Earlier this year, Google ditched its plans to abolish support for third-party cookies in its Chrome browser. While privacy advocates called foul, the implications for users is not so clear cut.

The apparent death of cookies also won’t matter much to Google, which has a ton of data from multiple services in addition to Chrome and can target people without cookies.

According to Google's 2023 earnings report, $237.86 billion of the firm’s $307.39 billion in revenue came from ads. Ads on its search engine results page and other products including Gmail, Google Maps, and Google Play are the highest earner at a collective $175.03 billion, or 56.9 percent of overall revenue. YouTube ads bring in $31.51 billion (10.3 percent of the total), and Google Network ads including ads on Google’s partner sites come in at $31.31 billion, 10.2 percent of revenue. Network ad revenues were down by 4.5 percent last year, showing Google reliance on this area is reducing.

Google knows it’s quite possible privacy-conscious users will opt out of Chrome cookies, just as they did with Apple’s ATT, which saw Facebook taking a $10 billion hit. Now, ATT opt-in rates range from 12 percent to 40 percent across different app categories.

The mobile advertising industry has boomed over recent years, even with Apple’s ATT in place, says Jake Moore, global cybersecurity adviser at security outfit ESET. He calls the results of ATT “impressive” and suggests Google has been watching the outcome of Apple’s rules before implementing its own version.

Meanwhile, Google is already advising developers to act as if they don’t have cookies. The tech giant is working under the assumption that even if 80 percent do opt out, 20 percent of Chrome’s more than 3 billion users isn’t a bad result.

Ensuring users have a conscious choice over whether they use cookies or not is “a good step in practice,” says Simon Bain, CEO at data and analytics platform OmniIndex. But Google needs to consider how easy it is to opt out, he says.

“And is there a negative impact on opting out for users?” Bain says. “These are crucial because if opting out is buried in the privacy settings and there is a reduction in functionality or workflow as a result of not having them, then it is not really a fair or legitimate choice.”

**Informed Choice**

Google says its updated approach allows people to “make an informed choice that applies across their web browsing,” and says you’ll be able to “adjust that choice at any time.”

The plan is for this to be as usable as possible. Sources familiar with the matter confirmed Google’s current plan would be a prominent global prompt, meaning users would not be asked to make choices on a site-by-site basis.

Yet some experts question Google’s motives. Sean Wright, an independent security researcher, points out that Google has “an enormous amount of data on individuals,” which gives a lot of power to “a single entity.”

This level of control could put user privacy at risk, Wright says. “My concern is that you have a large company that is already well established, developing its own ecosystem with little competition. There seems little incentive to enhance the privacy of users.”

But Google argues that it has received feedback from “a wide variety of stakeholders,” including regulators such as the UK’s Competition and Markets Authority, publishers, web developers and standards groups, civil society, and participants in the advertising industry. “This has helped us craft solutions that aim to support a competitive and thriving marketplace that works for publishers and advertisers, and encourage the adoption of privacy-enhancing technologies,” the company says.

Even so, privacy is a difficult balance to strike for the world’s biggest browser whose business model is designed to rely on advertising.

This is already well known, and if you care about your privacy, it’s possible you’ve already ditched Chrome for another browser. If you haven’t, Chrome alternatives include Apple’s Safari, Brave, Vivaldi, Firefox, and the DuckDuckGo browser. Brave and Vivaldi and based on the same Chromium engine as Chrome, so they include some of the same functionality.

What Google's U-Turn on Third-Party Cookies Means for Chrome Privacy

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work…

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.

The cybersecurity researchers at Morphisec Threat Labs have uncovered and thwarted multiple variants of Lua malware specifically targeting the educational sector. These attacks exploit the popularity of **Lua-based gaming engine supplements**, which are widely used by student gamers. Even more concerning, the malware campaigns were observed targeting unsuspecting users globally including across North America, South America, Europe, Asia, and Australia.

The malware strain was first reported in March 2024 (do not confuse Lua malware with the infamous **Luabot DDoS malware** identified in 2016). Over the past months, the delivery methods of Lua malware have changed to become simpler, possibly to evade detection mechanisms. Instead of using compiled Lua bytecode, which can easily raise suspicion, the malware is now frequently delivered through obfuscated Lua scripts.

****Malicious ZIP Files****

The malware is typically distributed in the form of an installer or a ZIP archive and often disguised as game cheats or other gaming-related tools, making it particularly lucrative to students who are searching for ways to enhance their gaming experience.

According to Morphisec Threat Labs’ detailed technical **blog post** shared with Hackread.com ahead of publishing on Tuesday, when a user downloads the infected file, typically from platforms like GitHub, they receive a ZIP archive containing four key components: Lua51.dll: A runtime interpreter for Lua, Compiler.exe: A lightweight loader, Obfuscated Lua Script: The malicious code and Launcher.bat: A batch file that executes the Lua script.

Upon execution, the batch file runs the Compiler.exe, which loads the Lua51.dll and interprets the obfuscated Lua script. This script then establishes communication with a Command and Control (C2) server, sending detailed information about the infected machine. The C2 server responds with tasks, which can be categorized into two types: Lua Loader Tasks: Actions such as maintaining persistence or hiding processes. Task Payloads: Instructions to download and configure new payloads.

Attack flow (Via Morphisec Threat Labs)

****Lua Malware and SEO Poisoning****

The delivery techniques used in these attacks include **SEO poisoning**, where search engine results are manipulated to lead users to malicious websites. For instance, advertisements for popular cheating script engines like Solara and Electron, often associated with Roblox, have been found to direct users to GitHub repositories hosting various Lua malware variants. These repositories frequently use github.com/user-attachments push requests to distribute the malware.

****Additional InfoStealer Like Redline****

The infection chain does not end with Lua malware infection. The malware ultimately leads to the deployment of infostealers, notably Redline Infostealers. For your information, infostealers like **Redline, Vidar and Formbook** are gaining prominence as the harvested credentials are sold on the dark web **especially ChatGPT credentials**, opening the door to more attacks in the future.

SEO poisoning in action (Via Morphisec Threat Labs)

****Watch Out Students and Gamers****

Gamers, educational institutions, and students should be cautious of Lua and other malware threats by avoiding downloads from untrustworthy sources. Keeping security software up to date and informing users about the **cybersecurity risks of downloading game cheats** and unverified content can help reduce the chances of these attacks.

1.  **Fake League of Legends Download Ads Drop Lumma Stealer**
2.  **Global malspam targets hotels, spreading Redline, Vidar stealers**
3.  **Fake Windows site dropped Redline malware as Windows 11 upgrade**
4.  **Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware**
5.  **Ransomware Hidden as a Game: Kransom’s Attack Via DLL Side-Loading**

Lua Malware Targeting Student Gamers via Fake Game Cheats

The massive outage involving a faulty Falcon update is an excellent illustration of what happens when organizations neglect security fundamentals.

Source: Tero Vesalainen via Alamy Stock Photo

UPDATE  
Back in July, 8 million Windows devices around the world went offline after CrowdStrike released a threat intelligence update with a buggy content validator. Hospitals could not access patient records, interrupting patient care. Airlines were forced to delay or cancel thousands of flights. Some payment platforms were unavailable, resulting in people not being paid on time. The Emergency Alert System in the United States was affected, which, in turn, disrupted 911 services in several states.

The problem ultimately boiled down to an inadvertent systems failure, intensified by poor update management issue and processes that violated third-party risk management policies and procedures. CrowdStrike's quality-control testing did not catch the bug beforehand. The outage highlighted what happens when basic IT rules are forgotten, ignored, or simply abbreviated.

Cloud-based endpoint detection and response (EDR) security tools, such as CrowdStrike's solution, work best when the sensors can process real-time intelligence from the cloud, says Eric O'Neill, a cybersecurity consultant and former undercover FBI counterintelligence operative, noting that this was mainly a update management issue. Ideally, a vendor would roll out updates to a subset of its customers, then continue the rollout in stages to ensure there were no issues. In this case, he says, all customers received the update at the same time. From a third-party risk management perspective, organizations should test updates they receive before deploying them to their systems.

In this case, most CrowdStrike customers opted for the popular automatic update installation instead of the more complex and time-consuming staged rollout, which is rarely done for endpoint applications. Because such an anomaly has never happened before with an update, the decision to forgo testing was understandable, O'Neill notes. In light of this incident, he expects to see major changes in how organizations roll out and install updates in the future.

Crowdstrike takes exception with O'Neill's assessment that testing was incomplete, and noted in a statement to Dark Reading that, "as stated in the Root Cause Analysis report: A stress test of the IPC Template Type with a test Template Instance was executed in our test environment, which consists of a variety of operating systems and workloads. The IPC Template Type passed the stress test and was validated for use, and a Template Instance was released to production as part of a Rapid Response Content update."

**Reducing the Risk**

John Young, a consulting CISO and former cloud and data center executive at IBM, likens the impact of the unintended outage to previous cyberattacks on SolarWinds and Kaseya but without the malicious intent, as with ransomware and other malware. Instead, this became an eye-opening event for boards to ensure they are conducting appropriate business risk and interruption analyses. Here, only one operating system (OS), Windows, was affected. Organizations could reduce their vulnerabilities if they spread their operational risk over multiple OSes, he says.

"If we use different operating systems \[for hot backup systems\], we could run it at 25% service delivery level," Young says. "We'd limp along, but we would have a real-time objective that we would recover in two days."

Young likens this approach to enterprises having servers around the world that run multiple OSes, so that companies can protect themselves from regional threats and vulnerabilities. While running multiple OSes could protect against similar, OS-specific vulnerabilities, the arguments against it are the high cost and the unlikeliness of such an event occurring again, he adds.

While it makes sense to trust key software vendors, Young notes, basic security practices indicate that software should not be trusted simply because it is from a known source and is identified as a security update. Many of the system failures were because "they didn't really follow best practices. There was no compartmentalization. There was no business continuity planning. There was no impact analysis on the critical system," he says. "There was too much integration with their third party."

**The Impact on Cyber Insurance**

While the outage clearly was not a cyberattack, some cyber insurance policies could include coverage for dependent systems failures that are not brought on by a malicious attacker, says David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage. While addressing insurance coverage, in general, he says a property policy might address such losses, but it depends on the negotiated policy, any extra coverages the company might have selected, and the policy's specific language.

"A system failure event is absolutely different than a network interruption or business interruption event, which is always tied to a malicious attack," Anderson says. "It's important to know that not every cyber insurance policy affirmatively includes system failure coverage; you have to have purchased the enhancement in order for this event to be covered."

This alone could get the attention of general counsels or whichever corporate executive is responsible for their company's cyber insurance policy. While not all incidents are always covered — generally, that is based on the severity of the incident, the amount of loss, and the amount of time the company was affected — this could be a watershed moment for an organization to reevaluate its existing insurance policies.

What would be an interesting question, he notes, is: Does a property policy that clearly includes data processing equipment breakdown coverage, which are non-malicious events, have some coverage to include here? Larger commercial property policies often include human errors, errors and omissions, and unplanned failures coverage within the property policy.

"It all is going to depend if the coverage is considered mechanical breakdown, which I don't think this would be, or if it was truly a human error and unplanned outage," Anderson notes. Again, the final decisions will be up to the insurance companies, which could interpret the situation differently.

This story was updated at 3 p.m. ET on Oct. 9 to clarify that the catalyst for the CrowdStrike outage was not a software patch or bug fix, but rather an update to its threat intelligence engine with the latest threat signatures, known as Rapid Response Content.

**About the Author**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

The Perils of Ignoring Cybersecurity Basics

Red Hat Security Advisory 2024-7701-03 - An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7701.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git security updateAdvisory ID:        RHSA-2024:7701-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7701Issue date:         2024-10-07Revision:           03CVE Names:          CVE-2024-32004====================================================================Summary: An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.Security Fix(es):* git: RCE while cloning local repos (CVE-2024-32004)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32004References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280428

Red Hat Security Advisory 2024-7701-03

San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho.
"The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until

Cyber Threat / APT Attack

Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed **Awaken Likho**.

"The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until August.

The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises.

Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks directed against defense and critical infrastructure sectors. The group is believed to be active since at least August 2021.

The spear-phishing attacks involve distributing malicious executables disguised as Microsoft Word or PDF documents by assigning them double extensions like "doc.exe," ".docx.exe," or ".pdf.exe," so that only the .docx and .pdf portions of the extension show up for users.

Opening these files, however, has been found to trigger the installation of UltraVNC, thereby allowing the threat actors to gain complete control of the compromised hosts.

Other attacks mounted by Core Werewolf have also singled out a Russian military base in Armenia as well as a Russian research institute engaged in weapons development, per findings from F.A.C.C.T. earlier this May.

One notable change observed in these instances concerns the use of a self-extracting archive (SFX) to facilitate the covert installation of UltraVNC while displaying an innocuous lure document to the targets.

The latest attack chain discovered by Kaspersky also relies on an SFX archive file created using 7-Zip that, when opened, triggers the execution of a file named "MicrosoftStores.exe," which then unpacks an AutoIt script to ultimately run the open-source MeshAgent remote management tool.

"These actions allow the APT to persist in the system: the attackers create a scheduled task that runs a command file, which, in turn, launches MeshAgent to establish a connection with the MeshCentral server," Kaspersky said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.
Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.
"The ultimate goal of

A little-known threat actor tracked as **GoldenJackal** has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.

Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.

"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis.

GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019.

An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infecting connected USB drives and delivering a trojan dubbed JackalControl.

While there is insufficient information to conclusively tie the activities to a specific nation-state threat, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also singled out foreign embassies in Belarus.

ESET said it discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Of particular interest is how the threat actor also managed to deploy a completely revamped toolset between May 2022 and March 2024 against an E.U. government entity.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli pointed out. "This speaks to the resourcefulness of the group."

The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm -

*   **GoldenDealer**, which is used to deliver executables to the air-gapped system via compromised USB drives
*   **GoldenHowl**, a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and
*   **GoldenRobo**, a file collector and data exfiltration tool

The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. They are engineered to collect files from USB drives, spread malware via USB drives, exfiltrate data, and use some machine servers as staging servers to distribute payloads to other hosts -

*   **GoldenUsbCopy** and its improved successor **GoldenUsbGo**, which monitor USB drives and copy files for exfiltration
*   **GoldenAce**, which is used to propagate the malware, including a lightweight version of JackalWorm, to other systems (not necessarily those that are air-gapped) using USB drives
*   **GoldenBlacklist** and its Python implementation **GoldenPyBlacklist**, which are designed to process email messages of interest for subsequent exfiltration
*   **GoldenMailer**, which sends the stolen information to attackers via email
*   **GoldenDrive**, which uploads stolen information to Google Drive

It's currently not known as to how GoldenJackal manages to gain initial compromise to breach target environments. However, Kaspersky previously alluded to the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.

GoldenDealer, which is already present in a computer connected to the internet and delivered via an as-yet-undetermined mechanism, springs into action when a USB drive is inserted, causing itself and an unknown worm component to be copied into the removable device.

It's suspected that the unknown component is executed when the infected USB drive is connected to the air-gapped system, following which GoldenDealer saves information about the machine to the USB drive.

When the USB device is inserted into the aforementioned internet-connected machine a second time, GoldenDealer passes the information stored in the drive to an external server, which then responds with appropriate payloads to be run on the air-gapped system.

The malware is also responsible for copying the downloaded executables to the USB drive. In the last stage, when the device is connected to the air-gapped machine again, GoldenDealer takes the copied executables and runs them.

For its part, GoldenRobo is also executed on the internet-connected PC and is equipped to take the files from the USB drive and transmit them to the attacker-controlled server. The malware, written in Go, gets its name from the use of a legitimate Windows utility called robocopy to copy the files.

ESET said it has yet to uncover a separate module that takes care of copying the files from the air-gapped computer to the USB drive itself.

"Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets," Porolli said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an “evil twin” disaster. Read the full real-life case study here.

The Invisible Threat in Online Shopping
When is a checkout page, not a checkout page? When it's an “evil twin”! Malicious redirects can send unsuspecting shoppers to these perfect-looking

Web Security / Payment Fraud

**Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. Read the full real-life case study here.******The Invisible Threat in Online Shopping****

When is a checkout page, not a checkout page? When it's an "evil twin"! Malicious redirects can send unsuspecting shoppers to these perfect-looking fake checkout pages and steal their payment information, so could your store be at risk too? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. (You can read the full case study here)

****Anatomy of an Evil Twin Attack****

In today's fast-paced world of online shopping, convenience often trumps caution. Shoppers quickly move through product selection to checkout, rarely scrutinizing the process. This lack of attention creates an opportunity for cybercriminals to exploit.

****The Deceptive Redirect****

The attack begins on a legitimate shopping site but uses a malicious redirect to guide shoppers to a fraudulent checkout page. This "evil twin" page is meticulously designed to mimic the authentic site, making it nearly impossible for the average user to detect the deception.

****The Devil in the Details****

The only telltale sign might be a subtle change in the URL. For example:

*   Legitimate: Fabulousclothingstore.com
*   Fraudulent: Fabulousclothingstre.com/checkout

Did you spot the missing 'o'? This technique, known as typosquatting, involves registering domain names that closely resemble legitimate websites.

****The Data Heist****

Once on the fake checkout page, unsuspecting shoppers enter their sensitive financial information, which is then forwarded to the attackers. This stolen data can be used for fraudulent transactions or sold on the dark web, potentially leading to significant financial losses for the victims.

****The Infection Vector: How Websites Get Compromised****

While the specific infection method in this case study remains unclear (a common scenario in cybersecurity incidents), we can infer that the attackers likely employed a common technique such as a cross-site scripting (XSS) attack. These attacks exploit vulnerabilities in website code or third-party plugins to inject malicious scripts.

****Evading Detection: The Art of Obfuscation****

Malicious actors use code obfuscation to bypass traditional security measures. Obfuscation in programming is analogous to using unnecessarily complex language to convey a simple message. It's not encryption, which renders text unreadable, but rather a method of camouflaging the true intent of the code.

****Example of Obfuscated Code****

Developers routinely use obfuscation to protect their intellectual property, but hackers use it too, to hide their code from malware detectors. This is just part of what the Reflectiz security solution found on the victim's website:

\*note: _for obvious reasons, the client wants to stay anonymous. That's why we changed the real url name with a fictional one._

This obfuscated snippet conceals the true purpose of the code, which includes the malicious redirect and an event listener designed to activate upon specific user actions. You can read more about the details of this in the full case study.

****Unmasking the Threat: Deobfuscation and Behavioral Analysis****

Traditional signature-based malware detection often fails to identify obfuscated threats. The Reflectiz security solution employs deep behavioral analysis, monitoring millions of website events to detect suspicious changes.

Upon identifying the obfuscated code, Reflectiz's advanced deobfuscation tool reverse-engineered the malicious script, revealing its true intent. The security team promptly alerted the retailer, providing detailed evidence and a comprehensive threat analysis.

****Swift Action and Consequences Averted****

The retailer's quick response in removing the malicious code potentially saved them from:

1.  Substantial regulatory fines (GDPR, CCPA, CPRA, PCI-DSS)
2.  Class action lawsuits from affected customers
3.  Revenue loss due to reputational damage

****The Imperative of Continuous Protection****

This case study underscores the critical need for robust, continuous web security monitoring. As cyber threats evolve, so too must our defenses. By implementing advanced security solutions like Reflectiz, businesses can protect both their assets and their customers from sophisticated attacks.

For a deeper dive into how Reflectiz protected the retailer from this common yet dangerous threat, we encourage you to read the full case study here.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Case Study: The Evil Twin Checkout Page 

Introduction 
Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. 
In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management

Machine Learning / Data Security

**Introduction**

Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately.

In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management systems. AI-powered identity lifecycle management is at the vanguard of digital identity and is used to enhance security, streamline governance and improve the UX of an identity system.

**Benefits of an AI-powered identity**

AI is a technology that crosses barriers between traditionally opposing business area drivers, bringing previously conflicting areas together:

*   AI enables better operational efficiency by reducing risk and improving security
*   AI enables businesses to achieve goals by securing cyber-resilience
*   AI facilitates agile and secure access by ensuring regulatory compliance

**AI and unified identity**

AI-powered identity delivers the intelligence needed to repel attacks and correct access anomalies impacting our identity infrastructure. However, a key enabler of AI within an identity lifecycle management system is the unification of identity. AI can find applications across a unified identity surface, working symbiotically to meet the requisites of the business drivers.

**AI-powered identity in practice**

When applied appropriately, AI technologies have the power to mitigate access errors and tackle the current onslaught of identity-centered cyberattacks. AI-powered identity can leverage machine learning models to identify signals of an attack, such as behavioral anomalies, that point to a data exfiltration event.

One Identity has capitalized on the power of AI models to enhance and enable various aspects of identity security:

**Risk detection for identity governance and administration (IGA)**

AI-powered identity governance and administration (IGA) offers a method to identify unusual behavior and spot the signals of data exposure and data exfiltration events. One Identity Safeguard uses an AI model known as "Random Forests," a machine learning algorithm combining the output from multiple decision trees to deliver insights. Safeguard analyzes data from such events as mouse movement, keystroke dynamics, login time and command analytics to identify behavioral anomalies and automate attack. Human operators then interact with a dashboard to interpret and make decisions based on the AI-generated output to allow an organization to effectively lower the cybersecurity skills barrier.

**Access management**

Data from access management authentication events can be leveraged to identify a signal of cyberattack and credential compromise. The access event data (e.g., identity, location, device, etc.) is gathered when someone logs in. An authorization decision is made, and security requirements may then use step-up authentication rather than deny access.

However, AI advances this simple model. One Identity OneLogin uses Vigilance AI™ Threat Engine15 to analyze large volumes of data to identify threats. By utilizing User and Entity Behavior Analytics (UEBA), a profile of typical user behavior is created as a baseline. This is then used to identify anomalies and prevent risk.

OneLogin can feed the data from access requests, as well as its derived analytical insights, in the form of rich syslogs into SIEM and SOC systems.

**Entitlement management**

Role-based access is a fundamental principle of identity security. But managing those roles manually can pose a challenge. Machine learning has been used in identity "role mining" or "role discovery" for some time, but a novel application from One Identity delivers the role mining insights directly to the relevant person for streamlined entitlement management.

For example, you can use AI to optimize team role policies on an ongoing basis, making entitlement management an ongoing, automated task that provides accurate insights into access requirements across the organization.

**Conclusion**

Identity management systems must respond to the increasing volume of sophisticated identity-based threats. The response comes in the form of system augmentation through AI, with authoritative, high-quality identity data feeding the AI models used to enhance identity lifecycle management. This capability enhancement is essential in developing and delivering entitle management and IGA for a robust security posture and cyber resilience. With the unification of identity-related services making identity management simpler and more effective, adding AI to a unified identity platform endows an organization with the resilience to resist even the most complex identity-related threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Value of AI-Powered Identity

The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#git