also, a look at top OSS packages revealed many security holes and code rot – a reliance on old, unmaintained code. This means popularity does not equate to security. The evolving threat means everyone using open-source software needs to be more watchful and use better tools to stay safe from groups like Banana Squad and other emerging threats.

Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories

Cybercriminals are injecting fake support phone numbers onto official sites like Bank of America and Netflix. Learn how 'search parameter injection' scams work and protect yourself now.

Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.

This trick has been seen affecting companies like:

1.  HP
2.  Apple
3.  Netflix
4.  PayPal
5.  Microsoft
6.  Facebook
7.  Bank of America

****How the Search Parameter Injection Works****

The scam typically starts with a sponsored advertisement on Google, which directs users to the real company website. It is worth noting that instead of creating a fake website, these scammers use a clever technique called a search parameter injection attack.

This means they create a special, malicious web address that embeds their scam phone number into the real website’s search function. When a user clicks on a poisoned search result, they land on the brand’s actual support page. The web address in their browser will show the legitimate site, giving no cause for alarm.

However, the scammer’s fake phone number appears prominently within what looks like an official search result on the page itself. For instance, on Netflix, the site’s search function “blindly reflects whatever users put in the search query parameter without proper sanitization or validation,” creating a weakness the scammers exploit, Malwarebytes’ Pieter Arntz explained in the report shared with Hackread.com.

Source: Malwarebytes

Once a victim calls the fake number, the scammers pretend to be company representatives. Their goal is to get personal details, credit card information, or even gain remote access to the victim’s computer. If it’s a financial company like Bank of America or PayPal, the scammers aim to empty bank accounts.

Malwarebytes Browser Guard proved effective in catching these scams, displaying a warning about Search Hijacking Detected and explaining that unauthorized changes have occurred. However, some instances are harder to spot such as, on Apple’s support page, the fake number appears alongside a message stating no search matches were found, urging users to call the displayed number.

Source: Malwarebytes

****Stay Safe: Spotting the Red Flags****

To avoid falling victim, always be suspicious if a phone number appears directly in the web address bar, or if search terms like Call Now or Emergency Support are visible there. Watch out for many strange characters (like %20 or %2B) mixed with phone numbers in the URL. If a website shows a search result before you even type anything, that’s another warning sign. Any urgent language like Account suspended should also raise an alarm.

Moreover, before calling any support number, always look up the official contact details from a trusted source, like their social media pages, and compare it to the number you found. If they don’t match, investigate further. Finally, if during a call, you’re asked for personal or banking details unrelated to your issue, hang up immediately.

Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages

North Korean hackers deploy PylangGhost malware through fake crypto job interviews targeting blockchain professionals with phishing and remote access tools.

A new series of cyber attacks is targeting professionals in the crypto and blockchain industries using fake recruitment scams, according to new research by Cisco Talos. The attackers, linked to a North Korea-aligned group known as Famous Chollima, are impersonating legitimate companies to trick victims into installing malware disguised as video drivers.

The group has been active since at least mid-2024, previously known for tactics like fake developer job postings and fraudulent interview processes. This latest development shows the operation evolving in sophistication, now with a new Python-based malware called PylangGhost, a variant of the previously identified GolangGhost trojan.

****Real Jobseekers, Fake Companies****

Victims are approached by fake recruiters offering positions at companies that appear to be in the crypto sector. Targets are often software developers, marketers and designers with cryptocurrency experience.

Once contact is made, the victim is directed to a fake skill-assessment page designed to look like it belongs to a real company, including well-known names like Coinbase, Robinhood, Uniswap and others.

These pages use the React framework and closely mimic real corporate interfaces. After filling out personal information and completing the test, applicants are told they must record a video introduction for the hiring team. To do so, they’re asked to install “video drivers” by copying and pasting commands into their terminal.

That step downloads the malware.

****How the Malware Works****

According to Cicso Talos’ blog post, if the victim follows instructions on a Windows or MacOS system, a malicious ZIP file is pulled down. It contains the Python-based PylangGhost trojan and related scripts. The malware then unpacks itself, runs in the background and gives attackers remote access to the victim’s machine.

Screenshot of MacOS instructions prompting the user to copy, paste and run a malicious command line script (Image via Cisco Talos)

The Python version functions almost identically to its Go-based counterpart. It installs itself to run every time the system starts, collects system info, and connects to a command and control server. Once active, it can receive and execute remote commands, harvest credentials, and steal browser data, including passwords and crypto wallet keys.

According to Talos, it targets more than 80 different browser extensions, including widely used password managers and digital wallets like MetaMask, 1Password, NordPass and Phantom.

The malware uses RC4 encryption for communication with its server. Though the data stream is encrypted, the encryption key is sent along with the data, limiting the security of that method. Still, the setup helps it blend in with regular traffic and makes detection harder.

The goal of this operation is twofold. First, it allows attackers to gather sensitive personal data from real jobseekers. Second, it opens the door for fake employees to be placed inside real companies, which could lead to long-term infiltration and access to valuable financial data or software infrastructure.

Only a small number of victims have been confirmed so far, mostly in India. Linux users are not affected in this particular campaign. No Cisco customers appear to have been impacted at this time.

Talos notes that the malware’s development does not seem to involve AI code generation, and the structure of both the Python and Go versions suggests the same developers created both.

****Stay Safe****

If you’re applying for roles in crypto or tech, be cautious with job listings that ask you to install software or run terminal commands as part of an interview. Legitimate companies will not require this.

Cybersecurity teams should review employee onboarding processes, especially for remote hires, and educate staff about these types of social engineering attacks. Monitoring for unexpected outbound connections or strange ZIP downloads can also help catch early signs of compromise.

N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam

Zimperium zLabs reveals GodFather malware’s advanced virtualization that hijacks mobile banking and crypto apps. Learn how it steals data on your phone.

Cybersecurity researchers at Zimperium zLabs, led by Fernando Ortega and Vishnu Pratapagiri, have uncovered a dangerous new version of the GodFather Android malware using an advanced technique called on-device virtualization to take over legitimate mobile apps. It especially targets banking and cryptocurrency apps, effectively turning your own device into a spy.

****The Virtualization Trick****

Instead of just showing a fake image, the malware installs a hidden host app, which then downloads and runs a real copy of your banking or crypto app inside its own controlled space, a sandbox. When you try to open your actual app, the malware redirects you to this virtual version.

The malware then monitors and controls every action, tap, and word you type in real time, making it nearly impossible for you to notice anything wrong, since you are interacting with the real app, just in a manipulated environment. This sophisticated technique allows attackers to obtain usernames, passwords, and device PINs, obtaining complete control of your accounts.

This method gives attackers a huge advantage. They can steal sensitive data as you enter it, and even change how the app works, bypassing security checks including those that detect rooting a phone. Notably, the GodFather banking malware is built by repurposing several legitimate open-source tools, such as VirtualApp and XposedBridge, to execute its deceptive attacks and evade detection.

****Global Targets and Evasive Manoeuvres****

While GodFather employs its advanced virtualization, it also continues to use traditional overlay attacks, placing deceptive screens directly over legitimate applications. This dual approach shows the threat actors’ remarkable ability to adapt their methods.

According to the company’s blog post, the GodFather Android malware campaign is widespread, targeting 484 applications globally, though the highly advanced virtualization attack currently focuses on 12 specific Turkish financial institutions. This broad reach includes not just banking and cryptocurrency platforms, but also major global services for payments, e-commerce, social media, and communication.

The malware also uses clever tricks to avoid being found by security tools. It changes the way APK files (Android app packages) are put together, tampering with their structure to make them look encrypted or adding misleading information like $JADXBLOCK. It also moves much of its harmful code to the Java part of the app and makes its Android manifest file harder to read with irrelevant information.

Further probing revealed that GodFather still uses Android’s accessibility services (designed to help users with disabilities) to trick users into installing hidden parts of its application. It uses deceptive messages like “You need permission to use all the features of the application,” and once it gains accessibility permissions, it can secretly grant itself more permissions without user knowledge.

Also, the malware hides its important information, like where it connects to its control server (C2), in encoded form, making it harder to track. Once active, it sends details of your screen to the attackers, giving them a real-time view of your device. This discovery, hence, highlights the ongoing challenge in mobile security as threats become more complex and harder to spot.

_“_This is definitely a novel technique and I can see its potential,_“_ said Casey Ellis, Founder at Bugcrowd. _“_It will be interesting to see how effectively it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkiye, and if other threat actors attempt to replicate a similar approach._“_

GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data

Miami, Florida, 18th June 2025, CyberNewsWire

**Miami, Florida, June 18th, 2025, CyberNewsWire**

**Halo Security’s Attack Surface Management Platform Honored for Exceptional Innovation and Successful Deployment Through The Channel**

Halo Security today announced that its attack surface management solution has been named a 2025 MSP Today Product of the Year Award winner by TMC, a leading global media company recognized for building communities in technology and business through live events and digital marketing platforms. 

The MSP Today Product of the Year Award honors standout products and services that are reshaping the managed services landscape—delivered through the Channel and purpose-built to meet the evolving needs of end users. The Halo Security platform was selected for its innovation, performance, and its measurable impact on customers and partners alike.

The Halo Security Attack Surface Management Platform enables organizations and managed service providers (MSPs) to discover, monitor, and secure their internet-facing assets. The platform combines attacker-like discovery methods with ongoing security monitoring, vulnerability scanning, and expert-led penetration testing services to help organizations of all sizes identify and remediate security risks before they can be exploited.

Designed with the Channel in mind, the platform offers easy-to-use client management and reporting, along with seamless integrations into tools like Slack, Jira, and major cloud providers. The platform empowers MSPs to deliver scalable, high-impact security services with minimal setup and configuration. With built-in PCI compliance reporting, dark web monitoring, and dynamic application security testing (DAST), Halo Security gives partners and clients alike the visibility needed to stay ahead of evolving threats and meet their compliance goals.

> “Our mission has always been to give organizations and our channel partners deep visibility into their digital presence,” said Lisa Dowling, CEO of Halo Security. “This award is a testament to the innovation behind our platform, the dedication of our team, and the success our MSP partners are driving for their clients every day.”

> “It gives me great pleasure to recognize Halo Security as a 2025 recipient of TMC’s MSP Today Product of the Year Award for their innovative attack surface management solution,” said Rich Tehrani, CEO of TMC. “Our judges were thoroughly impressed not only by the strength and features of the product, but by Halo Security’s commitment to the Channel—empowering partners to deliver exceptional service and drive meaningful results for their clients.” 

Winners of the 2025 MSP Today Product of the Year Award will be featured on MSP Today, the definitive resource for managed service providers, as well as across TMCnet’s media platforms.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

**About MSP Today**

MSP Today is the premier online destination for MSPs (Managed Service Providers) and IT service providers worldwide. As the industry’s leading web portal, we are committed to delivering timely and relevant news, cutting-edge product information, and invaluable insights to empower MSPs and IT professionals to thrive in today’s rapidly evolving technology landscape. Whether you’re seeking in-depth articles on emerging technologies, comprehensive product reviews, or actionable tips to optimize your IT services, MSP Today is your go-to resource for all things MSP-related. Users can learn more at www.msptoday.com.

**About TMC**

For more than 20 years, TMC has been honoring technology companies with awards in various categories. These awards are regarded as some of the most prestigious and respected awards in the communications and technology sector worldwide. Winners represent prominent players in the market who consistently demonstrate the advancement of technologies. Each recipient is a verifiable leader in the marketplace. TMC also provides global buyers with valuable insights to make informed tech decisions through our editorial platforms, live events, webinars, and online advertising. Users can learn more at www.tmcnet.com.

**Contacts**

**Director of Partnerships**  
**Lauren Ladra**  
**Halo Security**  
**\[email protected\]**  
**415-799-4568**  
**Manager, TMC Awards**  
**Stephanie Thompson**  
**TMC**  
**\[email protected\]**  
**203-852-6800**

Halo Security Honored with 2025 MSP Today Product of the Year Award

A CVSS 8.8 AgentSmith flaw in LangSmith's Prompt Hub exposed AI agents to data theft and LLM manipulation. Learn how malicious AI agents could steal API keys and hijack LLM responses. Fix deployed.

Cybersecurity researchers at Noma Security have disclosed details of a critical vulnerability within LangChain‘s LangSmith platform, specifically affecting its public Prompt Hub. This critical flaw, dubbed AgentSmith with a CVSS score of 8.8 (indicating a high severity), could allow malicious AI agents to steal sensitive user data, including valuable OpenAI API keys, and even manipulate responses from large language models (LLMs).

****The AgentSmith Threat Explained****

LangSmith is a popular LangChain platform used by major companies like Microsoft and DHL for managing and collaborating on AI agents. The Prompt Hub, its key feature, is a public library for sharing/reusing pre-configured AI prompts, many of which function as agents.

The AgentSmith vulnerability exploited how these public agents could be set up with harmful proxy configurations. A proxy server acts as an intermediary for network requests. In this case, an attacker could create an AI agent with a hidden malicious proxy.

When an unsuspecting user adopts and runs this agent from the Prompt Hub, all their communications, including private data like OpenAI API keys, uploaded files, and even voice inputs, would be secretly sent through the attacker’s server.

As per Noma Security’s investigation, shared with Hackread.com, this Man-in-the-Middle (MITM) interception could lead to severe consequences. Attackers could gain unauthorized access to a victim’s OpenAI account, potentially downloading sensitive datasets, inferring confidential information from prompts, or even causing financial losses by exhausting API usage quotas.

In more advanced attacks, the malicious proxy could alter LLM responses, potentially leading to fraud or incorrect automated decisions.

****AgentSmith’s Proof of Concept (PoC)****

****Prompt Response and Future Safeguards****

Noma Security responsibly disclosed the vulnerability to LangChain on October 29, 2024. LangChain confirmed the issue and swiftly deployed a fix on November 6, 2024, prior to this public disclosure.

Along with that, the company introduced also new safety measures, warning messages, and a persistent banner on agent description pages for users attempting to clone agents with custom proxy settings.

Both Noma Security and LangChain found no evidence of active exploitation, and only users who directly engaged with a malicious agent were at risk. LangChain also clarified that the vulnerability was limited to the Prompt Hub’s public sharing feature and did not affect their core platform, private agents, or broader infrastructure.

The incident highlights the need for organizations to enhance their AI security practices. Researchers suggest organizations should maintain a centralized inventory of all AI agents, using an AI Bill of Materials (AI BOM) to track their origins and components. Implementing runtime protections and strong security governance for all AI agents is also crucial to protect against evolving threats.

AgentSmith Flaw in LangSmith’s Prompt Hub Exposed User API Keys, Data

As SEO leans towards AI, site owners are more in need of third-party tools, and agencies and updating…

As SEO leans towards AI, site owners are more in need of third-party tools, and agencies and updating their own strategy. These fast changes to stay on top of optimisation can become a hotbed for security mistakes, particularly as last-ditch desperation can kick in when you are tanking in the rankings. 

Brand integrity, personal data, strategy, and proprietary data must all be protected, along with having a strategy that minimises risks like being penalised by Google.

****What “unsafe” SEO looks like in 2025****

Unsafe SEO can come in a few forms. Black-hat practices can present a big risk, as Google may penalise your rankings. For example, producing AI content en masse to maximise the number of pages you have within a niche can bloat your sitemap, but may also be flagged outright by Google. Or, the overuse of backlinks to low-quality, irrelevant sites.

In 2025, SEO performance is leaning more towards trustworthiness, and so many turn to agencies to help build backlinks. If such agencies are providing data or partners to drive SEO, it must be reliable. The collaboration presents another risk, as both you and the agency must protect your personal data, but also the campaign strategy and keywords, which an attack could target.

Using insecure third-party tools, such as Chrome Extensions for SERP analysis, can also pose a security risk if they collect and log your data.

****Pillars of a secure SEO strategy** **

A resilient and secure SEO strategy in 2025 has a few core pillars. Firstly, to avoid being penalised by Google, there must be a commitment to acquiring only high-authority and contextually relevant backlinks. Adhering to guidelines and ethical practices is the bread and butter of SEO risk management.

The selection of partners and service providers should involve rigorous due diligence, prioritising those with verifiable security credentials and transparent methodologies. Ensure _they_ aren’t using black-hat techniques, but also that they’re keeping your data safe with strong data governance protocols. 

****Safeguarding your SEO data and strategy****

Unvetted or inadequately secured tools can become a vehicle for data exfiltration, and these can expose campaign blueprints and keyword strategies, perhaps even selling them to competitors or malicious actors. 

In the world of link building, it’s common to rely on platforms that act as intermediaries between publishers and site owners. Some, like LEOlytics, have introduced onboarding steps that help structure this connection more effectively. While each platform has its own approach, having some level of oversight can contribute to a more secure and organized process overall.

Another protocol to employ when working directly with freelance writers is to ask for an NDA signature, helping secure the confidence of your work. And, if sharing strategic or client information with AI assistants, be sure to turn on data privacy settings so your information isn’t used during their next model training. 

****Security in SEO is needed for longevity****

SEO demands more thought on security than ever before. Because of its changing demands, many are turning to specialists and AI to help. But, in such unstable times, it’s more important than ever to remain vigilant about being blacklisted, using unsecure tools, or collaborating with unreliable agencies.

The importance of managing your SEO strategy in a safe way

Cato CTRL uncovers new WormGPT variants on Telegram powered by jailbroken Grok and Mixtral. Learn how cybercriminals jailbreak top LLMs for uncensored, illegal activities in this latest threat research.

Despite its reported shutdown in 2023, the WormGPT a type of uncensored artificial intelligence (AI) tool for illegal acts, is making a comeback. New research from Cato CTRL, the threat intelligence team at Cato Networks, reveals that WormGPT is now exploiting powerful large language models (LLMs) from well-known AI companies, including xAI’s Grok and Mistral AI’s Mixtral.

This means cybercriminals are using jailbreaking techniques to bypass the built-in safety features of these advanced LLMs (AI systems that generate human-like text, like OpenAI’s ChatGPT). By jailbreaking them, criminals force the AI to produce “uncensored responses to a wide range of topics,” even if these are “unethical or illegal,” researchers noted in their blog post shared with Hackread.com.

****The Evolution of a Malicious Tool****

WormGPT first appeared in March 2023 on an underground online forum called Hack Forums, with its public release following later in mid-2023, as reported by Hackread.com. The creator, known by the alias Last, reportedly started developing the tool in February 2023.

WormGPT was initially based on GPT-J, an open-source LLM developed in 2021. It was offered for a subscription fee, typically between €60 to €100 per month, or €550 annually, with a private setup costing around €5,000.

However, the original WormGPT was shut down on August 8, 2023, after investigative reporter Brian Krebs published a story identifying the person behind Last as Rafael Morais, leading to widespread media attention.

Despite this, WormGPT has now become a recognized brand for a new group of such tools. Security researcher Vitaly Simonovich from Cato Networks stated, “WormGPT now serves as a recognizable brand for a new class of uncensored LLMs.”

He added that these new versions aren’t entirely new creations but are built by criminals cleverly changing existing LLMs. They do this by altering hidden instructions called system prompts and possibly by training the AI with illegal data.

****New Variants and Their Power****

Cato CTRL’s research found previously unreported WormGPT variants advertised on other cybercrime forums like BreachForums. For example, a variant named “xzin0vich-WormGPT” was posted on October 26, 2024, and “keanu-WormGPT” appeared on February 25, 2025. Access to these new versions is via Telegram chatbots, also on a subscription basis.

WormGPT Advert (Source: Cato CTRL)

Through their testing, Cato CTRL confirmed that keanu-WormGPT is powered by xAI’s Grok, while xzin0vich-WormGPT is based on Mistral AI’s Mixtral. This means criminals are successfully using top-tier commercial LLMs to generate malicious content like phishing emails and scripts for stealing information.

keanu-WormGPT reveals the malicious chatbot has been powered by Grok (Screenshot: CATO Networks)

The emergence of these tools, alongside other uncensored LLMs like FraudGPT and DarkBERT, shows a growing market for AI-powered crime tools and highlights the constant challenge of securing AI systems.

J Stephen Kowski, Field CTO at SlashNext Email Security+ commented on the latest development stating, _“_The WormGPT evolution shows how criminals are getting smarter about using AI tools – but let’s be honest, these are general-purpose tools and anyone building these tools without expecting malicious use in the long term was pretty naive._“_

_“_What’s really concerning is that these aren’t new AI models built from scratch – they’re taking trusted systems and breaking their safety rules to create weapons for cybercrime,_“_ he warned. _“_This means organizations need to think beyond just blocking known bad tools and start looking at how AI-generated content behaves, regardless of which platform created it._“_

WormGPT Makes a Comeback Using Jailbroken Grok and Mixtral Models

Scattered Spider targets US insurance firms after UK retail attacks, using social engineering to breach help desks and disrupt services, Google warns.

A hacker group known for high-profile attacks on retail giants is now turning its attention to the insurance sector, according to a new warning from Google’s Threat Intelligence Group. The group, known as **Scattered Spider**, has been linked to a series of recent cyber attacks that disrupted access for insurance customers across the United States.

The alert follows a series of data breaches at major UK retailers earlier this year. After that wave of attacks, Google analysts noted that Scattered Spider had begun targeting US-based retailers. Now, researchers say the group is showing a clear interest in insurance firms and is actively exploiting their workforce through **social engineering**.

****Focused Targeting, Familiar Tactics****

“Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry, they have a habit of working their way through a sector,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group. In a **post** on X, he noted that Scattered Spider relies heavily on social engineering, especially schemes aimed at help desks and call centers.

> Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers.
> 
> — John Hultquist (@JohnHultquist) June 16, 2025

The tactic isn’t new, but it remains effective. Rather than relying on complex exploits or malware, the group frequently poses as employees or contractors to convince staff to reset passwords or share sensitive access credentials. This approach gives attackers a way in, without having to breach security

****Erie Insurance and Scania Affected****

While Google hasn’t publicly named the companies affected in this latest wave of attacks, Erie Insurance, a Pennsylvania-based provider, **reported** a breach on June 7. The company has not confirmed who was behind it, but the timing aligns with Google’s warning. Erie has been issuing updates to customers but has yet to share details about the full extent of the intrusion.

Meanwhile, Scania’s insurance division was also reportedly affected, adding weight to concerns that the group’s focus on insurers is well underway.

> 🚨Data Breach Alert‼️
> 
> 🇸🇪Sweden – Scania Financial Services
> 
> A threat actor using the alias "hensi" claims to have breached the subdomain insurance.scaniacom, allegedly gaining access to and exfiltrating a full set of files.
> 
> The actor states this is a first-time intrusion… pic.twitter.com/aPP09wSjhB
> 
> — Hackmanac (@H4ckmanac) June 12, 2025

****Expert View: Social Engineering Remains a Core Threat****

**Dave Gerry,** CEO at Bugcrowd, says the recent activity highlights long-standing risks in the way companies handle internal support systems.

“They’ve been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link,” Gerry said. “Incidents like the one at Erie Insurance show how important it is for the insurance sector to revisit its defenses and incident response strategies. These aren’t one-off events. This is targeted, and it’s ongoing.”

****Why Insurers?****

Insurers hold sensitive financial and personal data, a tempting target for attackers. But what makes them especially vulnerable is the combination of high-value information and complex customer support systems, which often require staff to handle urgent access requests or account changes.

When threat actors can impersonate staff or customers convincingly enough, help desk employees may unknowingly hand over access to internal tools or user accounts.

Organizations should review how support teams verify identity and manage account access. Multi-step verification, better training, and limiting permissions can help reduce the risk of a successful social engineering attack.

Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results…

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results to spread malicious content and other scams. According to researchers, an “organized” network of attackers is using compromised websites to boost the visibility of malicious content in search rankings.

Behind this operation is Hacklink, a black market platform that allows scammers to inject links to phishing pages and fraudulent services into unsuspecting websites, with search engines doing the rest.

****Hijacked Sites, Invisible Links, Manipulated Results****

Instead of defacing websites or stealing data, attackers using Hacklink insert invisible code into the source of compromised sites. These links are designed to match keywords searched by users, especially in the gambling, pharmaceutical, and adult content sectors. When someone searches for a related term, the attacker’s sites show up high in the results, often outranking legitimate businesses.

The content is prepared to be hidden from everyday users but fully visible to search engine crawlers. By doing this, the attacker piggybacks on the reputation of the compromised site, especially those ending in .gov, .edu, or popular country code domains. This tactic tricks search algorithms into treating scam sites as credible, giving them an increase in visibility.

****Hacklink: SEO Fraud as a Service****

Hacklink is an online shop for scammers. Attackers can browse a list of already-compromised domains, select keywords and target URLs, and pay to have their content injected.

According to Netcraft’s report shared with Hackread.com ahead of publishing on Tuesday, prices vary, but listings often start around $1, with premium domains costing more. All of this is done through a web-based control panel, making large-scale manipulation of search rankings accessible to anyone with money and malicious intentions.

In many cases, the website owner remains unaware. Their site looks and functions normally, even as it silently boosts fraudulent sites selling fake products, redirecting to phishing pages, or spreading malware.

Hacklink Market’s website (Screenshot: Hackread.com)

****Targeting Online Gambling in Turkey****

Netcraft’s report also notes an increase in attacks targeting the online gambling sector in Turkey. Groups like “Neon SEO Academy” and “SEOLink” are offering services to manipulate search rankings for gambling-related keywords. These operators claim access to over 15,000 compromised websites and actively market their offerings through platforms like Telegram and WhatsApp.

These groups offer much more than link injection. Some provide access to admin panels of vulnerable sites, allowing more extensive and long-term control. Others use private blog networks to further boost the legitimacy of malicious links, an approach that mixes pushy SEO tactics with questionable ethics.

****Real-Time Ranking Manipulation****

Researchers also noted that attackers are able to dynamically change the text that appears in search results by adjusting anchor text across their link network. This means they can remotely influence how a compromised site appears in Google’s results, even without full control of that site.

In more advanced setups, this method can even take search users to phishing pages or cloned versions of real websites. Users who think they’re visiting a trusted service may be entering passwords or payment information into a trap.

Screenshot shows the compromised website of the LifeBridge Christian Church – Colorado, United States

While online gambling is the most visible victim today, this method could be applied to almost any industry that relies on search engine visibility, including banking, healthcare, crypto trading, and charitable fundraising. The tactic targets both user trust and brand integrity, making it difficult for victims to even detect the problem.

****What To Do?****

Organizations should security admin panels, apply patches, and monitor file changes regularly. But awareness is just as important. SEO poisoning isn’t just a search engine problem, it’s a growing part of the cybercrime economy.

Site owners should review how their domains appear in search results, audit for unauthorized outbound links, and monitor their domain’s reputation. If suspicious links are detected, use disavow tools and report abuse to search engines promptly.

For users, verify URLs carefully, especially when dealing with financial transactions or personal information. And when in doubt, go directly to a known domain rather than trusting search engine links alone.

And most importantly, follow Hackread.com for more cybersecurity-related news and security tips!

Source

HackRead