I've noticed on some scam forums and subreddits I frequent that scammers have been using target site's own support searches to redirect users to scam phone numbers.
On both Ticketmaster and Facebook, and many other sites, when you perform a search on their support site it spits back your query in big letters at the top of the page. If you craft the correct search and then buy Google Ads pretending to be Ticketmaster, then you can redirect users to your call center and scam them. And because they link for your ad actually links to Ticketmaster the ad passes validation and appears to be a legit link in the eyes of Google.
So, I craft a search where the search query is “call 1 800 scam”, then I buy a google ad with key word of “ticketmaster help”, the ad links to real ticketmaster with my query, and google shows that ad to someone having trouble and hey presto they call my scam line at 4 quid a minute from their mobile?
Yuck all round. I mean ticketmaster is just a sin eater for greedy popstars but yuck ..
Yes, but also it's an impressive digital Jedi mind trick on a website.
signs a question mark with hand
"This is the support number you're looking for."
And the victim is extra primed here because so many companies make it nearly impossible to talk to a human. Yikes!
Almost seems like there's room here for a grey hat to come in and use this trick to do a good faith job trying to help the customer through their problem. Then tell them at the end that a recent anti-trust suit requires them to tell the customer about alternate independent venues in their area where they can support live music.
> Almost seems like there's room here for a grey hat to come in and ...
... call the scam numbers to tie up their staff and prevent them from talking to potential victims. Someone like Kitboga could do this at scale. Where there's a phone number, there's a way.
Exactly. And when you try and help these people and explain that you didn't actually call Ticketmaster support they will tell you that they found the phone number on the official Ticketmaster website and Google said it was a verified link.
Completely unrelated tangent: Jesus Christ Reddit is such a cesspit.
Tried tapping that link on mobile, got a screen to view the corresponding post. Tapped it, and I got taken to the App Store. No thanks, force quit the App Store and go back.
Now I get a full screen notice on the original Reddit tab saying “didn’t go where you expected? Next time try the long press!” With instructions to not use private browsing and to long press any link and open in safari. (Wha? You, Reddit, are what are trying to force me to use your app!)
So I long press like they say, open in new tab, and what do I see? A large blank page that just says “REDDIT” in all caps, with the button “Get the app” on the bottom. The link was just to “reddit.app.link” the whole time.
Can’t a company who has a website, just … let me use the website? At every possible turn, Reddit HATES anyone using Reddit from a browser. They will ruin every single aspect of the website they possibly can to try to push you to the app. The entirety of reddit.com seems to be just a broken honeypot to get you to use the app instead. I just can’t fathom how a company can be that broken.
Just delete the Reddit website, it would make more sense.
> The entirety of redit.com seems to be just a broken honeypot to get you to use the app instead. I just can’t fathom how a company can be that broken.
It's their intention to have the website be a funnel so that they can get more mobile users.
I sometimes use https://old.reddit.com, though it doesn't look that great on mobile, maybe there are some other alternatives.
I know reddit will connect accounts together based on device ID, i wonder if their data becomes more valuable if you can tie multiple independent accounts together in to one profile?
Its a site where users will often have multiple login for different subjects of discussion.
> Tried tapping that link on mobile, got a screen to view the corresponding post. Tapped it, and I got taken to the App Store.
It's obnoxious, but if you really want to view the post you can switch the screenshot page to desktop mode, and the "View post" button shouldn't redirect to the App Store. The result isn't pretty but it's readable in a pinch.
(They're still not desperate enough to track the UA and detect the switch.)
But why does google allow unverified owners of a domain to buy ads for it? Surely only ticketmaster or agencies approved by ticket master should be allowed to do this?
Because most of the ads are created by external ad agencies, and the people involved are not competent enough to do any verification.
Source: I've also thought this was ridiculous and asked someone working on the adsense team. Apparently tried enforcing some domain verification mechanism in an experiment, but most companies and agencies struggled to get the verification done and of course the $ metrics on this launch dropped, causing execs to force them to stop.
Maybe a partial solution here would be to offer some kind of "domain locking" option?
Allow sites that are heavy targets of this kind of scam - like ticketmaster - to add a "AdSense: locked" line to their robots.txt (or similar) - if that line is present then advertisers have to go through an additional domain verification step in order to place an ad.
Not necessarily, if you have an affiliate program or something like that you could buy ads for, say, eBay using your affiliate link in the hopes of you generating more profit than the ads cost.
One time an article about Facebook logins got to #1 and its comments were full of people mad that Facebook changed their website yet again, how can they login to Facebook, waah, waah!
On top of that, you receive private information about people from Google, because if someone calls your number, then you know that they were on ticketmaster. Replace ticketmaster by e.g. a swingers club, and now Google's ad businessmodel is
in real trouble because it leaks sensitive information.
> ticketmaster is just a sin eater for greedy popstars
Apparently Live Nation owns many performance venues and leverages their power in that market to gain an advantage in the ticket sales market. “Sell through us or you won’t be allowed to play at any famous venue in this city” kind of deal.
Don’t have any sources beyond “heard it on a podcast” though ¯\_(ツ)_/¯
I've been seeing similar scams via PayPal. The scammers apparently add the target email address as a forwarding address on a compromised or created-for-purpose email account. And that bouncer email address is signed up for PayPal. So the scam email is actually from PayPal, bounced through some other inbox. The To name and address is of the bouncer email address PayPal sent it to.
One version involves sending money to someone with the PayPal account (so the target might think it was sent from their own account) with a "note" to the transaction recipient, which the target sees, which says PayPal has detected unusual activity and please call this phone number to request a refund.
Another involves a "Your ITEM NAME order is on its way" email where the item being ordered is called something like, "Some Company, Inc: Don't recognize the seller? Call us at SOME PHONE NUMBER".
A third is like the second, except it's a "You paid CURRENCY to SELLER" email. This one has the PayPal user's name at the top, so not as convincing perhaps.
A family member fell for this while trying to recover their hacked fb account. I was around and caught wind of the call and some of the absurd steps (absurd to me, anyways) they were proposing and pulled the plug on the "support" call. The phone number was in what seemed to be a cached result of a bad search or something. '"Call us at xxx-xxxx..." not found' is what I saw. (Finding a real support number is either difficult or impossible, which makes this a good trap)
Its cool you at least attempted to do something with a bit of social connection at such a heavily targeted website.
Having personal issues with Ticketmaster's pricing methods (causing many to probably never want to do anything that might help) is a different issue than the website being used as a source for redirecting calls to fake call centers.
Since they escalated maybe something will get done. Ticketmaster would have a motivation, if large numbers fall prey to diverted call center scams it only makes their reputation flounder even worse.
(...obvious joke here would be if the scammers actually offer better support, they're just trying to steal call center business)
This actually makes sense to me; if you're an artist selling tickets on Ticketmaster, it's in everybody's interests to let you show ads for those tickets to your fans.
If only the Ticketmaster team could show ads on that domain, all these ads would have to go through their marketing team (and use ticketmaster's budget, with all the accounting and invoicing this requires), which would massively slow things down.
Instead, it seems that Google has some kind of protection where ads mentioning Ticketmaster must link to their official domain, to prevent things like this from happening. The scammers just found a way for that domain to display arbitrary text.
I don't mean reaching for support. I mean setting up a scam like this. It seems so bottom of the barrel scummy, creative too, but mostly scummy.
Imagine you have the creativity and criminal energy to conceptualize and operate something like this (and the rat tail of justice evasion, laundering money, etc). It seems so much easier to make money in the honest economy.
Unless of course you're operating for a rogue state...
No surprise, having worked in edu the following scenario was very common:
1) Researcher gets a grant for a project
2) Grad student sets up a Drupal site for the project
3) Things are maintained and updated for a couple of years
4) Grant runs out, project wraps up, student graduates, everyone forgets about the server which sits unattended and unmaintained.
Still happens, but most universites have really clamped down on the ability to just stand up a web server on the network. Many are requiring everything to be on a centrally managed enterprise CMS which is a PITA but that's the fallout for too much sloppy administration.
At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address. All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Ah the good old days of putting my head down at my desk lulled into a nap by the once-a-second sounds of ssh login attempt logs being written to the spinning rust drive...
> At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address.
Well that's fine; my school did the same thing and other than feeling wasteful there was no-
> All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Oh. Yeah, open ports by default is... and interesting life choice.
> Norton, Kaspersky, Zscaler, F-secure, NordVPN, Virustotal, Palo Alto: all of them marked these links as safe.
This is sad to see, these tools are forced down so many companies in name of "compliance" while totally not worth the maintenance and cost overhead. Apparently they haven't got any better in the last decade.
I work for a cybersecurity company, and I think that the method they used to check these links with the mentioned security companies was not a reflection of how they detect. I'm sure that many of these companies do not have these domains in their DBs of bad sites but if you were to run these products and then visit the site then heuristic detection would have likely flagged the sites.
I would have expected at least Virustotal to flag them if that were the case. It does more than just looking up in a database of known malicious URLs and I think the reputation of the domains is the key factor here.
It is the same for nested links as well. They mostly have a chain of links, each one taking you to a new one with hop count ranging anywhere from 5 up to 10 or more.
damn, i remember seeing old servers just getting dusty and full of holes after the student left. kinda crazy how much messy stuff is hiding in corners like that lol
I have been advised not to disclose specific vulnerabilities since the parties involved are not most friendly and transparent in handling security reports. While most of these got reported and some even got fixed, I can only disclose high-level details of the compromise path. Some just ghosted me after conveniently fixing the flaws, and one even gave me a phone call, which was somewhat scary and perhaps not worth the adrenaline.
What an unprofessional sysadmin move, borderline infuriating.
could someone with legal/data-privacy expertise comment if this would be something they have to disclose under data breach disclosure laws?
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
they've been contacted through the "proper channels" over 18 months ago by several (more than 1) security researchers.
After some people started publicly naming and shaming on LinkedIn and tagging ENISA, the issue got some exposure, but still was not fixed. It only made it more evident that several people independently reported these issues, and they became aware of peers stumbling over the issue. Still nothing happened.
ENISA is supposed to act as a CNA and expects to be notified of data breaches from EU based orgs for PSIRT / CSIRT as part of the Cybersec Resiliance Act and other laws.
Would I trust that vulnerability data that gets reported as a CVE, or a breach notification is safe with ENSIA ?
... feck no!
Would I trust that documents that europa.eu hosts on its infra are authentic? (such as security-compliance documents telling orgs how to properly implement security, but literally any public communication under one of the domains)
... hecking heck no!
... At this stage I think everyone else except ENISA has control over their infrastructure.
I am surprised no one mentioned using LLMs to spell and grammar check their emails and vibe-code bank landing-pages to continue a more polished version of scamming elderly people out of their life savings.
I have heard that theory from some cybersecurity experts online but have never seen it substantiated in any way (by interviewing some scammers, for example) and frankly don't believe it.
The misspellings and grammatical errors (used to?) continue on the fake sites that are created to steal credentials, and the excuses for most of the reasoning regarding emails do not hold there.
Why wouldn't you believe it? It makes economic sense. The most expensive part for a scammer in any automated scam is the part which can't be automated, where a human has to get involved for e.g. a phonecall.
Economically, the scammer wants to do everything they can to get rid of smart or diligent people who might be harder to scam at the expensive part. It feels like it would cost scammers to not have typos.
Also, anecdotal, but the rise of autocorrect, spell checking and LLMs doesn't seem to have made any impact on the quality of spelling in my spam folder over the past 20 years.
1. The misspellings and grammar issues (used to) continue beyond emails into the websites, etc.
2. The grammar issues, magically, seem to mimic the the same grammar differences between certain countries typical language constructions and those of standard American English
3. Check your spam folder right now if you have gmail. Where did this 4-D chess triage of illiterate potential dupes go? Spelling and grammar are suddenly almost perfect! Also, many of the older scams seem to be replaced with romance or family impersonation scams.
>It makes economic sense. The most expensive part for a scammer in any automated scam is the part which can't be automated, where a human has to get involved for e.g. a phonecall.
Perhaps you haven't heard, but this can also be automated as well, cheaply. Works particularly well on the elderly!
>Economically, the scammer wants to do everything they can to get rid of smart or diligent people who might be harder to scam at the expensive part. It feels like it would cost scammers to not have typos.
I think you are giving too much credit to the spammers. Economically, the easiest thing to do is to send out endless emails and wait for responses. Those people, regardless of diligence or literacy, are already self-selecting and you can let them talk to LLMs to winnow the rest.
>Also, anecdotal, but the rise of autocorrect, spell checking and LLMs doesn't seem to have made any impact on the quality of spelling in my spam folder over the past 20 years.
I agree ... up until the rise of LLM's. Now (outside of more use of emojis) it is very good.
These days most "cyber" crimes are commited by corporations against their customers/users (just like most theft is wage theft). These small fish/phish putting sites on exploited servers are a drop in the bucket. It is sad when some university resource gets shut down because they didn't mantain it after the grad student that set it up graduates though. We really need to teach the people that set up these things to use .html pages instead of dynamic languages and databases.
Is it just me or is cybersecurity... Calming down? I feel like a few years ago there was constant news of ransomware, intrusions, vulnerabilities, etc, but more recently the defensive side seems to have the upper hand.
You only hear about the offensive side winning when the company can't prevent it from leaking. Rest assured, the only thing "calming down" in cybersecurity is the nihilism that nothing involving a human will ever be secure.
Not particularly. The only thing I have noticed in the past decade is the decline of the "American Hacker". Most groups are foreign but will partner with younger Americans for social engineering (ex. Scattered Spider). You just don't have people like Albert Gonzalez/Stephen Watt in America now. However, I suspect that many American hackers have shifted to targeting overseas countries that are not friendly with the US.
> You just don't have people like Albert Gonzalez/Stephen Watt in America now
I don't know what the state of big corps netsec is today but these guys had it somewhat easy. They got initial access through weak wifi then pivoted with SQL injects and such.
I've noticed on some scam forums and subreddits I frequent that scammers have been using target site's own support searches to redirect users to scam phone numbers.
On both Ticketmaster and Facebook, and many other sites, when you perform a search on their support site it spits back your query in big letters at the top of the page. If you craft the correct search and then buy Google Ads pretending to be Ticketmaster, then you can redirect users to your call center and scam them. And because they link for your ad actually links to Ticketmaster the ad passes validation and appears to be a legit link in the eyes of Google.
Example of a crafted search term: https://help.ticketmaster.com/hc/en-us/search?utf8=%E2%9C%93...
So, I craft a search where the search query is “call 1 800 scam”, then I buy a google ad with key word of “ticketmaster help”, the ad links to real ticketmaster with my query, and google shows that ad to someone having trouble and hey presto they call my scam line at 4 quid a minute from their mobile?
Yuck all round. I mean ticketmaster is just a sin eater for greedy popstars but yuck ..
> Yuck all round.
Yes, but also it's an impressive digital Jedi mind trick on a website.
signs a question mark with hand
"This is the support number you're looking for."
And the victim is extra primed here because so many companies make it nearly impossible to talk to a human. Yikes!
Almost seems like there's room here for a grey hat to come in and use this trick to do a good faith job trying to help the customer through their problem. Then tell them at the end that a recent anti-trust suit requires them to tell the customer about alternate independent venues in their area where they can support live music.
> Then tell them at the end that a recent anti-trust suit requires them to...
Bonus points if you point to the actual anti-trust suit!
https://www.justice.gov/archives/opa/pr/justice-department-s...
> Almost seems like there's room here for a grey hat to come in and ...
... call the scam numbers to tie up their staff and prevent them from talking to potential victims. Someone like Kitboga could do this at scale. Where there's a phone number, there's a way.
Exactly. And when you try and help these people and explain that you didn't actually call Ticketmaster support they will tell you that they found the phone number on the official Ticketmaster website and Google said it was a verified link.
Here's a real example from the same thing happening on FB (don't call that number) https://i.redd.it/w9htjqflgjle1.jpeg
Completely unrelated tangent: Jesus Christ Reddit is such a cesspit.
Tried tapping that link on mobile, got a screen to view the corresponding post. Tapped it, and I got taken to the App Store. No thanks, force quit the App Store and go back.
Now I get a full screen notice on the original Reddit tab saying “didn’t go where you expected? Next time try the long press!” With instructions to not use private browsing and to long press any link and open in safari. (Wha? You, Reddit, are what are trying to force me to use your app!)
So I long press like they say, open in new tab, and what do I see? A large blank page that just says “REDDIT” in all caps, with the button “Get the app” on the bottom. The link was just to “reddit.app.link” the whole time.
Can’t a company who has a website, just … let me use the website? At every possible turn, Reddit HATES anyone using Reddit from a browser. They will ruin every single aspect of the website they possibly can to try to push you to the app. The entirety of reddit.com seems to be just a broken honeypot to get you to use the app instead. I just can’t fathom how a company can be that broken.
Just delete the Reddit website, it would make more sense.
> The entirety of redit.com seems to be just a broken honeypot to get you to use the app instead. I just can’t fathom how a company can be that broken.
It's their intention to have the website be a funnel so that they can get more mobile users.
I sometimes use https://old.reddit.com, though it doesn't look that great on mobile, maybe there are some other alternatives.
I still don't understand why mobile users are so much more valuable to them, is it just the inability to block ads?
Your phone has sensors and superior data they can track/sell
>is it just the inability to block ads?
Of course it is.
I know reddit will connect accounts together based on device ID, i wonder if their data becomes more valuable if you can tie multiple independent accounts together in to one profile?
Its a site where users will often have multiple login for different subjects of discussion.
> Tried tapping that link on mobile, got a screen to view the corresponding post. Tapped it, and I got taken to the App Store.
It's obnoxious, but if you really want to view the post you can switch the screenshot page to desktop mode, and the "View post" button shouldn't redirect to the App Store. The result isn't pretty but it's readable in a pinch.
(They're still not desperate enough to track the UA and detect the switch.)
Using Reddit on the laptop seems ok if you set it to the old version.
All websites seem to freak out over you not getting their damn app if you visit on a phone. I just don't use the phone for browsing if I can help it.
Hah. I'd make tbe text:
I used to rely on google filtering when searching for sites. Then on the google search page I fell for an add.
I caught it right after I tried to log in (one of the few sites I remember the password and didn’t have it in a manager). Reset password.
Man did I feel dumb.
I searched the financial institution a few times and the fake ad came up a bunch. I reported but the trust has been broken.
But why does google allow unverified owners of a domain to buy ads for it? Surely only ticketmaster or agencies approved by ticket master should be allowed to do this?
Because most of the ads are created by external ad agencies, and the people involved are not competent enough to do any verification.
Source: I've also thought this was ridiculous and asked someone working on the adsense team. Apparently tried enforcing some domain verification mechanism in an experiment, but most companies and agencies struggled to get the verification done and of course the $ metrics on this launch dropped, causing execs to force them to stop.
Maybe a partial solution here would be to offer some kind of "domain locking" option?
Allow sites that are heavy targets of this kind of scam - like ticketmaster - to add a "AdSense: locked" line to their robots.txt (or similar) - if that line is present then advertisers have to go through an additional domain verification step in order to place an ad.
I like this idea. I would love to hear from Google why they would not do this. Anyone know why Google / Facebook et al would not want to do this?
Money
Money. And no one died because of this behaviour. So why change a running cash-machine...
Not necessarily, if you have an affiliate program or something like that you could buy ads for, say, eBay using your affiliate link in the hopes of you generating more profit than the ads cost.
There are also still plenty of businesses with a Facebook page as their homepage
There was a time when you search for WhatsApp in Google the first sponsored result is a scam site
If you search for "HP Support" or "Dell Phone Number" you will get a scam site 50% of the time now.
One time an article about Facebook logins got to #1 and its comments were full of people mad that Facebook changed their website yet again, how can they login to Facebook, waah, waah!
On top of that, you receive private information about people from Google, because if someone calls your number, then you know that they were on ticketmaster. Replace ticketmaster by e.g. a swingers club, and now Google's ad businessmodel is in real trouble because it leaks sensitive information.
> ticketmaster is just a sin eater for greedy popstars
Apparently Live Nation owns many performance venues and leverages their power in that market to gain an advantage in the ticket sales market. “Sell through us or you won’t be allowed to play at any famous venue in this city” kind of deal.
Don’t have any sources beyond “heard it on a podcast” though ¯\_(ツ)_/¯
I've been seeing similar scams via PayPal. The scammers apparently add the target email address as a forwarding address on a compromised or created-for-purpose email account. And that bouncer email address is signed up for PayPal. So the scam email is actually from PayPal, bounced through some other inbox. The To name and address is of the bouncer email address PayPal sent it to.
One version involves sending money to someone with the PayPal account (so the target might think it was sent from their own account) with a "note" to the transaction recipient, which the target sees, which says PayPal has detected unusual activity and please call this phone number to request a refund.
Another involves a "Your ITEM NAME order is on its way" email where the item being ordered is called something like, "Some Company, Inc: Don't recognize the seller? Call us at SOME PHONE NUMBER".
A third is like the second, except it's a "You paid CURRENCY to SELLER" email. This one has the PayPal user's name at the top, so not as convincing perhaps.
A family member fell for this while trying to recover their hacked fb account. I was around and caught wind of the call and some of the absurd steps (absurd to me, anyways) they were proposing and pulled the plug on the "support" call. The phone number was in what seemed to be a cached result of a bad search or something. '"Call us at xxx-xxxx..." not found' is what I saw. (Finding a real support number is either difficult or impossible, which makes this a good trap)
FWIW I sent this to a friend on the dev team at Ticketmaster and they escalated it.
Its cool you at least attempted to do something with a bit of social connection at such a heavily targeted website.
Having personal issues with Ticketmaster's pricing methods (causing many to probably never want to do anything that might help) is a different issue than the website being used as a source for redirecting calls to fake call centers.
Since they escalated maybe something will get done. Ticketmaster would have a motivation, if large numbers fall prey to diverted call center scams it only makes their reputation flounder even worse.
(...obvious joke here would be if the scammers actually offer better support, they're just trying to steal call center business)
Looks like they already tweaked it so the result is less useful to the scammers.
Terry Davis would never have let this slide
Wow. Programmatic SEO and its consequences. Genius...
This actually makes sense to me; if you're an artist selling tickets on Ticketmaster, it's in everybody's interests to let you show ads for those tickets to your fans.
If only the Ticketmaster team could show ads on that domain, all these ads would have to go through their marketing team (and use ticketmaster's budget, with all the accounting and invoicing this requires), which would massively slow things down.
Instead, it seems that Google has some kind of protection where ads mentioning Ticketmaster must link to their official domain, to prevent things like this from happening. The scammers just found a way for that domain to display arbitrary text.
I found and removed one of these from my company's forums. When I Googled the number I could see it was on a ton of other support forums.
How desperate one has to be...
Have you tried getting ticketing support from Ticketmaster? Even a sketchy phone number is better than no option at all…
I don't mean reaching for support. I mean setting up a scam like this. It seems so bottom of the barrel scummy, creative too, but mostly scummy.
Imagine you have the creativity and criminal energy to conceptualize and operate something like this (and the rat tail of justice evasion, laundering money, etc). It seems so much easier to make money in the honest economy.
Unless of course you're operating for a rogue state...
People do this sort of thing specifically because the "honest" economy is not really that great except for a small percentage of people.
You've got a shocking amount of faith in the honest economy for this moment in time
"This moment" that has lasted about 22 years or so. There were two good runs if you had money to invest, but whatever.
Among the common vulnerabilities listed:
> Outdated Wordpress plugins and CMS systems
No surprise, having worked in edu the following scenario was very common:
1) Researcher gets a grant for a project
2) Grad student sets up a Drupal site for the project
3) Things are maintained and updated for a couple of years
4) Grant runs out, project wraps up, student graduates, everyone forgets about the server which sits unattended and unmaintained.
Still happens, but most universites have really clamped down on the ability to just stand up a web server on the network. Many are requiring everything to be on a centrally managed enterprise CMS which is a PITA but that's the fallout for too much sloppy administration.
At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address. All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Ah the good old days of putting my head down at my desk lulled into a nap by the once-a-second sounds of ssh login attempt logs being written to the spinning rust drive...
> At my old university ~15 years ago, all IPs of all computers were public IPV4 addresses. Any computer plugged in to any ethernet port on campus was given such a "quasi-static" IP address.
Well that's fine; my school did the same thing and other than feeling wasteful there was no-
> All normal ports were open - ssh, http(s), you name it. It was the OG zero trust architecture.
Oh. Yeah, open ports by default is... and interesting life choice.
When you're living in the residences and there's a DC++ server running, it's pretty sweet. Ours had a whole 1.5TB of stuff on it!
Was this RIT by any chance?
My university does the same, except they understand the concept of "firewalls"
This just got cancelled at my institution. I could have retained it if I argued strongly enough.
I used to have the public IP address of the computer in my dorm room memorized. It's been 20 years, and I still remember it started with 128.211.
Only computers?
At my old university even printers had public IP addresses.
I loved that era and it was hugely educational to me, but I can understand why it had to end.
How am I going to work from home if my computer at university is not recheable?
MIT and their /8?
The low friction solution is to serve public_html from a home dir and direct users to generate static sites.
Yep, I remember having ssh access to production servers from a non-work machine at a well known university.
We could also get external ips and connectivity without much supervision. Core security needs to be prioritized to avoid this from happening.
> Norton, Kaspersky, Zscaler, F-secure, NordVPN, Virustotal, Palo Alto: all of them marked these links as safe.
This is sad to see, these tools are forced down so many companies in name of "compliance" while totally not worth the maintenance and cost overhead. Apparently they haven't got any better in the last decade.
I work for a cybersecurity company, and I think that the method they used to check these links with the mentioned security companies was not a reflection of how they detect. I'm sure that many of these companies do not have these domains in their DBs of bad sites but if you were to run these products and then visit the site then heuristic detection would have likely flagged the sites.
I would have expected at least Virustotal to flag them if that were the case. It does more than just looking up in a database of known malicious URLs and I think the reputation of the domains is the key factor here.
https://www.virustotal.com/gui/url/6dd23e90ee436e1ff066725aa...
> BitDefender - government
> Sophos - government
> Forcepoint ThreatSeeker - government
- https://docs.virustotal.com/docs/how-it-works
Well, that's exactly the difference between complience and security
I'm curious if the link inside the pdf would have been detected.
It is the same for nested links as well. They mostly have a chain of links, each one taking you to a new one with hop count ranging anywhere from 5 up to 10 or more.
https://i.ibb.co/7NZR08TL/Screenshot-2025-05-06-at-5-05-39-P...
damn, i remember seeing old servers just getting dusty and full of holes after the student left. kinda crazy how much messy stuff is hiding in corners like that lol
>
I have been advised not to disclose specific vulnerabilities since the parties involved are not most friendly and transparent in handling security reports. While most of these got reported and some even got fixed, I can only disclose high-level details of the compromise path. Some just ghosted me after conveniently fixing the flaws, and one even gave me a phone call, which was somewhat scary and perhaps not worth the adrenaline.
What an unprofessional sysadmin move, borderline infuriating.
They create meme coins etc?
It's the way forward but not actually a crime. In the future we'll live by selling meme coins to each other while AIs do the actual work.
Once upon a time I typed something like `r57shell gov` and got a PHP webshell on *.gov.br
john wick site:europa.eu https://www.google.com/search?q=john+wick+site%3Aeuropa.eu&h...
gta 5 site:europa.eu https://www.google.com/search?q=gta+5+site%3Aeuropa.eu&hl=en
Watch full site:europa.eu https://www.google.com/search?q=Watch+full+site%3Aeuropa.eu&...
could someone with legal/data-privacy expertise comment if this would be something they have to disclose under data breach disclosure laws?
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
they've been contacted through the "proper channels" over 18 months ago by several (more than 1) security researchers.
After some people started publicly naming and shaming on LinkedIn and tagging ENISA, the issue got some exposure, but still was not fixed. It only made it more evident that several people independently reported these issues, and they became aware of peers stumbling over the issue. Still nothing happened.
ENISA is supposed to act as a CNA and expects to be notified of data breaches from EU based orgs for PSIRT / CSIRT as part of the Cybersec Resiliance Act and other laws.
Would I trust that vulnerability data that gets reported as a CVE, or a breach notification is safe with ENSIA ?
... feck no!
Would I trust that documents that europa.eu hosts on its infra are authentic? (such as security-compliance documents telling orgs how to properly implement security, but literally any public communication under one of the domains)
... hecking heck no!
... At this stage I think everyone else except ENISA has control over their infrastructure.
When clicked, all show: page not found
So, fixed now?
They're usually designed so only Google sees it. It's for SEO, not to trick people.
I am surprised no one mentioned using LLMs to spell and grammar check their emails and vibe-code bank landing-pages to continue a more polished version of scamming elderly people out of their life savings.
The misspellings/shitty grammar are on purpose.
I have heard that theory from some cybersecurity experts online but have never seen it substantiated in any way (by interviewing some scammers, for example) and frankly don't believe it.
The misspellings and grammatical errors (used to?) continue on the fake sites that are created to steal credentials, and the excuses for most of the reasoning regarding emails do not hold there.
Why wouldn't you believe it? It makes economic sense. The most expensive part for a scammer in any automated scam is the part which can't be automated, where a human has to get involved for e.g. a phonecall.
Economically, the scammer wants to do everything they can to get rid of smart or diligent people who might be harder to scam at the expensive part. It feels like it would cost scammers to not have typos.
Also, anecdotal, but the rise of autocorrect, spell checking and LLMs doesn't seem to have made any impact on the quality of spelling in my spam folder over the past 20 years.
>Why wouldn't you believe it?
Lots of reasons, but here are a few:
1. The misspellings and grammar issues (used to) continue beyond emails into the websites, etc.
2. The grammar issues, magically, seem to mimic the the same grammar differences between certain countries typical language constructions and those of standard American English
3. Check your spam folder right now if you have gmail. Where did this 4-D chess triage of illiterate potential dupes go? Spelling and grammar are suddenly almost perfect! Also, many of the older scams seem to be replaced with romance or family impersonation scams.
>It makes economic sense. The most expensive part for a scammer in any automated scam is the part which can't be automated, where a human has to get involved for e.g. a phonecall.
Perhaps you haven't heard, but this can also be automated as well, cheaply. Works particularly well on the elderly!
>Economically, the scammer wants to do everything they can to get rid of smart or diligent people who might be harder to scam at the expensive part. It feels like it would cost scammers to not have typos.
I think you are giving too much credit to the spammers. Economically, the easiest thing to do is to send out endless emails and wait for responses. Those people, regardless of diligence or literacy, are already self-selecting and you can let them talk to LLMs to winnow the rest.
>Also, anecdotal, but the rise of autocorrect, spell checking and LLMs doesn't seem to have made any impact on the quality of spelling in my spam folder over the past 20 years.
I agree ... up until the rise of LLM's. Now (outside of more use of emojis) it is very good.
I think the time for that has passed. The trend of the last few years has been scarily realistic phishing emails.
These days most "cyber" crimes are commited by corporations against their customers/users (just like most theft is wage theft). These small fish/phish putting sites on exploited servers are a drop in the bucket. It is sad when some university resource gets shut down because they didn't mantain it after the grad student that set it up graduates though. We really need to teach the people that set up these things to use .html pages instead of dynamic languages and databases.
Sure. Corporations commit ransomware attacks all the time.
Honestly you are always (half) a step behind and that’s for the worst cyber criminals cause the state sponsored ones are multiple steps ahead.
It’s very interesting to look at from the outside, thanks for sharing.
Is it just me or is cybersecurity... Calming down? I feel like a few years ago there was constant news of ransomware, intrusions, vulnerabilities, etc, but more recently the defensive side seems to have the upper hand.
You only hear about the offensive side winning when the company can't prevent it from leaking. Rest assured, the only thing "calming down" in cybersecurity is the nihilism that nothing involving a human will ever be secure.
Not particularly. The only thing I have noticed in the past decade is the decline of the "American Hacker". Most groups are foreign but will partner with younger Americans for social engineering (ex. Scattered Spider). You just don't have people like Albert Gonzalez/Stephen Watt in America now. However, I suspect that many American hackers have shifted to targeting overseas countries that are not friendly with the US.
> You just don't have people like Albert Gonzalez/Stephen Watt in America now
I don't know what the state of big corps netsec is today but these guys had it somewhat easy. They got initial access through weak wifi then pivoted with SQL injects and such.
There's a lot of other stuff in the news.