
Model Context Protocol Security Crisis Deepens as Exposed AI Agents Create Massive Attack Surface


The Model Context Protocol (MCP) continues to face mounting security concerns that show no signs of fading. When vulnerabilities were first highlighted last October, early research already pointed to serious risks. Findings from Pynt indicated that installing just 10 MCP plug-ins results in a 92% likelihood of exploitation, with even a single plug-in introducing measurable exposure.

The emergence of Clawdbot significantly altered the threat landscape. The fast-growing personal AI assistant — capable of managing inboxes and generating code autonomously — operates entirely on MCP. Developers who deployed Clawdbot on virtual private servers without reviewing security documentation may have unintentionally exposed their organizations to the protocol’s full attack surface.

(The project rebranded from Clawdbot to Moltbot on January 27 after Anthropic issued a trademark request over the similarity to "Claude.")

Security entrepreneur Itamar Golan anticipated this trajectory. After selling Prompt Security to SentinelOne for an estimated $250 million last year, he issued a public warning on X this week: "Disaster is coming. Thousands of Clawdbots are live right now on VPSs … with open ports to the internet … and zero authentication. This is going to get ugly."

Subsequent internet scans by Knostic reinforced those concerns. Researchers identified 1,862 MCP servers publicly accessible without authentication. Out of 119 servers tested, every single one responded without requesting credentials.

The implication is straightforward: any function automated by Clawdbot can potentially be repurposed by attackers.

Recent vulnerabilities are not isolated anomalies — they stem from fundamental design choices within MCP. Three major CVEs illustrate this pattern:
  • CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector enabled unauthenticated communication between its web interface and proxy server, making full system compromise possible through a malicious webpage.
  • CVE-2025-6514 (CVSS 9.6): A command injection flaw in mcp-remote — an OAuth proxy downloaded 437,000 times — allowed system takeover when connected to a malicious MCP server.
  • CVE-2025-52882 (CVSS 8.8): Widely used Claude Code extensions exposed unauthenticated WebSocket servers, permitting arbitrary file access and remote code execution.
Three high-severity vulnerabilities within six months, each exploiting different attack vectors, all trace back to the same core issue: authentication in MCP was optional, and many developers treated optional controls as unnecessary.

Further analysis by Equixly found systemic weaknesses across popular MCP implementations. Their review revealed that 43% contained command injection flaws, 30% allowed unrestricted URL fetching, and 22% exposed files beyond intended directories.

Forrester analyst Jeff Pollard summarized the concern in a blog post: "From a security perspective, it looks like a very effective way to drop a new and very powerful actor into your environment with zero guardrails."

The risk is substantial. An MCP server with shell access can enable lateral movement, credential harvesting, and ransomware deployment — all triggered through prompt injection hidden within documents processed by AI agents.

Known Flaws, Slow Mitigation

Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last October, demonstrating how prompt injection could manipulate AI agents into transmitting sensitive files to attacker-controlled accounts.

Anthropic’s launch of Cowork this month extended MCP-based agents to a broader and potentially less security-aware audience. The same vulnerability remains exploitable. PromptArmor recently demonstrated how a malicious document could trick an agent into uploading confidential financial information.

Anthropic’s mitigation guidance states that users should watch for "suspicious actions that may indicate prompt injection."

Investor Olivia Moore of a16z highlighted the broader disconnect after testing Clawdbot over a weekend: "You're giving an AI agent access to your accounts. It can read your messages, send texts on your behalf, access your files, and execute code on your machine. You need to actually understand what you're authorizing."

The challenge is that many users — and many developers — do not fully grasp the scope of access they grant. MCP’s architecture never required them to.

Five Immediate Steps for Security Leaders

Security experts recommend urgent action:
  • Audit MCP deployments immediately. Standard endpoint detection tools often overlook MCP servers because they appear as legitimate Node or Python processes. Specialized visibility is required.
  • Make authentication mandatory. While the MCP specification recommends OAuth 2.1, its SDK does not enforce built-in authentication. All production deployments should require authentication by default.
  • Limit network exposure. MCP servers should bind to localhost unless remote access is strictly necessary and secured. The large number of exposed servers suggests misconfiguration is widespread.
  • Design for inevitable prompt injection. Assume agents will be compromised. Implement access controls accordingly, especially if servers wrap cloud credentials, filesystems, or deployment pipelines.
  • Enforce human approval for sensitive actions. Require explicit confirmation before agents send external communications, delete data, or access confidential resources. AI agents should be treated like fast but literal junior employees who will execute instructions exactly as given.
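The five steps above (and the Equixly findings on command injection, unrestricted URL fetching and files exposed beyond their intended directory) can be expressed as a single policy gate in front of tool execution. The following is an added example written for this page, not code from the MCP SDK or any project named here; the ToolCall shape, tool names, Policy fields and demo token are assumptions of the illustration.

```python
"""Defence-in-depth gate for MCP-style tool calls, covering the failure classes
above: optional auth, paths escaping the intended directory, unrestricted
URL fetching, and sensitive actions running without a human in the loop.
Constructed example: the ToolCall shape, tool names and Policy fields are
assumptions of this illustration, not the MCP SDK's own API."""
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlparse
import hmac


class Denied(Exception):
    """Raised when a tool call violates the deployment's policy."""


@dataclass
class ToolCall:
    name: str
    args: Dict[str, str]
    token: Optional[str] = None      # bearer token presented by the client


@dataclass
class Policy:
    auth_token: str                  # shared secret; mandatory, never optional
    fs_root: Path                    # the only directory file tools may touch
    allowed_hosts: FrozenSet[str]    # hosts fetch_url may contact
    approval_required: FrozenSet[str] = frozenset({"send_email", "delete_file"})
    approver: Callable[[ToolCall], bool] = lambda call: False  # default: nobody approved


def check_auth(call: ToolCall, policy: Policy) -> None:
    """Reject any call without a valid token; constant-time comparison."""
    if call.token is None or not hmac.compare_digest(call.token, policy.auth_token):
        raise Denied("unauthenticated tool call")


def confine_path(user_path: str, root: Path) -> Path:
    """Resolve the requested path and require it to stay inside root.
    An absolute input replaces root in the join and is then rejected below."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise Denied(f"path escapes {root}: {user_path}")
    return candidate


def check_url(url: str, allowed: FrozenSet[str]) -> str:
    """Only http(s) to an explicitly allow-listed host; no fetches to arbitrary hosts."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in allowed:
        raise Denied(f"host not allowed: {url}")
    return url


def gate(call: ToolCall, policy: Policy) -> Dict[str, str]:
    """Return normalised arguments for an allowed call, or raise Denied."""
    check_auth(call, policy)
    args = dict(call.args)
    if call.name in ("read_file", "delete_file"):
        args["path"] = str(confine_path(args["path"], policy.fs_root))
    if call.name == "fetch_url":
        check_url(args["url"], policy.allowed_hosts)
    if call.name in policy.approval_required and not policy.approver(call):
        raise Denied("human approval required")
    return args


def evaluate(calls: List[ToolCall], policy: Policy) -> List[Tuple[str, str]]:
    """Run each call through the gate and record the verdict."""
    verdicts = []
    for call in calls:
        try:
            gate(call, policy)
            verdicts.append((call.name, "allowed"))
        except Denied as exc:
            verdicts.append((call.name, f"denied: {exc}"))
    return verdicts


# Constructed demo data; the token, paths and hosts are placeholders.
DEMO_TOKEN = "constructed-demo-token"
DEMO_POLICY = Policy(
    auth_token=DEMO_TOKEN,
    fs_root=Path("/srv/mcp/workspace"),
    allowed_hosts=frozenset({"api.internal.example"}),
)
DEMO_CALLS = [
    ToolCall("read_file", {"path": "notes/todo.md"}, DEMO_TOKEN),
    ToolCall("read_file", {"path": "../../etc/passwd"}, DEMO_TOKEN),        # traversal attempt
    ToolCall("fetch_url", {"url": "http://api.internal.example/status"}, DEMO_TOKEN),
    ToolCall("fetch_url", {"url": "https://collector.example.invalid/upload"}, DEMO_TOKEN),
    ToolCall("send_email", {"to": "cfo@corp.example", "body": "..."}, DEMO_TOKEN),  # needs approval
    ToolCall("delete_file", {"path": "notes/todo.md"}),                     # no token at all
]

if __name__ == "__main__":
    for name, verdict in evaluate(DEMO_CALLS, DEMO_POLICY):
        print(f"{name:12s} {verdict}")
```

The approver hook is where a real deployment plugs in its confirmation prompt; the default refuses, so a sensitive tool that nobody wired up for approval fails closed rather than open.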
While security vendors quickly capitalized on MCP-related risks, many enterprises lagged behind. Clawdbot adoption surged in Q4 2025, yet most 2026 security roadmaps lack dedicated AI agent controls.

The divide between developer enthusiasm and organizational governance continues to grow. As Golan warned, "This is going to get ugly."

The pressing question is whether organizations will secure their MCP infrastructure before attackers exploit the opportunity.

Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials


A breach turned the AgreeTo plug-in for Microsoft Outlook, originally built for organizing meetings, into a credential harvester that captured more than four thousand logins. Built by a third-party developer and offered through the official Office Add-in Store since late 2022, it was turned against its intended purpose: instead of simplifying calendars, it funneled user data to attackers, quietly capturing credentials under the cover of established trust.

Not every tool inside Office apps runs locally; some pull their content straight from web addresses. AgreeTo's functionality was served from a URL hosted on Vercel. That address stopped receiving updates when the developer walked away, even though people kept using the add-in. With no one maintaining it, the software went silent, yet Microsoft still listed it as available for download. Later, someone with harmful intent took control of the abandoned web endpoint and served malicious content under the app's trusted name: a login screen mimicking Microsoft's design appeared where the real one should have been, according to analysts at Koi Security.

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

Microsoft has removed AgreeTo from the store. Anyone still using the add-in should uninstall it without delay and then change their password. Microsoft was contacted for comment but has not replied so far.

Emerging AI Built Malware Used in Targeted Attacks on Blockchain Engineers


In the shadows of geopolitics, KONNI has been operating quietly for more than a decade, building on its playbook of carefully staged spear-phishing campaigns and political lures targeted at South Korean institutions.


In the past, KONNI's operations followed the fault lines between diplomacy and regional security, targeting government agencies, academic institutions, non-governmental organizations, and individuals involved in inter-Korean affairs. However, new findings from Check Point Research indicate the organization is no longer restricted to this familiar territory.

In a marked departure from its traditional approach, KONNI is currently conducting phishing campaigns targeted at blockchain developers throughout the Asia-Pacific region — including Japan, Australia, and India — signaling the group's intention to expand geographically and recalibrate its strategic approach.

Beyond shifting attention to individuals with access to blockchain infrastructure, the campaign also introduces a novel AI-assisted backdoor, illustrating a refinement of the group's technical capabilities and operational priorities. In Check Point's analysis, the campaign appears to be the product of the North Korean threat group Konni (also tracked as Opal Sleet and TA406), which researchers believe has operational overlaps with activity clusters such as APT37 and Kimsuky.

Since at least 2014, the group has been engaged in espionage operations against South Korean, Russian, and Ukrainian entities, as well as targets in multiple European countries. The telemetry from the recently analyzed samples, however, indicates that the current wave of malware is concentrated in Asia-Pacific, with submissions originating from Japan, Australia, and India.

This confirms the assessment of a deliberate geographic pivot. Infection chains are carefully staged and multilayered, indicating that they are designed to infect in a controlled manner. Victims are given a Discord link that serves a ZIP archive containing a decoy PDF along with a malicious Windows shortcut file (LNK).

By executing the shortcut, an embedded PowerShell loader will be invoked to extract additional components, including a DOCX lure and a CAB archive. Several payload components are contained in the cabinet file, including a PowerShell-based backdoor, two batch scripts for automating User Account Control (UAC), and an executable for bypassing User Account Control. 

When the shortcut is opened, a decoy document is displayed while an embedded batch file executes covertly, so the malicious activity is concealed behind legitimate-looking documentation. The lure content itself indicates that the attackers intend to penetrate development environments, gaining access to infrastructure repositories, API credentials, wallet configurations, and possibly cryptocurrency holdings.

An initial batch script establishes a staging directory for persistent storage, deposits the backdoor and secondary scripts, and configures a scheduled task that runs hourly in order to avoid detection by OneDrive. The procedure then retrieves the PowerShell payloads from disk, decrypts them at runtime, and subsequently removes them from the system to minimize forensic visibility and complicate incident response.

A Check Point Research report further indicated that KONNI's operators have been contacting IT technicians and developers directly, using carefully constructed phishing emails that appear to be legitimate project requirements. It is the firm's belief that the objective is not limited to compromising individual systems, but is intended to gain access to cloud infrastructure, source code repositories, APIs, and blockchain credentials as well. 

It has been reported that a successful compromise results in the deployment of a PowerShell backdoor that is artificial intelligence-assisted, providing persistent access to infected systems and sensitive assets within development environments. The apparent use of artificial intelligence in designing the backdoor is a distinguishing feature of the campaign. 

According to Check Point, the malware's modular architecture, structured formatting, and embedded developer-style comments, including placeholders, indicate that AI tooling was used during development.

Instead of introducing fundamentally new exploitation techniques, it appears that the use of artificial intelligence simplifies the generation of code, accelerates iteration cycles, and enables rapid customization while maintaining established delivery methods. 

Despite the lack of determination of the exact initial access vector, the intrusion chain unfolds through a multi-stage process that uses ZIP archives hosted by Discord's content delivery network. Each archive contains an innocent-looking PDF decoy in addition to a malicious LNK shortcut. 

A shortcut is executed, launching an embedded PowerShell loader that generates an embedded Word document to serve as a distraction, as well as a CAB archive that contains the primary payload components. These include a PowerShell backdoor, two batch scripts, and an executable specifically designed for bypassing User Account Control.

The first batch script prepares the execution environment, establishes persistence by way of scheduled tasks, stages and launches the backdoor, and is then deleted to reduce forensic artifacts. The PowerShell implant performs a number of anti-analysis and sandbox-evasion checks, profiles the host system, and then attempts to elevate its privileges using the FodHelper UAC bypass.

After elevation, the malware executes a secondary batch script that removes the dropped UAC bypass binary, configures Microsoft Defender exclusions for the "C:/ProgramData" directory, and replaces the original scheduled task with an elevated version.

The backdoor maintains remote access by deploying SimpleHelp, a legitimate remote management and monitoring tool. It communicates continuously with a command-and-control server that sits behind an encryption gate filtering out non-browser traffic. This channel is used to transmit system metadata periodically and to execute PowerShell instructions that the server sends to the compromised host.

Given this layered approach, Check Point assesses that the campaign's main purpose is to establish footholds within development ecosystems rather than to target isolated end users. It combines malicious activity with legitimate administrative tooling to reinforce persistence. A compromised development environment can then be leveraged downstream against multiple projects, services, and digital asset platforms.

As the researchers argue, the integration of AI-assisted tooling shows how standardization speeds up malware production while the group continues to rely on proven social engineering strategies. Other North Korea-related operations observed in recent months align with these findings.

A number of campaigns have deployed JavaScript encoded scripts disguised as Hangul Word Processor documents as a means of enabling remote access to Visual Studio Code, while others have distributed LNK files masquerading as PDF documents to deliver the MoonPeak remote access trojan following virtual environment verification.

In 2025, activity associated with the Andariel subgroup used TigerRAT against a European law firm. The update mechanism of a South Korean ERP software vendor was also compromised, allowing the distribution of multiple Trojans — StarshellRAT, JelusRAT, and GopherRAT — to downstream customers.

According to WithSecure, the same ERP vendor was previously used in supply chain intrusions in 2017 and 2024 to propagate malware families including HotCroissant and Xctdoor. Several of the newly identified implants demonstrate technical diversity: JelusRAT, developed in C++, is capable of retrieving plugins from command servers; StarshellRAT, created in C#, supports command execution, file transfers, and screenshot capture; and GopherRAT, developed in Golang, is capable of enumerating file systems, executing commands, and exfiltrating data.

There has been a continuous display of strategic adaptability on the part of North Korea-related threat groups. Several objectives have been pursued by these groups, ranging from theft of cryptocurrency as a form of financial motivation to gathering intelligence aligned with government priorities. 

Through the incorporation of artificial intelligence-assisted development techniques in conjunction with operational flexibility, a sustained evolution in tooling and targeting is evident — particularly in light of adversaries' increasing pursuit of operational areas of high value, such as software supply chains and blockchain ecosystems.

Throughout this campaign, security teams are urged to treat developer workstations, build pipelines, and repository access with the same rigor traditionally reserved for production systems as they represent one of the most strategically valuable attack surfaces in the digital economy. 

Organizations should enforce multifactor authentication on source control and cloud platforms, preferably hardware-backed, restrict local administrative privileges, monitor scheduled task creation and PowerShell execution, and audit endpoint security exclusions to ensure unauthorized changes have not occurred.
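The monitoring recommendation above maps directly onto the staging behaviour described earlier (an hourly scheduled task under ProgramData, a Defender exclusion for C:/ProgramData, and a hidden PowerShell launch). The following correlation rule is an added example written for this page, not Check Point's detection logic; the log lines are constructed and their flat JSON shape is an assumption of the example, not any vendor's schema.

```python
"""Correlation rule for the staging behaviour described above: on a single host,
within one hour, a scheduled task pointing into ProgramData, a Defender
exclusion for C:\\ProgramData, and a hidden or policy-bypassing PowerShell launch.
The log lines are constructed, and their flat JSON shape is an assumption of
this example (normalise your own telemetry into it), not any vendor's schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

WINDOW = timedelta(hours=1)
PROGRAMDATA = "c:\\programdata"

# Constructed sample telemetry: one staged workstation and one benign build host.
SAMPLE_LOGS = [
    r'{"ts":"2026-02-01T09:00:05Z","host":"DEV-WS01","event":"task_created","task":"\\SyncUpdate","command":"powershell.exe -w hidden -f C:\\ProgramData\\Sync\\run.ps1","trigger":"PT1H"}',
    r'{"ts":"2026-02-01T09:00:09Z","host":"DEV-WS01","event":"process_start","cmdline":"powershell.exe -NoP -w hidden -ep bypass -f C:\\ProgramData\\Sync\\run.ps1"}',
    r'{"ts":"2026-02-01T09:02:40Z","host":"DEV-WS01","event":"defender_config","setting":"ExclusionPath","value":"C:\\ProgramData"}',
    r'{"ts":"2026-02-01T10:15:00Z","host":"BUILD-02","event":"task_created","task":"\\Nightly","command":"C:\\tools\\build.cmd","trigger":"P1D"}',
    r'{"ts":"2026-02-01T10:16:00Z","host":"BUILD-02","event":"process_start","cmdline":"powershell.exe -File C:\\tools\\deploy.ps1"}',
]


def parse(lines: List[str]) -> List[dict]:
    """Decode the JSON records and order them by timestamp."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def classify(rec: dict) -> Optional[str]:
    """Map one record to the indicator it matches, or None if it looks benign."""
    if rec["event"] == "task_created" and PROGRAMDATA in rec["command"].lower():
        return "task_programdata"
    if (rec["event"] == "defender_config" and rec["setting"] == "ExclusionPath"
            and rec["value"].lower().startswith(PROGRAMDATA)):
        return "defender_exclusion"
    if rec["event"] == "process_start":
        cmd = rec["cmdline"].lower()
        stealth = ("-w hidden", "windowstyle hidden", "-ep bypass", "executionpolicy bypass")
        if "powershell" in cmd and any(flag in cmd for flag in stealth):
            return "hidden_powershell"
    return None


def correlate(records: List[dict], min_hits: int = 2) -> List[Tuple[str, Set[str]]]:
    """Per host, slide a one-hour window over matched indicators and alert when
    at least min_hits distinct indicators fall inside it. Any single indicator
    is noisy on its own; the combination on one host is what is suspicious."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for rec in records:
        indicator = classify(rec)
        if indicator:
            by_host[rec["host"]].append((rec["ts"], indicator))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            inside = {ind for ts, ind in hits[i:] if ts - start <= WINDOW}
            if len(inside) >= min_hits:
                alerts.append((host, inside))
                break   # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, indicators in correlate(parse(SAMPLE_LOGS)):
        print(f"ALERT {host}: {sorted(indicators)}")
```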

Additionally, organizations operating within blockchain-based and digital asset ecosystems should have a strict system of network segmentation, continuous credential rotation, and behavior monitoring capabilities that can detect anomalous behavior involving legitimate remote management tools. In addition, it is necessary to strengthen defenses at the human layer of the attack given the campaign's reliance on convincingly themed project documentation and developer-centered lures.

As a result, targeted phishing simulations and secure development environment awareness training should be prioritised for engineers. Defenders must also anticipate faster tooling cycles and increasingly modular payloads as AI-assisted malware development emerges.

Taking proactive measures to mitigate downstream impact will require telemetry correlation across endpoints and cloud environments, as well as rapid incident containment procedures. Resilience will be equally dependent upon integrating security controls directly into the development lifecycle rather than treating them as a downstream safeguard as adversaries continue to recalculate their targeting of high-value technical roles and software supply chains.

Stanley Malware Service Bypasses Chrome Web Store Safeguards


Researchers at Varonis have discovered a new malware-as-a-service (MaaS) offering, dubbed "Stanley," which allows malicious Chrome extensions to evade Google's review process and be listed on the official Chrome Web Store. Named after the seller's alias, Stanley also targets other popular browsers such as Edge and Brave, making phishing attacks easier to deploy. The service is sold in pricing tiers reaching $6,000 and is designed to lower the bar for malicious actors with less technical knowledge.

The main functionality is achieved through the use of a full-screen iframe overlay of phishing content on top of legitimate websites, with the browser’s address bar still visible to maintain a level of authenticity. The user is presented with interfaces for trusted websites, such as banking websites, but their interactions are instead routed to attacker-controlled pages that are designed for phishing. Other functionalities include IP targeting, geographic filtering, cross-device session correlation, and Chrome-native push notifications to improve user engagement.

The attackers use a web-based control panel to dynamically change hijacking rules, poll command-and-control (C2) servers every ten seconds, and change backup domains to make it more difficult to take down. The service offers subscription plans, with the final option being a "Luxe" plan that includes full support for publication to the Web Store and customization options. Despite the code being described as "rudimentary" with Russian-language comments and poor error handling, the step-by-step implementation of known techniques seems to offer high levels of effectiveness. 

This development exacerbates ongoing issues with the Chrome Web Store, where malicious extensions have repeatedly evaded detection, as noted in recent Symantec and LayerX reports. Varonis highlights Stanley's distribution promise as its standout feature amid rising browser add-on threats. Google has been contacted for comment, but such incidents underscore persistent vetting gaps in the ecosystem serving billions. 

Users must adopt vigilant habits: install only essential extensions, scrutinize developer reputations and reviews, and enable browser protections like Enhanced Safe Browsing. Enterprises should enforce extension whitelisting and monitor for anomalous behavior via endpoint detection tools. As MaaS evolves, staying proactive against store-approved threats remains critical for cybersecurity in 2026.

New Ransomware Uses Trusted Drivers to Disable Security Defenses



Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Threat Actors Pose As Remote IT Workers on LinkedIn to Hack Companies


IT workers linked to the Democratic People's Republic of Korea (DPRK) are now applying for remote jobs using the LinkedIn accounts of other individuals. This tactic is new.

According to the Security Alliance (SEAL) post on X, "These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate."

The IT worker scheme has plagued the industry for a long time. It originates from North Korea: threat actors pose as remote workers, using fake identities to get jobs in Western organizations and elsewhere. The scam is tracked under names including Wagemole, PurpleDelta, and Jasper Sleet.

The end goal?

To make significant income to fund the country’s cyber espionage operations, weapons programs, and also conduct ransomware campaigns. 

In January, cybersecurity firm Silent Push said that the DPRK remote worker program is a “high-volume revenue engine" for the country, allowing the hackers to gain administrative access to secret codebases and also get the perks of corporate infrastructure.  

Once the threat actors get their salaries, DPRK IT workers send cryptocurrency via multiple money laundering techniques. 

Chain-hopping and token swapping are two ways the IT workers and their money-laundering associates sever the on-chain connection between the source and destination of payments. To make funds harder to trace, they use smart contracts such as bridge protocols and decentralized exchanges.

What should individuals do?

To counter the threat, users who suspect their identities are being used in fake job applications should post a warning on their social media and report it through official channels. SEAL advises employers to always "validate that accounts listed by candidates are controlled by the email they provide. Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account."

The news comes after the Norwegian Police Security (PST) released an advisory, claiming to be aware of "several cases" in the last 12 months in which IT worker schemes have affected Norwegian companies. 

PST reported last week that “businesses have been tricked into hiring what are likely North Korean IT workers in home office positions. The salary income North Korean employees receive through such positions probably goes to finance the country's weapons and nuclear weapons program.”
