Kaspersky’s Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate…

Kaspersky’s Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate open-source projects, GitVenom steals credentials, cryptocurrency, and more.

In modern software development, open-source code is crucial as it offers a vast library of projects for developers to avoid redundant work and accelerate project completion. However, this widespread availability has attracted malicious actors, including state-sponsored groups and cybercriminals, who exploit the model to distribute malware.

A recent campaign, dubbed GitVenom, targeting GitHub users with deceptive projects exemplifies this trend, as detailed in Kaspersky’s Securelist latest research authored by Georgy Kucherin and Joao Godinho.

GitVenom involves the creation of numerous fake repositories on GitHub, masked as legitimate projects. These repositories contain malicious code disguised within seemingly useful tools, such as Instagram automation software, a Telegram Bitcoin wallet bot, and a Valorant hacking tool. 

Researchers observed that the perpetrators have invested significant effort in making these repositories appear genuine. They utilize well-crafted README.md files, potentially generated with AI assistance, providing project descriptions and compilation instructions.  Furthermore, they employ tactics like adding numerous tags and artificially inflating commit counts through timestamp manipulation to enhance the illusion of authenticity.

Excerpts from README.md pages describing fake projects (Source: Kaspersky’s Securelist)

Interestingly, the malicious code within these projects varies depending on the programming language used, which includes Python, JavaScript, C, C++, and C#.  While the projects promise specific functionalities, they ultimately perform meaningless actions and harbour hidden malware.

In Python projects, for example, malicious code is concealed within lengthy lines of tab characters (around 2000), which then decrypt and execute a secondary Python script.  JavaScript projects feature malicious functions invoked from the main file, while C, C++, and C# projects embed malicious batch scripts within Visual Studio project files, configured to run during the build process.

Despite the diverse implementation, the payloads share a common objective: to download additional components from a designated attacker-controlled GitHub repository.  These components include a Node.js information stealer designed to harvest sensitive data like passwords, banking details, credentials, cryptocurrency wallet information, and browsing history.  This data is then compressed and exfiltrated to the attackers via Telegram. 

Additionally, the downloaded components often include remote administration tools like AsyncRAT and Quasar RAT, enabling attackers to seize control of compromised systems.  A clipboard hijacker is also deployed, designed to replace cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, redirecting funds to the perpetrators.  One such Bitcoin wallet associated with this activity received about 5 BTC (485,000 USD) in November 2024.

The GitVenom campaign has been active for at least two years, and its effectiveness is evident in the global reach of infection attempts, with a concentration in Russia, Brazil, and Turkey. Given the popularity of code-sharing platforms like GitHub, malicious actors will continue to exploit this avenue. 

Therefore, exercising caution with third-party code is crucial. Thoroughly examining the actions performed by any code before execution or integration is essential for identifying fake projects and preventing compromise.

Hackers Exploit Fake GitHub Repositories to Spread GitVenom Malware

Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.

Employment screening company DISA Global Solutions has filed a data breach notification after a cyber incident on their network.

DISA says a third party had access to its environment between February 9, 2024, and April 22, 2024. The attacker may have accessed over three million files containing personal information.

DISA is a third-party administrator of employment screening services, including drug and alcohol testing and background checks. DISA discovered the breach on April 22, 2024, and has since conducted an investigation with the help of third-party forensic experts.

This is one of these cases where a company most people have never heard of has amassed a mountain of information about many people. These data brokers gather information from several sources and sell them on to interested buyers. DISA provides these services to over 55,000 companies.

During the investigation, DISA was unable to determine the specifics of the stolen data, but everyone whose data may have been compromised will get a detailed breach notification letter, specifying the type of data.

This letter will also include details about free access to 12 months of credit monitoring and identity restoration services through Experian for which you must enrol by June 30, 2025.

Given the field that DISA is active in, that information could interest cybercriminals for use as background information for targeted phishing attempts or extortion. The Massachusetts breach report tracker that at least some Social Security Numbers were involved.

SSN Breached: yes

DISA states that it’s not aware of any attempts to abuse the stolen information:

> “While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Background check provider data breach affects 3 million people who may not have heard of the company 

An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.

A Bangladeshi worker was eager to get started at their new OpenAI job—completing basic online tasks in exchange for consistent income, while getting into cryptocurrency investing at the same time. After connecting with the startup on Telegram and creating an account through a ChatGPT\-branded app, they invested crypto into the platform and began a months-long job working for “Aiden” from “OpenAI.”

The work was performed through the website “OpenAi-etc,” and internal conversations were held on Telegram. It was simple: Invest some crypto, complete a few tasks, and earn daily profits based on what was invested.

Over the course of this worker’s time with the company, mentors continuously encouraged them to invest more money into the fund and recruit more Bangladeshi people to the team. When the worker convinced over 150 to join and the mentors split the growing team of “brokers” into a hierarchy based on seniority, it all felt very real. The total crypto-investment fund for their team was around $50,000. After a devastating cyclone hit Bangladesh in May, company leaders supposedly helped those in need, further earning the trust of employees.

All seemed well until the morning of August 29, 2024, when everyone woke up to find that the website, all of their money, Aiden, and the other fake OpenAI employees had vanished overnight. The job, of course, was never with OpenAI at all, former workers say.

“I’ve seen similar scams where, at the beginning, you think you are making profit, and then basically you invest more and more,” says Shirin Nilizadeh, an associate professor at the University of Texas at Arlington who focuses on security and privacy. “Then, suddenly, you lose everything.”.

The story of the scammed “OpenAI” worker is from just one of 11 complaints about OpenAi-etc submitted to the US Federal Trade Commission by workers from Bangladesh last year, seven of which mention “Aiden.” Analysis of the complaints, obtained by WIRED through a public records request, reveal a potentially widespread job scam that used OpenAI’s name recognition to allegedly trick low-wage workers out of their savings. While some people describe getting started with OpenAi-etc in June or July, others believed they were working for the company for around six months.

The first FTC complaint obtained by WIRED, lodged over two months before the August 29 rug pull, says the complainant was invited by OpenAi-etc to invest around $170 in crypto. The person mentions an American registration number for the business, confirming it was in good standing with Colorado regulators and listing a physical office in Denver. The complaint also highlights a legitimate-looking money service business registered with the US Treasury’s Financial Crimes Enforcement Network, which lists the company’s location as an office inside the Empire State Building in New York City.

A WIRED review of domain name system records for the now-defunct OpenAi-etc website shows that it appears to have been hosted by a China-based web hosting company.

Jay Mayfield, a senior public affairs specialist at the FTC, declined WIRED’s request to confirm whether the group is looking into OpenAi-etc, saying that investigations are nonpublic. Mayfield did not answer additional questions about what steps the FTC is taking to prevent similar scams or provide better assistance for international victims.

“Regrettably, I found no available source online to know more about this organization except for those registrations,” wrote the complainant. “They are collecting huge amounts of investment from third world countries in Asia.”

One of the FTC complaints alleges that over 6,000 people in Bangladesh were potentially impacted by the OpenAi-etc job scam. The ages listed in the FTC complaints range from teenagers to people in their fifties, with locations spread across multiple Bangladesh cities, from Dhaka to Khulna.

“My next trading date was 29 August, 2024,” wrote another complainant. “I made the trade with my whole amount in the evening. But, suddenly, the OpenAI company vanished. I didn’t withdraw any money but lost both capital and profit. Now, I am in a great economic crisis, as I am a normal school teacher.”

Niko Felix, a spokesperson for OpenAI, declined to answer questions about whether the startup was previously aware of the “OpenAi-etc” scam, or if they planned to take action against the fraudsters. But he did share that OpenAI is investigating the matter. The alleged scam website is no longer available online, and WIRED was not able to contact the people behind "OpenAi-etc" prior to publication.

A Telegram spokesperson using the name Remi Vaughn tells WIRED that the company monitors its platform for scams, such as those allegedly carried out by OpenAi-etc, which used the messaging app to communicate with people who believed they were working for the company.

"Telegram actively moderates harmful content on its platform, including scams," Vaughn says in a statement sent to WIRED through the messaging platform. "Moderators empowered with custom Al and machine learning tools proactively monitor public parts of the platform and accept reports from users and organizations in order to remove millions of pieces of harmful content each day."

The usual pattern of a crypto job scam is to trick people into depositing some kind of digital currency into a fake account the victim believes they have control over, until the perpetrator drains it one day without warning. While this specific rug pull used OpenAI’s branding to allegedly dupe its victims, a crypto job scam can happen with the name of any company that has enough widespread recognition for criminals to capitalize on.

“These social engineering scams are designed to lower our natural suspicion and to make us complicit in our own deception,” says Arun Vishwanath, a cybersecurity expert and author of _The Weakest Link_. “For job scams, they try to turn our ambitions and inherent trust in brands into a vulnerability.” Similar to so-called pig butchering investment scams, a key component often includes direct messages over a long period of time to cultivate a sense of trust with the targets.

Although comparable job scams happen all over the world, Vishwanath believes that Asian cultural norms of so-called high power distance, where there’s more acceptance of interpersonal hierarchies, are a contributing factor. "Authorities are expected to ask you things and make you do things," he says. "And you just comply." Scammers are taking advantage of this by imitating authority figures and leaning into the sense of urgency inherent to searching for a job.

Bangladeshi citizens on the difficult hunt for reliable work have increasingly been targeted by job scammers in recent years. Lies about international job opportunities have left throngs of would-be workers stranded in Malaysia, and at least three cases of kidney organ theft were reported by people lured to India with false promises of work.

‘OpenAI’ Job Scam Targeted International Workers Through Telegram

There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.

Tuesday, February 25, 2025 06:17

*   There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. 
*   Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
*   Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
*   Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
*   There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.

The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces.

When we think about online safety in the context of these platforms, we often concentrate the majority of our efforts and recommendations on the threats targeting buyers. In many cases, scammers are also actively targeting the people selling items on these platforms as well. From an adversarial perspective, it makes sense to target sellers, as these are likely to be individuals with large amounts of cash sitting in their accounts as they frequently receive payments for items they sell. Likewise, adversaries can easily monitor the public listings of seller accounts to identify when high-value items are listed, as well as when they are sold, so that they can identify when a target could reasonably be expected to receive an influx of cash into their accounts. 

Likewise, many platforms train their sellers to expect frequent, unsolicited account verification prompts delivered in any number of ways, which provides the perfect pretext for scammers seeking to take advantage of this pool of targets. From a detection and analysis standpoint, these types of attacks are often difficult to effectively combat, as platform providers, intelligence analysts, and law enforcement agencies are forced to primarily rely on self-reporting from victims to quantify the scope and impact of these types of threats. Let’s break down a few examples of some of the most common scams that target the individuals or organizations selling products on online marketplaces.

We created this handy guide for you to share with anyone you know who sells online:

**Phishing and malware scams**

While some scams attempt to fraudulently steal items, others are primarily aimed at stealing financial information from sellers by leveraging the platform’s messaging feature(s) as a mechanism to directly communicate with them for the purposes of phishing or malware distribution. In some cases, phishing is used to compromise the seller account itself, enabling the attacker to manipulate listings, shipments, modify automated payout settings, and communicate with current and previous buyers to conduct additional fraudulent activities. In other cases, phishing is used to obtain financial information, such as bank account or credit card information, that can be used to steal money from the seller.

**Payout account verification scams**

In a recent example, a /r/guitarpedals user reported that they had received a suspicious direct message on their Reverb seller account. The message was crafted to appear as if it was sent from the Reverb team itself. It informs the seller that their item has sold and prompts them to complete account verification to ensure that they receive payment for the item(s) they have sold.

A hyperlink, present in the message (and shown below), attempts to leverage Reverb’s own redirection functionality to direct victims who click on the hyperlink to a malicious web server under the attacker’s control.

This technique uses percent encoding, an obfuscation technique, to mask the destination of the redirect and make it appear as if the link is pointing to the legitimate Reverb website.

This URL, when accessed, returns an HTTP/302 redirection to another attacker-controlled web server, but ultimately the victim receives the following landing page. The attacker has put effort into making sure it appears legitimate and mimics what the victim expects to see. A chat message prompts the victim to complete the verification process by following the on-screen instructions.

A “Receive Funds” button has been positioned behind the chat popup shown in the previous screenshot. When the victim clicks this button, they are presented an input form and prompted to provide the credit card information necessary to verify their desired payout account. Throughout this process, additional chat message popups are delivered to lend credibility to the process.

Since this is the account the seller would like to use to receive payments for items sold on the platform, it likely also contains any funds associated with previous sales, and will likely frequently receive lump sums when future items are sold, presenting a myriad of opportunities for attackers to monetize the account and assets within it, now or in the future. For example, if a threat actor successfully obtains credit card details for a seller account with multiple high-value items actively listed, they can simply wait until an item sells before attempting to monetize it.

Assuming the victim enters valid credit card details, a message will be displayed requesting additional information.

The additional information in this case is the balance of the account that is being “verified.” A new chat message appears, prompting the user to enter the balance in their account, presumably so that the attacker can more effectively prioritize which accounts to empty first.

Assuming the victim enters their balance information, they are presented with the following message letting them know that it will take a period of time before they notice any changes to their accounts.

At this point, the adversary has obtained credit card details that they can then monetize however they choose. It’s important to note that while this particular example targeted sellers using the Reverb platform, most other online marketplaces experience similar threats as well. We have also observed Reverb often taking rapid response actions when attempting to send messages containing percent-encoded hyperlinks, indicating that the platform is aware of the issue and has put in place some mechanisms to help reduce the frequency and quantity of these types of messages on the platform.

Reverb also presents warning messages to let users know when they are being redirected to a third-party domain, as shown in the screenshot below. 

It is important to always validate the destination of hyperlinks received from unsolicited sources and to limit access to off-platform resources when conducting business on online marketplaces.

It is also important to note that direct messaging within marketplaces is not the only mechanism used for this type of scam. Below is a screenshot of an email received by a Shopify storefront owner attempting to convince them to verify their payout account information, similar to the previous example described above.

Below is another example. In this case, the threat actor has sent an email claiming that the seller has received a chargeback claim from a customer and prompting them to take action. Since chargebacks are often received for a variety of reasons, sellers may be more easily convinced to provide account or credit card information when prompted with a claim related to a chargeback.

If an email is received from an online marketplace, the platform will typically also provide warning messages, banners, and other mechanisms to alert sellers of the same issue. In the case that a seller receives an unexpected email related to payment issues, sellers should attempt to resolve issues directly on the platform rather than accessing content or responding to the email. 

**Scams to remove seller protection**

When selling new or used items using online marketplaces, one of the most important elements influencing platform and payment method selection for many people are the seller protection policies in place. These policies often provide protection from common types of fraudulent claims that may be made by buyers, such as non-receipt, damage, etc. In order to remain in effect, they generally require both the buyer and seller to perform the transaction following certain requirements that enable proper resolution should an issue arise. 

In an effort to remove these protections and make it easier to successfully monetize their scam(s), scammers posing as buyers will often attempt to convince sellers to conduct portions of the transaction “off-platform,” as this will void the protection policy that would otherwise be in place using a variety of different pretexts and themes. Likewise, some scammers target the shipping part of the transaction process, attempting to convince sellers to modify the shipping to void the seller protection policy afforded by the platform. By removing the ability for the seller to leverage the protection policy afforded by the platform used to sell the item, many of the normal recourse steps usually taken when dealing with fraudulent buyers are no longer available to the seller.

**Off-platform transactions**

Scammers also frequently use a variety of pretexts to attempt to convince sellers to perform the financial transaction associated with an item purchase using third-party platforms separate from the one on which an item was originally listed. They will attempt to trick victims into moving to an alternative mechanism for performing the transaction so that the seller loses most of the protection(s) afforded by the marketplace. 

In many cases, scammers will use additional pressures, such as time sensitivity, urgency, or manipulated screenshots showing failed transaction attempts, to convince sellers to perform transactions using alternative means, such as wire transfers or money transfer platforms, where seller protections are limited and—in the case of fraud—most recourse options are no longer available. 

There are countless examples of different pretexts being used in varying capacities, all ultimately for the same purpose, to convince sellers to leave the marketplace to perform the transaction elsewhere so that seller protections against fraudulent activity on the part of the buyer are removed.

**Shipment detail changes**

Since a seller account’s past and current item listings are easily accessible from the seller’s profile, it is easy for adversaries to leverage information contained within these listings (**_including photos_**) when building pretexts that are used to target the individual operating the seller account. One common way that adversaries leverage this information is by tailoring their messaging to account for both active and recently sold listings related to the seller they are communicating with. 

In the screenshot below, a scammer is contacting sellers on Ebay claiming to be an individual who purchased an item recently sold by the seller(s). The scammer hopes that by timing their message properly, they can take advantage of sellers who may not be paying close attention to the username listed in the message. For many sellers who are managing large numbers of listings, it can often be overwhelming to maintain many different streams of communication and/or multiple transactions simultaneously, leading them to respond quickly or otherwise take action (like modifying shipping instructions) without properly validating the content of the message.

Online reports indicate that it is not uncommon to receive these types of unsolicited messages, regardless of whether a seller has recently sold an item, which may be due to some level of automation being used to generate and transmit the messages. 

If the seller is convinced to change the destination address for the shipment due to receipt of one of these scam messages, the item that was sold may be shipped to an address under the attacker’s control. The attacker is then able to monetize the item while the original buyer does not receive the item that they purchased. Many of the protections afforded by online marketplace are lost when the shipping address used does not reflect what was present on the order at time of purchase, opening the seller to additional exposure as the buyer’s loss will still need to be resolved.

**The "friends and family" option**

Social media sites like Reddit have become very popular for posting used items to solicit interest from other users of a given subreddit. In some subreddits, there are even official or unofficial “Want to Buy / Want to Sell” (WTB/WTS) threads, where users can list items they are selling or items they would like to purchase. This creates an ideal pool of potential victims for scammers seeking to target users of these platforms.

Since Reddit is not an online marketplace, the transactions associated with this activity typically take place using money transfer platforms, such as Paypal, Zelle, or Venmo. Scammers will often leverage compromised accounts on these money transfer platforms when communicating with sellers (or buyers), often attempting to convince them to use the “friends and family” (or equivalent) payment option available on many of these platforms. Often, sending or receiving money with this option enabled removes many of the mechanisms in place to protect sellers from chargebacks and other fraudulent activity. Sellers should never enable this option when processing payments for goods they may sell via online marketplaces, social media sites, or in any transaction where protection against fraud is desired. 

In some cases, this method may be combined with other methods seeking to convince sellers to perform transactions outside of established platforms, then once the seller has agreed, scammers can leverage this option to further remove seller protections.

**Recommendations**

Most of the online literature related to defending against the scams pervasive on online marketplaces is geared towards the buyer experience. Recent trends in social media reporting indicate that sellers are also being increasingly targeted. While some of the scams faced by sellers resemble those faced by buyers, there are many that are unique. It is important that individuals or organizations leveraging online storefronts and/or marketplaces be aware of these threats so that they can prevent themselves from falling victim. 

It is extremely important that online marketplace accounts be protected with multi-factor authentication (MFA) whenever the platform supports this capability. This will provide an enhanced layer of security in cases where the account credentials are compromised as an additional authentication factor will still be needed to successfully access the account. 

When posting listings for items, be mindful of any photos that accompany the listing. Not unlike posting images to other social media platforms, items or objects in the background may unintentionally disclose sensitive information that could be used for malicious purposes. The information provided could also be leveraged to create more convincing or effective pretexts for later scam activities targeting the seller(s).

Avoid using third party services or platforms when conducting business transactions on online marketplaces. Take advantage of the protections afforded by the platform and avoid taking any actions that may jeopardize them. Reasonable buyers will be willing and able to conduct business following the standard platform transaction process. Sellers should avoid feeling pressured or worried about losing a sale and insist that the transaction take place in accordance with the policies of the online marketplace platform.

Verify the account associated with any messages received on online marketplaces. Always spend the time to validate that the message was actually received from the account of the buyer who purchased any recently sold items. Likewise, most platform support teams will not contact users via direct messaging for account verification or other sensitive processes as most of the time, these processes are directly supported by the platform itself. If a seller receives a direct message purporting to be from the platform itself, caution should be exercised and the message should be validated by contacting the support team separately using the information published on the marketplace website.

Sellers should also avoid modifying destination shipping addresses after orders have been placed. If a buyer asks to change the shipping address for an item they recently purchased, sellers should consider suggesting that they change their address using the online marketplace itself and contact support facilitate the change prior to shipping. This helps ensure that the seller is not deviating from the order that was placed, and helps ensure that they do not lose the seller protections afforded by the platform.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here.

Your item has sold! Avoiding scams targeting online sellers

Cary, NC, 25th February 2025, CyberNewsWire

**Cary, NC, February 25th, 2025, CyberNewsWire**

 INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition as an enterprise and small business leader in online course providers and cybersecurity professional development, along with its designation as the recipient of G2’s 2025 Best Software Awards for Education Products. This category of awards ranks the world’s top 50 software education products based on authentic reviews from more than 100 million G2 users. 

> “We are thrilled to be recognized for a second consecutive year by G2’s Best Software Awards,” said Dara Warn, CEO of INE. “This is not only a testament to INE’s robust educational offerings but also underscores our dedication to empowering enterprise teams and professionals with the skills they need to thrive in a challenging digital landscape. We are proud to set the standard for quality and effectiveness in cybersecurity and technical education, as evidenced by the success of our students.”

G2’s Best Software Awards rank the world’s best software companies and products based on verified user reviews and publicly available market presence data. Fewer than 1% of vendors listed on G2 are named to the list. 

> “The 2025 Best Software Award winners represent the very best in the industry, standing out for their exceptional performance and customer satisfaction. The stakes for choosing the right business software are higher than ever,” said Godard Abel, co-founder & CEO at G2. “With over 180,000 software products and services listings and 2.8 million verified user reviews in the G2 marketplace, we’re proud to help companies navigate these critical choices with insights rooted in authentic customer feedback. Congratulations to this year’s honorees!”

G2 badges, released quarterly, recognize INE’s strong performance compared to competitors in specific areas, including its enterprise cybersecurity training and certification offerings, the depth and breadth of its online learning library, and global impact. INE earned the following G2 badges for Winter 2025:

*   **Fastest Implementation, Online Course Providers**
*   **Leader, Cybersecurity Professional Development**
*   **Leader, Online Course Providers**
*   **Leader, Technical Skills Development**
*   **Enterprise Leader, Online Course Providers**
*   **Small Business Leader, Online Course Providers**
*   **Leader, Asia Online Course Providers**
*   **Leader, Asia Pacific Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Momentum Leader, Online Course Providers**
*   **Small Business High Performer, Technical Skills Development**
*   **High Performer, India Online Course Providers**
*   **High Performer, Europe Online Course Providers**
*   **High Performer, Asia Technical Skills Development**

INE was recently named to Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications. The list showcases some of the best ethical hacking certifications for cybersecurity professionals. 

In reviewing the eCPPT, reviewers noted: 

*   The realistic experience
*   A robust training program
*   Its credentials to boost employability in Europe (specifically noted as “remarkable”). 

In reviewing the eWPTX, reviewers applaud: 

*   The challenging nature of the exam
*   Requiring advanced methodologies and skills in creating exploits that “modern tools couldn’t fathom.” 

With a suite of the best cybersecurity certifications and training programs designed for teams and individuals, INE continues to lead in developing cybersecurity professionals equipped with real-time, hands-on experience to manage cyber threats and security incidents. Our award-winning cybersecurity software and comprehensive training in network security, cloud security, and risk management, prepare learners to become certified ethical hackers (CEH), certified information systems security professionals (CISSP), and more, solidifying our reputation as the trusted partner in cybersecurity excellence and threat intelligence.

**About INE:** 

INE is the premier provider of online technical training for the IT industry. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering the most advanced technical training on the planet, while also lowering the barriers worldwide for those looking to enter and excel in an IT career. 

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Secures Spot in G2’s 2025 Top 50 Education Software Rankings

In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.

This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called

The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning— that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play, by loading a WebView to redirect users to an external website from where they could download the app hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But when the apps are installed, they steal information from the victim’s device that can be used to blackmail the victim. Especially when they miss any payments on the loan.

Among the stolen information are listed contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail 

### Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

### Patches
Version 4.0.5 fixes this issue

### Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

### References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

**Impact**

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

**Patches**

Version 4.0.5 fixes this issue

**Workarounds**

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

**References**

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

**References**

*   GHSA-c6gw-w398-hv78
*   golang/go#71490
*   go-jose/go-jose@99b346c
*   https://go.dev/issue/71490

GHSA-c6gw-w398-hv78: DoS in go-jose Parsing

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-wr88-x8cm-7cgq: Moodle has a stored XSS risk in admin live log

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

Tag

#auth