TransUnion Gets Hit By A Data Breach
Posted in Commentary with tags Hacked on August 28, 2025 by itnerd
Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States. According to a filing submitted to the Office of the Maine AG, the breach occurred on July 28, 2025, and was discovered two days later.
Paul Bischoff, Consumer Privacy Advocate at Comparitech had this comment:
“For context, the TransUnion breach compromised 4.4 million people. The 2017 Equifax breach compromised 147 million. It’s not as big, but it’s just as serious for those 4.4 million people. TransUnion does more than just generate credit reports. Other businesses that suffer data breaches frequently enlist TransUnion to provide credit monitoring and identity theft protection to breach victims. This breach could dissuade victims of other breaches from enrolling in those protective services.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 had this to say:
“Another data breach? “Only” involving single millions of digits? It’s almost a non-event. Data breaches involving hundreds of millions of records barely make the news anymore. How worried can you be about one “little” data breach when the information revealed to the hackers has likely been stolen many times? My only problem is why the breach was confirmed in late July and not reported to consumers until late August? Four weeks to publicly report, while likely legal, seems like a lot of time to let involved compromised users go around blindly without knowing about the additional risk, whether big or small. I’ve seen this lately…data breaches that must be reported publicly, taking a month or many months before they are publicly reported to those who are impacted. In today’s instant online world it seems more and more unacceptable.”
When the company that helps to protect people from getting taken advantage of after a breach gets breached, we’re all in deep trouble. These companies need to ensure that everything they do is beyond reproach or consumers will stop trusting them.
KnowBe4 today released a comprehensive resource kit in support of Cybersecurity Awareness Month 2025. The toolkit aligns with this year’s theme “Secure Our World” and supports the global movement to emphasize the importance of securing our digital lives. Cybersecurity Awareness Month, established in 2004 through a joint effort by the U.S. Department of Homeland Security and the National Cyber Security Alliance, provides organizations worldwide an opportunity to strengthen their security culture through education and awareness. This year’s focus is on simple, effective practices like using strong passwords, enabling non-phishable multifactor authentication (MFA), recognizing and reporting phishing attempts, and keeping software up to date.
EnGenius Technologies Inc., a global leader in advanced connectivity and cloud-managed networking solutions, today announced the official launch and immediate availability of the ECW510 Wi-Fi 7 indoor access point. Expanding the company’s line of affordable Wi-Fi 7 access points, the ECW510 makes next-generation wireless networking even more accessible for small businesses. Ideal for deployments in small offices, retail shops, motels, apartments, and cafés or small restaurants, the ECW510 delivers enterprise-grade Wi-Fi 7 performance in everyday business environments.
EnGenius ECW510: Reliable Wi-Fi 7 Made Simple for Small Businesses
Powered by the Qualcomm® Networking Pro 1220 platform, the ECW510 delivers dual band 2×2 Wi-Fi 7 performance with aggregated speeds up to 5 Gbps. At an MSRP of just $129, the ECW510 redefines value in professional-grade networking—empowering IT professionals, managed service providers (MSPs), and integrators to deliver reliable, future-ready connectivity at a disruptive price point.
The ECW510 is equipped with essential features including:
Affordable Wi-Fi 7: High-speed tri-band performance (up to 5 Gbps) for less than the cost of many Wi-Fi 6 access points.
Easy to Set Up: Use the free EnGenius Cloud To-Go app—most networks are running in under 5 minutes.
No Hidden Fees: Centralized cloud management comes license-free, saving ongoing costs.
Coverage & Capacity: Delivers strong Wi-Fi across up to 1,000 sq. ft. and supports up to 400 connected devices at once.
Built for Growth: Supports multiple access points, making it easy to expand as your business grows.
Secure and Reliable: WPA3 Enterprise-grade security and a 5-year warranty for peace of mind.
Cybercriminals are always looking for new ways to trick people, using exploitative tactics to steal money, data, and sensitive information. Netcraft has observed a recent shift toward a subtle but clever tactic that exploits how we visually process text, using the Japanese Hiragana character ん. Netcraft uncovered novel attacks targeting cryptocurrency wallets and exchanges, prominent travel websites and large cloud services, and has also seen security researchers use the same trick in testing.
Initial reports earlier in August identified campaigns using this abuse against Booking.com. However, our own investigation revealed that this technique can be traced back to November 25, 2024, beginning with the domain ioんhardware-wallet[.]best. Netcraft later identified more than 600 related domains using this technique.
Figure 1: The Hiragana character “ん” (Latin “n”) deployed in a URL
By using carefully chosen lookalike Unicode characters in domain names, attackers can make fake website URLs that look almost identical to legitimate ones. This type of attack, often called a homoglyph attack, works because different scripts or writing systems have characters that look similar; think of a Latin ‘a’ and a Greek ‘α’ (alpha). This is not a new attack vector; it dates back to the early 2000s, but threat actors have found a new twist that exploits an edge case in the processing rules designed to prevent confusion.
These attacks rely on the use of “confusable” characters like Unicode symbols that resemble Latin letters or symbols but are encoded differently. Recent activity has begun to use the Japanese character “ん” (hiragana ‘n’). At a quick glance, it is intended to look like a forward slash “/”. And when it’s dropped into a domain name, it’s easy to see how it can be convincing. That tiny swap is enough to make a phishing site domain look real, which is the goal of threat actors trying to steal logins and personal information or distribute malware.
Figure 2: How Hiragana ん appears in Chrome’s URL display. The host domain name is “comprehensive-protection[.]guru” in the example shown.
To make these deceptive domains functional, threat actors rely on Punycode, a way to encode Unicode characters into ASCII so they can be used in DNS. For instance, a domain like example.comんlogin would be encoded as example.xn--comlogin-0o4g, allowing it to be registered and resolved like any other domain.
Tracing the Campaign’s Early Activity
Our investigation revealed that the majority of the 600 domains leveraging this deceptive character technique were aimed at cryptocurrency users. These domains frequently impersonated legitimate browser extensions, particularly fake versions of the Google Chrome Web Store, as part of an effort to lure victims into downloading malicious wallet applications. These wallets include Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust.
Mapping the Infrastructure Behind New Domain Activity
Days after the Booking.com domains were uncovered, we identified a wave of newly registered domains that appeared shortly after the initial public reporting:
First, we took chromewebstore[.]google[.]comんdetailんokx-wallet.comprehensive-protection[.]guru and examined the contents of the phishing page, which mimicked Google’s Chrome Web Store to download the OKX cryptocurrency wallet browser extension. Clicking “Add to Chrome” appeared to prompt us to add the OKX Wallet as an extension; however, this was fake. Instead, it redirected to /welcome, which prompted us to either create or import a wallet.
Figure 4: Navigation path leading to fake OKX Wallet import page
Once a seed phrase was entered, we tracked that the phrase was sent to process.php, which appeared to validate the phrase before harvesting it. After validation, the seed phrase was leaked, giving threat actors unlimited access to the victim’s Bitcoin wallet.
While this page looks nearly identical to the example above, the outcome is quite different. Clicking ‘Add to Chrome’ did not redirect us to a web-based seed phrase stealer. Instead, it immediately downloaded an .exe file named “acmacodkjbdgmoleebbolmdjsighsdch.exe,” a malicious file that the page implies is a Chrome browser extension named Rabby Wallet (a commonly available wallet for Ethereum and EVM-compatible cryptocurrencies). After the download, the page presents a fake error message claiming the installation failed and instructing the visitor to open the downloaded file manually.
Figure 6: Error message used to trick users into running the malicious file
Upon closer analysis, the .exe appears to be malicious. The file is signed with a valid cryptographic signature, issued to OLAN LLC, which introduces a new layer of uncertainty. It is possible that the certificate belongs to a legitimate IT services company, and that the threat actors are now leveraging it for malicious activity, as other campaigns have abused other commercial IT administration tools, such as ConnectWise.
Further investigation revealed that the malware communicates with 826exe.carnegie.workers[.]dev. In communication we intercepted between the executable and this address, the program transmitted profile data about the infected system to its command & control service, including the logged-in user account name, machine name, operating system version, and other parameters.
Figure 7: The initial C2 check-in communication with profile data masked out
Subsequent connections to the C2 address revealed that the program self-identifies as “Performance Enhancement Tool v.3.7.2” and deploys a payload into a folder named PerformanceModules under the logged-in user’s AppData\Local folder path.
Figure 8: The “Performance Enhancement Tool” executable communicates with its C2 that it has deployed a payload under the MyTestExtension folder
Inside that folder, the malware creates a subfolder named Module_ followed by eight random hexadecimal characters, and inside that a folder named MyTestExtension containing more than 900 files. These appear to include some of the actual Rabby Wallet code, along with scripts, images, and text that seem to have nothing to do with Rabby Wallet, including references to online web games. Some of the graphics embedded in this code appear to guide the user on how to change the cryptocurrency wallet address that holds their funds.
Figure 9: The “Rabby Wallet” code appears inside the MyTestExtension folder that the file drops into the user’s AppData path
Additionally, we identified a malicious payload hosted at storage.googleapis[.]com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe. This suggests a well-orchestrated setup that blends certificate abuse, cloud-hosted payloads, and evasive infrastructure to facilitate data theft or remote access.
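Detection logic for the indicators in the paragraphs above, added here as an example that is not Netcraft’s code: it matches the C2 host and payload URL the article names against constructed proxy log lines, and checks an AppData\Local layout for the PerformanceModules\Module_<8 hex>\MyTestExtension drop path the article describes. The log lines and the temporary directory layout are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article (defanging removed): the C2 host the
# sample talked to and the cloud-hosted copy of the dropper.
C2_HOSTS = {"826exe.carnegie.workers.dev"}
PAYLOAD_URLS = {"storage.googleapis.com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe"}
DROPPER_NAME = "acmacodkjbdgmoleebbolmdjsighsdch.exe"

# Constructed proxy log lines (not from the article): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2025-08-27T10:01:02Z 10.0.0.5 GET https://storage.googleapis.com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe 200
2025-08-27T10:01:40Z 10.0.0.5 POST https://826exe.carnegie.workers.dev/ 200
2025-08-27T10:02:00Z 10.0.0.7 GET https://www.example.org/index.html 200
"""


def scan_proxy_log(text: str) -> list:
    """Return one hit per log line whose URL touches the C2 host or the payload location."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip lines that do not follow the expected column layout
        _ts, client, _method, url = parts[:4]
        no_scheme = url.split("://", 1)[-1]
        host = no_scheme.split("/", 1)[0].lower()
        if host in C2_HOSTS:
            hits.append({"client": client, "reason": "c2-checkin", "url": url})
        elif no_scheme in PAYLOAD_URLS or no_scheme.endswith("/" + DROPPER_NAME):
            hits.append({"client": client, "reason": "payload-download", "url": url})
    return hits


# The article describes Module_ plus eight random hexadecimal characters.
MODULE_DIR = re.compile(r"^Module_[0-9a-fA-F]{8}$")


def scan_local_appdata(local_appdata) -> list:
    """Return MyTestExtension paths found under PerformanceModules/Module_<8 hex>/."""
    root = Path(local_appdata) / "PerformanceModules"
    if not root.is_dir():
        return []
    return [str(d / "MyTestExtension") for d in root.iterdir()
            if d.is_dir() and MODULE_DIR.match(d.name) and (d / "MyTestExtension").is_dir()]


def demo_host_scan() -> int:
    """Build a constructed AppData layout in a temp dir and scan it; returns the hit count."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "PerformanceModules"
        (base / "Module_3fa9c0de" / "MyTestExtension").mkdir(parents=True)  # matches
        (base / "Module_notahex1" / "MyTestExtension").mkdir(parents=True)  # not hex
        return len(scan_local_appdata(tmp))
```

On a real Windows host, point scan_local_appdata at the value of %LOCALAPPDATA%.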
Following the initial wave of phishing domains targeting Booking.com and popular cryptocurrency wallets, our investigation uncovered a broader and rapidly evolving infrastructure leveraging the deceptive character. While many of these domains initially focused on impersonating cryptocurrency platforms, we have since identified a growing number of domains that extend beyond crypto and travel sectors.
A significant portion of these newly observed domains currently lack active content, but their structural patterns, registration timing, and thematic similarities suggest they are likely part of a coordinated setup. Notably, the domains that do not target cryptocurrency began appearing shortly after public reporting on August 14, 2025, indicating that threat actors may be quickly adopting this tactic across multiple verticals.
Some of the newly discovered domains appear to target major tech platforms. For instance, we found several Microsoft-themed domains such as:
This domain is impersonating Cloudflare’s access control feature. Interestingly, both the original Booking.com phishing domain hxxps://account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ and the Cloudflare domain share the same hostname segment: restric-access. This reuse of hostname structure across different brands suggests a shared domain generation pattern or toolkit, possibly indicating a common threat actor or automated infrastructure setup.
Other domains seem to target educational services. Examples include:
sdu[.]edu[.]cnんcasんlogin[.]pass-sdu-edu[.]cn
These resemble login portals for universities and could be used in credential harvesting campaigns targeting students.
We also observed additional crypto-related domains like booth[.]pmんgiftsん8f53a3a2-adbc-4d10-9d03-f338215de494ん[.]sakurayuki[.]dev, which appears to be themed around digital gifts or giveaways, a common lure in crypto phishing. Another domain, www[.]revolut[.]comんviewんtransactionんb3edf3638c29m4qdl5kdlx3んstatus[.]online, mimics the all-in-one finance application, likely intended to exploit user trust and familiarity with financial platforms.
In addition to these, we found several domains that are likely test cases or proof-of-concept setups, possibly created by researchers or security teams:
These domains contain keywords such as “test”, “donot[.]press”, and “webphishing”, which suggest they are likely not part of active malicious campaigns but rather used for experimentation or awareness.
While these domains are not currently serving malicious content, their existence highlights how quickly this tactic is spreading. It’s common for threat actors to register domains in advance, either to avoid detection or to prepare infrastructure for future campaigns. The consistent use of the ん character across both malicious and experimental domains reinforces its potential as a tool for visual deception.
Implications for Defenders
One of the challenges with tracking these kinds of phishing campaigns is that Unicode makes detection and monitoring more complex than with traditional Latin characters. Characters like ん are visually similar to Latin letters or punctuation but are encoded differently, meaning they can slip past basic string-matching filters or regex-based detection rules.
Chrome’s IDN policy allows certain scripts, such as Latin and Hiragana, to be used within a single label. This is permitted to support multilingual domain names, but with some exceptions to prevent abuse. For example, Chrome restricts combinations that are known to be highly confusable or deceptive. However, the policy still allows enough flexibility that threat actors can exploit visually similar characters like ん in phishing domains.
Many security tools and URL scanners aren’t configured to normalize or visually compare Unicode characters, which allows these domains to evade automated detection.
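An added example (not Netcraft’s code) that ties together the Punycode encoding described earlier (example.comんlogin and example.xn--comlogin-0o4g) with the detection gap described here: it decodes xn-- labels, flags any label that mixes scripts or contains ん, and renders the host as the eye reads it, which is the string a naive brand match would wrongly accept. The script buckets and the lookalike table are assumptions limited to the characters this article discusses; the mixed-script rule generalizes beyond ん.

```python
import unicodedata

# Constructed lookalike table limited to what the article discusses: Hiragana "n"
# (U+3093) reads as a forward slash, so a hostname can pass for a URL path.
SLASH_LOOKALIKES = {"\u3093": "/"}  # ん

def script_of(ch: str) -> str:
    """Coarse script bucket for one character (assumed sufficient for the
    Latin+Hiragana case here; a production check would use Unicode Scripts.txt)."""
    cp = ord(ch)
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"  # digits and '-' are script-neutral
    if 0x3040 <= cp <= 0x309F:
        return "Hiragana"
    if 0x30A0 <= cp <= 0x30FF:
        return "Katakana"
    if 0x4E00 <= cp <= 0x9FFF:
        return "Han"
    return unicodedata.name(ch, "Unknown").split(" ")[0]

def to_ascii_host(host: str) -> str:
    """Punycode-encode each non-ASCII label with the xn-- prefix (the registrable form)."""
    return ".".join(label if label.isascii()
                    else "xn--" + label.encode("punycode").decode("ascii")
                    for label in host.split("."))

def to_unicode_host(host: str) -> str:
    """Decode xn-- labels so the check sees what the user sees; accepts defanged [.] input."""
    labels = []
    for label in host.replace("[.]", ".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # malformed Punycode is left as-is and remains visible in the output
        labels.append(label)
    return ".".join(labels)

def analyze_host(host: str) -> dict:
    """Flag labels that mix scripts or contain a slash lookalike; also return the host as the eye reads it."""
    decoded = to_unicode_host(host)
    findings = []
    for label in decoded.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        lookalikes = [c for c in label if c in SLASH_LOOKALIKES]
        if lookalikes:
            findings.append(f"U+{ord(lookalikes[0]):04X} looks like '/' in label {label!r}")
    apparent = "".join(SLASH_LOOKALIKES.get(c, c) for c in decoded)
    return {"decoded": decoded, "apparent": apparent, "findings": findings,
            "suspicious": bool(findings)}
```

Feed analyze_host the hostnames from DNS or proxy logs; a brand check should run against the decoded form, never against the apparent form.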
Outpacing Confusable Character Threats
The use of confusable Unicode characters in phishing domains isn’t new but is evolving. The abuse of Hiragana ん is just one example of how subtle character swaps can bypass filters and fool even vigilant users. Netcraft will continue to monitor this tactic, track emerging infrastructure, and share updates as attackers refine their methods.