Aggregator
Career Planning for Information Security Beginners: A Growth Guide from Zero to One
Cybersecurity Talent Shortage: Myth, Mismatch, or Reality?
Is there really a cybersecurity talent shortage, or are we just looking in all the wrong places? This week on the Shared Security Podcast, we tackle the buzz around the so-called cybersecurity skills gap. Host Tom Eston welcomes Katie Soper, Senior Consultant at Avetix Cyber and co-founder of the CyberVault Podcast, to discuss the challenges […]
The post Cybersecurity Talent Shortage: Myth, Mismatch, or Reality? appeared first on Shared Security Podcast.
The post Cybersecurity Talent Shortage: Myth, Mismatch, or Reality? appeared first on Security Boulevard.
Third-party breaches double, creating ripple effects across industries
Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats. The expanding web of vendors increases supply chain cyber risks Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s … More →
The post Third-party breaches double, creating ripple effects across industries appeared first on Help Net Security.
First Batch! Moresec (默安科技) Lijian (雳鉴) Software Supply Chain Risk Assessment Platform Selected for the CCIA New Cybersecurity Products List!
Instagram Ads Use AI Face-Swapping to Defraud Bank Customers
Security researchers have recently found that Instagram ads imitating financial institutions such as Bank of Montreal (BMO) and EQ Bank are being used to target Canadian consumers with phishing and investment fraud.
Some of the ads use AI-driven deepfake videos to try to harvest personal information, while others use official branding to drive traffic off the platform to illegitimate domains that have nothing to do with the bank.
Closely imitating bank branding
Multiple examples of Instagram ads have been found that may appear to be run by Canadian banks but are in fact scams.
The ad example shown below claims to come from "EQ Marketing" and closely mimics EQ Bank's branding and color scheme, while promising a fairly optimistic interest rate of 4.5%. However, when people click it, they are taken to a fake RBCpromos1[.]cfd phishing site that has no connection to EQ Bank and attempts to collect their banking credentials.
Fake EQ Bank ad targeting Canadian bank consumers
The letters "RBC" in the phishing domain also suggest that the domain may be linked to other phishing campaigns targeting customers of RBC, the Royal Bank of Canada (one of Canada's largest banks).
After clicking "Yes, continue with my account", the user is shown a spoofed "EQ Bank" login screen prompting them to enter their banking credentials.
By contrast, the legitimate EQ Bank ads we have seen on platforms such as Reddit direct visitors to the official EQbank.ca website (and show a more realistic interest rate):
Legitimate EQ Bank ad seen on Reddit
AI deepfake face-swap videos of a bank executive
Another fraudulent ad, titled "BMO Belski", appeared on Instagram. The ad asks users screening questions such as "How long have you been investing in stocks?"
Screening questions are a common engagement tool used by legitimate advertisers to qualify prospects and then steer them to the most relevant product. In this case, however, after answering these sham questions the user is taken to a screen prompting them to submit contact information to the advertiser, "BMO Belski":
"BMO Belski" Instagram ad found collecting user information
The ad is clever: it not only abuses BMO's name but also implies a connection to Brian Belski, the bank's Chief Investment Strategist and head of its investment strategy group. An ordinary user could be fooled into thinking they are getting trusted financial advice and investment products from a well-known expert.
We also noticed that the BMO Belski ad plays an AI-generated deepfake video of Belski, luring people into joining a "private WhatsApp investment group".
Fake "BMO Belski" ad playing an AI face-swap video
Facebook advertisers absent from Instagram
One common thread observed across these ads is that the advertiser accounts running them do not exist on Instagram, only on Facebook.
BMO Belski has a Facebook page (archived) with several thousand followers, yet it has no presence on Instagram, where the entity's ads are shown.
BMO Belski has no Instagram account
Meta Business Manager does make it possible to run Instagram ads using a Facebook page (without owning an Instagram account).
The exact reason scammers use this approach is unclear. However, it does spare them from having to build a presence and follower base on Instagram, which could take some time. Furthermore, recently created Instagram accounts (linked to ads) may be easier to spot than accounts that do not exist at all.
Interestingly, since it was created on October 27, 2023, the BMO Belski Facebook page contains only two posts, both published this week.
The BMO Belski Facebook page has two posts
Before impersonating the BMO spokesperson, the page was originally named "Brentlinger Matt Blumm" when it was created, another sign that threat actors repurpose stolen digital assets such as social media pages, just like the RBCpromos1 phishing domain mentioned earlier.
The BMO Belski Facebook page was previously named Brentlinger Matt Blumm
Creating a brand-new page for their scam would show a recent creation date, which raises suspicion, whereas repurposing a page lends the scammers more credibility, because they can now show that the page has existed for some time and has followers (whether real or bots).
Researchers reported these fraudulent ads to Instagram, but even several days later the ads continued to be shown, highlighting the danger such campaigns pose because of logistical delays in taking them down.
Meta is currently investigating the content and will remove anything deemed fraudulent. EQ Bank is aware of the phishing ad campaign and is actively working with the platform to have it taken down as soon as possible.
High-fidelity scams that exploit customers in this way are reportedly on the rise. Customers should therefore exercise caution when encountering online promotions and verify their legitimacy by contacting staff directly through official channels. Users should be careful when clicking ads on social media platforms such as Instagram and Facebook, and remain cautious even when the ads appear to come from legitimate organizations and carry their branding.
An Instagram ad from a genuine advertiser
Ads from Instagram accounts bearing a "verified" badge, as shown above, may be more trustworthy. Nevertheless, users should remain vigilant and make sure they are not redirected to other, potentially dangerous URLs.
dreamhack.io? anyone tried it?
Using code that AI taught me to write, I hand-built a toy robot
Printer maker Brother's device passwords cracked: the password can be computed from the serial number
Linux Kernel Drama: Torvalds Withdraws Bcachefs Support for 6.17 After Clash Over Feature Submissions
Tensions have once again flared within the Linux kernel development community, this time centering on the Bcachefs file system — a project promoted as a reliable solution that “won’t eat your data.” While disputes...
The post Linux Kernel Drama: Torvalds Withdraws Bcachefs Support for 6.17 After Clash Over Feature Submissions appeared first on Penetration Testing Tools.
UK Records First Cyberattack-Linked Death: Patient Dies Amid NHS Ransomware Chaos
The United Kingdom has confirmed its first fatality directly linked to a cyberattack on the National Health Service (NHS). The incident, which occurred in June of last year, severely disrupted hospital operations across southeast...
The post UK Records First Cyberattack-Linked Death: Patient Dies Amid NHS Ransomware Chaos appeared first on Penetration Testing Tools.
Windows 11 25H2 Dev Build Unveils Deeper 1Password Integration for Seamless Passkey Management
Microsoft has released a new Windows 11 update (Build KB5060838) for participants of the Windows Insider Program in the Dev Channel. This update introduces both publicly available enhancements and features that are being gradually...
The post Windows 11 25H2 Dev Build Unveils Deeper 1Password Integration for Seamless Passkey Management appeared first on Penetration Testing Tools.
Android 16 Unleashes Stingray Protection: New Security Features Combat Network Impersonation
Owners of Android smartphones will soon benefit from enhanced protection against one of the most insidious yet dangerous threats in mobile communication — network impersonation. With the introduction of Android 16, Google is implementing...
The post Android 16 Unleashes Stingray Protection: New Security Features Combat Network Impersonation appeared first on Penetration Testing Tools.
Russia cuts connections to Cloudflare servers; any website using its acceleration and protection services becomes inaccessible
Microsoft ends 40 years of the "Blue Screen of Death": simplified error screen arrives this summer
Hacker Pleads Guilty: Breached Orgs to Promote Cybersecurity Services, Faces Prison
Nicholas Michael Kloster, a resident of Kansas City, has found himself at the center of a high-profile criminal case, culminating in his guilty plea to a series of cybercrimes. According to the U.S. Department...
The post Hacker Pleads Guilty: Breached Orgs to Promote Cybersecurity Services, Faces Prison appeared first on Penetration Testing Tools.
Urgent Printer Alert: Critical Flaw (CVE-2024-51978, CVSS 9.8) Exposes Brother & Other Printers to Remote Takeover
Experts at Rapid7 have disclosed a critical vulnerability affecting 689 Brother printer models and 53 models from other manufacturers, including Fujifilm, Toshiba, and Konica Minolta. The flaw lies in a predictable algorithm used to...
The post Urgent Printer Alert: Critical Flaw (CVE-2024-51978, CVSS 9.8) Exposes Brother & Other Printers to Remote Takeover appeared first on Penetration Testing Tools.
ClickFix Attacks Skyrocket 517%: New “FileFix” Tactic Emerges to Deploy Stealthy Malware
The social engineering technique known as ClickFix—based on deceptive CAPTCHA prompts—has witnessed a dramatic surge in popularity among cybercriminals over the past year. According to ESET, between July 2024 and June 2025, the number...
The post ClickFix Attacks Skyrocket 517%: New “FileFix” Tactic Emerges to Deploy Stealthy Malware appeared first on Penetration Testing Tools.