Google is strengthening online security by transitioning from SMS-based authentication codes to more secure QR codes, providing a robust defense against current cyber threats. This shift comes as SMS codes, traditionally used for two-factor authentication (2FA), have proven to be vulnerable to various forms of attacks.

SMS authentication has long been a target for cybercriminals due to its susceptibility to phishing schemes and SIM swapping attacks. In SIM swapping, hackers clone a victim’s phone number, gaining unauthorized access to sensitive accounts, including banking and email. This reliance on SMS also exposes users to risks if the mobile network signal is weak or if service providers fail to ensure consistent security.

QR codes, on the other hand, offer a more secure alternative. These codes can be easily scanned using a smartphone camera, eliminating the need to manually input codes sent via SMS. This method reduces the risk of interception and reliance on network connectivity, as QR codes don’t require a continuous signal from the service provider. While the smartphone needs an internet connection for scanning and verification, QR codes are a more resilient option against network-dependent vulnerabilities.

One notable advantage of QR codes is their ability to function offline in certain situations, further reducing reliance on consistent server connectivity. However, for applications such as payment gateways, where real-time data transfer and fast transaction processing are essential, an active internet connection is still required. This presents an ongoing challenge, as maintaining high-speed, reliable connectivity is critical for efficient and secure online transactions.

Google’s initiative to integrate QR codes into their authentication process reflects their commitment to enhancing user security. By shifting away from SMS-based codes, the company aims to provide users with a safer, more reliable method of securing their online identities. This transition is part of Google’s broader efforts to address evolving cyber threats and offer cutting-edge solutions for online authentication.

In addition to these advancements, the FBI has recently issued a warning about an ongoing phishing scam targeting millions of Gmail users. The scam, which exploits tools like Astaroth, is designed to steal users’ credentials, passwords, and banking information. The scam works by redirecting victims to phony websites that harvest sensitive data.

To protect themselves, users are urged to activate email spam filters and be cautious when receiving emails from unknown senders. Clicking on links embedded in suspicious emails could lead to malicious websites designed to compromise personal information. Deleting such emails or marking them as spam not only protects individual users but also helps Google’s servers identify and isolate harmful threats before they reach a wider audience.

As cyber threats continue to evolve, it’s essential for internet users to stay vigilant and adopt security practices that mitigate the risks of online fraud and identity theft. With Google’s push for QR code authentication and the FBI’s warning about phishing scams, it’s clear that the fight against cybercrime is ongoing, and proactive measures are necessary to safeguard personal data in an increasingly digital world.

The post Google to replace SMS authentication with QR Codes for enhanced Mobile Security appeared first on Cybersecurity Insiders.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

An image from one Chinese phishing group’s Telegram channel shows various toll road phish kits available.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

CARDING REINVENTED

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?” said Merrill, who presented about his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on Stripe or Zelle and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before [the wallets] are hit hard and fast.”

GHOST TAP

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “ZNFC” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. They even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at ThreatFabric. Andy Chandler, the company’s chief commercial officer, said their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler said those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily The Straits Times reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” The Straits Times wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

Three individuals charged with using ghost tap software at an electronics store in Singapore. Image: The Straits Times.

ADVANCED PHISHING TECHNIQUES

According to Merrill, the phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

For example, a would-be smishing victim might enter their personal and financial information, but then decide the whole thing is a scam before actually submitting the data. In this case, anything typed into the data fields of the phishing page will be captured in real time, regardless of whether the visitor actually clicks the “submit” button.

Merrill said people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he said, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill said these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another important innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

The ashtray says: You’ve been phishing all night.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

An ad from a Chinese SMS phishing group’s Telegram channel showing how the service converts stolen card data into an image of the stolen card.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

PROFITS

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the Smishing Triad, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher Grant Smith gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill said it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill said they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

FIGHTING BACK

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for customers to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert said the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking how this is possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require customers to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, to better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers will be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Neither Apple nor Google responded to requests for comment on this story.

In episode 37 of "The AI Fix", Google Gemini gets the munchies, the wettest country in the world can’t find any water, an escalator tries to eat Graham, o3-mini can’t rub two sticks together, and OpenAI invents an AI that can do “a single-digit percentage of all economically valuable tasks in the world” but nobody notices. Graham wonders why his childhood was full of Triffids and quicksand, and discovers a way to trap overstepping AI crawlers in an endless maze, while Mark investigates the appalling state of DeepSeek security. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

Artificial Intelligence (AI) has proven to be a tremendous asset to humanity. However, its impact hinges on the intentions of those who wield it. Simply put, AI can become a harmful force if it falls into the wrong hands, such as hackers or cybercriminals.

In light of this, Google’s parent company, Alphabet Inc., has made a pledge to restrict AI usage in surveillance and cyber warfare. The company is also urging others in the tech industry, including Meta, Twitter, and Amazon, to join in. By taking this pledge and adhering to certain principles, these companies can help prevent AI from being misused in ways that threaten global security and humanity.

As part of an update to its “AI Principles,” Google has reaffirmed its commitment to responsibly advancing AI technology. The company has promised not to develop or deploy AI-powered weapons or surveillance tools that violate internationally recognized ethical standards.

This position was further emphasized by James Manyika and Demis Hassabis, leaders of Google’s AI lab, DeepMind. They stressed that government support is also crucial to ensure the responsible use of AI in promoting national security.

However, behind closed doors, the situation is often more complicated. While businesses generally claim to prioritize data security and ethical use of AI, what actually happens in their research and development departments remains unclear. A notable example is the NSO Group’s Pegasus spyware, originally created to provide surveillance tools to governments and law enforcement. The company, however, sold the software to third parties, leading to a series of security scandals. One high-profile case involved Amazon CEO Jeff Bezos, whose private affair was exposed through Pegasus, allegedly planted on his phone by a Saudi prince via WhatsApp. Similarly, another Israeli company, Paragon, was involved in a similar surveillance scandal earlier this year.

If small-scale companies can engage in such questionable activities behind the scenes, it raises concerns about the potential misconduct hidden within the data centers of major tech giants.

With this in mind, it is hoped that Elon Musk, who now seems to play a pivotal role in shaping tech policy, will take note of these issues. As the owner of Twitter, Tesla, and Starlink, Musk could play a significant part in scrutinizing the data centers and R&D practices of major tech companies, including his own.

The post Google asks to take pledge against AI usage in surveillance and Cyber warfare appeared first on Cybersecurity Insiders.

In episode 36 of The AI Fix, Graham and Mark take a long look at DeepSeek, an upstart AI out of China that was trained on a shoestring, shook up Wall Street, kneecapped Nvidia, and challenged America's AI hegemony. Graham also discovers a remarkably f***ing effective way to remove AI snippets, a personal mobility robot gets a bit over-excited, some aliens regret installing an FTP server, and Mark explains what o3-mini owes to Spinal Tap. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

Google Warns Users About AI-Driven Phishing Scam

Google has issued an urgent warning to its 2.5 billion active users about a sophisticated phishing campaign that, despite appearing legitimate, is entirely fraudulent.

This campaign began gaining attention in December 2024 across various tech forums, and its significance grew after Google officially addressed the issue last weekend.

According to Google’s Threat Intelligence teams, cybercriminal groups are now using artificial intelligence to carry out vishing (voice phishing) attacks. These attacks target Google account users with calls and messages that falsely claim their accounts have been compromised and locked. The scammers ask victims to provide their credentials to recover the account.

The reality is that these messages and calls are not from Google but are cleverly generated by AI to mimic customer support communications. They are designed to deceive users into believing the call is genuine, with the intent of stealing login details for Gmail accounts.

Google urges users not to trust such calls or messages. It’s advisable to avoid picking up calls from unknown or international numbers and never click on any links within suspicious messages. These links could lead to phishing sites aimed at collecting sensitive information. Google encourages users to report any suspicious activity to their support page to help combat these threats.

In response to this growing threat, Google plans to enhance its two-factor authentication (2FA) system in the coming weeks. Users will soon need to authenticate logins with biometrics—either a fingerprint, facial scan, or PIN—making accounts more secure.

FBI Disrupts Major Cybercrime Operations, Protects 17 Million U.S. Users

In a coordinated effort, the FBI, along with Europol and other international law enforcement agencies, launched “Operation Talent” to dismantle the infrastructure of the hacking group “Cracked” and protect over 17 million stolen online credentials from being sold on the dark web.

Simultaneously, the operation targeted another cybercrime network, “The Manipulators,” a notorious group operating out of Pakistan. The Manipulators have been linked to fraudulent activities and Chinese intelligence and were found to be behind a variety of online scams.

The operation resulted in the takedown of servers and websites associated with these groups, preventing sensitive personal data from being further exploited. This crackdown highlights the growing global commitment to combat cybercrime, with agencies like the FBI sharing intelligence from military and other sources to help coordinate actions across borders.

With these operations, it’s clear that law enforcement is ramping up efforts to tackle online threats and protect users worldwide from cybercriminal activities.

The post Google alerts its users about AI phishing and FBI cracks down on hacking gangs appeared first on Cybersecurity Insiders.

For years, Western nations have voiced concerns over cyberattacks from adversarial states. However, the situation has taken a new turn, as tech giant Google has publicly acknowledged that its AI-powered chatbot, Gemini, is being exploited by hackers from Iran, China, and North Korea.

In an ironic twist, Google’s statement revealed that Iranian hackers are leveraging Gemini AI for reconnaissance and phishing attacks. Meanwhile, Chinese cybercriminals are reportedly using the chatbot to identify vulnerabilities in various systems and networks.

North Korean hackers, on the other hand, have been found using Gemini AI to generate fake job offer letters, luring IT professionals into fraudulent remote or part-time work schemes.

Surprisingly, Google’s Threat Intelligence Group did not mention Russia, despite its reputation for cyber warfare. The omission raises questions—perhaps Russia’s involvement is still under investigation. However, Google did hint that an Asian nation is utilizing generative AI for spreading misinformation, generating malicious code, manipulating translated content, and using fake digital identities to propagate disinformation.

Given these developments, some may argue that generative AI poses a severe risk to humanity. However, the real issue lies not with the technology itself but with those who misuse it for malicious purposes.

Can AI Tools Be Safeguarded from Malicious Use?

Preventing AI tools from falling into the wrong hands presents a complex challenge. One potential solution is to enforce user authentication, tracking those who access machine-learning tools. Additionally, implementing restrictions—such as filtering IP addresses or user identities—could help curb misuse.

However, such measures have their downsides. Cybercriminals may simply turn to open-source alternatives, escalating the competition between threat actors and making state-sponsored cyberattacks even harder to track. This, in turn, places an increasing burden on law enforcement agencies already struggling with talent shortages in cybersecurity and intelligence analysis.

The Bigger Concern: AI’s Role in Digital Surveillance

With Google recently rolling out Gemini AI on Android smartphones globally, an unsettling question arises—could this technology be manipulated to function beyond its intended purpose? What if it starts recording audio and video from users’ surroundings without their knowledge?

As AI continues to evolve, ensuring its ethical use becomes increasingly critical. Striking the right balance between innovation and security remains one of the biggest challenges in the digital age.

The post Google says its Gemini Chatbot is being exploited by state funded hackers appeared first on Cybersecurity Insiders.

Google, the web search giant owned by Alphabet Inc., has introduced a new security feature designed to protect your data in case your phone is stolen. At the moment, this feature is available on select Android devices, specifically Google Pixel models running Android 15 and certain Samsung Galaxy smartphones running One UI 7 and above.

The feature, called “Identity Check,” is aimed at enhancing your phone’s security by locking sensitive settings when the device is taken outside of trusted locations. However, it’s important to note that this feature does not come enabled by default—it must be manually activated by the user.

What Does the Identity Check Feature Do?

Once activated, the Identity Check feature ensures that only those with authorized access can make changes to sensitive settings on the device. These settings are protected through biometric authentication, such as fingerprint or facial recognition, which must be verified before any changes can be made. The feature activates when the device is taken out of trusted locations—locations you’ve previously set based on your 4G or 5G service provider’s geolocation services.

Sensitive Settings Protected by Identity Check:

Changing the Lock Screen, PIN, or Password: Unauthorized users can’t alter your security settings without biometric verification.

Changing Biometrics (e.g., fingerprint or face unlock): Any changes to biometric authentication settings will require authentication.

Accessing Password Manager: Passwords and passkeys saved in the Password Manager are locked from unauthorized access.

Performing a Factory Reset: Unauthorized users cannot reset the phone without the proper biometric authentication.

Disabling Theft Protection Features: Any anti-theft protections cannot be disabled without authentication.

Viewing or Changing Trusted Locations: Users cannot alter the list of trusted locations or disable the Identity Check feature.

Setting Up a New Device or Transferring Data: A new device setup or data transfer from a stolen or existing device will require biometric authentication.

Removing a Google Account: Unauthorized users cannot remove the Google account from the device.

Accessing Developer Options: Developer settings are locked from unauthorized access.

How Does It Work?

The Identity Check feature is activated whenever the phone’s geolocation changes and it moves outside of the trusted locations set by the user. For example, if the phone is stolen and moved to an unfamiliar location, the phone will prompt the user for biometric verification before allowing access to sensitive settings.

While this functionality isn’t entirely new (Android devices have always used location-based security features), the introduction of Identity Check focuses on making this kind of security feature more effective and reliable, especially in the case of theft.

Why It’s a Game Changer

In regions where smartphone thefts are on the rise, like London, this feature could be a major step forward in preventing unauthorized access to stolen devices. Mobile thefts have become an increasing problem, and this added layer of security could make it much harder for thieves to access or manipulate sensitive data on stolen phones.

By requiring biometric authentication when sensitive settings are accessed outside of trusted locations, Identity Check offers an additional layer of security that could potentially deter theft or reduce the likelihood of data breaches following a stolen device.

In short, Google’s new Identity Check feature is a proactive and effective solution to improve the security of Android devices, particularly when dealing with theft or unauthorized access.


The post Google launches new Identity Check feature for data security appeared first on Cybersecurity Insiders.

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.”

This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West African nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.
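The delegation typo described above is the kind of defect a zone owner can catch with a simple audit of their own NS records. The following is an added example, not code from the article or from any of the companies named in it: it takes a list of nameserver hostnames, checks that each one's parent domain is in an allowlist of expected provider domains, and flags near-miss spellings such as akam.ne for akam.net. The NS hostnames are constructed sample input (only a22-65.akam.ne is quoted in the article; the other four are made up), and the two-label parent-domain rule is a simplification that a real tool would replace with a Public Suffix List lookup.

```python
"""Audit a zone's delegation (NS) records for nameservers outside the
expected provider domains, flagging one-edit near misses like 'akam.ne'.

In practice, feed in the output of `dig NS <zone>` or your zone file;
the records below are a constructed sample for demonstration.
"""
from dataclasses import dataclass

# Assumption: all nameservers for this zone should live under akam.net.
EXPECTED_NS_DOMAINS = {"akam.net"}

# Constructed sample: five NS hostnames as a DNS lookup might return them.
SAMPLE_NS_RECORDS = [
    "a1-10.akam.net.",
    "a5-20.akam.net.",
    "a13-30.akam.net.",
    "a20-40.akam.net.",
    "a22-65.akam.ne.",   # the one-character typo described in the article
]


@dataclass
class Finding:
    nameserver: str
    parent_domain: str
    severity: str      # "ok", "typo-suspect" or "unexpected"
    note: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parent_domain(hostname: str, labels: int = 2) -> str:
    """Last `labels` labels of a hostname: 'a22-65.akam.ne.' -> 'akam.ne'.

    Simplification: registrable-domain boundaries really need the Public
    Suffix List (think 'example.co.uk'); two labels is enough for this demo.
    """
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def audit_nameservers(ns_records, expected=EXPECTED_NS_DOMAINS, max_distance=1):
    """Classify every NS hostname against the expected provider domains."""
    findings = []
    for ns in ns_records:
        parent = parent_domain(ns)
        if parent in expected:
            findings.append(Finding(ns, parent, "ok", "parent domain is allowlisted"))
            continue
        # Not allowlisted: is it a near miss of an expected domain (likely typo)?
        dist, nearest = min((levenshtein(parent, e), e) for e in expected)
        if dist <= max_distance:
            findings.append(Finding(
                ns, parent, "typo-suspect",
                f"'{parent}' is {dist} edit(s) from '{nearest}'; queries delegated "
                "here go to whoever controls that domain"))
        else:
            findings.append(Finding(
                ns, parent, "unexpected",
                f"'{parent}' is not an expected provider domain"))
    return findings


def problems(ns_records, **kwargs):
    """Only the findings that need a human to look at them."""
    return [f for f in audit_nameservers(ns_records, **kwargs) if f.severity != "ok"]


if __name__ == "__main__":
    for f in audit_nameservers(SAMPLE_NS_RECORDS):
        print(f"{f.severity:13} {f.nameserver:20} {f.note}")
```

Run against the sample, the audit reports the four akam.net servers as ok and a22-65.akam.ne. as a typo suspect one edit away from akam.net; the same check belongs in whatever pipeline publishes or monitors your zone, since the typo here sat unnoticed for years.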

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he'd abused his access, he probably could have passed domain-control validation and obtained website encryption certificates (SSL/TLS certs) for the affected hostnames, since certificate authorities trust whatever the zone's name servers answer, and with those certificates he could have accepted and relayed web traffic for the affected websites. He may even have been able to passively collect Microsoft Windows authentication credentials (typically NTLM challenge-responses) from employee computers at affected companies whose lookups landed on his server.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through Bugcrowd, a bug bounty platform through which companies offer financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he'd secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative name servers, but some handle so many DNS requests that they spread the load over additional servers. In MasterCard's case that number is five, and since resolvers distribute their lookups across the servers listed for a zone, it stands to reason that an attacker who seized control of just one of those five would expect to see only about one-fifth of the incoming DNS requests.

But Caturegli said the reality is that a large share of Internet users rely, at least to some degree, on big public recursive resolvers such as those run by Cloudflare and Google, which cache the answers they receive and serve them to everyone behind them.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By answering with records that carry a long TTL, or “Time To Live” (the number of seconds a resolver is allowed to keep an answer in its cache before asking the authoritative servers again), an attacker can have a poisoned answer for the target name held by those large resolvers and handed out to all of their users until it expires, rather than only to the clients whose individual lookups happened to reach the rogue server.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.
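The arithmetic behind that claim is worth seeing. The model below, an added example that is not part of the article, treats a recursive resolver as a cache fed by five authoritative servers, one of them rogue. On every cache miss the resolver picks a server uniformly at random (an assumption; real resolvers weight servers by measured latency), clients query often enough that a record is re-fetched the moment it expires, and the legitimate servers answer with a 300-second TTL while the rogue one answers with a one-day TTL. The function returns the share of the observation window during which the resolver is handing out the attacker's answer.

```python
# Added example (not from the article): how a long TTL turns a 1-in-5 chance
# of reaching a rogue nameserver into a resolver cache that serves the
# attacker's answer almost all of the time.
import random


def rogue_cache_share(ns_count: int = 5,
                      legit_ttl: int = 300,
                      rogue_ttl: int = 86400,
                      horizon: int = 3 * 86400,
                      seed: int = 1) -> float:
    """Fraction of `horizon` seconds during which a recursive resolver serves
    the rogue server's cached answer.

    Assumptions (simplifications, not measured resolver behaviour):
      * exactly one of `ns_count` authoritative servers is rogue;
      * on each cache miss the resolver picks a server uniformly at random;
      * clients query constantly, so a record is refetched as soon as it expires;
      * the resolver honours whatever TTL the answering server sets.
    """
    rng = random.Random(seed)   # seeded so the run is reproducible
    t = 0                       # simulated seconds elapsed
    rogue_time = 0              # seconds spent serving the rogue answer
    while t < horizon:
        hit_rogue = rng.randrange(ns_count) == 0      # 1/ns_count chance
        ttl = rogue_ttl if hit_rogue else legit_ttl
        served = min(ttl, horizon - t)                # clip at window end
        if hit_rogue:
            rogue_time += served
        t += served
    return rogue_time / horizon


if __name__ == "__main__":
    # With equal TTLs the rogue server gets roughly its 1/5 share of lookups.
    print("equal TTLs (300 s):", round(rogue_cache_share(rogue_ttl=300), 3))
    # With a 1-day TTL the first rogue hit sticks for a day before the
    # resolver asks again, so the rogue answer dominates the window.
    print("rogue TTL 1 day   :", round(rogue_cache_share(), 3))
```

Once a resolver caches the rogue answer, every client behind that resolver receives it for the whole TTL, which is why the one-fifth figure understates the exposure. The mitigation is the same one Caturegli applied: make sure no delegation points at a domain you do not control, since nothing downstream of the resolver can tell the two answers apart.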

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured name server record Caturegli found was in the delegation for the MasterCard subdomain az.mastercard.com. It is not clear exactly how this subdomain is used by MasterCard, but the naming convention suggests the hostnames under it correspond to production servers at Microsoft's Azure cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli's LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain, apparently registered in 2017, that would have received traffic from organizations that mistyped their AWS DNS server as “awsdns-06.ne” instead of “awsdns-06.net.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP, Team Internet (AS61969).