Torrance, United States / California, 9th January 2025, CyberNewsWire

**Torrance, United States / California, January 9th, 2025, CyberNewsWire**

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has launched its **Criminal IP Malicious Link Detector** add-in on the Microsoft Marketplace. This cutting-edge tool provides real-time phishing email detection and URL blocking for Microsoft Outlook, adding an essential layer of email security in the face of increasing cyber threats.

Advances in generative AI have driven a surge in sophisticated phishing attacks that are increasingly difficult to distinguish from legitimate communications. The Criminal IP Malicious Link Detector combats these threats by analyzing email links in real-time, detecting and blocking phishing URLs and malicious domains. Fully integrated with Microsoft Outlook and available for free, it provides robust protection for both individuals and organizations.

**Case Study: Phishing Email Targeting Cryptocurrency Wallet Users**

In one instance, Criminal IP detected a phishing email targeting Trust Wallet users. The email contained links disguised as official pages, aiming to deceive users into downloading malware. The Criminal IP Malicious Link Detector swiftly identified and blocked these malicious URLs in real-time, averting potential harm.

**Getting Started with the Criminal IP Malicious Link Detector**

Using the tool is straightforward:

1.     **Signing Up:** Creating an account on the Criminal IP platform.

2.    **Installing the Add-In:** Downloading and integrating the add-in from Microsoft Marketplace.

3.    **Start Scanning:** Email links are automatically scanned upon login, with results displayed instantly.

As cyber threats evolve rapidly, the **Criminal IP Malicious Link Detector** ensures the users’ emails are protected against phishing links and malicious URLs. Download it today to stay ahead of emerging cyber risks and strengthen email security.

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP Launches Real-Time Phishing Detection Tool on Microsoft Marketplace

CISOs need to recognize the new threats AI can present — while also embracing AI-powered solutions to stay ahead of those threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

Security teams have always had to adapt to change, but new developments that will play out over the next year could make 2025 particularly challenging. The accelerating pace of AI innovation, increasingly sophisticated cyber threats, and new regulatory mandates will require chief information security officers (CISOs) to navigate a more complex landscape.

Vendors are rapidly adding AI-enabled features to existing products, and the foundational large language models (LLMs) they are using present a new attack surface that malicious actors will try to exploit. CISOs will need to understand their level of exposure to these threats and how to mitigate them.

Simultaneously, the dynamic landscape of cybersecurity regulations, particularly in regions like the European Union and California, demands enhanced collaboration between security and legal teams to ensure compliance and mitigate risks. This convergence of new technologies and laws means CISOs must balance board-level compliance needs with novel security challenges to protect their organizations.

Despite the potential security challenges posed by generative AI (GenAI), it also offers opportunities to improve the security of software development processes. By proactively identifying vulnerabilities and enabling greater automation, AI will help close the gap between developers and security teams. 

Below are three trends that will dominate the enterprise security landscape in 2025. 

**Trends to Watch in 2025****1\. Vulnerabilities in Proprietary LLMs Open the Possibility of Broad-Impact Security Incidents**

Software vendors are rushing to add AI-enabled features to their products, often by leveraging proprietary foundational LLMs. As attackers start to find vulnerabilities in these models, they will open a new attack vector with potentially wide-scale consequences. Industry consolidation increases risk.

Proprietary models reveal little information about their provenance or internal guard rails, making them much harder for security professionals to understand and manage. As such, attackers can embed malware or exploit lesser-known attack surfaces in a model's feature space. 

Because the industry relies heavily on a few proprietary LLMs, these attacks could have cascading effects throughout the software ecosystem, potentially leading to wide-scale outages or impacts. 

**2\. AI and Cloud-Native Workloads Will Increase Demand for Highly Adaptive Identity Management **

The growth of cloud-native and AI applications creates new challenges for identity management systems. This year, access control must become more adaptive to deal with the increase in non-human, service-based identities. 

Systems that manage identity and permissions have already been transitioning from their traditional, static state to a more ephemeral and adaptable framework, reflecting the agility required for modern digital interactions. These needs will become even greater in the year ahead. 

AI-driven applications, in particular, demand a solid understanding of transitive identities. These applications require systems that provide secure and efficient access, even as roles and needs constantly evolve.

**3\. AI Will Help Scale Security Within DevOps**

In a recent survey, 58% of developers said they feel some degree of responsibility for application security. However, the demand for security-skilled DevOps professionals still outpaces supply. 

AI will continue democratizing security expertise within DevOps teams by automating routine tasks, providing smart coding recommendations, and further bridging the skills gap. Security will be integrated throughout the build pipeline, enabling the early identification of potential vulnerabilities at the design stage by leveraging reusable security templates that can be integrated into developer workflows.

Authentication and authorization will also be improved, with AI automatically assigning roles and permissions as services are deployed across cloud environments. 

The net result will be improved security outcomes, reduced risk, and enhanced collaboration between developers and their security peers. 

**Embracing AI-Powered Solutions to Secure the Threat Landscape **

As the technology landscape continues to evolve and cyber threats become increasingly sophisticated, CISOs must recognize the new threats that AI can present while embracing AI-powered solutions to stay ahead of them. 

By leveraging AI to automate security tasks, identify vulnerabilities, and respond to threats in real-time, organizations can strengthen their security posture and stay ahead of the fast-evolving threat landscape.

**About the Author**

CISO, GitLab

Josh Lemos is the CISO at GitLab Inc., where he brings 20 years of experience leading information security teams to his role. He is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, fortifying the GitLab DevSecOps platform and ensuring the highest level of security for customers. A talented security practitioner and technology leader, Josh is widely recognized for his strategic vision, his ability to drive growth and innovation, and his passion for building and empowering teams. He believes in technology's potential to transform the world and the need to secure it against emerging threats. Josh has led security teams at numerous high-growth technology companies including ServiceNow, Cylance, and most recently Block (formerly known as Square).

New AI Challenges Will Test CISOs &amp; Their Teams in 2025

This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

_This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes_

Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting\[.\]com, a popular platform used by major enterprises to send digital greeting cards.  

Upon learning of the attack, GroupGreeting quickly responded and resolved the threat.

This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting\[.\]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.  

According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors. 

****Explaining the “zqxq” malware****

Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers. 

At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis. 

Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns: 

*   **Token generation and redirection**. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links. 

*   **Conditional checks and evasion**. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts. 

*   **Remote payload retrieval**. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations. 

****Overlap with NDSW/NDSX and TDS Parrot campaigns** **

Though Malwarebytes recently discovered the attack on GroupGreeting\[.\]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.” 

According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”  

From these analyses, we can identify the following parallels to known **NDSW/NDSX** or **TDS Parrot** malware campaigns: 

*   **Obfuscated redirect scripts**. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats. 

*   **Traffic Distribution System behavior**. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates. 

*   **Large-scale website infections**. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors. 

****Analysis of the breach and why GroupGreeting was a prime target** **

Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why: 

*   **High-profile site**. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable. 

*   **Seasonal traffic spikes**. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware. 

*   **Sophisticated persistence**. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur. 

*   **Potential consequences**. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace. 

*   **Timely patching and updates**. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates. 

*   **File integrity checks**. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action. 

*   **User training**. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 GroupGreeting e-card site attacked in “zqxq” campaign  

The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.

The School Shootings Were Fake. The Terror Was Real

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-22445

**Mattermost has Improper Check for Unusual or Exceptional Conditions**

Low severity GitHub Reviewed Published Jan 9, 2025 to the GitHub Advisory Database • Updated Jan 9, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.0, < 10.3.0

< 8.0.0-20250102081831-64c566a8280b

**Patched versions**

10.3.0

8.0.0-20250102081831-64c566a8280b

**Description**

Published to the GitHub Advisory Database

Jan 9, 2025

GHSA-7rgp-4j56-fm79: Mattermost has Improper Check for Unusual or Exceptional Conditions

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20033

**Mattermost Improper Validation of Specified Type of Input vulnerability**

Moderate severity GitHub Reviewed Published Jan 9, 2025 to the GitHub Advisory Database • Updated Jan 9, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 9.11.0, < 9.11.16

\>= 10.0.0, < 10.0.4

\>= 10.1.0, < 10.1.4

\= 10.2.0

< 8.0.0-20250102081831-64c566a8280b

**Patched versions**

9.11.16

10.0.4

10.1.4

10.2.1

8.0.0-20250102081831-64c566a8280b

Published to the GitHub Advisory Database

Jan 9, 2025

GHSA-2549-xh72-qrpm: Mattermost Improper Validation of Specified Type of Input vulnerability

The country awaits implementation guidelines for a framework that gives Indians greater autonomy and security over their personal data — and recognizes a right to personal privacy.

Source: Wavebreakmedia Ltd IFE-240405\_3 via Alamy Stock Photo

The government of India has drafted rules that will define how companies inside and outside of the country must handle its citizens' data privacy.

A year and a half ago, India enacted its first ever comprehensive national data protection law: the Digital Personal Data Protection (DPDP) Act. The act defined key privacy rights for Indian citizens — to access, update, correct, challenge, port, and erase their data, plus additional safeguards for children's data — and various obligations of data stewards to secure user data, maintain its accuracy, limit how it's used, and more.

Organizations have not yet been forced to adjust their data trafficking practices, as the act was waiting on a set of clearly defined rules of implementation. On Jan. 3, India's Ministry of Electronics and Information Technology (MeitY) released those draft rules, designed to operationalize DPDP. In 22 provisions and seven schedules, the DPDP Rules provide businesses with a framework for complying with the act once the government begins to enforce it.

For years leading up to this point, "As the digital infrastructure in India has grown exponentially, the absence of safety mechanisms for individuals has left citizens vulnerable," says Pankit Desai, CEO and co-founder of Sequretek. That makes DPDP "a landmark regulation, long overdue. It's not just a regulatory framework — it is a signal of India's readiness to prioritize citizen welfare in the digital age."

**India's Long Road to Data Privacy**

In 1941, Khrarak Singh, a citizen of India's northern state of Uttar Pradesh, was tried for gang robbery (dacoity). He was let off thanks to an absence of evidence, but police kept an eye on him nonetheless. They visited his home at night, kept tabs on his movements, and monitored various aspects of his personal life: his employment, social life, and habits, for example.

Eventually Singh filed a petition, arguing that the surveillance violated his constitutional rights. On Dec. 18, 1962, six judges of India's Supreme Court ruled that though some of the police tactics amounted to harassment, many of their surveillance measures were legally permissible. Privacy, they argued, was not a fundamental right under the country's constitution.

That remained the case until 2017, after India's government proposed the "Aadhaar" project, giving all citizens identification numbers backed with various demographic and biometric data. Overseeing a challenge to Aadhaar, Chief Justice of India JS Khehar explained, “It is essential for us to determine whether there is a fundamental right to privacy in the Indian Constitution," citing the Kharak Singh case. In August 2017, a nine-judge bench declared that privacy was a right given to India's citizens under its constitution.

Their ruling opened the floodgates to data protection legislation, first and most notably the proposed Personal Data Protection Bill of 2019. However, the bill was proved both expansive and restrictive. The bill covered both personal and non-personal data, but was stringent in mandating that sensitive personal data not leave the borders of the country, yet also lenient in allowing the government to exempt itself for various reasons. Regardless, the bill was withdrawn in August 2022. It was followed in spirit by the more neutral DPDP, which will finally become operational once the latest proposed rules are finalized.

**New Rules of the Road**

The DPDP rules are mostly industry standard: companies must notify customers about the data they collect, and if it's breached, encrypt it at rest and in transit, delete it after three years of inactivity, and so on.

"Most notably, they grant substantial control to the data principal (individual) over their personal data, including the ability to determine when, how, where, and for what purpose their data is used," notes Rama Krishna Gudipati, head of customer success at CloudSEK. "Additionally, the introduction of penalties for non-compliance adds an important layer of accountability." Failing to notify customers of a breach, for example, or betraying obligations around children's data, could cost companies up to INR 200 crore (around $23 million).

Certain provisions are more debatable, though, like the continued exceptions afforded to government agencies. Sequretek's Desai says that "The exemption granted to the government from these rules raises questions about fairness and accountability, especially given the government's significant role as a service provider," says Sequretek's Desai. "India's digital infrastructure is heavily influenced by government-led initiatives, unlike in the West, where private enterprises dominate," making the rule more impactful than it would be in other countries.

The deadline for submitting feedback on the new draft rules is Feb. 18. After the rules are activated, MeitY stated in a Jan. 5 press release, "An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

India Readies Overhauled National Data Privacy Rules

PRESS RELEASE

DALLAS, Jan. 7, 2025 /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced a new collaboration with Intel® (NASDAQ: INTC) designed to help joint enterprise customers protect critical systems from stealthy threats, including fileless malware and advanced ransomware.

When Trend's proactive security platform and Intel's technology are used together, the integrated solution can better determine if encryption behavior is legitimate—such as a user backing up files or malicious—ensuring the appropriate action is taken to protect critical systems.

This news coincides with the CES 2025 (Consumer Electronics Show), which is the most influential tech innovation event for enterprises and society as a whole, where Intel and Trend will be present. Trend invites corporate attendees to join a panel discussion on Thursday, January 9th, entitled "Data Collection, Privacy and Why You Should Care," to learn how to safeguard a digital footprint as cybercriminals increasingly target critical data. Register now at: https://spr.ly/6044vmkSQ.

Carla Rodriguez, Intel VP: "Threat actors are increasingly targeting endpoints with sophisticated attacks that evade traditional software-based security. Trend's integration of Intel® Threat Detection Technology provides a hardware-accelerated detection layer to uncover stealthy threats. This technology, deployed across a billion PCs, is the only AI-based silicon security solution of its kind. Our mutual customers will benefit from enhanced protection with Trend's AI-powered Trend Vision One™ – Endpoint solutions on Intel AI PCs."

Protecting critical assets across endpoints, email, networks, and cloud workloads is increasingly challenging as malicious actors favor covert threats such as fileless malware, which was reportedly present in 40% of attacks in 2023. These can be used to deploy ransomware, steal sensitive data, and cause significant financial and reputational damage.

Fileless attacks are particularly dangerous as they rely on in-memory execution, reside in the registry, or abuse legitimate tools like PowerShell and Windows Management Instrumentation.

That's why Trend and Intel are teaming up by combining the AI-powered Trend Vision One. This collaboration provides organizations with powerful tools to detect and respond to ransomware and fileless attacks before they can cause damage.

Rachel Jin, Chief Enterprise Platform Officer at Trend: "Proactive security has long been desired but just recently feasible. Through our work with Intel, we're redefining what's possible in cybersecurity—empowering enterprises to proactively safeguard their systems, data, and operations against an increasingly complex threat landscape."

How AMS works:

*   Intel® TDT offloads advanced memory scanning (AMS) workloads from CPU to GPU.
    
*   This enables Trend endpoint security solutions to scan more deeply and more often to uncover fileless attacks before they can launch malicious payloads.
    
*   Using fewer CPU resources enhances threat detection and response without affecting performance, slowing down PCs, or reducing battery life.
    

Trend Vision One™ – Endpoint Security leverages AMS to improve memory scanning capacity by 7 to 10X1. This means that organizations can scan more and detect more threats.

CPU-based threat detection:

Advanced ransomware is increasingly capable of evading EDR detection thanks to packing and obfuscation techniques and VM cloaking. EDR solutions are too often playing catchup with behavior-based approaches, which take time to get up to speed.

Intel® TDT augments Trend's behavioral analysis, runtime machine learning, and expert rules by providing critical visibility into the hardware layer, increasing ransomware detection efficacy by 24% over software alone.

It does this by:

*   Using CPU telemetry and Intel® AI, offloading Intel AI and memory scanning from the CPU to the integrated GPU to provide a detection assist to Trend's ransomware defenses which won't disrupt the user experience.
    
*   Integrating Intel TDT source code directly into the Trend Micro agent to deliver deeper insights from CPU telemetry. This enables instant discovery of zero-day attacks and new, fast-moving variants.
    

About Trend Micro  
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro and Intel Innovate to Weed Out Covert Threats

Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.

Source: Cal Sport Media via Alamy Stock Photo

Fans of the Green Bay Packers football franchise have been tackled by a payment-card skimmer; people who bought merch at the Packers Pro Shop website last fall may have had their personal data harvested.

In a data-breach notification letter to the 8,514 "cheeseheads" affected, the NFL juggernaut noted that its security staff was alerted to the code on Oct. 23, just as the team was gearing up to play the Jacksonville Jaguars in Week 8 of the 2024 season.

"We were alerted to the presence of malicious code inserted on the Pro Shop website by a third-party threat actor," reads the notice, which added that the team immediately asked the outside vendor that hosts the store to take the e-commerce site offline. "The malicious code may have allowed an unauthorized third party to view or acquire certain customer information entered at the checkout that used a limited set of payment options on the Pro Shop website."

Fortunately, the skimmer was active in only two windows: Between Sept. 23-24, and Oct. 3-23, 2024. And, fans who used a gift card, a Pro Shop website account, PayPal, or Amazon Pay weren't exposed.

Cybercriminals were able to score on everyone else though, collecting names, addresses (billing and shipping), emails, and full payment-card information, according to the notice.

Related:Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

According to an analysis from Sansec, a Dutch e-commerce security company that notified Green Bay about the attack, the threat actors abused a JSONP callback and YouTube's oEmbed feature, which allows users to embed content from one website into another website. Ultimately, the skimmers were able to bypass the Content Security Policy (CSP) for the Pro Shop website, and "a script was injected from https://js-stats.com/getInjector. This script harvested data from input, select, and text area fields on the site, exfiltrating the captured information."

**A Pick 6 for Magecart & Other Cybercrime Carders?**

While there's no public attribution available for the incident, the cyberattack has all the hallmarks of a classic "Magecart" attack. Magecart is an umbrella term for a loose confederation of groups that steal credit cards by exploiting a vulnerability within a website to inject a malicious piece of code, which simply exfiltrates any data the users put into checkout pages on e-commerce sites.

Lately, these types of attacks have been on the rise, with scores of groups beyond classic Magecart actors running skimmer plays, researchers warn; the Packers are just the latest victim in the pass rush of maliciousness.

Related:Ransomware Targeting Infrastructure Hits Telecom Namibia

"There's no solid theory about why there's been an uptick in skimmer attacks,” says Javvad Malik, lead security awareness advocate at KnowBe4. "It could be a case of low-hanging fruit, a lot of e-commerce transactions over the holiday period when people are searching for deals, and also the ease through which some third parties can be compromised without triggering alarms."

According to the Recorded Future Payment Fraud Intelligence group, digital e-skimming will remain a top threat to e-commerce going forward, with bad actors relying on easy-to-use skimmer kits and persistent CMS security vulnerabilities. Plus, smaller security organizations (including those used by many sports franchises) are at particular risk.

"Payment Card Industry Data Security Standard (PCI DSS) requirements will continue aiming to improve security, but the impact will remain limited as many small and medium-sized retailers fail to adhere," said Boris Ivanov, principal malware researcher at Recorded Future, via email. "This gap will worsen the already serious problem of attackers exploiting vulnerable platforms and compromising payment data."

Meanwhile, Malik notes that sports teams might be in the cybercrime sites as a top target in part due to fan exuberance.

Related:CISA: Third-Party Data Breach Limited to Treasury Dept.

"Technically, sports organizations probably don't have any different challenges than others," he says. "What makes them attractive to criminals though is the fact that they have a loyal fan base that is willing to spend money on tickets and merchandise. Often during busy periods when tickets are released, there is a rush, so people will often ignore any security warnings in a bid to complete their purchase."

**The Payment-Skimmer Ground Game Is Hard to Defend Against**

Skimmers are also having a moment because the back-end complexity of the code running e-stores is on the rise, which offers cover for malware infestation and makes defense more porous.

"These are difficult to detect by nature, especially when these attacks take place by compromising third-party components, which can end up in organizations' blind spots," explains Malik. "Complexity and the reliance on many third parties is perhaps the biggest challenge to keep modern Web applications secure."

In the Packers' case, the Pro Shop is hosted by a third party, which complicates things even further.

"In the case of organizations outsourcing many components and hosting, security responsibility cannot be outsourced, so many organizations end up with a lack of skilled resources within the organization to keep an eye over the end-to-end security — something that is often fueled by budget constraints," Malik notes.

Ultimately, e-commerce organizations of all stripes, including those catering to Wisconsin NFL fans, need to balance security with business agility and the user experience, which creates a series of challenges. Technical complexity, resource constraints, skills shortages, and organizational culture can all affect how organizations approach Web security, Malik cautions.

"It's about embedding security into the very fabric of the business, rather than treating it as an afterthought," he says. "Some of the things you can do include implementing robust content security policies, undertaking regular security audits and penetration testing, employing real-time monitoring that can detect unusual code or behavior patterns, and finally, educating staff and fostering a culture of cybersecurity."

Dane Sherrets, staff innovation architect at HackerOne, notes that, from a coding standpoint, user input should be considered suspect until proven otherwise.

"Firstly, it's important to remind everyone never to explicitly trust user input and to treat all such inputs as potentially malicious," he says. "The Green Bay Packers incident, in particular, highlights the threat of exploiting a loophole in the site's CSP."

The Green Bay Packers did not immediately return a request for comment.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer

### Impact
Application passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users to upload files with `.php` extension in an folder that allows `include` or `require` to read it, then they are at risk of arbitrary code ran on their servers.

### Patches
- [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4)
- [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6)

### Workarounds
Any of the below actions can be taken to prevent the issue:
- Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\`
- Call `setLocale()` only with a locale from a whitelist of supported locales
- When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue)
- Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)

### References
https://en.wikipedia.org/wiki/File_inclusion_vulnerability

### Credits
Thanks to **Szczepan Hołyszewski** who reported the issue and to Tidelift to coordinate the resolution

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-22145

**Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale**

Moderate severity GitHub Reviewed Published Jan 8, 2025 in CarbonPHP/carbon • Updated Jan 8, 2025

**Package**

composer nesbot/carbon (Composer)

**Affected versions**

\>= 3.0.0, < 3.8.4

< 2.72.6

**Patched versions**

3.8.4

2.72.6

**Impact**

Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers.

**Patches**

*   3.8.4
*   2.72.6

**Workarounds**

Any of the below actions can be taken to prevent the issue:

*   Validate input before calling setLocale(), for instance by forbidding or removing / and \
*   Call setLocale() only with a locale from a whitelist of supported locales
*   When uploading files, rename them so they cannot have a .php extension (this is recommended even if you're not affected by this issue)
*   Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually live outside of the application basedir)

**References**

https://en.wikipedia.org/wiki/File\_inclusion\_vulnerability

**Credits**

Thanks to **Szczepan Hołyszewski** who reported the issue and to Tidelift to coordinate the resolution

**References**

*   GHSA-j3f9-p6hm-5w6q
*   briannesbitt/Carbon@129700e
*   https://nvd.nist.gov/vuln/detail/CVE-2025-22145

Published to the GitHub Advisory Database

Jan 8, 2025

Tag

#git