Transcript
A (0:00)
TikTok videos push malware using ClickFix attacks, Europol shuts down a SIM farm powering 49 million bots, and Microsoft discloses a critical 9.9 ASP.NET Core vulnerability. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started. Cybercriminals are at it again, this time turning TikTok into a delivery system for information-stealing malware. Security researcher Xavier Mertens, an ISC handler, recently spotted a campaign that's been circulating since at least May. It's the same kind of activity that Trend Micro warned about earlier this year, but this time the bad guys have gotten creative with how they're delivering their lures. They're using short TikTok videos that pretend to offer free activation guides for popular software like Windows, Microsoft 365, Photoshop, Premiere, and Discord Nitro, even access to fake premium services like Netflix or Spotify. Each video promises viewers a quick way to unlock software without having to pay for it. But instead of legitimate advice, what users get is often far more dangerous. The trick leverages what's known as ClickFix. It's a social engineering tactic that shows people what looks like a harmless fix or command. The video often features a short PowerShell command that users are told to enter using the Windows command prompt, and they're asked to run it as administrator, supposedly to activate the software. But instead, the command connects their computer to a malicious server, downloads a further malicious PowerShell script, and usually leads to the infection of their device. Depending on which software the video is impersonating, the URL can change, so the fake Photoshop guide links to Photoshop, while the fake Windows video links to Windows. For example, the script downloads two executables from Cloudflare Pages, and the first one is a variant of Aura Stealer, a well-known infostealer.
The malware quietly raids systems for saved browser passwords, authentication cookies, crypto wallets, and stored credentials for apps like Discord or Steam. Once it's done, it uploads all that data to the attacker, giving them access to accounts, money, and identity. Mertens also found the infection chain includes a second payload called source.exe, which uses Microsoft's built-in Visual C compiler to compile and inject new code. What the extra code does isn't exactly clear, but it's safe to assume it's not good. If someone has followed these steps or run any PowerShell commands they found in a random TikTok or YouTube video, they should assume their credentials are compromised. Make sure passwords are changed right away, and if passwords are reused, change them everywhere. By the way, don't reuse passwords. If you're an IT admin and you can't lock down administrative rights to devices for your users, it is vital you educate your team to never copy and paste commands from the Internet into Command Prompt or, for a Mac, Terminal. Law enforcement in Europe has scored a major win against organized cybercrime, taking down a massive SIM farm network that helped criminals create tens of millions of fake online accounts. Europol says the coordinated operation, codenamed Operation SIM Cartel, disrupted a sophisticated cybercrime-as-a-service platform used for everything from phishing and investment fraud to smishing, extortion, and even the distribution of child sexual abuse material. The takedown was truly international. Police in Austria, Estonia, Finland, and Latvia, working with Europol and Eurojust, carried out 26 searches, arrested seven suspects, and seized 1,200 SIM box devices containing around 40,000 active SIM cards. Authorities also seized five servers and took over two domains, gogetsms.com and apisim.com, which now display Europol seizure banners. Investigators froze nearly €700,000 in assets, including bank accounts and crypto wallets, and seized some luxury cars.
According to Europol, this network was behind more than 49 million accounts created across social media and communications platforms worldwide. Those accounts were used to hide identities, run fraud, and lure victims into everything from bogus investment opportunities to family member impersonation scams on WhatsApp. The criminal platform offered phone numbers from over 80 countries, real registered SIMs that criminals could rent or buy in order to appear legitimate. It marketed itself as a service for, quote, temporary phone numbers, end quote, to receive verification codes for more than 160 online services. It even encouraged users to monetize their own SIM cards, turning them into passive income generators for every SMS message received. Behind that facade, it was a fully operational fraud engine, selling anonymity and scale to anyone willing to pay. This is the second major bust of a massive SIM farm in the last month. In September, US authorities uncovered another massive SIM farm operation in New York City capable of sending tens of millions of text messages per minute, enough to potentially overwhelm parts of the US mobile network. That farm was reportedly linked to swatting campaigns and large-scale SMS fraud, using many of the same technologies found in the Europol case: SIM boxes, automation servers, and rented cellular identities. While the New York bust raised alarms about infrastructure disruption, Europe's SIM Cartel operation shows the other side of the coin: how this technology fuels the global fraud economy, creating fake accounts by the millions and weaponizing telecommunications infrastructure for deception at tremendous scale. Together, these stories paint a clear picture. The tools of telecommunications fraud have gone global, have been industrialized, and are accessible to anyone with a credit card and an Internet connection. For businesses and users alike, this story underscores how easy it is now to fake a digital identity.
A single service like GoGetSMS provided the raw material for potentially billions of fake logins, fraudulent messages, and scam calls. And because these accounts use real phone numbers, they can slip by many verification systems that still rely on SMS-based authentication. As long as SIM farming technology remains cheap and scalable, criminals will keep exploiting the gap between identity and verification. Microsoft has released an emergency patch for what it's calling the most severe ASP.NET Core vulnerability it's ever disclosed, a flaw so serious it received a massive CVSS score of 9.9 out of 10. The bug, tracked as CVE-2025-55315, affects the Kestrel web server, the engine that powers millions of web applications built with ASP.NET Core. In simple terms, the vulnerability lets an attacker smuggle malicious web requests past normal security checks and potentially act as another user, even one with higher privileges. The problem comes down to how ASP.NET Core interprets HTTP requests. These are the fundamental messages that connect browsers and web servers. When those requests aren't handled consistently or properly, an attacker can sneak a second, hidden request inside what looks like a legitimate one, a technique known as HTTP request smuggling. Once that happens, they can bypass authentication, dodge CSRF protections, or even inject malicious data into backend systems. Barry Dorrans, Microsoft's security lead for ASP.NET Core, described it like this, quote: an attacker could use this vulnerability to log in as a different user, bypass cross-site scripting, request forgery checks, or perform injection attacks. That sounds bad, and it is. But he also stressed that the actual risk depends heavily on how the applications were written and deployed. If your app didn't cut corners on validation or access control, the exposure may be more limited.
How vulnerable apps were designed, and how much preventative security was in play, has created a bit of confusion on whether this 9.9 vulnerability is truly as bad as Microsoft is making it out to be. Developers have been asking, if the risk is conditional, why give it a near-perfect 9.9? Dorrans clarified that Microsoft's approach to scoring measures the potential impact, not just the likelihood. The key phrase here is a security feature bypass, which changes scope, even if most real-world apps won't see the worst-case scenario. The score reflects what could happen if everything lined up the wrong way. The vulnerability hits all supported versions of ASP.NET Core from 8 to 10, and even legacy version 2.3, which still runs on the Windows-only .NET Framework. If you're running any of the vulnerable versions, get patching. If your applications are framework-dependent, patching the server itself can go a long way. But if they're self-contained deployments, where the runtime is bundled into the app, you'll need to rebuild and redeploy those apps manually. Those who invested in proactive security by design will definitely reap rewards on this particular vulnerability. If your applications sit behind a reverse proxy or API gateway, those may already strip out malformed or smuggled HTTP requests before they even reach Kestrel. But if your ASP.NET Core apps face the Internet directly, Microsoft says you should patch right now. There's no evidence this flaw is being exploited in the wild yet, but we know, and history shows, that once patches are public, proof-of-concept exploits follow quickly. Again, we go back to the research from ESET. Probably within 15 minutes of this going public, it's already probably being exploited. Treat it with due care. Dorrans summed it up best: only you can evaluate the risk to your application, but the cautious approach is to patch as soon as possible.
Before we wrap up today's episode, a thank you to everyone who reached out after last week's episode to share their stories about how they're helping raise security awareness in their local communities. A shout out to the team at Gardley Security in Whitby, Ontario, who recently hosted their second public awareness session at Simcoe Hall in the Durham region. Thank you, Isaac Wanzama, for sharing the story, and well done to the presenter, security analyst James Ebo. Also, kudos to Stigs Andreas Gad in Denmark for delivering two sessions to his local community, including ones that focused on AI and deepfakes. Last but not least, an honorable mention and a shout out to the People's Call Center. I hadn't heard about this initiative until Charlie Beal reached out to me, and the effort here with the People's Call Center is awesome. They want to waste fraudsters' time, discover their digital infrastructure, and work to shut it down where they can. This year's event took place in the summer and moved from the US to London, England. I've included a video link about the People's Call Center and the recent efforts in the show notes. Well done to all the participants, and a special shout out to Matthew Caldwell, a colleague of Charlie's and an anti-fraud expert with AnyDesk. AnyDesk is one of the major supporters of the People's Call Center. Awesome job, everyone. And if your organization is doing cybersecurity awareness work in the community, or you know someone who is and want to give them a shout out, let me know via LinkedIn or drop me a note through technewsday.com. I'd love to highlight even more examples of this all month long. And most importantly, to everyone listening who's out there in the community helping raise awareness: well done. Thank you for doing that. Those are your updates for Monday, October 20th, and a nod here to the continued solid work by law enforcement.
From the recent takedown of BreachForums to last week's bust by Europol, police have had a number of significant wins in 2025. Remember, you can help them. Reporting cybercrime helps with the momentum here and helps lead to these big busts. Do your part and report, so that police and others can do theirs and fight back against cybercrime. We're always interested in your opinion, and you can contact us at technewsday.com or leave a comment under the YouTube video. I've been your host, David Shipley. Jim Love will be back on Wednesday.
