CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the…

CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the risks and needed fixes.

Cybersecurity researchers at CloudSEK have identified a security vulnerability in Zendesk’s SaaS platform. The platform’s subdomain registration feature can be exploited by cybercriminals to launch phishing and investment scams.

Zendesk, a widely-used customer support platform, offers free trial accounts and allows users to easily register subdomains. According to CloudSEK’s analysis, this functionality can be abused by threat actors to create subdomains resembling legitimate brands, enabling convincing phishing campaigns.

Researchers noted that the vulnerability could be exploited in “pig butchering” scams, a form of investment fraud where victims are groomed over time into investing in fraudulent schemes.

CloudSEK’s analysis found 1,912 instances of Zendesk websites since 2023, with some companies showing an unusually high number of registered subdomains. While intended to facilitate rapid business setup, this feature introduces a significant security risk.

Attackers can use Zendesk’s platform to create fake subdomains, launch phishing campaigns, and build trust through its professional appearance. Leveraging Zendesk’s communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking.

A demo phishing disguising as an invitation reached Gmail inbox (via CloudSEK).

In one demo phishing attack against XYZ Company, an attacker registered a URL mimicking the target company’s address, provided email, name, and company size details, and named a Zendesk instance. They then registered a subdomain, obtained admin access, and sent an invitation email. Threat actors used this setup to link active phishing pages to users, pretending to assign tickets.

Malicious links within the emails redirected victims to fake investment platforms or support pages controlled by the attackers. These platforms were designed to manipulate victims into sharing sensitive information or transferring funds.

CloudSEK’s research shared with Hackread.com also points out a critical flaw in Zendesk’s email validation process. The platform lacks essential checks when adding users to subdomains, allowing attackers to target employees and customers with phishing attempts disguised as legitimate ticket assignments. Zendesk emails often land directly in users’ primary inboxes, increasing the likelihood of interaction.

CloudSEK responsibly disclosed the vulnerability to Zendesk, urging prompt action to mitigate its exploitation by cybercriminals.

1.  Geo Targetly URL Shortener Abused in Phishing Scam
2.  NuGet Packages Exploited to Target Developers with Malware
3.  Postman Workspaces Leak 30K API Keys and Sensitive Tokens
4.  US Govt Impersonated in Aggressive DocuSign Phishing Scams
5.  PayPal Phishing Exploits MS365 Tools with Genuine-Looking Emails

Zendesk’s Subdomain Registration Exposed to Phishing, Pig Butchering Scams

The pardon comes after 11 years in prison for Ross Ulbricht, who was sentenced to life without parole on several charges, including computer hacking, distribution of narcotics, and money laundering.

Source: White House Photo via Alamy Stock Photo

NEWS BRIEF

On just his second day in office, President Trump has pardoned Ross Ulbricht, the creator and owner of an underground criminal forum website known for cybercrime and drug trafficking.

Known as "Dread Pirate Roberts," Ulbricht operated the anonymous marketplace, known as "Silk Road," from 2011 to 2013, until law enforcement shut down the site and arrested him in California.

At 31, Ulbricht was convicted of distributing narcotics, engaging in a continuing criminal enterprise, conspiring to commit computer hackings, conspiring to create fake identities, and laundering money, all of which earned him life in prison without parole — a harsh sentence that law enforcement insisted would act as a deterrent to others.

The Justice Department pursued charges against Ulbricht's associates, who claimed to have murdered five people on his behalf, though there is no evidence of these murders taking place.

Silk Road at the time was described as "the most sophisticated and extensive criminal marketplace on the Internet" by US Attorney Preet Bharara, and it was considered a place for criminals to buy and sell illegal drugs and other illegal goods anonymously and outside the lens of law enforcement.

Libertarian activists have supported Ulbricht's release for years on the premise that Ulbricht's early writings on his ideas for Silk Road stemmed from his interest in creating a free and anonymous marketplace.

In May 2024, President Trump promised to commute Ulbricht's sentence. After being reminded by Ulbricht of his promise via social media platform X, Trump fulfilled this campaign promise.

"I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross," Trump posted to his Truth Social site yesterday. "The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!"

Prior to his sentencing, Ulbricht stated that Silk Road was a costly idea that he "deeply regrets" in a letter to the judge when seeking leniency, however, it remains unclear if he continues to maintain these beliefs more than a decade later.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Trump Pardons 'Silk Road' Dark Web Drug Market Creator

### Impact
This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. 

For example, if your shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored XSS in FO.

### Patches
The long term fix is to have all your modules maintained and updated.
The fix on ps_contactinfo will keep formatted addresses from displaying an xss stored in the database.

### Workarounds
none

### References
none

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-24027

**ps\_contactinfo has a potential XSS due to usage of the nofilter tag in template**

Moderate severity GitHub Reviewed Published Jan 22, 2025 in PrestaShop/ps\_contactinfo • Updated Jan 22, 2025

**Package**

composer prestashop/ps\_contactinfo (Composer)

**Affected versions**

<= 3.3.2

**Description**

**Impact**

This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned.

For example, if your shop has a third party module vulnerable to SQL injections, then ps\_contactinfo might execute a stored XSS in FO.

**Patches**

The long term fix is to have all your modules maintained and updated.  
The fix on ps\_contactinfo will keep formatted addresses from displaying an xss stored in the database.

**Workarounds**

none

**References**

none

**References**

*   GHSA-35pq-7pv2-2rfw
*   https://nvd.nist.gov/vuln/detail/CVE-2025-24027
*   PrestaShop/ps\_contactinfo@d60f9a5

Published to the GitHub Advisory Database

Jan 22, 2025

Last updated

Jan 22, 2025

GHSA-35pq-7pv2-2rfw: ps_contactinfo has a potential XSS due to usage of the nofilter tag in template

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

The payment card giant **MasterCard** just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider **Akamai** \[DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage\].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “**akam.ne**.”

This tiny but potentially critical typo was discovered recently by **Philippe Caturegli**, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through **Bugcrowd**, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like **Cloudflare** and **Google**.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By setting their DNS server records with a long TTL or “Time To Live” — a setting that can adjust the lifespan of data packets on a network — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain **az.mastercard.com**. It is not clear exactly how this subdomain is used by MasterCard, however their naming conventions suggest the domains correspond to production servers at Microsoft’s **Azure** cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “**awsdns-06.ne**” instead of “**awsdns-06.net**.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).

MasterCard DNS Error Went Unnoticed for Years

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Will 2025 See a Rise of NHI Attacks?

A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows.

The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. The MotW is what triggers warnings that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices. 7-Zip added support for MotW in June 2022.

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them.

MotW security warning in file properties

For years, attackers were able to bypass the MotW by putting their malicious files in archives. This worked because the MotW is in fact another file that is attached to the main file as an Alternate Data Stream (ADS), and over the years we have seen many vulnerabilities in archivers where the ADS didn’t pass on the individual files when the archive was decompressed.

The same is true this time. Only the attacker will have to prepare an especially crafted nested archive. A nested archive means there is an open archive inside another open archive. Exploitation of the vulnerability also requires user interaction, meaning the target will have to visit a malicious page or open a malicious file.

If you’re a Windows user, check whether you are using version 7-Zip 24.09 or later. If you’re not, then they’ll need to update.

7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page.

**Other security measures**

There are some general safety tips to keep in mind when you’re handling archived files on a regular basis:

*   Keep track of how and where you obtained the archive.
*   Always be careful when opening archived files that you downloaded from the internet.
*   Make sure you are using an updated anti-malware solution that is capable of scanning inside archives, and you have that setting enabled.

Malwarebytes scan within archives option enabled

*   Keep track of who accesses archived files and when. This can help identify unauthorized access attempts and help monitor unwanted changes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 7-Zip bug could allow a bypass of a Windows security feature. Update now 

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime…

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime justice, presidential power, and fairness.

U.S. President Donald Trump has issued a full pardon to Ross Ulbricht, the founder of the infamous dark web marketplace **Silk Road**. The decision has kicked off a debate across political, legal, and cybersecurity circles while raising questions about possible pardons for other high-profile figures such as Julian Assange and Edward Snowden.

****The Silk Road Story****

Launched in February 2011, Silk Road was an online marketplace accessible through the Tor network, designed to ensure user anonymity. The platform operated much like eBay but was primarily known for facilitating the trade of illegal goods, particularly drugs. Payments on Silk Road were conducted using Bitcoin, making transactions nearly untraceable.

Ross Ulbricht, operating under the pseudonym “Dread Pirate Roberts,” positioned himself as a libertarian ideologue, claiming the marketplace was a tool to undermine government overreach and provide individuals with greater personal freedoms. However, the site soon became a hub for illegal activities, including drug trafficking, weapons sales, and hacking tools.

****The Arrest****

Ulbricht was **arrested on October 1, 2013**, in the science fiction section of a public library in San Francisco. The dramatic takedown was part of a planned operation by federal agents who had been tracking Ulbricht for months including postings on online forums, metadata from server logs, and evidence found on Ulbricht’s laptop at the time of his arrest.

When captured, Ulbricht’s laptop was open and running, providing agents with incriminating evidence, including logs of Silk Road transactions, communications with administrators, and his personal journal. Ulbricht then faced a litany of charges, including:

*   **Conspiracy to traffic narcotics.**
*   **Conspiracy to commit computer hacking.**
*   **Conspiracy to commit money laundering.**
*   **Continuing a criminal enterprise** (a charge commonly used against organized crime figures).

While the charges focused on his role in enabling large-scale drug trafficking, federal authorities also accused him of attempting to arrange hits on individuals he perceived as threats to Silk Road. Although no murders were carried out, these allegations added significant weight to the prosecution’s case.

****The Sentencing****

In 2015, Ross Ulbricht was convicted on all charges and sentenced to **two life sentences plus 40 years** without the possibility of parole. The severity of the sentence shocked many observers, who argued that it was disproportionately harsh compared to other cases involving similar offenses. Civil liberties advocates and digital rights groups questioned whether the punishment was intended to set an example for others operating in the digital underground.

Seized Silk Road market (Screenshot: Hackread.com)

****The Pardon****

Trump’s decision to pardon Ross Ulbricht was announced on January 21, 2025. In a post on Truth Social, Trump described the prosecution and conviction of Ulbricht as a “scum,” criticizing the authorities involved in the case.

> _“I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross. The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!”_
> 
> Donald Trump

The Ulbricht pardon raises fundamental questions about justice in the digital age. How should courts balance technological innovation, personal freedom, and the responsibility for harm caused?

1.  **Obama Pardons** **Chelsea Manning**
2.  **CIA Whistleblower Guilty of Leaking Vault 7 Docs to WikiLeaks**
3.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
4.  **British judge says Julian Assange will not be extradited to the US**
5.  **23-Year-Old Arrested for Running 100M Incognito Dark Web Market**

Trump Pardons Silk Road Founder Ross Ulbricht, Calls Prosecutors ‘Scum’

As GenAI tools and SaaS platforms become a staple component in the employee toolkit, the risks associated with data exposure, identity vulnerabilities, and unmonitored browsing behavior have skyrocketed. Forward-thinking security teams are looking for security controls and strategies to address these risks, but they do not always know which risks to prioritize. In some cases, they might have

Discover Hidden Browsing Threats: Free Risk Assessment for GenAI, Identity, Web, and SaaS Risks

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates' official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

"These are greenfield opportunities — it's tremendous," he says. "There's national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology."

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC's "2025 Digital Trust Insights: South Africa and Africa" report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC's "2025 Digital Trust Insights: Middle East" report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

**Biometrics Embraced by Mideast, African Markets**

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

"With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors," he says. "Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification."

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key's Sullivan.

"After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint \[in the system\]," he says. "From then on, anytime they want to authenticate that user, they just touch a finger. They've just now started rolling out the ability to do that without even presenting your card for subsequent business."

**An Easy Upgrade Path**

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key's Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

"The use case is typically one where you have users that are moving around, and you don't want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor," he says. "We have to accommodate the fact that a lot of companies still use traditional technologies and don't want to just make a big-bang switch, so we we allow them to sort of start with what they're doing now ... \[and\] as they start to see the power of having a biometric option, they can evolve to that."

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company's Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting's Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

"As digital identity ecosystems expand," Murphy says, "AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Torrance, United States / California, 22nd January 2025, CyberNewsWire

**Torrance, United States / California, January 22nd, 2025, CyberNewsWire**

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a global provider of software in education, to deliver its integrated cybersecurity solution, Criminal IP, to students and educational institutions. This strategic initiative aims to enhance cybersecurity awareness and protection in the education sector by offering internationally compliant solutions at affordable prices.

Criminal IP will now extend its reach to educational institutions worldwide, reinforcing its growing presence in the global security market. Since its launch, Criminal IP has gained users in over 150 countries and formed strategic alliances with more than 40 global cybersecurity companies, including Cisco, Snowflake, Tenable, and VirusTotal.

(Criminal IP Lite Plan on OnTheHub)

OnTheHub is a worldwide operating platform that provides software and learning materials at discounted rates to educational organizations and their members. Through this collaboration, Criminal IP and OnTheHub seek to strengthen the cybersecurity frameworks of educational organizations on the platform, aligning with the ongoing digital transformation (DT) in education, particularly regarding Learning Management Systems (LMS). Students and researchers can access Criminal IP by redeeming coupons purchased through OnTheHub on the Criminal IP website, enabling them to utilize a globally recognized CTI platform at an affordable cost.

Criminal IP offers real-time risk analysis and vulnerability insights for global IP addresses and domains. Utilizing AI and machine learning technologies, the solution scans for security threats across various ports and devices, quickly identifying malicious IPs and domains while categorizing threat levels into five distinct tiers. Additionally, organizations can leverage Criminal IP ASM to oversee and manage IT assets, and Criminal IP FDS to detect unauthorized network access attempts during login or payment processes, all provided through a user-friendly SaaS model.

In terms of compatibility, Criminal IP offers an intuitive user interface (UI) and an integrated API, facilitating seamless integration with a variety of software and security solutions. This enables users to comprehensively evaluate security risks, including threat scores for IT assets, exposure of IoT devices, and phishing domain identification. Consequently, students and researchers associated with OnTheHub’s partner institutions will gain access to high-quality threat intelligence data and a robust platform for academic activities such as threat hunting, development, and research.

> AI SPERA CEO Byung-tak Kang commented, “Through this partnership, we are excited to provide more students and educational institutions with a globally recognized security solution at a reasonable price. We hope that Criminal IP will help students and researchers prevent security threats in educational environments and ensure a safe digital space for learning.”

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Tag

#web