cybersecurity

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.

Romance fraud is increasingly common and campaigns can extort large sums from victims, who are often quite vulnerable and lonely.

If you found this page because you think that you might be being targeted, speak to Crimestoppers or Action Fraud.

When stories of romance fraud hit the news, we often hear that the victim had become extremely attached to the scammer, but very little on how they got engineered into that position.

At it's heart, romance fraud relies on social engineering and I was curious to see what techniques were actually being used. I'm no particular stranger to scam baiting, so I decided to masquerade as a mark and see how the campaign was run (as well as what, if anything, I could engineer out of the fraudster).

The emails that I'd received were all associated with one persona: "Aidana", who claimed to be a dentist in Kazakhstan.

This post analyses the scammers approach, systems and material, sharing some of what I was able to learn over the course of a few weeks of back and forth.

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

In a barebones advisory, Facebook warned that the security defect was found in FreeType versions 2.13.0 and below and provides a pathway for arbitrary code execution attacks.

“This vulnerability may have been exploited in the wild,” Facebook said, without providing any details on the reported attacks. The bug has been tagged as CVE-2025-27363 and carries a CVSS severity score of 8.1 out of 10.

I'm half expecting representatives from the Russian FSB to be brought in to "consult" on security within Homeland Security...

Mozilla is warning Firefox users to update their browsers to the latest version to avoid facing disruption and security risks caused by the upcoming expiration of one of the company's root certificates. [...] Users need to update their browsers to Firefox 128 (released in July 2024) or later and ESR 115.13 or later for 'Extended Support Release' (ESR) users.

Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. As of February 2025, this campaign is ongoing.

This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency.

In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.

Non-password-protected, unencrypted 108GB database…what could possibly go wrong

Tenable Research examines DeepSeek R1 and its capability to develop malware, such as a keylogger and ransomware. We found it provides a useful starting point, but requires additional prompting and debugging.

In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups.

The attackers continue to refine their methods, employing both familiar tools from past Head Mare incidents and new PowerShell-based tools.

This report analyzes the software and techniques observed in recent Head Mare attacks and how these overlap with Twelve’s activities. The focus is on Head Mare’s TTPs and their evolution, with notes on commonalities with Twelve’s TTPs.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.