A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Source: Sean Hawkey via Alamy Stock Photo

Two Americans, two North Koreans, and a Mexican man have been indicted for their roles in an IT worker scam.

According to the Department of Justice (DoJ), Pak Jin-Song, Jin Sung-Il, and other North Korean co-conspirators secured IT jobs with at least 64 different American companies. They managed it using fake identities facilitated by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen living in Sweden, and carried out their jobs with the help of laptop farms maintained by US citizens Emanuel Ashtor and Erick Ntekereze Prince.

The ruse lasted from April 2018 to last August. For a sense of how lucrative it was, the DoJ noted that earnings from just 10 of the 64 affected companies yielded the scammers $866,255.

**Breakdown of a North Korean IT Scam**

The IT worker scam, now tried and true, developed as a workaround for trade and economic sanctions imposed by the US on the Democratic People's Republic of Korea (DPRK). North Koreans under the employ of sanctioned DPRK government ministries, under assumed identities and relocated in places like China and Russia, apply for remote jobs in America's lucrative tech industry. They perform their jobs adequately enough, but funnel their earnings back to their shriveled government. And some portion of that money, inevitably, ends up funding its notorious nuclear and missile development programs.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

But getting a high-paying tech job is no simple, overnight process. To facilitate these scams, by trick or by trade, North Korea recruits Americans and other foreign nationals to help them implement the plan. In this case, the help came from a few central individuals.

In some cases, Alonso lent the hungry job seekers his identity, which they presented as their own in job applications and interview processes. In other cases, the North Koreans stole real US citizens' government identification documents, then superimposed their own headshots on them. In other cases, they solicited help with forgeries from the Web.

After securing sometimes six-figure gigs, the North Korean workers would have company laptops delivered to Ashtor or Prince. By a certain point, the Americans were running full-on laptop farms from their homes in North Carolina. To enable North Koreans in China to work from laptops on the US East Coast, they covertly downloaded and installed remote access software onto these corporate devices. And to conceal where the salaries were actually going, they used their own registered companies to invoice employers. Payments would then be laundered through Chinese bank accounts.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Ashtor and Prince were arrested in North Carolina, and Alonso in the Netherlands. All five men are now charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The two named North Koreans have earned a bonus charge of conspiracy to violate the International Emergency Economic Powers Act. Convictions could entail prison sentences of up to 20 years.

**Are Recent Arrests Having an Impact on Cybercrime?**

Last March, the DoJ launched its DPRK RevGen: Domestic Enabler Initiative, focused on shutting down the laptop farms crucial to facilitating North Korean IT worker scams. In the time since, authorities have made notable arrests and seizures on four separate occasions.

"They've been warned about this for two years, and we're finally just now starting to see the United States government starting to form a defensive policy, \[with\] routine arrests and sanctions," says Roger Grimes, data-driven defense evangelist at KnowBe4, a company that accidentally hired a North Korean employee last year.

Grimes hasn't yet observed any noticeable decline in these scams since the DoJ initiative began. In fact, he reports, KnowBe4 has received applications from fake IT workers even since its first, widely publicized incident. Any Americans joined up with Kim might consider, though, that besides the threat of arrest, the gig isn't always as lucrative as it seems.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

"A lot of them have been cheated," Grimes notes. While cases have varied widely, he claims, "Many \[Americans have been\] promised a lot more, and either only got paid partially, or some of them didn't get paid at all. So they were really cheated."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

DoJ Busts Up Another Multinational DPRK IT Worker Scam

At Black Hat and DEF CON, cybersecurity experts were asked to game out how Taiwan could protect its communications and power infrastructure in case of invasion by China.

Source: Kevin M. Law via Alamy Stock Photo

If China attacked Taiwan, how could Taiwan defend its critical communications infrastructure from cyberattack?

Last year, Dr. Nina A. Kollars and Jason Vogt — both associate professors at the US Naval War College (USNWC) Cyber and Innovation Policy Institute (CIPI) — designed a war game to inspire some novel strategies. They enlisted government and private sector cybersecurity experts at Black Hat and DEF CON to participate, and presented the results at ShmooCon earlier this month.

The scenario was this:

August 6, 2030. Relations between the PRC and Taiwan had deteriorated to the breaking point due to the re-election of a liberal, pro-independence party. Rhetoric towards independence was at an all-time high, and several government representatives had openly called for UN recognition of Taiwan as an independent state. The Central Committee of the Communist Party (CCCP) decided that the risk of Taiwan declaring independence was high enough to warrant military intervention. They began preparations for an invasion. With little chance of surprise, the PRC decided to do their utmost to disrupt Taiwan’s military and civilian communications prior to the assault.

The experts came up with 65 ways Taiwan's government could prepare for such a war, ranging from the low tech, like using ham radio when mobile networks go down, to the ambitious, such as investing in modular nuclear reactors or tidal power generation, to the outlandish, for example using civilians or cultural artifacts as deterrents against military strikes.

Related:Thai Police Systems Under Fire From 'Yokai' Backdoor

**Taiwan's Unique Indefensibility**

In designing the war game, "We put very specific emphasis on what we call the 'Zelensky playbook,'" Kollars says. Ukrainian President Volodymyr Zelensky made certain that communications could occur between his own people and the capital, and between the capital and the rest of the world. "We went into designing the war game specifically to answer the question: Could the Taiwanese play Zelensky? Even under any kind of duress, could they find a way to keep communicating?"

What was clear early on is that political and geographic factors make Taiwan much more vulnerable to blockade. Ukraine is in mainland Europe, with a long border through which it can receive resources of one kind or another — fuel, Internet connectivity, and food, for example. Taiwan's highly connected populus is served by 16 undersea cables, three of which run through China, making them eminently cuttable. Meanwhile, it imports nearly all of its energy from overseas, and has been phasing out domestic nuclear power, which might otherwise provide a balance. "So pretty quickly you get this pretty dire picture, where it's just a fundamentally different kind of battle," Kollars explains.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

"Taiwan is in a very vulnerable position because of its geography, but also because of a million little micro-decisions, which ultimately give you the telecommunications and power system that you have," Vogt says. At the time of Russia's invasion, "Ukraine had a much more diverse set of mobile providers, and the power was much more distributed — there's a lot more connections to other countries. So the Russians were probably never in a position where they could digitally isolate Ukraine, writ large. They tried to do it to the capital, but it was always going to be very hard for them. I think in the Taiwan–China scenario, China has the potential to be much more damaging."

**How to Defend Taiwan from China**

Initially, players devised strategies to combat aggressive but ultimately tempered cyberwarfare: ransomware attacks against data centers, severed submarine fiber optic cables, and forced power outages. Only then did China kick up its game with kinetic strikes, including PRC strikes on Taiwanes aircraft and ensuring that nothing can fly in Taiwanese airspace. In the scenario, PRC also destroyed bridges and key routes to coastal defenses, while also targeting Taiwan's command-and-control systems and all manner of communications systems.

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

How could a small island nation possibly protect its infrastructure against the combined might of the world's second greatest military power?

More than two-thirds (70%) of the solutions proposed by players involved investing in infrastructure for communications, power generation, storage, and data backup and distribution. Some 20% of the ideas focused on recovery — preparing civilians with technical skills, and stockpiling spare resources, for example. Only 10% of recommendations focused on straight cybersecurity.

The physical location of critical resources was also of utmost importance. Some suggested that Taiwan take advantage of its geography by building and stockpiling equipment along its far coast, in forests, and nestled in its eastern mountain range. Some suggested decentralizing its infrastructure, spreading it out in smaller chunks all around the country using solar power and cheap radio systems. Others argued for the opposite: concentrating communications and power systems in fewer, denser areas that China might be reticent to destroy.

"There were some ideas I thought, from a military perspective, were pretty risky," Kollars admits. "One of them was to colocate all of Taiwan's precious assets — like the TSMC semiconductor plant, all of its antiquities from China, large populations, and a nuclear power plant — assuming an adversary wouldn't strike a target that had everything stacked on top of it. That's a heck of a gamble."

Ultimately, the most popular ideas were those that were cheap and practical, like using Bluetooth or Raspberry Pi mesh networks as backups to cellular connectivity. "The thing that surprised us most about this exercise," Vogt recalls, "was how much time they spent talking about the civilian population, and what needed to be done to prepare them: everything from public messaging campaigns on how to be cyber secure to full-on training programs to create civilian cyber cores that could not just protect themselves but also operate and maintain equipment when there's no government around, and keep the communications going for longer periods of time."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

War Game Pits China Against Taiwan in All-Out Cyberwar

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Anuj Jaiswal, Chief Product Officer, Fortanix

January 23, 2025

3 Min Read

Source: LuckyStep48 via Alamy Stock Vector

COMMENTARY

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, potentially opening up security risks.

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.

The uncontrolled risk of shadow AI usage reveals the need for stringent privacy and security practices when employees use AI.

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business — regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.

To mitigate risk, organizations must secure their data while it's at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).

**How Can CISOs Secure GenAI and Company Data?**

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible — their data.

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise's most valuable asset?

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:

*   Protecting the data before it is even ingested into the GenAI model
    

*   Ensuring that the data output is completely secured, as this new data will drive the business outcomes and create true value
    

If the data life cycle isn't secure, this becomes a business-critical exposure.

More specifically, a multifaceted approach is necessary to protect sensitive data from being leaked, and though it starts with limiting shadow AI as much as possible, it is just as important to preserve data security and privacy with some basic best practices:

*   Encryption: Data encryption across its life cycle is vital, but it's equally important to manage and store encryption keys securely and separately from the data itself.
    
*   Obfuscation: Use data tokenization to anonymize any sensitive or PII data that could be fed to an LLM. This prevents data that enters the AI pipeline from being corrupted or leaked.
    
*   Access: Apply granular, role-based access controls to data so that only authorized users can see and use the data in plain text.
    
*   Governance: Commit to ethical business practices, embed data privacy across all operations, and remain current on data privacy regulations.
    

As is often the case with most tech advancements, GenAI's ease and convenience come with some fallbacks. While employees want to take advantage of the increased efficiency of GenAI and LLMs for work, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations to prevent sensitive data from entering the AI system. Along with making sure workers know the importance of data protection, it is key to mitigate potential risks by taking all measures to encrypt and secure data from the start.

**About the Author**

Chief Product Officer, Fortanix

Anuj Jaiswal is chief product officer at Fortanixa. He is seasoned product and engineering leader with an impressive track record spanning more than 20 years. Anuj previously served as vice president of engineering at Embrace.io and was a pivotal figure at Arkin, a company that caught the attention of VMware and was subsequently acquired in 2016. During his time at Arkin, Anuj played a critical role in the acquisition process, showcasing his strategic vision and technical insight. Before Arkin, Anuj worked as a senior leader at FrontRange Solutions (acquired by Ivanti) and DBO2 (acquired by Predictive Solutions).

Anuj's domain knowledge is extensive, covering crucial areas such as cloud security, network security, cybersecurity, data security and application performance monitoring (APM) for both cloud and mobile applications. His approach to product management — vision, strategy, customer-centric, roadmapping, partnerships, and UX — has consistently resulted in products that drive revenue and growth for organizations while meeting customer needs. Anuj holds a master's degree in computer applications and a bachelor's degree in business administration.

The Security Risk of Rampant Shadow AI

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

Source: LJSphotography via Alamy Stock Photo

Dozens of organizations have been infected with router malware that uses a packet-sniffing technique to minimize its footprint.

Rather than their far more popular Cisco counterparts, the campaign, which Black Lotus Labs named "J-magic," hones in on Juniper-brand routers at the edge of high-value networks. Exposed enterprise routers are tapped with a variant of a quarter-century-old backdoor, "cd00r," which stays dormant until it receives an activation phrase — a "magic packet." Only then does it grant access to a reverse shell, from which its attackers can steal data, manipulate configurations, and spread to more devices.

"There's been a lot of emphasis on small office/home office (SOHO) devices, but attackers are just as active in the enterprise space," warns Danny Adamitis, principal information security engineer with Black Lotus Labs. "It's just that they're living on these devices that don't really have endpoint detection and response (EDR), that are in front of a firewall, and don't really run things like Sysmon, so it's a little bit harder for people to detect these attacks."

**Backdoor Malware Infests Juniper Routers**

Exactly how the hackers obtained initial access to affected routers is unknown, but the openings they exploited are clear. Around half the Juniper routers victimized by J-magic were configured as virtual private network (VPN) gateways, and the other half possessed exposed Network Configuration Protocol (NETCONF) ports, which allow administrators to remotely manage and configure network settings, but also allow attackers to sneak through and do the same. These routers served as points of entry and control for much larger networks, affording attackers a wide canvas for their malicious deeds.

Related:Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

To exploit these prized devices, the attackers install their malware, cd00r, in a position where it can observe all TCP traffic coming into the edge device. Then it waits for one of five predefined packets meeting highly specific conditions, which act like an activation phrase. When a packet meeting one of these presets is received, the program will spawn a reverse shell connected to the attacker's IP address, through the port specified in the magic packet.

The technique works because it circumvents the already limited methods defenders have for picking up on edge malware. In a typical infection, Adamitis says, "If you're able to monitor traffic from a firewall or router, you can see that there is a beacon that occurs at a set interval. And if you perform a time series analysis, you can see activity continuously occurring with that interval, and it kind of stands out. With something like this, you don't have that consistent call out. This will evade that form of detection."

Related:Automox Releases Endpoint Management With FastAgent

A J-magic attack isn't entirely complete upon reception of the magic packet, though. To confirm that the handler is the intended attacker — not just some passerby trying to piggyback on their work — cd00r sends out a "challenge" string encrypted with a hardcoded public key. Only if the attacker passes this test — by returning the string back using their associated private key — do they obtain control over the reverse shell, and with it the power to control the infected device, steal enterprise data, and deploy further malware.

Evidence of these J-magic infections dates back to September 2023, but the majority of cases appear to have popped up in the spring and summer of 2024. In that year or so, cd00r spread to the US, the UK, Russia, Norway, India, and more countries in between, affecting organizations in construction, bioengineering, insurance, and IT services, among others.

**Blind Spot in Edge Network Cybersecurity**

Easily overlooked is the fact that cd00r, though updated with new features, is a 25-year-old program. It was originally developed and released in 2000, as a proof-of-concept (PoC) for an "invisible" backdoor, on the information security website Packet Storm.

Related:15K Fortinet Device Configs Leaked to the Dark Web

That such an old, and in some ways atavistic, malware would still suffice in 2025 speaks to just how much attackers can get away with in edge networks.

"On your corporate laptop, you probably have Windows Defender and something from your favorite EDR vendor. There tend to be a lot of vendors for end-user workstations, but edge devices don't really seem to have anything on them. So by living in those blind spots, attackers are able to get away with using this 20-year-old malware, because there's no one and nothing on that particular device to actually capture that sort of user interaction," Adamitis says.

"The reporting around these kinds of enterprise-grade routers tends to be a lot more sparse," he adds. "What we're trying to say is: We think there might be this low visibility spot in the perimeter."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Black 'Magic' Targets Enterprise Juniper Routers With Backdoor

iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

After TikTok was briefly banned in the US last weekend, an unusual phenomenon unearthed. Reportedly, people are selling iPhones that have TikTok installed for up to $25,000.

This may require some explanation, so bear with me.

TikTok has had a rough time in the US the last weeks. The ban we mentioned originates from back in March, when the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

Despite an overruled emergency injunction to stop or postpone the planned ban on the platform in the US, the ban took effect on January 19.

But TikTok’s messaging was clear, they were coming back.

> “Sorry TikTok isn’t available right now
> 
> A law banning TikTok has been enacted in the U.S. Unfortunately that means you can’t Use TikTok for now.
> 
> We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!

And it was indeed back for millions of US users as of January 19 and 20. That is to say, for those that had the app installed.

Update 3

> Welcome back!
> 
> Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.!
> 
> You can continue to create, share, and discover all the thing you love on TikTok.

However, anyone that deleted or never had the app installed are unable to download it as the Apple and Google app stores in the US still don’t have it available. And despite an executive order to delay enforcing the ban, it is unclear when it will be available for download again.

**Second hand iPhones for sale**

Some people have seized on this as a money-making opportunity, selling their iPhones for thousands of dollars on eBay. But is that a smart thing to do?

According to Apple’s Support pages, there is a recommended procedure to follow before you sell, give away, or trade in your iPhone or iPad. One of those steps is to **Erase All Content and Settings**. From that page:

> “When you tap **Erase All Content and Settings**, it completely erases your device, including any credit or debit cards you added for Apple Pay and any photos, contacts, music, or apps. It will also turn off iCloud, iMessage, FaceTime, Game Center, and other services. Your content won’t be deleted from iCloud when you erase your device.”

If you want to leave an app like TikTok behind, you will have to manually erase all the other items on that list to make sure the buyer will not get hold of other private information about you. This is tough to do and is highly likely you would leave some of your data behind.

If you’re considering buying a second hand iPhone so you can use TikTok, how can you be sure that TikTok is the only thing that’s left behind? I wouldn’t put it past cybercriminals to sell devices they can still access, or even malware.

Another bad idea is to roam the internet for unofficial TikTok apps (in the form of IPA or APK files). Installing an unsigned app requires a jailbreak and it can pose significant risks to your device and personal data. Files from unreliable sources may contain malware, spyware, or information stealers and, once installed, these malicious programs can compromise your device’s security.

My advice would be to exercise some patience. TikTok may well reappear in app stores or it’ll be completely removed from access, so everyone will be in the same boat.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Warning: Don&#8217;t sell or buy a second hand iPhone with TikTok already installed 

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

Source: JHVEPhoto via Alamy Stock Photo

Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, CVE-2024-55591. For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding CVE-2022-40684, an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the autological FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests. In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit, a template for scanning for vulnerable devices, and watched as exploitation attempts climbed and climbed.

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), the threat actor(s) decided to leak it in 2025."

Related:Extension Poisoning Campaign Highlights Gaps in Browser Security

**Possible Clues to Belsen Group's Origins**

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago). The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is represented in the data, except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

Related:Trend Micro and Intel Innovate to Weed Out Covert Threats

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

**What's the Cyber-Risk?**

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials. According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, CVE-2018-13379.

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Related:Zivver Report Reveals Critical Challenges in Email Security for 2025

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a security analysis published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor's disclosure is small," it explained.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

15K Fortinet Device Configs Leaked to the Dark Web

A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.

Source: Daniren via Alamy Stock Photo

A suspected Russia-nexus threat actor has been executing convincing spear phishing attacks against diplomatic entities in Kazakhstan.

UAC-0063, active since at least 2021, was first documented by Ukraine's Computer Emergency Response Team (CERT-UA) in 2023. With medium confidence, CERT-UA tied it to APT28 (aka Fancy Bear, Forest Blizzard, Strontium, Sofacy), from the General Staff Main Intelligence Directorate (GRU) Military Unit 26165. APT28 is best known for its high-profile attacks against Western governments: the Democratic National Committee (DNC) hack of 2016, campaigns against parliamentary bodies in Germany, Norway, and the Netherlands, and much more.

UAC-0063, specifically, has used cyber operations to collect intelligence from government entities, nongovernmental organizations (NGOs), academic institutions, and energy and defense organizations in Eastern Europe — most notably Ukraine — as well as Central Asia, including Kazakhstan, Kyrgyzstan, Tajikistan, and other countries in the vicinity, including Israel and India.

Its latest ongoing campaign, which, in a blog post, researchers from Sekoia date back to at least 2022, may fold into a broader effort by Vladimir Putin's government to gain strategic insights into, and advantage over, a former Soviet state that has sought to broaden its diplomatic horizons in recent years.

**Phishing Kazakh Diplomats**

On Oct. 16, 2024 — one month after it'd been deployed in the wild — researchers spotted a diplomatic document uploaded to VirusTotal. It appeared to be a legitimate draft of a joint declaration between the chancellor of Germany and heads of Central Asian countries.

"The first step, when you open this document, is that it asks you to enable macros," recalls Amaury Garçon, cyber threat intelligence (CTI) analyst at Sekoia Threat Detection & Research (TDR), adding that the document was obscured by "shapes" at first sight. "Some phishing documents look really ugly or have a bad shape \[at first\] — they prompt the user to enable macros, because if you don't enable macros you can't write text in the document, can't move images, etc.," he notes.

Clicking "enable" would trigger various malicious, unseen commands on a target device. While the user was made privy to the full, unadulterated lure document, in the background their security settings would be downgraded so as to remove the need for future "enable macros" prompts. Next a second, blank document was created and opened by a hidden instance of Microsoft Word. The Visual Basic (VB) code associated with this hidden document — now enabled by default, of course — dropped and executed a malicious HTML application (HTA) containing a backdoor named "HatVibe."

The purpose of HatVibe is to receive and execute code from a remote server. Though Sekoia couldn't identify the payloads associated with this phishing campaign, CERT-UA has previously observed HatVibe downloading and executing a more complex Python backdoor named "CherrySpy."

**What This Means for Kazakhstan and Russia**

Six weeks after researchers spotted the first VirusTotal upload associated with this campaign, on Nov. 27, Putin went on a two-day state visit to the country he deemed Russia's "true ally," Kazakhstan. He and Kazakhstan's president, Kassym-Jomart Tokayev, used the opportunity afforded by the Collective Security Treaty Organization (CSTO) summit to discuss various areas for economic partnership — particularly around the energy sector — and signed agreements over energy, education, and transportation.

"Central Asia is a real point of interest for Russian influence," Maxime Arquillière, senior CTI analyst at Sekoia TDR explains. "We know that Kazakhstan is a close ally, but since the beginning of the Ukraine war, Kazakhstan has distanced itself a little bit from Russia, trying to develop new connections with both Western states and also China."

Kazakhstan's centrality in the Asian continent positions it nicely as a trade bridge between China and Europe, particularly while Ukraine and Russia are consumed by war. And as Sekoia notes in its blog, the country's gradually broadening geopolitical ties are evident in recent agreements with Mongolia and Afghanistan's new Taliban government, and, most notably, its balanced position on the war in Ukraine — supporting Ukraine's right to territorial integrity without outright condemning Russia's invasion.

This latest cyber campaign, then, fits neatly into Russia's broader initiatives with regard to its Central Asian neighbor. Sekoia identified 11 lure documents in all, each one legitimate and likely having originated with Kazakhstan's Ministry of Foreign Affairs, pertaining to diplomatic business between Kazakhstan and potential partner nations.

Exactly how the threat actor obtained these documents is not known. They include, for example:

*   Letters from Kazakhstan's embassies in Afghanistan and Belgium, regarding diplomatic and economic developments.
    
*   A draft of a joint statement between Germany and Central Asian states, following a Sept. 16, 2024, summit in Astana.
    
*   Administrative reports and briefings on the Kazakh president's visits to Mongolia and New York.
    

"It's really coherent with the \[need for\] Russian intelligence to conduct this kind of cyber espionage, to know about the strategic interests between Kazakhstan and European states," Arquillière says.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Tag

#apple