Hackers use fake Semrush ads to steal Google accounts

Cybercriminals are using fake adverts for popular SEO platform Semrush to trick users into giving up access to their Google accounts, researchers have warned.

The malvertising campaign features ads that link to a bogus Semrush login page, which only allows users to sign in via Google, a tactic designed to steal high-value credentials.

According to Malwarebytes, Semrush accounts are often linked to critical Google services such as Analytics and Search Console.

These tools store confidential business insights, which threat actors could exploit for strategic and financial gain. The scammers may also access names, phone numbers, business details, and partial card information through compromised Semrush accounts.

By impersonating Semrush support, attackers could deceive users into revealing full card details under the pretence of payment or billing updates. This in turn may open the door to wider fraud, such as redirecting payments from vendors or business partners.

With Semrush serving over 117,000 customers, including a significant share of Fortune 500 firms, the attack underscores the growing risks of malvertising on platforms like Google.

Security experts are urging businesses to tighten account access controls and remain cautious when engaging with search ads, even from seemingly reputable brands.

For more information on these topics, visit diplomacy.edu.

Australian police warn of Binance-themed crypto scam targeting users

Australian authorities have issued warnings about a sophisticated scam in which fraudsters impersonate Binance via SMS, tricking users into transferring their crypto assets.

The Australian Federal Police (AFP) revealed that scammers use sender ID spoofing to make fraudulent messages appear in the same thread as legitimate Binance communications.

Victims are falsely informed of a security breach and urged to move their funds to a ‘trust wallet,’ which is controlled by the scammers.

The AFP has identified at least 130 potential victims and launched a campaign to warn them. Cybercrime officials explained that once funds are transferred to the scammers’ wallets, they are swiftly moved across multiple accounts, making recovery difficult.

Similar scams have also targeted users of Coinbase and Gemini, exploiting pre-generated recovery phrases to seize control of wallets.

Binance Chief Security Officer Jimmy Su advised users to verify official communications through Binance’s security tools and website.

The Australian government is taking steps to combat these scams, planning to launch an SMS Sender ID Register in late 2025. The initiative will require telecom providers to verify brand-name messages, reducing the risk of spoofing.

Investment scams remain a significant issue in Australia, with AU$382 million ($269 million) lost in the past year, nearly half of which was crypto-related.

Authorities continue to urge caution, warning users to be sceptical of unsolicited messages and requests for seed phrases or urgent transfers.

Cyberattack exploits a flaw in ZoneAlarm’s vsdatant.sys driver

A sophisticated cyberattack has targeted vulnerabilities in the vsdatant.sys driver, a component of Check Point's ZoneAlarm antivirus software, allowing attackers to bypass critical Windows security features.

The driver, released in 2016, has been exploited in a Bring Your Own Vulnerable Driver (BYOVD) attack, enabling attackers to elevate privileges and access sensitive data.

The vsdatant.sys driver runs in the kernel with full privileges and contains long-known vulnerabilities that can be triggered by sending it crafted I/O Request Packets (IRPs).

These flaws, affecting versions of the driver prior to 7.0.362, allow arbitrary code execution because the driver does not properly validate the arguments passed to its system function handlers.

BYOVD attacks have become increasingly common, with attackers leveraging legitimate but vulnerable drivers to bypass security measures undetected.

In this case, attackers were able to disable Windows' Memory Integrity feature (hypervisor-protected code integrity, HVCI), which uses virtualisation-based security to stop unsigned or tampered code from running in the kernel.

By exploiting flaws in vsdatant.sys, the attackers gained full access to the compromised system, enabling them to steal sensitive information.

To mitigate the risk of such attacks, security experts recommend implementing driver blocklisting, enabling Memory Integrity, and keeping all security products up to date. Memory Integrity alone does not stop a validly signed but vulnerable driver from loading; the driver must also be on a blocklist, such as Microsoft's vulnerable driver blocklist (enforced by default when Memory Integrity is on) or an organisation's own WDAC policy, for the load to be refused.

Users are urged to update their ZoneAlarm installations to the latest version to avoid exposure to these vulnerabilities.
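The following audit script is an added example, not code from Check Point, Microsoft or the researchers who reported the attack. It checks a Windows host for the three conditions the article turns on: whether a vsdatant.sys driver older than 7.0.362 is registered or loaded, whether Memory Integrity is configured and actually running, and whether Microsoft's vulnerable driver blocklist has been explicitly switched off. The driver file name and the fixed version come from the text; the WMI class, its service codes and the two registry locations are Microsoft's documented settings, but the exact install path of ZoneAlarm is not known here and the script therefore finds the driver through the Service Control Manager rather than by path.

```powershell
# Added example: audit a host for the BYOVD conditions described above.
# Assumptions (not from the article): Win32_DeviceGuard service code 2 = HVCI,
# and HKLM\...\CI\Config\VulnerableDriverBlocklistEnable is the blocklist toggle.
# Run from an elevated PowerShell prompt.

$FixedVersion = [Version]'7.0.362'   # first non-vulnerable build named in the article

function Get-VsdatantStatus {
    # Win32_SystemDriver lists every kernel driver registered with the SCM,
    # loaded or not; a BYOVD attack normally registers a service for the driver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.PathName -match 'vsdatant\.sys$' } |
           Select-Object -First 1
    if (-not $drv) { return [pscustomobject]@{ Present = $false } }

    $path = $drv.PathName -replace '^\\\?\?\\', ''          # strip the \??\ NT prefix
    $info = (Get-Item -LiteralPath $path).VersionInfo
    $ver  = [Version]::new($info.FileMajorPart, $info.FileMinorPart,
                           $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Present    = $true
        Path       = $path
        Loaded     = ($drv.State -eq 'Running')
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)
    }
}

function Get-MemoryIntegrityStatus {
    # SecurityServicesConfigured vs SecurityServicesRunning: a feature that is
    # configured but not running means a reboot is pending or it was disabled.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Configured = [bool]($dg.SecurityServicesConfigured -contains 2)
        Running    = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

function Get-DriverBlocklistStatus {
    # Absent value = OS default (on when Memory Integrity is on); 0 = explicitly off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
                             -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{
        Setting       = if ($null -eq $val) { 'not set (OS default)' } else { $val }
        ExplicitlyOff = ($val -eq 0)
    }
}

$d = Get-VsdatantStatus
$m = Get-MemoryIntegrityStatus
$b = Get-DriverBlocklistStatus

$d, $m, $b | Format-List

if ($d.Present -and $d.Vulnerable) {
    Write-Warning "vsdatant.sys $($d.Version) at $($d.Path) is older than $FixedVersion (loaded: $($d.Loaded))."
}
if ($m.Configured -and -not $m.Running) {
    Write-Warning 'Memory Integrity is configured but not running: pending reboot or tampering.'
}
if (-not $m.Configured) {
    Write-Warning 'Memory Integrity is not enabled on this host.'
}
if ($b.ExplicitlyOff) {
    Write-Warning 'Microsoft vulnerable driver blocklist has been explicitly disabled.'
}
```

A host where the driver is present but the ZoneAlarm product is not installed is the BYOVD pattern itself and deserves an incident ticket, not just a patch. For ongoing detection, the same condition can be alerted on from Sysmon Event ID 6 (driver loaded) whenever ImageLoaded ends in vsdatant.sys outside the expected product directory.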

Spanish police dismantle Bitcoin-themed crypto scam

Spanish police have successfully dismantled a Bitcoin-themed pyramid scam, uncovering a fraudulent network that swindled around $32.6 million from unsuspecting victims.

According to the National Police Corps (CNP), eight individuals were arrested, including the mastermind, a computer programmer detained in Malaga. The scam targeted over 3,600 people, mostly in Spain, but extended its reach to 36 countries.

The group operated a seemingly legitimate platform offering various Bitcoin investment plans. The platform was promoted through websites and social media, and victims were promised significant returns, with some reportedly offered dividends of 40% in just a month.

However, once funds were invested, obstacles were fabricated to delay or prevent withdrawals.

The police first uncovered the operation in 2022, following a report from a victim in Murcia. Their investigation revealed the scam’s pyramid structure, where older investors were paid with funds from newer ones.

Some victims were even tricked into handing over control of their devices for crypto transfers.

In total, the fraudsters amassed approximately 400 Bitcoin and created a worthless token for investors. Authorities have since frozen 73 bank accounts, seized cars, and impounded various assets as part of the investigation.

Microsoft warns of new malware targeting cryptocurrency wallets

Microsoft has issued a warning about StilachiRAT, a newly discovered malware that steals cryptocurrency wallet data and sensitive browser information.

The trojan is designed to evade detection while extracting credentials from over 20 different wallets, including MetaMask, Trust Wallet, and Coinbase.

The malware actively scans for cryptocurrency wallet extensions in Google Chrome and monitors clipboard actions for copied keys and passwords.

Attackers can use the stolen data to drain victims’ funds. StilachiRAT also enables remote command execution, allowing cybercriminals to manipulate system settings and maintain control over infected devices.

Beyond stealing data, the malware gathers detailed information about the compromised system, including OS details and hardware identifiers.

It even monitors Remote Desktop Protocol sessions, enabling attackers to impersonate users and spread further across networks.

Microsoft has not yet linked StilachiRAT to a specific threat actor but emphasises the need for caution. Users are advised to download software only from official sources, enable Microsoft Defender real-time protection, and use SmartScreen to block malicious websites.

ICC Office of the Prosecutor invites public input on draft policy for cyber-enabled crimes

The Office of the Prosecutor of the International Criminal Court invites public comments on its draft policy addressing cyber-enabled crimes under the Rome Statute.

The Office encourages participation from all relevant stakeholders, including States Parties, civil society organisations, private sector entities, and experts in the field.

Contributions will support the development of a final policy paper that will guide the Office’s approach to cyber-related conduct within its jurisdiction, including its investigative and prosecutorial activities.

The policy paper builds on the crimes outlined in the Rome Statute, assessed within the broader framework of international law.

It aims to enhance transparency regarding the Office’s work in this area and contribute to discussions on legal standards, best practices, and frameworks for cooperation, including those relevant to national authorities.

The draft policy clarifies that the Court does not have jurisdiction over common cybercrimes, such as fraud or unauthorised access to computer systems, which are typically addressed under national laws.

While some countries have international obligations to prosecute these crimes under specific treaties, they do not fall within the mandate of the Court. However, national efforts to combat such crimes may sometimes overlap with the Court’s work where they intersect with crimes under its jurisdiction.

To date, cyber-related issues have only been considered at the periphery of the Court’s work, and their legal and practical implications have yet to be fully explored.

Investigating and prosecuting cyber-enabled crimes presents new and complex challenges. This policy sets out the Office’s current position on these issues while recognising that certain matters may only be fully addressed as the Court’s practice in this area develops.

As with any crime under the Court’s jurisdiction, cyber-enabled crimes will be assessed based on their gravity—including their scale, nature, manner of commission, and impact.

The Court focuses on crimes of the most serious international concern, typically those causing widespread harm to large populations.

An exception applies to offences against the administration of justice, which are not subject to a gravity threshold but are considered serious due to their impact on the Court’s ability to function.

Indian police arrest Garantex administrator wanted by US

Indian authorities have arrested Aleksej Besciokov, an administrator of the Russian cryptocurrency exchange Garantex, at the request of the US.

Besciokov, a Russian resident and Lithuanian national, was taken into custody in Kerala on charges of money laundering and violating sanctions. The Central Bureau of Investigation (CBI) said he was planning to flee India, and Washington is expected to seek his extradition.

The arrest follows a joint operation by the US, Germany, and Finland to dismantle Garantex’s online infrastructure.

The exchange, under US sanctions since 2022, has processed at least $96 billion in cryptocurrency transactions since 2019. The US Justice Department recently charged two administrators, including Besciokov, with operating an unlicensed money-transmitting business.

Experts warn that sanctioned exchanges often attempt to bypass restrictions by setting up new entities. Blockchain research firm TRM Labs called the Garantex takedown a significant step in combating illicit finance but emphasised the need for continued vigilance against evasion tactics.

Singapore fraud case involves $390 million in transactions

Singapore prosecutors revealed on Thursday that a fraud case involving local firms accused of illegally supplying US servers to Malaysia involves transactions worth $390 million.

Three men—Singaporeans Aaron Woon and Alan Wei, along with Chinese national Li Ming—have been charged with deceiving tech giants Dell and Super Micro by misrepresenting the servers’ final destination.

The case has been linked to Chinese AI firm DeepSeek, which is under US scrutiny over the potential use of banned Nvidia chips.

While Singapore authorities confirmed the servers may have contained Nvidia components, they did not specify whether these were the restricted high-end semiconductors subject to US export controls.

Singapore’s Law and Home Affairs Minister K Shanmugam declined to comment on the alleged connection.

Prosecutors claim Wei paid himself tens of millions in dividends, while Woon received a multimillion-dollar bonus. Singaporean authorities are investigating a wider network of 22 individuals and companies suspected of similar fraudulent practices, with six additional arrests made.

The accused are set to reappear in court on May 2, while Malaysian authorities are also probing potential legal violations.

Switzerland mandates cyberattack reporting for critical infrastructure from 1 April 2025

As of 1 April 2025, operators of critical infrastructure in Switzerland will be required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. This measure, introduced by the Federal Council, is part of an amendment to the Information Security Act (ISA) and aims to enhance cybersecurity coordination and response capabilities.

The reporting obligation applies to key sectors, including energy and water suppliers, transport companies, and public administrations at the cantonal and communal levels. Reports must be submitted when an attack disrupts critical infrastructure, compromises or manipulates information, or involves blackmail, threats, or coercion. Failure to comply may result in financial penalties, which will be enforceable from 1 October, allowing a six-month adjustment period before sanctions take effect.

To facilitate compliance, the NCSC will provide a reporting form on its Cyber Security Hub, with an alternative email submission option for organisations not yet registered on the platform. Initial reports must be submitted within 24 hours, followed by a detailed report within 14 days.

The Federal Council has also approved the Cybersecurity Ordinance, which outlines implementation provisions, reporting exemptions, and mechanisms for information exchange between the NCSC and other authorities. Consultations on the ordinance reflected broad support for streamlined reporting processes, ensuring alignment with existing obligations, such as those under data protection laws.

Additionally, from 1 April, the National Cyber Security Centre will officially change its name as part of its transition into a federal office within the Department of Defence, Civil Protection and Sport (DDPS).

This regulatory update aligns Switzerland with international cybersecurity practices, including the EU’s NIS Directive, which has required cyber incident reporting since 2018.

Geopolitical tensions drive OT and ICS cyberattacks, a new report warns

Attacks on operational technology (OT) networks have increased, driven in part by geopolitical factors, with OT security gaining broader attention, according to the annual report from Dragos.

In 2024, two additional threat groups began targeting OT systems, bringing the total number of known active groups to nine.

Additionally, researchers from Dragos identified two new malware families designed to compromise industrial control systems (ICS).

The report also finds that the barriers to OT/ICS attacks have lowered, making these systems more accessible targets for adversaries.

Ransomware attacks against OT/ICS asset owners also increased by 87% in 2024, with the number of ransomware groups targeting these systems growing by 60%.

Dragos monitors 23 threat groups that engage with OT networks for intelligence gathering or system manipulation. Nine of these groups were active in 2024, including two newly identified ones.