I've noticed on some scam forums and subreddits I frequent that scammers have been using target sites' own support searches to redirect users to scam phone numbers.
On both Ticketmaster and Facebook, and many other sites, when you perform a search on their support site it spits back your query in big letters at the top of the page. If you craft the correct search and then buy Google Ads pretending to be Ticketmaster, then you can redirect users to your call center and scam them. And because the link for your ad actually links to Ticketmaster, the ad passes validation and appears to be a legit link in the eyes of Google.
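The reflected-search trick above is something an ad reviewer or a help-centre operator can screen for on their own side: if a landing URL carries a search query that reads like instructions to phone a number, it is not a normal support search. The following is an added example, not code from the thread or from any of the sites named in it; the host name, the list of query-parameter names and the sample URLs are constructed assumptions.

```python
"""Flag support-search landing URLs whose reflected query carries a phone
number and a call-to-action. Added example; hosts and parameter names are
assumptions, not taken from any real help centre."""
import re
from urllib.parse import urlparse, parse_qs

# Query-string parameters that help-centre searches commonly echo back
# into the page heading (assumption: real sites may use other names).
QUERY_PARAMS = ("query", "q", "search", "term")

# Loose phone-number shape: optional +, then 8+ digits with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

# Words that turn a reflected string into an instruction for the reader.
CALL_RE = re.compile(r"\b(?:call|dial|phone|contact|helpline|support number)\b", re.I)


def extract_query(url: str) -> str:
    """Return the search text carried by a support-search URL, or '' if none."""
    params = parse_qs(urlparse(url).query)
    for name in QUERY_PARAMS:
        values = params.get(name)
        if values and values[0].strip():
            return values[0].strip()
    return ""


def classify_landing_url(url: str) -> dict:
    """Rate a landing URL: 'high' if the reflected query contains both a phone
    number and a call-to-action, 'medium' for a bare digit run, else 'low'."""
    query = extract_query(url)
    # Normalise each phone-like match to digits (keep a leading +).
    phones = [re.sub(r"[^\d+]", "", m) for m in PHONE_RE.findall(query)]
    call_to_action = bool(CALL_RE.search(query))
    if phones and call_to_action:
        risk = "high"
    elif phones:
        risk = "medium"
    else:
        risk = "low"
    return {"url": url, "query": query, "phones": phones,
            "call_to_action": call_to_action, "risk": risk}


# Constructed sample landing URLs (help.example.com is a placeholder host).
SAMPLE_URLS = [
    "https://help.example.com/hc/en-us/search?utf8=%E2%9C%93&query=refund+for+cancelled+event",
    "https://help.example.com/hc/en-us/search?query=order+number+1234567890",
    "https://help.example.com/hc/en-us/search?query=Don%27t+recognize+this+charge%3F"
    "+Call+us+at+0800+000+0000",
]


def scan(urls):
    """Return (url, risk) pairs for a batch of landing URLs."""
    return [(r["url"], r["risk"]) for r in map(classify_landing_url, urls)]


if __name__ == "__main__":
    for url, risk in scan(SAMPLE_URLS):
        print(risk.upper().ljust(6), url)
```

A bare digit run (an order number, say) only reaches "medium", because the thing that makes the reflected text dangerous is the instruction to call; reviewing "high" hits by hand keeps the false-positive rate manageable. The same check belongs on the help-centre side too, where the simplest fix is to stop rendering the raw query as a page heading at all.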
So, I craft a search where the search query is “call 1 800 scam”, then I buy a Google ad with the keyword “ticketmaster help”, the ad links to real Ticketmaster with my query, and Google shows that ad to someone having trouble and hey presto they call my scam line at 4 quid a minute from their mobile?
Yuck all round. I mean ticketmaster is just a sin eater for greedy popstars but yuck ..
I've been seeing similar scams via PayPal. The scammers apparently add the target email address as a forwarding address on a compromised or created-for-purpose email account. And that bouncer email address is signed up for PayPal. So the scam email is actually from PayPal, bounced through some other inbox. The To name and address is of the bouncer email address PayPal sent it to.
One version involves sending money to someone with the PayPal account (so the target might think it was sent from their own account) with a "note" to the transaction recipient, which the target sees, which says PayPal has detected unusual activity and please call this phone number to request a refund.
Another involves a "Your ITEM NAME order is on its way" email where the item being ordered is called something like, "Some Company, Inc: Don't recognize the seller? Call us at SOME PHONE NUMBER".
A third is like the second, except it's a "You paid CURRENCY to SELLER" email. This one has the PayPal user's name at the top, so not as convincing perhaps.
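The common thread in the three PayPal variants above is that the message is genuine (so sender checks pass) but it was never addressed to the person reading it, and its only actionable content is a phone number to call. Both of those are visible in the headers and body, so a mail filter can score them. The code below is an added example, not from the thread or from PayPal; the sender and recipient addresses, phone number and message text are constructed.

```python
"""Score a forwarded payment notification on two signals: whether it was
addressed to the mailbox owner, and whether the body tells the reader to
call a number. Added example; all addresses and content are constructed."""
import email
import re
from email import policy
from email.utils import getaddresses

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)

# Constructed sample: a real-looking payment notice sent to a "bouncer"
# mailbox and forwarded on. payments.example / mailbox.example are placeholders.
SAMPLE_SUSPICIOUS = b"""From: "Payments Service" <service@payments.example>
To: "bouncer" <bouncer-9921@mailbox.example>
Subject: You paid USD 499.00 to Some Company, Inc
Content-Type: text/plain; charset=us-ascii

Note from recipient: Some Company, Inc: Don't recognize this charge?
Call us at 0800 000 0000 to request a refund.
"""

# Constructed benign notice, addressed to the mailbox owner, no phone number.
SAMPLE_BENIGN = b"""From: "Payments Service" <service@payments.example>
To: victim@mail.example
Subject: Your receipt
Content-Type: text/plain; charset=us-ascii

Thanks for your payment. View the details in your account.
"""


def assess_notification(raw: bytes, my_address: str) -> dict:
    """Parse one RFC 5322 message and return the two signals plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    addressed_to_me = my_address.lower() in recipients

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    phones = [re.sub(r"[^\d+]", "", m) for m in PHONE_RE.findall(text)]
    call_instruction = bool(phones) and bool(CALL_RE.search(text))

    reasons = []
    if not addressed_to_me:
        reasons.append("recipient header does not include this mailbox")
    if call_instruction:
        reasons.append("body instructs the reader to call a number")
    return {
        "from": msg.get("From", ""),
        "addressed_to_me": addressed_to_me,
        "call_instruction": call_instruction,
        "phones": phones,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        result = assess_notification(raw, "victim@mail.example")
        print(result["verdict"], "-", "; ".join(result["reasons"]) or "no findings")
```

Neither signal depends on the sender being fake, which is the point: the message can pass SPF and DKIM and still be a lure. The recipient check is the cheaper of the two and catches all three variants, since in each one the To address is the bouncer mailbox rather than the reader.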
A family member fell for this while trying to recover their hacked fb account. I was around and caught wind of the call and some of the absurd steps (absurd to me, anyways) they were proposing and pulled the plug on the "support" call. The phone number was in what seemed to be a cached result of a bad search or something. '"Call us at xxx-xxxx..." not found' is what I saw. (Finding a real support number is either difficult or impossible, which makes this a good trap)
No surprise, having worked in edu the following scenario was very common:
1) Researcher gets a grant for a project
2) Grad student sets up a Drupal site for the project
3) Things are maintained and updated for a couple of years
4) Grant runs out, project wraps up, student graduates, everyone forgets about the server which sits unattended and unmaintained.
Still happens, but most universities have really clamped down on the ability to just stand up a web server on the network. Many are requiring everything to be on a centrally managed enterprise CMS which is a PITA but that's the fallout for too much sloppy administration.
At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address. All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
> Norton, Kaspersky, Zscaler, F-secure, NordVPN, Virustotal, Palo Alto: all of them marked these links as safe.
This is sad to see, these tools are forced down so many companies in name of "compliance" while totally not worth the maintenance and cost overhead. Apparently they haven't got any better in the last decade.
I work for a cybersecurity company, and I think that the method they used to check these links with the mentioned security companies was not a reflection of how they detect. I'm sure that many of these companies do not have these domains in their DBs of bad sites but if you were to run these products and then visit the site then heuristic detection would have likely flagged the sites.
Could someone with legal/data-privacy expertise comment on whether this would be something they have to disclose under data breach disclosure laws?
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
These days most "cyber" crimes are committed by corporations against their customers/users (just like most theft is wage theft). These small fish/phish putting sites on exploited servers are a drop in the bucket. It is sad when some university resource gets shut down because they didn't maintain it after the grad student that set it up graduates though. We really need to teach the people that set up these things to use .html pages instead of dynamic languages and databases.
I have been advised not to disclose specific vulnerabilities since the parties involved are not most friendly and transparent in handling security reports. While most of these got reported and some even got fixed, I can only disclose high-level details of the compromise path. Some just ghosted me after conveniently fixing the flaws, and one even gave me a phone call, which was somewhat scary and perhaps not worth the adrenaline.
What an unprofessional sysadmin move, borderline infuriating.
I am surprised no one mentioned using LLMs to spell and grammar check their emails and vibe-code bank landing-pages to continue a more polished version of scamming elderly people out of their life savings.
Is it just me or is cybersecurity... Calming down? I feel like a few years ago there was constant news of ransomware, intrusions, vulnerabilities, etc, but more recently the defensive side seems to have the upper hand.
You only hear about the offensive side winning when the company can't prevent it from leaking. Rest assured, the only thing "calming down" in cybersecurity is the nihilism that nothing involving a human will ever be secure.
Not particularly. The only thing I have noticed in the past decade is the decline of the "American Hacker". Most groups are foreign but will partner with younger Americans for social engineering (ex. Scattered Spider). You just don't have people like Albert Gonzalez/Stephen Watt in America now. However, I suspect that many American hackers have shifted to targeting overseas countries that are not friendly with the US.
damn, i remember seeing old servers just getting dusty and full of holes after the student left. kinda crazy how much messy stuff is hiding in corners like that lol
fckgw|10 months ago
Example of a crafted search term: https://help.ticketmaster.com/hc/en-us/search?utf8=%E2%9C%93...
lifeisstillgood|10 months ago
Cyphase|10 months ago
temp0826|10 months ago
pnw|10 months ago
madacol|9 months ago
levocardia|10 months ago
redeux|10 months ago
RGamma|10 months ago
SoftTalker|10 months ago
> Outdated Wordpress plugins and CMS systems
semi-extrinsic|10 months ago
kevin_thibedeau|10 months ago
notyourwork|10 months ago
We could also get external ips and connectivity without much supervision. Core security needs to be prioritized to avoid this from happening.
leftcenterright|10 months ago
markbeare|10 months ago
Muromec|10 months ago
charcircuit|10 months ago
DyslexicAtheist|10 months ago
gta 5 site:europa.eu https://www.google.com/search?q=gta+5+site%3Aeuropa.eu&hl=en
Watch full site:europa.eu https://www.google.com/search?q=Watch+full+site%3Aeuropa.eu&...
leftcenterright|10 months ago
b0m|10 months ago
So, fixed now?
superkuh|10 months ago
neffy|10 months ago
3abiton|10 months ago
wood_spirit|10 months ago
tim333|10 months ago
kazinator|9 months ago
yapyap|10 months ago
It’s very interesting to look at from the outside, thanks for sharing.
ValdikSS|10 months ago
mhuffman|10 months ago
curiousgal|10 months ago
Alex-Programs|10 months ago
candiddevmike|10 months ago
chelmzy|10 months ago
pjc50|10 months ago
gitroom|10 months ago