26 February 2025

Weekly summary 20-26 Feb

Have I Been Pwned adds 284 million accounts stolen by malware

Data breach notification service Have I Been Pwned (HIBP) has added more than 284 million accounts compromised by infostealer malware, taken from a Telegram channel called "ALIEN TXTBASE". According to founder Troy Hunt, the data comes from 1.5 TB of stealer logs with 23 billion rows, which reduce to 284 million unique email addresses and 493 million unique email and website combinations. In addition, HIBP added 244 million previously unseen passwords to Pwned Passwords and updated the prevalence counts of another 199 million. To verify the data, Hunt used the password reset flows of the paired websites to confirm that accounts existed for a sample of the leaked email addresses. Domain owners and website operators can now identify compromised credentials through new APIs that return the affected email addresses for a website domain or for an email domain. Individual users can check whether their address appears in these logs, but the list of websites it was paired with is only shown to verified notification subscribers. Hunt noted that these tools allow exposed credentials to be reset before an attacker uses them.
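The reduction described above, from raw stealer-log rows to unique email addresses and unique email/website pairs, plus the domain-level lookup a website operator would want, as an added example that is not HIBP's code. It assumes the common stealer-log line layout "url:email:password" (the URL carries its own colons in the scheme and port, and the password may contain colons, so the line is split on the email rather than on the first colon); the sample lines are constructed.

```python
"""Reduce infostealer log lines to unique (email, website) pairs.

Added example, not HIBP's own code. Assumes the common stealer-log line
format "url:email:password"; the SAMPLE_LOG lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Match ":email:" so the URL (which itself contains "://" and maybe a port)
# is never split on its own colons; everything after the email is the password.
_CRED_RE = re.compile(r":([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}):(.*)$")


def parse_stealer_line(line):
    """Return (website_host, email, password) or None for unparseable lines."""
    line = line.strip()
    m = _CRED_RE.search(line)
    if not m:
        return None
    url, email, password = line[:m.start()], m.group(1), m.group(2)
    if "://" not in url:
        url = "http://" + url          # bare hosts such as "example.com/login"
    host = urlsplit(url).hostname      # drops scheme, userinfo and port; lowercases
    if not host:
        return None
    return host, email.lower(), password


def summarise(lines):
    """Deduplicate the way the HIBP figures are stated: unique emails,
    unique email+website pairs, distinct passwords, and lines skipped."""
    pairs, emails, passwords = set(), set(), set()
    skipped = 0
    for line in lines:
        rec = parse_stealer_line(line)
        if rec is None:
            skipped += 1
            continue
        host, email, password = rec
        pairs.add((email, host))
        emails.add(email)
        passwords.add(password)
    return {
        "unique_emails": len(emails),
        "unique_email_site_pairs": len(pairs),
        "unique_passwords": len(passwords),
        "skipped_lines": skipped,
        "pairs": sorted(pairs),
    }


def emails_for_website(lines, website_domain):
    """Operator-side view (a local analogue of the website-domain lookup,
    not the HIBP API itself): which emails were captured on a site under
    the given domain or any of its subdomains."""
    website_domain = website_domain.lower()
    hits = set()
    for line in lines:
        rec = parse_stealer_line(line)
        if rec and (rec[0] == website_domain or rec[0].endswith("." + website_domain)):
            hits.add(rec[1])
    return sorted(hits)


# Constructed sample: a duplicate differing only in case, a URL with a port,
# a password containing colons, a bare host, and one line that is not a credential.
SAMPLE_LOG = """\
https://example.com/login:Alice@Example.com:Passw0rd!
https://example.com/account:alice@example.com:Passw0rd!
https://mail.example.org:8443/auth:bob@example.com:p:a:s:s
shop.example.net/checkout:carol@example.com:hunter2
not a credential line at all
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarise(lines))
    print("example.org operator sees:", emails_for_website(lines, "example.org"))
```

Two of the five rows collapse into one pair because the email is case-folded and only the host of the URL is kept; the remaining row is counted as skipped rather than silently dropped, which matters when the input is 23 billion rows and parse failures need to be measured.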

OpenAI blocks North Korean hacker accounts on ChatGPT 

OpenAI has announced that it blocked several ChatGPT accounts used by North Korean hacking groups to research potential targets and refine their intrusion techniques. According to its February 2025 threat intelligence report, the accounts were linked to actors such as VELVET CHOLLIMA and STARDUST CHOLLIMA, known for espionage and financially motivated attacks. The operators used ChatGPT to research attack tools, gather information about cryptocurrencies, and obtain programming help to develop and debug malware. They also looked for ways to attack remote access protocols and for phishing techniques aimed at cryptocurrency investors. In addition, OpenAI identified accounts used in a fraudulent employment scheme in which North Korean workers posed as IT professionals to earn income for the Pyongyang regime; these accounts used ChatGPT to perform work tasks and to write cover stories for suspicious behaviour. Since October 2024, OpenAI has also detected and dismantled Chinese and Iranian cyberespionage campaigns, confirming that AI models are being used to support covert operations and global disinformation.

App on Google Play facilitates financial fraud and extortion  

Cybersecurity researchers have identified an app on the Google Play Store called Finance Simplified that carries Android malware tracked as SpyLend. The app masquerades as a financial tool but, for users in India in particular, steers them to unauthorized lending apps. Those apps collect personal information, access photos and contacts, and use extortion tactics, such as manipulating victims' images to blackmail them. The malware passed Play Store review because the malicious content is loaded at runtime through a WebView from an external server rather than being shipped in the reviewed APK. It communicates with a command and control (C2) server, with indications that its operators are Chinese-speaking. The app also gains access to sensitive data such as call logs, SMS and real-time location, which strengthens its coercive leverage over victims. Despite numerous complaints and negative reviews on the Play Store, downloads grew rapidly, surpassing 100,000 installs within a few days.

Darcula-Suite 3.0: Empowering DIY Phishing for Any Brand   

The criminal group behind Darcula has announced "darcula-suite 3.0", an advanced Phishing-as-a-Service (PhaaS) platform that lets even non-technical users generate sophisticated phishing kits for any brand. The suite uses browser automation to clone a legitimate website, allowing customized phishing campaigns to be deployed within minutes. Since March 2024, Darcula's previous platform has impacted over 200 brands worldwide, with Netcraft identifying and blocking more than 95,000 malicious URLs and taking down over 20,000 fraudulent domains. The new version, expected to launch in mid-February 2025, represents a significant escalation in phishing capability, lowering the barrier for cybercriminals to run complex attacks; because the kits are produced by cloning live sites, defenders cannot rely on detecting a fixed set of pre-built brand templates.

Business executives, new targets for Pegasus spyware   

A recent report by mobile security firm iVerify finds that Pegasus spyware is more widespread than previously thought, affecting executives in industries such as real estate, logistics and finance. In December, iVerify detected Pegasus on 11 of 18,000 devices scanned. The spyware, developed by Israel's NSO Group, has long been controversial for its use against civilians, despite NSO's claim that it is sold only to governments to fight crime. Pegasus installs without any user interaction, and some of the infections found had persisted for years. The report notes that only about half of those affected had received threat notifications from Apple. According to Rocky Cole, co-founder of iVerify, the world is still unprepared for this threat, which now extends into the private sector and puts financial information and strategic deals at risk.