### Impact
The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user.

### Patches
The vulnerability has been patched in matrix-appservice-irc version 3.0.4.

### For more information
If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-27146

**Matrix IRC Bridge allows IRC command injection to own puppeted user**

**Package**

npm matrix-appservice-irc (npm)

**Affected versions**

< 3.0.4

**Description**

**Impact**

The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user.

**Patches**

The vulnerability has been patched in matrix-appservice-irc version 3.0.4.

**For more information**

If you have any questions or comments about this advisory, please email us at security at matrix.org.

**References**

*   GHSA-5mvm-89c9-9gm5
*   matrix-org/matrix-appservice-irc@74f02c8

Published to the GitHub Advisory Database

Feb 25, 2025

Last updated

Feb 25, 2025

**EPSS score**

GHSA-5mvm-89c9-9gm5: Matrix IRC Bridge allows IRC command injection to own puppeted user

Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to…

Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to protect your assets with secure wallets and best practices.

Cryptocurrency has revolutionized finance forever, but it has also exposed users to cybercriminals and scams. From large-scale exchange breaches to malicious wallets sneaking into app stores, the risks are growing. If you’re in crypto, securing your assets is no longer optional; it’s a necessity.

****The Bybit Hack: A Wake-Up Call****

Just recently, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a massive security breach. Hackers from the North Korean Lazarus Group managed to steal $1.4 billion in assets, once again proving that even well-established platforms are vulnerable. While Bybit has since taken action to reinforce security, this incident clearly shows why leaving funds on exchanges is a risk.

But, it’s not just ByBit. No exchange is “unhackable”. Even giants like Binance, KuCoin, and Mt. Gox have suffered devastating hacks in the past. These breaches highlight the importance of self-custody; if you don’t control your private keys, you don’t fully own your crypto.

****Malicious Wallets: A Silent but Growing Threat****

While exchange hacks grab headlines, a more stealthy and growing problem is the rise of fake and malicious crypto wallets on iOS and Google Play Store. These malicious apps pose as legitimate wallets but are designed to steal funds the moment users deposit their assets.

Researchers have found a surge in these fraudulent wallets, often disguised as clones of popular apps. They look identical to trusted wallets like MetaMask, Trust Wallet, or Coinbase Wallet, tricking unsuspecting users into transferring their funds straight to hackers.

This issue isn’t just limited to scam wallets, even some browser extensions and fake dApps have been caught injecting malicious scripts to drain wallets. The takeaway? Never download a crypto wallet without verifying its authenticity through the official website or developer page.

****A Booming Crypto Market Means More Targets for Hackers****

According to researchers at Best Wallet, a popular crypto wallet, as of January 2025, approximately 562 million people worldwide own cryptocurrencies, with 28% of adults in the United States, equating to 65 million people, holding crypto.

With such rapid adoption, hackers have more targets than ever. From phishing scams to SIM swap attacks, crypto theft is at an all-time high. If you own crypto, taking cybersecurity seriously is no longer an option, it’s a must.

****How to Protect Your Crypto From Hacks & Scams****

Securing your cryptocurrency is essential in an era of increasing cyber threats. Here are some must-follow security tips to protect your digital assets from hacks and scams.

****1\. Use a Reliable Crypto Wallet****

One of the safest ways to store your crypto is by using a self-custodial wallet. Avoid keeping funds on exchanges, as they are frequent targets for hackers. Instead, opt for hardware wallets like Ledger, Trezor, or Coldcard, which provide offline storage and enhanced security.

If you prefer a mobile or desktop wallet, stick to reputable providers such as MetaMask, Trust Wallet, or Exodus. However, before downloading any wallet, always verify the source; ensure it’s from the official website or developer page to avoid fake apps.

****2\. Enable Multi-Factor Authentication (MFA)****

Adding an extra layer of security with Multi-Factor Authentication (MFA) can protect your exchange and wallet accounts. Use Google Authenticator, YubiKey, or similar tools to prevent unauthorized access.

Avoid using SMS-based 2FA, as it’s vulnerable to SIM swap attacks, where hackers hijack your phone number to gain control of your accounts.

****3\. Beware of Phishing Attacks****

Phishing remains one of the most common tactics used by cybercriminals. Hackers often impersonate wallet providers or exchanges, tricking users into entering their credentials on fake websites or downloading malware-infected software.

To stay safe, always type the official website URL yourself instead of clicking on links sent via email or messages. If an offer or security alert seems suspicious, double-check with the official source before taking any action.

****4\. Keep Private Keys & Seed Phrases Offline****

Your private keys and seed phrases are the most critical elements of your crypto security. Never store them digitally or on cloud storage, as they can be easily compromised. Instead, write them down on paper and keep them in a secure location.

For even greater security, consider using metal backup storage instead of paper. This protects your seed phrase from damage due to fire, water, or physical deterioration.

****5\. Regularly Update Your Security Software****

Keeping your wallet software, antivirus, and operating system updated is crucial for patching security vulnerabilities. Cybercriminals exploit outdated software to gain access to systems, so regular updates help keep your assets safe.

Additionally, consider using privacy tools like VPNs and hardware firewalls to enhance your online security. These tools help protect against tracking, phishing attempts, and potential malware attacks targeting crypto users.

The Bybit hack and the rise of malicious crypto wallets show that crypto security is more critical than ever. If you own crypto, you’re a target, but with the right precautions, you can keep your funds safe.

Remember: Not your keys, not your crypto. Invest in a secure, reliable wallet, stay cautious with online downloads, and always double-check security measures before making transactions.

_**Editor’s Note:** This article is for informational purposes only and does not constitute investment or financial advice. Always do your own research before making financial decisions._

Crypto and Cybersecurity: The Rising Threats and Why Reliable Wallets Matter

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.

For instance, `?text=<svg/onload=alert(1)>` would trigger XSS here.
```js
  const [text] = createResource(() => {
    return new URL(getRequestEvent().request.url).searchParams.get("text");
  });

  return (
    <>
      Text: {text()}
    </>
  );
  ```

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-27109

**Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)**

High severity GitHub Reviewed Published Feb 21, 2025 in solidjs/solid • Updated Feb 25, 2025

**Package**

npm solid-js (npm)

**Affected versions**

< 1.9.4

**Description**

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.

For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.

  const \[text\] \= createResource(() \=> {
    return new URL(getRequestEvent().request.url).searchParams.get("text");
  });

  return (
    <\>
      Text: {text()}
    </\>
  );

**References**

*   GHSA-3qxh-p7jc-5xh6
*   https://nvd.nist.gov/vuln/detail/CVE-2025-27109
*   solidjs/solid@b93956f

Published to the GitHub Advisory Database

Feb 25, 2025

Last updated

Feb 25, 2025

GHSA-3qxh-p7jc-5xh6: Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)

### Impact

Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are influenced.

LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.

### Patches

None.

### Workarounds

None.

### References

- [This code segment](https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164) didn't validate a JWT signature.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-mcgx-2gcr-p3hp: LTI JupyterHub Authenticator does not properly validate JWT Signature

Kaspersky’s Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate…

Kaspersky’s Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate open-source projects, GitVenom steals credentials, cryptocurrency, and more.

In modern software development, open-source code is crucial as it offers a vast library of projects for developers to avoid redundant work and accelerate project completion. However, this widespread availability has attracted malicious actors, including state-sponsored groups and cybercriminals, who exploit the model to distribute malware.

A recent campaign, dubbed GitVenom, targeting GitHub users with deceptive projects exemplifies this trend, as detailed in Kaspersky’s Securelist latest research authored by Georgy Kucherin and Joao Godinho.

GitVenom involves the creation of numerous fake repositories on GitHub, masked as legitimate projects. These repositories contain malicious code disguised within seemingly useful tools, such as Instagram automation software, a Telegram Bitcoin wallet bot, and a Valorant hacking tool. 

Researchers observed that the perpetrators have invested significant effort in making these repositories appear genuine. They utilize well-crafted README.md files, potentially generated with AI assistance, providing project descriptions and compilation instructions.  Furthermore, they employ tactics like adding numerous tags and artificially inflating commit counts through timestamp manipulation to enhance the illusion of authenticity.

Excerpts from README.md pages describing fake projects (Source: Kaspersky’s Securelist)

Interestingly, the malicious code within these projects varies depending on the programming language used, which includes Python, JavaScript, C, C++, and C#.  While the projects promise specific functionalities, they ultimately perform meaningless actions and harbour hidden malware.

In Python projects, for example, malicious code is concealed within lengthy lines of tab characters (around 2000), which then decrypt and execute a secondary Python script.  JavaScript projects feature malicious functions invoked from the main file, while C, C++, and C# projects embed malicious batch scripts within Visual Studio project files, configured to run during the build process.

Despite the diverse implementation, the payloads share a common objective: to download additional components from a designated attacker-controlled GitHub repository.  These components include a Node.js information stealer designed to harvest sensitive data like passwords, banking details, credentials, cryptocurrency wallet information, and browsing history.  This data is then compressed and exfiltrated to the attackers via Telegram. 

Additionally, the downloaded components often include remote administration tools like AsyncRAT and Quasar RAT, enabling attackers to seize control of compromised systems.  A clipboard hijacker is also deployed, designed to replace cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, redirecting funds to the perpetrators.  One such Bitcoin wallet associated with this activity received about 5 BTC (485,000 USD) in November 2024.

The GitVenom campaign has been active for at least two years, and its effectiveness is evident in the global reach of infection attempts, with a concentration in Russia, Brazil, and Turkey. Given the popularity of code-sharing platforms like GitHub, malicious actors will continue to exploit this avenue. 

Therefore, exercising caution with third-party code is crucial. Thoroughly examining the actions performed by any code before execution or integration is essential for identifying fake projects and preventing compromise.

Hackers Exploit Fake GitHub Repositories to Spread GitVenom Malware

Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.

Employment screening company DISA Global Solutions has filed a data breach notification after a cyber incident on their network.

DISA says a third party had access to its environment between February 9, 2024, and April 22, 2024. The attacker may have accessed over three million files containing personal information.

DISA is a third-party administrator of employment screening services, including drug and alcohol testing and background checks. DISA discovered the breach on April 22, 2024, and has since conducted an investigation with the help of third-party forensic experts.

This is one of these cases where a company most people have never heard of has amassed a mountain of information about many people. These data brokers gather information from several sources and sell them on to interested buyers. DISA provides these services to over 55,000 companies.

During the investigation, DISA was unable to determine the specifics of the stolen data, but everyone whose data may have been compromised will get a detailed breach notification letter, specifying the type of data.

This letter will also include details about free access to 12 months of credit monitoring and identity restoration services through Experian for which you must enrol by June 30, 2025.

Given the field that DISA is active in, that information could interest cybercriminals for use as background information for targeted phishing attempts or extortion. The Massachusetts breach report tracker that at least some Social Security Numbers were involved.

SSN Breached: yes

DISA states that it’s not aware of any attempts to abuse the stolen information:

> “While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.”

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Background check provider data breach affects 3 million people who may not have heard of the company 

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to…

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to healthcare security and patient data.

Forescout’s Vedere Labs’ latest investigation, shared with Hackread.com, reveals that the notorious Chinese advanced persistent threat (APT) group, Silver Fox, has launched a sophisticated new campaign in which the group is exploiting DICOM (Digital Imaging and Communications in Medicine), commonly used for patient medical imaging, to distribute malicious software. 

The Silver Fox group has been active since at least 2024 and Hackread.com has followed its activities ever since. Initially, it focused on Chinese-speaking victims, distributing malware through various channels like SEO poisoning and social media usually disguised as AI applications or VPN software.

Over time, their targets broadened to include government institutions, cybersecurity companies, e-commerce, finance, and even gaming applications. Recent research suggests the group’s expansion into the healthcare sector, with malware samples originating from the US and Canada.

The current campaign uses trojanised versions of the Philips DICOM viewer‘s (PDF) executable file, which acts as a first-stage payload, checks connectivity to its command and control (C2) server using standard Windows commands, and uses PowerShell scripts to weaken Windows Defender’s defences. It then downloads encrypted payloads disguised as image files from an Alibaba Cloud storage bucket, which includes tools to disable antivirus software, auxiliary files, and shellcode.

The downloaded components are decrypted and a second-stage malicious executable is created, designed to persist on the system through scheduled tasks. This second stage disables security software and downloads another encrypted file, which after decryption reveals the core payload: the ValleyRAT backdoor.  

“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used to gain control of victim computers,” researchers noted in the blog post.

ValleyRAT provides attackers with extensive control over the compromised machine, potentially allowing access to sensitive hospital networks.  In addition to the backdoor, the malware also installs a keylogger to capture user input and a cryptominer to generate digital currency for the attackers. All these components are designed to persist on the system, ensuring continued operation even after reboot.

The Multi-Stage Infection Process (Source: Forescout)

The malware uses various techniques to evade detection and analysis, including obfuscation methods like API hashing and indirect retrieval, long sleep intervals, system fingerprinting, and masked DLL loading. The addition of random bytes complicates detection. Researchers found Alibaba Cloud storage buckets accessible during analysis, despite the C2 server being offline.

Researchers warn that compromised DICOM viewers pose a grave risk to healthcare delivery organizations (HDOs), as infected devices could provide an entry point into hospital networks. To mitigate these risks, HDOs should avoid downloading software from untrusted sources, restrict file loading from patient devices, implement robust network segmentation, maintain up-to-date endpoint protection, monitor network traffic, and actively search for malicious activity.

Malware Alert Icon Via Flaticon/Kliwir Art

Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software

There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.

Tuesday, February 25, 2025 06:17

*   There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. 
*   Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
*   Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
*   Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
*   There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers identify when they may be being targeted by malicious buyers while it is occurring so that they can take defensive actions to protect themselves.

The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces.

When we think about online safety in the context of these platforms, we often concentrate the majority of our efforts and recommendations on the threats targeting buyers. In many cases, scammers are also actively targeting the people selling items on these platforms as well. From an adversarial perspective, it makes sense to target sellers, as these are likely to be individuals with large amounts of cash sitting in their accounts as they frequently receive payments for items they sell. Likewise, adversaries can easily monitor the public listings of seller accounts to identify when high-value items are listed, as well as when they are sold, so that they can identify when a target could reasonably be expected to receive an influx of cash into their accounts. 

Likewise, many platforms train their sellers to expect frequent, unsolicited account verification prompts delivered in any number of ways, which provides the perfect pretext for scammers seeking to take advantage of this pool of targets. From a detection and analysis standpoint, these types of attacks are often difficult to effectively combat, as platform providers, intelligence analysts, and law enforcement agencies are forced to primarily rely on self-reporting from victims to quantify the scope and impact of these types of threats. Let’s break down a few examples of some of the most common scams that target the individuals or organizations selling products on online marketplaces.

We created this handy guide for you to share with anyone you know who sells online:

**Phishing and malware scams**

While some scams attempt to fraudulently steal items, others are primarily aimed at stealing financial information from sellers by leveraging the platform’s messaging feature(s) as a mechanism to directly communicate with them for the purposes of phishing or malware distribution. In some cases, phishing is used to compromise the seller account itself, enabling the attacker to manipulate listings, shipments, modify automated payout settings, and communicate with current and previous buyers to conduct additional fraudulent activities. In other cases, phishing is used to obtain financial information, such as bank account or credit card information, that can be used to steal money from the seller.

**Payout account verification scams**

In a recent example, a /r/guitarpedals user reported that they had received a suspicious direct message on their Reverb seller account. The message was crafted to appear as if it was sent from the Reverb team itself. It informs the seller that their item has sold and prompts them to complete account verification to ensure that they receive payment for the item(s) they have sold.

A hyperlink, present in the message (and shown below), attempts to leverage Reverb’s own redirection functionality to direct victims who click on the hyperlink to a malicious web server under the attacker’s control.

This technique uses percent encoding, an obfuscation technique, to mask the destination of the redirect and make it appear as if the link is pointing to the legitimate Reverb website.

This URL, when accessed, returns an HTTP/302 redirection to another attacker-controlled web server, but ultimately the victim receives the following landing page. The attacker has put effort into making sure it appears legitimate and mimics what the victim expects to see. A chat message prompts the victim to complete the verification process by following the on-screen instructions.

A “Receive Funds” button has been positioned behind the chat popup shown in the previous screenshot. When the victim clicks this button, they are presented an input form and prompted to provide the credit card information necessary to verify their desired payout account. Throughout this process, additional chat message popups are delivered to lend credibility to the process.

Since this is the account the seller would like to use to receive payments for items sold on the platform, it likely also contains any funds associated with previous sales, and will likely frequently receive lump sums when future items are sold, presenting a myriad of opportunities for attackers to monetize the account and assets within it, now or in the future. For example, if a threat actor successfully obtains credit card details for a seller account with multiple high-value items actively listed, they can simply wait until an item sells before attempting to monetize it.

Assuming the victim enters valid credit card details, a message will be displayed requesting additional information.

The additional information in this case is the balance of the account that is being “verified.” A new chat message appears, prompting the user to enter the balance in their account, presumably so that the attacker can more effectively prioritize which accounts to empty first.

Assuming the victim enters their balance information, they are presented with the following message letting them know that it will take a period of time before they notice any changes to their accounts.

At this point, the adversary has obtained credit card details that they can then monetize however they choose. It’s important to note that while this particular example targeted sellers using the Reverb platform, most other online marketplaces experience similar threats as well. We have also observed Reverb often taking rapid response actions when attempting to send messages containing percent-encoded hyperlinks, indicating that the platform is aware of the issue and has put in place some mechanisms to help reduce the frequency and quantity of these types of messages on the platform.

Reverb also presents warning messages to let users know when they are being redirected to a third-party domain, as shown in the screenshot below. 

It is important to always validate the destination of hyperlinks received from unsolicited sources and to limit access to off-platform resources when conducting business on online marketplaces.

It is also important to note that direct messaging within marketplaces is not the only mechanism used for this type of scam. Below is a screenshot of an email received by a Shopify storefront owner attempting to convince them to verify their payout account information, similar to the previous example described above.

Below is another example. In this case, the threat actor has sent an email claiming that the seller has received a chargeback claim from a customer and prompting them to take action. Since chargebacks are often received for a variety of reasons, sellers may be more easily convinced to provide account or credit card information when prompted with a claim related to a chargeback.

If an email is received from an online marketplace, the platform will typically also provide warning messages, banners, and other mechanisms to alert sellers of the same issue. In the case that a seller receives an unexpected email related to payment issues, sellers should attempt to resolve issues directly on the platform rather than accessing content or responding to the email. 

**Scams to remove seller protection**

When selling new or used items using online marketplaces, one of the most important elements influencing platform and payment method selection for many people are the seller protection policies in place. These policies often provide protection from common types of fraudulent claims that may be made by buyers, such as non-receipt, damage, etc. In order to remain in effect, they generally require both the buyer and seller to perform the transaction following certain requirements that enable proper resolution should an issue arise. 

In an effort to remove these protections and make it easier to successfully monetize their scam(s), scammers posing as buyers will often attempt to convince sellers to conduct portions of the transaction “off-platform,” as this will void the protection policy that would otherwise be in place using a variety of different pretexts and themes. Likewise, some scammers target the shipping part of the transaction process, attempting to convince sellers to modify the shipping to void the seller protection policy afforded by the platform. By removing the ability for the seller to leverage the protection policy afforded by the platform used to sell the item, many of the normal recourse steps usually taken when dealing with fraudulent buyers are no longer available to the seller.

**Off-platform transactions**

Scammers also frequently use a variety of pretexts to attempt to convince sellers to perform the financial transaction associated with an item purchase using third-party platforms separate from the one on which an item was originally listed. They will attempt to trick victims into moving to an alternative mechanism for performing the transaction so that the seller loses most of the protection(s) afforded by the marketplace. 

In many cases, scammers will use additional pressures, such as time sensitivity, urgency, or manipulated screenshots showing failed transaction attempts, to convince sellers to perform transactions using alternative means, such as wire transfers or money transfer platforms, where seller protections are limited and—in the case of fraud—most recourse options are no longer available. 

There are countless examples of different pretexts being used in varying capacities, all ultimately for the same purpose, to convince sellers to leave the marketplace to perform the transaction elsewhere so that seller protections against fraudulent activity on the part of the buyer are removed.

**Shipment detail changes**

Since a seller account’s past and current item listings are easily accessible from the seller’s profile, it is easy for adversaries to leverage information contained within these listings (**_including photos_**) when building pretexts that are used to target the individual operating the seller account. One common way that adversaries leverage this information is by tailoring their messaging to account for both active and recently sold listings related to the seller they are communicating with. 

In the screenshot below, a scammer is contacting sellers on Ebay claiming to be an individual who purchased an item recently sold by the seller(s). The scammer hopes that by timing their message properly, they can take advantage of sellers who may not be paying close attention to the username listed in the message. For many sellers who are managing large numbers of listings, it can often be overwhelming to maintain many different streams of communication and/or multiple transactions simultaneously, leading them to respond quickly or otherwise take action (like modifying shipping instructions) without properly validating the content of the message.

Online reports indicate that it is not uncommon to receive these types of unsolicited messages, regardless of whether a seller has recently sold an item, which may be due to some level of automation being used to generate and transmit the messages. 

If the seller is convinced to change the destination address for the shipment due to receipt of one of these scam messages, the item that was sold may be shipped to an address under the attacker’s control. The attacker is then able to monetize the item while the original buyer does not receive the item that they purchased. Many of the protections afforded by online marketplace are lost when the shipping address used does not reflect what was present on the order at time of purchase, opening the seller to additional exposure as the buyer’s loss will still need to be resolved.

**The "friends and family" option**

Social media sites like Reddit have become very popular for posting used items to solicit interest from other users of a given subreddit. In some subreddits, there are even official or unofficial “Want to Buy / Want to Sell” (WTB/WTS) threads, where users can list items they are selling or items they would like to purchase. This creates an ideal pool of potential victims for scammers seeking to target users of these platforms.

Since Reddit is not an online marketplace, the transactions associated with this activity typically take place using money transfer platforms, such as Paypal, Zelle, or Venmo. Scammers will often leverage compromised accounts on these money transfer platforms when communicating with sellers (or buyers), often attempting to convince them to use the “friends and family” (or equivalent) payment option available on many of these platforms. Often, sending or receiving money with this option enabled removes many of the mechanisms in place to protect sellers from chargebacks and other fraudulent activity. Sellers should never enable this option when processing payments for goods they may sell via online marketplaces, social media sites, or in any transaction where protection against fraud is desired. 

In some cases, this method may be combined with other methods seeking to convince sellers to perform transactions outside of established platforms, then once the seller has agreed, scammers can leverage this option to further remove seller protections.

**Recommendations**

Most of the online literature related to defending against the scams pervasive on online marketplaces is geared towards the buyer experience. Recent trends in social media reporting indicate that sellers are also being increasingly targeted. While some of the scams faced by sellers resemble those faced by buyers, there are many that are unique. It is important that individuals or organizations leveraging online storefronts and/or marketplaces be aware of these threats so that they can prevent themselves from falling victim. 

It is extremely important that online marketplace accounts be protected with multi-factor authentication (MFA) whenever the platform supports this capability. This will provide an enhanced layer of security in cases where the account credentials are compromised as an additional authentication factor will still be needed to successfully access the account. 

When posting listings for items, be mindful of any photos that accompany the listing. Not unlike posting images to other social media platforms, items or objects in the background may unintentionally disclose sensitive information that could be used for malicious purposes. The information provided could also be leveraged to create more convincing or effective pretexts for later scam activities targeting the seller(s).

Avoid using third party services or platforms when conducting business transactions on online marketplaces. Take advantage of the protections afforded by the platform and avoid taking any actions that may jeopardize them. Reasonable buyers will be willing and able to conduct business following the standard platform transaction process. Sellers should avoid feeling pressured or worried about losing a sale and insist that the transaction take place in accordance with the policies of the online marketplace platform.

Verify the account associated with any messages received on online marketplaces. Always spend the time to validate that the message was actually received from the account of the buyer who purchased any recently sold items. Likewise, most platform support teams will not contact users via direct messaging for account verification or other sensitive processes as most of the time, these processes are directly supported by the platform itself. If a seller receives a direct message purporting to be from the platform itself, caution should be exercised and the message should be validated by contacting the support team separately using the information published on the marketplace website.

Sellers should also avoid modifying destination shipping addresses after orders have been placed. If a buyer asks to change the shipping address for an item they recently purchased, sellers should consider suggesting that they change their address using the online marketplace itself and contact support facilitate the change prior to shipping. This helps ensure that the seller is not deviating from the order that was placed, and helps ensure that they do not lose the seller protections afforded by the platform.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here.

Your item has sold! Avoiding scams targeting online sellers

Cary, NC, 25th February 2025, CyberNewsWire

**Cary, NC, February 25th, 2025, CyberNewsWire**

 INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition as an enterprise and small business leader in online course providers and cybersecurity professional development, along with its designation as the recipient of G2’s 2025 Best Software Awards for Education Products. This category of awards ranks the world’s top 50 software education products based on authentic reviews from more than 100 million G2 users. 

> “We are thrilled to be recognized for a second consecutive year by G2’s Best Software Awards,” said Dara Warn, CEO of INE. “This is not only a testament to INE’s robust educational offerings but also underscores our dedication to empowering enterprise teams and professionals with the skills they need to thrive in a challenging digital landscape. We are proud to set the standard for quality and effectiveness in cybersecurity and technical education, as evidenced by the success of our students.”

G2’s Best Software Awards rank the world’s best software companies and products based on verified user reviews and publicly available market presence data. Fewer than 1% of vendors listed on G2 are named to the list. 

> “The 2025 Best Software Award winners represent the very best in the industry, standing out for their exceptional performance and customer satisfaction. The stakes for choosing the right business software are higher than ever,” said Godard Abel, co-founder & CEO at G2. “With over 180,000 software products and services listings and 2.8 million verified user reviews in the G2 marketplace, we’re proud to help companies navigate these critical choices with insights rooted in authentic customer feedback. Congratulations to this year’s honorees!”

G2 badges, released quarterly, recognize INE’s strong performance compared to competitors in specific areas, including its enterprise cybersecurity training and certification offerings, the depth and breadth of its online learning library, and global impact. INE earned the following G2 badges for Winter 2025:

*   **Fastest Implementation, Online Course Providers**
*   **Leader, Cybersecurity Professional Development**
*   **Leader, Online Course Providers**
*   **Leader, Technical Skills Development**
*   **Enterprise Leader, Online Course Providers**
*   **Small Business Leader, Online Course Providers**
*   **Leader, Asia Online Course Providers**
*   **Leader, Asia Pacific Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Momentum Leader, Online Course Providers**
*   **Small Business High Performer, Technical Skills Development**
*   **High Performer, India Online Course Providers**
*   **High Performer, Europe Online Course Providers**
*   **High Performer, Asia Technical Skills Development**

INE was recently named to Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications. The list showcases some of the best ethical hacking certifications for cybersecurity professionals. 

In reviewing the eCPPT, reviewers noted: 

*   The realistic experience
*   A robust training program
*   Its credentials to boost employability in Europe (specifically noted as “remarkable”). 

In reviewing the eWPTX, reviewers applaud: 

*   The challenging nature of the exam
*   Requiring advanced methodologies and skills in creating exploits that “modern tools couldn’t fathom.” 

With a suite of the best cybersecurity certifications and training programs designed for teams and individuals, INE continues to lead in developing cybersecurity professionals equipped with real-time, hands-on experience to manage cyber threats and security incidents. Our award-winning cybersecurity software and comprehensive training in network security, cloud security, and risk management, prepare learners to become certified ethical hackers (CEH), certified information systems security professionals (CISSP), and more, solidifying our reputation as the trusted partner in cybersecurity excellence and threat intelligence.

**About INE:** 

INE is the premier provider of online technical training for the IT industry. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering the most advanced technical training on the planet, while also lowering the barriers worldwide for those looking to enter and excel in an IT career. 

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Secures Spot in G2’s 2025 Top 50 Education Software Rankings

The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning— that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play, by loading a WebView to redirect users to an external website from where they could download the app hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But when the apps are installed, they steal information from the victim’s device that can be used to blackmail the victim. Especially when they miss any payments on the loan.

Among the stolen information are listed contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#git