Archive for Security

Russia State Hackers Target Signal & WhatsApp Accounts of Officials & Journalists

Posted in Commentary with tags on March 9, 2026 by itnerd

The Dutch Minister of Defence warns of a cyber campaign linked to Russia that targets accounts on messaging platforms such as Signal and WhatsApp, belonging to government officials, military staff, and journalists.

The Russian campaign is focused on persuading users to divulge their security verification codes and PIN codes, allowing the hackers to gain access to the users’ Signal or WhatsApp accounts. The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes. The hackers can then use these codes to take over the user’s account. Another method used by the Russian actors takes advantage of the ‘linked devices’ function within Signal and WhatsApp.

Once an account has been successfully compromised, the hackers can read incoming messages, including messages in the victim’s chat groups. The Russian hackers likely gained access to sensitive information through this campaign.

Ömer Faruk Diken, cybersecurity researcher at SOCRadar:

“Messaging apps such as Signal and WhatsApp are widely used for private and professional communication. Many officials and journalists rely on them because they use end-to-end encryption. However, though encryption protects messages during transmission, it does not prevent attackers from accessing the account itself. If attackers gain control of the account or connect their own device, they can read conversations and collect information from chats and contact lists. For threat actors involved in espionage, this access can provide insight into discussions, contacts, and internal coordination.

“The warning from Dutch officials highlights a cyber campaign that targets messaging accounts used by people who handle sensitive information. By using social engineering and abusing messaging app features, attackers attempt to gain access to private conversations and contacts. Incidents like this also highlight the importance of basic security practices. Users should avoid clicking unknown links, never enter passwords or verification codes on suspicious pages, and always verify the source of requests for sensitive information. Email addresses can also be spoofed, so messages that ask users to click links or provide input should be checked carefully. When possible, organizations should enforce multi-factor authentication to add another layer of protection to communication accounts.”

Lydia Atienza, Principal Threat Intelligence Researcher at Outpost24:

“Based on the techniques described in the advisory issued by Dutch intelligence agencies, there is little evidence of particularly novel tradecraft. The methods resemble the same social-engineering tactics long used by financially motivated cybercriminals to compromise messaging accounts. This serves as a reminder that state-linked actors do not always rely on highly sophisticated exploits. In many cases, the same techniques commonly seen in cybercrime can be just as effective in espionage campaigns.”

Additional Resources:

SOCRadar Blog: Russia Targets Signal and WhatsApp Accounts, Dutch Officials Warn

1 in 3 Canadian organizations hit by Ransomware, but only 25% fully recover

Posted in Commentary with tags on October 23, 2025 by itnerd

OpenText today released the findings of its fourth annual Global Ransomware Survey. The survey of almost 1,800 security practitioners and business leaders highlighted a rising tension between confidence and risk: confidence in ransomware readiness is rising, yet concern over AI-driven attacks and third-party vulnerabilities is growing just as fast.

Organizations believe they’re ready to bounce back from ransomware — but AI is rapidly changing the threat landscape. New attack methods, weak governance, and supply chain vulnerabilities are exposing critical gaps between preparation and performance, creating a higher-stakes environment for defenders and leaders alike. This is especially true for SMBs that have fewer formal AI policies. 

Key survey findings include:

False Sense of Confidence Grows, as AI Raises the Stakes
Organizations feel more prepared than ever to recover from ransomware attacks, but AI introduces a growing layer of complexity that’s causing unease. While internal GenAI use is rising, so are external AI-powered threats. Organizations are navigating a high-stakes balancing act to enable innovation while managing risk.

  • Ninety-four percent of Canadian respondents are confident in their ability to recover from a ransomware attack, but only 25% of those attacked fully recovered their data.
  • Eighty-two percent allow employees to use GenAI tools, yet less than half (40%) have a formal AI use policy fully implemented.
  • Thirty-nine percent report increased phishing or ransomware due to AI; 30% have seen deepfake-style impersonation attempts.
  • Top AI-related concerns among Canadian respondents include data leakage (30%), AI-enabled attacks (25%), and deepfakes (14%).

Unmanaged Supply Chain Pathways Create Hidden Risks
While much of the ransomware conversation centers on AI, supply chain and third-party risks remain a quiet but dangerous threat. Attacks are both more frequent and distributed, often entering through vendors, partners, or unmanaged digital pathways.

  • One in three Canadian companies (31%) experienced a ransomware attack in the past year; nearly half of those (48%) were hit more than once.
  • Thirty-two percent of Canadian victims paid a ransom; 21% paid $250K or more.
  • Only 25% of those hit fully recovered their data; 3% recovered nothing.
  • Eleven percent experienced ransomware attacks originating from a software vendor.
  • Over two-thirds (67%) of Canadian organizations now assess software supplier cybersecurity; 75% have patch management in place.

Sophistication of Ransomware Attacks Raises Awareness
The rise of AI and the spread of ransomware across critical business systems have pushed cybersecurity into the spotlight. What was once seen as an IT issue is now recognized as a core strategic concern for boards and executive teams.

  • Sixty percent of Canadian respondents say their executive team sees ransomware as a top three business risk.
  • Nearly half (48%) have been asked by customers or partners about ransomware readiness in the past year.
  • 2026 investment priorities include network protection (54%), cloud security (53%), and backup technologies (48%).
  • A majority (64%) conduct regular security awareness training; 11% offer none.

For additional findings from the OpenText Cybersecurity 2025 Global Ransomware survey, view the infographic.

Protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations, partners, and technology providers work together to close security gaps before they’re exploited. To learn more about their enterprise solutions, explore OpenText Cybersecurity Cloud. To learn more about their offerings for SMBs, click here.

Survey Methodology

In September 2025, OpenText Cybersecurity surveyed 1,773 C-level executives, security professionals, and security and technical directors from SMBs and enterprises in the United States, Canada, the United Kingdom, Australia, France, and Germany. Respondents represented multiple industries, including technology, financial services, retail, manufacturing, healthcare, education, and more.

Consumers Expose Passwords in Password Manager/VPN Exchanges New Study Shows

Posted in Commentary with tags on October 23, 2025 by itnerd

Researchers with Ontario Tech University, PureSquare, and CQR Cybersecurity have published a new study warning that consumers and businesses that use separate VPNs and password managers are susceptible to concurrent multi-vector attacks that put their data at risk.

The use of disparate password managers and VPNs from different vendors (security tool fragmentation) creates a previously unknown security gap. Threat actors exploit this gap and consumer ‘alert fatigue’ to steal credentials.

The measured cost of security tool fragmentation:

  • 44% of users receive overlapping alerts.
  • 38% receiving overlapping alerts say they ignore them.
  • 29–34% of people leave tools disabled or miss paid features entirely.
  • Redundant subscriptions account for 24% of annual security tool costs.
  • The high cost of tool fragmentation and alert chaos: $400 million is lost every year to multi-surface attacks (see below).
  • Personal pre-breach costs to consumers: duplicative “chaos tax” expenditures can cost more than $850 per consumer, per year.
  • The average person now manages 3.4 security apps, spends up to 27 hours a year maintaining them, and wastes between $574 and $850 annually on redundant subscriptions and unmanaged risks.

Ironically, this results in people spending hundreds of dollars and dozens of hours every year managing overlapping, non-integrated security tools: they are spending more and working harder to be less secure.

The “alert fatigue” blind spot that stems from notification flood cycles became especially visible during the 2025 Google breach affecting 2.5 billion Gmail accounts. The breach drove individuals to flood forums and search engines with urgent “what to do” queries while scrambling across multiple apps.

One App, Complete Protection

Leading from this research, PureVPN has unified VPN, Password Manager, Dark Web Monitoring, Tracker & Ad Blocker, and Data Removal into a single unified platform. Instead of multiple apps competing for the consumer’s attention, users receive one alert stream, one workflow, and one place to act.

Notifications are consolidated and prioritized to reduce false alarms, while the new bottom navigation keeps breach-response tools easily accessible under stress.

You can read the study here.

Here’s A New One For Me…. A Phishing Email That Uses QR Codes

Posted in Commentary with tags on July 18, 2025 by itnerd

I get phishing emails all the time. Such as my email address is about to be “deactivated” if I don’t re-authenticate to my server. Or I need to authenticate to my server to “keep my same password”. Since I run my own email server, I find these phishing attempts to be downright hysterical because there’s zero chance that they will work on me. But today I got this phishing attempt which is a bit more “interesting”, I got this email this morning:

Sidebar: Seeing as I am a company of two, the two being my wife and I, it’s funny that the threat actors think that we have an HR department. But I guess that a threat actor has to start someplace to try and phish you.

Now I obscured the QR code as I don’t want anyone scanning it. But in lieu of an attachment with a payload that executes on a target’s computer, or a link that the target clicks on, I got a QR code. Likely because it can evade spam filters and other security software or devices.

If you scan the QR code (which, to be clear, you should not do if you get an email like this), it takes you to a phishing page where you are meant to enter your email address and your email password. This fits other reports of this type of phishing that I have heard about. Here’s a quick list of related stories that I’ve posted on this blog in the past:

Fortra Discovers Sophisticated QR Code Phishing Campaign That Targets Office 365 Users

Abnormal Security Announces Enhanced Capabilities to Detect QR Code Attacks

C-Suite Receives 42x More QR Code Attacks Than Average Employee: Abnormal Security

New Report to Reveal QR Code Phishing Scams: Quishing You a Happy Holiday Season

INKY Discusses How Threat Actors Are Using QR Codes To Harvest Credentials

So what this means is that attacks like this one are becoming increasingly pervasive. Thus this is another attack vector that you need to be aware of to keep you and your organization safe.

Destructive NPM Packages Disguised as Utilities Enable Remote System Wipe

Posted in Commentary with tags on June 9, 2025 by itnerd

Researchers have discovered two malicious NPM packages that register hidden HTTP endpoints to delete all files on command. The packages masquerade as legitimate utilities while implementing backdoors designed to destroy production systems.

You can get more details on this rather nasty malware here: https://socket.dev/blog/destructive-npm-packages-enable-remote-system-wipe

Jim Routh, Chief Trust Officer at Saviynt, commented:

“This is a case of a software supply chain compromise using malware designed to appear to be benign that then activates a back door once it is embedded. The key for enterprises is to improve the identity access management for everyone with access to the software build process including employees and contractors.”

This pretty much highlights why you need to sanity check anything and everything that goes into software so that you don’t become an unwitting transit mechanism for this type of attack.

Fun times.

What’s The Difference Between A Text Message And A Push Notification When It Comes To Two Factor Authentication

Posted in Commentary with tags on April 5, 2025 by itnerd

After I posted this story on a client of mine who unfortunately was the victim of a SIM Swap Attack, I got a couple of emails asking why I said this:

Now while I was there, I helped my client to not only change his banking password as he was having difficulty doing that, but enable push notification based two factor authentication. I did that because a SIM Swap Attack relies on the target having two factor authentication codes coming over text message. If they come via push notification, then a SIM Swap Attack would be totally ineffective as those notifications are not connected to the SIM. In fact, I encourage anyone who reads this to see if you can move any two factor authentication codes to push notifications as a means to mitigate an attack like this should it happen to you.

Specifically, they were asking why they should switch to using push notifications for two factor authentication rather than relying on a text message. On the surface they seem to be the same. Both are messages that pop up on your phone. Thus I can see why people would think that they are the same. But there are a couple of important differences.

A text message is sent over the air and is tied to your phone number. This is why SIM Swap Scams have become pervasive. If a threat actor already has your password to, say, your online bank account, and the bank requires you to type in a code that it sends by text message, then all the threat actor needs to do is get control of your phone number by swapping it to a SIM that they control, and they can access your bank account. This makes text messaging completely insecure for securing your online accounts. To go down the rabbit hole further, text messages have other liabilities:

  • Your cellular carrier can see your text messages as they are completely unencrypted. So if you’re talking about anything sensitive or confidential via text message, that’s not a good idea.
  • Criminals and the police can see and intercept your text messages for the same reason as the previous point.

So before I get to why push notifications are the better way to go, let me get to messaging apps and standards like iMessage, RCS, Signal, WhatsApp and the like. iMessage is end to end encrypted. So anything that is sent over iMessage is going to be secure. That’s great but we live in a world where there are people who don’t use iPhones. So that’s not an option. RCS is what Android phones have been using as their default messaging standard, and that’s supported on iPhones. Thus isn’t that an option? No. Currently RCS support on iPhone doesn’t do encryption in the same way that iMessage does. So that’s a non-starter for authentication purposes. But that will change shortly. Having said that, some of what RCS supports depends on what cellular carriers and your handset manufacturer choose to support. So if you’re on a carrier that doesn’t support encryption of RCS messages, you’re out of luck. As for third party messaging apps like WhatsApp or Signal, they may or may not support encryption, but that means that it’s one more app that a bank for example would have to support.

This is where push notifications come in. Apple has APNS or Apple Push Notification Service. And there’s GCM or Google Cloud Messaging. Both create a 1 to 1 relationship with the device and not the SIM card. So a threat actor could execute a SIM Swap Attack, but be no further ahead as the two factor authentication codes are going to the device. On top of that, messages are encrypted in transit, making this the better option for sending sensitive information like two factor authentication codes. Another option for app developers is to implement push notification support via Firebase. This is Google’s standard for the same thing as APNS and GCM. The thing is that it is cross platform. So you can reach Android and iOS users easily. And the other thing is that it too is encrypted. So it is secure while at the same time being easier to implement on both iOS and Android.

Now using push notifications should be something that any app developer that uses two factor authentication codes for any reason should implement ASAP while at the same time deprecating support for text messaging. Canadian Imperial Bank Of Commerce for example has sort of done this by having support for push notifications as an option. But they still for whatever reason support text messaging. This needs to change, because if most, if not every, app delivers two factor authentication codes this way, the world will be a safer place and SIM Swap Attacks will simply die because they simply will not work.

What do you think? Should consumers demand better from app developers when it comes to the delivery of two factor authentication codes? Leave a comment below and share your thoughts.

White House Official Calls For Insurance Companies To Stop Covering Ransomware Payments 

Posted in Commentary with tags on October 7, 2024 by itnerd

This past Friday, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, wrote an opinion piece for the Financial Times warning that ransomware was “wreaking havoc around the world,” and insurance companies must stop issuing policies that incentivize extortion payments in ransomware attacks.

The initial call for the practice to end was made at the end of the 4th annual International Counter Ransomware Initiative summit in the US last week, where the 68 members discussed tackling the problem.

“Some insurance company policies — for example covering reimbursement of ransomware payments — incentivize payment of ransoms that fuel cyber crime ecosystems. This is a troubling practice that must end,” Neuberger wrote.

The insurance industry could play a “constructive role” by “requiring and verifying implementation of effective cyber security measures as a condition of underwriting its policies, akin to the way fire alarm systems are required for home insurance,” Neuberger continued. 

Attempts to engage with the insurance industry have not yet delivered any promises or formal agreements.

Earlier this year, the UK’s NCSC announced that it would agree on guidance that expressed a joint view of how businesses should handle ransomware attacks. Furthermore, during the CRI summit, just 39 members and 8 insurance industry bodies from around the world endorsed a similar guidance encouraging “organizations to carefully consider their options instead of rushing to make payments.”

Despite the availability of other guidance on best practices in ransomware responses, attacks targeting victims in the UK and the US have roughly doubled over the past two years.

Steve Hahn, EVP Sales US, BullWall:

  “The global ransomware market has seen a 200% increase in successful cyber attacks in the last two years. They know global ransomware payments exceeded a billion dollars for the first time last year. This increase in money for the criminals gives them all the incentive they need to continue innovating their attack techniques. It’s clear many companies are seeing these events as inevitable, which is true, but relying on insurance to pay their way out of it. Unfortunately, even if they pay the ransom, their infrastructure was down for days or weeks and they are unlikely to recover more than 78% of their data even if they pay the ransom. 

  “United Healthcare paid at least $22 million in ransom payments, but that didn’t stop billions of dollars of downstream economic loss, including multiple healthcare companies that were forced out of business because of this event. Paying the ransom increases activity, increases funding, and throws gasoline on what is already a raging fire. Yes, these events are inevitable, but companies must focus on containing these events quickly, segmenting their environments, limiting the blast radius, and focusing on how to recover quickly from immutable backups. These strategies will ensure a quick recovery from the inevitable without lining the bloated coffers of the criminal underground.”

Ted Miracco, CEO, Approov:

  “Paying ransoms only fuels the ransomware economy, emboldening attackers, and encouraging future attacks. Businesses must focus on bolstering their fundamental cybersecurity practices— not adding more insurance coverage, as insurance is a reactive measure and often only provides temporary relief, while the underlying vulnerabilities remain unaddressed. Insurers should play a constructive role by mandating stricter cybersecurity practices as a prerequisite for coverage, much like requiring fire alarms in homes. This would help elevate overall security standards and reduce the attractiveness of ransomware as a profitable venture.”

I’ve said it before and I will say it again. These sorts of attacks are out of control. Everyone needs to do better when it comes to responding to attacks. And that includes not paying the ransom. Ever.

70 Countries Attend Counter Ransomware Initiative And Release Response guidance

Posted in Commentary with tags on October 4, 2024 by itnerd

This week, cybersecurity experts from almost 70 countries are attending the fourth annual International Counter Ransomware Initiative meeting at the White House, and yesterday, the UK and Singapore released a voluntary guidance document designed to help victims respond to ransomware attacks and minimize the impact.

Under the new voluntary ransomware guidance, victims are encouraged to:

  1. Report attacks on a more timely basis to law enforcement agencies
  2. Record incident response decisions and data captured for post-incident reviews
  3. Involve more advisers such as cyber insurance carriers and other outside firms that can assist 
  4. Consider if the decision to pay the ransom “is likely to change the outcome”
  5. Review local regulatory requirements for compliance

“External experts such as insurers, national technical authorities, law enforcement or cyber incident response companies familiar with ransomware incidents can improve the quality of decision-making,” according to the new guidance. 

During the event, the participants tackled several initiatives including:

  • The completion of a project on secure software and labeling principles
  • The launch of a member portal by Australia for information sharing 
  • A new U.S. government fund to strengthen members’ cybersecurity capabilities

Morten Gammelgaard, EMEA, co-founder, BullWall had this comment:

  “The International Counter Ransomware Initiative is important, and the steps taken are crucial for improving the world’s collective response against ransomware. The new initiatives coming from the meet, together with new regulatory requirements for better Ransomware resilience, will help to drive the fight against Ransomware.

  “However, Ransomware continues to successfully bring down organizations at pace. The world is experiencing a level of disruption and business risk from Ransomware never seen before, and the overall loss from ransomware is at an all-time high for the last 4 years. Some companies fare better than others when attacked and are therefore able to recover faster with less cost. Often, these are the companies that invest in being resilient. Ransomware resilience is directly related to:

  1. The strength of the backup systems and are they available after the attack. Often the organizations that fare well have multiple different options in use such as Cloud back up and Tape backup.
  2. How many files are encrypted during the attack. The fewer files encrypted, the quicker the restoration and recovery time, which means that if the attack can be contained quickly, an organization can recover quickly.

   “Too few organizations test run restoring millions of files and therefore they don’t realize the time and costs associated with the process until it is too late. As a result, they often encounter very high recovery costs when attacked successfully. Companies must adopt an “Assume Breach” posture as all attacks can no longer be prevented.”

Here’s the thing. Making sure that your organization is in a place where you never have to pay the threat actor is not just good for you. It’s good for all of us as crime shouldn’t pay. I encourage organizations big and small to look at this document and follow it. And if that’s not enough, there’s a broader document which you can read here which gives additional guidance that is useful.

Singapore Banks To Phase Out The Use Of One Time Passwords In The Next 3 Months

Posted in Commentary with tags on July 16, 2024 by itnerd

It has been announced that all major retail banks in Singapore must phase out the use of one-time passwords (OTPs) within the next three months. This initiative is being mandated by the Monetary Authority of Singapore (MAS) and was developed in collaboration with the Association of Banks in Singapore (ABS). The move is intended to protect consumers from phishing and other scams.

The National Institute of Standards and Technology (NIST, US Department of Commerce) deprecated the use of SMS for 2FA as early as 2016 and the move away from OTPs has been picking up steam since then.

CEO Ted Miracco of Approov, a mobile security company, offers insight:

   “OTPs, once seen as a robust two-factor authentication (2FA) method, are now frequently targeted by cybercriminals using advanced social engineering tactics and Android malware. Android malware can exploit permissions to intercept OTPs sent via SMS. Android users are often targeted by phishing campaigns that mimic legitimate banking apps or websites, tricking users into revealing their OTPs. Despite improvements in app store security, these fake apps can still infiltrate and deceive users, and despite Google’s efforts to restrict certain permissions, malicious apps continue to find ways to bypass these controls.

   “The shift to digital tokens aims to offer a more secure alternative to OTPs, but it comes with its own set of challenges. Despite the significant security enhancements, ensuring the integrity of banking apps requires robust measures such as mobile app attestation and runtime application self-protection (RASP) to prevent tampered or cloned apps from functioning.

   “The long overdue phase-out of OTPs is a positive step towards enhancing the security of online banking in Singapore. However, banks must remain vigilant and proactive concerning Android vulnerabilities, to protect their customers effectively.”

CISA, The FBI, And MS-ISAC Release DDoS attack Guidance For The Public Sector 

Posted in Commentary with tags on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC have published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.

The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attacks: Volume-based, Protocol-based attacks, and Application layer-based attacks. 

The guidelines emphasized that there are steps that can be taken to mitigate the possibility of being hit. These include:

  • Use risk assessments to identify potential vulnerabilities
  • Implement robust network monitoring tools and detection systems
  • Integrate CAPTCHA challenges
  • Configure your firewalls to filter out suspicious traffic
  • Regularly patch and update all software, operating systems and network devices
  • Train employees about DDoS attacks, and how to recognize and report suspicious activities

The advisory also emphasized the importance of putting in place measures to maintain service availability during a DDoS attack such as increasing bandwidth capacity and implementing load balancing solutions to distribute traffic to handle sudden spikes in traffic during an attack. Also, establish redundancy and failover mechanisms to redirect traffic and regularly back up critical data to allow for fast recovery and minimize data loss.

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks that are extremely difficult to defeat in the cloud since defenses regularly end up blocking legitimate traffic.

   “For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”

A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in any organization’s interest to add this to the list that they need to have a playbook for. Fortunately this joint advisory will help with that.