An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in…

An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in its email-based domain verification method.

Internet security relies on trust, and the Certificate Authority (CA) is a key player in this system as it verifies website identities, and issues SSL/TLS certificates, which encrypt communication between a computer and the website.

However, recently, a serious problem was found with one of these trusted CAs, SSL.com. Researchers discovered a flaw in how SSL.com was checking if someone requesting a certificate actually controlled the domain name, a process called Domain Control Validation (DCV).

SSL.com enables users to verify domain control and obtain a TLS certificate for encrypted HTTPS connections by creating a _validation-contactemail DNS TXT record with the contact email address as the value. SSL.com sends a code and URL to confirm the user’s control of the domain. However, due to this bug, SSL.com now considers the user as the owner of the domain used for the contact email.

This flaw stems from the way email is used to verify control, particularly with MX records, which indicate which servers receive email for that domain. It allowed anyone to receive email at any email address associated with a domain, potentially obtaining a valid SSL certificate for the entire domain. It is specifically related to the BR 3.2.2.4.14 DCV method aka ‘Email to DNS TXT Contact’.

This is a big deal because an attacker wouldn’t need to have complete control over a website e.g., google.com, to get a legitimate-looking certificate as just the email address of an employee or even a free email address that’s somehow linked to the domain is enough.

Malicious actors can use valid SSL certificates to create fake versions of legitimate websites, steal credentials, intercept user communication, and potentially steal sensitive information through a man-in-the-middle attack. A security researcher using the alias _Sec Reporter_ demonstrated this by using an @aliyun.com email address (a webmail service run by Alibaba) to get certificates for aliyun.com and www.aliyun.com.  

This vulnerability affects organizations with publicly accessible email addresses, particularly large companies, domains without strict email control, and domains using CAA (Certification Authority Authorization) DNS records.

SSL.com has acknowledged the issue and explained that besides the test certificate the researcher obtained, they had mistakenly issued ten other certificates in the same way. These certificates, starting as early as June 2024, were for the following domains:

*. medinet.ca, help.gurusoft.com.sg (issued twice), banners.betvictor.com, production-boomi.3day.com, kisales.com (issued four times), and medc.kisales.com (issued four times).

The company also disabled the ‘Email to DNS TXT Contact’ validation method and clarified that “this did not affect the systems and APIs used by Entrust.”

Even though SSL.com’s issue has been resolved, it shows the important steps to maintain website safety. CAA records should be used to tell browsers which companies can issue certificates, public logs should be monitored to catch unauthorised certificates, and email accounts linked to websites should be secure.

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow.
"This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

All Google accounts could end up compromised by a clever replay attack on Gmail users that abuses Google infrastructure.

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.

This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS).

Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

> Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6
> 
> — nick.eth (@nicksdjohnson) April 16, 2025

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.

Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email.

If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.

Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.

The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

**How to avoid scams like this**

*   Don’t follow links in unsolicited emails or on unexpected websites
*   Carefully look at the email headers when you receive an unexpected mail
*   Verify the legitimacy of such emails through another, independent method
*   Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

**Technical details**

Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.

DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.

So, what the cybercriminals did was:

*   Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
*   Register an OAuth app and set the app name to match the phishing link
*   Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com
*   This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
*   Forward the message untouched which keeps the DKIM signature valid.

Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com.

Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 All Gmail users at risk from clever replay attack 

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials.
"The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK_RemoteRogue, TA422) are now using the ClickFix…

Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK\_RemoteRogue, TA422) are now using the ClickFix technique in their espionage campaigns. Learn about Proofpoint’s insights into this new wave of attacks.

Proofpoint has recently discovered a concerning development related to the ClickFix attack, a dangerous social engineering method. Reportedly, government-backed hacking groups are now using this technique, exploiting users’ trust by presenting fake error messages or security alerts from the operating system or familiar applications.

Users are tricked into downloading and running a code in their computer’s command line interface, believing it is a solution to their problem. However, when run, this code executes malicious commands on the victim’s machine.

Last year, Hackread.com raised an alarm about the rising popularity of the ClickFix attack among cybercriminals starting in March 2024, after groups like TA571 and ClearFake used it. In October 2024, Sekoia observed a rise in ClickFix attacks involving fake Google Meet, Chrome, and Facebook pages tricking users into downloading malware.

The latest wave of ClickFix attacks was observed between July 2024 and early 2025, with North Korea, Iran, and Russia-backed hackers incorporating ClickFix into their usual operations.

Attacks Timeline (Source: Proofpoint)

****North Korea (TA427)****

In early 2025, TA427 (Kimsuky, Emerald Sleet) targeted individuals from 5 organisations in the think tank sector working on North Korea affairs. They used deceptive meeting requests and fake websites to trick them into running PowerShell commands. One successful attack involved impersonating a Japanese diplomat (Ambassador Shigeo Yamada) and led to the installation of QuasarRAT malware.

Malicious email (Source: Proofpoint)

****Iran (TA450)****

In November 2024, TA450 (MuddyWater, Mango Sandstorm) targeted 39 organisations, mainly finance and government sectors, in the Middle East with fake Microsoft security update emails. They used ClickFix to persuade users to run PowerShell commands that installed the Level RMM tool, which the attackers intended to use for espionage and data theft. No further use of ClickFix by this group was observed afterwards.

****Russia (UNK\_RemoteRogue and TA422)****

UNK\_RemoteRogue used ClickFix once in December 2024, targeting individuals in two prominent arms manufacturing firms in the defence industry, sending emails with a link to a fake Microsoft Office page with Russian instructions to copy/paste code that executed JavaScript and then PowerShell linked to the Empire framework.

TA422 (Sofacy, APT28) employed ClickFix in October 2024, targeting Ukrainian entities, sending phishing emails with a link mimicking a Google spreadsheet sent out by CERT-UA that led to a reCAPTCHA, which, upon clicking, provided a PowerShell command to create an SSH tunnel and run Metasploit.

These groups, however, are not completely changing their attack methods. Instead, they are using ClickFix to replace certain steps in how they initially infect a target’s computer and run malicious software. Also, according to Proofpoint’s blog post, they have not observed any Chinese government-backed groups using ClickFix, possibly due to limited visibility into their activities.

Even though ClickFix is not yet a standard tool for state-sponsored actors, its increasing popularity suggests that this technique could become more common in government-backed cyber espionage campaigns in the coming months, researchers conclude.

North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks

Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.

Entering the United States has become more precarious since the start of the second Trump administration in January. There has been an apparent surge in both foreign visitors and US visa holders being detained, questioned, and even deported at the border. As the situation evolves, demand for flights from Canada and Europe has plummeted as people reevaluate their travel plans.

Many people, though, can’t avoid border crossings, whether they are returning home after traveling for work or visiting friends and family abroad. Regardless of the reason for travel, US Customs and Border Protection (CBP) officials have the authority to search people’s phones and other devices as they determine who is allowed to enter the country. Multiple travelers have reported being questioned or turned away at the US border in recent weeks in relation to content on their phones.

While not unique to the US border—other nations also have powers to inspect phones—the increasingly volatile nature of the Trump administration’s border policies is causing people to rethink the risks of carrying devices packed with personal information to and from the US. Canadian authorities have updated travel guidance to warn of phone searches and seizures, some corporate executives are reconsidering the devices they carry, some officials in Europe continue to receive burner phones for certain trips to the US, and the Committee to Protect Journalists has warned foreign reporters about device searches at the US border.

With this in mind, here’s the WIRED guide to planning for bringing a smartphone across the border. You should also use WIRED’s guide to entering the US with your digital privacy intact to get a broader view of how to minimize data and take precautions. But start here for everything smartphone.

**What Can CBP Access?**

Do CBP officials have the authority to search your phone at the border? The short answer is yes. Searches are either manual, with a border official looking through the device, or more advanced, involving forensic tools to extract data en masse. To get into your phone, border officials can ask for your PIN or biometric to unlock the phone. However, your legal status and right to enter the US will make a difference in what a search might look like at the border.

Generally, border zones—which includes US international airports—fall outside of Fourth Amendment protections that require a warrant for a device to be searched (though one federal court has ruled otherwise). As such, CBP has the power to search any traveler’s phone or other electronic devices, such as computers and cameras, when they’re entering the country. US citizens and green card holders can refuse a device search without being denied entry, but they may face additional questioning or temporary device seizure. And as the Trump administration pushes the norms of acceptable government conduct, it is possible that, in practice, green card holders could face new repercussions for declining a device search. US visa holders and foreign visitors can face detention and deportation for refusing a device search.

“Not everybody has the same risk profile,” says Molly Rose Freeman Cyr, a member of Amnesty International’s Security Lab. “A person’s legal status, the social media accounts that they use, the messaging apps that they use, and the contents of their chats” should all factor into their risk calculus and the decisions they make about border crossings, Cyr says.

If you feel safe refusing a search, make sure to disable biometrics used to unlock your device, like face or fingerprint scanners, which CBP officers can use to access your device. Instead, use only a PIN or an alphanumeric code (if available on your device). Make sure to keep your phone’s operating system up to date, which can make it hard to crack with forensic tools.

You should also consider factors like nationality, citizenship, profession, and geopolitical views in assessing whether you or someone you’re traveling with could be at higher risk of scrutiny during border crossings.

In short, you need to make some decisions before you travel about whether you would be prepared to refuse a device search and whether you want to make changes to your devices before your trips.

Keep in mind that there are simple steps anyone can take to keep your devices out of sight and, hopefully, out of mind during border crossings. It’s always a good idea to obtain a printed boarding pass or prepare other paper documents for review and then turn your phone off and store it in your bag before you approach a CBP agent.

**Traveling With an Alternate Phone**

There are two ways to approach device privacy for border crossings. One is to start with a clean slate, purchasing a phone for the purpose of traveling or wiping and repurposing your old phone—if it still receives software updates.

The device doesn’t need to be a true “burner” phone, in the sense that you will be carrying it with you as if nothing is out of the ordinary, so you don’t need to purchase it with cash or take other steps to ensure that it can’t be connected to you. The idea, though, is to build a sanitized version of your digital life on the travel phone, ideally with separate communication and social media accounts created specifically for travel. This way, if your device is searched, it won’t have the back catalog of data—old text messages, years of photos, forgotten apps, and access to many or all of your digital accounts—that exists on your primary phone and could reveal details of your political views, your associations, or your movements over time.

Starting with a clean slate makes it easy to practice “data minimization,” or reducing the data available to another person: Simply put the things you’ll need for a trip on the phone without anything you won’t need. You might make a travel email address, some alternate social media accounts, and a separate account for end-to-end encrypted communications using an app like Signal or WhatsApp. Ideally you would totally silo your real digital life from this travel life. But you can also include some of your regular personal apps, building back from the ground up while determining on a selective basis whether you have existing accounts that you feel comfortable potentially exposing. Perhaps, for example, you think that showing a connection to your employer or a community organization could be advantageous in a fraught situation.

Privacy and digital rights advocates largely prefer the approach of building a travel device from scratch, but they caution that a phone that is too squeaky clean, too much like a burner phone, can arouse suspicion.

“You have to ‘seed’ the device. Use the phone for a day or even for a few hours. It just can't be _clean_ clean. That’s weird,” says Matt Mitchell, founder of CryptoHarlem, a security and privacy training and advocacy nonprofit. “My recommendation is to make a finsta for travel, because if they ask you what your profile is, how are you gonna say ‘I don't use any social media’? Many people have a few accounts anyway. One ratchet, one wholesome—add one travel.”

Cyr, from Amnesty International, also points out that a true burner phone would be a “dumb” phone, which wouldn’t be able to run apps for encrypted communications. “The advantage that we all have with smartphones is that you can communicate in an encrypted way,” Cyr says. “People should be conscious that any nonencrypted communication is less secure than a phone call or a message on an application like Signal.”

While a travel device doesn’t need to use a prepaid SIM card bought with cash, it should not share your normal phone number, since this number is likely linked to most if not all of your key digital accounts. Buy a SIM card for your trip or only use the device on Wi-Fi.

**Traveling With Your Primary Phone**

The other approach you can take to protecting your device during border crossings is to modify your primary smartphone before travel. This involves removing old photos and messages and storing them somewhere else, cleaning out nonessential apps, and either removing some apps altogether or logging out of them with your main accounts and logging back in with travel accounts.

Mohammed Al-Maskati, digital security helpline director at the rights group Access Now, says that people should consider this type of clean-out before they travel. “I will look at my device and see what apps I need,” he says. “If I don't need the app, I just remove it.”

Al-Maskati adds that he suggests people particularly remember to remove dating apps and anything related to LGBTQI communities, especially if they consider themselves to be at higher risk of facing a device search. And generally, this approach is only safe if you are particularly diligent about removing every app that might expose you to risk.

You could use your own phone as a travel phone by backing it up, wiping it, building a travel device with only the apps you really need while traveling, going on your trip, and then restoring from the backup when you get home. This approach is doable but time consuming, and it creates more opportunities for operational security mistakes or what are known as “opsec fails.” If you try to delete all of your old, unwanted apps, but miss one, you could end up exposing an old social media account or other historic service that has forgotten data in it. Messaging apps can have easily searchable archives going back years and can automatically save photos and files without you realizing it. And if you back up all of your data to the cloud and take it off your device, but are still logged into the cloud account underpinning other services (like your main Google or Apple account), you could be asked to produce the data from the cloud for inspection.

Still, if you assess that you are at low risk of facing scrutiny during a border crossing or you don’t have access to an additional device for travel, modifying your main smartphone is a good option. Just be careful.

**What To Do, If Nothing Else**

Given all of this, you may be hyped up and ready to throw your phone in the ocean. Or you may be thinking there’s no way in hell that you’re ever going to take the time to deal with any of this. For those in the latter camp, you’ve come this far, so don’t click away just yet. If you don’t want to take the time to make a bunch of changes, and you don’t think you’re at particular risk during border crossings (though keep in mind that it’s possible your risk is higher than you realize), there are still a few easy things you can do to protect your digital privacy that are better than nothing.

First, as mentioned above, print a paper boarding pass and any other documents you might need. Even if you don’t turn your phone off and stow it in a bag for your entire entry or exit process, you can put it in your pocket and have your paper ticket and other documents ready while actually interacting with agents. And taking basic digital hygiene steps, like updating your phone and removing apps and data you no longer need, can go a long way.

“We all need to be recognizing that authorities may scrutinize your online presence, including social media activity and posts you’ve published,” says Danacea Vo, founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Since people have gotten more vocal on social media, they’re very worried about this. Some have even decided not to risk traveling to or from the US this year.”

How to Protect Yourself From Phone Searches at the US Border

Check out the top OSINT tools of 2025, an updated list featuring the best free and paid open-source…

Check out the top OSINT tools of 2025, an updated list featuring the best free and paid open-source intelligence tools for cybersecurity and investigations.

At HackRead.com, we have a long-standing tradition of publishing comprehensive lists of the **best OSINT tools** to help cybersecurity professionals and enthusiasts stay ahead in the game. Every year, we research and evaluate the latest tools, taking into account their features, usability, and effectiveness.

For 2025, we have compiled an updated list of the most powerful, highly creative and efficient OSINT tools available, including both new and established names in the field. Whether you’re looking for free, open-source options or premium solutions, this list has you covered.

****1\. FBI Watchdog****

**FBI Watchdog** is a new OSINT tool that tracks domain seizures and DNS record updates as they happen. It notifies users about law enforcement actions and other DNS changes through Telegram and Discord, and takes screenshots of domains that get seized.

**Price:** Free

****2\. Arrests.org****

**Arrests.org** is a public database that aggregates arrest records from various US states and counties. It allows users to search for mugshots, charges, and booking information. Useful for background checks and verifying arrest records as part of OSINT investigations.

**Price:** FREE

****3\. VenariX Ransomware Alert Bot****

**VenariX** is a next-gen OSINT tool designed for automated threat intelligence and reconnaissance. It scans public data sources, dark web forums, and social media for indicators of compromise (IOCs) and threat actor activity.

VenariX also features a **Telegram bot** that automatically sends updates on the latest ransomware attacks and claims made by ransomware gangs, keeping users informed in real time.

**PRICE:** Pricing for VenariX is tiered, offering a Free version ($0), Basic version ($21/month), Pro version ($69/month), and an Enterprise level with custom pricing and advanced features.

****4\. TheHarvester****

An open-source tool designed to gather information such as email addresses, subdomains, and domain names from various public sources. **TheHarvester** is particularly useful for reconnaissance during penetration testing and vulnerability assessments.

**PRICE:** FREE

****5\. SpiderFoot****

**SpiderFoot** is an automated OSINT collection tool that aggregates intelligence from over 100 different sources. It scans domains, IP addresses, and email addresses, generating detailed reports on potential risks or threats.

**PRICE:** FREE

****6\. Recon-ng****

**Recon-ng** is a web reconnaissance tool that automates data collection from multiple sources. It integrates modules for gathering information on domains, IPs, and social media profiles, streamlining the intelligence-gathering process.

**PRICE:** FREE

****7\. OSINT Framework****

**OSINT Framework** is a structured approach that helps professionals organise and streamline the process of gathering open-source intelligence. It focuses on utilising free tools and resources available on the internet, providing a comprehensive view of publicly accessible data.

**PRICE:** FREE

****8\. Shodan****

Dubbed the “search engine for the Internet of Things,” **Shodan** allows users to discover internet-connected devices, including servers, routers, and webcams. This tool helps identify exposed devices and potential vulnerabilities within networks.

**PRICE:** PRICE: Free, Membership – $49 (One-Time Payment), Freelancer – $69/Month, Small Business – $359/Month, Corporate – $1,099/Month and Enterprise – Custom Pricing.

****9\. Wayback Machin****

An archive of old versions of websites, allowing users to access historical data. **Wayback Machine (Archive.org)** is useful for uncovering outdated or sensitive content that may have been removed but still exists in the archives.

**PRICE:** FREE

****10\. Mitaka:****

**Mitaka** is a browser extension that provides intuitive access to diverse intelligence-gathering features for efficient reconnaissance and investigative tasks. It integrates multiple OSINT modules, enabling comprehensive analysis of target entities.

**PRICE:** FREE

****11\. XposedOrNot****

XposedOrNot is a free and privacy-focused tool that lets users check whether their email addresses or passwords have appeared in known data breaches. Scanning a large database of leaked credentials helps identify compromised information and provides details about the breaches involved, such as what data was exposed.

It also includes a secure password check feature that uses client-side hashing to ensure user input remains private. In addition to its web interface, XposedOrNot offers an API for developers who want to integrate breach monitoring into their own applications.

**PRICE:** FREE and Customised for Businesses.

****12\. BuiltWith****

BuiltWith is a tool that serves as a comprehensive profiler for identifying the various technologies deployed on websites, from server frameworks to analytics and content management systems. It delivers in-depth analysis of web setups, which is crucial for competitive intelligence and technology strategy development.

**PRICE:** Basic: $295, Pro: $495, Team: $995

****13\. Telegago****

**Telegago** is an OSINT tool focused on analysing Telegram channels and groups. It tracks public and private chats (with access), monitors message trends, and performs sentiment analysis. Ideal for tracking cybercriminal groups and gathering intelligence from Telegram communities.

**PRICE:** FREE

****14\. GHunt****

**GHunt** is an OSINT tool for gathering information from Google accounts. It can extract data like public photos, YouTube channels, connected services, and more, using just an email address. GHunt is useful for profiling targets and uncovering linked accounts.

**PRICE:** FREE

****15\. FOCA****

**FOCA** (Fingerprinting Organisations with Collected Archives) is an OSINT tool that extracts metadata from publicly available documents. It analyses files like PDFs, Word documents, and images to uncover sensitive information such as usernames, software versions, and server details. Ideal for footprinting and vulnerability assessment.

**PRICE:** FREE

****16\. SkopeNow****

**SkopeNow** is a modern OSINT tool designed for social media intelligence gathering. It collects and analyses data from multiple social platforms to track user activities, posts, and interactions. Useful for profiling individuals or groups, detecting fake accounts, and monitoring public sentiment in real time.

Skopenow’s platform includes several tools designed to assist with various investigative and security needs, including:

**Analyst Help**: Provides human assistance for complex cases

**Pre-Check**: An automated system for fraud and risk signalling.

**Workbench**: A tool for streamlined and accurate people and business searches.​

**Link Analysis**: Provides automated network, relationship, and link visualisations.​

**Grid**: Offers real-time situational awareness by integrating data from social media, traffic cameras, crime reports, satellite imagery, news, and more.

**PRICE:** Skopenow does not publicly list its pricing on its website. Instead, it offers customised plans tailored to the specific needs of organisations.

****17\. Metagoofil****

**Metagoofil** is an OSINT tool that extracts metadata from publicly accessible documents such as PDFs, Word, Excel, and PowerPoint files. It gathers information like usernames, software versions, and file paths, helping identify potential vulnerabilities and system configurations during reconnaissance.

**PRICE:** FREE

****18\. Paliscope****

A comprehensive OSINT platform designed for law enforcement and intelligence professionals. It assists in collecting, analysing, and visualising data from open sources and social media.

**Paliscope** has been instrumental in tracking victims of human trafficking by aggregating data from multiple sources and creating link analyses, making it an invaluable tool for investigations and victim recovery efforts.

**PRICE:** **PRICE:** The company offers three products: Paliscope Explore, Paliscope Explore Enterprise, and Paliscope Build. Pricing depends on the selected package. The Community edition is free, the Professional edition costs $3,995 per year, and pricing for the Advanced package is available upon request.

****19\. Hunchly****

A web capture tool designed for investigators to automatically save and organise web pages during OSINT investigations. It helps maintain an audit trail, preserving evidence while browsing social media, forums, or news sites. **Hunchly** is particularly useful for building cases and tracking changes on monitored pages.

**PRICE:** 30-Day Free Trial, Classic: $109.99 / yr, Cloud: $199.99 / yr. $19.99 / month.

****20\. Lullar****

**Lullar** is an OSINT tool focused on searching for social media profiles associated with a given email address or username. It quickly scans multiple platforms to find linked accounts, helping investigators piece together a target’s online presence. Useful for profiling individuals and gathering intelligence from social networks.

**PRICE:** FREE

As powerful and versatile as these OSINT tools are, it’s important to remember that with access to public data comes responsibility. Whether you’re a cybersecurity analyst, journalist, investigator, or just exploring for personal interest, always use these tools ethically and within the boundaries of the law. The goal of OSINT is to enhance security, transparency, and understanding, not to invade privacy or misuse sensitive information.

Stay curious, but most importantly, stay respectful in your use of these resources. For more tools, tips, and updates on the evolving world of cybersecurity and open-source intelligence, keep checking back at **HackRead.com**.

2025’s Top OSINT Tools: A Fresh Take on Open-Source Intel

Google on Wednesday revealed that it suspended over 39.2 million advertiser accounts in 2024, with a majority of them identified and blocked by its systems before it could serve harmful ads to users.
In all, the tech giant said it stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages last year. It also suspended over 5 million accounts for

Google Blocked 5.1B Harmful Ads and Suspended 39.2M Advertiser Accounts in 2024

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how this scam works and how to protect yourself.

Cybersecurity researchers at CloudSEK have a new campaign exploiting the popularity of PDFCandy.com, an online file conversion tool used by over two and a half million people, including over half a million from India alone.

As per their research, shared with Hackread.com, attackers are distributing ArechClient2 malware to steal private information like browser usernames and passwords. It is a SectopRAT family malware active since 2019 and is spread through deceptive online advertising via Google Ads or fake software updates.

Reportedly, attackers have created a fake PDF to DOCX converter that is similar to the legitimate pdfcandy.com. They have gone to great lengths to copy the look and feel of the real website. Such as they use similar web addresses to trick unsuspecting users and have “meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users,” CloudSEK’s researchers noted in the blog post.

Once a user lands on one of these fake sites, they are immediately asked to upload a PDF file for conversion, playing on a common need of many internet users. It even shows a fake loading animation as if a real conversion is happening, probably to build trust.

Then, unexpectedly, it presents a CAPTCHA verification, similar to what legitimate websites use for security. This marks a critical step in the attack where “social engineering transitions to system compromise,’ the report reads. This means the attack relies on manipulating how users typically interact with websites.

The Malicious Trap (Source: CloudSEK)

Introducing CAPTCHA serves two purposes: making the fake site appear more real and allowing users to click without thinking. Next, the website instructs users to run a command using Windows’ built-in tool PowerShell, leading to a system compromise. The command analysis reveals a series of redirects, starting with an innocent link and leading to a file named “adobe.zip,” hosted on 1728611543, which has been flagged as malicious by multiple security services.

The file contains a folder called “SoundBAND” with a dangerous executable file called “audiobitexe.” The attacker launches a multi-stage attack using a legitimate Windows program and a Windows tool, launching ArechClient2 information-stealing malware.

Fake PDFCandy websites involved in the scam (Screenshot: CloudSEK)

It is worth noting that the FBI warned on March 17, 2025, about malicious online file converters being used to distribute harmful software, so this threat is not new.

“Cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool,” the agency explained.

To protect against such threats, you should be cautious when using online file conversion services, verify website legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts.

Tag

#google