Cybersecurity News: Google OAuth abused, Japan’s trading scams, hijacking with Zoom

Google OAuth abused in DKIM replay attack

Developer Nick Johnson received what looked like a genuine Google security alert: it showed a “no-reply@google.com” sender, passed signature checks, and Gmail threaded it with his other security alerts. The only giveaway was that the “support portal” it linked to was hosted on sites.google.com, where anyone can publish pages. Johnson worked out how it was done: the sender registered a domain, created a Google account for a me@ address on that domain, then created a Google OAuth app whose name was the entire phishing message, white space included. Granting that app access to the account makes Google send a genuine, DKIM-signed security alert to the me@ mailbox, which the attacker then relays to targets. Because DKIM signs the message body and selected headers, not the SMTP envelope, the forwarded copy still passes signature validation in the recipient’s inbox. We saw a similar technique used to target PayPal accounts last month.

(Bleeping Computer)
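The following is an added example, not code from the article or from Johnson’s write-up. It shows the kind of heuristic a mail-security team can run over messages that already passed DKIM: a replayed alert carries a valid, aligned Google signature, but if the To: header was among the signed headers it still names the attacker’s me@ mailbox rather than the victim, and the relaying hop supplies its own MAIL FROM domain. The message samples, domains, selectors and signature values below are constructed placeholders; the only real API used is Python’s standard `email` package.

```python
"""Heuristic check for DKIM replay: a message whose DKIM signature verifies and
aligns with the From: domain, but whose signed To: header names a mailbox other
than the one that received it, delivered by an unrelated SMTP sender domain."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value ('v=1; a=rsa-sha256; ...') into a tag dict."""
    tags = {}
    for part in sig_value.split(";"):
        tag, sep, val = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def domain_of(addr):
    """Lower-cased domain part of an address, tolerating display names."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def replay_indicators(raw, delivered_to=None):
    """Return replay indicators for one raw RFC 5322 message.

    delivered_to is the mailbox that actually received the message. If the
    caller does not pass it, the Delivered-To header that the receiving MTA
    (e.g. Gmail) adds is used instead.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    sig = parse_dkim_tags(str(msg.get("DKIM-Signature", "")))
    delivered_to = (delivered_to or str(msg.get("Delivered-To", ""))).strip().lower()

    dkim_pass = re.search(r"\bdkim=pass\b", auth) is not None
    from_domain = domain_of(str(msg.get("From", "")))
    # DMARC-style alignment: the d= signing domain equals the visible From: domain.
    dkim_aligned = dkim_pass and sig.get("d", "").lower() == from_domain

    # If 'to' is among the signed headers, the relay cannot rewrite it to the
    # victim's address without breaking the signature, so it still names the
    # mailbox Google originally sent the alert to.
    signed_headers = [h.strip().lower() for h in sig.get("h", "").split(":")]
    to_addrs = [a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])]
    recipient_mismatch = "to" in signed_headers and delivered_to not in to_addrs

    # The replaying relay sends with its own MAIL FROM; SPF may even pass for
    # that domain, but it does not align with From:.
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    mailfrom_domain = domain_of(m.group(1)) if m else ""
    envelope_mismatch = bool(mailfrom_domain) and mailfrom_domain != from_domain

    return {
        "dkim_pass": dkim_pass,
        "dkim_aligned": dkim_aligned,
        "recipient_mismatch": recipient_mismatch,
        "envelope_mismatch": envelope_mismatch,
        "suspicious": dkim_aligned and recipient_mismatch and envelope_mismatch,
    }


# Constructed sample messages. Domains, selectors, hashes and signature values
# are placeholders; these are not captured messages from the reported campaign.
REPLAYED = b"""Delivered-To: victim@example.test
Authentication-Results: mx.example.test; dkim=pass header.i=@google.com;
 spf=pass smtp.mailfrom=me@attacker-example.test; dmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=placeholder;
 h=from:to:subject:date:message-id; bh=placeholderbodyhash; b=placeholdersig
From: Google <no-reply@google.com>
To: me@attacker-example.test
Subject: Security alert
Date: Mon, 21 Apr 2025 10:00:00 +0000
Message-ID: <constructed-1@google.com>

Your Google Account was granted access to an application.
"""

LEGIT = b"""Delivered-To: victim@example.test
Authentication-Results: mx.example.test; dkim=pass header.i=@google.com;
 spf=pass smtp.mailfrom=no-reply@google.com; dmarc=pass header.from=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=placeholder;
 h=from:to:subject:date:message-id; bh=placeholderbodyhash; b=placeholdersig
From: Google <no-reply@google.com>
To: victim@example.test
Subject: Security alert
Date: Mon, 21 Apr 2025 10:00:00 +0000
Message-ID: <constructed-2@google.com>

Your Google Account was granted access to an application.
"""

if __name__ == "__main__":
    for name, raw in (("replayed", REPLAYED), ("legit", LEGIT)):
        print(name, replay_indicators(raw))
```

The check deliberately does not re-verify the signature; it trusts the receiving MTA’s Authentication-Results and looks for the contradictions a replay leaves behind. It is a heuristic, not proof: legitimate forwarding and mailing lists produce the same recipient mismatch, so treat a hit as a reason to inspect the message, not to reject it outright.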

Japan warns of sharp rise in unauthorized trading

Japan’s Financial Services Agency (FSA) said that as of April 16th, 12 securities firms had reported roughly $350 million in unauthorized trades across more than 1,400 incidents. The surge is driven by customer credentials harvested through phishing sites and then bought and sold among criminals. The regulator said the typical pattern is to sell the stocks a victim holds and use the proceeds to buy Chinese stocks. The FSA noted that brokerages will cover the losses suffered by customers.

(The Record)

North Koreans hijacking Zoom’s Remote Control

Zoom’s Remote Control feature lets one participant take control of another participant’s screen during a meeting. The non-profit Security Alliance and the security research firm Trail of Bits issued advisories about North Korean threat actors known as Elusive Comet weaponizing the feature to steal cryptocurrency. The lure is a phishing email inviting the target to speak on a podcast run by Aureon Capital. On a supposed pre-production call where the target is asked to show their work, one of the “organizers” joins with their participant name set to “Zoom” and sends a Remote Control request, so the permission prompt reads like a system notification from the Zoom client itself. If the target accepts, the threat actor uses the session to install infostealer malware that collects browser sessions, password manager vaults, and seed phrases. Zoom administrators can disable the Remote Control setting and lock it at the account level, which removes the prompt entirely.

(Security Week)

Secure by Design leaders leave CISA

Two of the chief architects of CISA’s Secure by Design initiatives announced they were leaving the agency. Senior technical advisor Bob Lord joined CISA in 2022 to head up the initiative. In his departure post, he said he will keep “contributing” to Secure by Design work after a short break. Senior advisor Lauren Zabierek joined CISA in 2023, calling the initiative “one of the most meaningful experiences of my career, one that truly embodies the spirit of public-private partnership and both interagency and international collaboration.” Acting CISA director Bridget Bean said the agency will “continue to urge companies to develop products that are secure by design.”

(CyberScoop)

Huge thanks to our sponsor, Dropzone AI

Security threats don’t clock out at 5 PM, but your analysts need to sleep sometime. Dropzone AI delivers around-the-clock alert investigations with the same attention to detail at midnight as at noon. Our AI SOC Analyst ensures no more morning backlogs and no more off-hours blind spots. Just reliable, continuous protection that ensures every alert gets the attention it deserves, regardless of when it arrives. See how SOC teams are achieving true 24/7 coverage with our AI SOC Analyst without the staffing challenges at Dropzone.ai.

Scallywag using ad-fraud WordPress plugins

The bot detection firm HUMAN released details about a large-scale fraud campaign run by a fraud-as-a-service operation it calls “Scallywag.” Over several years the operation built a set of WordPress plugins that make a site look like an ordinary blog while actually serving as an intermediary in a redirect chain built to generate fraudulent ad impressions. The customers are mostly piracy sites, which cannot run mainstream advertising directly; they send visitors through redirects to the Scallywag-equipped sites, which show the ads and share the revenue. At its peak, Scallywag generated 1.4 billion fraudulent ad requests per day. Once HUMAN mapped the network, it worked with ad providers to stop bidding on its ad requests, which essentially cut off the revenue.

(Bleeping Computer)

Threat actors using a Russian bulletproof hosting provider 

Trustwave SpiderLabs published an analysis showing a surge in malicious activity from IP addresses associated with Proton66, a Russian bulletproof hosting provider. The researchers found that the malware families GootLoader, SpyNote, XWorm, and StrelaStealer, along with the WeaXor ransomware, host various infrastructure components on Proton66. They also observed campaigns from the same ranges attempting to exploit recent zero-days in Palo Alto Networks, Fortinet, and D-Link products. Because the provider ignores abuse reports, the researchers recommend blocking all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66, inbound and outbound.

(Hacker News)
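An added example of how to act on that recommendation; it is not code from Trustwave’s report. It parses a CIDR list, merges adjacent ranges, matches both the source and destination of constructed firewall-log lines against them (inbound hits are scanning or exploitation attempts, outbound hits are internal hosts talking to the provider), and renders an nftables fragment. The ranges shown are RFC 5737 documentation networks used as placeholders; substitute the CIDRs published in the Trustwave report, which are not reproduced here.

```python
"""Block or flag traffic to and from a hosting provider's published CIDR ranges,
the mitigation recommended for Proton66."""
import ipaddress
import re

# Constructed placeholders from the RFC 5737 documentation ranges. Replace them
# with the CIDRs listed in the Trustwave SpiderLabs report; none of the
# provider's actual ranges are reproduced here.
BLOCKLIST_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the /25 above; collapses into one /24
]


def build_blocklist(cidrs):
    """Parse CIDR strings and merge adjacent/overlapping networks per IP version."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def is_blocked(ip, nets):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


# Constructed firewall-log format: key=value pairs with a src and dst address.
LOG_RE = re.compile(r"src=(?P<src>[0-9a-fA-F:.]+)\s+dst=(?P<dst>[0-9a-fA-F:.]+)")


def flag_log_lines(lines, nets):
    """Return (line, direction) for every line whose src or dst hits the blocklist.

    'inbound' means the source is in the list (scanning / exploitation attempts);
    'outbound' means an internal host talked to it (possible C2 or payload fetch).
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if is_blocked(m["src"], nets):
            hits.append((line, "inbound"))
        elif is_blocked(m["dst"], nets):
            hits.append((line, "outbound"))
    return hits


def nft_rules(nets, set_name="blocked_hosting"):
    """Render an nftables fragment that drops inbound and rejects outbound traffic.

    Only IPv4 members are emitted; IPv6 ranges would need a second ipv6_addr set.
    """
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    return f"""table inet filter {{
  set {set_name} {{
    type ipv4_addr
    flags interval
    elements = {{ {v4} }}
  }}
  chain input {{
    type filter hook input priority 0; policy accept;
    ip saddr @{set_name} drop
  }}
  chain output {{
    type filter hook output priority 0; policy accept;
    ip daddr @{set_name} reject
  }}
}}
"""


# Constructed sample log lines; all addresses are documentation or private ranges.
SAMPLE_LOG = [
    "2025-04-21T10:00:01Z action=allow src=203.0.113.45 dst=10.0.0.5 dport=443",
    "2025-04-21T10:00:02Z action=allow src=10.0.0.7 dst=198.51.100.200 dport=8080",
    "2025-04-21T10:00:03Z action=allow src=10.0.0.8 dst=192.0.2.10 dport=443",
]

if __name__ == "__main__":
    nets = build_blocklist(BLOCKLIST_CIDRS)
    for line, direction in flag_log_lines(SAMPLE_LOG, nets):
        print(direction, line)
    print(nft_rules(nets))
```

Run the log matcher over historical traffic before deploying the rules: an outbound hit from before the block went in is a host that may already be compromised, which a drop rule alone will hide.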

Judge limits evidence about NSO Group customers ahead of trial

Ahead of the damages trial in WhatsApp’s lawsuit against NSO Group, Northern District of California Judge Phyllis Hamilton ruled that both parties are prohibited from presenting evidence about the identities of NSO’s customers, including any implication that the people targeted were suspected criminals. In the ruling, Judge Hamilton said NSO cannot present itself as both helping “its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology.” The judge also ruled that WhatsApp cannot introduce evidence from other lawsuits about NSO’s Pegasus spyware, including those related to the death of Washington Post journalist Jamal Khashoggi. The case was first filed in 2019 and is now set to go to trial on April 28, 2025.

(Cyber Scoop)

Microsoft’s latest security progress report

When the Cyber Safety Review Board investigated Microsoft’s 2023 Exchange Online breach, it concluded that the intrusion by China-linked Storm-0558 was “preventable” and the result of a cascade of operational failures, including poor key management, inadequate logging, and a deprioritized security culture. Microsoft launched its Secure Future Initiative (SFI) in response and has now issued its second progress report. According to the report, phishing-resistant MFA now covers 92% of employee accounts, 99% of production assets are inventoried, token validation has moved onto hardened, centrally maintained SDKs, and over 6 million inactive tenants have been removed. The report goes into detail on the technical and cultural shifts in how Microsoft handles security, but the CSRB recommendations on transparency and on refining the victim notification process remain largely incomplete.

(Microsoft)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.