
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, April 22, 2025. I'm Rich Stroffolino.

Google OAuth abused in DKIM replay attack

Developer Nick Johnson received a security alert that seemed to come from Google, with a message showing a noreply@google.com address. Gmail sorted this message with other security alerts, and Johnson only realized it was fishy when it listed a sites.google.com support portal URL. Johnson discovered that the sender registered a domain and created a Google account for a me@domain address, then made a Google OAuth app with the entire phishing message, including whitespace, as the app's name. Because DKIM checks the message and the headers, not the envelope, the email can pass signature validation checks in a recipient's inbox. We saw a similar technique used to target PayPal accounts last month.

Japan warns of sharp rise in unauthorized trading

Japan's Financial Services Agency, or FSA, said that as of April 16, 12 securities firms reported fraudulent transactions totaling about $350 million across over 1,400 fraudulent transactions. This rise comes from stolen customer credentials bought and sold on phishing sites, the regulator said. The general scheme in these cases is to sell stocks held by the victims and then buy Chinese stocks. The FSA noted brokerages will cover losses suffered by customers.

North Koreans hijacking Zoom's remote control

Zoom's remote control feature allows a user to take control of another call participant's screen in a meeting. The nonprofit Security Alliance and the tech research firm Trail of Bits issued advisories of North Korean threat actors known as Elusive Comet weaponizing the feature to steal cryptocurrency. The threat actors send phishing emails that look like invites to speak on a podcast run by Aureon Capital. When invited onto a pre-production call to show work for the show, the organizers will have a participant on the call named Zoom, which will ask for remote control permissions and attempt to look like a system notification. If accepted, the threat actor will install infostealer malware to obtain browser sessions, password manager vaults and seed phrases.

Secure by Design leaders leave CISA

Two of the chief architects of CISA's Secure by Design initiatives announced they were leaving the agency. Senior technical advisor Bob Lord joined CISA in 2022 to head up the initiative. In his departure post, he said he will keep contributing to Secure by Design work after a short break. Senior advisor Lauren Zabierek joined CISA back in 2023, calling the initiative "one of the most meaningful experiences of my career, one that truly embodies the spirit of public-private partnerships and both interagency and international collaboration." Acting CISA Director Bridget Bean said the agency will continue to urge companies to develop products that are secure by design.

And now a huge thanks to our sponsor for today, Dropzone AI. Security threats don't clock out at 5pm, but your analysts need to sleep sometime. Dropzone AI delivers around-the-clock alert investigations with the same attention to detail at midnight as at noon. Their AI SOC analyst ensures no more morning backlogs and no more off-hours blind spots, just reliable, continuous protection that ensures every alert gets the attention it deserves regardless of when it arrives. See how SOC teams are achieving true 24/7 coverage with their AI SOC analyst without the staffing challenges at dropzone.ai. That's D-R-O-P-Z-O-N-E dot AI.

Scallywag using ad fraud WordPress plugins

The bot detection firm Human released details about a large-scale fraud campaign from the fraud-as-a-service operation known as Scallywag. Over the years, this operation created several WordPress plugins designed for sites that appear to be regular blogs but actually act as intermediary sites as part of a redirect process to generate fraudulent ad impressions. These are popular with piracy sites that can't run typical advertising. These will redirect to sites with Scallywag plugins to generate ad revenue. At its peak, Scallywag generated 1.4 billion fraudulent ad requests per day. Once Human detected the network, it worked with ad providers to stop bidding on their ad requests and essentially cut off revenue.

Threat actors using Russian bulletproof hosting provider

Trustwave SpiderLabs published an analysis showing a surge in malicious activity from IP addresses associated with Proton66, a Russian bulletproof hosting provider. The researchers found that the malware families GootLoader, SpyNote, XWorm, StrelaStealer, and the ransomware WeaXor host various infrastructure components on Proton66. They also found campaigns attempting to exploit recent zero-days in Palo Alto, Fortinet and D-Link software. To avoid these threats, the researchers recommend blocking all of the classless inter-domain routing ranges associated with Proton66.

Judge limits evidence about NSO Group customers ahead of trial

Ahead of the trial on damages in the lawsuit between WhatsApp and NSO Group, Northern District of California Judge Phyllis Hamilton ruled that both parties will be prohibited from presenting evidence about customer identities. This includes any implications that those users of WhatsApp were suspected criminals. In this ruling, Judge Hamilton said NSO cannot present itself as both helping its clients fight terrorism and child exploitation and, on the other hand, say that it has nothing to do with what its clients do with the technology. The judge also ruled that WhatsApp cannot bring evidence about other lawsuits about NSO's Pegasus spyware used in relation to the death of Washington Post journalist Jamal Khashoggi. This case was first brought in 2019 and is now set to start trial on April 28, 2025.

Microsoft's latest security progress report

When the Cyber Safety Review Board investigated Microsoft's 2023 Exchange Online breach, it concluded that the intrusion by China-linked Storm-0558 was preventable and the result of a cascade of operational failures, including poor key management, inadequate logging and a deprioritized security culture. Microsoft launched its Secure Future Initiative as a result and has now issued its second progress report on the effort. The report shows that Microsoft implemented phishing-resistant MFA, now covering 92% of employee accounts; 99% of production assets are now inventoried; token validation has shifted to hardened SDKs; and over 6 million inactive tenants have been removed. The progress report goes into details about technical and cultural shifts in how Microsoft handles security, but the CSRB recommendations around transparency and victim notification process refinements remain largely incomplete.

Surveys show that most consumers support data minimization laws. However, the vast majority of security professionals don't think they can convince their boards to see data minimization as a competitive advantage. Why isn't the individual desire for data privacy translating to the corporate level? That's one of the segments we'll dig into in our latest episode of the CISO Series Podcast. Look for "Data Minimization Means We Don't Tell You What We're Collecting" wherever you get your podcasts. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: CISO Series
Podcast: Cyber Security Headlines
Episode Title: Google OAuth Abused, Japan's Trading Scams, Hijacking with Zoom
Release Date: April 22, 2025
Host/Author: Rich Stroffolino
In this episode, Rich Stroffolino discusses a sophisticated phishing attack involving Google OAuth, as highlighted by developer Nick Johnson's recent experience.
At [02:15], Nick Johnson shared, “I received what looked like a legitimate security alert from Google, but something didn’t feel right when it referenced the sites.google.com support portal URL.” Upon closer inspection, Johnson discovered that the attacker had registered a domain and created a Google account for a me@domain address, so that Google's own alert, showing a noreply@google.com sender, could be triggered for it. By naming a Google OAuth app with the entire phishing message, padded with whitespace, the attacker obtained a Google-signed email that passes DKIM signature validation when relayed to victims, since DKIM covers the message and headers, not the envelope.
This technique mirrors a similar attack targeting PayPal accounts last month, indicating a growing trend in exploiting OAuth mechanisms to deceive recipients and bypass security measures.
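A receiver-side triage check for the replay pattern described above, written as an added example and not code from the podcast or from any vendor: it cannot verify the DKIM signature offline (that needs DNS), so it looks at what a relayed message cannot hide, namely an envelope sender (Return-Path) outside the signing domain, a long whitespace run in the body from the padded app name, and a Google-branded alert linking to user-hosted sites.google.com content. The sample message, the 40-character whitespace threshold and the placeholder signature values are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a Google-signed security alert that was relayed through a
# third-party mailbox. Signature values are placeholders, not real DKIM material.
SAMPLE = """\
Return-Path: <forwarder@example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: victim@example.org
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena was served on your account. Review the case at
https://sites.google.com/u/0/d/PLACEHOLDER/p/portal
""" + " " * 60 + "\nGoogle LLC, 1600 Amphitheatre Parkway\n"


def _domain(addr: str) -> str:
    """Lowercase domain of an RFC 5322 address header value, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _under(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def dkim_replay_findings(raw: str) -> list[str]:
    """Return replay indicators found in one message; an empty list means none."""
    msg = message_from_string(raw)
    findings = []
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    d_domain = m.group(1).lower() if m else ""
    ret_domain = _domain(msg.get("Return-Path", ""))
    from_domain = _domain(msg.get("From", ""))
    # 1. A valid signature from d= says nothing about who handed the message to our
    #    MX; the SMTP envelope sender is what the relaying party cannot replay.
    if d_domain and ret_domain and not _under(ret_domain, d_domain):
        findings.append(f"envelope-mismatch: Return-Path {ret_domain} vs d={d_domain}")
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    # 2. The OAuth app name was padded with whitespace to push Google's genuine
    #    footer out of view; 40 consecutive whitespace characters is an assumed cutoff.
    if re.search(r"\s{40,}", body):
        findings.append("whitespace-padding: long whitespace run in body")
    # 3. A Google security alert should not send the user to sites.google.com,
    #    which hosts arbitrary user-created pages.
    if _under(from_domain, "google.com") and "sites.google.com/" in body:
        findings.append("sites-google-link: Google alert points to a sites.google.com page")
    return findings
```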
The episode sheds light on a significant increase in unauthorized trading activities in Japan, as reported by the Financial Services Agency (FSA).
At [03:45], the FSA revealed, “As of April 16, 12 securities firms have reported fraudulent transactions totaling approximately $350 million across over 1,400 incidents.” The fraudulent activities stem from stolen customer credentials acquired through phishing sites. The typical modus operandi involves selling the victims' stocks and purchasing Chinese equities, exacerbating financial losses for the affected individuals.
Importantly, the FSA assured that brokerages would compensate customers for their losses, underscoring the severity of the threat and the regulatory response to safeguard investors.
Rich Stroffolino highlights alarming developments involving North Korean threat actors known as Elusive Comet, who are leveraging Zoom's remote control capabilities to perpetrate cybercrimes.
At [04:30], Stroffolino explains, “These actors send phishing emails masquerading as podcast invites from Aureon Capital. Once a victim joins a pre-production call, an individual named Zoom attempts to gain remote control permissions under the guise of a system notification.” If the victim consents, the attackers deploy infostealer malware designed to harvest browser sessions, password manager vaults, and cryptocurrency seed phrases.
This exploitation of legitimate remote control features underscores the importance of vigilance and proper security protocols during virtual meetings to prevent unauthorized access and data breaches.
The podcast addresses significant personnel changes within the Cybersecurity and Infrastructure Security Agency (CISA) related to the Secure by Design initiative.
At [05:15], it was announced that two chief architects of the initiative are departing. Bob Lord, who joined CISA in 2022 to lead the initiative, stated in his departure post, “I will continue to contribute to Secure by Design work outside the agency.” Similarly, senior advisor Lauren Zabierek, who joined CISA in 2023, remarked, “Secure by Design has been one of the most meaningful experiences of my career, embodying the spirit of public-private partnerships and international collaboration.” Acting CISA Director Bridget Bean affirmed the agency's commitment to promoting secure product development, despite these departures.
The episode delves into a major ad fraud operation orchestrated by the Fraud-as-a-Service group Scallywag, as uncovered by bot detection firm Human.
At [05:50], Stroffolino reports, “Scallywag developed multiple WordPress plugins that disguise sites as regular blogs but function as intermediaries to generate fraudulent ad impressions.” These plugins are particularly attractive to piracy sites unable to run typical advertising. At its peak, Scallywag was generating up to 1.4 billion fraudulent ad requests daily.
Human collaborated with ad providers to identify and block these malicious ad requests, effectively cutting off the revenue streams for the threat actors and mitigating the widespread impact of their fraudulent activities.
Furthering the cybersecurity concerns, the podcast covers a surge in malicious activities traced back to Proton66, a Russian bulletproof hosting provider, based on analysis by Trustwave SpiderLabs.
At [06:25], the report states, “We observed an uptick in malware activities, including GootLoader, SpyNote, XWorm, StrelaStealer, and the ransomware WeaXor, all hosted on Proton66’s infrastructure.” Additionally, there have been attempts to exploit recent zero-day vulnerabilities in Palo Alto, Fortinet, and D-Link software. To counter these threats, the researchers recommend blocking all classless inter-domain routing (CIDR) ranges associated with Proton66.
The episode highlights a pivotal court decision ahead of the high-profile lawsuit between WhatsApp and NSO Group.
At [06:55], Northern District of California Judge Phyllis Hamilton ruled, “Both parties are prohibited from presenting evidence regarding the identities of NSO Group’s customers or implying that WhatsApp users are criminal suspects.” This restriction aims to maintain the focus on the damages at stake without delving into the clients of NSO Group or linking WhatsApp users to criminal activities.
Furthermore, Judge Hamilton decided that WhatsApp cannot introduce evidence from other lawsuits involving NSO’s Pegasus spyware, specifically cases related to the death of Washington Post journalist Jamal Khashoggi. This trial, which originated in 2019, is now set to commence on April 28, 2025.
Rich Stroffolino reviews Microsoft’s latest security advancements following the investigation into the 2023 Exchange Online breach by the Cyber Safety Review Board (CSRB).
At [07:10], Stroffolino summarizes, “The CSRB identified multiple operational failures, including poor key management and inadequate logging, which facilitated the breach by China-linked Storm-0558.” In response, Microsoft launched the Secure Future Initiative, and the current progress report outlines significant improvements: phishing-resistant MFA now covers 92% of employee accounts, 99% of production assets are inventoried, token validation has moved to hardened SDKs, and over 6 million inactive tenants have been removed.
However, the CSRB’s recommendations regarding transparency and refinements to victim notification processes remain largely incomplete. Additionally, surveys indicate a disconnect between consumer support for data minimization laws and the ability of security professionals to advocate for data minimization as a corporate competitive advantage, a topic slated for deeper exploration in the episode.
In the concluding segment, Stroffolino touches upon the prevailing challenge in aligning individual desires for data privacy with corporate data handling practices.
At [07:35], he poses, “Why isn't the individual desire for data privacy translating to the corporate level?” The discussion points to a significant barrier where, despite consumer support for data minimization laws, most security professionals feel unable to persuade their organizational boards to view data minimization as a strategic advantage. This misalignment highlights the ongoing struggle within corporations to prioritize data privacy amidst competing business interests.
This episode of Cyber Security Headlines provides a comprehensive overview of the latest cybersecurity threats and developments, ranging from sophisticated phishing attacks and unauthorized trading scams to significant legal rulings and corporate security advancements. Host Rich Stroffolino breaks down complex issues, offering listeners valuable insights into the evolving landscape of information security.
For more detailed stories and in-depth analysis, visit CISOseries.com.