CTRL + ALT + SEC

Tag: smishing

What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 10/6/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: The Salesloft-Drift Breach: Analyzing the Biggest SaaS Breach of 2025

Analysis of The Salesloft-Drift SaaS Supply Chain Breach

This article effectively spotlights the most critical emerging threat in enterprise security: the SaaS supply chain attack leveraging unmonitored SaaS-to-SaaS integrations. The breach of Salesloft and Drift, attributed to sophisticated groups like ShinyHunters and Scattered Spider, serves as a powerful case study for a fundamental shift in risk. Since most modern businesses rely on an interconnected ecosystem of applications like Salesforce and Gmail, a compromise in a single low-profile third-party vendor offers a “10x force multiplier” for attackers, allowing them to pivot laterally into hundreds of downstream customer environments. This risk profile—where a company’s sensitive data is accessed not through a firewall failure but through a trusted connection and persistent OAuth token—is highly relevant to all LinkedIn professionals, especially those in leadership and IT/DevOps roles responsible for vendor risk and cloud security architecture.

The analysis of why “traditional SaaS security failed” underscores the growing SaaS Security Gap. Legacy security tools, designed for on-premise networks or simple SaaS usage, are blind to the five critical attack vectors: the persistent nature of compromised OAuth tokens, the ability for attackers to conduct SaaS-to-SaaS lateral movement, and the complete lack of visibility into these third-party connections. This is a direct challenge to the common belief that simply having an identity and access management (IAM) solution is sufficient, as IAM often trusts OAuth tokens by design. The article thus compels organizations to shift their focus from protecting the network perimeter to continuously monitoring the permissions, configurations, and behavioral patterns within and across their interconnected cloud applications.

The proposed solution, Dynamic SaaS Security from the article’s publisher, Reco, frames the next necessary evolution in defense. It details a multi-layered strategy that directly counters each attack vector by providing instant discovery of risky SaaS-to-SaaS connections, continuous monitoring of OAuth token usage, and cross-SaaS threat detection.¹ For security professionals, this translates into actionable steps: prioritizing the active scanning and removal of secrets and API keys embedded in SaaS environments and implementing real-time behavioral policies that look for anomalous activity that spans multiple applications.² Ultimately, the Salesloft-Drift breach is presented not just as a news event, but as a watershed moment proving that static, siloed security is obsolete in the era of hyper-connected cloud workflows.

Projects
- TryHackMe – IDS Fundamentals – Complete
- TryHackMe – Vulnerability Scanner Overview – In Progress
Videos

Articles
- Discord discloses data breach after hackers steal support tickets – Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider.
- CometJacking: One Click Can Turn Perplexity’s Comet AI Browser Into a Data Thief – Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity’s agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.
- ParkMobile pays… $1 each for 2021 data breach that hit 22 million – ParkMobile has finally wrapped up a class action lawsuit over the platform’s 2021 data breach that hit 22 million users.
- Hacking group claims theft of 1 billion records from Salesforce customer databases – A notorious predominantly English-speaking hacking group has launched a website to extort its victims, threatening to release about a billion records stolen from companies who store their customers’ data in cloud databases hosted by Salesforce.
- The Salesloft-Drift Breach: Analyzing the Biggest SaaS Breach of 2025 – Supply chain attacks that exploit unmonitored SaaS-to-SaaS integrations affect ten times more companies than traditional credential-based breaches.
- DraftKings warns of account breaches in credential stuffing attacks – Sports betting giant DraftKings has notified an undisclosed number of customers that their accounts had been hacked in a recent wave of credential stuffing attacks.
- California enacts law giving consumers ability to universally opt out of data sharing – California Gov. Gavin Newsom on Wednesday signed a bill which requires web browsers to make it easier for Californians to opt-out of allowing third parties to sell their data.
- Fake ‘Inflation Refund’ texts target New Yorkers in new scam – An ongoing smishing campaign is targeting New Yorkers with text messages posing as the Department of Taxation and Finance, claiming to offer “Inflation Refunds” in an attempt to steal victims’ personal and financial data.
October 13, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 4/14/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured Analysis

Featured article analysis: CVE, global source of cybersecurity info, was hours from being cut by DHS

This near-miss scenario involving the potential defunding of the CVE program by the DHS serves as a stark reminder of the precarious nature of critical cybersecurity infrastructure. The article highlights the indispensable role the CVE repository plays as the bedrock of vulnerability management. The cascading effects described by Brian Martin – the fragmentation of vulnerability data, the rise of incomplete databases, and the increased exposure of organizations – underscore the global reliance on this standardized system for identifying, tracking, and addressing security flaws. The fact that even this foundational element was at risk of disruption due to governmental budgetary shifts and political headwinds should galvanize the community to recognize the need for more resilient and independent stewardship of such vital resources.

The swift action by CVE board members to establish the CVE Foundation as a nonprofit represents a proactive and commendable step towards ensuring the long-term stability of the program. This move acknowledges the inherent vulnerabilities of relying solely on government funding and demonstrates a commitment to the cybersecurity ecosystem’s well-being. The involvement of major tech players and international organizations as CNAs further emphasizes the collaborative and global nature of vulnerability disclosure and management that the CVE program facilitates.

Projects
- TryHackMe – Networking Secure Protocols – In Progress
Videos

Articles
- Don’t delete that mystery empty folder. Windows put it there as a security fix – Copilot vibe coding for OS development? Why not
- Hertz confirms customer info, drivers’ licenses stolen in data breach – Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks.
- China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure – China admitted in a secret meeting with U.S. officials that it conducted Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
- 1.6 Million People Impacted by Data Breach at Laboratory Services Cooperative – Laboratory Services Cooperative says the personal and medical information of 1.6 million was stolen in an October 2024 data breach.
- National Social Security Fund of Morocco Suffers Data Breach – Threat actor ‘Jabaroot’ claims breach of National Social Security Fund of Morocco, aiming to steal large volumes of sensitive citizen data.
- AI hallucinations lead to a new cyber threat: Slopsquatting – Attackers can weaponize and distribute a large number of packages recommended by AI models that don’t really exist.
- Notorious image board 4chan hacked and internal data leaked – Notorious internet forum 4chan was hacked on Tuesday.
- CVE, global source of cybersecurity info, was hours from being cut by DHS – The Common Vulnerability and Exposures, or CVE, repository holds the answers to some of information security’s most vital questions. Namely, which security issue are we talking about, exactly, and how does it work?
- Cisco Webex bug lets hackers gain code execution via meeting links – Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
- The Shadow AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools – With unapproved AI tools entrenched in daily workflows, experts say it’s time to shift from monitoring to managing Shadow AI use across the enterprise.
- Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Cybersecurity researchers are warning of a “widespread and ongoing” SMS phishing campaign that’s been targeting toll road users in the United States for financial theft since mid-October 2024.
Podcasts
April 21, 2025
What’s New in Cybersecurity This Week: Projects, Videos, Articles & Podcasts I’m Following – 3/31/25
Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.

Featured article analysis

This weeks feature article analysis is from: https://www.bleepingcomputer.com/news/security/toll-payment-text-scam-returns-in-massive-phishing-wave/

This recent E-ZPass smishing campaign highlights several evolving tactics cybercriminals are employing to bypass security measures and exploit user trust. The attackers leverage high-volume, automated messaging systems originating from seemingly random email addresses, a method designed to circumvent standard carrier-based SMS spam filters that primarily target phone numbers. By impersonating official bodies like E-ZPass or the DMV and instilling a false sense of urgency with threats of fines or license suspension, they effectively employ social engineering. A particularly noteworthy technique involves instructing users to reply to the message, cleverly bypassing Apple iMessage’s built-in protection that disables links from unknown senders. This user interaction effectively marks the malicious sender as “known,” activating the phishing link and demonstrating how attackers exploit platform features and user behavior in tandem.

The sophistication extends beyond the delivery mechanism, with the phishing landing pages themselves designed to appear legitimate and, significantly, often configured to load only on mobile devices, evading desktop-based security analysis. The sheer scale suggests the involvement of organized operations, potentially utilizing Phishing-as-a-Service (PaaS) platforms like the mentioned Lucid or Darcula. These services specialize in abusing modern messaging protocols like iMessage and RCS, which offer end-to-end encryption and different delivery paths, making detection harder and campaign execution cheaper than traditional SMS. This underscores the ongoing challenge for defenders: attacks are becoming more targeted, evasive, and leverage platform-specific features, necessitating continuous user education (don’t click, don’t reply, verify independently) alongside technical defenses and prompt reporting to platforms and authorities like the FBI’s IC3.

Projects
- TryHackMe – Networking Core Protocols – Complete
- TryHackMe – Networking Secure Protocols – In Progress
Videos

Articles
- Twitter (X) Hit by 2.8 Billion Profile Data Leak in Alleged Insider Job – Massive Twitter (X) profile data leak exposes details of 2.8 billion users; alleged insider leak surfaces with no official response from the company.
- Fake Snow White Movie Torrent Infects Devices with Malware – Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has ever released. It’s such an embarrassment that the movie isn’t even available on Disney’s own streaming platform, Disney+.
- T-Mobile Coughed Up $33 Million in SIM Swap Lawsuit – T-Mobile paid $33 million in a private arbitration process over a SIM swap attack leading to cryptocurrency theft.
- FBI and DOJ seize $8.2 Million in romance baiting crypto fraud scheme – The U.S. DOJ seized over $8.2 million in USDT stolen through ‘romance baiting’ scams, where victims are tricked into fake investments promising high returns.
- OpenAI just made its first cybersecurity investment – Generative AI has vastly expanded the toolkit available to hackers and other bad actors. It’s now possible to do everything from deepfaking a CEO to creating fake receipts.
- UK’s attempt to keep details of Apple ‘backdoor’ case secret… denied – Last month’s secret hearing comes to light
- Food giant WK Kellogg discloses data breach linked to Clop ransomware – US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks.
- Google Pushing ‘Sec-Gemini’ AI Model for Threat-Intel Workflows – Experimental Sec-Gemini v1 touts a combination of Google’s Gemini LLM capabilities with real-time security data and tooling from Mandiant.
- A member of the Scattered Spider cybercrime group pleads guilty – A 20-year-old man linked to the Scattered Spider cybercrime group has pleaded guilty to charges filed in Florida and California.
- Oracle privately notifies Cloud data breach to customers – Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach.
- Expert used ChatGPT-4o to create a replica of his passport in just 5 minutes bypassing KYC – A researcher used ChatGPT-4o to create a replica of his passport in just five minutes, realistic enough to deceive most automated KYC systems.
- 39 Million Secrets Leaked on GitHub in 2024 – GitHub has announced new capabilities to help organizations and developers keep secrets in their code protected.
- North Korea’s IT Operatives Are Exploiting Remote Work Globally – The global rise of North Korean IT worker infiltration poses a serious cybersecurity risk—using fake identities, remote access, and extortion to compromise organizations.
- One of the last of Bletchley Park’s quiet heroes, Betty Webb, dies at 101 – Tip-lipped for 30 years before becoming an ‘unrivaled advocate’ for the site
April 7, 2025
Smishing Example
What is Smishing?

Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.

I received this lately and I wanted to share it so you see a real-life example. I’ve blocked out the link for safety.

I did not go to this website, but you can bet they copied the look of USPS’s website along with a login page. This login page will not work for you to login, because this is a fake site. What it will do is capture you’re password and email.

So what, right? No harm done. Well here is another term to learn. Credential stuffing.

What is Credential Stuffing?

Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts.

Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.
https://owasp.org/www-community/attacks/Credential_stuffing

This is exactly what these bad guys or hackers will do. They might also sell the list that they get to other hackers. which will then in turn try the same thing. So use a password manager and don’t use the same password on more than one site. Don’t click on anything you are not expecting. If you’re unsure, contact the source directly. In this case, I am not expecting anything from USPS, and I see so many red flags on this I know it is smishing.

Those red flags are:
- I’m not expecting it.
- The senders address – It is not usps.gov which is what I would expect instead it is ups.gidaew24lw@usps.tw. What the heck is that?!
- The URL didn’t make sense either. I would expect usps.gov, but it is a .com and it wasn’t usps.com either. So strange, right?
November 10, 2023